From e763b96f0dad6343828979ed10e0304ff17578f2 Mon Sep 17 00:00:00 2001 From: Stan Date: Fri, 12 Dec 2025 17:03:02 +0000 Subject: [PATCH] Add Terraform formatting step, Created WAF policy in Frontdoor module, refactored key vault outputs and cleaned up unused variables --- .github/workflows/terraform-push.yml | 3 + terraform/main.tf | 27 +++------ terraform/modules/acr/output.tf | 13 ----- .../azuread_application_registration/main.tf | 2 +- terraform/modules/ca/main.tf | 2 +- terraform/modules/frontdoor/main.tf | 56 ++++++++++++++++++- terraform/modules/frontdoor/variables.tf | 16 ------ terraform/modules/keyvault/locals.tf | 8 +-- terraform/modules/keyvault/main.tf | 6 +- terraform/modules/keyvault/outputs.tf | 16 ------ terraform/modules/keyvault/variables.tf | 6 +- terraform/provider.tf | 4 -- 12 files changed, 76 insertions(+), 83 deletions(-) diff --git a/.github/workflows/terraform-push.yml b/.github/workflows/terraform-push.yml index c6fe908..3d9f77f 100644 --- a/.github/workflows/terraform-push.yml +++ b/.github/workflows/terraform-push.yml @@ -46,6 +46,9 @@ jobs: - name: Terraform Init run: terraform init + - name: Terraform Format + run: terraform fmt && terraform fmt -resursive + - name: Terraform Plan if: ${{ github.event_name == 'push' || github.event.inputs.action == 'plan' || github.event.inputs.action == 'apply' }} run: terraform plan diff --git a/terraform/main.tf b/terraform/main.tf index e2cc255..edbb2d7 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -68,11 +68,6 @@ module "kv" { clientid_secret_writer_principal_id = data.azurerm_client_config.current.object_id secret_reader_principal_id = azurerm_user_assigned_identity.ca_uai.principal_id - # mongo_connection_string = var.TODO_MONGO_CONNSTR - # mongo_connection_string = module.kv.mongo_connstr_secret_id - # mongo_db_name = var.TODO_MONGO_DB - # redis_host = var.REDIS_SESSION_HOST - # weather_api_key = var.WEATHER_API_KEY } module "container_apps" { 
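Review bot: The added `run: terraform fmt && terraform fmt -resursive` line misspells the flag; `terraform fmt -resursive` is rejected as an unknown flag, so the new Format step fails the workflow on every run. Beyond the typo, an in-place `terraform fmt` in CI rewrites files in the runner's checkout that are never committed, so the step cannot enforce formatting; a check-only form fails the job on unformatted files and leaves the fix to the author: `run: terraform fmt -check -recursive`. The first `terraform fmt` invocation is redundant once `-recursive` is used, since the recursive run also covers the working directory.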
@@ -90,24 +85,16 @@ module "container_apps" { acr_id = module.acr.acr_id uai_id = azurerm_user_assigned_identity.ca_uai.id - log_analytics_id = module.app_insights.log_analytics_workspace_id identity_type = "UserAssigned" user_assigned_ids = [azurerm_user_assigned_identity.ca_uai.id] key_vault_name = module.kv.key_vault_name - # mongo_connection_string = module.kv.mongo_connstr_secret_id - # mongo_connstr_secret_id = module.kv.mongo_connstr_secret_id - # mongo_db_name = module.kv.mongo_db_name_secret_id - # weather_api_key = module.kv.weather_api_key_secret_id - # redis_connstr_secret_id = module.kv.redis_host_secret_id - - - mongo_connstr_secret_id = module.kv.key_vault_secret_ids["mongo_connstr"] - redis_connstr_secret_id = module.kv.key_vault_secret_ids["redis_host"] - weather_api_key_secret_id = module.kv.key_vault_secret_ids["weather_api_key"] - mongo_db_name_secret_id = module.kv.key_vault_secret_ids["mongo_db_name"] + mongo_connstr_secret_id = module.kv.key_vault_secret_ids["mongo_connstr"] + redis_connstr_secret_id = module.kv.key_vault_secret_ids["redis_host"] + weather_api_key_secret_id = module.kv.key_vault_secret_ids["weather_api_key"] + mongo_db_name_secret_id = module.kv.key_vault_secret_ids["mongo_db_name"] application_insights_connection_string = module.app_insights.connection_string application_client_ID = module.azuread_application_registration.client_id @@ -131,7 +118,6 @@ module "frontdoor" { dns_zone_id = module.dns.dns_zone_id dns_zone_name = module.dns.dns_zone_name cname_record_name = "app" - # cname_record_value = module.container_apps.ca_latest_revision_fqdn ttl = 300 fdprofile_name = "${local.region}-fd-${local.environment}-${random_integer.suffix.result}" 
@@ -140,8 +126,9 @@ module "frontdoor" { fdroute_name = "${local.region}-fdr-${random_integer.suffix.result}" host_name = "app.${local.domain_name}" - origin_name = "${local.region}-fdo-${random_integer.suffix.result}" - origin_host_name = module.container_apps.container_app_hostname + origin_name = "${local.region}-fdo-${random_integer.suffix.result}" + origin_host_name = module.container_apps.container_app_hostname origin_host_name_header = module.container_apps.container_app_hostname + } diff --git a/terraform/modules/acr/output.tf b/terraform/modules/acr/output.tf index 2101b37..f8fb98c 100644 --- a/terraform/modules/acr/output.tf +++ b/terraform/modules/acr/output.tf @@ -1,5 +1,3 @@ -# modules/acr/outputs.tf - output "acr_id" { description = "The ID of the Container Registry" value = azurerm_container_registry.acr.id @@ -15,14 +13,3 @@ output "login_server" { value = azurerm_container_registry.acr.login_server } - -# output "admin_username" { -# description = "The admin username of the Container Registry" -# value = azurerm_container_registry.acr.admin_username -# } - -# output "admin_password" { -# description = "The admin password of the Container Registry" -# value = azurerm_container_registry.acr.admin_password -# sensitive = true -# } diff --git a/terraform/modules/azuread_application_registration/main.tf b/terraform/modules/azuread_application_registration/main.tf index c130261..03398d2 100644 --- a/terraform/modules/azuread_application_registration/main.tf +++ b/terraform/modules/azuread_application_registration/main.tf @@ -29,7 +29,7 @@ resource "azuread_application_redirect_uris" "nodejs_demoapp_redirect_uris" { redirect_uris = ["https://login.microsoftonline.com/common/oauth2/nativeclient", "https://login.live.com/oauth20_desktop.srf", "https://app.stanagh.website/signin", - "http://localhost:3000/signin", + "http://localhost:3000/signin", "https://stanagh.website/signin" ] 
diff --git a/terraform/modules/ca/main.tf b/terraform/modules/ca/main.tf index e3a8240..1fe23df 100644 --- a/terraform/modules/ca/main.tf +++ b/terraform/modules/ca/main.tf @@ -57,7 +57,7 @@ resource "azurerm_container_app" "ca" { image = var.container_app_image cpu = 0.25 memory = "0.5Gi" - + env { name = "TODO_MONGO_CONNSTR" secret_name = "mongo-connstr" diff --git a/terraform/modules/frontdoor/main.tf b/terraform/modules/frontdoor/main.tf index 22ddb4f..228c8ab 100644 --- a/terraform/modules/frontdoor/main.tf +++ b/terraform/modules/frontdoor/main.tf @@ -19,7 +19,6 @@ resource "azurerm_dns_cname_record" "app" { depends_on = [azurerm_cdn_frontdoor_route.fdroute] } - resource "azurerm_cdn_frontdoor_profile" "fdProfile" { name = var.fdprofile_name resource_group_name = var.resource_group_name 
@@ -28,6 +27,60 @@ resource "azurerm_cdn_frontdoor_profile" "fdProfile" { response_timeout_seconds = 30 } +resource "azurerm_cdn_frontdoor_firewall_policy" "waf_policy" { + name = "${var.fdprofile_name}-wafpolicy" + resource_group_name = var.resource_group_name + sku_name = azurerm_cdn_frontdoor_profile.fdProfile.sku_name + mode = "Prevention" + + managed_rule { + type = "Microsoft_DefaultRuleSet" + version = "2.1" + action = "Block" + } + + managed_rule { + type = "Microsoft_BotManagerRuleSet" + version = "1.0" + action = "Block" + } + + custom_rule { + name = "rate-limit-rule" + priority = 1 + type = "RateLimitRule" + rate_limit_threshold = 100 + action = "Block" + match_condition { + match_variable = "RequestUri" + operator = "Contains" + match_values = ["/login", "/api/"] + } + } + + request_body_check_enabled = true + redirect_url = "https://learn.microsoft.com/docs/" + custom_block_response_status_code = 403 + custom_block_response_body = base64encode("Request blocked by WAF policy.") +} + +resource "azurerm_cdn_frontdoor_security_policy" "waf_security_policy" { + name = "${var.fdprofile_name}-wafsecuritypolicy" + cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.fdProfile.id + + security_policies { + firewall { + cdn_frontdoor_firewall_policy_id = azurerm_cdn_frontdoor_firewall_policy.waf_policy.id + + association { + domain { + cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_custom_domain.fdcustom_domain.id + } + patterns_to_match = ["/*"] + } + } + } +} resource "azurerm_cdn_frontdoor_origin_group" "fdorigin_group" { name = var.fdorigin_group_name 
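Review bot: The `association` block in `waf_security_policy` lists only `azurerm_cdn_frontdoor_custom_domain.fdcustom_domain.id`, so requests arriving on the endpoint's default `*.azurefd.net` hostname are not evaluated by this WAF policy unless the route (whose definition is in a later hunk) sets `link_to_default_domain = false`, which is not visible here; adding a second entry `domain { cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_endpoint.fdendpoint.id }` alongside the custom domain closes that gap. The `Microsoft_DefaultRuleSet` and `Microsoft_BotManagerRuleSet` managed rules are only supported on the Premium Front Door SKU, and `sku_name` is inherited from `fdProfile`, whose SKU is outside this hunk, so a Standard profile would fail at apply time rather than at plan. `redirect_url` is only consulted by rules whose action is `Redirect`, which none of these are, and pointing it at an unrelated docs site is misleading; either drop the attribute or add `# unused: no rule has action = "Redirect"` above it. The rate-limit rule omits `rate_limit_duration_in_minutes`, so the threshold of 100 applies over the provider default window of one minute; setting `rate_limit_duration_in_minutes = 1` explicitly records that intent.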
@@ -89,7 +142,6 @@ resource "azurerm_cdn_frontdoor_route" "fdroute" { cdn_frontdoor_endpoint_id = azurerm_cdn_frontdoor_endpoint.fdendpoint.id cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.fdorigin_group.id cdn_frontdoor_origin_ids = [azurerm_cdn_frontdoor_origin.fdorigin.id] - # cdn_frontdoor_rule_set_ids = [azurerm_cdn_frontdoor_rule_set.fdrule_set.id] enabled = true forwarding_protocol = "HttpsOnly" diff --git a/terraform/modules/frontdoor/variables.tf b/terraform/modules/frontdoor/variables.tf index 2c1d0f8..61d6f65 100644 --- a/terraform/modules/frontdoor/variables.tf +++ b/terraform/modules/frontdoor/variables.tf @@ -3,12 +3,6 @@ variable "cname_record_name" { type = string } - -# variable "cname_record_value" { -# description = "The value of the CNAME record." -# type = string -# } - variable "ttl" { description = "The TTL (time to live) of the DNS A record in seconds." type = number @@ -51,11 +45,6 @@ variable "origin_host_name_header" { type = string } -# variable "frontdoor_custom_domain_name" { -# description = "The name of the Front Door custom domain" -# type = string -# } - variable "fdendpoint_name" { description = "The name of the Front Door endpoint" type = string @@ -76,11 +65,6 @@ variable "origin_name" { type = string } -# variable "fdendpoint_name" { -# description = "The name of the Front Door endpoint" -# type = string -# } - variable "fdroute_name" { description = "The name of the Front Door route" type = string diff --git a/terraform/modules/keyvault/locals.tf b/terraform/modules/keyvault/locals.tf index 0b94f35..c8492b8 100644 --- a/terraform/modules/keyvault/locals.tf +++ b/terraform/modules/keyvault/locals.tf 
@@ -1,8 +1,8 @@ locals { kv_secrets = { - mongo_connstr = "mongo-connstr" - mongo_db_name = "mongo-db-name" - redis_host = "redis-host" - weather_api_key = "weather-api-key" + mongo_connstr = "mongo-connstr" + mongo_db_name = "mongo-db-name" + redis_host = "redis-host" + weather_api_key = "weather-api-key" } } \ No newline at end of file diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf index 93c89c1..3b6a61c 100644 --- a/terraform/modules/keyvault/main.tf +++ b/terraform/modules/keyvault/main.tf @@ -61,8 +61,8 @@ resource "azurerm_role_assignment" "secret_reader" { data "azurerm_key_vault_secret" "secrets" { - for_each = local.kv_secrets - name = each.value + for_each = local.kv_secrets + name = each.value key_vault_id = azurerm_key_vault.kv.id - depends_on = [azurerm_key_vault.kv, azurerm_role_assignment.secret_writer] + depends_on = [azurerm_key_vault.kv, azurerm_role_assignment.secret_writer] } diff --git a/terraform/modules/keyvault/outputs.tf b/terraform/modules/keyvault/outputs.tf index cbfeb77..0c76fc1 100644 --- a/terraform/modules/keyvault/outputs.tf +++ b/terraform/modules/keyvault/outputs.tf @@ -6,22 +6,6 @@ output "key_vault_name" { value = azurerm_key_vault.kv.name } -# output "mongo_connstr_secret_id" { -# value = azurerm_key_vault_secret.mongo_connstr.id -# } - -# output "mongo_db_name_secret_id" { -# value = azurerm_key_vault_secret.mongo_db_name.id -# } - -# output "redis_host_secret_id" { -# value = azurerm_key_vault_secret.redis_host.id -# } - -# output "weather_api_key_secret_id" { -# value = azurerm_key_vault_secret.weather_api_key.id -# } - output "key_vault_secret_ids" { value = { for key, secret in data.azurerm_key_vault_secret.secrets : diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf index 7fda77e..d1db9d9 100644 --- a/terraform/modules/keyvault/variables.tf +++ b/terraform/modules/keyvault/variables.tf 
@@ -74,8 +74,8 @@ variable "kv_secrets" { type = map(string) default = { mongo_connection_string = "mongo-connection-string" - mongo_db_name = "mongo-db-name" - redis_host = "redis-host" - weather_api_key = "weather-api-key" + mongo_db_name = "mongo-db-name" + redis_host = "redis-host" + weather_api_key = "weather-api-key" } } \ No newline at end of file diff --git a/terraform/provider.tf b/terraform/provider.tf index 2bd6cee..a499e9d 100644 --- a/terraform/provider.tf +++ b/terraform/provider.tf @@ -22,8 +22,4 @@ provider "azurerm" { } } -# provider "azuread" { -# tenant_id = var.tenant_id -# } -