From 456d58bcdd61c78e1940282ca98030a69f982c68 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Sat, 29 Jan 2022 15:36:17 +0100
Subject: [PATCH 01/33] start with new module

---
 .../applicationGateways/deploy.bicep | 784 +++++++++++-------
 .../applicationGateways/deploy_old.bicep | 432 ++++++++++
 2 files changed, 912 insertions(+), 304 deletions(-)
 create mode 100644 arm/Microsoft.Network/applicationGateways/deploy_old.bicep

diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep
index 1e9db49110..b805ec6a71 100644
--- a/arm/Microsoft.Network/applicationGateways/deploy.bicep
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep
@@ -1,81 +1,8 @@ -@description('Required. The name to be used for the Application Gateway.') +@description('Required. Name of the Application Gateway.') +@maxLength(24) param name string -@description('Optional. The name of the SKU for the Application Gateway.') -@allowed([ - 'Standard_Small' - 'Standard_Medium' - 'Standard_Large' - 'WAF_Medium' - 'WAF_Large' - 'Standard_v2' - 'WAF_v2' -]) -param sku string = 'WAF_Medium' - -@description('Optional. The number of Application instances to be configured.') -@minValue(1) -@maxValue(10) -param capacity int = 2 - -@description('Optional. Enables HTTP/2 support.') -param http2Enabled bool = true - -@description('Required. PublicIP Resource ID used in Public Frontend.') -param frontendPublicIpResourceId string - -@metadata({ - description: 'Optional. The private IP within the Application Gateway subnet to be used as frontend private address.' - limitations: 'The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed' -}) -param frontendPrivateIpAddress string = '' - -@description('Required. The name of the Virtual Network where the Application Gateway will be deployed.') -param vNetName string - -@description('Required. The name of Gateway Subnet Name where the Application Gateway will be deployed.') -param subnetName string - -@description('Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed.') -param vNetResourceGroup string = resourceGroup().name - -@description('Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed.') -param vNetSubscriptionId string = subscription().subscriptionId - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - -@description('Optional. 
Application Gateway IP configuration name.') -param gatewayIpConfigurationName string = 'gatewayIpConfiguration01' - -@description('Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners.') -param sslCertificateName string = 'sslCertificate01' - -@description('Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners.') -param sslCertificateKeyVaultSecretId string = '' - -@description('Required. The backend pools to be configured.') -param backendPools array - -@description('Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools.') -param backendHttpConfigurations array - -@description('Optional. The backend HTTP settings probes to be configured.') -param probes array = [] - -@description('Required. The frontend http listeners to be configured.') -param frontendHttpListeners array = [] - -@description('Required. The frontend HTTPS listeners to be configured.') -param frontendHttpsListeners array = [] - -@description('Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener.') -param frontendHttpRedirects array = [] - -@description('Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration.') -param routingRules array - -@description('Optional. Location for all Resources.') +@description('Optional. Location for all resources.') param location string = resourceGroup().location @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') 
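Review bot: The `@maxLength(24)` added to `name` is not explained in the parameter description and looks stricter than the platform's own limit for this resource type (Application Gateway names allow considerably more than 24 characters, as far as I recall), so callers that already use longer names would be rejected at validation time. Either confirm the limit against the current naming rules or document why 24 was chosen, e.g. `@description('Required. Name of the Application Gateway (limited to 24 characters by this module).')`. The remainder of the hunk only removes parameters that the new resource body does not yet consume, so nothing else here changes the external interface beyond those removals.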
@@ -83,35 +10,18 @@ param location string = resourceGroup().location @maxValue(365) param diagnosticLogsRetentionInDays int = 365 -@description('Optional. Resource ID of the diagnostic storage account.') +@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticStorageAccountId string = '' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') +@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. ') param diagnosticEventHubAuthorizationRuleId string = '' -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticEventHubName string = '' -@allowed([ - 'CanNotDelete' - 'NotSpecified' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = 'NotSpecified' - -@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') -param roleAssignments array = [] - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') -param cuaId string = '' - @description('Optional. The name of logs that will be streamed.') @allowed([ 'ApplicationGatewayAccessLog' 
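Review bot: The recommendation sentence appended to `diagnosticStorageAccountId`, `diagnosticWorkspaceId` and `diagnosticEventHubName` is missing from `diagnosticEventHubAuthorizationRuleId`, whose description only gained a trailing space; for consistency give it the same text, e.g. `@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')`. The sentence is advisory only: nothing in this hunk fails the deployment when all four sinks are left empty, so the wording should make clear that the module does not enforce log export, or a validation should be added where the diagnostic setting is created (outside this hunk). Note also that `lock`, `roleAssignments`, `tags` and `cuaId` are removed here but reappear in the following hunk, so this is a move rather than a removal.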
@@ -151,244 +61,510 @@ var diagnosticsMetrics = [for metric in metricsToEnable: { } }] -var applicationGatewayResourceId = az.resourceId('Microsoft.Network/applicationGateways', name) -var subnetResourceId = az.resourceId(vNetSubscriptionId, vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vNetName, subnetName) -var frontendPublicIPConfigurationName = 'public' -var frontendPrivateIPConfigurationName = 'private' -var frontendPrivateIPDynamicConfiguration = { - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: subnetResourceId - } -} -var frontendPrivateIPStaticConfiguration = { - privateIPAllocationMethod: 'Static' - privateIPAddress: frontendPrivateIpAddress - subnet: { - id: subnetResourceId - } -} -var redirectConfigurationsHttpRedirectNamePrefix = 'httpRedirect' -var httpListenerhttpRedirectNamePrefix = 'httpRedirect' -var requestRoutingRuleHttpRedirectNamePrefix = 'httpRedirect' -var wafConfiguration = { - enabled: true - firewallMode: 'Detection' - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - disabledRuleGroups: [] - requestBodyCheck: true - maxRequestBodySizeInKb: '128' -} -var sslCertificates = [ - { - name: sslCertificateName - properties: { - keyVaultSecretId: sslCertificateKeyVaultSecretId - } - } -] -var frontendPorts = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpPorts), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsPorts), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirectPorts)) -var httpListeners = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpListeners_var), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsListeners_var), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirects_var)) -var redirectConfigurations = (empty(frontendHttpRedirects) ? 
frontendHttpRedirects : httpRedirectConfigurations) -var requestRoutingRules = concat(httpsRequestRoutingRules, (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRequestRoutingRules)) +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : null +@description('Optional. Resource tags.') +param tags object = {} -var backendAddressPools = [for backendPool in backendPools: { - name: backendPool.backendPoolName - type: 'Microsoft.Network/applicationGateways/backendAddressPools' - properties: { - backendAddresses: contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : [] - } -}] -var probes_var = [for probe in probes: { - name: '${probe.backendHttpConfigurationName}Probe' - type: 'Microsoft.Network/applicationGateways/probes' - properties: { - protocol: probe.protocol - host: probe.host - path: probe.path - interval: contains(probe, 'interval') ? probe.interval : 30 - timeout: contains(probe, 'timeout') ? probe.timeout : 30 - unhealthyThreshold: contains(probe, 'timeout') ? probe.unhealthyThreshold : 3 - minServers: contains(probe, 'timeout') ? probe.minServers : 0 - match: { - body: contains(probe, 'timeout') ? 
probe.body : '' - statusCodes: probe.statusCodes - } - } -}] -var backendHttpConfigurations_var = [for backendHttpConfiguration in backendHttpConfigurations: { - name: backendHttpConfiguration.backendHttpConfigurationName - properties: { - port: backendHttpConfiguration.port - protocol: backendHttpConfiguration.protocol - cookieBasedAffinity: backendHttpConfiguration.cookieBasedAffinity - pickHostNameFromBackendAddress: backendHttpConfiguration.pickHostNameFromBackendAddress - probeEnabled: backendHttpConfiguration.probeEnabled - probe: bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : null - } -}] -var frontendHttpsPorts = [for frontendHttpsListener in frontendHttpsListeners: { - name: 'port${frontendHttpsListener.port}' - properties: { - Port: frontendHttpsListener.port - } -}] -var frontendHttpsListeners_var = [for frontendHttpsListener in frontendHttpsListeners: { - name: frontendHttpsListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpsListener.frontendIPType}' - } - FrontendPort: { - id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpsListener.port}' - } - Protocol: 'https' - SslCertificate: { - id: '${applicationGatewayResourceId}/sslCertificates/${sslCertificateName}' - } - } -}] -var frontendHttpPorts = [for frontendHttpListener in frontendHttpListeners: { - name: 'port${frontendHttpListener.port}' - properties: { - Port: frontendHttpListener.port - } -}] -var frontendHttpListeners_var = [for frontendHttpListener in frontendHttpListeners: { - name: frontendHttpListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpListener.frontendIPType}' - } - FrontendPort: { - id: 
'${applicationGatewayResourceId}/frontendPorts/port${frontendHttpListener.port}' - } - Protocol: 'http' - } -}] -var httpsRequestRoutingRules = [for routingRule in routingRules: { - name: '${routingRule.frontendListenerName}-${routingRule.backendHttpConfigurationName}-${routingRule.backendHttpConfigurationName}' - properties: { - RuleType: 'Basic' - httpListener: { - id: '${applicationGatewayResourceId}/httpListeners/${routingRule.frontendListenerName}' - } - backendAddressPool: { - id: '${applicationGatewayResourceId}/backendAddressPools/${routingRule.backendPoolName}' - } - backendHttpSettings: { - id: '${applicationGatewayResourceId}/backendHttpSettingsCollection/${routingRule.backendHttpConfigurationName}' - } - } -}] -var frontendHttpRedirectPorts = [for frontendHttpRedirect in frontendHttpRedirects: { - name: 'port${frontendHttpRedirect.port}' - properties: { - Port: frontendHttpRedirect.port - } -}] -var frontendHttpRedirects_var = [for frontendHttpRedirect in frontendHttpRedirects: { - name: '${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpRedirect.frontendIPType}' - } - FrontendPort: { - id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpRedirect.port}' - } - Protocol: 'http' - } -}] -var httpRequestRoutingRules = [for frontendHttpRedirect in frontendHttpRedirects: { - name: '${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' - properties: { - RuleType: 'Basic' - httpListener: { - id: '${applicationGatewayResourceId}/httpListeners/${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' - } - redirectConfiguration: { - id: '${applicationGatewayResourceId}/redirectConfigurations/${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' - } - } -}] -var httpRedirectConfigurations = [for frontendHttpRedirect 
in frontendHttpRedirects: { - name: '${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' - properties: { - redirectType: 'Permanent' - includePath: true - includeQueryString: true - requestRoutingRules: [ - { - id: '${applicationGatewayResourceId}/requestRoutingRules/${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' - } - ] - targetListener: { - id: '${applicationGatewayResourceId}/httpListeners/${frontendHttpRedirect.frontendListenerName}' - } - } -}] +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') +param cuaId string = '' module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} } -resource applicationGateway 'Microsoft.Network/applicationGateways@2021-03-01' = { +resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' = { name: name location: location - identity: identity tags: tags + identity: { + type: 'string' + userAssignedIdentities: {} + } properties: { - sku: { - name: sku - tier: endsWith(sku, 'v2') ? 
sku : substring(sku, 0, indexOf(sku, '_')) - capacity: capacity + authenticationCertificates: [ + { + id: 'string' + name: 'string' + properties: { + data: 'string' + } + } + ] + autoscaleConfiguration: { + maxCapacity: int + minCapacity: int } + backendAddressPools: [ + { + id: 'string' + name: 'string' + properties: { + backendAddresses: [ + { + fqdn: 'string' + ipAddress: 'string' + } + ] + } + } + ] + backendHttpSettingsCollection: [ + { + id: 'string' + name: 'string' + properties: { + affinityCookieName: 'string' + authenticationCertificates: [ + { + id: 'string' + } + ] + connectionDraining: { + drainTimeoutInSec: int + enabled: bool + } + cookieBasedAffinity: 'string' + hostName: 'string' + path: 'string' + pickHostNameFromBackendAddress: bool + port: int + probe: { + id: 'string' + } + probeEnabled: bool + protocol: 'string' + requestTimeout: int + trustedRootCertificates: [ + { + id: 'string' + } + ] + } + } + ] + customErrorConfigurations: [ + { + customErrorPageUrl: 'string' + statusCode: 'string' + } + ] + enableFips: bool + enableHttp2: bool + firewallPolicy: { + id: 'string' + } + forceFirewallPolicyAssociation: bool + frontendIPConfigurations: [ + { + id: 'string' + name: 'string' + properties: { + privateIPAddress: 'string' + privateIPAllocationMethod: 'string' + privateLinkConfiguration: { + id: 'string' + } + publicIPAddress: { + id: 'string' + } + subnet: { + id: 'string' + } + } + } + ] + frontendPorts: [ + { + id: 'string' + name: 'string' + properties: { + port: int + } + } + ] gatewayIPConfigurations: [ { - name: gatewayIpConfigurationName + id: 'string' + name: 'string' properties: { subnet: { - id: subnetResourceId + id: 'string' } } } ] - frontendIPConfigurations: [ + globalConfiguration: { + enableRequestBuffering: bool + enableResponseBuffering: bool + } + httpListeners: [ { - name: frontendPrivateIPConfigurationName - type: 'Microsoft.Network/applicationGateways/frontendIPConfigurations' - properties: empty(frontendPrivateIpAddress) ? 
frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration + id: 'string' + name: 'string' + properties: { + customErrorConfigurations: [ + { + customErrorPageUrl: 'string' + statusCode: 'string' + } + ] + firewallPolicy: { + id: 'string' + } + frontendIPConfiguration: { + id: 'string' + } + frontendPort: { + id: 'string' + } + hostName: 'string' + hostNames: [ + 'string' + ] + protocol: 'string' + requireServerNameIndication: bool + sslCertificate: { + id: 'string' + } + sslProfile: { + id: 'string' + } + } } + ] + loadDistributionPolicies: [ { - name: frontendPublicIPConfigurationName + id: 'string' + name: 'string' properties: { - publicIPAddress: { - id: frontendPublicIpResourceId + loadDistributionAlgorithm: 'string' + loadDistributionTargets: [ + { + id: 'string' + name: 'string' + properties: { + backendAddressPool: { + id: 'string' + } + weightPerServer: int + } + } + ] + } + } + ] + privateLinkConfigurations: [ + { + id: 'string' + name: 'string' + properties: { + ipConfigurations: [ + { + id: 'string' + name: 'string' + properties: { + primary: bool + privateIPAddress: 'string' + privateIPAllocationMethod: 'string' + subnet: { + id: 'string' + } + } + } + ] + } + } + ] + probes: [ + { + id: 'string' + name: 'string' + properties: { + host: 'string' + interval: int + match: { + body: 'string' + statusCodes: [ + 'string' + ] + } + minServers: int + path: 'string' + pickHostNameFromBackendHttpSettings: bool + port: int + protocol: 'string' + timeout: int + unhealthyThreshold: int + } + } + ] + redirectConfigurations: [ + { + id: 'string' + name: 'string' + properties: { + includePath: bool + includeQueryString: bool + pathRules: [ + { + id: 'string' + } + ] + redirectType: 'string' + requestRoutingRules: [ + { + id: 'string' + } + ] + targetListener: { + id: 'string' + } + targetUrl: 'string' + urlPathMaps: [ + { + id: 'string' + } + ] + } + } + ] + requestRoutingRules: [ + { + id: 'string' + name: 'string' + properties: { + 
backendAddressPool: { + id: 'string' + } + backendHttpSettings: { + id: 'string' + } + httpListener: { + id: 'string' + } + loadDistributionPolicy: { + id: 'string' + } + priority: int + redirectConfiguration: { + id: 'string' + } + rewriteRuleSet: { + id: 'string' + } + ruleType: 'string' + urlPathMap: { + id: 'string' + } + } + } + ] + rewriteRuleSets: [ + { + id: 'string' + name: 'string' + properties: { + rewriteRules: [ + { + actionSet: { + requestHeaderConfigurations: [ + { + headerName: 'string' + headerValue: 'string' + } + ] + responseHeaderConfigurations: [ + { + headerName: 'string' + headerValue: 'string' + } + ] + urlConfiguration: { + modifiedPath: 'string' + modifiedQueryString: 'string' + reroute: bool + } + } + conditions: [ + { + ignoreCase: bool + negate: bool + pattern: 'string' + variable: 'string' + } + ] + name: 'string' + ruleSequence: int + } + ] + } + } + ] + sku: { + capacity: int + name: 'string' + tier: 'string' + } + sslCertificates: [ + { + id: 'string' + name: 'string' + properties: { + data: 'string' + keyVaultSecretId: 'string' + password: 'string' + } + } + ] + sslPolicy: { + cipherSuites: [ + 'string' + ] + disabledSslProtocols: [ + 'string' + ] + minProtocolVersion: 'string' + policyName: 'string' + policyType: 'string' + } + sslProfiles: [ + { + id: 'string' + name: 'string' + properties: { + clientAuthConfiguration: { + verifyClientCertIssuerDN: bool + } + sslPolicy: { + cipherSuites: [ + 'string' + ] + disabledSslProtocols: [ + 'string' + ] + minProtocolVersion: 'string' + policyName: 'string' + policyType: 'string' } + trustedClientCertificates: [ + { + id: 'string' + } + ] } } ] - sslCertificates: empty(sslCertificateKeyVaultSecretId) ? 
null : sslCertificates - backendAddressPools: backendAddressPools - probes: probes_var - backendHttpSettingsCollection: backendHttpConfigurations_var - frontendPorts: frontendPorts - httpListeners: httpListeners - redirectConfigurations: redirectConfigurations - requestRoutingRules: requestRoutingRules - enableHttp2: http2Enabled - webApplicationFirewallConfiguration: startsWith(sku, 'WAF') ? wafConfiguration : null + trustedClientCertificates: [ + { + id: 'string' + name: 'string' + properties: { + data: 'string' + } + } + ] + trustedRootCertificates: [ + { + id: 'string' + name: 'string' + properties: { + data: 'string' + keyVaultSecretId: 'string' + } + } + ] + urlPathMaps: [ + { + id: 'string' + name: 'string' + properties: { + defaultBackendAddressPool: { + id: 'string' + } + defaultBackendHttpSettings: { + id: 'string' + } + defaultLoadDistributionPolicy: { + id: 'string' + } + defaultRedirectConfiguration: { + id: 'string' + } + defaultRewriteRuleSet: { + id: 'string' + } + pathRules: [ + { + id: 'string' + name: 'string' + properties: { + backendAddressPool: { + id: 'string' + } + backendHttpSettings: { + id: 'string' + } + firewallPolicy: { + id: 'string' + } + loadDistributionPolicy: { + id: 'string' + } + paths: [ + 'string' + ] + redirectConfiguration: { + id: 'string' + } + rewriteRuleSet: { + id: 'string' + } + } + } + ] + } + } + ] + webApplicationFirewallConfiguration: { + disabledRuleGroups: [ + { + ruleGroupName: 'string' + rules: [ + int + ] + } + ] + enabled: bool + exclusions: [ + { + matchVariable: 'string' + selector: 'string' + selectorMatchOperator: 'string' + } + ] + fileUploadLimitInMb: int + firewallMode: 'string' + maxRequestBodySize: int + maxRequestBodySizeInKb: int + requestBodyCheck: bool + ruleSetType: 'string' + ruleSetVersion: 'string' + } } - dependsOn: [] + zones: [ + 'string' + ] } resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { 
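Review bot: The new `applicationGateway` resource body is the ARM reference skeleton with literal `'string'` values and bare type names as property values (`maxCapacity: int`, `enableFips: bool`, `identity: { type: 'string' ... }`), so as far as I can tell it cannot compile or deploy as committed; if a work-in-progress scaffold is intended to land, add a header comment such as `// WIP: placeholder skeleton, not deployable – do not publish this module version` so nobody wires it into a pipeline. From a security standpoint the skeleton keeps the inline `data` and `password` properties under `sslCertificates` and `data` under `authenticationCertificates`/`trustedRootCertificates`, whereas the module it replaces only ever referenced the certificate through `keyVaultSecretId`; when these are turned into parameters they should be `@secure()` or dropped in favour of the Key Vault reference so certificate material and passwords do not end up in deployment history. `sslPolicy` and `webApplicationFirewallConfiguration` are also placeholders, so when they are filled in, set `minProtocolVersion` and the WAF `enabled`/`firewallMode`/rule set explicitly rather than inheriting service defaults, and restore the conditional `identity` handling that the hard-coded `identity` block currently replaces. The `applicationGateway_lock` resource on the last line of the hunk continues outside it.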
diff --git a/arm/Microsoft.Network/applicationGateways/deploy_old.bicep b/arm/Microsoft.Network/applicationGateways/deploy_old.bicep
new file mode 100644
index 0000000000..1e9db49110
--- /dev/null
+++ b/arm/Microsoft.Network/applicationGateways/deploy_old.bicep
@@ -0,0 +1,432 @@ +@description('Required. The name to be used for the Application Gateway.') +param name string + +@description('Optional. The name of the SKU for the Application Gateway.') +@allowed([ + 'Standard_Small' + 'Standard_Medium' + 'Standard_Large' + 'WAF_Medium' + 'WAF_Large' + 'Standard_v2' + 'WAF_v2' +]) +param sku string = 'WAF_Medium' + +@description('Optional. The number of Application instances to be configured.') +@minValue(1) +@maxValue(10) +param capacity int = 2 + +@description('Optional. Enables HTTP/2 support.') +param http2Enabled bool = true + +@description('Required. PublicIP Resource ID used in Public Frontend.') +param frontendPublicIpResourceId string + +@metadata({ + description: 'Optional. The private IP within the Application Gateway subnet to be used as frontend private address.' + limitations: 'The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed' +}) +param frontendPrivateIpAddress string = '' + +@description('Required. The name of the Virtual Network where the Application Gateway will be deployed.') +param vNetName string + +@description('Required. The name of Gateway Subnet Name where the Application Gateway will be deployed.') +param subnetName string + +@description('Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed.') +param vNetResourceGroup string = resourceGroup().name + +@description('Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed.') +param vNetSubscriptionId string = subscription().subscriptionId + +@description('Optional. The ID(s) to assign to the resource.') +param userAssignedIdentities object = {} + +@description('Optional. Application Gateway IP configuration name.') +param gatewayIpConfigurationName string = 'gatewayIpConfiguration01' + +@description('Optional. 
SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners.') +param sslCertificateName string = 'sslCertificate01' + +@description('Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners.') +param sslCertificateKeyVaultSecretId string = '' + +@description('Required. The backend pools to be configured.') +param backendPools array + +@description('Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools.') +param backendHttpConfigurations array + +@description('Optional. The backend HTTP settings probes to be configured.') +param probes array = [] + +@description('Required. The frontend http listeners to be configured.') +param frontendHttpListeners array = [] + +@description('Required. The frontend HTTPS listeners to be configured.') +param frontendHttpsListeners array = [] + +@description('Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener.') +param frontendHttpRedirects array = [] + +@description('Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration.') +param routingRules array + +@description('Optional. Location for all Resources.') +param location string = resourceGroup().location + +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of the diagnostic log analytics workspace.') +param diagnosticWorkspaceId string = '' + +@description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param diagnosticEventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param diagnosticEventHubName string = '' + +@allowed([ + 'CanNotDelete' + 'NotSpecified' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock.') +param lock string = 'NotSpecified' + +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + +@description('Optional. Tags of the resource.') +param tags object = {} + +@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') +param cuaId string = '' + +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'ApplicationGatewayAccessLog' + 'ApplicationGatewayPerformanceLog' + 'ApplicationGatewayFirewallLog' +]) +param logsToEnable array = [ + 'ApplicationGatewayAccessLog' + 'ApplicationGatewayPerformanceLog' + 'ApplicationGatewayFirewallLog' +] + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var applicationGatewayResourceId = az.resourceId('Microsoft.Network/applicationGateways', name) +var subnetResourceId = az.resourceId(vNetSubscriptionId, vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vNetName, subnetName) +var frontendPublicIPConfigurationName = 'public' +var frontendPrivateIPConfigurationName = 'private' +var frontendPrivateIPDynamicConfiguration = { + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: subnetResourceId + } +} +var frontendPrivateIPStaticConfiguration = { + privateIPAllocationMethod: 'Static' + privateIPAddress: frontendPrivateIpAddress + subnet: { + id: subnetResourceId + } +} +var redirectConfigurationsHttpRedirectNamePrefix = 'httpRedirect' +var httpListenerhttpRedirectNamePrefix = 'httpRedirect' +var requestRoutingRuleHttpRedirectNamePrefix = 'httpRedirect' +var wafConfiguration = { + enabled: true + firewallMode: 'Detection' + ruleSetType: 'OWASP' + ruleSetVersion: '3.0' + disabledRuleGroups: [] + requestBodyCheck: true + maxRequestBodySizeInKb: '128' +} +var sslCertificates = [ + { + name: sslCertificateName + properties: { + keyVaultSecretId: sslCertificateKeyVaultSecretId + } + } +] +var frontendPorts = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpPorts), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsPorts), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirectPorts)) +var httpListeners = concat((empty(frontendHttpListeners) ? 
frontendHttpListeners : frontendHttpListeners_var), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsListeners_var), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirects_var)) +var redirectConfigurations = (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRedirectConfigurations) +var requestRoutingRules = concat(httpsRequestRoutingRules, (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRequestRoutingRules)) + +var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' + +var identity = identityType != 'None' ? { + type: identityType + userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null +} : null + +var backendAddressPools = [for backendPool in backendPools: { + name: backendPool.backendPoolName + type: 'Microsoft.Network/applicationGateways/backendAddressPools' + properties: { + backendAddresses: contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : [] + } +}] +var probes_var = [for probe in probes: { + name: '${probe.backendHttpConfigurationName}Probe' + type: 'Microsoft.Network/applicationGateways/probes' + properties: { + protocol: probe.protocol + host: probe.host + path: probe.path + interval: contains(probe, 'interval') ? probe.interval : 30 + timeout: contains(probe, 'timeout') ? probe.timeout : 30 + unhealthyThreshold: contains(probe, 'timeout') ? probe.unhealthyThreshold : 3 + minServers: contains(probe, 'timeout') ? probe.minServers : 0 + match: { + body: contains(probe, 'timeout') ? 
probe.body : '' + statusCodes: probe.statusCodes + } + } +}] +var backendHttpConfigurations_var = [for backendHttpConfiguration in backendHttpConfigurations: { + name: backendHttpConfiguration.backendHttpConfigurationName + properties: { + port: backendHttpConfiguration.port + protocol: backendHttpConfiguration.protocol + cookieBasedAffinity: backendHttpConfiguration.cookieBasedAffinity + pickHostNameFromBackendAddress: backendHttpConfiguration.pickHostNameFromBackendAddress + probeEnabled: backendHttpConfiguration.probeEnabled + probe: bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : null + } +}] +var frontendHttpsPorts = [for frontendHttpsListener in frontendHttpsListeners: { + name: 'port${frontendHttpsListener.port}' + properties: { + Port: frontendHttpsListener.port + } +}] +var frontendHttpsListeners_var = [for frontendHttpsListener in frontendHttpsListeners: { + name: frontendHttpsListener.frontendListenerName + properties: { + FrontendIPConfiguration: { + id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpsListener.frontendIPType}' + } + FrontendPort: { + id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpsListener.port}' + } + Protocol: 'https' + SslCertificate: { + id: '${applicationGatewayResourceId}/sslCertificates/${sslCertificateName}' + } + } +}] +var frontendHttpPorts = [for frontendHttpListener in frontendHttpListeners: { + name: 'port${frontendHttpListener.port}' + properties: { + Port: frontendHttpListener.port + } +}] +var frontendHttpListeners_var = [for frontendHttpListener in frontendHttpListeners: { + name: frontendHttpListener.frontendListenerName + properties: { + FrontendIPConfiguration: { + id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpListener.frontendIPType}' + } + FrontendPort: { + id: 
'${applicationGatewayResourceId}/frontendPorts/port${frontendHttpListener.port}' + } + Protocol: 'http' + } +}] +var httpsRequestRoutingRules = [for routingRule in routingRules: { + name: '${routingRule.frontendListenerName}-${routingRule.backendHttpConfigurationName}-${routingRule.backendHttpConfigurationName}' + properties: { + RuleType: 'Basic' + httpListener: { + id: '${applicationGatewayResourceId}/httpListeners/${routingRule.frontendListenerName}' + } + backendAddressPool: { + id: '${applicationGatewayResourceId}/backendAddressPools/${routingRule.backendPoolName}' + } + backendHttpSettings: { + id: '${applicationGatewayResourceId}/backendHttpSettingsCollection/${routingRule.backendHttpConfigurationName}' + } + } +}] +var frontendHttpRedirectPorts = [for frontendHttpRedirect in frontendHttpRedirects: { + name: 'port${frontendHttpRedirect.port}' + properties: { + Port: frontendHttpRedirect.port + } +}] +var frontendHttpRedirects_var = [for frontendHttpRedirect in frontendHttpRedirects: { + name: '${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' + properties: { + FrontendIPConfiguration: { + id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpRedirect.frontendIPType}' + } + FrontendPort: { + id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpRedirect.port}' + } + Protocol: 'http' + } +}] +var httpRequestRoutingRules = [for frontendHttpRedirect in frontendHttpRedirects: { + name: '${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' + properties: { + RuleType: 'Basic' + httpListener: { + id: '${applicationGatewayResourceId}/httpListeners/${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' + } + redirectConfiguration: { + id: '${applicationGatewayResourceId}/redirectConfigurations/${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' + } + } +}] +var httpRedirectConfigurations = [for frontendHttpRedirect 
in frontendHttpRedirects: { + name: '${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' + properties: { + redirectType: 'Permanent' + includePath: true + includeQueryString: true + requestRoutingRules: [ + { + id: '${applicationGatewayResourceId}/requestRoutingRules/${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' + } + ] + targetListener: { + id: '${applicationGatewayResourceId}/httpListeners/${frontendHttpRedirect.frontendListenerName}' + } + } +}] + +module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource applicationGateway 'Microsoft.Network/applicationGateways@2021-03-01' = { + name: name + location: location + identity: identity + tags: tags + properties: { + sku: { + name: sku + tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_')) + capacity: capacity + } + gatewayIPConfigurations: [ + { + name: gatewayIpConfigurationName + properties: { + subnet: { + id: subnetResourceId + } + } + } + ] + frontendIPConfigurations: [ + { + name: frontendPrivateIPConfigurationName + type: 'Microsoft.Network/applicationGateways/frontendIPConfigurations' + properties: empty(frontendPrivateIpAddress) ? frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration + } + { + name: frontendPublicIPConfigurationName + properties: { + publicIPAddress: { + id: frontendPublicIpResourceId + } + } + } + ] + sslCertificates: empty(sslCertificateKeyVaultSecretId) ? null : sslCertificates + backendAddressPools: backendAddressPools + probes: probes_var + backendHttpSettingsCollection: backendHttpConfigurations_var + frontendPorts: frontendPorts + httpListeners: httpListeners + redirectConfigurations: redirectConfigurations + requestRoutingRules: requestRoutingRules + enableHttp2: http2Enabled + webApplicationFirewallConfiguration: startsWith(sku, 'WAF') ? 
wafConfiguration : null + } + dependsOn: [] +} + +resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { + name: '${applicationGateway.name}-${lock}-lock' + properties: { + level: lock + notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' + } + scope: applicationGateway +} + +resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { + name: '${applicationGateway.name}-diagnosticSettings' + properties: { + storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId + workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId + eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId + eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName + metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics + logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? 
null : diagnosticsLogs + } + scope: applicationGateway +} + +module applicationGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}' + params: { + principalIds: roleAssignment.principalIds + roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName + resourceId: applicationGateway.id + } +}] + +@description('The name of the application gateway') +output name string = applicationGateway.name + +@description('The resource ID of the application gateway') +output resourceId string = applicationGateway.id + +@description('The resource group the application gateway was deployed into') +output resourceGroupName string = resourceGroup().name From dece5735a799c152aa549656e270a297e18a825d Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sat, 29 Jan 2022 16:15:07 +0100 Subject: [PATCH 02/33] work in progress --- .../applicationGateways/deploy.bicep | 186 +++++++----------- 1 file changed, 70 insertions(+), 116 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep index b805ec6a71..6dc7685877 100644 --- a/arm/Microsoft.Network/applicationGateways/deploy.bicep +++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep 
@@ -5,6 +5,51 @@ param name string
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
+@description('Optional. The ID(s) to assign to the resource.')
+param userAssignedIdentities object = {}
+
+@description('Optional. Authentication certificates of the application gateway resource.')
+param authenticationCertificates array = []
+
+@description('Optional. Upper bound on number of Application Gateway capacity.')
+param autoscaleMaxCapacity int = 10
+
+@description('Optional. Lower bound on number of Application Gateway capacity.')
+param autoscaleMinCapacity int = 0
+
+@description('Optional. Backend address pool of the application gateway resource.')
+param backendAddressPools array = []
+
+@description('Optional. Backend http settings of the application gateway resource.')
+param backendHttpSettingsCollection array = []
+
+@description('Optional. Custom error configurations of the application gateway resource.')
+param customErrorConfigurations array = []
+
+@description('Optional. Whether FIPS is enabled on the application gateway resource.')
+param enableFips bool = false
+
+@description('Optional. Whether HTTP2 is enabled on the application gateway resource.')
+param enableHttp2 bool = false
+
+@description('Optional. The resource Id of an associated firewall policy.')
+param firewallPolicyId string = ''
+
+@description('Optional. Frontend IP addresses of the application gateway resource.')
+param frontendIPConfigurations array = []
+
+@description('Optional. Frontend ports of the application gateway resource.')
+param frontendPorts array = []
+
+@description('Optional. Subnets of the application gateway resource.')
+param gatewayIPConfigurations array = []
+
+@description('Optional. Enable request buffering.')
+param enableRequestBuffering bool = false
+
+@description('Optional. Enable response buffering.')
+param enableResponseBuffering bool = false
+
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
 @maxValue(365)
@@ -42,6 +87,13 @@ param metricsToEnable array = [
   'AllMetrics'
 ]
 
+var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
+
+var identity = identityType != 'None' ? {
+  type: identityType
+  userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+} : null
+
 var diagnosticsLogs = [for log in logsToEnable: {
   category: log
   enabled: true
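Review bot: `autoscaleMaxCapacity` and `autoscaleMinCapacity` are plain `int` parameters with no range decorators, while `diagnosticLogsRetentionInDays` in the trailing context of this hunk carries `@minValue`/`@maxValue`; a negative bound or a minimum above the maximum is only caught by the service at deployment time. At least `@minValue(0)` on both would fail the template at validation instead, and the descriptions could state the relationship between the two values, e.g. `@description('Optional. Lower bound on number of Application Gateway capacity. Must not exceed autoscaleMaxCapacity.')`.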
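Review bot: In the `identity` variable, `userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null` is redundant: the object is only built when `identityType != 'None'`, which already requires `userAssignedIdentities` to be non-empty, so the inner ternary can never yield `null`. `userAssignedIdentities: userAssignedIdentities` reads the same without the dead branch. A short comment such as `// identity is omitted (null) unless at least one user-assigned identity is supplied` would make the outer `: null` fallback self-explanatory.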
@@ -87,126 +139,28 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
   name: name
   location: location
   tags: tags
-  identity: {
-    type: 'string'
-    userAssignedIdentities: {}
-  }
+  identity: identity
   properties: {
-    authenticationCertificates: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          data: 'string'
-        }
-      }
-    ]
+    authenticationCertificates: authenticationCertificates
     autoscaleConfiguration: {
-      maxCapacity: int
-      minCapacity: int
-    }
-    backendAddressPools: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          backendAddresses: [
-            {
-              fqdn: 'string'
-              ipAddress: 'string'
-            }
-          ]
-        }
-      }
-    ]
-    backendHttpSettingsCollection: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          affinityCookieName: 'string'
-          authenticationCertificates: [
-            {
-              id: 'string'
-            }
-          ]
-          connectionDraining: {
-            drainTimeoutInSec: int
-            enabled: bool
-          }
-          cookieBasedAffinity: 'string'
-          hostName: 'string'
-          path: 'string'
-          pickHostNameFromBackendAddress: bool
-          port: int
-          probe: {
-            id: 'string'
-          }
-          probeEnabled: bool
-          protocol: 'string'
-          requestTimeout: int
-          trustedRootCertificates: [
-            {
-              id: 'string'
-            }
-          ]
-        }
-      }
-    ]
-    customErrorConfigurations: [
-      {
-        customErrorPageUrl: 'string'
-        statusCode: 'string'
-      }
-    ]
-    enableFips: bool
-    enableHttp2: bool
-    firewallPolicy: {
-      id: 'string'
+      maxCapacity: autoscaleMaxCapacity
+      minCapacity: autoscaleMinCapacity
     }
-    forceFirewallPolicyAssociation: bool
-    frontendIPConfigurations: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          privateIPAddress: 'string'
-          privateIPAllocationMethod: 'string'
-          privateLinkConfiguration: {
-            id: 'string'
-          }
-          publicIPAddress: {
-            id: 'string'
-          }
-          subnet: {
-            id: 'string'
-          }
-        }
-      }
-    ]
-    frontendPorts: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          port: int
-        }
-      }
-    ]
-    gatewayIPConfigurations: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          subnet: {
-            id: 'string'
-          }
-        }
-      }
-    ]
+    backendAddressPools: backendAddressPools
+    backendHttpSettingsCollection: backendHttpSettingsCollection
+    customErrorConfigurations: customErrorConfigurations
+    enableFips: enableFips
+    enableHttp2: enableHttp2
+    firewallPolicy: empty(firewallPolicyId) ? {
+      id: firewallPolicyId
+    } : null
+    forceFirewallPolicyAssociation: !empty(firewallPolicyId)
+    frontendIPConfigurations: frontendIPConfigurations
+    frontendPorts: frontendPorts
+    gatewayIPConfigurations: gatewayIPConfigurations
     globalConfiguration: {
-      enableRequestBuffering: bool
-      enableResponseBuffering: bool
+      enableRequestBuffering: enableRequestBuffering
+      enableResponseBuffering: enableResponseBuffering
     }
     httpListeners: [
       {
From 4b5eabad569730bb3b77d1a76364cf7d6af68dd9 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sat, 29 Jan 2022 16:22:11 +0100 Subject: [PATCH 03/33] work in progress --- .../applicationGateways/deploy.bicep | 231 +++--------- 1 file changed, 28 insertions(+), 203 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep
index 6dc7685877..c6fbb6ab7d 100644
--- a/arm/Microsoft.Network/applicationGateways/deploy.bicep
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep
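Review bot: The `firewallPolicy` condition is inverted: `empty(firewallPolicyId) ? { id: firewallPolicyId } : null` emits a policy reference with an empty id when no policy is given and collapses to `null` when one is, so a WAF policy passed in through `firewallPolicyId` is never attached, while `forceFirewallPolicyAssociation: !empty(firewallPolicyId)` on the next line still asserts that it is. The guard should be `firewallPolicy: !empty(firewallPolicyId) ? {`, mirroring the `!empty` already used for the association flag. The `applicationGateway` resource starts and ends outside the hunk.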
@@ -50,6 +50,27 @@ param enableRequestBuffering bool = false
 @description('Optional. Enable response buffering.')
 param enableResponseBuffering bool = false
 
+@description('Optional. Http listeners of the application gateway resource.')
+param httpListeners array = []
+
+@description('Optional. Load distribution policies of the application gateway resource.')
+param loadDistributionPolicies array = []
+
+@description('Optional. PrivateLink configurations on application gateway.')
+param privateLinkConfigurations array = []
+
+@description('Optional. Probes of the application gateway resource.')
+param probes array = []
+
+@description('Optional. Redirect configurations of the application gateway resource.')
+param redirectConfigurations array = []
+
+@description('Optional. Request routing rules of the application gateway resource.')
+param requestRoutingRules array = []
+
+@description('Optional. Rewrite rules for the application gateway resource. ')
+param rewriteRuleSets array = []
+
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
 @maxValue(365)
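Review bot: The description `'Optional. Rewrite rules for the application gateway resource. '` ends with a trailing space that none of the other descriptions added in this hunk have; generated readme tables pick such strings up verbatim. `@description('Optional. Rewrite rules for the application gateway resource.')` keeps them uniform.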
@@ -162,209 +183,13 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
       enableRequestBuffering: enableRequestBuffering
       enableResponseBuffering: enableResponseBuffering
     }
-    httpListeners: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          customErrorConfigurations: [
-            {
-              customErrorPageUrl: 'string'
-              statusCode: 'string'
-            }
-          ]
-          firewallPolicy: {
-            id: 'string'
-          }
-          frontendIPConfiguration: {
-            id: 'string'
-          }
-          frontendPort: {
-            id: 'string'
-          }
-          hostName: 'string'
-          hostNames: [
-            'string'
-          ]
-          protocol: 'string'
-          requireServerNameIndication: bool
-          sslCertificate: {
-            id: 'string'
-          }
-          sslProfile: {
-            id: 'string'
-          }
-        }
-      }
-    ]
-    loadDistributionPolicies: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          loadDistributionAlgorithm: 'string'
-          loadDistributionTargets: [
-            {
-              id: 'string'
-              name: 'string'
-              properties: {
-                backendAddressPool: {
-                  id: 'string'
-                }
-                weightPerServer: int
-              }
-            }
-          ]
-        }
-      }
-    ]
-    privateLinkConfigurations: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          ipConfigurations: [
-            {
-              id: 'string'
-              name: 'string'
-              properties: {
-                primary: bool
-                privateIPAddress: 'string'
-                privateIPAllocationMethod: 'string'
-                subnet: {
-                  id: 'string'
-                }
-              }
-            }
-          ]
-        }
-      }
-    ]
-    probes: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          host: 'string'
-          interval: int
-          match: {
-            body: 'string'
-            statusCodes: [
-              'string'
-            ]
-          }
-          minServers: int
-          path: 'string'
-          pickHostNameFromBackendHttpSettings: bool
-          port: int
-          protocol: 'string'
-          timeout: int
-          unhealthyThreshold: int
-        }
-      }
-    ]
-    redirectConfigurations: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          includePath: bool
-          includeQueryString: bool
-          pathRules: [
-            {
-              id: 'string'
-            }
-          ]
-          redirectType: 'string'
-          requestRoutingRules: [
-            {
-              id: 'string'
-            }
-          ]
-          targetListener: {
-            id: 'string'
-          }
-          targetUrl: 'string'
-          urlPathMaps: [
-            {
-              id: 'string'
-            }
-          ]
-        }
-      }
-    ]
-    requestRoutingRules: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          backendAddressPool: {
-            id: 'string'
-          }
-          backendHttpSettings: {
-            id: 'string'
-          }
-          httpListener: {
-            id: 'string'
-          }
-          loadDistributionPolicy: {
-            id: 'string'
-          }
-          priority: int
-          redirectConfiguration: {
-            id: 'string'
-          }
-          rewriteRuleSet: {
-            id: 'string'
-          }
-          ruleType: 'string'
-          urlPathMap: {
-            id: 'string'
-          }
-        }
-      }
-    ]
-    rewriteRuleSets: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          rewriteRules: [
-            {
-              actionSet: {
-                requestHeaderConfigurations: [
-                  {
-                    headerName: 'string'
-                    headerValue: 'string'
-                  }
-                ]
-                responseHeaderConfigurations: [
-                  {
-                    headerName: 'string'
-                    headerValue: 'string'
-                  }
-                ]
-                urlConfiguration: {
-                  modifiedPath: 'string'
-                  modifiedQueryString: 'string'
-                  reroute: bool
-                }
-              }
-              conditions: [
-                {
-                  ignoreCase: bool
-                  negate: bool
-                  pattern: 'string'
-                  variable: 'string'
-                }
-              ]
-              name: 'string'
-              ruleSequence: int
-            }
-          ]
-        }
-      }
-    ]
+    httpListeners: httpListeners
+    loadDistributionPolicies: loadDistributionPolicies
+    privateLinkConfigurations: privateLinkConfigurations
+    probes: probes
+    redirectConfigurations: redirectConfigurations
+    requestRoutingRules: requestRoutingRules
+    rewriteRuleSets: rewriteRuleSets
     sku: {
       capacity: int
       name: 'string'
From 89384e71da08df30691bf964ee1c30c3cfeece16 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sat, 29 Jan 2022 17:21:46 +0100 Subject: [PATCH 04/33] initial version --- .../applicationGateways/deploy.bicep | 295 +++++++++--------- 1 file changed, 146 insertions(+), 149 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep
index c6fbb6ab7d..fe987ce8eb 100644
--- a/arm/Microsoft.Network/applicationGateways/deploy.bicep
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep
@@ -71,6 +71,112 @@ param requestRoutingRules array = []
 @description('Optional. Rewrite rules for the application gateway resource. ')
 param rewriteRuleSets array = []
 
+@description('Optional. The name of the SKU for the Application Gateway.')
+@allowed([
+  'Standard_Small'
+  'Standard_Medium'
+  'Standard_Large'
+  'WAF_Medium'
+  'WAF_Large'
+  'Standard_v2'
+  'WAF_v2'
+])
+param sku string = 'WAF_Medium'
+
+@description('Optional. The number of Application instances to be configured.')
+@minValue(1)
+@maxValue(10)
+param capacity int = 2
+
+@description('Optional. SSL certificates of the application gateway resource.')
+param sslCertificates array = []
+
+@description('Optional. Ssl cipher suites to be enabled in the specified order to application gateway.')
+@allowed([
+  'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
+  'TLS_DHE_DSS_WITH_AES_128_CBC_SHA'
+  'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
+  'TLS_DHE_DSS_WITH_AES_256_CBC_SHA'
+  'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
+  'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
+  'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
+  'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
+  'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
+  'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
+  'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'
+  'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
+  'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA'
+  'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
+  'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
+  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA'
+  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
+  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
+  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'
+  'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
+  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
+  'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
+  'TLS_RSA_WITH_AES_128_CBC_SHA'
+  'TLS_RSA_WITH_AES_128_CBC_SHA256'
+  'TLS_RSA_WITH_AES_128_GCM_SHA256'
+  'TLS_RSA_WITH_AES_256_CBC_SHA'
+  'TLS_RSA_WITH_AES_256_CBC_SHA256'
+  'TLS_RSA_WITH_AES_256_GCM_SHA384'
+])
+param sslPolicyCipherSuites array = [
+  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
+  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
+]
+
+@description('Optional. Ssl protocols to be disabled on application gateway.')
+@allowed([
+  'TLSv1_0'
+  'TLSv1_1'
+  'TLSv1_2'
+])
+param sslPolicyDisabledSslProtocols array = []
+
+@description('Optional. Ssl protocol enums.')
+@allowed([
+  'TLSv1_0'
+  'TLSv1_1'
+  'TLSv1_2'
+])
+param sslPolicyMinProtocolVersion string = 'TLSv1_2'
+
+@description('Optional. Ssl predefined policy name enums.')
+@allowed([
+  'AppGwSslPolicy20150501'
+  'AppGwSslPolicy20170401'
+  'AppGwSslPolicy20170401S'
+  ''
+])
+param sslPolicyName string = ''
+
+@description('Optional. Type of Ssl Policy.')
+@allowed([
+  'Custom'
+  'Predefined'
+])
+param sslPolicyType string = 'Custom'
+
+@description('Optional. SSL profiles of the application gateway resource.')
+param sslProfiles array = []
+
+@description('Optional. Trusted client certificates of the application gateway resource.')
+param trustedClientCertificates array = []
+
+@description('Optional. Trusted Root certificates of the application gateway resource.')
+param trustedRootCertificates array = []
+
+@description('Optional. URL path map of the application gateway resource.')
+param urlPathMaps array = []
+
+@description('Optional. Application gateway web application firewall configuration.')
+param webApplicationFirewallConfiguration object = {}
+
+@description('Optional. A list of availability zones denoting where the resource needs to come from.')
+param zones array = []
+
 @description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
 @minValue(0)
 @maxValue(365)
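Review bot: `sslCertificates array = []` is documented only as 'SSL certificates of the application gateway resource', but the schema shape this same commit removes in the next hunk shows that elements may carry inline `data` and `password` next to `keyVaultSecretId`, and `@secure()` cannot be applied to an array parameter, so certificate material or a PFX password passed inline here is stored unprotected in the deployment history. The description should steer consumers to the Key Vault reference, e.g. `@description('Optional. SSL certificates of the application gateway resource. Prefer keyVaultSecretId; inline data/password values are not secured and are persisted in deployment history.')`. The same caveat applies to `trustedRootCertificates`, whose removed shape also offers `data` alongside `keyVaultSecretId`.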
@@ -191,159 +297,50 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
     requestRoutingRules: requestRoutingRules
     rewriteRuleSets: rewriteRuleSets
     sku: {
-      capacity: int
-      name: 'string'
-      tier: 'string'
+      name: sku
+      tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
+      capacity: capacity
     }
-    sslCertificates: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          data: 'string'
-          keyVaultSecretId: 'string'
-          password: 'string'
-        }
-      }
-    ]
+    sslCertificates: sslCertificates
     sslPolicy: {
-      cipherSuites: [
-        'string'
-      ]
-      disabledSslProtocols: [
-        'string'
-      ]
-      minProtocolVersion: 'string'
-      policyName: 'string'
-      policyType: 'string'
-    }
-    sslProfiles: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          clientAuthConfiguration: {
-            verifyClientCertIssuerDN: bool
-          }
-          sslPolicy: {
-            cipherSuites: [
-              'string'
-            ]
-            disabledSslProtocols: [
-              'string'
-            ]
-            minProtocolVersion: 'string'
-            policyName: 'string'
-            policyType: 'string'
-          }
-          trustedClientCertificates: [
-            {
-              id: 'string'
-            }
-          ]
-        }
-      }
-    ]
-    trustedClientCertificates: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          data: 'string'
-        }
-      }
-    ]
-    trustedRootCertificates: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          data: 'string'
-          keyVaultSecretId: 'string'
-        }
-      }
-    ]
-    urlPathMaps: [
-      {
-        id: 'string'
-        name: 'string'
-        properties: {
-          defaultBackendAddressPool: {
-            id: 'string'
-          }
-          defaultBackendHttpSettings: {
-            id: 'string'
-          }
-          defaultLoadDistributionPolicy: {
-            id: 'string'
-          }
-          defaultRedirectConfiguration: {
-            id: 'string'
-          }
-          defaultRewriteRuleSet: {
-            id: 'string'
-          }
-          pathRules: [
-            {
-              id: 'string'
-              name: 'string'
-              properties: {
-                backendAddressPool: {
-                  id: 'string'
-                }
-                backendHttpSettings: {
-                  id: 'string'
-                }
-                firewallPolicy: {
-                  id: 'string'
-                }
-                loadDistributionPolicy: {
-                  id: 'string'
-                }
-                paths: [
-                  'string'
-                ]
-                redirectConfiguration: {
-                  id: 'string'
-                }
-                rewriteRuleSet: {
-                  id: 'string'
-                }
-              }
-            }
-          ]
-        }
-      }
-    ]
-    webApplicationFirewallConfiguration: {
-      disabledRuleGroups: [
-        {
-          ruleGroupName: 'string'
-          rules: [
-            int
-          ]
-        }
-      ]
-      enabled: bool
-      exclusions: [
-        {
-          matchVariable: 'string'
-          selector: 'string'
-          selectorMatchOperator: 'string'
-        }
-      ]
-      fileUploadLimitInMb: int
-      firewallMode: 'string'
-      maxRequestBodySize: int
-      maxRequestBodySizeInKb: int
-      requestBodyCheck: bool
-      ruleSetType: 'string'
-      ruleSetVersion: 'string'
+      cipherSuites: sslPolicyCipherSuites
+      disabledSslProtocols: sslPolicyDisabledSslProtocols
+      minProtocolVersion: sslPolicyMinProtocolVersion
+      policyName: sslPolicyName
+      policyType: sslPolicyType
     }
+    sslProfiles: sslProfiles
+    trustedClientCertificates: trustedClientCertificates
+    trustedRootCertificates: trustedRootCertificates
+    urlPathMaps: urlPathMaps
+    webApplicationFirewallConfiguration: webApplicationFirewallConfiguration
+    // {
+    //   disabledRuleGroups: [
+    //     {
+    //       ruleGroupName: 'string'
+    //       rules: [
+    //         int
+    //       ]
+    //     }
+    //   ]
+    //   enabled: bool
+    //   exclusions: [
+    //     {
+    //       matchVariable: 'string'
+    //       selector: 'string'
+    //       selectorMatchOperator: 'string'
+    //     }
+    //   ]
+    //   fileUploadLimitInMb: int
+    //   firewallMode: 'string'
+    //   maxRequestBodySize: int
+    //   maxRequestBodySizeInKb: int
+    //   requestBodyCheck: bool
+    //   ruleSetType: 'string'
+    //   ruleSetVersion: 'string'
+    // }
   }
-  zones: [
-    'string'
-  ]
+  zones: zones
 }
 
 resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') {
From eda4e450166fdf4b2e61433832e8a48cd6d93fbb Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sat, 29 Jan 2022 17:25:01 +0100 Subject: [PATCH 05/33] update readme --- .../applicationGateways/deploy_old.bicep | 432 ------------------ .../applicationGateways/readme.md | 206 ++------- 2 files changed, 48 insertions(+), 590 deletions(-) delete mode 100644 arm/Microsoft.Network/applicationGateways/deploy_old.bicep
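Review bot: The new `sslPolicy` object always sends `policyName` together with `cipherSuites`, `disabledSslProtocols` and `minProtocolVersion`, irrespective of `sslPolicyType`: with the default `Custom` an empty `policyName` goes out, and with `Predefined` the custom fields go out next to the name, which — if I read the resource schema correctly — is a combination the service rejects, so the two shapes should be selected by type. `webApplicationFirewallConfiguration` is passed straight through with its `{}` default, so every deployment that leaves it unset sends an empty configuration where the schema (visible in the lines this hunk removes) expects `enabled`, `firewallMode`, `ruleSetType` and `ruleSetVersion`; `empty(webApplicationFirewallConfiguration) ? null : webApplicationFirewallConfiguration` would omit it instead. The commented-out schema copy below that line is dead text now that the parameter exists and should be dropped. The `applicationGateway` resource starts outside the hunk.
```bicep
    sslPolicy: sslPolicyType == 'Predefined' ? {
      policyType: sslPolicyType
      policyName: sslPolicyName
    } : {
      policyType: sslPolicyType
      cipherSuites: sslPolicyCipherSuites
      disabledSslProtocols: sslPolicyDisabledSslProtocols
      minProtocolVersion: sslPolicyMinProtocolVersion
    }
    // … unchanged: sslProfiles, trustedClientCertificates, trustedRootCertificates, urlPathMaps …
    webApplicationFirewallConfiguration: empty(webApplicationFirewallConfiguration) ? null : webApplicationFirewallConfiguration
```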
diff --git a/arm/Microsoft.Network/applicationGateways/deploy_old.bicep b/arm/Microsoft.Network/applicationGateways/deploy_old.bicep
deleted file mode 100644
index 1e9db49110..0000000000
--- a/arm/Microsoft.Network/applicationGateways/deploy_old.bicep
+++ /dev/null
@@ -1,432 +0,0 @@ -@description('Required. The name to be used for the Application Gateway.') -param name string - -@description('Optional. The name of the SKU for the Application Gateway.') -@allowed([ - 'Standard_Small' - 'Standard_Medium' - 'Standard_Large' - 'WAF_Medium' - 'WAF_Large' - 'Standard_v2' - 'WAF_v2' -]) -param sku string = 'WAF_Medium' - -@description('Optional. The number of Application instances to be configured.') -@minValue(1) -@maxValue(10) -param capacity int = 2 - -@description('Optional. Enables HTTP/2 support.') -param http2Enabled bool = true - -@description('Required. PublicIP Resource ID used in Public Frontend.') -param frontendPublicIpResourceId string - -@metadata({ - description: 'Optional. The private IP within the Application Gateway subnet to be used as frontend private address.' - limitations: 'The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed' -}) -param frontendPrivateIpAddress string = '' - -@description('Required. The name of the Virtual Network where the Application Gateway will be deployed.') -param vNetName string - -@description('Required. The name of Gateway Subnet Name where the Application Gateway will be deployed.') -param subnetName string - -@description('Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed.') -param vNetResourceGroup string = resourceGroup().name - -@description('Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed.') -param vNetSubscriptionId string = subscription().subscriptionId - -@description('Optional. The ID(s) to assign to the resource.') -param userAssignedIdentities object = {} - -@description('Optional. Application Gateway IP configuration name.') -param gatewayIpConfigurationName string = 'gatewayIpConfiguration01' - -@description('Optional. 
SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners.') -param sslCertificateName string = 'sslCertificate01' - -@description('Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners.') -param sslCertificateKeyVaultSecretId string = '' - -@description('Required. The backend pools to be configured.') -param backendPools array - -@description('Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools.') -param backendHttpConfigurations array - -@description('Optional. The backend HTTP settings probes to be configured.') -param probes array = [] - -@description('Required. The frontend http listeners to be configured.') -param frontendHttpListeners array = [] - -@description('Required. The frontend HTTPS listeners to be configured.') -param frontendHttpsListeners array = [] - -@description('Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener.') -param frontendHttpRedirects array = [] - -@description('Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration.') -param routingRules array - -@description('Optional. Location for all Resources.') -param location string = resourceGroup().location - -@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') -@minValue(0) -@maxValue(365) -param diagnosticLogsRetentionInDays int = 365 - -@description('Optional. Resource ID of the diagnostic storage account.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the diagnostic log analytics workspace.') -param diagnosticWorkspaceId string = '' - -@description('Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') -param diagnosticEventHubAuthorizationRuleId string = '' - -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') -param diagnosticEventHubName string = '' - -@allowed([ - 'CanNotDelete' - 'NotSpecified' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock.') -param lock string = 'NotSpecified' - -@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') -param roleAssignments array = [] - -@description('Optional. Tags of the resource.') -param tags object = {} - -@description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered.') -param cuaId string = '' - -@description('Optional. The name of logs that will be streamed.') -@allowed([ - 'ApplicationGatewayAccessLog' - 'ApplicationGatewayPerformanceLog' - 'ApplicationGatewayFirewallLog' -]) -param logsToEnable array = [ - 'ApplicationGatewayAccessLog' - 'ApplicationGatewayPerformanceLog' - 'ApplicationGatewayFirewallLog' -] - -@description('Optional. 
The name of metrics that will be streamed.') -@allowed([ - 'AllMetrics' -]) -param metricsToEnable array = [ - 'AllMetrics' -] - -var diagnosticsLogs = [for log in logsToEnable: { - category: log - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } -}] - -var diagnosticsMetrics = [for metric in metricsToEnable: { - category: metric - timeGrain: null - enabled: true - retentionPolicy: { - enabled: true - days: diagnosticLogsRetentionInDays - } -}] - -var applicationGatewayResourceId = az.resourceId('Microsoft.Network/applicationGateways', name) -var subnetResourceId = az.resourceId(vNetSubscriptionId, vNetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vNetName, subnetName) -var frontendPublicIPConfigurationName = 'public' -var frontendPrivateIPConfigurationName = 'private' -var frontendPrivateIPDynamicConfiguration = { - privateIPAllocationMethod: 'Dynamic' - subnet: { - id: subnetResourceId - } -} -var frontendPrivateIPStaticConfiguration = { - privateIPAllocationMethod: 'Static' - privateIPAddress: frontendPrivateIpAddress - subnet: { - id: subnetResourceId - } -} -var redirectConfigurationsHttpRedirectNamePrefix = 'httpRedirect' -var httpListenerhttpRedirectNamePrefix = 'httpRedirect' -var requestRoutingRuleHttpRedirectNamePrefix = 'httpRedirect' -var wafConfiguration = { - enabled: true - firewallMode: 'Detection' - ruleSetType: 'OWASP' - ruleSetVersion: '3.0' - disabledRuleGroups: [] - requestBodyCheck: true - maxRequestBodySizeInKb: '128' -} -var sslCertificates = [ - { - name: sslCertificateName - properties: { - keyVaultSecretId: sslCertificateKeyVaultSecretId - } - } -] -var frontendPorts = concat((empty(frontendHttpListeners) ? frontendHttpListeners : frontendHttpPorts), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsPorts), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirectPorts)) -var httpListeners = concat((empty(frontendHttpListeners) ? 
frontendHttpListeners : frontendHttpListeners_var), (empty(frontendHttpsListeners) ? frontendHttpsListeners : frontendHttpsListeners_var), (empty(frontendHttpRedirects) ? frontendHttpRedirects : frontendHttpRedirects_var)) -var redirectConfigurations = (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRedirectConfigurations) -var requestRoutingRules = concat(httpsRequestRoutingRules, (empty(frontendHttpRedirects) ? frontendHttpRedirects : httpRequestRoutingRules)) - -var identityType = !empty(userAssignedIdentities) ? 'UserAssigned' : 'None' - -var identity = identityType != 'None' ? { - type: identityType - userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null -} : null - -var backendAddressPools = [for backendPool in backendPools: { - name: backendPool.backendPoolName - type: 'Microsoft.Network/applicationGateways/backendAddressPools' - properties: { - backendAddresses: contains(backendPool, 'BackendAddresses') ? backendPool.BackendAddresses : [] - } -}] -var probes_var = [for probe in probes: { - name: '${probe.backendHttpConfigurationName}Probe' - type: 'Microsoft.Network/applicationGateways/probes' - properties: { - protocol: probe.protocol - host: probe.host - path: probe.path - interval: contains(probe, 'interval') ? probe.interval : 30 - timeout: contains(probe, 'timeout') ? probe.timeout : 30 - unhealthyThreshold: contains(probe, 'timeout') ? probe.unhealthyThreshold : 3 - minServers: contains(probe, 'timeout') ? probe.minServers : 0 - match: { - body: contains(probe, 'timeout') ? 
probe.body : '' - statusCodes: probe.statusCodes - } - } -}] -var backendHttpConfigurations_var = [for backendHttpConfiguration in backendHttpConfigurations: { - name: backendHttpConfiguration.backendHttpConfigurationName - properties: { - port: backendHttpConfiguration.port - protocol: backendHttpConfiguration.protocol - cookieBasedAffinity: backendHttpConfiguration.cookieBasedAffinity - pickHostNameFromBackendAddress: backendHttpConfiguration.pickHostNameFromBackendAddress - probeEnabled: backendHttpConfiguration.probeEnabled - probe: bool(backendHttpConfiguration.probeEnabled) ? json('{"id": "${applicationGatewayResourceId}/probes/${backendHttpConfiguration.backendHttpConfigurationName}Probe"}') : null - } -}] -var frontendHttpsPorts = [for frontendHttpsListener in frontendHttpsListeners: { - name: 'port${frontendHttpsListener.port}' - properties: { - Port: frontendHttpsListener.port - } -}] -var frontendHttpsListeners_var = [for frontendHttpsListener in frontendHttpsListeners: { - name: frontendHttpsListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpsListener.frontendIPType}' - } - FrontendPort: { - id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpsListener.port}' - } - Protocol: 'https' - SslCertificate: { - id: '${applicationGatewayResourceId}/sslCertificates/${sslCertificateName}' - } - } -}] -var frontendHttpPorts = [for frontendHttpListener in frontendHttpListeners: { - name: 'port${frontendHttpListener.port}' - properties: { - Port: frontendHttpListener.port - } -}] -var frontendHttpListeners_var = [for frontendHttpListener in frontendHttpListeners: { - name: frontendHttpListener.frontendListenerName - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpListener.frontendIPType}' - } - FrontendPort: { - id: 
'${applicationGatewayResourceId}/frontendPorts/port${frontendHttpListener.port}' - } - Protocol: 'http' - } -}] -var httpsRequestRoutingRules = [for routingRule in routingRules: { - name: '${routingRule.frontendListenerName}-${routingRule.backendHttpConfigurationName}-${routingRule.backendHttpConfigurationName}' - properties: { - RuleType: 'Basic' - httpListener: { - id: '${applicationGatewayResourceId}/httpListeners/${routingRule.frontendListenerName}' - } - backendAddressPool: { - id: '${applicationGatewayResourceId}/backendAddressPools/${routingRule.backendPoolName}' - } - backendHttpSettings: { - id: '${applicationGatewayResourceId}/backendHttpSettingsCollection/${routingRule.backendHttpConfigurationName}' - } - } -}] -var frontendHttpRedirectPorts = [for frontendHttpRedirect in frontendHttpRedirects: { - name: 'port${frontendHttpRedirect.port}' - properties: { - Port: frontendHttpRedirect.port - } -}] -var frontendHttpRedirects_var = [for frontendHttpRedirect in frontendHttpRedirects: { - name: '${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' - properties: { - FrontendIPConfiguration: { - id: '${applicationGatewayResourceId}/frontendIPConfigurations/${frontendHttpRedirect.frontendIPType}' - } - FrontendPort: { - id: '${applicationGatewayResourceId}/frontendPorts/port${frontendHttpRedirect.port}' - } - Protocol: 'http' - } -}] -var httpRequestRoutingRules = [for frontendHttpRedirect in frontendHttpRedirects: { - name: '${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' - properties: { - RuleType: 'Basic' - httpListener: { - id: '${applicationGatewayResourceId}/httpListeners/${httpListenerhttpRedirectNamePrefix}${frontendHttpRedirect.port}' - } - redirectConfiguration: { - id: '${applicationGatewayResourceId}/redirectConfigurations/${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' - } - } -}] -var httpRedirectConfigurations = [for frontendHttpRedirect 
in frontendHttpRedirects: { - name: '${redirectConfigurationsHttpRedirectNamePrefix}${frontendHttpRedirect.port}' - properties: { - redirectType: 'Permanent' - includePath: true - includeQueryString: true - requestRoutingRules: [ - { - id: '${applicationGatewayResourceId}/requestRoutingRules/${requestRoutingRuleHttpRedirectNamePrefix}${frontendHttpRedirect.port}-${frontendHttpRedirect.frontendListenerName}' - } - ] - targetListener: { - id: '${applicationGatewayResourceId}/httpListeners/${frontendHttpRedirect.frontendListenerName}' - } - } -}] - -module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { - name: 'pid-${cuaId}' - params: {} -} - -resource applicationGateway 'Microsoft.Network/applicationGateways@2021-03-01' = { - name: name - location: location - identity: identity - tags: tags - properties: { - sku: { - name: sku - tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_')) - capacity: capacity - } - gatewayIPConfigurations: [ - { - name: gatewayIpConfigurationName - properties: { - subnet: { - id: subnetResourceId - } - } - } - ] - frontendIPConfigurations: [ - { - name: frontendPrivateIPConfigurationName - type: 'Microsoft.Network/applicationGateways/frontendIPConfigurations' - properties: empty(frontendPrivateIpAddress) ? frontendPrivateIPDynamicConfiguration : frontendPrivateIPStaticConfiguration - } - { - name: frontendPublicIPConfigurationName - properties: { - publicIPAddress: { - id: frontendPublicIpResourceId - } - } - } - ] - sslCertificates: empty(sslCertificateKeyVaultSecretId) ? null : sslCertificates - backendAddressPools: backendAddressPools - probes: probes_var - backendHttpSettingsCollection: backendHttpConfigurations_var - frontendPorts: frontendPorts - httpListeners: httpListeners - redirectConfigurations: redirectConfigurations - requestRoutingRules: requestRoutingRules - enableHttp2: http2Enabled - webApplicationFirewallConfiguration: startsWith(sku, 'WAF') ? 
wafConfiguration : null - } - dependsOn: [] -} - -resource applicationGateway_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { - name: '${applicationGateway.name}-${lock}-lock' - properties: { - level: lock - notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.' - } - scope: applicationGateway -} - -resource applicationGateway_diagnosticSettingName 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) { - name: '${applicationGateway.name}-diagnosticSettings' - properties: { - storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId - workspaceId: empty(diagnosticWorkspaceId) ? null : diagnosticWorkspaceId - eventHubAuthorizationRuleId: empty(diagnosticEventHubAuthorizationRuleId) ? null : diagnosticEventHubAuthorizationRuleId - eventHubName: empty(diagnosticEventHubName) ? null : diagnosticEventHubName - metrics: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? null : diagnosticsMetrics - logs: empty(diagnosticStorageAccountId) && empty(diagnosticWorkspaceId) && empty(diagnosticEventHubAuthorizationRuleId) && empty(diagnosticEventHubName) ? 
null : diagnosticsLogs - } - scope: applicationGateway -} - -module applicationGateway_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { - name: '${uniqueString(deployment().name, location)}-AppGateway-Rbac-${index}' - params: { - principalIds: roleAssignment.principalIds - roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName - resourceId: applicationGateway.id - } -}] - -@description('The name of the application gateway') -output name string = applicationGateway.name - -@description('The resource ID of the application gateway') -output resourceId string = applicationGateway.id - -@description('The resource group the application gateway was deployed into') -output resourceGroupName string = resourceGroup().name diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md index 0256d3e85d..0a4569705f 100644 --- a/arm/Microsoft.Network/applicationGateways/readme.md +++ b/arm/Microsoft.Network/applicationGateways/readme.md 
@@ -1,183 +1,73 @@ -# Application Gateways `[Microsoft.Network/applicationGateways]` +# Network Application Gateways `[Microsoft.Network/applicationGateways]` -This template deploys an application gateway. +This module deploys Network ApplicationGateways. -## Resource types +## Resource Types | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/locks` | 2017-04-01 | | `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | | `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | -| `Microsoft.Network/applicationGateways` | 2021-03-01 | +| `Microsoft.Network/applicationGateways` | 2021-05-01 | ## Parameters | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `backendHttpConfigurations` | array | | | Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools. | -| `backendPools` | array | | | Required. The backend pools to be configured. | +| `authenticationCertificates` | array | `[]` | | Optional. Authentication certificates of the application gateway resource. | +| `autoscaleMaxCapacity` | int | `10` | | Optional. Upper bound on number of Application Gateway capacity. | +| `autoscaleMinCapacity` | int | | | Optional. Lower bound on number of Application Gateway capacity. | +| `backendAddressPools` | array | `[]` | | Optional. Backend address pool of the application gateway resource. | +| `backendHttpSettingsCollection` | array | `[]` | | Optional. Backend http settings of the application gateway resource. | | `capacity` | int | `2` | | Optional. The number of Application instances to be configured. | -| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered. | -| `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. 
Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `customErrorConfigurations` | array | `[]` | | Optional. Custom error configurations of the application gateway resource. | +| `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. | -| `frontendHttpListeners` | array | `[]` | | Required. The frontend http listeners to be configured. | -| `frontendHttpRedirects` | array | `[]` | | Optional. The http redirects to be configured. Each redirect will route http traffic to a predefined frontEnd HTTPS listener. | -| `frontendHttpsListeners` | array | `[]` | | Required. The frontend HTTPS listeners to be configured. | -| `frontendPrivateIpAddress` | string | | | Optional. 
The private IP within the Application Gateway subnet to be used as frontend private address. | -| `frontendPublicIpResourceId` | string | | | Required. PublicIP Resource ID used in Public Frontend. | -| `gatewayIpConfigurationName` | string | `gatewayIpConfiguration01` | | Optional. Application Gateway IP configuration name. | -| `http2Enabled` | bool | `True` | | Optional. Enables HTTP/2 support. | -| `location` | string | `[resourceGroup().location]` | | Optional. Location for all Resources. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | +| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub | +| `enableFips` | bool | | | Optional. Whether FIPS is enabled on the application gateway resource. | +| `enableHttp2` | bool | | | Optional. Whether HTTP2 is enabled on the application gateway resource. | +| `enableRequestBuffering` | bool | | | Optional. Enable request buffering. | +| `enableResponseBuffering` | bool | | | Optional. Enable response buffering. | +| `firewallPolicyId` | string | | | Optional. The resource Id of an associated firewall policy. | +| `frontendIPConfigurations` | array | `[]` | | Optional. Frontend IP addresses of the application gateway resource. | +| `frontendPorts` | array | `[]` | | Optional. Frontend ports of the application gateway resource. | +| `gatewayIPConfigurations` | array | `[]` | | Optional. Subnets of the application gateway resource. | +| `httpListeners` | array | `[]` | | Optional. Http listeners of the application gateway resource. | +| `loadDistributionPolicies` | array | `[]` | | Optional. 
Load distribution policies of the application gateway resource. | +| `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `logsToEnable` | array | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | `[ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog]` | Optional. The name of logs that will be streamed. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | -| `name` | string | | | Required. The name to be used for the Application Gateway. | -| `probes` | array | `[]` | | Optional. The backend HTTP settings probes to be configured. | +| `name` | string | | | Required. Name of the Application Gateway. | +| `privateLinkConfigurations` | array | `[]` | | Optional. PrivateLink configurations on application gateway. | +| `probes` | array | `[]` | | Optional. Probes of the application gateway resource. | +| `redirectConfigurations` | array | `[]` | | Optional. Redirect configurations of the application gateway resource. | +| `requestRoutingRules` | array | `[]` | | Optional. Request routing rules of the application gateway resource. | +| `rewriteRuleSets` | array | `[]` | | Optional. Rewrite rules for the application gateway resource. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `routingRules` | array | | | Required. The routing rules to be configured. 
These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration. | | `sku` | string | `WAF_Medium` | `[Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2]` | Optional. The name of the SKU for the Application Gateway. | -| `sslCertificateKeyVaultSecretId` | string | | | Optional. Secret ID of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners. | -| `sslCertificateName` | string | `sslCertificate01` | | Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners. | -| `subnetName` | string | | | Required. The name of Gateway Subnet Name where the Application Gateway will be deployed. | -| `tags` | object | `{object}` | | Optional. Tags of the resource. | +| `sslCertificates` | array | `[]` | | Optional. SSL certificates of the application gateway resource. | +| `sslPolicyCipherSuites` | array | `[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]` | `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` | Optional. Ssl cipher suites to be enabled in the specified order to application gateway. | +| `sslPolicyDisabledSslProtocols` | array | `[]` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocols to be disabled on application gateway. | +| `sslPolicyMinProtocolVersion` | string | `TLSv1_2` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocol enums. | +| `sslPolicyName` | string | | `[AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, ]` | Optional. Ssl predefined policy name enums. | +| `sslPolicyType` | string | `Custom` | `[Custom, Predefined]` | Optional. Type of Ssl Policy. | +| `sslProfiles` | array | `[]` | | Optional. SSL profiles of the application gateway resource. | +| `tags` | object | `{object}` | | Optional. Resource tags. | +| `trustedClientCertificates` | array | `[]` | | Optional. Trusted client certificates of the application gateway resource. | +| `trustedRootCertificates` | array | `[]` | | Optional. Trusted Root certificates of the application gateway resource. | +| `urlPathMaps` | array | `[]` | | Optional. URL path map of the application gateway resource. | | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | -| `vNetName` | string | | | Required. The name of the Virtual Network where the Application Gateway will be deployed. | -| `vNetResourceGroup` | string | `[resourceGroup().name]` | | Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed. | -| `vNetSubscriptionId` | string | `[subscription().subscriptionId]` | | Optional. The Subscription ID of the Virtual Network where the Application Gateway will be deployed. | +| `webApplicationFirewallConfiguration` | object | `{object}` | | Optional. Application gateway web application firewall configuration. | +| `zones` | array | `[]` | | Optional. 
A list of availability zones denoting where the resource needs to come from. | -### Parameter Usage: `backendPools` +### Parameter Usage: `` -```json -"backendPools": { - "value": [ - { - "backendPoolName": "appServiceBackendPool", - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] - }, - { - "backendPoolName": "privateVmBackendPool", - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" - } - ] - } - ] -} -``` - -### Parameter Usage: `backendHttpConfigurations` - -```json -"backendHttpConfigurations": { - "value": [ - { - "backendHttpConfigurationName": "appServiceBackendHttpsSetting", - "port": 443, - "protocol": "https", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "probeEnabled": false - }, - { - "backendHttpConfigurationName": "privateVmHttpSetting", - "port": 80, - "protocol": "http", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "probeEnabled": true - } - ] -} -``` - -### Parameter Usage: `probes` - -```json -"probes": { - "value": [ - { - "backendHttpConfigurationName": "privateVmHttpSetting", - "protocol": "http", - "host": "10.0.0.4", - "path": "/", - "interval": 60, - "timeout": 15, - "unhealthyThreshold": 5, - "minServers": 3, - "statusCodes": [ - "200", - "401" - ] - } - ] -} -``` - -### Parameter Usage: `frontendHttpsListeners` - -```json -"frontendHttpsListeners": { - "value": [ - { - "frontendListenerName": "public443", - "frontendIPType": "Public", - "port": 443 - }, - { - "frontendListenerName": "private4433", - "frontendIPType": "Private", - "port": 4433 - } - ] -} -``` - -### Parameter Usage: `frontendHttpRedirects` - -```json -"frontendHttpRedirects": { - "value": [ - { - "frontendIPType": "Public", - "port": 80, - "frontendListenerName": "public443" - }, - { - "frontendIPType": "Private", - "port": 8080, - "frontendListenerName": "private4433" - } - ] -} -``` - -### Parameter Usage: `routingRules` - -```json -"routingRules": { - "value": [ - { - 
"frontendListenerName": "public443", - "backendPoolName": "appServiceBackendPool", - "backendHttpConfigurationName": "appServiceBackendHttpsSetting" - }, - { - "frontendListenerName": "private4433", - "backendPoolName": "privateVmBackendPool", - "backendHttpConfigurationName": "privateVmHttpSetting" - } - ] -} -``` +// TODO: Fill in Parameter usage ### Parameter Usage: `roleAssignments` @@ -241,7 +131,7 @@ You can specify multiple user assigned identities to a resource by providing add ## Template references -- [Applicationgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-03-01/applicationGateways) +- [Applicationgateways](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/applicationGateways) - [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/roleAssignments) From b20047e393810cbac5d1b0d55db99736289f54df Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Sun, 30 Jan 2022 11:48:58 +0100 Subject: [PATCH 06/33] fix --- .../applicationGateways/deploy.bicep | 32 +++++++++---------- .../applicationGateways/readme.md | 2 +- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep index fe987ce8eb..c54f098be3 100644 --- a/arm/Microsoft.Network/applicationGateways/deploy.bicep +++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep 
@@ -12,10 +12,10 @@ param userAssignedIdentities object = {}
 param authenticationCertificates array = []
 
 @description('Optional. Upper bound on number of Application Gateway capacity.')
-param autoscaleMaxCapacity int = 10
+param autoscaleMaxCapacity int = -1
 
 @description('Optional. Lower bound on number of Application Gateway capacity.')
-param autoscaleMinCapacity int = 0
+param autoscaleMinCapacity int = -1
 
 @description('Optional. Backend address pool of the application gateway resource.')
 param backendAddressPools array = []
@@ -127,13 +127,13 @@ param sslPolicyCipherSuites array = [
 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
 ]
 
-@description('Optional. Ssl protocols to be disabled on application gateway.')
-@allowed([
- 'TLSv1_0'
- 'TLSv1_1'
- 'TLSv1_2'
-])
-param sslPolicyDisabledSslProtocols array = []
+// @description('Optional. Ssl protocols to be disabled on application gateway.')
+// @allowed([
+// 'TLSv1_0'
+// 'TLSv1_1'
+// 'TLSv1_2'
+// ])
+// param sslPolicyDisabledSslProtocols array = []
 
 @description('Optional. Ssl protocol enums.')
 @allowed([
@@ -269,16 +269,16 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
 identity: identity
 properties: {
 authenticationCertificates: authenticationCertificates
- autoscaleConfiguration: {
+ autoscaleConfiguration: autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0 ? {
 maxCapacity: autoscaleMaxCapacity
 minCapacity: autoscaleMinCapacity
- }
+ } : null
 backendAddressPools: backendAddressPools
 backendHttpSettingsCollection: backendHttpSettingsCollection
 customErrorConfigurations: customErrorConfigurations
- enableFips: enableFips
+ //enableFips: enableFips ? enableFips : null
 enableHttp2: enableHttp2
- firewallPolicy: empty(firewallPolicyId) ? {
+ firewallPolicy: !empty(firewallPolicyId) ? {
 id: firewallPolicyId
 } : null
 forceFirewallPolicyAssociation: !empty(firewallPolicyId)
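Review bot: The `sslPolicyDisabledSslProtocols` parameter is commented out rather than removed, and the same is done for the `disabledSslProtocols` line in the `sslPolicy` block of the following hunk; a published module should not carry commented-out declarations when git history already holds them. If the intent is that `sslPolicyMinProtocolVersion` (default `TLSv1_2`) is now the only control over accepted TLS versions, a short comment on that parameter, e.g. `// Minimum TLS version is the single protocol control; a disabled-protocols list is intentionally not exposed.`, would keep the next reader from re-adding the list. Callers that still pass the removed parameter would be rejected at deployment time as an undeclared parameter, which the readme row deletion later in this patch at least reflects.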
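Review bot: The new guard `autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0` rejects a minimum of 0, which was this parameter's default until the first hunk of this patch changed it to -1; a caller who sets `autoscaleMinCapacity` to 0 with a positive maximum gets no `autoscaleConfiguration` and silently falls back to fixed `capacity`. If 0 is meant to remain a valid lower bound the check should read `autoscaleMaxCapacity > 0 && autoscaleMinCapacity >= 0`, and since the identical expression is repeated for `sku.capacity` in the next hunk, hoisting it into a single `var autoscaleEnabled = ...` keeps the two in step. The -1 sentinel on both parameters also deserves a word in their `@description`, e.g. `-1 (default) leaves autoscaling off; set both bounds to enable it.` The resource body continues outside this hunk.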
@@ -299,14 +299,14 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
 sku: {
 name: sku
 tier: endsWith(sku, 'v2') ? sku : substring(sku, 0, indexOf(sku, '_'))
- capacity: capacity
+ capacity: autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0 ? null : capacity
 }
 sslCertificates: sslCertificates
 sslPolicy: {
 cipherSuites: sslPolicyCipherSuites
- disabledSslProtocols: sslPolicyDisabledSslProtocols
+ // disabledSslProtocols: sslPolicyDisabledSslProtocols
 minProtocolVersion: sslPolicyMinProtocolVersion
- policyName: sslPolicyName
+ policyName: empty(sslPolicyName) ? null : sslPolicyName
 policyType: sslPolicyType
 }
 sslProfiles: sslProfiles
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md
index 0a4569705f..3773c4e3bd 100644
--- a/arm/Microsoft.Network/applicationGateways/readme.md
+++ b/arm/Microsoft.Network/applicationGateways/readme.md
@@ -52,7 +52,7 @@ This module deploys Network ApplicationGateways. | `sku` | string | `WAF_Medium` | `[Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2]` | Optional. The name of the SKU for the Application Gateway. | | `sslCertificates` | array | `[]` | | Optional. SSL certificates of the application gateway resource. | | `sslPolicyCipherSuites` | array | `[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]` | `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` | Optional. Ssl cipher suites to be enabled in the specified order to application gateway. | -| `sslPolicyDisabledSslProtocols` | array | `[]` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocols to be disabled on application gateway. | + | `sslPolicyMinProtocolVersion` | string | `TLSv1_2` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocol enums. | | `sslPolicyName` | string | | `[AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, ]` | Optional. 
Ssl predefined policy name enums. |
 | `sslPolicyType` | string | `Custom` | `[Custom, Predefined]` | Optional. Type of Ssl Policy. |
From 3f406d0d6bbead0cb14aa56da6c1ec07406db032 Mon Sep 17 00:00:00 2001
From: Alexander Sehr
Date: Mon, 31 Jan 2022 08:04:12 +0100
Subject: [PATCH 07/33] Upload suggestion (#946)

---
 arm/Microsoft.Network/applicationGateways/deploy.bicep | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep
index c54f098be3..6b13299e61 100644
--- a/arm/Microsoft.Network/applicationGateways/deploy.bicep
+++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep
@@ -267,7 +267,7 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
 location: location
 tags: tags
 identity: identity
- properties: {
+ properties: union({
 authenticationCertificates: authenticationCertificates
 autoscaleConfiguration: autoscaleMaxCapacity > 0 && autoscaleMinCapacity > 0 ? {
 maxCapacity: autoscaleMaxCapacity
@@ -276,7 +276,6 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
 backendAddressPools: backendAddressPools
 backendHttpSettingsCollection: backendHttpSettingsCollection
 customErrorConfigurations: customErrorConfigurations
- //enableFips: enableFips ? enableFips : null
 enableHttp2: enableHttp2
 firewallPolicy: !empty(firewallPolicyId) ? {
 id: firewallPolicyId
@@ -339,7 +338,9 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' =
 // ruleSetType: 'string'
 // ruleSetVersion: 'string'
 // }
- }
+ }, (enableFips ? {
+ enableFips: enableFips
+ } : {}), {})
 zones: zones
 }
 
From 1473b074cb28da3baaf6c07511348ff5b91108f0 Mon Sep 17 00:00:00 2001
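Review bot: The final `{}` argument of the `union(...)` that now closes `properties` is a no-op and can be dropped, leaving `}, enableFips ? { enableFips: enableFips } : {})`. The merge-only-when-set shape is presumably there to keep `enableFips` out of the request body unless it is explicitly enabled (the previous patch had the plain assignment commented out), but that reason is not visible at the `properties: union({` line three hunks earlier; a one-line comment there, e.g. `// enableFips is merged in only when set so the property is omitted from the payload otherwise`, would explain the unusual construction. The resource body continues between and outside these three hunks.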
From: Rainer Halanek Date: Mon, 31 Jan 2022 12:00:27 +0100 Subject: [PATCH 08/33] rebuild parameters file --- .../.parameters/parameters.json | 246 +++++++++++------- .../.parameters/parameters_old.json | 161 ++++++++++++ 2 files changed, 320 insertions(+), 87 deletions(-) create mode 100644 arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index f972b08ef2..b0d5a3912b 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
@@ -5,140 +5,202 @@ "name": { "value": "sxx-az-apgw-x-001" }, - "sku": { - "value": "WAF_v2" - }, - "vNetName": { - "value": "adp-sxx-az-vnet-x-001" - }, - "subnetName": { - "value": "sxx-az-subnet-x-007" - }, - "vNetResourceGroup": { - "value": "validation-rg" - }, - "frontendPrivateIpAddress": { - "value": "10.0.8.6" - }, - "frontendPublicIpResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apgw" - }, "userAssignedIdentities": { "value": { "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {} } }, - "sslCertificateKeyVaultSecretId": { - "value": "https://adp-sxx-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" - }, - "backendPools": { + "backendAddressPools": { "value": [ { - "backendPoolName": "appServiceBackendPool", - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] + "name": "appServiceBackendPool", + "properties": { + "backendAddresses": [ + { + "fqdn": "aghapp.azurewebsites.net" + } + ] + } }, { - "backendPoolName": "privateVmBackendPool", - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" - } - ] + "name": "privateVmBackendPool", + "properties": { + "backendAddresses": [ + { + "ipAddress": "10.0.0.4" + } + ] + } } ] }, - "backendHttpConfigurations": { + "backendHttpSettingsCollection": { "value": [ { - "backendHttpConfigurationName": "appServiceBackendHttpsSetting", - "port": 443, - "protocol": "https", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "probeEnabled": false + "name": "appServiceBackendHttpsSetting", + "properties": { + "port": 443, + "protocol": "Https", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": true, + "probeEnabled": false + } }, { - "backendHttpConfigurationName": "privateVmHttpSetting", - "port": 80, - "protocol": "http", - 
"cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "probeEnabled": true + "name": "privateVmHttpSetting", + "properties": { + "port": 80, + "protocol": "Http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "probeEnabled": true + } } ] }, - "probes": { + "frontendIPConfigurations": { "value": [ { - "backendHttpConfigurationName": "privateVmHttpSetting", - "protocol": "http", - "host": "10.0.0.4", - "path": "/", - "interval": 60, - "timeout": 15, - "unhealthyThreshold": 5, - "minServers": 3, - "body": "", - "statusCodes": [ - "200", - "401" - ] + "name": "apw-frontend-ip-configuration", + "properties": { + "publicIPAddress": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apg" + } + } } ] }, - "frontendHttpsListeners": { + "frontendPorts": { "value": [ { - "frontendListenerName": "public443", - "frontendIPType": "Public", - "port": 443 + "name": "public443", + "properties": { + "port": 443 + } }, { - "frontendListenerName": "private4433", - "frontendIPType": "Private", - "port": 4433 + "name": "private4433", + "properties": { + "port": 4433 + } + } + ] + }, + "gatewayIPConfigurations": { + "value": [ + { + "name": "apw-ip-configuration", + "properties": { + "subnet": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-007" + } + } + } + ] + }, + "probes": { + "value": [ + { + "name": "privateVmHttpSetting", + "properties": { + "host": "10.0.0.4", + "interval": 60, + "match": { + "body": "", + "statusCodes": [ + "200", + "401" + ] + }, + "minServers": 3, + "path": "/", + "protocol": "http", + "timeout": 15, + "unhealthyThreshold": 5 + } } ] }, - "frontendHttpRedirects": { + "redirectConfigurations": { "value": [ { - "frontendIPType": "Public", - "port": 80, - "frontendListenerName": "public443" + "name": "public443", + "properties": { + 
"includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" + } + ], + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + } + } }, { - "frontendIPType": "Private", - "port": 8080, - "frontendListenerName": "private4433" + "name": "private4433", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" + } + ], + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + } + } } ] }, - "routingRules": { + "requestRoutingRules": { "value": [ { - "frontendListenerName": "public443", - "backendPoolName": "appServiceBackendPool", - "backendHttpConfigurationName": "appServiceBackendHttpsSetting" + "name": "apw-routing-rule-public443", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" + }, + "backendHttpSettings": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" + } + } }, { - "frontendListenerName": 
"private4433", - "backendPoolName": "privateVmBackendPool", - "backendHttpConfigurationName": "privateVmHttpSetting" + "name": "apw-routing-rule-private4433", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" + }, + "backendHttpSettings": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" + } + } } ] }, - "roleAssignments": { + "sku": { + "value": "WAF_v2" + }, + "sslCertificates": { "value": [ { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] + "name": "sxx-az-apgw-x-001-ssl-certificate", + "properties": { + "keyVaultSecretId": "https://adp-sxx-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" + } } ] }, @@ -156,6 +218,16 @@ }, "diagnosticEventHubName": { "value": "adp-sxx-az-evh-x-001" + }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] } } } diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json new file mode 100644 index 0000000000..f972b08ef2 --- /dev/null +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json 
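Review bot: The rebuilt fixture mixes enum casing for the same property: `protocol` is `"Https"`/`"Http"` in `backendHttpSettingsCollection` but `"http"` in `probes`; the deployment engine is, as far as I know, case-insensitive here, but a file other parameter files will be copied from should use one form. More important for coverage, the old fixture exercised a private frontend (`frontendPrivateIpAddress` 10.0.8.6) and the new `frontendIPConfigurations` value only carries a `publicIPAddress`, so the private-listener path of the module is no longer deployed by the test even though listeners and ports named `private4433` remain. Adding a second frontend IP configuration with a private address, and pointing the `private4433` listener at it, would keep that path under test. The `requestRoutingRules` and `redirectConfigurations` entries embed full sub-resource IDs built from the gateway name, which is acceptable in a fixture but must be kept in sync with `name` by hand.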
@@ -0,0 +1,161 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sxx-az-apgw-x-001" + }, + "sku": { + "value": "WAF_v2" + }, + "vNetName": { + "value": "adp-sxx-az-vnet-x-001" + }, + "subnetName": { + "value": "sxx-az-subnet-x-007" + }, + "vNetResourceGroup": { + "value": "validation-rg" + }, + "frontendPrivateIpAddress": { + "value": "10.0.8.6" + }, + "frontendPublicIpResourceId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apgw" + }, + "userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {} + } + }, + "sslCertificateKeyVaultSecretId": { + "value": "https://adp-sxx-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" + }, + "backendPools": { + "value": [ + { + "backendPoolName": "appServiceBackendPool", + "backendAddresses": [ + { + "fqdn": "aghapp.azurewebsites.net" + } + ] + }, + { + "backendPoolName": "privateVmBackendPool", + "backendAddresses": [ + { + "ipAddress": "10.0.0.4" + } + ] + } + ] + }, + "backendHttpConfigurations": { + "value": [ + { + "backendHttpConfigurationName": "appServiceBackendHttpsSetting", + "port": 443, + "protocol": "https", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": true, + "probeEnabled": false + }, + { + "backendHttpConfigurationName": "privateVmHttpSetting", + "port": 80, + "protocol": "http", + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "probeEnabled": true + } + ] + }, + "probes": { + "value": [ + { + "backendHttpConfigurationName": "privateVmHttpSetting", + "protocol": "http", + "host": "10.0.0.4", + "path": "/", + "interval": 60, + "timeout": 15, + "unhealthyThreshold": 5, + "minServers": 3, 
+ "body": "", + "statusCodes": [ + "200", + "401" + ] + } + ] + }, + "frontendHttpsListeners": { + "value": [ + { + "frontendListenerName": "public443", + "frontendIPType": "Public", + "port": 443 + }, + { + "frontendListenerName": "private4433", + "frontendIPType": "Private", + "port": 4433 + } + ] + }, + "frontendHttpRedirects": { + "value": [ + { + "frontendIPType": "Public", + "port": 80, + "frontendListenerName": "public443" + }, + { + "frontendIPType": "Private", + "port": 8080, + "frontendListenerName": "private4433" + } + ] + }, + "routingRules": { + "value": [ + { + "frontendListenerName": "public443", + "backendPoolName": "appServiceBackendPool", + "backendHttpConfigurationName": "appServiceBackendHttpsSetting" + }, + { + "frontendListenerName": "private4433", + "backendPoolName": "privateVmBackendPool", + "backendHttpConfigurationName": "privateVmHttpSetting" + } + ] + }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsax001" + }, + "diagnosticWorkspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "diagnosticEventHubName": { + "value": "adp-sxx-az-evh-x-001" + } + } +} From 8c09bb3efc40855c065bcdb1422b8ec0039c1d89 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 31 Jan 2022 12:10:42 +0100 Subject: [PATCH 09/33] test --- .../.parameters/parameters.json | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) 
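Review bot: `parameters_old.json` is a verbatim copy of the pre-rewrite fixture, with parameter names (`backendPools`, `vNetName`, `frontendHttpsListeners`, `routingRules`, ...) that the rebuilt template no longer declares; if the module's validation pipeline deploys every file under `.parameters/`, this file would fail on undeclared parameters, and if it does not, the file is dead weight. Keeping the old fixture in git history rather than in the tree, or at least outside the `.parameters/` folder, avoids both outcomes. It also duplicates the Key Vault secret URL of the test certificate in a second place that will not be updated when the main fixture changes.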
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index b0d5a3912b..d7cb2625af 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
@@ -123,38 +123,38 @@ }, "redirectConfigurations": { "value": [ - { - "name": "public443", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" - } - ], - "targetListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" - } - } - }, - { - "name": "private4433", - "properties": { - "includePath": true, - "includeQueryString": true, - "redirectType": "Permanent", - "requestRoutingRules": [ - { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" - } - ], - "targetListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" - } - } - } + // { + // "name": "public443", + // "properties": { + // "includePath": true, + // "includeQueryString": true, + // "redirectType": "Permanent", + // "requestRoutingRules": [ + // { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" + // } + // ], + // "targetListener": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + // } + // } + // }, + // { + // "name": "private4433", + // "properties": { + // "includePath": true, + // "includeQueryString": true, + // "redirectType": "Permanent", + // "requestRoutingRules": [ + // { + // "id": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" + // } + // ], + // "targetListener": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + // } + // } + // } ] }, "requestRoutingRules": { From a14cfe3abaf6fdf374615f27ec9766417ddb6df7 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 31 Jan 2022 13:13:20 +0100 Subject: [PATCH 10/33] add httplistener --- .../.parameters/parameters.json | 90 ++++++++++++------- 1 file changed, 58 insertions(+), 32 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index d7cb2625af..2a053a5c06 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
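Review bot: Commenting out the two `redirectConfigurations` entries leaves `//` comments inside a `.json` file; the Azure CLI and Bicep tooling accept comments in parameter files, but a strict JSON parser or linter consuming this fixture will reject it, and the `value` array is left empty rather than the parameter being dropped. If an entry has to be disabled for a test run, deleting it (history keeps the content) preserves valid JSON and makes the intent explicit. The same pattern recurs in the following patches: the `httpListeners` hunk, the `backendAddressPool` and `backendHttpSettings` hunks (including the `} //,` workaround for the trailing comma) and the whole `requestRoutingRules` block.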
@@ -86,6 +86,32 @@ } ] }, + "httpListeners": [ + { + "name": "public443", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/public443" + }, + "protocol": "https" + } + }, + { + "name": "private4433", + "properties": { + // "frontendIPConfiguration": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" + // }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433" + }, + "protocol": "https" + } + } + ], "gatewayIPConfigurations": { "value": [ { 
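Review bot: The new `httpListeners` entry is a bare array, while every other parameter in this file is wrapped as `{ "value": [...] }`, so the deployment will not bind it to the `httpListeners` parameter; a later patch in the series appears to add the wrapper. Both listeners declare `"protocol": "https"` but neither references an `sslCertificate`, and `private4433` has its `frontendIPConfiguration` commented out, so as written this revision describes HTTPS listeners with no certificate and, for one of them, no frontend binding; if these intermediate commits are not squashed, the series should not pass through that state. The lowercase `"https"` also differs from the `"Https"` used in `backendHttpSettingsCollection` earlier in this file.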
@@ -123,38 +149,38 @@ }, "redirectConfigurations": { "value": [ - // { - // "name": "public443", - // "properties": { - // "includePath": true, - // "includeQueryString": true, - // "redirectType": "Permanent", - // "requestRoutingRules": [ - // { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" - // } - // ], - // "targetListener": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" - // } - // } - // }, - // { - // "name": "private4433", - // "properties": { - // "includePath": true, - // "includeQueryString": true, - // "redirectType": "Permanent", - // "requestRoutingRules": [ - // { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" - // } - // ], - // "targetListener": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" - // } - // } - // } + { + "name": "public443", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" + } + ], + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + } + } + }, + { + "name": "private4433", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" + } + ], + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + } + } + } ] }, "requestRoutingRules": { From 7ad2b36bafc325a8184b0ca68360c09fed079495 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 31 Jan 2022 13:24:47 +0100 Subject: [PATCH 11/33] test --- .../applicationGateways/.parameters/parameters.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index 2a053a5c06..6677edfc1d 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json @@ -102,9 +102,6 @@ { "name": "private4433", "properties": { - // "frontendIPConfiguration": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" - // }, "frontendPort": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433" }, From 550248180b2a0fdf4bc7f6be6d0d54c9a1a91c1a Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 31 Jan 2022 14:12:03 +0100 Subject: [PATCH 12/33] fix --- .../.parameters/parameters.json | 46 ++++++++++--------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index 6677edfc1d..e47a619d1f 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json @@ -86,29 +86,31 @@ } ] }, - "httpListeners": [ - { - "name": "public443", - "properties": { - "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" - }, - "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/public443" - }, - "protocol": "https" - } - }, - { - "name": "private4433", - "properties": { - "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433" - }, - "protocol": "https" + "httpListeners": { + "value": [ + { + "name": "public443", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/public443" + }, + "protocol": "https" + } + }, + { + "name": "private4433", + "properties": { + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433" + }, + "protocol": "https" + } } - } - ], + ] + }, "gatewayIPConfigurations": { "value": [ { From 6c6458b211cbfecb99881f1f1708f12ee4763e1e Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 31 Jan 2022 14:22:44 +0100 Subject: [PATCH 13/33] adding sslCertificate --- .../applicationGateways/.parameters/parameters.json | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index e47a619d1f..9dd6ba4e2b 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -97,6 +97,9 @@
 "frontendPort": {
 "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/public443"
 },
+ "sslCertificate": {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate"
+ },
 "protocol": "https"
 }
 },
From 77e4cd6e809511acda0c82006c2a56dce40a3bcd Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 31 Jan 2022 14:30:04 +0100
Subject: [PATCH 14/33] fix

---
 .../applicationGateways/.parameters/parameters.json | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 9dd6ba4e2b..351b4ebc60 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -106,9 +106,15 @@
 {
 "name": "private4433",
 "properties": {
+ "frontendIPConfiguration": {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration"
+ },
 "frontendPort": {
 "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433"
 },
+ "sslCertificate": {
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate"
+ },
 "protocol": "https"
 }
 }
From 3f9df85f02e25e5ee071995f720298e00d6eac5e Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 31 Jan 2022 14:42:17 +0100
Subject: [PATCH 15/33] fix

---
 .../applicationGateways/.parameters/parameters.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 351b4ebc60..979b35008e 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
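Review bot: The listener named `private4433` is now bound to `apw-frontend-ip-configuration`, which is the only frontend IP configuration in this fixture and carries a `publicIPAddress` (see the `frontendIPConfigurations` value added earlier in the series), so the "private" listener is served on the public IP on port 4433. If a private listener is intended, add a second frontend IP configuration with a `privateIPAddress` and `subnet` and point this listener at it; if public exposure is intended for the test, rename the listener and port so the name does not say the opposite of what is deployed. As it stands a reader checking exposure from the listener names alone would get the wrong answer.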
@@ -200,9 +200,9 @@
 "httpListener": {
 "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443"
 },
- "backendAddressPool": {
- "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool"
- },
+ // "backendAddressPool": {
+ // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool"
+ // },
 "backendHttpSettings": {
 "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting"
 }
From 6741bf7940ee90d1f84e00e0717cfe92203a6b8e Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 31 Jan 2022 14:50:11 +0100
Subject: [PATCH 16/33] fix

---
 .../applicationGateways/.parameters/parameters.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 979b35008e..4ba7035331 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -199,13 +199,13 @@
 "ruleType": "Basic",
 "httpListener": {
 "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443"
- },
+ } //,
 // "backendAddressPool": {
 // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool"
 // },
- "backendHttpSettings": {
- "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting"
- }
+ // "backendHttpSettings": {
+ // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting"
+ // }
 }
 },
 {
From c6c57422899f906e6d6272b176e8cbcfbf4cbb77 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 31 Jan 2022 14:57:26 +0100
Subject: [PATCH 17/33] test
---
 .../.parameters/parameters.json | 68 +++++++++----------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 4ba7035331..67822510ec 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -191,40 +191,40 @@ } ] }, - "requestRoutingRules": { - "value": [ - { - "name": "apw-routing-rule-public443", - "properties": { - "ruleType": "Basic", - "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" - } //, - // "backendAddressPool": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" - // }, - // "backendHttpSettings": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" - // } - } - }, - { - "name": "apw-routing-rule-private4433", - "properties": { - "ruleType": "Basic", - "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" - }, - "backendAddressPool": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" - }, - "backendHttpSettings": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" - } - } - } - ] - }, + // "requestRoutingRules": { + // "value": [ + // { + // "name": "apw-routing-rule-public443", + // "properties": { + // "ruleType": "Basic", + // "httpListener": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + // }, + // "backendAddressPool": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" + // }, + // 
"backendHttpSettings": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" + // } + // } + // }, + // { + // "name": "apw-routing-rule-private4433", + // "properties": { + // "ruleType": "Basic", + // "httpListener": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + // }, + // "backendAddressPool": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" + // }, + // "backendHttpSettings": { + // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" + // } + // } + // } + // ] + // }, "sku": { "value": "WAF_v2" }, From 5721f6b46c44dd4dc1fdfc5231f74c625123e9cb Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Tue, 1 Feb 2022 11:21:37 +0100 Subject: [PATCH 18/33] update parameters --- .../.parameters/parameters.json | 223 +++++++++++++----- 1 file changed, 158 insertions(+), 65 deletions(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index 67822510ec..f501f47d7d 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
@@ -10,6 +10,17 @@ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {} } }, + "webApplicationFirewallConfiguration": { + "enabled": true, + "firewallMode": "Detection", + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0", + "disabledRuleGroups": [], + "requestBodyCheck": true, + "maxRequestBodySizeInKb": 128, + "fileUploadLimitInMb": 100 + }, + "enableHttp2": true, "backendAddressPools": { "value": [ { @@ -43,7 +54,7 @@ "protocol": "Https", "cookieBasedAffinity": "Disabled", "pickHostNameFromBackendAddress": true, - "probeEnabled": false + "requestTimeout": 30 } }, { @@ -53,7 +64,10 @@ "protocol": "Http", "cookieBasedAffinity": "Disabled", "pickHostNameFromBackendAddress": false, - "probeEnabled": true + "requestTimeout": 30, + "probe": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/probes/privateVmHttpSettingProbe" + } } } ] @@ -61,8 +75,19 @@ "frontendIPConfigurations": { "value": [ { - "name": "apw-frontend-ip-configuration", + "name": "private", + "properties": { + "privateIPAddress": "10.0.8.6", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-007" + } + } + }, + { + "name": "public", "properties": { + "privateIPAllocationMethod": "Dynamic", "publicIPAddress": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apg" } @@ -73,16 +98,28 @@ "frontendPorts": { "value": [ { - "name": "public443", + "name": "port443", "properties": { "port": 443 } }, { - "name": "private4433", + "name": "port4433", "properties": { "port": 4433 } + }, + { + "name": "port80", + "properties": { + "port": 80 + } + }, + { + "name": "port8080", + "properties": { + "port": 8080 + } } ] }, 
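Review bot: The new `webApplicationFirewallConfiguration` and `enableHttp2` entries in the first hunk are written as bare values, unlike every neighbouring parameter (`"backendAddressPools": { "value": [ ... ] }`); the deploymentParameters schema expects each parameter as `{ "value": ... }`, so these two will be rejected or ignored at deployment, which is consistent with the later hunks at L86, L88 and L89 toggling them in and out with comments. The fix is to wrap them, e.g. `"enableHttp2": { "value": true },` and `"webApplicationFirewallConfiguration": { "value": { "enabled": true, ... } },`, rather than commenting them out; otherwise the validation run of a `WAF_v2` SKU never exercises the WAF parameter and the effective WAF state depends on the module default, which is not visible here. Separately, `"firewallMode": "Detection"` only logs and `"ruleSetVersion": "3.0"` is an older OWASP CRS release; for anything beyond a validation fixture, `Prevention` with a newer rule set such as `3.1` is the enforcing configuration.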
@@ -92,30 +129,62 @@ "name": "public443", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/public" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/public443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port443" }, "sslCertificate": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate" }, - "protocol": "https" + "protocol": "https", + "hostNames": [], + "requireServerNameIndication": false } }, { "name": "private4433", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/apw-frontend-ip-configuration" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/private" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/private4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port4433" }, "sslCertificate": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate" }, - "protocol": "https" + "protocol": "https", 
+ "hostNames": [], + "requireServerNameIndication": false + } + }, + { + "name": "httpRedirect80", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/public" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port80" + }, + "protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false + } + }, + { + "name": "httpRedirect8080", + "properties": { + "frontendIPConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/private" + }, + "frontendPort": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port8080" + }, + "protocol": "Http", + "hostNames": [], + "requireServerNameIndication": false } } ] @@ -135,22 +204,22 @@ "probes": { "value": [ { - "name": "privateVmHttpSetting", + "name": "privateVmHttpSettingProbe", "properties": { + "protocol": "Http", "host": "10.0.0.4", + "path": "/", "interval": 60, + "timeout": 15, + "unhealthyThreshold": 5, + "pickHostNameFromBackendHttpSettings": false, + "minServers": 3, "match": { - "body": "", "statusCodes": [ "200", "401" ] - }, - "minServers": 3, - "path": "/", - "protocol": "http", - "timeout": 15, - "unhealthyThreshold": 5 + } } } ] 
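Review bot: The listener protocols in this hunk mix `"protocol": "https"` on `public443`/`private4433` with `"protocol": "Http"` on the two redirect listeners, while the backend HTTP settings in the L80 hunk use `"Https"`/`"Http"`; the ARM enum values are `Http` and `Https`, and the service appears to accept either spelling, but one spelling per file makes diffs easier to review, so `"protocol": "Https"` on the two TLS listeners would align them with the rest of the file. The enclosing `httpListeners` array starts before this hunk (L81).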
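Review bot: The probe sets `"minServers": 3` next to `"unhealthyThreshold": 5`; `minServers` is the number of backend members the gateway keeps marked healthy regardless of probe results, so if `privateVmBackendPool` has three or fewer addresses (its definition is outside this hunk) the probe can never take a failing server out of rotation and the health check is effectively inert. Unless that is deliberate for the validation fixture, `"minServers": 0` (the default) is the safer value, and the `"401"` in `statusCodes` deserves a one-line note in the readme explaining that an authenticating backend is expected to answer the unauthenticated probe with 401.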
@@ -158,73 +227,97 @@ "redirectConfigurations": { "value": [ { - "name": "public443", + "name": "httpRedirect80", "properties": { + "redirectType": "Permanent", + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + }, "includePath": true, "includeQueryString": true, - "redirectType": "Permanent", "requestRoutingRules": [ { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-public443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/httpRedirect80-public443" } - ], - "targetListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" - } + ] } }, { - "name": "private4433", + "name": "httpRedirect8080", "properties": { + "redirectType": "Permanent", + "targetListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + }, "includePath": true, "includeQueryString": true, - "redirectType": "Permanent", "requestRoutingRules": [ { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/apw-routing-rule-private4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/httpRedirect8080-private4433" } - ], - "targetListener": { + ] + } + } + ] + }, + "requestRoutingRules": { + "value": [ + { + "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": 
"/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" + }, + "backendHttpSettings": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" + } + } + }, + { + "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", + "properties": { + "ruleType": "Basic", + "httpListener": { "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + }, + "backendAddressPool": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" + }, + "backendHttpSettings": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" + } + } + }, + { + "name": "httpRedirect80-public443", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/httpRedirect80" + }, + "redirectConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/redirectConfigurations/httpRedirect80" + } + } + }, + { + "name": "httpRedirect8080-private4433", + "properties": { + "ruleType": "Basic", + "httpListener": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/httpRedirect8080" + }, + 
"redirectConfiguration": { + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/redirectConfigurations/httpRedirect8080" } } } ] }, - // "requestRoutingRules": { - // "value": [ - // { - // "name": "apw-routing-rule-public443", - // "properties": { - // "ruleType": "Basic", - // "httpListener": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" - // }, - // "backendAddressPool": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" - // }, - // "backendHttpSettings": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" - // } - // } - // }, - // { - // "name": "apw-routing-rule-private4433", - // "properties": { - // "ruleType": "Basic", - // "httpListener": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" - // }, - // "backendAddressPool": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" - // }, - // "backendHttpSettings": { - // "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" - // } - // } - // } - // ] - // }, "sku": { "value": "WAF_v2" }, From 8e7b470059b9c0ded71d8e281f79166d98b6bd9a Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Tue, 1 Feb 2022 11:34:02 +0100 Subject: [PATCH 19/33] test --- .../applicationGateways/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
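Review bot: The two backend rule names, `public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting` and `private4433-privateVmHttpSetting-privateVmHttpSetting`, repeat the HTTP-settings name where the middle segment looks intended to carry the pool name, judging by the ids they reference and by the redirect rules that follow a `<listener>-<target>` pattern; `public443-appServiceBackendPool-appServiceBackendHttpsSetting` and `private4433-privateVmBackendPool-privateVmHttpSetting` would match the referenced `backendAddressPools`. Each `redirectConfigurations` entry also lists its rule under `requestRoutingRules` while the rule points back via `redirectConfiguration`; the rule-side reference is the one that drives routing, so the back-reference is at best redundant and should be verified against the API version the module uses before being kept. The hunk starts at L83 and the enclosing `parameters` object continues outside it.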
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index f501f47d7d..b91da55c73 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -20,7 +20,7 @@
 "maxRequestBodySizeInKb": 128,
 "fileUploadLimitInMb": 100
 },
- "enableHttp2": true,
+ //"enableHttp2": true,
 "backendAddressPools": {
 "value": [
 {
From 5f575d45b4e28ae313e2aa54a82ee921fd50fbcd Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 1 Feb 2022 11:40:10 +0100
Subject: [PATCH 20/33] test
---
 .../.parameters/parameters.json | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index b91da55c73..4b7c2175c2 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -10,16 +10,16 @@
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}
 }
 },
- "webApplicationFirewallConfiguration": {
- "enabled": true,
- "firewallMode": "Detection",
- "ruleSetType": "OWASP",
- "ruleSetVersion": "3.0",
- "disabledRuleGroups": [],
- "requestBodyCheck": true,
- "maxRequestBodySizeInKb": 128,
- "fileUploadLimitInMb": 100
- },
+ // "webApplicationFirewallConfiguration": {
+ // "enabled": true,
+ // "firewallMode": "Detection",
+ // "ruleSetType": "OWASP",
+ // "ruleSetVersion": "3.0",
+ // "disabledRuleGroups": [],
+ // "requestBodyCheck": true,
+ // "maxRequestBodySizeInKb": 128,
+ // "fileUploadLimitInMb": 100
+ // },
 //"enableHttp2": true,
 "backendAddressPools": {
 "value": [
From 3c5a38790698e5083f43d1f1b9c6e4de1de55465 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 1 Feb 2022 11:48:22 +0100
Subject: [PATCH 21/33] fix
---
 .../applicationGateways/.parameters/parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 4b7c2175c2..91c5270d7d 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -89,7 +89,7 @@
 "properties": {
 "privateIPAllocationMethod": "Dynamic",
 "publicIPAddress": {
- "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apg"
+ "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apgw"
 }
 }
 }
From c4a89c21a5437258615adaf0709d4008eba16d1b Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 1 Feb 2022 11:48:36 +0100
Subject: [PATCH 22/33] test
---
 .../.parameters/parameters.json | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 91c5270d7d..29af2d09fa 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -10,17 +10,17 @@
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}
 }
 },
- // "webApplicationFirewallConfiguration": {
- // "enabled": true,
- // "firewallMode": "Detection",
- // "ruleSetType": "OWASP",
- // "ruleSetVersion": "3.0",
- // "disabledRuleGroups": [],
- // "requestBodyCheck": true,
- // "maxRequestBodySizeInKb": 128,
- // "fileUploadLimitInMb": 100
- // },
- //"enableHttp2": true,
+ "webApplicationFirewallConfiguration": {
+ "enabled": true,
+ "firewallMode": "Detection",
+ "ruleSetType": "OWASP",
+ "ruleSetVersion": "3.0",
+ "disabledRuleGroups": [],
+ "requestBodyCheck": true,
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 100
+ },
+ "enableHttp2": true,
 "backendAddressPools": {
 "value": [
 {
From ad8a5689954b15d4355259d8476fe4399af3ac0f Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 1 Feb 2022 11:55:05 +0100
Subject: [PATCH 23/33] test
---
 .../.parameters/parameters.json | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 29af2d09fa..e7819de70d 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -10,17 +10,17 @@
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}
 }
 },
- "webApplicationFirewallConfiguration": {
- "enabled": true,
- "firewallMode": "Detection",
- "ruleSetType": "OWASP",
- "ruleSetVersion": "3.0",
- "disabledRuleGroups": [],
- "requestBodyCheck": true,
- "maxRequestBodySizeInKb": 128,
- "fileUploadLimitInMb": 100
- },
- "enableHttp2": true,
+ // "webApplicationFirewallConfiguration": {
+ // "enabled": true,
+ // "firewallMode": "Detection",
+ // "ruleSetType": "OWASP",
+ // "ruleSetVersion": "3.0",
+ // "disabledRuleGroups": [],
+ // "requestBodyCheck": true,
+ // "maxRequestBodySizeInKb": 128,
+ // "fileUploadLimitInMb": 100
+ // },
+ // "enableHttp2": true,
 "backendAddressPools": {
 "value": [
 {
From 09a0c20ea4986b1bb4cdbdb1e31ae4a302ac118c Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 21 Feb 2022 11:19:20 +0100
Subject: [PATCH 24/33] remove
---
 .../.parameters/parameters_old.json | 161 ------------------
 1 file changed, 161 deletions(-)
 delete mode 100644 arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json
deleted file mode 100644
index f972b08ef2..0000000000
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters_old.json
+++ /dev/null
@@ -1,161 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "sxx-az-apgw-x-001" - }, - "sku": { - "value": "WAF_v2" - }, - "vNetName": { - "value": "adp-sxx-az-vnet-x-001" - }, - "subnetName": { - "value": "sxx-az-subnet-x-007" - }, - "vNetResourceGroup": { - "value": "validation-rg" - }, - "frontendPrivateIpAddress": { - "value": "10.0.8.6" - }, - "frontendPublicIpResourceId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apgw" - }, - "userAssignedIdentities": { - "value": { - "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {} - } - }, - "sslCertificateKeyVaultSecretId": { - "value": "https://adp-sxx-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" - }, - "backendPools": { - "value": [ - { - "backendPoolName": "appServiceBackendPool", - "backendAddresses": [ - { - "fqdn": "aghapp.azurewebsites.net" - } - ] - }, - { - "backendPoolName": "privateVmBackendPool", - "backendAddresses": [ - { - "ipAddress": "10.0.0.4" - } - ] - } - ] - }, - "backendHttpConfigurations": { - "value": [ - { - "backendHttpConfigurationName": "appServiceBackendHttpsSetting", - "port": 443, - "protocol": "https", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": true, - "probeEnabled": false - }, - { - "backendHttpConfigurationName": "privateVmHttpSetting", - "port": 80, - "protocol": "http", - "cookieBasedAffinity": "Disabled", - "pickHostNameFromBackendAddress": false, - "probeEnabled": true - } - ] - }, - "probes": { - "value": [ - { - "backendHttpConfigurationName": "privateVmHttpSetting", - "protocol": "http", - "host": "10.0.0.4", - "path": "/", - "interval": 60, - "timeout": 15, - "unhealthyThreshold": 5, - "minServers": 3, 
- "body": "", - "statusCodes": [ - "200", - "401" - ] - } - ] - }, - "frontendHttpsListeners": { - "value": [ - { - "frontendListenerName": "public443", - "frontendIPType": "Public", - "port": 443 - }, - { - "frontendListenerName": "private4433", - "frontendIPType": "Private", - "port": 4433 - } - ] - }, - "frontendHttpRedirects": { - "value": [ - { - "frontendIPType": "Public", - "port": 80, - "frontendListenerName": "public443" - }, - { - "frontendIPType": "Private", - "port": 8080, - "frontendListenerName": "private4433" - } - ] - }, - "routingRules": { - "value": [ - { - "frontendListenerName": "public443", - "backendPoolName": "appServiceBackendPool", - "backendHttpConfigurationName": "appServiceBackendHttpsSetting" - }, - { - "frontendListenerName": "private4433", - "backendPoolName": "privateVmBackendPool", - "backendHttpConfigurationName": "privateVmHttpSetting" - } - ] - }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "<>" - ] - } - ] - }, - "diagnosticLogsRetentionInDays": { - "value": 7 - }, - "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsax001" - }, - "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" - }, - "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" - }, - "diagnosticEventHubName": { - "value": "adp-sxx-az-evh-x-001" - } - } -} From d641bff5dba30a5f209e9623484e5356d1165fa7 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Mon, 21 Feb 2022 11:22:24 +0100 Subject: [PATCH 25/33] update readme --- arm/Microsoft.Network/applicationGateways/readme.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md
index 3773c4e3bd..3d607b8a0c 100644
--- a/arm/Microsoft.Network/applicationGateways/readme.md
+++ b/arm/Microsoft.Network/applicationGateways/readme.md
@@ -16,8 +16,8 @@ This module deploys Network ApplicationGateways.
 | Parameter Name | Type | Default Value | Possible Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `authenticationCertificates` | array | `[]` | | Optional. Authentication certificates of the application gateway resource. |
-| `autoscaleMaxCapacity` | int | `10` | | Optional. Upper bound on number of Application Gateway capacity. |
-| `autoscaleMinCapacity` | int | | | Optional. Lower bound on number of Application Gateway capacity. |
+| `autoscaleMaxCapacity` | int | `-1` | | Optional. Upper bound on number of Application Gateway capacity. |
+| `autoscaleMinCapacity` | int | `-1` | | Optional. Lower bound on number of Application Gateway capacity. |
 | `backendAddressPools` | array | `[]` | | Optional. Backend address pool of the application gateway resource. |
 | `backendHttpSettingsCollection` | array | `[]` | | Optional. Backend http settings of the application gateway resource. |
 | `capacity` | int | `2` | | Optional. The number of Application instances to be configured. |
@@ -52,7 +52,6 @@ This module deploys Network ApplicationGateways.
 | `sku` | string | `WAF_Medium` | `[Standard_Small, Standard_Medium, Standard_Large, WAF_Medium, WAF_Large, Standard_v2, WAF_v2]` | Optional. The name of the SKU for the Application Gateway. |
 | `sslCertificates` | array | `[]` | | Optional. SSL certificates of the application gateway resource. |
 | `sslPolicyCipherSuites` | array | `[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]` | `[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384]` | Optional. Ssl cipher suites to be enabled in the specified order to application gateway. |
-
 | `sslPolicyMinProtocolVersion` | string | `TLSv1_2` | `[TLSv1_0, TLSv1_1, TLSv1_2]` | Optional. Ssl protocol enums. |
 | `sslPolicyName` | string | | `[AppGwSslPolicy20150501, AppGwSslPolicy20170401, AppGwSslPolicy20170401S, ]` | Optional. Ssl predefined policy name enums. |
 | `sslPolicyType` | string | `Custom` | `[Custom, Predefined]` | Optional. Type of Ssl Policy. |
From 8241fb70a454dc9a46f9b67d001288f2734eecd6 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Mon, 21 Feb 2022 15:30:27 +0100
Subject: [PATCH 26/33] update readme
---
 .../applicationGateways/readme.md | 537 +++++++++++++++++-
 1 file changed, 535 insertions(+), 2 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md
index 3d607b8a0c..b8b279b20f 100644
--- a/arm/Microsoft.Network/applicationGateways/readme.md
+++ b/arm/Microsoft.Network/applicationGateways/readme.md
@@ -64,9 +64,542 @@ This module deploys Network ApplicationGateways. | `webApplicationFirewallConfiguration` | object | `{object}` | | Optional. Application gateway web application firewall configuration. | | `zones` | array | `[]` | | Optional. A list of availability zones denoting where the resource needs to come from. | -### Parameter Usage: `` +### Parameter Usage: `authenticationCertificates` -// TODO: Fill in Parameter usage +```json +"authenticationCertificates": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "data": "string" + } + } + ] +} +``` + +### Parameter Usage: `backendAddressPools` + +```json +"backendAddressPools": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddresses": [ + { + "fqdn": "string", + "ipAddress": "string" + } + ] + } + } + ] +} +``` + +### Parameter Usage: `backendHttpSettingsCollection` + +```json +"backendHttpSettingsCollection": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "affinityCookieName": "string", + "authenticationCertificates": [ + { + "id": "string" + } + ], + "connectionDraining": { + "drainTimeoutInSec": "int", + "enabled": "bool" + }, + "cookieBasedAffinity": "string", + "hostName": "string", + "path": "string", + "pickHostNameFromBackendAddress": "bool", + "port": "int", + "probe": { + "id": "string" + }, + "probeEnabled": "bool", + "protocol": "string", + "requestTimeout": "int", + "trustedRootCertificates": [ + { + "id": "string" + } + ] + } + } + ] +} +``` + +### Parameter Usage: `customErrorConfigurations` + +```json +"customErrorConfigurations": { + "value": [ + { + "customErrorPageUrl": "string", + "statusCode": "string" + } + ] +} +``` + +### Parameter Usage: `frontendIPConfigurations` + +```json +"frontendIPConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "privateIPAddress": "string", + "privateIPAllocationMethod": "string", + "privateLinkConfiguration": { + "id": 
"string" + }, + "publicIPAddress": { + "id": "string" + }, + "subnet": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `frontendPorts` + +```json +"frontendPorts": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "port": "int" + } + } + ] +} +``` + +### Parameter Usage: `gatewayIPConfigurations` + +```json +"gatewayIPConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "subnet": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `httpListeners` + +```json +"httpListeners": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "customErrorConfigurations": [ + { + "customErrorPageUrl": "string", + "statusCode": "string" + } + ], + "firewallPolicy": { + "id": "string" + }, + "frontendIPConfiguration": { + "id": "string" + }, + "frontendPort": { + "id": "string" + }, + "hostName": "string", + "hostNames": [ "string" ], + "protocol": "string", + "requireServerNameIndication": "bool", + "sslCertificate": { + "id": "string" + }, + "sslProfile": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `loadDistributionPolicies` + +```json +"loadDistributionPolicies": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "loadDistributionAlgorithm": "string", + "loadDistributionTargets": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "weightPerServer": "int" + } + } + ] + } + } + ] +} +``` + +### Parameter Usage: `privateLinkConfigurations` + +```json +"privateLinkConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "ipConfigurations": [ + { + "id": "string", + "name": "string", + "properties": { + "primary": "bool", + "privateIPAddress": "string", + "privateIPAllocationMethod": "string", + "subnet": { + "id": "string" + } + } + } + ] + } + } + ] +} +``` + +### Parameter Usage: `probes` + +```json +"probes": { + 
"value": [ + { + "id": "string", + "name": "string", + "properties": { + "host": "string", + "interval": "int", + "match": { + "body": "string", + "statusCodes": [ "string" ] + }, + "minServers": "int", + "path": "string", + "pickHostNameFromBackendHttpSettings": "bool", + "port": "int", + "protocol": "string", + "timeout": "int", + "unhealthyThreshold": "int" + } + } + ] +} +``` + +### Parameter Usage: `redirectConfigurations` + +```json +"redirectConfigurations": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "includePath": "bool", + "includeQueryString": "bool", + "pathRules": [ + { + "id": "string" + } + ], + "redirectType": "string", + "requestRoutingRules": [ + { + "id": "string" + } + ], + "targetListener": { + "id": "string" + }, + "targetUrl": "string", + "urlPathMaps": [ + { + "id": "string" + } + ] + } + } + ] +} +``` + +### Parameter Usage: `requestRoutingRules` + +```json +"requestRoutingRules": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "backendHttpSettings": { + "id": "string" + }, + "httpListener": { + "id": "string" + }, + "loadDistributionPolicy": { + "id": "string" + }, + "priority": "int", + "redirectConfiguration": { + "id": "string" + }, + "rewriteRuleSet": { + "id": "string" + }, + "ruleType": "string", + "urlPathMap": { + "id": "string" + } + } + } + ] +} +``` + +### Parameter Usage: `rewriteRuleSets` + +```json +"rewriteRuleSets": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "rewriteRules": [ + { + "actionSet": { + "requestHeaderConfigurations": [ + { + "headerName": "string", + "headerValue": "string" + } + ], + "responseHeaderConfigurations": [ + { + "headerName": "string", + "headerValue": "string" + } + ], + "urlConfiguration": { + "modifiedPath": "string", + "modifiedQueryString": "string", + "reroute": "bool" + } + }, + "conditions": [ + { + "ignoreCase": "bool", + "negate": "bool", + 
"pattern": "string", + "variable": "string" + } + ], + "name": "string", + "ruleSequence": "int" + } + ] + } + } + ] +} +``` + +### Parameter Usage: `sslCertificates` + +```json +"sslCertificates": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "data": "string", + "keyVaultSecretId": "string", + "password": "string" + } + } + ] +} +``` + +### Parameter Usage: `sslProfiles` + +```json +"sslProfiles": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "clientAuthConfiguration": { + "verifyClientCertIssuerDN": "bool" + }, + "sslPolicy": { + "cipherSuites": [ "string" ], + "disabledSslProtocols": [ "string" ], + "minProtocolVersion": "string", + "policyName": "string", + "policyType": "string" + }, + "trustedClientCertificates": [ + { + "id": "string" + } + ] + } + } + ] +} +``` + +### Parameter Usage: `trustedClientCertificates` + +```json +"trustedClientCertificates": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "data": "string" + } + } + ] +} +``` + +### Parameter Usage: `trustedRootCertificates` + +```json +"trustedRootCertificates": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "data": "string", + "keyVaultSecretId": "string" + } + } + ] +} +``` + +### Parameter Usage: `urlPathMaps` + +```json +"urlPathMaps": { + "value": [ + { + "id": "string", + "name": "string", + "properties": { + "defaultBackendAddressPool": { + "id": "string" + }, + "defaultBackendHttpSettings": { + "id": "string" + }, + "defaultLoadDistributionPolicy": { + "id": "string" + }, + "defaultRedirectConfiguration": { + "id": "string" + }, + "defaultRewriteRuleSet": { + "id": "string" + }, + "pathRules": [ + { + "id": "string", + "name": "string", + "properties": { + "backendAddressPool": { + "id": "string" + }, + "backendHttpSettings": { + "id": "string" + }, + "firewallPolicy": { + "id": "string" + }, + "loadDistributionPolicy": { + "id": "string" + }, + "paths": [ "string" ], + 
"redirectConfiguration": { + "id": "string" + }, + "rewriteRuleSet": { + "id": "string" + } + } + } + ] + } + } + ] +} +``` ### Parameter Usage: `roleAssignments` From 8fd7bc0ba4603bad5c251152e278b7d162ec351a Mon Sep 17 00:00:00 2001 From: Rainer Halanek <61878316+rahalan@users.noreply.github.com> Date: Mon, 21 Feb 2022 18:04:31 +0100 Subject: [PATCH 27/33] Update arm/Microsoft.Network/applicationGateways/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../applicationGateways/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index e7819de70d..14636b0593 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "name": { - "value": "sxx-az-apgw-x-001" + "value": "<>-az-apgw-x-001" }, "userAssignedIdentities": { "value": { From cb7c84ce0cc7677763e1a25e9c7745ff075ab7ac Mon Sep 17 00:00:00 2001 From: Rainer Halanek <61878316+rahalan@users.noreply.github.com> Date: Mon, 21 Feb 2022 18:05:00 +0100 Subject: [PATCH 28/33] Update arm/Microsoft.Network/applicationGateways/.parameters/parameters.json Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../applicationGateways/.parameters/parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json index 14636b0593..69f4d949b5 100644 --- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json +++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json 
@@ -7,7 +7,7 @@
 },
 "userAssignedIdentities": {
 "value": {
- "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}
+ "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 }
 },
 // "webApplicationFirewallConfiguration": {
From b2cbb6be2a00cd7b13427b3841ed9e5d03873f41 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 22 Feb 2022 11:31:52 +0100
Subject: [PATCH 29/33] fixes
---
 .../.parameters/parameters.json | 92 ++++++++++---------
 .../applicationGateways/deploy.bicep | 34 -------
 .../applicationGateways/version.json | 2 +-
 3 files changed, 48 insertions(+), 80 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 69f4d949b5..cd4f646cc2 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -10,17 +10,19 @@
 "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<>-az-msi-x-001": {}
 }
 },
- // "webApplicationFirewallConfiguration": {
- // "enabled": true,
- // "firewallMode": "Detection",
- // "ruleSetType": "OWASP",
- // "ruleSetVersion": "3.0",
- // "disabledRuleGroups": [],
- // "requestBodyCheck": true,
- // "maxRequestBodySizeInKb": 128,
- // "fileUploadLimitInMb": 100
- // },
- // "enableHttp2": true,
+ "webApplicationFirewallConfiguration": {
+ "value": {
+ "enabled": true,
+ "firewallMode": "Detection",
+ "ruleSetType": "OWASP",
+ "ruleSetVersion": "3.0",
+ "disabledRuleGroups": [],
+ "requestBodyCheck": true,
+ "maxRequestBodySizeInKb": 128,
+ "fileUploadLimitInMb": 100
+ }
+ },
+ "enableHttp2": true,
 "backendAddressPools": {
 "value": [
 {
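Review bot: `"enableHttp2": true` on the new side of the second hunk is the only parameter in this file that is not wrapped as `{ "value": ... }`, the shape ARM parameter files require and the one every neighbouring entry, including the new `webApplicationFirewallConfiguration`, uses; it should read `"enableHttp2": { "value": true },`. Separately, the WAF block is switched on with `"firewallMode": "Detection"` and `"ruleSetType": "OWASP"` / `"ruleSetVersion": "3.0"`: Detection mode only logs rule matches and does not block requests, and 3.0 is an older CRS revision, so if this file doubles as the module's reference example a `//` comment next to `firewallMode` stating that it is log-only for validation would keep it from being copied into a production deployment as-is. The enclosing `parameters` object starts and ends outside the hunk.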
@@ -66,7 +68,7 @@ "pickHostNameFromBackendAddress": false, "requestTimeout": 30, "probe": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/probes/privateVmHttpSettingProbe" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/probes/privateVmHttpSettingProbe" } } } @@ -80,7 +82,7 @@ "privateIPAddress": "10.0.8.6", "privateIPAllocationMethod": "Static", "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-007" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-007" } } }, @@ -89,7 +91,7 @@ "properties": { "privateIPAllocationMethod": "Dynamic", "publicIPAddress": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-sxx-az-pip-x-apgw" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-apgw" } } } 
@@ -129,13 +131,13 @@ "name": "public443", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/public" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/public" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port443" }, "sslCertificate": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/sslCertificates/<>-az-apgw-x-001-ssl-certificate" }, "protocol": "https", "hostNames": [], 
@@ -146,13 +148,13 @@ "name": "private4433", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/private" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/private" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port4433" }, "sslCertificate": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/sslCertificates/sxx-az-apgw-x-001-ssl-certificate" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/sslCertificates/<>-az-apgw-x-001-ssl-certificate" }, "protocol": "https", "hostNames": [], @@ -163,10 +165,10 @@ "name": "httpRedirect80", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/public" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/public" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port80" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port80" }, "protocol": "Http", "hostNames": [], 
@@ -177,10 +179,10 @@ "name": "httpRedirect8080", "properties": { "frontendIPConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendIPConfigurations/private" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendIPConfigurations/private" }, "frontendPort": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/frontendPorts/port8080" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/frontendPorts/port8080" }, "protocol": "Http", "hostNames": [], @@ -195,7 +197,7 @@ "name": "apw-ip-configuration", "properties": { "subnet": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-007" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-007" } } } @@ -231,13 +233,13 @@ "properties": { "redirectType": "Permanent", "targetListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/public443" }, "includePath": true, "includeQueryString": true, "requestRoutingRules": [ { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/httpRedirect80-public443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/requestRoutingRules/httpRedirect80-public443" } ] } 
@@ -247,13 +249,13 @@ "properties": { "redirectType": "Permanent", "targetListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/private4433" }, "includePath": true, "includeQueryString": true, "requestRoutingRules": [ { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/requestRoutingRules/httpRedirect8080-private4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/requestRoutingRules/httpRedirect8080-private4433" } ] } @@ -267,13 +269,13 @@ "properties": { "ruleType": "Basic", "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/public443" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/public443" }, "backendAddressPool": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/appServiceBackendPool" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendAddressPools/appServiceBackendPool" }, "backendHttpSettings": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendHttpSettingsCollection/appServiceBackendHttpsSetting" } } }, 
@@ -282,13 +284,13 @@ "properties": { "ruleType": "Basic", "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/private4433" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/private4433" }, "backendAddressPool": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendAddressPools/privateVmBackendPool" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendAddressPools/privateVmBackendPool" }, "backendHttpSettings": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/backendHttpSettingsCollection/privateVmHttpSetting" } } }, @@ -297,10 +299,10 @@ "properties": { "ruleType": "Basic", "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/httpRedirect80" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/httpRedirect80" }, "redirectConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/redirectConfigurations/httpRedirect80" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/redirectConfigurations/httpRedirect80" } } }, 
@@ -309,10 +311,10 @@ "properties": { "ruleType": "Basic", "httpListener": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/httpListeners/httpRedirect8080" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/httpListeners/httpRedirect8080" }, "redirectConfiguration": { - "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/sxx-az-apgw-x-001/redirectConfigurations/httpRedirect8080" + "id": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/applicationGateways/<>-az-apgw-x-001/redirectConfigurations/httpRedirect8080" } } } @@ -324,9 +326,9 @@ "sslCertificates": { "value": [ { - "name": "sxx-az-apgw-x-001-ssl-certificate", + "name": "<>-az-apgw-x-001-ssl-certificate", "properties": { - "keyVaultSecretId": "https://adp-sxx-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" + "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1" } } ] 
@@ -335,16 +337,16 @@ "value": 7 }, "diagnosticStorageAccountId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsax001" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" }, "diagnosticWorkspaceId": { - "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" }, "diagnosticEventHubAuthorizationRuleId": { - "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" }, "diagnosticEventHubName": { - "value": "adp-sxx-az-evh-x-001" + "value": "adp-<>-az-evh-x-001" }, "roleAssignments": { "value": [ diff --git a/arm/Microsoft.Network/applicationGateways/deploy.bicep b/arm/Microsoft.Network/applicationGateways/deploy.bicep index 6b13299e61..b8c7ca2933 100644 --- a/arm/Microsoft.Network/applicationGateways/deploy.bicep +++ b/arm/Microsoft.Network/applicationGateways/deploy.bicep @@ -127,14 +127,6 @@ param sslPolicyCipherSuites array = [ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' ] -// @description('Optional. Ssl protocols to be disabled on application gateway.') -// @allowed([ -// 'TLSv1_0' -// 'TLSv1_1' -// 'TLSv1_2' -// ]) -// param sslPolicyDisabledSslProtocols array = [] - @description('Optional. Ssl protocol enums.') @allowed([ 'TLSv1_0' 
@@ -303,7 +295,6 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' = sslCertificates: sslCertificates sslPolicy: { cipherSuites: sslPolicyCipherSuites - // disabledSslProtocols: sslPolicyDisabledSslProtocols minProtocolVersion: sslPolicyMinProtocolVersion policyName: empty(sslPolicyName) ? null : sslPolicyName policyType: sslPolicyType @@ -313,31 +304,6 @@ resource applicationGateway 'Microsoft.Network/applicationGateways@2021-05-01' = trustedRootCertificates: trustedRootCertificates urlPathMaps: urlPathMaps webApplicationFirewallConfiguration: webApplicationFirewallConfiguration - // { - // disabledRuleGroups: [ - // { - // ruleGroupName: 'string' - // rules: [ - // int - // ] - // } - // ] - // enabled: bool - // exclusions: [ - // { - // matchVariable: 'string' - // selector: 'string' - // selectorMatchOperator: 'string' - // } - // ] - // fileUploadLimitInMb: int - // firewallMode: 'string' - // maxRequestBodySize: int - // maxRequestBodySizeInKb: int - // requestBodyCheck: bool - // ruleSetType: 'string' - // ruleSetVersion: 'string' - // } }, (enableFips ? { enableFips: enableFips } : {}), {}) diff --git a/arm/Microsoft.Network/applicationGateways/version.json b/arm/Microsoft.Network/applicationGateways/version.json index 56f8d9ca40..badc0a2285 100644 --- a/arm/Microsoft.Network/applicationGateways/version.json +++ b/arm/Microsoft.Network/applicationGateways/version.json @@ -1,4 +1,4 @@ { "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", - "version": "0.4" + "version": "0.5" } From 0ac1d5ef9b770e8f29d032bb625007b9ccb40d21 Mon Sep 17 00:00:00 2001 From: Rainer Halanek Date: Tue, 22 Feb 2022 11:40:59 +0100 Subject: [PATCH 30/33] fix --- .../applicationGateways/.parameters/parameters.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index cd4f646cc2..b82265571d 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -22,7 +22,9 @@
 "fileUploadLimitInMb": 100
 }
 },
- "enableHttp2": true,
+ "enableHttp2": {
+ "value": true
+ },
 "backendAddressPools": {
 "value": [
 {
From 1afa0b18f33137f508e352ec100fa58b9f1d6c41 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 22 Feb 2022 11:56:14 +0100
Subject: [PATCH 31/33] fix
---
 .../applicationGateways/.parameters/parameters.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index b82265571d..eb1213225c 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -330,7 +330,7 @@
 {
 "name": "<>-az-apgw-x-001-ssl-certificate",
 "properties": {
- "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1"
+ "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/certificates/applicationGatewaySslCertificate/f46a93d6808a4a6eb9aa30d726b82dd4"
 }
 }
 ]
From 1bd39ca62eb0788e3f7b9ade128537372bc9cb76 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 22 Feb 2022 12:13:48 +0100
Subject: [PATCH 32/33] fix
---
 .../.parameters/parameters.json | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index eb1213225c..3ec6149648 100644
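Review bot: In the second hunk (patch 31) the new `keyVaultSecretId` is the `/certificates/applicationGatewaySslCertificate/...` object identifier, but the property name and the value it replaces both point at the Key Vault secret-identifier form (`https://<vault>.vault.azure.net/secrets/<name>/<version>`), which as far as I know is the form Application Gateway reads the PFX through; the two following commits in this series move back to `/secrets/`, which is consistent with this URL not being accepted. I would keep the secret form here, `"keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/<SECRET_VERSION_PLACEHOLDER>"`, and add a `//` comment above `sslCertificates` noting that the identity listed under `userAssignedIdentities` must be granted secret read access on that vault, since nothing in this file records that dependency. The enclosing `sslCertificates` entry starts outside the hunk.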
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -325,16 +325,16 @@
 "sku": {
 "value": "WAF_v2"
 },
- "sslCertificates": {
- "value": [
- {
- "name": "<>-az-apgw-x-001-ssl-certificate",
- "properties": {
- "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/certificates/applicationGatewaySslCertificate/f46a93d6808a4a6eb9aa30d726b82dd4"
- }
- }
- ]
- },
+ // "sslCertificates": {
+ // "value": [
+ // {
+ // "name": "<>-az-apgw-x-001-ssl-certificate",
+ // "properties": {
+ // "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1"
+ // }
+ // }
+ // ]
+ // },
 "diagnosticLogsRetentionInDays": {
 "value": 7
 },
From ebb02e0b7b7fb499a919cc09202948b8594b6128 Mon Sep 17 00:00:00 2001
From: Rainer Halanek
Date: Tue, 22 Feb 2022 12:32:43 +0100
Subject: [PATCH 33/33] fix
---
 .../.parameters/parameters.json | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
index 3ec6149648..e0a8603a84 100644
--- a/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
+++ b/arm/Microsoft.Network/applicationGateways/.parameters/parameters.json
@@ -325,16 +325,16 @@
 "sku": {
 "value": "WAF_v2"
 },
- // "sslCertificates": {
- // "value": [
- // {
- // "name": "<>-az-apgw-x-001-ssl-certificate",
- // "properties": {
- // "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate/5b09a47d080943bb93d00f4dc45244a1"
- // }
- // }
- // ]
- // },
+ "sslCertificates": {
+ "value": [
+ {
+ "name": "<>-az-apgw-x-001-ssl-certificate",
+ "properties": {
+ "keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799"
+ }
+ }
+ ]
+ },
 "diagnosticLogsRetentionInDays": {
 "value": 7
 },
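Review bot: The restored `keyVaultSecretId` pins the listener certificate to a single secret version (`.../secrets/applicationGatewaySslCertificate02/40b9b1a7a69e48cfa1e36f24b97b8799`), so a renewed or rotated certificate in the vault will not be served by the gateway until this file is edited again; as far as I know Application Gateway only polls Key Vault for newer versions when the versionless identifier is supplied. Unless the validation run deliberately needs a fixed version, `"keyVaultSecretId": "https://adp-<>-az-kv-x-001.vault.azure.net/secrets/applicationGatewaySslCertificate02"` would track renewals automatically, and a `//` comment on that line should say which of the two behaviours is intended. The enclosing `parameters` object starts and ends outside the hunk.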