Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF (#4111)

2024-11-05 08:06:29 +00:00 · 2024-11-05 08:06:29 +00:00 · d259370eba
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@ -129,6 +129,10 @@ inputs:
    description: "Firewall SKU"
    required: false
    default: ""
+  APP_GATEWAY_SKU:
+    description: "Application Gateway SKU"
+    required: false
+    default: ""

 runs:
  using: composite
@ -239,6 +243,7 @@ runs:
          -e TF_VAR_resource_processor_number_processes_per_instance="${{ (inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE != ''
            && inputs.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE) || 5 }}" \
          -e TF_VAR_firewall_sku=${{ inputs.FIREWALL_SKU }} \
+          -e TF_VAR_app_gateway_sku=${{ inputs.APP_GATEWAY_SKU }} \
          -e E2E_TESTS_NUMBER_PROCESSES="${{ inputs.E2E_TESTS_NUMBER_PROCESSES }}" \
          '${{ inputs.CI_CACHE_ACR_NAME }}${{ env.ACR_DOMAIN_SUFFIX }}/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
        bash -c "${{ inputs.COMMAND }}"
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@ -358,6 +358,7 @@ jobs:
          RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
          RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
          FIREWALL_SKU: ${{ vars.FIREWALL_SKU}}
+          APP_GATEWAY_SKU: ${{ vars.APP_GATEWAY_SKU }}

      - name: API Healthcheck
        uses: ./.github/actions/devcontainer_run_command
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,7 +6,7 @@
 FEATURES:

 ENHANCEMENTS:
-
+* Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 BUG FIXES:

 COMPONENTS:
--- a/config.sample.yaml
+++ b/config.sample.yaml
@ -43,6 +43,7 @@ tre:
  # Uncomment the following to disable deployment of the Web UI.
  # deploy_ui: false
  firewall_sku: Standard
+  app_gateway_sku: Standard_v2

  # Uncomment to deploy to a custom domain
  # custom_domain: __CHANGE_ME__
--- a/config_schema.json
+++ b/config_schema.json
@ -89,6 +89,10 @@
          "description": "SKU of the Azure Firewall.",
          "type": "string"
        },
+        "app_gateway_sku": {
+          "description": "SKU of the Application Gateway.",
+          "type": "string"
+        },
        "custom_domain": {
          "description": "Custom domain name.",
          "type": "string"
--- a/core/terraform/appgateway/appgateway.tf
+++ b/core/terraform/appgateway/appgateway.tf
@ -26,11 +26,13 @@ resource "azurerm_application_gateway" "agw" {
  tags                = local.tre_core_tags

  sku {
-    name     = "Standard_v2"
-    tier     = "Standard_v2"
+    name     = coalesce(var.app_gateway_sku, "Standard_v2")
+    tier     = coalesce(var.app_gateway_sku, "Standard_v2")
    capacity = 1
  }

+  firewall_policy_id = var.app_gateway_sku == "WAF_v2" ? azurerm_web_application_firewall_policy.waf[0].id : null
+
  # User-assign managed identify id required to access certificate in KeyVault
  identity {
    type         = "UserAssigned"
@ -120,6 +122,12 @@ resource "azurerm_application_gateway" "agw" {
    path                = "/api/ping"
    timeout             = "30"
    unhealthy_threshold = "3"
+
+    match {
+      status_code = [
+        "200-399"
+      ]
+    }
  }

