stanagh · stanagh · Dec 12, 2025
diff --git a/.github/workflows/terraform-push.yml b/.github/workflows/terraform-push.yml
@@ -46,6 +46,9 @@ jobs:
         - name: Terraform Init
           run: terraform init 
 
+        - name: Terraform Format
+          run: terraform fmt && terraform fmt -resursive 
+
         - name: Terraform Plan
           if: ${{ github.event_name == 'push' || github.event.inputs.action == 'plan' || github.event.inputs.action == 'apply' }}
           run: terraform plan

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -68,11 +68,6 @@ module "kv" {
   clientid_secret_writer_principal_id = data.azurerm_client_config.current.object_id
   secret_reader_principal_id          = azurerm_user_assigned_identity.ca_uai.principal_id
 
-  # mongo_connection_string = var.TODO_MONGO_CONNSTR
-  # mongo_connection_string = module.kv.mongo_connstr_secret_id
-  # mongo_db_name           = var.TODO_MONGO_DB
-  # redis_host              = var.REDIS_SESSION_HOST
-  # weather_api_key         = var.WEATHER_API_KEY
 }
 
 module "container_apps" {
@@ -90,24 +85,16 @@ module "container_apps" {
   acr_id           = module.acr.acr_id
   uai_id           = azurerm_user_assigned_identity.ca_uai.id
 
-
   log_analytics_id  = module.app_insights.log_analytics_workspace_id
   identity_type     = "UserAssigned"
   user_assigned_ids = [azurerm_user_assigned_identity.ca_uai.id]
 
   key_vault_name = module.kv.key_vault_name
 
-  # mongo_connection_string = module.kv.mongo_connstr_secret_id
-  # mongo_connstr_secret_id = module.kv.mongo_connstr_secret_id
-  # mongo_db_name           = module.kv.mongo_db_name_secret_id
-  # weather_api_key         = module.kv.weather_api_key_secret_id
-  # redis_connstr_secret_id = module.kv.redis_host_secret_id
-
-
-  mongo_connstr_secret_id = module.kv.key_vault_secret_ids["mongo_connstr"]
-  redis_connstr_secret_id    = module.kv.key_vault_secret_ids["redis_host"]
-  weather_api_key_secret_id     = module.kv.key_vault_secret_ids["weather_api_key"]
-  mongo_db_name_secret_id        = module.kv.key_vault_secret_ids["mongo_db_name"]
+  mongo_connstr_secret_id   = module.kv.key_vault_secret_ids["mongo_connstr"]
+  redis_connstr_secret_id   = module.kv.key_vault_secret_ids["redis_host"]
+  weather_api_key_secret_id = module.kv.key_vault_secret_ids["weather_api_key"]
+  mongo_db_name_secret_id   = module.kv.key_vault_secret_ids["mongo_db_name"]
 
   application_insights_connection_string = module.app_insights.connection_string
   application_client_ID                  = module.azuread_application_registration.client_id
@@ -131,7 +118,6 @@ module "frontdoor" {
   dns_zone_id       = module.dns.dns_zone_id
   dns_zone_name     = module.dns.dns_zone_name
   cname_record_name = "app"
-  # cname_record_value         = module.container_apps.ca_latest_revision_fqdn
   ttl = 300
 
   fdprofile_name      = "${local.region}-fd-${local.environment}-${random_integer.suffix.result}"
@@ -140,8 +126,9 @@ module "frontdoor" {
   fdroute_name        = "${local.region}-fdr-${random_integer.suffix.result}"
   host_name           = "app.${local.domain_name}"
 
-  origin_name      = "${local.region}-fdo-${random_integer.suffix.result}"
-  origin_host_name = module.container_apps.container_app_hostname
+  origin_name             = "${local.region}-fdo-${random_integer.suffix.result}"
+  origin_host_name        = module.container_apps.container_app_hostname
   origin_host_name_header = module.container_apps.container_app_hostname
+
 
 }
diff --git a/terraform/modules/acr/output.tf b/terraform/modules/acr/output.tf
@@ -1,5 +1,3 @@
-# modules/acr/outputs.tf
-
 output "acr_id" {
   description = "The ID of the Container Registry"
   value       = azurerm_container_registry.acr.id
@@ -15,14 +13,3 @@ output "login_server" {
   value       = azurerm_container_registry.acr.login_server
 
