All things terraform
This repository has been configured with pre-commit hooks. To install pre-commit, see its installation guide.
For this repository you will also need these dependencies:
To set up a basic Front Door configuration, go to the required environment within the environments folder and edit that environment's tfvars file.
Within the frontends variable, add the basic object to the array:
```hcl
{
  name              = "{Sub-Domain Name}"
  custom_domain     = "{URL}"
  backend_domain    = ["{Backend URL or Firewall}"]
  disabled_rules    = {}
  global_exclusions = []
}
```
If requests are being blocked by the Web Application Firewall (WAF), you may want to add an exclusion to allow the traffic through. First check whether the block really needs to be excluded, and whether there is an alternative route that keeps as much protection in place as possible; an exclusion removes WAF inspection for everything it matches.
To add an exclusion, set the parameter global_exclusions, which is an array of exclusions.
Each exclusion is formatted as:
```hcl
{
  match_variable = "BLOCK TYPE"
  operator       = "OPERATOR"
  selector       = "VALUE"
}
```
BLOCK TYPE
| Variable | Description |
|---|---|
| RequestCookieNames | Cookie Name |
| QueryStringArgNames | Query String Argument |
| RequestBodyPostArgNames | Property within the Request Body |
| RequestHeaderNames | Header Parameter Name |
OPERATOR
| Operator | Description |
|---|---|
| Equals | Matches value |
| StartsWith | Starts with string |
| EndsWith | Ends with string |
| Contains | Contains String |
VALUE
The string being blocked, i.e. the name of the cookie, argument, body property or header that the selected variable is compared against using the chosen operator.
By default the module uses Azure Front Door managed certificates: Front Door validates domain ownership against the DNS zone within the tenant, then issues a certificate for the custom domain.
If you would like to use a certificate from the ACME Key Vaults managed by Platform Operations instead, add the following properties:
```hcl
{
  certificate_name = "{Certificate Name}"
  ssl_mode         = "AzureKeyVault"
}
```
You can get more detail from shutter-implementation-and-design.
The shuttering service currently requires an ACME certificate, so you will need to add the certificate_name field:
```hcl
{
  certificate_name = "{Certificate Name}"
}
```
By default the Front Door module uses the TLS12 minimum TLS policy. To change this, add the minimum_tls_version property to the frontend's entry in the frontends variable, set to the desired minimum TLS policy:
```hcl
frontends = [
  {
    # ...OTHER FRONTEND CONFIG...
    minimum_tls_version = "...TLS POLICY.."
  }
]
```
For example, you could set this to "TLS13" (if supported) to require more recent protocol versions. Note: the tls_policy object property is not yet supported in the terraform module.
Azure will use its default cipher suite policy, which in the portal appears to be "TLS12_2022". To change this, add the cipher_suite_policy property to the frontend's entry in the frontends variable, set to the desired suite policy:
```hcl
frontends = [
  {
    # ...OTHER FRONTEND CONFIG...
    cipher_suite_policy = "...CIPHER SUITE POLICY.."
  }
]
```
For example, you could set this to "TLS12_2023" (a stronger cipher suite policy). Note: the tls_policy object property is not yet supported in the terraform module.
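The fragments above each show one optional property in isolation. The following is an added example (not the project's own tfvars) of a complete frontends value that combines them: one minimal frontend on a managed certificate, and one that uses a Key Vault ACME certificate, a single narrow WAF exclusion and explicit TLS settings. The object shape is the one documented on this page; the domain names, certificate name and cookie name are constructed placeholders.

```hcl
# Added example (not the project's own tfvars): two constructed frontends
# combining the optional properties described above. Domain names,
# certificate name and the cookie name are placeholders.
frontends = [
  # Minimal entry: Front Door managed certificate, default TLS settings,
  # no WAF exclusions.
  {
    name              = "api"
    custom_domain     = "api.example.org"
    backend_domain    = ["api-backend.example.org"]
    disabled_rules    = {}
    global_exclusions = []
  },

  # Entry using an ACME certificate from Key Vault, a single narrow WAF
  # exclusion, and explicit TLS settings.
  {
    name           = "portal"
    custom_domain  = "portal.example.org"
    backend_domain = ["portal-waf.example.org"]
    disabled_rules = {}

    # Exclude only the one cookie that trips the WAF. Prefer Equals on the
    # exact name over Contains/StartsWith, which would also exempt any
    # future cookie that happens to share the substring.
    global_exclusions = [
      {
        match_variable = "RequestCookieNames"
        operator       = "Equals"
        selector       = "session_state"
      }
    ]

    # Certificate from the Platform Operations ACME Key Vault (also the
    # certificate_name field the shuttering service requires).
    certificate_name = "portal-example-org"
    ssl_mode         = "AzureKeyVault"

    # Explicit minimum protocol version and cipher suite policy.
    minimum_tls_version = "TLS12"
    cipher_suite_policy = "TLS12_2023"
  }
]
```

After editing the tfvars file, run a plan for that environment and check that only the frontend you changed appears in the diff; an exclusion that unexpectedly touches other frontends usually means it was added at the wrong level of the array.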
Please note that updates to custom_data will cause the VMs to restart, for example updates to cloudconfig-private.tpl and cloudconfig.tpl.