» azurerm_application_gateway

Manages an Application Gateway.

» Example Usage

resource "azurerm_resource_group" "test" {
  name     = "example-resources"
  location = "West US"
}

resource "azurerm_virtual_network" "test" {
  name                = "example-network"
  resource_group_name = "${azurerm_resource_group.test.name}"
  location            = "${azurerm_resource_group.test.location}"
  address_space       = ["10.254.0.0/16"]
}

resource "azurerm_subnet" "frontend" {
  name                 = "frontend"
  resource_group_name  = "${azurerm_resource_group.test.name}"
  virtual_network_name = "${azurerm_virtual_network.test.name}"
  address_prefix       = "10.254.0.0/24"
}

resource "azurerm_subnet" "backend" {
  name                 = "backend"
  resource_group_name  = "${azurerm_resource_group.test.name}"
  virtual_network_name = "${azurerm_virtual_network.test.name}"
  address_prefix       = "10.254.2.0/24"
}

resource "azurerm_public_ip" "test" {
  name                = "example-pip"
  resource_group_name = "${azurerm_resource_group.test.name}"
  location            = "${azurerm_resource_group.test.location}"
  allocation_method   = "Dynamic"
}

# since these variables are re-used - a locals block makes this more maintainable
locals {
  backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
  frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
  http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
  listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
  request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
  redirect_configuration_name    = "${azurerm_virtual_network.test.name}-rdrcfg"
}

resource "azurerm_application_gateway" "network" {
  name                = "example-appgateway"
  resource_group_name = "${azurerm_resource_group.test.name}"
  location            = "${azurerm_resource_group.test.location}"

  sku {
    name     = "Standard_Small"
    tier     = "Standard"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = "${azurerm_subnet.frontend.id}"
  }

  frontend_port {
    name = "${local.frontend_port_name}"
    port = 80
  }

  frontend_ip_configuration {
    name                 = "${local.frontend_ip_configuration_name}"
    public_ip_address_id = "${azurerm_public_ip.test.id}"
  }

  backend_address_pool {
    name = "${local.backend_address_pool_name}"
  }

  backend_http_settings {
    name                  = "${local.http_setting_name}"
    cookie_based_affinity = "Disabled"
    path                  = "/path1/"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 1
  }

  http_listener {
    name                           = "${local.listener_name}"
    frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
    frontend_port_name             = "${local.frontend_port_name}"
    protocol                       = "Http"
  }

  request_routing_rule {
    name                       = "${local.request_routing_rule_name}"
    rule_type                  = "Basic"
    http_listener_name         = "${local.listener_name}"
    backend_address_pool_name  = "${local.backend_address_pool_name}"
    backend_http_settings_name = "${local.http_setting_name}"
  }
}

» Argument Reference

The following arguments are supported:

  • name - (Required) The name of the Application Gateway. Changing this forces a new resource to be created.

  • resource_group_name - (Required) The name of the resource group in which the Application Gateway should exist. Changing this forces a new resource to be created.

  • location - (Required) The Azure region where the Application Gateway should exist. Changing this forces a new resource to be created.

  • backend_address_pool - (Required) One or more backend_address_pool blocks as defined below.

  • backend_http_settings - (Required) One or more backend_http_settings blocks as defined below.

  • frontend_ip_configuration - (Required) One or more frontend_ip_configuration blocks as defined below.

  • frontend_port - (Required) One or more frontend_port blocks as defined below.

  • gateway_ip_configuration - (Required) One or more gateway_ip_configuration blocks as defined below.

  • http_listener - (Required) One or more http_listener blocks as defined below.

  • request_routing_rule - (Required) One or more request_routing_rule blocks as defined below.

  • sku - (Required) A sku block as defined below.

  • zones - (Optional) A collection of availability zones to spread the Application Gateway over.


  • authentication_certificate - (Optional) One or more authentication_certificate blocks as defined below.

  • disabled_ssl_protocols - (Optional / Deprecated) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2. ~> NOTE: disabled_ssl_protocols has been deprecated in favour of disabled_protocols in the ssl_policy block.

  • ssl_policy - (Optional) An ssl_policy block as defined below.

  • enable_http2 - (Optional) Is HTTP2 enabled on the application gateway resource? Defaults to false.

  • probe - (Optional) One or more probe blocks as defined below.

  • ssl_certificate - (Optional) One or more ssl_certificate blocks as defined below.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • url_path_map - (Optional) One or more url_path_map blocks as defined below.

  • waf_configuration - (Optional) A waf_configuration block as defined below.

  • custom_error_configuration - (Optional) One or more custom_error_configuration blocks as defined below.

  • redirect_configuration - (Optional) A redirect_configuration block as defined below.

  • autoscale_configuration - (Optional) An autoscale_configuration block as defined below.

  • rewrite_rule_set - (Optional) One or more rewrite_rule_set blocks as defined below. Only valid for v2 SKUs.


An authentication_certificate block supports the following:

  • name - (Required) The Name of the Authentication Certificate to use.

  • data - (Required) The contents of the Authentication Certificate which should be used.


An authentication_certificate block, within the backend_http_settings block, supports the following:

  • name - (Required) The name of the Authentication Certificate.

A backend_address_pool block supports the following:

  • name - (Required) The name of the Backend Address Pool.

  • fqdns - (Optional) A list of FQDNs which should be part of the Backend Address Pool.

  • fqdn_list - (Optional / Deprecated) A list of FQDNs which should be part of the Backend Address Pool. This field has been deprecated in favour of fqdns and will be removed in v2.0 of the AzureRM Provider.

  • ip_addresses - (Optional) A list of IP Addresses which should be part of the Backend Address Pool.

  • ip_address_list - (Optional / Deprecated) A list of IP Addresses which should be part of the Backend Address Pool. This field has been deprecated in favour of ip_addresses and will be removed in v2.0 of the AzureRM Provider.


A backend_http_settings block supports the following:

  • cookie_based_affinity - (Required) Is Cookie-Based Affinity enabled? Possible values are Enabled and Disabled.

  • affinity_cookie_name - (Optional) The name of the affinity cookie.

  • name - (Required) The name of the Backend HTTP Settings Collection.

  • path - (Optional) The Path which should be used as a prefix for all HTTP requests.

  • port - (Required) The port which should be used for this Backend HTTP Settings Collection.

  • probe_name - (Required) The name of an associated HTTP Probe.

  • protocol - (Required) The Protocol which should be used. Possible values are Http and Https.

  • request_timeout - (Required) The request timeout in seconds, which must be between 1 and 86400 seconds.

  • host_name - (Optional) Host header to be sent to the backend servers. Cannot be set if pick_host_name_from_backend_address is set to true.

  • pick_host_name_from_backend_address - (Optional) Whether host header should be picked from the host name of the backend server. Defaults to false.

  • authentication_certificate - (Optional) One or more authentication_certificate blocks.

  • connection_draining - (Optional) A connection_draining block as defined below.


A connection_draining block supports the following:

  • enabled - (Required) If connection draining is enabled or not.

  • drain_timeout_sec - (Required) The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.


A frontend_ip_configuration block supports the following:

  • name - (Required) The name of the Frontend IP Configuration.

  • subnet_id - (Required) The ID of the Subnet which the Application Gateway should be connected to.

  • private_ip_address - (Optional) The Private IP Address to use for the Application Gateway.

  • public_ip_address_id - (Optional) The ID of a Public IP Address which the Application Gateway should use.


A frontend_port block supports the following:

  • name - (Required) The name of the Frontend Port.

  • port - (Required) The port used for this Frontend Port.


A gateway_ip_configuration block supports the following:

  • name - (Required) The Name of this Gateway IP Configuration.

  • subnet_id - (Required) The ID of a Subnet.


A http_listener block supports the following:

  • name - (Required) The Name of the HTTP Listener.

  • frontend_ip_configuration_name - (Required) The Name of the Frontend IP Configuration used for this HTTP Listener.

  • frontend_port_name - (Required) The Name of the Frontend Port use for this HTTP Listener.

  • host_name - (Optional) The Hostname which should be used for this HTTP Listener.

  • protocol - (Required) The Protocol to use for this HTTP Listener. Possible values are Http and Https.

  • require_sni - (Optional) Should Server Name Indication be Required? Defaults to false.

  • ssl_certificate_name - (Optional) The name of the associated SSL Certificate which should be used for this HTTP Listener.

  • custom_error_configuration - (Optional) One or more custom_error_configuration blocks as defined below.


A match block supports the following:

  • body - (Optional) A snippet from the Response Body which must be present in the Response. Defaults to *.

  • status_code - (Optional) A list of allowed status codes for this Health Probe.


A path_rule block supports the following:

  • name - (Required) The Name of the Path Rule.

  • paths - (Required) A list of Paths used in this Path Rule.

  • backend_address_pool_name - (Optional) The Name of the Backend Address Pool to use for this Path Rule. Cannot be set if redirect_configuration_name is set.

  • backend_http_settings_name - (Optional) The Name of the Backend HTTP Settings Collection to use for this Path Rule. Cannot be set if redirect_configuration_name is set.

  • redirect_configuration_name - (Optional) The Name of a Redirect Configuration to use for this Path Rule. Cannot be set if backend_address_pool_name or backend_http_settings_name is set.

  • rewrite_rule_set_name - (Optional) The Name of the Rewrite Rule Set which should be used for this URL Path Map. Only valid for v2 SKUs.


A probe block supports the following:

  • host - (Optional) The Hostname used for this Probe. If the Application Gateway is configured for a single site, by default the Host name should be specified as ‘127.0.0.1’, unless otherwise configured in custom probe. Cannot be set if pick_host_name_from_backend_http_settings is set to true.

  • interval - (Required) The Interval between two consecutive probes in seconds. Possible values range from 1 second to a maximum of 86,400 seconds.

  • name - (Required) The Name of the Probe.

  • protocol - (Required) The Protocol used for this Probe. Possible values are Http and Https.

  • path - (Required) The Path used for this Probe.

  • timeout - (Required) The Timeout used for this Probe, which indicates when a probe becomes unhealthy. Possible values range from 1 second to a maximum of 86,400 seconds.

  • unhealthy_threshold - (Required) The Unhealthy Threshold for this Probe, which indicates the amount of retries which should be attempted before a node is deemed unhealthy. Possible values are from 1 - 20 seconds.

  • pick_host_name_from_backend_http_settings - (Optional) Whether the host header should be picked from the backend http settings. Defaults to false.

  • match - (Optional) A match block as defined above.

  • minimum_servers - (Optional) The minimum number of servers that are always marked as healthy. Defaults to 0.


A request_routing_rule block supports the following:

  • name - (Required) The Name of this Request Routing Rule.

  • rule_type - (Required) The Type of Routing that should be used for this Rule. Possible values are Basic and PathBasedRouting.

  • http_listener_name - (Required) The Name of the HTTP Listener which should be used for this Routing Rule.

  • backend_address_pool_name - (Optional) The Name of the Backend Address Pool which should be used for this Routing Rule. Cannot be set if redirect_configuration_name is set.

  • backend_http_settings_name - (Optional) The Name of the Backend HTTP Settings Collection which should be used for this Routing Rule. Cannot be set if redirect_configuration_name is set.

  • redirect_configuration_name - (Optional) The Name of the Redirect Configuration which should be used for this Routing Rule. Cannot be set if either backend_address_pool_name or backend_http_settings_name is set.

  • rewrite_rule_set_name - (Optional) The Name of the Rewrite Rule Set which should be used for this Routing Rule. Only valid for v2 SKUs.

  • url_path_map_name - (Optional) The Name of the URL Path Map which should be associated with this Routing Rule.


A sku block supports the following:

  • name - (Required) The Name of the SKU to use for this Application Gateway. Possible values are Standard_Small, Standard_Medium, Standard_Large, Standard_v2, WAF_Medium, WAF_Large, and WAF_v2.

  • tier - (Required) The Tier of the SKU to use for this Application Gateway. Possible values are Standard, Standard_v2, WAF and WAF_v2.

  • capacity - (Required) The Capacity of the SKU to use for this Application Gateway, which must be between 1 and 10. This is optional if autoscale_configuration is set.


An ssl_certificate block supports the following:

  • name - (Required) The Name of the SSL certificate that is unique within this Application Gateway.

  • data - (Required) PFX certificate.

  • password - (Required) Password for the pfx file specified in data.


A url_path_map block supports the following:

  • name - (Required) The Name of the URL Path Map.

  • default_backend_address_pool_name - (Optional) The Name of the Default Backend Address Pool which should be used for this URL Path Map. Cannot be set if default_redirect_configuration_name is set.

  • default_backend_http_settings_name - (Optional) The Name of the Default Backend HTTP Settings Collection which should be used for this URL Path Map. Cannot be set if default_redirect_configuration_name is set.

  • default_redirect_configuration_name - (Optional) The Name of the Default Redirect Configuration which should be used for this URL Path Map. Cannot be set if either default_backend_address_pool_name or default_backend_http_settings_name is set.

  • default_rewrite_rule_set_name - (Optional) The Name of the Default Rewrite Rule Set which should be used for this URL Path Map. Only valid for v2 SKUs.

  • path_rule - (Required) One or more path_rule blocks as defined above.


An ssl_policy block supports the following:

  • disabled_protocols - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2.

  • policy_type - (Optional) The Type of the Policy. Possible values are Predefined and Custom.

When using a policy_type of Predefined the following fields are supported:

When using a policy_type of Custom the following fields are supported:

  • cipher_suites - (Required) A List of accepted cipher suites. Possible values are: TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384.

  • min_protocol_version - (Required) The minimal TLS version. Possible values are TLSv1_0, TLSv1_1 and TLSv1_2.


A waf_configuration block supports the following:

  • enabled - (Required) Is the Web Application Firewall enabled?

  • firewall_mode - (Required) The Web Application Firewall Mode. Possible values are Detection and Prevention.

  • rule_set_type - (Required) The Type of the Rule Set used for this Web Application Firewall.

  • rule_set_version - (Required) The Version of the Rule Set used for this Web Application Firewall.

  • disabled_rule_group - (Optional) One or more disabled_rule_group blocks as defined below.

  • file_upload_limit_mb - (Optional) The File Upload Limit in MB. Accepted values are in the range 1MB to 500MB. Defaults to 100MB.

  • request_body_check - (Optional) Is Request Body Inspection enabled? Defaults to true.

  • max_request_body_size_kb - (Optional) The Maximum Request Body Size in KB. Accepted values are in the range 1KB to 128KB. Defaults to 128KB.

  • exclusion - (Optional) One or more exclusion blocks as defined below.


A disabled_rule_group block supports the following:

  • rule_group_name - (Required) The rule group where specific rules should be disabled. Accepted values are: crs_20_protocol_violations, crs_21_protocol_anomalies, crs_23_request_limits, crs_30_http_policy, crs_35_bad_robots, crs_40_generic_attacks, crs_41_sql_injection_attacks, crs_41_xss_attacks, crs_42_tight_security, crs_45_trojans, General, REQUEST-911-METHOD-ENFORCEMENT, REQUEST-913-SCANNER-DETECTION, REQUEST-920-PROTOCOL-ENFORCEMENT, REQUEST-921-PROTOCOL-ATTACK, REQUEST-930-APPLICATION-ATTACK-LFI, REQUEST-931-APPLICATION-ATTACK-RFI, REQUEST-932-APPLICATION-ATTACK-RCE, REQUEST-933-APPLICATION-ATTACK-PHP, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI and REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.

  • rules - (Optional) A list of rules which should be disabled in that group. Disables all rules in the specified group if rules is not specified.


An exclusion block supports the following:

  • match_variable - (Required) Match variable of the exclusion rule, used to exclude header, cookie or GET arguments. Possible values are RequestHeaderNames, RequestArgNames and RequestCookieNames.

  • selector_match_operator - (Optional) Operator which will be used to search in the variable content. Possible values are Equals, StartsWith, EndsWith and Contains. If empty, all traffic on this match_variable will be excluded.

  • selector - (Optional) String value which will be used for the filter operation. If empty, all traffic on this match_variable will be excluded.
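
The following is an added example of a waf_configuration for the resource in the Example Usage above; it is not from the provider's own documentation. It runs the firewall in Prevention mode, disables two individual rules instead of a whole rule group, and scopes an exclusion to one named cookie. The rule_set_type value OWASP, the version 3.0 and the rule ids 942130 and 942200 are assumed from the OWASP Core Rule Set and are not listed on this page.

```hcl
  # waf_configuration is only accepted on a WAF SKU, so the sku block from
  # the Example Usage is replaced with a WAF one.
  sku {
    name     = "WAF_Medium"
    tier     = "WAF"
    capacity = 2
  }

  waf_configuration {
    enabled = true

    # Detection only logs matches; Prevention blocks them. Run in Detection
    # while tuning exclusions, then switch to Prevention.
    firewall_mode = "Prevention"

    # rule_set_type OWASP and version 3.0 are assumed values; this page
    # does not enumerate them.
    rule_set_type    = "OWASP"
    rule_set_version = "3.0"

    # Keep body inspection on: the WAF cannot match what it does not read.
    # The size caps bound the inspection cost per request.
    request_body_check       = true
    max_request_body_size_kb = 128
    file_upload_limit_mb     = 100

    # Disable the individual rules that false-positive on this application
    # rather than the whole SQLi group. 942130 and 942200 are assumed CRS
    # 3.0 rule ids, used here only as an illustration.
    disabled_rule_group {
      rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
      rules           = [942130, 942200]
    }

    # Exclude exactly one named cookie from inspection. Leaving selector
    # empty would exclude every cookie from every rule.
    exclusion {
      match_variable          = "RequestCookieNames"
      selector_match_operator = "Equals"
      selector                = "session_id"
    }
  }
```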


A custom_error_configuration block supports the following:

  • status_code - (Required) Status code of the application gateway custom error. Possible values are HttpStatus403 and HttpStatus502.

  • custom_error_page_url - (Required) Error page URL of the application gateway custom error.


A redirect_configuration block supports the following:

  • name - (Required) Unique name of the redirect configuration block.

  • redirect_type - (Required) The type of redirect. Possible values are Permanent, Temporary, Found and SeeOther.

  • target_listener_name - (Optional) The name of the listener to redirect to. Cannot be set if target_url is set.

  • target_url - (Optional) The Url to redirect the request to. Cannot be set if target_listener_name is set.

  • include_path - (Optional) Whether or not to include the path in the redirected Url. Defaults to false.

  • include_query_string - (Optional) Whether or not to include the query string in the redirected Url. Defaults to false.
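
An added example (not from the provider's documentation) that combines the ssl_certificate, http_listener, ssl_policy and redirect_configuration blocks described above into a TLS-only front end for the Example Usage gateway: TLS 1.2 with forward-secret cipher suites on port 443, and a permanent redirect from the existing port-80 listener. var.pfx_base64, var.pfx_password and the host name www.example.com are placeholders.

```hcl
  # Second frontend port for TLS. The port-80 frontend_port from the
  # Example Usage stays in place to serve the redirect.
  frontend_port {
    name = "https-port"
    port = 443
  }

  # var.pfx_base64 and var.pfx_password are hypothetical input variables
  # holding the base64-encoded PFX and its password, so neither secret
  # is written into this file.
  ssl_certificate {
    name     = "site-cert"
    data     = "${var.pfx_base64}"
    password = "${var.pfx_password}"
  }

  # TLS terminates on this listener. require_sni makes it match only
  # clients that send this host name via SNI.
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "${local.frontend_ip_configuration_name}"
    frontend_port_name             = "https-port"
    protocol                       = "Https"
    host_name                      = "www.example.com"
    require_sni                    = true
    ssl_certificate_name           = "site-cert"
  }

  # Gateway-wide Custom policy: TLS 1.2 only, and only forward-secret AEAD
  # suites from the list this page documents. The ECDHE_ECDSA entries apply
  # to an ECDSA certificate, the DHE_RSA entries to an RSA one.
  ssl_policy {
    policy_type          = "Custom"
    min_protocol_version = "TLSv1_2"

    cipher_suites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
  }

  # Permanent redirect from the port-80 listener to the HTTPS one, keeping
  # path and query string so existing links still resolve.
  redirect_configuration {
    name                 = "${local.redirect_configuration_name}"
    redirect_type        = "Permanent"
    target_listener_name = "https-listener"
    include_path         = true
    include_query_string = true
  }

  # A routing rule takes either redirect_configuration_name or the backend
  # pool/settings pair, never both, so the Example Usage's single rule is
  # replaced by these two: port 80 redirects, port 443 serves the backend.
  request_routing_rule {
    name                        = "${local.request_routing_rule_name}"
    rule_type                   = "Basic"
    http_listener_name          = "${local.listener_name}"
    redirect_configuration_name = "${local.redirect_configuration_name}"
  }

  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "${local.backend_address_pool_name}"
    backend_http_settings_name = "${local.http_setting_name}"
  }
```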


An autoscale_configuration block supports the following:

  • min_capacity - (Required) Minimum capacity for autoscaling.

  • max_capacity - (Optional) Maximum capacity for autoscaling.


A rewrite_rule_set block supports the following:

  • name - (Required) Unique name of the rewrite rule set block.

  • rewrite_rule - (Required) One or more rewrite_rule blocks as defined below.


A rewrite_rule block supports the following:

  • name - (Required) Unique name of the rewrite rule block.

  • rule_sequence - (Required) Rule sequence of the rewrite rule that determines the order of execution in a set.

  • condition - (Optional) One or more condition blocks as defined below.

  • request_header_configuration - (Optional) One or more request_header_configuration blocks as defined below.

  • response_header_configuration - (Optional) One or more response_header_configuration blocks as defined below.


A condition block supports the following:

  • variable - (Required) The variable of the condition.

  • pattern - (Required) The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.

  • ignore_case - (Optional) Perform a case-insensitive comparison. Defaults to false.

  • negate - (Optional) Negate the result of the condition evaluation. Defaults to false.


A request_header_configuration block supports the following:

  • header_name - (Required) Header name of the header configuration.

  • header_value - (Required) Header value of the header configuration.


A response_header_configuration block supports the following:

  • header_name - (Required) Header name of the header configuration.

  • header_value - (Required) Header value of the header configuration.
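
An added example (not from the provider's documentation) of a rewrite_rule_set that adds security response headers and strips the backend's Server header, attached to the Example Usage's routing rule; in a deployment with a TLS listener the set belongs on that listener's rule. It assumes a v2 SKU, and that an empty header_value deletes the header.

```hcl
  rewrite_rule_set {
    name = "security-headers"

    # Rules in a set run in ascending rule_sequence order.
    rewrite_rule {
      name          = "add-security-headers"
      rule_sequence = 100

      # Browsers honour HSTS only on responses received over HTTPS, so the
      # set belongs on the rule that serves the TLS listener.
      response_header_configuration {
        header_name  = "Strict-Transport-Security"
        header_value = "max-age=31536000; includeSubDomains"
      }

      response_header_configuration {
        header_name  = "X-Content-Type-Options"
        header_value = "nosniff"
      }

      response_header_configuration {
        header_name  = "X-Frame-Options"
        header_value = "DENY"
      }
    }

    # Strip the backend's Server banner. That an empty header_value deletes
    # the header is assumed; this page does not state it.
    rewrite_rule {
      name          = "strip-server-header"
      rule_sequence = 200

      response_header_configuration {
        header_name  = "Server"
        header_value = ""
      }
    }
  }

  # rewrite_rule_set_name is accepted only on v2 SKUs, so the sku block
  # from the Example Usage must be Standard_v2 or WAF_v2 for this rule.
  request_routing_rule {
    name                       = "${local.request_routing_rule_name}"
    rule_type                  = "Basic"
    http_listener_name         = "${local.listener_name}"
    backend_address_pool_name  = "${local.backend_address_pool_name}"
    backend_http_settings_name = "${local.http_setting_name}"
    rewrite_rule_set_name      = "security-headers"
  }
```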

» Attributes Reference

The following attributes are exported:


An authentication_certificate block exports the following:

  • id - The ID of the Authentication Certificate.

An authentication_certificate block, within the backend_http_settings block, exports the following:

  • id - The ID of the Authentication Certificate.

A backend_address_pool block exports the following:

  • id - The ID of the Backend Address Pool.

A backend_http_settings block exports the following:

  • id - The ID of the Backend HTTP Settings Configuration.

  • probe_id - The ID of the associated Probe.


A frontend_ip_configuration block exports the following:

  • id - The ID of the Frontend IP Configuration.

A frontend_port block exports the following:

  • id - The ID of the Frontend Port.

A gateway_ip_configuration block exports the following:

  • id - The ID of the Gateway IP Configuration.

A http_listener block exports the following:


A path_rule block exports the following:


A probe block exports the following:

  • id - The ID of the Probe.

A request_routing_rule block exports the following:


An ssl_certificate block exports the following:

  • id - The ID of the SSL Certificate.

  • public_cert_data - The Public Certificate Data associated with the SSL Certificate.


A url_path_map block exports the following:


A custom_error_configuration block exports the following:

  • id - The ID of the Custom Error Configuration.

A redirect_configuration block exports the following:

  • id - The ID of the Redirect Configuration.

A rewrite_rule_set block exports the following:

  • id - The ID of the Rewrite Rule Set.

» Import

Application Gateways can be imported using the resource id, e.g.

terraform import azurerm_application_gateway.test /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/applicationGateways/myGateway1