 }
-
-# output "admin_username" {
-#   description = "The admin username of the Container Registry"
-#   value       = azurerm_container_registry.acr.admin_username
-# }
-
-# output "admin_password" {
-#   description = "The admin password of the Container Registry"
-#   value       = azurerm_container_registry.acr.admin_password
-#   sensitive   = true
-# }
diff --git a/terraform/modules/azuread_application_registration/main.tf b/terraform/modules/azuread_application_registration/main.tf
@@ -29,7 +29,7 @@ resource "azuread_application_redirect_uris" "nodejs_demoapp_redirect_uris" {
   redirect_uris = ["https://login.microsoftonline.com/common/oauth2/nativeclient",
     "https://login.live.com/oauth20_desktop.srf",
     "https://app.stanagh.website/signin",
-    "http://localhost:3000/signin", 
+    "http://localhost:3000/signin",
     "https://stanagh.website/signin"
 
   ]

diff --git a/terraform/modules/ca/main.tf b/terraform/modules/ca/main.tf
@@ -57,7 +57,7 @@ resource "azurerm_container_app" "ca" {
       image  = var.container_app_image
       cpu    = 0.25
       memory = "0.5Gi"
-      
+
       env {
         name        = "TODO_MONGO_CONNSTR"
         secret_name = "mongo-connstr"

diff --git a/terraform/modules/frontdoor/main.tf b/terraform/modules/frontdoor/main.tf
@@ -19,7 +19,6 @@ resource "azurerm_dns_cname_record" "app" {
   depends_on = [azurerm_cdn_frontdoor_route.fdroute]
 }
 
-
 resource "azurerm_cdn_frontdoor_profile" "fdProfile" {
   name                = var.fdprofile_name
   resource_group_name = var.resource_group_name
@@ -28,6 +27,60 @@ resource "azurerm_cdn_frontdoor_profile" "fdProfile" {
   response_timeout_seconds = 30
 }
 
+resource "azurerm_cdn_frontdoor_firewall_policy" "waf_policy" {
+  name                = "${var.fdprofile_name}-wafpolicy"
+  resource_group_name = var.resource_group_name
+  sku_name            = azurerm_cdn_frontdoor_profile.fdProfile.sku_name
+  mode                = "Prevention"
+
+  managed_rule {
+    type    = "Microsoft_DefaultRuleSet"
+    version = "2.1"
+    action  = "Block"
+  }
+
+  managed_rule {
+    type    = "Microsoft_BotManagerRuleSet"
+    version = "1.0"
+    action  = "Block"
+  }
+
+  custom_rule {
+    name                 = "rate-limit-rule"
+    priority             = 1
+    type                 = "RateLimitRule"
+    rate_limit_threshold = 100
+    action               = "Block"
+    match_condition {
+      match_variable = "RequestUri"
+      operator       = "Contains"
+      match_values   = ["/login", "/api/"]
+    }
+  }
+
+  request_body_check_enabled        = true
+  redirect_url                      = "https://learn.microsoft.com/docs/"
+  custom_block_response_status_code = 403
+  custom_block_response_body        = base64encode("Request blocked by WAF policy.")
+}
+
+resource "azurerm_cdn_frontdoor_security_policy" "waf_security_policy" {
+  name                     = "${var.fdprofile_name}-wafsecuritypolicy"
+  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.fdProfile.id
+
+  security_policies {
+    firewall {
+      cdn_frontdoor_firewall_policy_id = azurerm_cdn_frontdoor_firewall_policy.waf_policy.id
+
+      association {
+        domain {
+          cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_custom_domain.fdcustom_domain.id
+        }
+        patterns_to_match = ["/*"]
+      }
+    }
+  }
+}
 
 resource "azurerm_cdn_frontdoor_origin_group" "fdorigin_group" {
   name                     = var.fdorigin_group_name
@@ -89,7 +142,6 @@ resource "azurerm_cdn_frontdoor_route" "fdroute" {
   cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.fdendpoint.id
   cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.fdorigin_group.id
   cdn_frontdoor_origin_ids      = [azurerm_cdn_frontdoor_origin.fdorigin.id]
-  # cdn_frontdoor_rule_set_ids    = [azurerm_cdn_frontdoor_rule_set.fdrule_set.id]
   enabled = true
 
   forwarding_protocol    = "HttpsOnly"

diff --git a/terraform/modules/frontdoor/variables.tf b/terraform/modules/frontdoor/variables.tf
@@ -3,12 +3,6 @@ variable "cname_record_name" {
   type        = string
 
