diff --git a/.github/workflows/continuous-integration-terraform.yml b/.github/workflows/continuous-integration-terraform.yml
index 7ccfd3911..8cce76d31 100644
--- a/.github/workflows/continuous-integration-terraform.yml
+++ b/.github/workflows/continuous-integration-terraform.yml
@@ -40,19 +40,19 @@ jobs:
run: rm ./terraform/backend.tf
- name: Run a Terraform init
- uses: docker://hashicorp/terraform:1.8.4
+ uses: docker://hashicorp/terraform:1.9.2
with:
entrypoint: terraform
args: -chdir=terraform init
- name: Run a Terraform validate
- uses: docker://hashicorp/terraform:1.8.4
+ uses: docker://hashicorp/terraform:1.9.2
with:
entrypoint: terraform
args: -chdir=terraform validate
- name: Run a Terraform format check
- uses: docker://hashicorp/terraform:1.8.4
+ uses: docker://hashicorp/terraform:1.9.2
with:
entrypoint: terraform
args: -chdir=terraform fmt -check=true -diff=true
diff --git a/terraform/.terraform-version b/terraform/.terraform-version
index bfa363e76..8fdcf3869 100644
--- a/terraform/.terraform-version
+++ b/terraform/.terraform-version
@@ -1 +1 @@
-1.8.4
+1.9.2
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index f335d60ee..90cd30389 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -2,72 +2,62 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/azure/azapi" { - version = "1.13.1" + version = "1.14.0" constraints = ">= 1.13.0" hashes = [ - "h1:2cnqo8u7YMuBexFZv8/lXGxIn1dXuEnC44LAL90GAa0=", - "zh:1f2aceddd67ceeb82a75c2f15dc01e54781e9aed5968507dbc29590c165b2e2b", - "zh:397f0bfbac899d48e23cecf38d362c27562150aa20b19157b5bd370b8e6801ee", - "zh:652263b7d00623684e29ef7b8ff285a17c5bd7cc8ba7d22967c66d0b3a3c568a", - "zh:652c53320a41434942877515780296a1509be03f32d54e60178f39200f960a67", - "zh:666426faf686401e54ec09fe06e9d7c06a6455ec398764f70558440c73aeb7f9", - "zh:6aa91ae8ba78f2494f99b4c99e66d15ed0b14d735cd1f77adc12ff9dfa075807", - "zh:a529e5a13c37d1805c469227f08cdbe7527d04dd64d18709d26627c6a0b588b1", - "zh:a589c049205e8e5bf94a13d56b28f400d908ad27e13e16df64408ee82eb8a0ff", - "zh:a9a50defdee230f315f74be6c77ff104fe2610a1b3ad6b87326f555e80d13b18", - "zh:ba49ef70d96e13795e2dbffd6cb2ff976dfe84e0373a5971ebe3b4c9c9b7af60", - "zh:d3ed50efe5f8c80d3d7d464ab9a13ccf82440d871c9ce3032ce476845364c6b9", - "zh:e3eb48ee8c36ee4f81850d8a21fc59b81886c729d7c3b7adece4a25f355bed2f", + "h1:8UJUnecUZ60NCW06NssnYrSB0URrFI+WL9tq5x739mY=", + "zh:083709be750b878dfb33747ba1d326d23619a0ed654f95bce9c808e424923c90", + "zh:261b5060297b732d97b4363ad753355bfee00e93d773fd329023a5619b964c39", + "zh:51adfdaeb1b2c3d9e7aeba97c9c73d469712223dd125b14d90377d445d1cd3df", + "zh:5bcbedc9eeefa5e6267042604af20f93cadceba41d8d90a91040f60f6c5e38a9", + "zh:6da127f306083e740767f53dd0cc8787166a8af4f44519873dd8775ca981ddef", + "zh:7604cf377b8ea31a5a44db5b8566f5eea4d73acdfaaeb8ba10fcac46cbf4a738", + "zh:77789ef8906acabbf7eb55378e1f9c407499bb765811f193d256897d2925d66d", + "zh:8a333c53279b3b0b65519191dbba8ef7dc390f5d96216e4e6f165cac8b3e5dc2", + "zh:8c0dfe57dc2c29f8953db3037144d2254ce28bfa55dae537707ae4bdb4460f64", + "zh:debdeabcbcb6b421c2cdf2093d520c67e75a11d28d357b0ba32dd748105a5460", + "zh:e252ee062513904836fcc5e6548243429819e68aa7cfaeac7da8d816c4c4d1e8", + 
"zh:f48d1fd67b463d2121516911b5d20f8a72217e43e7740bb74929a17dbd43bb59", ] } provider "registry.terraform.io/hashicorp/azuread" { - version = "2.50.0" + version = "2.53.1" constraints = ">= 2.37.1" hashes = [ - "h1:/G7xnO8J6f2WvVXBfd111XeKjKsw2t9Oj7WkDLu4Ygc=", - "zh:0eb91d177d1d868dc50c006f07fb17905318555c5c7ff56ba5a8a623415e9342", - "zh:1baabaca448f4cab0cb31cbb1b564d1849a13ca4a6536d1a6f92097b88cd883d", + "h1:EZNO8sEtUABuRxujQrDrW1z1QsG0dq6iLbzWtnG7Om4=", + "zh:162916b037e5133f49298b0ffa3e7dcef7d76530a8ca738e7293373980f73c68", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:4fdd139514253128f389ac00b7942c4a4da10135b120ff4c0dc0fd8382c3b003", - "zh:6adb28fd81775a79b894d4c15dc292188ff2b1ff7f9d5bacd6db19ca75a71f92", - "zh:6bcd4d8ec7ad5b15b576defc803958948717d496b2c1356a77577eb6f86ac1b6", - "zh:8a4b65cb3f67199bf1a46f8061169373dcfb5619934ecf80eaf143d8a8b4f1db", - "zh:93c886fc940619b74610b88b067491d2b731e27e20550b08a44227c1b2e59022", - "zh:9a16a45fa544f0b777bf2f83b1e1156018b0737c9359c432c2d774451f168b59", - "zh:9b191e3496e8d461f612b1a767b44821d2ea62545f7f0363690c0b6fc73af37b", - "zh:e6575b9c6ca30c3adc6b39839f246be3d9d8ce883a111fb695f1618df3887574", - "zh:f5c5336948cd05a9dd64a5938c5edfb90adfda0df89d80e80da1a1fdb2c61816", + "zh:492931cea4f30887ab5bca36a8556dfcb897288eddd44619c0217fc5da2d57e7", + "zh:4c895e450e18335ad8714cc6d3488fc1a78816ad2851a91b06cb2ef775dd7c66", + "zh:60d92fdaf7235574201f2d8f68f733ee00a822993b3fc95e6952e09e6ec76999", + "zh:67a169119efa41c1fb867ef1a8e79bf03472a2324384c36eb55370c817dcce42", + "zh:9dd4d5ed9233cf9329262200bc5a1aa60942b80dbc611e2ef4b09f47531b39b1", + "zh:a3c160e35b9e40fc1497b83c2f37a8e24565b05a1783c7733609f3695735c2a9", + "zh:a4a221da42b1f46e7c436c7145e5beaadfd9d03f3be6fd526d132c03f18a5979", + "zh:af0d3476a9702d2287e168e3baa670e64daab9c9b01c01e17025a5248f3e28e9", + "zh:e3579bff7894f3d36066b74ec324be6d28f56a42a387a2b8a0eabf33cbff86df", + "zh:f1749ee8ad972ae6424665aa9d2c0ece8c40c51d41ec2f38b863148cb437e865", ] } 
provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.110.0" + version = "3.113.0" constraints = ">= 3.52.0, >= 3.76.0" hashes = [ - "h1:1RTNF6+oWimes50dMCD3UsV5TGm3CKQ4QiUmJJUbZgI=", - "h1:2fc8TUCoyCcjNgpLUM2gAUtkYyBVy2r5Rwbhld7jFak=", - "h1:4QrrAcbVTUzX2xQIywvAZeM+lrCgcFbFGoADvTAXdhk=", - "h1:EY+IRabj+4NJ3tqB4kVg7dTjoTdwOMHUhIvIoddgRTI=", - "h1:W+wrSFwN8u+2rqJIXWRHC/IQ2eDxkMqmCT2QgHGj6p0=", - "h1:aoeAevsmln75g4lAptA396vMBN1X1thwN6Dippw80RM=", - "h1:ice1q9zU8gIFSpCvuO7NBvod/zV5FPoZHhaHvXlETss=", - "h1:sEdDtDbngITDazd3IjiHPVX7fKGjlBAVdgBB+EULVKQ=", - "h1:sxJe/N9/r+UDNQmRMKRRbJN9N1zpijux3iCJYwWs20A=", - "h1:uFWuQs6FmEBPJOm7dpp29zC5g/tDwVXT9Ub2UR35Dc0=", - "h1:uxeKsqfI9LjvYkcMCiFwlDpQzZvrB83pVJIoG9s4t54=", - "zh:1a1fe9e1a4c08453f249352d135349f7a06f2973dbb839375c7b802523a87351", - "zh:25a9ddeb9b0e1d974aa45ecd67e3f7b8ee333565f0fd99e02b588acf55c46664", - "zh:3ef3f6ed554348b10a645342110baa7d5a4932857e66f20b2b258f9c1af57b0b", - "zh:443e05f7510de0992d7fd4912d2aa3ef477cf186e7c2796bbb699ea12e531b86", - "zh:815444b71a70e79a2c96995bb1970a860d9ce160e11d07c7e61dd284f9b9de8e", - "zh:839d6bc2344e64f0ae8c39c2fd76bedd86c96c3ea22d827492f797b114cb761a", - "zh:922ec196b32c2fe8cff13a58ebfd75929f3a500cf8730aa80d72e0074f00b7cd", - "zh:a818559d9d389b0d6d27bc2c9cea7b97c27451bd9a49f4e86d2221613b459e09", - "zh:e90979a9f2574a368c5857a19bbfa43718cfd4ba12cc3dff9f7ce8f782160d1b", - "zh:f1321caa0a77e7ffb68384b3e35d285fa0fa6c2a8202d2a37d8c321367060ac7", - "zh:f3ae86bf1cb82923595d389db220fd2039cb5fd3720d754abd5c06b6c705ac2c", + "h1:SbNQLapCxbTbhM37LaRALPizAZMiA5sTRC09sUWgZOo=", + "zh:12479f5664288943400447b55e50df675c28ae82ad8d373cc2e5682f3a3411f0", + "zh:1b42a14e80e568429d3b55fed753ca3ef0df9dcdfa107890d7264599c020940f", + "zh:381be6ca617f848de3baa3985a6e1788e91a803afe04a3c5c727453528b6310d", + "zh:3e70e2e07b6db1c363de3e5d0ca47f27fc956473df03329c7d2e54d3ac29176b", + "zh:87c7633aeaa828098c6055da9e67d4acaf4b46748b6b3f0267e105e55f05de25", + 
"zh:8d0d98226901f874770dd5220d4701a12ae8bd586994615aa7dcba12b9736bec", + "zh:9fd913acd42a60c3a90a18ce803567ef861db8779a59aacced91f2cbd86de9d9", + "zh:b6f3f7ae0a055437fb36c139af9bb3135e7f4dad172157ae1eb0177dc74d703f", + "zh:b927027ba2bf40d34e03d742fd2b6c5299023b5ab8e6f05e50aac76a46ad1094", + "zh:ceb5187b9d2a439f4e48944f3ffeeeaf47a03dbe6f3325ea1775bf659ce0aa88", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fb9d78dfeca7489bffca9b1a1f3abee7f16dbbcba31388aea1102062c1d6dce8", ] } diff --git a/terraform/README.md b/terraform/README.md index 6cef47729..673d68252 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -137,7 +137,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.8.0 | +| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.10.1 | | [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.2 | | [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.4 | 
@@ -162,8 +162,9 @@ No resources. | [cdn\_frontdoor\_host\_add\_response\_headers](#input\_cdn\_frontdoor\_host\_add\_response\_headers) | List of response headers to add at the CDN Front Door `[{ "name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]` | `list(map(string))` | n/a | yes | | [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no | | [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no | -| [cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes](#input\_cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes) | CDN Front Door rate limiting duration in minutes | `number` | n/a | yes | -| [cdn\_frontdoor\_rate\_limiting\_threshold](#input\_cdn\_frontdoor\_rate\_limiting\_threshold) | CDN Front Door rate limiting duration in minutes | `number` | n/a | yes | +| [cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes](#input\_cdn\_frontdoor\_rate\_limiting\_duration\_in\_minutes) | CDN Front Door rate limiting duration in minutes | `number` | `5` | no | +| [cdn\_frontdoor\_rate\_limiting\_threshold](#input\_cdn\_frontdoor\_rate\_limiting\_threshold) | CDN Front Door rate limiting duration in minutes | `number` | `300` | no | +| [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF |
map(object({
priority : number,
action : string
match_conditions : map(object({
match_variable : string,
match_values : optional(list(string), []),
operator : optional(string, "Any"),
selector : optional(string, null),
negation_condition : optional(bool, false),
}))
}))
| `{}` | no |
| [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
| [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
| [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | n/a | yes |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index bcd249bb0..42b579d64 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -1,5 +1,5 @@
module "azure_container_apps_hosting" {
- source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.8.0"
+ source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.10.1"
environment = local.environment
project_name = local.project_name
@@ -42,6 +42,7 @@ module "azure_container_apps_hosting" {
cdn_frontdoor_forwarding_protocol = local.cdn_frontdoor_forwarding_protocol
cdn_frontdoor_enable_rate_limiting = local.cdn_frontdoor_enable_rate_limiting
cdn_frontdoor_rate_limiting_duration_in_minutes = local.cdn_frontdoor_rate_limiting_duration_in_minutes
+ cdn_frontdoor_waf_custom_rules = local.cdn_frontdoor_waf_custom_rules
cdn_frontdoor_rate_limiting_threshold = local.cdn_frontdoor_rate_limiting_threshold
cdn_frontdoor_host_add_response_headers = local.cdn_frontdoor_host_add_response_headers
cdn_frontdoor_custom_domains = local.cdn_frontdoor_custom_domains
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 319d2be7e..a48b30a09 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
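Review bot: In the `@@ -42,6 +42,7 @@` hunk of container-apps-hosting.tf the new `cdn_frontdoor_waf_custom_rules = local.cdn_frontdoor_waf_custom_rules` line is inserted between `cdn_frontdoor_rate_limiting_duration_in_minutes` and `cdn_frontdoor_rate_limiting_threshold`, splitting the pair of rate-limiting arguments that belong together. Moving it to after the `cdn_frontdoor_rate_limiting_threshold` line keeps the rate-limiting settings adjacent and the WAF custom rules as their own item; the locals.tf hunk places its new line the same way and would benefit from the same reordering. The `module "azure_container_apps_hosting"` block starts and ends outside this hunk.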
@@ -34,6 +34,7 @@ locals {
cdn_frontdoor_enable_rate_limiting = var.cdn_frontdoor_enable_rate_limiting
cdn_frontdoor_rate_limiting_duration_in_minutes = var.cdn_frontdoor_rate_limiting_duration_in_minutes
cdn_frontdoor_rate_limiting_threshold = var.cdn_frontdoor_rate_limiting_threshold
+ cdn_frontdoor_waf_custom_rules = var.cdn_frontdoor_waf_custom_rules
cdn_frontdoor_host_add_response_headers = var.cdn_frontdoor_host_add_response_headers
cdn_frontdoor_custom_domains = var.cdn_frontdoor_custom_domains
cdn_frontdoor_origin_fqdn_override = var.cdn_frontdoor_origin_fqdn_override
diff --git a/terraform/variables.tf b/terraform/variables.tf
index feceb8b3d..902c05d03 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -178,11 +178,13 @@ variable "cdn_frontdoor_enable_rate_limiting" {
variable "cdn_frontdoor_rate_limiting_duration_in_minutes" {
description = "CDN Front Door rate limiting duration in minutes"
type = number
+ default = 5
}
variable "cdn_frontdoor_rate_limiting_threshold" {
description = "CDN Front Door rate limiting duration in minutes"
type = number
+ default = 300
}
variable "cdn_frontdoor_host_add_response_headers" {
@@ -360,3 +362,19 @@ variable "enable_cdn_frontdoor_health_probe" {
type = bool
default = false
}
+
+variable "cdn_frontdoor_waf_custom_rules" {
+ description = "Map of all Custom rules you want to apply to the CDN WAF"
+ type = map(object({
+ priority : number,
+ action : string
+ match_conditions : map(object({
+ match_variable : string,
+ match_values : optional(list(string), []),
+ operator : optional(string, "Any"),
+ selector : optional(string, null),
+ negation_condition : optional(bool, false),
+ }))
+ }))
+ default = {}
+}
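Review bot: In the `@@ -178,11 +178,13 @@` hunk of variables.tf, the description of `cdn_frontdoor_rate_limiting_threshold`, two lines above the new `default = 300`, still reads "CDN Front Door rate limiting duration in minutes", which is the duration variable's text copied over; the threshold is a request count, not a number of minutes, and `300` minutes would make no sense as a value. Suggest `description = "CDN Front Door rate limiting threshold: number of requests from a client within the rate limiting duration before the rate limit action is applied"`. The README row for this input in the same commit mirrors the wrong text, so the generated inputs table should be refreshed after the fix. Adding defaults also turns both variables from required into optional inputs, so a deployment that previously had to set them explicitly now silently picks up 5 minutes / 300 requests; worth a line in the commit description.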
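Review bot: The new `cdn_frontdoor_waf_custom_rules` variable in the `@@ -360,3 +362,19 @@` hunk accepts any string for `action` and any `priority`, while `operator` defaults to `"Any"` and `match_values` to `[]`, so a rule built from the defaults is a match-everything rule and a typo in `action` or a duplicate `priority` is only discovered at apply time. If these map onto an azurerm `cdn_frontdoor_firewall_policy` `custom_rule` (inferred from the field names, not visible in this commit), `validation` blocks on the variable would reject the bad input at plan time instead; the Terraform version pinned in this commit supports them. The description should also say what the map key is used for (presumably the rule name; confirm against the module) and that `priority` must be unique across rules. Suggested validation blocks, appended inside the variable:
```hcl
variable "cdn_frontdoor_waf_custom_rules" {
  # … unchanged: description, type and default …

  validation {
    condition = alltrue([
      for rule in var.cdn_frontdoor_waf_custom_rules :
      contains(["Allow", "Block", "Log", "Redirect"], rule.action)
    ])
    error_message = "Each custom rule action must be one of Allow, Block, Log or Redirect."
  }

  validation {
    condition = length(distinct([
      for rule in var.cdn_frontdoor_waf_custom_rules : rule.priority
    ])) == length(var.cdn_frontdoor_waf_custom_rules)
    error_message = "Custom rule priorities must be unique."
  }
}
```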