Expose APP_SERVICE_SKU build variable to allow enablement of App Gate…

…way WAF (#4111)
microsoft · Nov 5, 2024 · d259370 · d259370
1 parent 501ee92
commit d259370
Show file tree

Hide file tree

Showing 13 changed files with 75 additions and 4 deletions.
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
@@ -129,6 +129,10 @@ inputs:
     description: "Firewall SKU"
     required: false
     default: ""
+  APP_GATEWAY_SKU:
+    description: "Application Gateway SKU"
+    required: false
+    default: ""
 
 runs:
   using: composite
@@ -239,6 +243,7 @@ runs:
           -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
             && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
           -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
+          -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
           -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
           '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c "${{ inputs.COMMAND }}"
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
@@ -358,6 +358,7 @@ jobs:
           RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
           RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
           FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}
+          APP_GATEWAY_SKU: ${{ vars.APP_GATEWAY_SKU }}
 
       - name: API Healthcheck
         uses: ./.github/actions/devcontainer_run_command

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,7 +6,7 @@
 FEATURES:
 
 ENHANCEMENTS:
-
+* Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 BUG FIXES:
 
 COMPONENTS:

diff --git a/config.sample.yaml b/config.sample.yaml
@@ -43,6 +43,7 @@ tre:
   # Uncomment the following to disable deployment of the Web UI.
   # deploy_ui: false
   firewall_sku: Standard
+  app_gateway_sku: Standard_v2
 
   # Uncomment to deploy to a custom domain
   # custom_domain: __CHANGE_ME__

diff --git a/config_schema.json b/config_schema.json
@@ -89,6 +89,10 @@
           "description": "SKU of the Azure Firewall.",
           "type": "string"
         },
+        "app_gateway_sku": {
+          "description": "SKU of the Application Gateway.",
+          "type": "string"
+        },
         "custom_domain": {
           "description": "Custom domain name.",
           "type": "string"

diff --git a/core/terraform/appgateway/appgateway.tf b/core/terraform/appgateway/appgateway.tf
@@ -26,11 +26,13 @@ resource "azurerm_application_gateway" "agw" {
   tags                = local.tre_core_tags
 
   sku {
-    name     = "Standard_v2"
-    tier     = "Standard_v2"
+    name     = coalesce(var.app_gateway_sku, "Standard_v2")
+    tier     = coalesce(var.app_gateway_sku, "Standard_v2")
     capacity = 1
   }
 
+  firewall_policy_id = var.app_gateway_sku == "WAF_v2" ? azurerm_web_application_firewall_policy.waf[0].id : null
+
   # User-assign managed identify id required to access certificate in KeyVault
   identity {
     type         = "UserAssigned"
@@ -120,6 +122,12 @@ resource "azurerm_application_gateway" "agw" {
     path                = "/api/ping"
     timeout             = "30"
     unhealthy_threshold = "3"
+
+    match {
+      status_code = [
+        "200-399"
+      ]
+    }
   }
 
   # Public HTTPS listener
@@ -198,6 +206,40 @@ resource "azurerm_application_gateway" "agw" {
 
 }
 
+resource "azurerm_web_application_firewall_policy" "waf" {
+
+  // only create WAF policy when App Gateway sku.tier == "WAF_v2"
+  count = var.app_gateway_sku == "WAF_v2" ? 1 : 0
+
+  name                = "wafpolicy-${var.tre_id}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  policy_settings {
+    enabled = true
+    mode    = "Detection"
+  }
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = 3.2
+    }
+  }
+
+  // once created ignore policy_settings and rulesets allow to be managed outside of here
+  lifecycle { ignore_changes = [policy_settings, managed_rules] }
+
+  // terraform doesn't handle the downgrade from WAF_v2 > Standard_v2 SKU, this is required to detatch the policy from the app gateway before deletion of the policy
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+          APP_GATEWAY_ID=$(az network application-gateway waf-policy show --name ${self.name} --resource-group ${self.resource_group_name} --query applicationGateways[0].id --output tsv)
+          az network application-gateway update --ids $APP_GATEWAY_ID --set firewallPolicy=null --set sku.name=Standard_v2 --set sku.tier=Standard_v2
+        EOT
+  }
+}
+
 resource "azurerm_monitor_diagnostic_setting" "agw" {
   name                       = "diagnostics-agw-${var.tre_id}"
   target_resource_id         = azurerm_application_gateway.agw.id

diff --git a/core/terraform/appgateway/variables.tf b/core/terraform/appgateway/variables.tf
@@ -26,3 +26,6 @@ variable "static_web_dns_zone_id" {
 variable "log_analytics_workspace_id" {
   type = string
 }
+variable "app_gateway_sku" {
+  type = string
+}
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -99,6 +99,7 @@ module "appgateway" {
   keyvault_id                = azurerm_key_vault.kv.id
   static_web_dns_zone_id     = module.network.static_web_dns_zone_id
   log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
+  app_gateway_sku            = var.app_gateway_sku
 
   depends_on = [
     module.network,

diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
@@ -186,6 +186,17 @@ variable "firewall_sku" {
   default     = ""
 }
 
+variable "app_gateway_sku" {
+  description = "Application Gateway SKU"
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = contains(["", "Standard_v2", "WAF_v2"], var.app_gateway_sku)
+    error_message = "Invalid app_gateway_sku value"
+  }
+}
+
 variable "rp_bundle_values" {
   description = "Additional environment values to set on the resource processor that can be supplied to template bundles"
   type        = map(string)

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.10.9"
+__version__ = "0.10.10"
diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md
@@ -40,6 +40,7 @@
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). |
 
 ## For authentication in `/config.yaml`

diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
@@ -84,6 +84,7 @@ Configure the following **variables** in your github environment:
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). |
 
 ### Configure Authentication Secrets

diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md
@@ -146,6 +146,7 @@ Configure variables used in the deployment workflow:
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 
 
 ### Deploy the TRE using the workflow