 }
-
-# variable "cname_record_value" {
-#   description = "The value of the CNAME record."
-#   type        = string
-# }
-
 variable "ttl" {
   description = "The TTL (time to live) of the DNS A record in seconds."
   type        = number
@@ -51,11 +45,6 @@ variable "origin_host_name_header" {
   type        = string
 }
 
-# variable "frontdoor_custom_domain_name" {
-#   description = "The name of the Front Door custom domain"
-#   type        = string
-# }
-
 variable "fdendpoint_name" {
   description = "The name of the Front Door endpoint"
   type        = string
@@ -76,11 +65,6 @@ variable "origin_name" {
   type        = string
 }
 
-# variable "fdendpoint_name" {
-#     description = "The name of the Front Door endpoint"
-#     type        = string    
-# }
-
 variable "fdroute_name" {
   description = "The name of the Front Door route"
   type        = string

diff --git a/terraform/modules/keyvault/locals.tf b/terraform/modules/keyvault/locals.tf
@@ -1,8 +1,8 @@
 locals {
   kv_secrets = {
-    mongo_connstr = "mongo-connstr"
-    mongo_db_name           = "mongo-db-name"
-    redis_host              = "redis-host"
-    weather_api_key         = "weather-api-key"
+    mongo_connstr   = "mongo-connstr"
+    mongo_db_name   = "mongo-db-name"
+    redis_host      = "redis-host"
+    weather_api_key = "weather-api-key"
   }
 }
diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
@@ -61,8 +61,8 @@ resource "azurerm_role_assignment" "secret_reader" {
 
 
 data "azurerm_key_vault_secret" "secrets" {
-  for_each    = local.kv_secrets
-  name        = each.value
+  for_each     = local.kv_secrets
+  name         = each.value
   key_vault_id = azurerm_key_vault.kv.id
-  depends_on  = [azurerm_key_vault.kv, azurerm_role_assignment.secret_writer]
+  depends_on   = [azurerm_key_vault.kv, azurerm_role_assignment.secret_writer]
 }
diff --git a/terraform/modules/keyvault/outputs.tf b/terraform/modules/keyvault/outputs.tf
@@ -6,22 +6,6 @@ output "key_vault_name" {
   value = azurerm_key_vault.kv.name
 }
 
-# output "mongo_connstr_secret_id" {
-#   value = azurerm_key_vault_secret.mongo_connstr.id
-# }
-
-# output "mongo_db_name_secret_id" {
-#   value = azurerm_key_vault_secret.mongo_db_name.id
-# }
-
-# output "redis_host_secret_id" {
-#   value = azurerm_key_vault_secret.redis_host.id
-# }
-
-# output "weather_api_key_secret_id" {
-#   value = azurerm_key_vault_secret.weather_api_key.id
-# }
-
 output "key_vault_secret_ids" {
   value = {
     for key, secret in data.azurerm_key_vault_secret.secrets :

diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf
@@ -74,8 +74,8 @@ variable "kv_secrets" {
   type        = map(string)
   default = {
     mongo_connection_string = "mongo-connection-string"
-    mongo_db_name          = "mongo-db-name"
-    redis_host             = "redis-host"
-    weather_api_key        = "weather-api-key"
+    mongo_db_name           = "mongo-db-name"
+    redis_host              = "redis-host"
+    weather_api_key         = "weather-api-key"
   }
 }
diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -22,8 +22,4 @@ provider "azurerm" {
   }
 }
 
-# provider "azuread" {
-#   tenant_id = var.tenant_id
-# }
-
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,8 +22,4 @@ provider "azurerm" { @@
       }
     }
-    # provider "azuread" {
-    #   tenant_id = var.tenant_id
-    # }