1 parent
9ad6111
commit 54d0c79
Showing
13 changed files
with
117 additions
and
465 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,101 @@ | ||
metadata description = 'Creates an Azure Frontdoor CDN profile in front of a storage domain.' | ||
|
||
param name string | ||
param origin string | ||
param tags object = {} | ||
param allowHttp bool = false | ||
param httpsRedirect bool = true | ||
param defaultRouteName string = 'default-route' | ||
param defaultOriginGroupName string = 'default-origin-group' | ||
param defaultOriginName string = 'default-origin' | ||
|
||
@allowed(['Enabled', 'Disabled']) | ||
param sessionAffinityState string = 'Disabled' | ||
|
||
var supportedProtocols = allowHttp ? [ | ||
'Http' | ||
'Https' | ||
] : [ | ||
'Https' | ||
] | ||
|
||
@allowed(['Standard_AzureFrontDoor', 'Premium_AzureFrontDoor']) | ||
param sku string = 'Standard_AzureFrontDoor' | ||
|
||
param originResponseTimeoutSeconds int = 60 | ||
|
||
resource cdnProfile 'Microsoft.Cdn/profiles@2023-07-01-preview' = { | ||
Check failure Code scanning / templateanalyzer Managed identity. Error
When configuring a Standard or Premium SKU with a custom domain using bring your own certificate (BYOC) access to a Key Vault is required. Standard and Premium Front Door profiles support two methods for authorizing access to Azure resources:
Using the Microsoft managed multi-tenant app registration.
Standard SKU profiles use the client ID 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8.
Premium SKU profiles use the client ID d4631ece-daab-479b-be77-ccb713491fc0.
With a system or user assigned managed identity.
The multi-tenant app registration has a number of challenges: only a single client ID is used for each SKU for all Azure Front Door profiles. If multiple Front Door profiles are deployed into a single subscription, it is not possible to restrict access so that each profile has access to its own Key Vault. An Entra ID (Azure AD) Global Administrator must register the multi-tenant application for each tenant once before it can be used. Using a managed identity allows access to Key Vault to be granted using RBAC on an individual basis. |
||
name: name | ||
location: 'Global' | ||
tags: tags | ||
sku: { | ||
name: sku | ||
} | ||
properties: { | ||
originResponseTimeoutSeconds: originResponseTimeoutSeconds | ||
} | ||
} | ||
|
||
resource originGroups 'Microsoft.Cdn/profiles/origingroups@2022-11-01-preview' = { | ||
name: defaultOriginGroupName | ||
parent: cdnProfile | ||
properties: { | ||
loadBalancingSettings: { | ||
sampleSize: 4 | ||
successfulSamplesRequired: 3 | ||
additionalLatencyInMilliseconds: 50 | ||
} | ||
healthProbeSettings: { | ||
probePath: '/' | ||
probeRequestType: 'HEAD' | ||
probeProtocol: allowHttp ? 'Http' : 'Https' | ||
probeIntervalInSeconds: 100 | ||
} | ||
sessionAffinityState: sessionAffinityState | ||
} | ||
|
||
resource origins 'origins@2022-11-01-preview' = { | ||
name: defaultOriginName | ||
properties: { | ||
hostName: origin | ||
httpPort: 80 | ||
httpsPort: 443 | ||
originHostHeader: origin | ||
priority: 1 | ||
weight: 1000 | ||
enabledState: 'Enabled' | ||
enforceCertificateNameCheck: true | ||
} | ||
} | ||
} | ||
|
||
resource afdEndpoints 'Microsoft.Cdn/profiles/afdEndpoints@2023-05-01' = { | ||
parent: cdnProfile | ||
name: name | ||
location: 'Global' | ||
properties: { | ||
enabledState: 'Enabled' | ||
} | ||
|
||
resource routes 'routes@2022-11-01-preview' = { | ||
name: defaultRouteName | ||
properties: { | ||
customDomains: [] | ||
originGroup: { | ||
id: originGroups.id | ||
} | ||
ruleSets: [] | ||
supportedProtocols: supportedProtocols | ||
patternsToMatch: [ | ||
'/*' | ||
] | ||
forwardingProtocol: 'MatchRequest' | ||
linkToDefaultDomain: 'Enabled' | ||
httpsRedirect: httpsRedirect ? 'Enabled' : 'Disabled' | ||
enabledState: 'Enabled' | ||
} | ||
} | ||
} | ||
|
||
output cdnProfileId string = cdnProfile.id | ||
output endpointHostname string = afdEndpoints.properties.hostName |
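Review bot: The health probe in `originGroups` switches to plaintext whenever `allowHttp` is true (`probeProtocol: allowHttp ? 'Http' : 'Https'`), although the origin declares `httpsPort: 443` and `enforceCertificateNameCheck: true`, so allowing HTTP for clients also downgrades the profile's own origin probing; since the origin already supports TLS, `probeProtocol: 'Https'` (or a dedicated parameter) would keep client-facing and origin-facing protocol choices independent. The same coupling affects the route, where `forwardingProtocol: 'MatchRequest'` forwards plaintext client requests as plaintext to the origin when `httpsRedirect` is also disabled; this is presumably intentional for some deployments, but worth a comment on the `allowHttp` parameter stating that it affects both the edge and the origin leg. The parameters carry no `@description` decorators; at minimum `allowHttp`, `httpsRedirect` and `originResponseTimeoutSeconds` should document their effect and defaults, and the latter could take `@minValue(16)`-style bounds if the intended range is known. As a point of style, the three resources use three different API versions (`2023-07-01-preview`, `2022-11-01-preview`, `2023-05-01`), two of them preview; pinning the child resources to one stable version would make the template easier to maintain.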