Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Modules] Bicep module to create Front Door WAF Policy (#3718) #3881

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
name: 'Network - FrontDoorWebApplicationFirewallPolicies'

parameters:
- name: staticValidation
displayName: Execute static validation
type: boolean
default: true
- name: deploymentValidation
displayName: Execute deployment validation
type: boolean
default: true
- name: removeDeployment
displayName: Remove deployed module
type: boolean
default: true
- name: prerelease
displayName: Publish prerelease module
type: boolean
default: false

pr: none

trigger:
batch: true
branches:
include:
- main
paths:
include:
- '/.azuredevops/modulePipelines/ms.network.frontdoorwebapplicationfirewallpolicies'
- '/.azuredevops/pipelineTemplates/*.yml'
- '/modules/network/front-door-web-application-firewall-policy/*'
- '/utilities/pipelines/*'
exclude:
- '/utilities/pipelines/deploymentRemoval/*'
- '/**/*.md'

variables:
- template: '../../settings.yml'
- group: 'PLATFORM_VARIABLES'
- name: modulePath
value: '/modules/network/front-door-web-application-firewall-policy'

stages:
- template: /.azuredevops/pipelineTemplates/stages.module.yml
parameters:
staticValidation: '${{ parameters.staticValidation }}'
deploymentValidation: '${{ parameters.deploymentValidation }}'
removeDeployment: '${{ parameters.removeDeployment }}'
prerelease: '${{ parameters.prerelease }}'
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
name: 'Network - FrontDoorWebApplicationFirewallPolicies'

on:
workflow_dispatch:
inputs:
staticValidation:
type: boolean
description: 'Execute static validation'
required: false
default: true
deploymentValidation:
type: boolean
description: 'Execute deployment validation'
required: false
default: true
removeDeployment:
type: boolean
description: 'Remove deployed module'
required: false
default: true
prerelease:
type: boolean
description: 'Publish prerelease module'
required: false
default: false
push:
branches:
- main
paths:
- '.github/actions/templates/**'
- '.github/workflows/template.module.yml'
- '.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml'
- 'modules/network/front-door-web-application-firewall-policy/**'
- 'utilities/pipelines/**'
- '!utilities/pipelines/deploymentRemoval/**'
- '!*/**/README.md'

env:
modulePath: 'modules/network/front-door-web-application-firewall-policy'
workflowPath: '.github/workflows/ms.network.frontdoorwebapplicationfirewallpolicies.yml'

concurrency:
group: ${{ github.workflow }}

jobs:
###########################
# Initialize pipeline #
###########################
job_initialize_pipeline:
runs-on: ubuntu-20.04
name: 'Initialize pipeline'
steps:
- name: 'Checkout'
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: 'Set input parameters to output variables'
id: get-workflow-param
uses: ./.github/actions/templates/getWorkflowInput
with:
workflowPath: '${{ env.workflowPath}}'
- name: 'Get parameter file paths'
id: get-module-test-file-paths
uses: ./.github/actions/templates/getModuleTestFiles
with:
modulePath: '${{ env.modulePath }}'
outputs:
workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
modulePath: '${{ env.modulePath }}'

##############################
# Call reusable workflow #
##############################
call-workflow-passing-data:
name: 'Module'
needs:
- job_initialize_pipeline
uses: ./.github/workflows/template.module.yml
with:
workflowInput: '${{ needs.job_initialize_pipeline.outputs.workflowInput }}'
moduleTestFilePaths: '${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}'
modulePath: '${{ needs.job_initialize_pipeline.outputs.modulePath}}'
secrets: inherit
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
@sys.description('Required. The IDs of the principals to assign the role to.')
param principalIds array

@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
param roleDefinitionIdOrName string

@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
param resourceId string

@sys.description('Optional. The principal type of the assigned principal ID.')
@allowed([
'ServicePrincipal'
'Group'
'User'
'ForeignGroup'
'Device'
''
])
param principalType string = ''

@sys.description('Optional. The description of the role assignment.')
param description string = ''

@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
param condition string = ''

@sys.description('Optional. Version of the condition.')
@allowed([
'2.0'
])
param conditionVersion string = '2.0'

