feat: Added cdn profile security policies support - `avm/res/cdn/prof…
…ile` (#3025)

## Description

Adds support for Security Policies on cdn/profile, making it possible to
use the module to deploy Azure Front Door Premium with Web Application
Firewall.

Fixes #2376

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.res.cdn.profile](https://github.com/anderseide/avm-bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml/badge.svg?branch=cdn-profile-security-policies)](https://github.com/anderseide/avm-bicep-registry-modules/actions/workflows/avm.res.cdn.profile.yml) |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [x] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [x] Update to documentation

## Checklist

- [x] I'm sure there are no other open Pull Requests for the same
update/change
- [x] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [x] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Guillaume Beaud <79973892+gbeaud@users.noreply.github.com>
anderseide and gbeaud authored Oct 1, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent 2a43532 commit 3073a74
Showing 18 changed files with 1,060 additions and 60 deletions.
322 changes: 314 additions & 8 deletions avm/res/cdn/profile/README.md
@@ -27,6 +27,7 @@ This module deploys a CDN Profile.
| `Microsoft.Cdn/profiles/ruleSets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets) |
| `Microsoft.Cdn/profiles/ruleSets/rules` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/ruleSets/rules) |
| `Microsoft.Cdn/profiles/secrets` | [2023-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/2023-05-01/profiles/secrets) |
| `Microsoft.Cdn/profiles/securityPolicies` | [2024-02-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cdn/profiles/securityPolicies) |

## Usage examples

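Review bot: the new `Microsoft.Cdn/profiles/securityPolicies` row pins API version 2024-02-01 while the three sibling `Microsoft.Cdn/profiles/*` rows visible in this hunk stay on 2023-05-01, and its link omits the version segment that the other rows include (`.../Microsoft.Cdn/2023-05-01/profiles/...`). Either link to the versioned template reference so the table matches the API version actually deployed, or say in the PR why this child resource alone moves to a newer API version.
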
@@ -36,12 +37,245 @@ The following section provides usage examples for the module, which were used to
>**Note**: To reference the module, please use the following syntax `br/public:avm/res/cdn/profile:<version>`.
- [As Azure Front Door](#example-1-as-azure-front-door)
- [Using only defaults](#example-2-using-only-defaults)
- [Using large parameter set](#example-3-using-large-parameter-set)
- [WAF-aligned](#example-4-waf-aligned)
- [As Azure Front Door Premium](#example-1-as-azure-front-door-premium)
- [As Azure Front Door](#example-2-as-azure-front-door)
- [Using only defaults](#example-3-using-only-defaults)
- [Using large parameter set](#example-4-using-large-parameter-set)
- [WAF-aligned](#example-5-waf-aligned)

### Example 1: _As Azure Front Door_
### Example 1: _As Azure Front Door Premium_

This instance deploys the module as Azure Front Door Premium.


<details>

<summary>via Bicep module</summary>

```bicep
module profile 'br/public:avm/res/cdn/profile:<version>' = {
name: 'profileDeployment'
params: {
// Required parameters
name: 'dep-test-cdnpafdp'
sku: 'Premium_AzureFrontDoor'
// Non-required parameters
afdEndpoints: [
{
name: 'dep-test-cdnpafdp-afd-endpoint'
routes: [
{
customDomainNames: [
'dep-test-cdnpafdp-custom-domain'
]
name: 'dep-test-cdnpafdp-afd-route'
originGroupName: 'dep-test-cdnpafdp-origin-group'
ruleSets: [
{
name: 'deptestcdnpafdpruleset'
}
]
}
]
}
]
customDomains: [
{
certificateType: 'ManagedCertificate'
hostName: 'dep-test-cdnpafdp-custom-domain.azurewebsites.net'
name: 'dep-test-cdnpafdp-custom-domain'
}
]
location: 'global'
originGroups: [
{
loadBalancingSettings: {
additionalLatencyInMilliseconds: 50
sampleSize: 4
successfulSamplesRequired: 3
}
name: 'dep-test-cdnpafdp-origin-group'
origins: [
{
hostName: 'dep-test-cdnpafdp-origin.azurewebsites.net'
name: 'dep-test-cdnpafdp-origin'
}
]
}
]
originResponseTimeoutSeconds: 60
ruleSets: [
{
name: 'deptestcdnpafdpruleset'
rules: [
{
actions: [
{
name: 'UrlRedirect'
parameters: {
customHostname: 'dev-etradefd.trade.azure.defra.cloud'
customPath: '/test123'
destinationProtocol: 'Https'
redirectType: 'PermanentRedirect'
typeName: 'DeliveryRuleUrlRedirectActionParameters'
}
}
]
name: 'deptestcdnpafdprule'
order: 1
}
]
}
]
securityPolicies: [
{
associations: [
{
domains: [
{
id: '<id>'
}
]
patternsToMatch: [
'/*'
]
}
]
name: 'deptestcdnpafdpsecpol'
wafPolicyResourceId: '<wafPolicyResourceId>'
}
]
}
}
```

</details>
<p>

<details>

<summary>via JSON Parameter file</summary>

```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
// Required parameters
"name": {
"value": "dep-test-cdnpafdp"
},
"sku": {
"value": "Premium_AzureFrontDoor"
},
// Non-required parameters
"afdEndpoints": {
"value": [
{
"name": "dep-test-cdnpafdp-afd-endpoint",
"routes": [
{
"customDomainNames": [
"dep-test-cdnpafdp-custom-domain"
],
"name": "dep-test-cdnpafdp-afd-route",
"originGroupName": "dep-test-cdnpafdp-origin-group",
"ruleSets": [
{
"name": "deptestcdnpafdpruleset"
}
]
}
]
}
]
},
"customDomains": {
"value": [
{
"certificateType": "ManagedCertificate",
"hostName": "dep-test-cdnpafdp-custom-domain.azurewebsites.net",
"name": "dep-test-cdnpafdp-custom-domain"
}
]
},
"location": {
"value": "global"
},
"originGroups": {
"value": [
{
"loadBalancingSettings": {
"additionalLatencyInMilliseconds": 50,
"sampleSize": 4,
"successfulSamplesRequired": 3
},
"name": "dep-test-cdnpafdp-origin-group",
"origins": [
{
"hostName": "dep-test-cdnpafdp-origin.azurewebsites.net",
"name": "dep-test-cdnpafdp-origin"
}
]
}
]
},
"originResponseTimeoutSeconds": {
"value": 60
},
"ruleSets": {
"value": [
{
"name": "deptestcdnpafdpruleset",
"rules": [
{
"actions": [
{
"name": "UrlRedirect",
"parameters": {
"customHostname": "dev-etradefd.trade.azure.defra.cloud",
"customPath": "/test123",
"destinationProtocol": "Https",
"redirectType": "PermanentRedirect",
"typeName": "DeliveryRuleUrlRedirectActionParameters"
}
}
],
"name": "deptestcdnpafdprule",
"order": 1
}
]
}
]
},
"securityPolicies": {
"value": [
{
"associations": [
{
"domains": [
{
"id": "<id>"
}
],
"patternsToMatch": [
"/*"
]
}
],
"name": "deptestcdnpafdpsecpol",
"wafPolicyResourceId": "<wafPolicyResourceId>"
}
]
}
}
}
```

</details>
<p>

### Example 2: _As Azure Front Door_

This instance deploys the module as Azure Front Door.

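Review bot: the `UrlRedirect` action in both the Bicep and JSON variants of the new example sets `customHostname: 'dev-etradefd.trade.azure.defra.cloud'`, which reads as a real environment hostname rather than test data; a published usage example should redirect to a neutral placeholder host instead. The `securityPolicies` association also shows only `id: '<id>'`, so the example does not say whether the WAF policy is attached to the custom domain, the AFD endpoint, or both. A short comment stating which domain resource IDs are expected would help readers avoid leaving one hostname of the route outside the policy.
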
@@ -235,7 +469,7 @@ module profile 'br/public:avm/res/cdn/profile:<version>' = {
</details>
<p>

### Example 2: _Using only defaults_
### Example 3: _Using only defaults_

This instance deploys the module with the minimum set of required parameters.

@@ -287,7 +521,7 @@ module profile 'br/public:avm/res/cdn/profile:<version>' = {
</details>
<p>

### Example 3: _Using large parameter set_
### Example 4: _Using large parameter set_

This instance deploys the module with most of its features enabled.

@@ -455,7 +689,7 @@ module profile 'br/public:avm/res/cdn/profile:<version>' = {
</details>
<p>

### Example 4: _WAF-aligned_
### Example 5: _WAF-aligned_

This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.

@@ -603,6 +837,7 @@ module profile 'br/public:avm/res/cdn/profile:<version>' = {
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`ruleSets`](#parameter-rulesets) | array | Array of rule set objects. |
| [`secrets`](#parameter-secrets) | array | Array of secret objects. |
| [`securityPolicies`](#parameter-securitypolicies) | array | Array of Security Policy objects (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/securitypolicies for details). |
| [`tags`](#parameter-tags) | object | Endpoint tags. |

### Parameter: `name`
@@ -857,6 +1092,77 @@ Array of secret objects.
- Type: array
- Default: `[]`

### Parameter: `securityPolicies`

Array of Security Policy objects (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/securitypolicies for details).

- Required: No
- Type: array
- Default: `[]`

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`associations`](#parameter-securitypoliciesassociations) | array | Domain names and URL patterns to math with this association. |
| [`name`](#parameter-securitypoliciesname) | string | Name of the security policy. |
| [`wafPolicyResourceId`](#parameter-securitypolicieswafpolicyresourceid) | string | Resource ID of WAF policy. |

### Parameter: `securityPolicies.associations`

Domain names and URL patterns to math with this association.

- Required: Yes
- Type: array

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`domains`](#parameter-securitypoliciesassociationsdomains) | array | List of domain resource id to associate with this resource. |
| [`patternsToMatch`](#parameter-securitypoliciesassociationspatternstomatch) | array | List of patterns to match with this association. |

### Parameter: `securityPolicies.associations.domains`

List of domain resource id to associate with this resource.

- Required: Yes
- Type: array

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`id`](#parameter-securitypoliciesassociationsdomainsid) | string | ResourceID to domain that will be associated. |

### Parameter: `securityPolicies.associations.domains.id`

ResourceID to domain that will be associated.

- Required: Yes
- Type: string

### Parameter: `securityPolicies.associations.patternsToMatch`

List of patterns to match with this association.

- Required: Yes
- Type: array

### Parameter: `securityPolicies.name`

Name of the security policy.

- Required: Yes
- Type: string

### Parameter: `securityPolicies.wafPolicyResourceId`

Resource ID of WAF policy.

- Required: Yes
- Type: string

### Parameter: `tags`

Endpoint tags.
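Review bot: the description for `securityPolicies.associations` reads "Domain names and URL patterns to math with this association." in both the table row and the parameter section; "math" should be "match". The checklist says the supporting files were generated with `Set-AVMModule`, so correct the wording in the parameter description in the module source and regenerate rather than editing the README. "List of domain resource id to associate" and "ResourceID to domain that will be associated" could be tightened in the same pass, for example "List of domain resource IDs to associate".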
8 changes: 4 additions & 4 deletions avm/res/cdn/profile/afdEndpoint/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "3384292547879688658"
"version": "0.30.23.60470",
"templateHash": "792735746278824384"
},
"name": "CDN Profiles AFD Endpoints",
"description": "This module deploys a CDN Profile AFD Endpoint.",
@@ -156,8 +156,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "18002678880456924020"
"version": "0.30.23.60470",
"templateHash": "1034122698174669197"
},
"name": "CDN Profiles AFD Endpoint Route",
"description": "This module deploys a CDN Profile AFD Endpoint route.",