Skip to content

Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF #4111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 5, 2024
Merged

Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF #4111

merged 6 commits into from
Nov 5, 2024

Conversation

jonnyry
Copy link
Collaborator

@jonnyry jonnyry commented Oct 23, 2024
edited
Loading

What is being addressed

Exposes a new APP_GATEWAY_SKU variable in config.yaml / CICD to allow the App Gateway SKU to be configured allowing the App Gateway WAF to be enabled. (The Azure TRE currently deploys the Application Gateway with a Standard_v2 SKU which does not enable the WAF.)

image

When the APP_GATEWAY_SKU variable:

  • is not present, or is present and it's value is null/blank, or is equal to Standard_v2 then a Standard_v2 SKU App Gateway is provisioned (the same as before the change)
  • is equal to WAF_v2 then a WAF_v2 SKU App Gateway is provisioned along with a WAF Policy with default settings - 'Prevention' mode and the 'OWASP 3.2' ruleset

Notes about the change:

  • I've added a lifecycle { ignore_changes = [ policy_settings, managed_rules] } statement so that the policy and rules are not managed in terraform after being set up to allow config of the rulesets to happen independently of this build
  • There was an issue causing terraform to continually show changes in the azurerm_application_gateway around the probe.match field. I've added this field explicitly as it was being readded on every run despite not being defined.
  • The azurerm_web_application_firewall_policy resource requires a destruction provisioner as terraform does not properly unhook the WAF policy from the App Gateway before trying to destroy the WAF Policy. This is needed if changing config from WAF_v2 > Standard_v2.

@github-actions github-actions bot added the external PR from an external contributor label Oct 23, 2024
@jonnyry jonnyry changed the title Add App Gateway SKU deployment variable to allow WAF to be enabled Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF Oct 23, 2024
@jonnyry jonnyry marked this pull request as ready for review October 23, 2024 14:43
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 24, 2024
edited
Loading

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 03c88dc.

♻️ This comment has been updated with latest results.

marrobi
marrobi approved these changes Oct 24, 2024
View reviewed changes
Copy link
Member

@marrobi marrobi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, haven't had chance to test, but providing it works as designed I'm good with it. 👍

@jonnyry
Copy link
Collaborator Author

jonnyry commented Oct 24, 2024

Great work, haven't had chance to test, but providing it works as designed I'm good with it. 👍

Thanks.

I've run the following deployments manually to test the various permutations:

  1. Local deployments (using make all/deploy-core)
    a. APP_GATEWAY_SKU variable not present
    b. APP_GATEWAY_SKU variable = Standard_v2
    c. APP_GATEWAY_SKU variable = WAF_v2
    d. APP_GATEWAY_SKU variable = Standard_v2 (to test destruction of WAF policy)

  2. GitHub Actions deployments
    a. APP_GATEWAY_SKU variable not present
    b. APP_GATEWAY_SKU variable = Standard_v2
    c. APP_GATEWAY_SKU variable = WAF_v2
    d. APP_GATEWAY_SKU variable = Standard_v2 (to test destruction of WAF policy)

tim-p-allen
tim-p-allen approved these changes Nov 4, 2024
View reviewed changes
Copy link

@tim-p-allen tim-p-allen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jonnyry
Copy link
Collaborator Author

jonnyry commented Nov 4, 2024

Fixed lint issue (updated core version)

@tim-p-allen
Copy link

/test-extended

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

🤖 pr-bot 🤖

⚠️ When using /test-extended on external PRs, the SHA of the checked commit must be specified

(in response to this comment from @tim-allen-ck)

@tim-p-allen
Copy link

/test-extended 03c88dc

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 4, 2024

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/11674125744 (with refid b140d5af)

(in response to this comment from @tim-allen-ck)

@tim-p-allen tim-p-allen merged commit d259370 into microsoft:main Nov 5, 2024
12 checks passed
@jonnyry jonnyry deleted the jr/upstream-main/68-enable-waf branch November 5, 2024 14:08
@JaimieWi JaimieWi mentioned this pull request Mar 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marrobi marrobi marrobi approved these changes

@tim-p-allen tim-p-allen tim-p-allen approved these changes

Assignees
No one assigned
Labels
external PR from an external contributor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jonnyry @tim-p-allen @marrobi