@sys.description('Optional. Id of the delegated managed identity resource.')
param delegatedManagedIdentityResourceId string = ''

var builtInRoleNames = {
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}

resource frontDoorWAFPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2022-05-01' existing = {
name: last(split(resourceId, '/'))!
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
name: guid(frontDoorWAFPolicy.id, principalId, roleDefinitionIdOrName)
properties: {
description: description
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
principalId: principalId
principalType: !empty(principalType) ? any(principalType) : null
condition: !empty(condition) ? condition : null
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
}
scope: frontDoorWAFPolicy
}]
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
@description('Optional. The location to deploy to.')
param location string = resourceGroup().location

@description('Required. The name of the Managed Identity to create.')
param managedIdentityName string

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: managedIdentityName
location: location
}

@description('The principal ID of the created Managed Identity.')
output managedIdentityPrincipalId string = managedIdentity.properties.principalId
Original file line number Diff line number Diff line change
@@ -0,0 +1,130 @@
targetScope = 'subscription'

// ========== //
// Parameters //
// ========== //

@description('Optional. The name of the resource group to deploy for testing purposes.')
@maxLength(90)
param resourceGroupName string = 'ms.network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg'

@description('Optional. The location to deploy resources to.')
param location string = deployment().location

@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
param serviceShort string = 'nagwafpcom'

@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
param enableDefaultTelemetry bool = true

@description('Optional. A token to inject into the name of each resource.')
param namePrefix string = '[[namePrefix]]'

// ============ //
// Dependencies //
// ============ //

// General resources
// =================
resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
name: resourceGroupName
location: location
}

module nestedDependencies 'dependencies.bicep' = {
scope: resourceGroup
name: '${uniqueString(deployment().name, location)}-nestedDependencies'
params: {
managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
}
}

// ============== //
// Test Execution //
// ============== //

module testDeployment '../../main.bicep' = {
scope: resourceGroup
name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
lock: 'CanNotDelete'
sku: 'Premium_AzureFrontDoor'
policySettings: {
mode: 'Prevention'
redirectUrl: 'http://www.bing.com'
customBlockResponseStatusCode: 200
customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg=='
}
customRules: {
rules: [
{
name: 'CustomRule1'
priority: 2
enabledState: 'Enabled'
action: 'Block'
ruleType: 'MatchRule'
rateLimitDurationInMinutes: 1
rateLimitThreshold: 10
matchConditions: [
{
matchVariable: 'RemoteAddr'
selector: null
operator: 'GeoMatch'
negateCondition: false
transforms: []
matchValue: [
'CH'
]
}
{
matchVariable: 'RequestHeader'
selector: 'UserAgent'
operator: 'Contains'
negateCondition: false
transforms: []
matchValue: [
'windows'
]
}
{
matchVariable: 'QueryString'
operator: 'Contains'
negateCondition: false
transforms: [
'UrlDecode'
'Lowercase'
]
matchValue: [
'<?php'
'?>'
]
}
]
}
]
}
managedRules: {
managedRuleSets: [
{
ruleSetType: 'Microsoft_BotManagerRuleSet'
ruleSetVersion: '1.0'
}
]
}
tags: {
Environment: 'Non-Prod'
Role: 'DeploymentValidation'
}
roleAssignments: [
{
roleDefinitionIdOrName: 'Reader'
principalIds: [
nestedDependencies.outputs.managedIdentityPrincipalId
]
principalType: 'ServicePrincipal'
}
]
}
ahmadabdalla marked this conversation as resolved.
Show resolved Hide resolved
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
targetScope = 'subscription'

// ========== //
// Test Cases //
// ========== //

var namePrefix = 'crml'

// TEST 1 - COMMON
module common 'common/main.test.bicep' = {
name: '${uniqueString(deployment().name)}-common-test'
params: {
namePrefix: namePrefix
}
}

// TEST 2 - MIN
module min 'min/main.test.bicep' = {
name: '${uniqueString(deployment().name)}-min-test'
params: {
namePrefix: namePrefix
}
}
Loading
Loading