  # Public HTTPS listener
@ -198,6 +206,40 @@ resource "azurerm_application_gateway" "agw" {

 }

+resource "azurerm_web_application_firewall_policy" "waf" {
+
+  // only create WAF policy when App Gateway sku.tier == "WAF_v2"
+  count = var.app_gateway_sku == "WAF_v2" ? 1 : 0
+
+  name                = "wafpolicy-${var.tre_id}"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+
+  policy_settings {
+    enabled = true
+    mode    = "Detection"
+  }
+
+  managed_rules {
+    managed_rule_set {
+      type    = "OWASP"
+      version = 3.2
+    }
+  }
+
+  // once created ignore policy_settings and rulesets allow to be managed outside of here
+  lifecycle { ignore_changes = [policy_settings, managed_rules] }
+
+  // terraform doesn't handle the downgrade from WAF_v2 > Standard_v2 SKU, this is required to detatch the policy from the app gateway before deletion of the policy
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+          APP_GATEWAY_ID=$(az network application-gateway waf-policy show --name ${self.name} --resource-group ${self.resource_group_name} --query applicationGateways[0].id --output tsv)
+          az network application-gateway update --ids $APP_GATEWAY_ID --set firewallPolicy=null --set sku.name=Standard_v2 --set sku.tier=Standard_v2
+        EOT
+  }
+}
+
 resource "azurerm_monitor_diagnostic_setting" "agw" {
  name                       = "diagnostics-agw-${var.tre_id}"
  target_resource_id         = azurerm_application_gateway.agw.id
--- a/core/terraform/appgateway/variables.tf
+++ b/core/terraform/appgateway/variables.tf
@ -26,3 +26,6 @@ variable "static_web_dns_zone_id" {
 variable "log_analytics_workspace_id" {
  type = string
 }
+variable "app_gateway_sku" {
+  type = string
+}
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@ -99,6 +99,7 @@ module "appgateway" {
  keyvault_id                = azurerm_key_vault.kv.id
  static_web_dns_zone_id     = module.network.static_web_dns_zone_id
  log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
+  app_gateway_sku            = var.app_gateway_sku

  depends_on = [
    module.network,
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@ -186,6 +186,17 @@ variable "firewall_sku" {
  default     = ""
 }

+variable "app_gateway_sku" {
+  description = "Application Gateway SKU"
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = contains(["", "Standard_v2", "WAF_v2"], var.app_gateway_sku)
+    error_message = "Invalid app_gateway_sku value"
+  }
+}
+
 variable "rp_bundle_values" {
  description = "Additional environment values to set on the resource processor that can be supplied to template bundles"
  type        = map(string)
--- a/core/version.txt
+++ b/core/version.txt
@ -1 +1 @@
-__version__ = "0.10.9"
+__version__ = "0.10.10"
--- a/docs/tre-admins/environment-variables.md
+++ b/docs/tre-admins/environment-variables.md
@ -40,6 +40,7 @@
 | `WORKSPACE_APP_SERVICE_PLAN_SKU` | Optional. The SKU used for AppService plan used in E2E tests unless otherwise specified. Default value is `P1v2`. |
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](custom-domain.md). |

 ## For authentication in `/config.yaml`
--- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
+++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md
@ -84,6 +84,7 @@ Configure the following **variables** in your github environment:
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |
 | `CUSTOM_DOMAIN` | Optional. Custom domain name to access the Azure TRE portal. See [Custom domain name](../custom-domain.md). |

 ### Configure Authentication Secrets
--- a/docs/tre-admins/setup-instructions/workflows.md
+++ b/docs/tre-admins/setup-instructions/workflows.md
@ -146,6 +146,7 @@ Configure variables used in the deployment workflow:
 | `RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE` | Optional. The number of processes to instantiate when the Resource Processor starts. Equates to the number of parallel deployment operations possible in your TRE. Defaults to `5`. |
 | `ENABLE_SWAGGER` | Optional. Determines whether the Swagger interface for the API will be available. Default value is `false`. |
 | `FIREWALL_SKU` | Optional. The SKU of the Azure Firewall instance. Default value is `Standard`. Allowed values [`Basic`, `Standard`, `Premium`]. See [Azure Firewall SKU feature comparison](https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku). |
+| `APP_GATEWAY_SKU` | Optional. The SKU of the Application Gateway. Default value is `Standard_v2`. Allowed values [`Standard_v2`, `WAF_v2`] |


 ### Deploy the TRE using the workflow