From f37d7bdbba2d83f8115d6925c88e587900be9b25 Mon Sep 17 00:00:00 2001
From: James Woolfenden
Date: Tue, 2 May 2023 18:03:52 +0100
Subject: [PATCH] test data

---
 .../ApplicationGatewayEnablesWAF.yaml | 2 +-
 .../ApplicationGatewayEnablesWAF/fail.bicep | 293 +++------
 .../ApplicationGatewayEnablesWAF/pass.bicep | 622 ++++++++++--------
 3 files changed, 435 insertions(+), 482 deletions(-)

diff --git a/checkov/bicep/checks/graph_checks/ApplicationGatewayEnablesWAF.yaml b/checkov/bicep/checks/graph_checks/ApplicationGatewayEnablesWAF.yaml
index 5dd704d7b21..c29a3acc72f 100644
--- a/checkov/bicep/checks/graph_checks/ApplicationGatewayEnablesWAF.yaml
+++ b/checkov/bicep/checks/graph_checks/ApplicationGatewayEnablesWAF.yaml
@@ -25,7 +25,7 @@ definition:
 - Microsoft.Network/FrontDoorWebApplicationFirewallPolicies
 operator: exists
 - cond_type: attribute
- attribute: policySettings.enabledState
+ attribute: policySettings.State
 operator: equals
 value: 'Enabled'
 resource_types:
diff --git a/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/fail.bicep b/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/fail.bicep
index e1ddc5b14e0..6c4f60f0c73 100644
--- a/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/fail.bicep
+++ b/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/fail.bicep
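Review bot: The added line in the YAML hunk renames the attribute to `policySettings.State` with a capital S, but the property as written in both fixtures of this commit is lowercase (`state: 'Enabled'` in pass.bicep's `firewallPolicySettings` default, and in the policy resource the old pass.bicep removes), and the Azure schema for `Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies` spells it `policySettings.state`. If the graph attribute lookup is case-sensitive the `equals` condition can never be true, and whether pass.bicep still passes then depends on how an unresolved attribute is treated rather than on the WAF state; a fixture with `state: 'Disabled'` that is expected to fail would catch this. The dropped `policySettings.enabledState` is the spelling used by `Microsoft.Network/FrontDoorWebApplicationFirewallPolicies`, which the context line two above still references, so if that type is also listed under `resource_types` (outside the hunk) the condition needs an `or` over the two attributes rather than a rename. I would change the added line to `attribute: policySettings.state` and keep an `enabledState` branch for the Front Door type.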
@@ -1,294 +1,177 @@ -@description('Admin username for the backend servers') -param adminUsername string +@description('Virtual Network name') +param virtualNetworkName string -@description('Password for the admin account on the backend servers') -@secure() -param adminPassword string +@description('Virtual Network address range') +param vnetAddressPrefix string = '10.0.0.0/16' -@description('Location for all resources.') -param location string = resourceGroup().location +@description('Subnet Name') +param subnetName string = 'subnet1' -@description('Size of the virtual machine.') -param vmSize string = 'Standard_B2ms' +@description('Subnet prefix') +param subnetPrefix string = '10.0.0.0/24' -var virtualMachines_myVM_name = 'myVM' -var virtualNetworks_myVNet_name_var = 'myVNet' -var myNic_name = 'net-int' -var ipconfig_name = 'ipconfig' -var publicIPAddress_name = 'public_ip' -var nsg_name = 'vm-nsg' -var applicationGateways_myAppGateway_name = 'myAppGateway' -var vnet_prefix = '10.0.0.0/16' -var ag_subnet_prefix = '10.0.0.0/24' -var backend_subnet_prefix = '10.0.1.0/24' -var AppGW_AppFW_Pol_name = 'WafPol01' +@description('Application Gateway name') +param applicationGatewayName string = 'fail' -resource nsg_name_0_2_1 'Microsoft.Network/networkSecurityGroups@2021-08-01' = [for i in range(0, length(range(0, 2))): { - name: '${nsg_name}${(range(0, 2)[i] + 1)}' - location: location - properties: { - securityRules: [ - { - name: 'RDP' - properties: { - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '3389' - sourceAddressPrefix: '*' - destinationAddressPrefix: '*' - access: 'Allow' - priority: 300 - direction: 'Inbound' - } - } - ] - } -}] +@description('Application Gateway size') +@allowed([ + 'Standard_Small' + 'Standard_Medium' + 'Standard_Large' +]) +param applicationGatewaySize string = 'Standard_Small' -resource publicIPAddress_name_0_3 'Microsoft.Network/publicIPAddresses@2021-08-01' = [for i in range(0, length(range(0, 3))): { - name: 
'${publicIPAddress_name}${range(0, 3)[i]}' - location: location - sku: { - name: 'Standard' +@description('Application Gateway instance count') +@allowed([ + 1 + 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 + 10 +]) +param applicationGatewayInstanceCount int = 2 + +@description('Application Gateway front end port') +param frontendPort int = 80 + +@description('Application Gateway back end port') +param backendPort int = 80 + +@description('Backend pool ip addresses') +param backendIPAddresses array = [ + { + IpAddress: '10.0.0.4' } - properties: { - publicIPAddressVersion: 'IPv4' - publicIPAllocationMethod: 'Static' - idleTimeoutInMinutes: 4 + { + IpAddress: '10.0.0.5' } -}] +] -resource virtualNetworks_myVNet_name 'Microsoft.Network/virtualNetworks@2021-08-01' = { - name: virtualNetworks_myVNet_name_var +@description('Cookie based affinity') +@allowed([ + 'Enabled' + 'Disabled' +]) +param cookieBasedAffinity string = 'Disabled' + +@description('Location for all resources.') +param location string = resourceGroup().location + +var subnetRef = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, subnetName) + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2020-05-01' = { + name: virtualNetworkName location: location properties: { addressSpace: { addressPrefixes: [ - vnet_prefix + vnetAddressPrefix ] } subnets: [ { - name: 'myAGSubnet' - properties: { - addressPrefix: ag_subnet_prefix - privateEndpointNetworkPolicies: 'Enabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } - } - { - name: 'myBackendSubnet' + name: subnetName properties: { - addressPrefix: backend_subnet_prefix - privateEndpointNetworkPolicies: 'Enabled' - privateLinkServiceNetworkPolicies: 'Enabled' + addressPrefix: subnetPrefix } } ] - enableDdosProtection: false - enableVmProtection: false } } -resource virtualMachines_myVM_name_0_2_1 'Microsoft.Compute/virtualMachines@2021-11-01' = [for i in range(0, length(range(0, 2))): { - name: '${virtualMachines_myVM_name}${(range(0, 
2)[i] + 1)}' - location: location - properties: { - hardwareProfile: { - vmSize: vmSize - } - storageProfile: { - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-Datacenter' - version: 'latest' - } - osDisk: { - osType: 'Windows' - createOption: 'FromImage' - caching: 'ReadWrite' - managedDisk: { - storageAccountType: 'StandardSSD_LRS' - } - diskSizeGB: 127 - } - } - osProfile: { - computerName: '${virtualMachines_myVM_name}${(range(0, 2)[i] + 1)}' - adminUsername: adminUsername - adminPassword: adminPassword - windowsConfiguration: { - provisionVMAgent: true - enableAutomaticUpdates: true - } - allowExtensionOperations: true - } - networkProfile: { - networkInterfaces: [ - { - id: resourceId('Microsoft.Network/networkInterfaces', '${myNic_name}${(range(0, 2)[i] + 1)}') - } - ] - } - } - dependsOn: [ - myNic_name_0_2_1 - ] -}] - -resource virtualMachines_myVM_name_0_2_1_IIS 'Microsoft.Compute/virtualMachines/extensions@2021-11-01' = [for i in range(0, length(range(0, 2))): { - name: '${virtualMachines_myVM_name}${(range(0, 2)[i] + 1)}/IIS' - location: location - properties: { - autoUpgradeMinorVersion: true - publisher: 'Microsoft.Compute' - type: 'CustomScriptExtension' - typeHandlerVersion: '1.4' - settings: { - commandToExecute: 'powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path "C:\\inetpub\\wwwroot\\Default.htm" -Value $($env:computername)' - } - } - dependsOn: [ - virtualMachines_myVM_name_0_2_1 - ] -}] - -resource fail 'Microsoft.Network/applicationGateways@2021-08-01' = { - name: 'fail' +resource applicationGateway 'Microsoft.Network/applicationGateways@2020-05-01' = { + name: applicationGatewayName location: location properties: { sku: { - name: 'WAF_v2' - tier: 'WAF_v2' - capacity: 2 + name: applicationGatewaySize + tier: 'Standard' + capacity: applicationGatewayInstanceCount } gatewayIPConfigurations: [ { name: 'appGatewayIpConfig' properties: { subnet: { - id: 
resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name_var, 'myAGSubnet') + id: subnetRef } } } ] frontendIPConfigurations: [ { - name: 'appGwPublicFrontendIp' + name: 'appGatewayFrontendIP' properties: { - privateIPAllocationMethod: 'Dynamic' - publicIPAddress: { - id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}0') + subnet: { + id: subnetRef } } } ] frontendPorts: [ { - name: 'port_80' + name: 'appGatewayFrontendPort' properties: { - port: 80 + port: frontendPort } } ] backendAddressPools: [ { - name: 'myBackendPool' - properties: {} + name: 'appGatewayBackendPool' + properties: { + backendAddresses: backendIPAddresses + } } ] backendHttpSettingsCollection: [ { - name: 'myHTTPSetting' + name: 'appGatewayBackendHttpSettings' properties: { - port: 80 + port: backendPort protocol: 'Http' - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: false - requestTimeout: 20 + cookieBasedAffinity: cookieBasedAffinity } } ] httpListeners: [ { - name: 'myListener' + name: 'appGatewayHttpListener' properties: { - firewallPolicy: { - id: resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', AppGW_AppFW_Pol_name) - } frontendIPConfiguration: { - id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGateways_myAppGateway_name, 'appGwPublicFrontendIp') + id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGatewayName, 'appGatewayFrontendIP') } frontendPort: { - id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGateways_myAppGateway_name, 'port_80') + id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGatewayName, 'appGatewayFrontendPort') } protocol: 'Http' - requireServerNameIndication: false } } ] requestRoutingRules: [ { - name: 'myRoutingRule' + name: 'rule1' properties: { ruleType: 'Basic' - priority: 10 httpListener: { - id: 
resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGateways_myAppGateway_name, 'myListener') + id: resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGatewayName, 'appGatewayHttpListener') } backendAddressPool: { - id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool') + id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGatewayName, 'appGatewayBackendPool') } backendHttpSettings: { - id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGateways_myAppGateway_name, 'myHTTPSetting') + id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGatewayName, 'appGatewayBackendHttpSettings') } } } ] - enableHttp2: false } dependsOn: [ - virtualNetworks_myVNet_name - publicIPAddress_name_0_3 + virtualNetwork ] } - -resource myNic_name_0_2_1 'Microsoft.Network/networkInterfaces@2021-08-01' = [for i in range(0, length(range(0, 2))): { - name: '${myNic_name}${(range(0, 2)[i] + 1)}' - location: location - properties: { - ipConfigurations: [ - { - name: '${ipconfig_name}${(range(0, 2)[i] + 1)}' - properties: { - privateIPAllocationMethod: 'Dynamic' - publicIPAddress: { - id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}${(range(0, 2)[i] + 1)}') - } - subnet: { - id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name_var, 'myBackendSubnet') - } - primary: true - privateIPAddressVersion: 'IPv4' - applicationGatewayBackendAddressPools: [ - { - id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool') - } - ] - } - } - ] - enableAcceleratedNetworking: false - enableIPForwarding: false - networkSecurityGroup: { - id: resourceId('Microsoft.Network/networkSecurityGroups', '${nsg_name}${(range(0, 2)[i] + 
1)}') - } - } - dependsOn: [ - resourceId('Microsoft.Network/applicationGateways', applicationGateways_myAppGateway_name) - virtualNetworks_myVNet_name - nsg_name_0_2_1 - publicIPAddress_name_0_3 - ] -}] \ No newline at end of file diff --git a/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/pass.bicep b/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/pass.bicep index 6baef901ba5..47fb4ace6df 100644 --- a/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/pass.bicep +++ b/tests/bicep/graph/checks/resources/ApplicationGatewayEnablesWAF/pass.bicep 
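Review bot: The rewritten fail.bicep no longer exercises the attribute condition this commit changes: the new `applicationGateway` is `tier: 'Standard'` with no `firewallPolicy` at all, so the fixture only covers the "no policy attached" branch, while a policy that is attached but carries `state: 'Disabled'` — the case the `policySettings` condition exists for — has no negative fixture anywhere in the test data. A second gateway and policy along the lines below would make a wrong attribute path or casing in the YAML check show up as a false pass instead of going unnoticed. Separately, `backendIPAddresses` spells the key `IpAddress` while the new pass.bicep uses `ipAddress`; ARM property names are case-insensitive, but the fixtures should agree, so `IpAddress: '10.0.0.4'` should become `ipAddress: '10.0.0.4'` (and likewise for `'10.0.0.5'`).
```bicep
// … unchanged: params, virtualNetwork, the Standard-tier applicationGateway …

// Second negative case: a policy is attached but its state is Disabled,
// which is what the check's policySettings condition is meant to catch.
resource disabledWafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-03-01' = {
  name: 'disabledWafPolicy'
  location: location
  properties: {
    policySettings: {
      state: 'Disabled'
      mode: 'Prevention'
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

resource failDisabledPolicy 'Microsoft.Network/applicationGateways@2021-03-01' = {
  name: '${applicationGatewayName}-disabled-policy'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
      capacity: applicationGatewayInstanceCount
    }
    firewallPolicy: {
      id: disabledWafPolicy.id
    }
    // … same gatewayIPConfigurations, listeners, pools and rules as applicationGateway …
  }
}
```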
@@ -1,342 +1,412 @@ -@description('Admin username for the backend servers') -param adminUsername string +@description('Application gateway name') +param applicationGatewayName string = 'pass' -@description('Password for the admin account on the backend servers') -@secure() -param adminPassword string - -@description('Location for all resources.') +@description('Application gateway location') param location string = resourceGroup().location -@description('Size of the virtual machine.') -param vmSize string = 'Standard_B2ms' - -var virtualMachines_myVM_name = 'myVM' -var virtualNetworks_myVNet_name_var = 'myVNet' -var myNic_name = 'net-int' -var ipconfig_name = 'ipconfig' -var publicIPAddress_name = 'public_ip' -var nsg_name = 'vm-nsg' -var applicationGateways_myAppGateway_name = 'pass' -var vnet_prefix = '10.0.0.0/16' -var ag_subnet_prefix = '10.0.0.0/24' -var backend_subnet_prefix = '10.0.1.0/24' -var AppGW_AppFW_Pol_name_var = 'WafPol01' - -resource nsg_name_0_2_1 'Microsoft.Network/networkSecurityGroups@2021-08-01' = [for i in range(0, length(range(0, 2))): { - name: '${nsg_name}${(range(0, 2)[i] + 1)}' - location: location - properties: { - securityRules: [ - { - name: 'RDP' - properties: { - protocol: 'Tcp' - sourcePortRange: '*' - destinationPortRange: '3389' - sourceAddressPrefix: '*' - destinationAddressPrefix: '*' - access: 'Allow' - priority: 300 - direction: 'Inbound' - } - } - ] - } -}] +@description('Application gateway tier') +@allowed([ + 'Standard' + 'WAF' + 'Standard_v2' + 'WAF_v2' +]) +param tier string = 'WAF_v2' + +@description('Application gateway sku') +@allowed([ + 'Standard_Small' + 'Standard_Medium' + 'Standard_Large' + 'WAF_Medium' + 'WAF_Large' + 'Standard_v2' + 'WAF_v2' +]) +param sku string = 'WAF_v2' + +@description('Enable HTTP/2 support') +param http2Enabled bool = true + +@description('Capacity (instance count) of application gateway') +@minValue(1) +@maxValue(32) +param capacity int = 2 + +@description('Autoscale capacity (instance 
count) of application gateway') +@minValue(1) +@maxValue(32) +param autoScaleMaxCapacity int = 10 + +@description('Public ip address name') +param publicIpAddressName string = 'appGwpublicIp' + +@description('Virutal network subscription id') +param vNetSubscriptionId string = subscription().subscriptionId + +@description('Virutal network resource group') +param existingVnetResourceGroup string + +@description('Virutal network name') +param existingVnetName string + +@description('Application gateway subnet name') +param existingSubnetName string + +@description('Array containing ssl certificates') +param sslCertificates array = [] + +@description('Array containing trusted root certificates') +param trustedRootCertificates array = [] + +@description('Array containing http listeners') +param httpListeners array = [ +{ +name: 'HttpListener01' +protocol: 'Http' +frontEndPort: 'port_80' +firewallPolicy: 'Enabled' +} +] + +@description('Array containing backend address pools') +param backendAddressPools array = [ +{ +name: 'BackendPool01' +backendAddresses: [ +{ +ipAddress: '10.1.2.3' +} +] +} +] + +@description('Array containing backend http settings') +param backendHttpSettings array = [ +{ +name: 'BackendHttpSetting01' +port: 80 +protocol: 'Http' +cookieBasedAffinity: 'Enabled' +affinityCookieName: 'CookieAffinity01' +requestTimeout: 300 +connectionDraining: { +drainTimeoutInSec: 60 +enabled: true +} +} +] + +@description('Array containing request routing rules') +param rules array = [ +{ +name: 'Rule01' +ruleType: 'Basic' +listener: 'HttpListener01' +backendPool: 'BackendPool01' +backendHttpSettings: 'BackendHttpSetting01' +} +] + +@description('Array containing redirect configurations') +param redirectConfigurations array = [] + +@description('Array containing front end ports') +param frontEndPorts array = [ +{ +name: 'port_80' +port: 80 +} +] + +@description('Array containing custom probes') +param customProbes array = [] -resource publicIPAddress_name_0_3 
'Microsoft.Network/publicIPAddresses@2021-08-01' = [for i in range(0, length(range(0, 3))): { - name: '${publicIPAddress_name}${range(0, 3)[i]}' +@description('Enable web application firewall') +param enableWebApplicationFirewall bool = true + +@description('Name of the firewall policy. Only required if enableWebApplicationFirewall is set to true') +param firewallPolicyName string = 'FirewallPolicy01' + +@description('Array containing the firewall policy settings. Only required if enableWebApplicationFirewall is set to true') +param firewallPolicySettings object = { +requestBodyCheck: true +maxRequestBodySizeInKb: 128 +fileUploadLimitInMb: 100 +state: 'Enabled' +mode: 'Detection' +} + +@description('Array containing the firewall policy custom rules. Only required if enableWebApplicationFirewall is set to true') +param firewallPolicyCustomRules array = [] + +@description('Array containing the firewall policy managed rule sets. Only required if enableWebApplicationFirewall is set to true') +param firewallPolicyManagedRuleSets array = [ +{ +ruleSetType: 'OWASP' +ruleSetVersion: '3.2' +} +] + +@description('Array containing the firewall policy managed rule exclusions. Only required if enableWebApplicationFirewall is set to true') +param firewallPolicyManagedRuleExclusions array = [] + +@description('Enable delete lock') +param enableDeleteLock bool = false + +@description('Enable diagnostic logs') +param enableDiagnostics bool = false + +@description('Storage account resource id. Only required if enableDiagnostics is set to true') +param diagnosticStorageAccountId string = '' + +@description('Log analytics workspace resource id. 
Only required if enableDiagnostics is set to true') +param logAnalyticsWorkspaceId string = '' + +var publicIpLockName = '${publicIpAddressName}-lck' +var publicIpDiagnosticsName = '${publicIpAddressName}-dgs' +var appGatewayLockName = '${applicationGatewayName}-lck' +var appGatewayDiagnosticsName = '${applicationGatewayName}-dgs' +var gatewayIpConfigurationName = 'appGatewayIpConfig' +var frontendIpConfigurationName = 'appGwPublicFrontendIp' + +resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2021-03-01' = { + name: publicIpAddressName location: location sku: { name: 'Standard' } properties: { - publicIPAddressVersion: 'IPv4' publicIPAllocationMethod: 'Static' - idleTimeoutInMinutes: 4 } -}] +} -resource virtualNetworks_myVNet_name 'Microsoft.Network/virtualNetworks@2021-08-01' = { - name: virtualNetworks_myVNet_name_var - location: location +resource publicIpDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (enableDiagnostics) { + scope: publicIpAddress + name: publicIpDiagnosticsName properties: { - addressSpace: { - addressPrefixes: [ - vnet_prefix - ] - } - subnets: [ + workspaceId: (empty(logAnalyticsWorkspaceId) ? null : logAnalyticsWorkspaceId) + storageAccountId: (empty(diagnosticStorageAccountId) ? 
null : diagnosticStorageAccountId) + logs: [ { - name: 'myAGSubnet' - properties: { - addressPrefix: ag_subnet_prefix - privateEndpointNetworkPolicies: 'Enabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } + category: 'DDoSProtectionNotifications' + enabled: true } { - name: 'myBackendSubnet' - properties: { - addressPrefix: backend_subnet_prefix - privateEndpointNetworkPolicies: 'Enabled' - privateLinkServiceNetworkPolicies: 'Enabled' - } + category: 'DDoSMitigationFlowLogs' + enabled: true + } + { + category: 'DDoSMitigationReports' + enabled: true + } + ] + metrics: [ + { + category: 'AllMetrics' + enabled: true } ] - enableDdosProtection: false - enableVmProtection: false } } -resource virtualMachines_myVM_name_0_2_1 'Microsoft.Compute/virtualMachines@2021-11-01' = [for i in range(0, length(range(0, 2))): { - name: '${virtualMachines_myVM_name}${(range(0, 2)[i] + 1)}' +resource publicIpLock 'Microsoft.Authorization/locks@2017-04-01' = if (enableDeleteLock) { + scope: publicIpAddress + name: publicIpLockName + properties: { + level: 'CanNotDelete' + } +} + +resource applicationGateway 'Microsoft.Network/applicationGateways@2021-03-01' = { + name: applicationGatewayName location: location properties: { - hardwareProfile: { - vmSize: vmSize - } - storageProfile: { - imageReference: { - publisher: 'MicrosoftWindowsServer' - offer: 'WindowsServer' - sku: '2019-Datacenter' - version: 'latest' + frontendPorts: [for item in frontEndPorts: { + name: item.name + properties: { + port: item.port } - osDisk: { - osType: 'Windows' - createOption: 'FromImage' - caching: 'ReadWrite' - managedDisk: { - storageAccountType: 'StandardSSD_LRS' - } - diskSizeGB: 127 + }] + probes: [for item in customProbes: { + name: item.name + properties: { + protocol: item.protocol + host: item.host + path: item.path + interval: item.interval + timeout: item.timeout + unhealthyThreshold: item.unhealthyThreshold + pickHostNameFromBackendHttpSettings: item.pickHostNameFromBackendHttpSettings 
+ minServers: item.minServers + match: item.match } - } - osProfile: { - computerName: '${virtualMachines_myVM_name}${(range(0, 2)[i] + 1)}' - adminUsername: adminUsername - adminPassword: adminPassword - windowsConfiguration: { - provisionVMAgent: true - enableAutomaticUpdates: true + }] + backendAddressPools: [for item in backendAddressPools: { + name: item.name + properties: { + backendAddresses: item.backendAddresses } - allowExtensionOperations: true - } - networkProfile: { - networkInterfaces: [ - { - id: resourceId('Microsoft.Network/networkInterfaces', '${myNic_name}${(range(0, 2)[i] + 1)}') + }] + trustedRootCertificates: [for item in trustedRootCertificates: { + name: item.name + properties: { + keyVaultSecretId: '${reference(item.keyVaultResourceId, '2021-10-01').vaultUri}secrets/${item.secretName}' + } + }] + sslCertificates: [for item in sslCertificates: { + name: item.name + properties: { + keyVaultSecretId: '${reference(item.keyVaultResourceId, '2021-10-01').vaultUri}secrets/${item.secretName}' + } + }] + backendHttpSettingsCollection: [for item in backendHttpSettings: { + name: item.name + properties: { + port: item.port + protocol: item.protocol + cookieBasedAffinity: item.cookieBasedAffinity + affinityCookieName: (contains(item, 'affinityCookieName') ? item.affinityCookieName : null) + requestTimeout: item.requestTimeout + connectionDraining: item.connectionDraining + probe: (contains(item, 'probeName') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/probes', applicationGatewayName, item.probeName)}"}') : null) + trustedRootCertificates: (contains(item, 'trustedRootCertificate') ? json('[{"id": "${resourceId('Microsoft.Network/applicationGateways/trustedRootCertificates', applicationGatewayName, item.trustedRootCertificate)}"}]') : null) + hostName: (contains(item, 'hostName') ? item.hostName : null) + pickHostNameFromBackendAddress: (contains(item, 'pickHostNameFromBackendAddress') ? 
item.pickHostNameFromBackendAddress : false) + } + }] + httpListeners: [for item in httpListeners: { + name: item.name + properties: { + frontendIPConfiguration: { + id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGatewayName, frontendIpConfigurationName) } - ] - } - } - dependsOn: [ - myNic_name_0_2_1 - ] -}] - -resource virtualMachines_myVM_name_0_2_1_IIS 'Microsoft.Compute/virtualMachines/extensions@2021-11-01' = [for i in range(0, length(range(0, 2))): { - name: '${virtualMachines_myVM_name}${(range(0, 2)[i] + 1)}/IIS' - location: location - properties: { - autoUpgradeMinorVersion: true - publisher: 'Microsoft.Compute' - type: 'CustomScriptExtension' - typeHandlerVersion: '1.4' - settings: { - commandToExecute: 'powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path "C:\\inetpub\\wwwroot\\Default.htm" -Value $($env:computername)' - } - } - dependsOn: [ - virtualMachines_myVM_name_0_2_1 - ] -}] - -resource pass 'Microsoft.Network/applicationGateways@2021-08-01' = { - name: 'pass' - location: location - properties: { + frontendPort: { + id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGatewayName, item.frontEndPort) + } + protocol: item.protocol + sslCertificate: (contains(item, 'sslCertificate') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/sslCertificates', applicationGatewayName, item.sslCertificate)}"}') : null) + hostNames: (contains(item, 'hostNames') ? item.hostNames : null) + hostName: (contains(item, 'hostName') ? item.hostName : null) + requireServerNameIndication: (contains(item, 'requireServerNameIndication') ? item.requireServerNameIndication : false) + firewallPolicy: (contains(item, 'firewallPolicy') ? 
json('{"id": "${firewallPolicyName_placeholdervalue_firewallPolicy.id}"}') : null) + } + }] + requestRoutingRules: [for item in rules: { + name: item.name + properties: { + ruleType: item.ruleType + httpListener: (contains(item, 'listener') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGatewayName, item.listener)}"}') : null) + backendAddressPool: (contains(item, 'backendPool') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGatewayName, item.backendPool)}"}') : null) + backendHttpSettings: (contains(item, 'backendHttpSettings') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGatewayName, item.backendHttpSettings)}"}') : null) + redirectConfiguration: (contains(item, 'redirectConfiguration') ? json('{"id": "${resourceId('Microsoft.Network/applicationGateways/redirectConfigurations', applicationGatewayName, item.redirectConfiguration)}"}') : null) + } + }] + redirectConfigurations: [for item in redirectConfigurations: { + name: item.name + properties: { + redirectType: item.redirectType + targetUrl: item.targetUrl + targetListener: (contains(item, 'targetListener') ? 
json('{"id": "${resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGatewayName, item.targetListener)}"}') : null) + includePath: item.includePath + includeQueryString: item.includeQueryString + requestRoutingRules: [ + { + id: resourceId('Microsoft.Network/applicationGateways/requestRoutingRules', applicationGatewayName, item.requestRoutingRule) + } + ] + } + }] sku: { - name: 'WAF_v2' - tier: 'WAF_v2' - capacity: 2 + name: sku + tier: tier + } + autoscaleConfiguration: { + minCapacity: capacity + maxCapacity: autoScaleMaxCapacity } + enableHttp2: http2Enabled + webApplicationFirewallConfiguration: { + enabled: true + firewallMode: firewallPolicySettings.mode + ruleSetType: 'OWASP' + ruleSetVersion: '3.2' + } gatewayIPConfigurations: [ { - name: 'appGatewayIpConfig' + name: gatewayIpConfigurationName properties: { subnet: { - id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name_var, 'myAGSubnet') + id: resourceId(vNetSubscriptionId, existingVnetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', existingVnetName, existingSubnetName) } } } ] frontendIPConfigurations: [ { - name: 'appGwPublicFrontendIp' + name: frontendIpConfigurationName properties: { - privateIPAllocationMethod: 'Dynamic' publicIPAddress: { - id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}0') + id: publicIpAddress.id } } } ] - frontendPorts: [ - { - name: 'port_80' - properties: { - port: 80 - } - } - ] - backendAddressPools: [ + firewallPolicy: (enableWebApplicationFirewall ? { + id: firewallPolicyName_placeholdervalue_firewallPolicy.id + } : null) + } +} + +resource appGatewayDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (enableDiagnostics) { + scope: applicationGateway + name: appGatewayDiagnosticsName + properties: { + workspaceId: (empty(logAnalyticsWorkspaceId) ? null : logAnalyticsWorkspaceId) + storageAccountId: (empty(diagnosticStorageAccountId) ? 
null : diagnosticStorageAccountId) + logs: [ { - name: 'myBackendPool' - properties: {} + category: 'ApplicationGatewayAccessLog' + enabled: true } - ] - backendHttpSettingsCollection: [ { - name: 'myHTTPSetting' - properties: { - port: 80 - protocol: 'Http' - cookieBasedAffinity: 'Disabled' - pickHostNameFromBackendAddress: false - requestTimeout: 20 - } + category: 'ApplicationGatewayPerformanceLog' + enabled: true } - ] - httpListeners: [ { - name: 'myListener' - properties: { - firewallPolicy: { - id: AppGW_AppFW_Pol_name.id - } - frontendIPConfiguration: { - id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', applicationGateways_myAppGateway_name, 'appGwPublicFrontendIp') - } - frontendPort: { - id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', applicationGateways_myAppGateway_name, 'port_80') - } - protocol: 'Http' - requireServerNameIndication: false - } + category: 'ApplicationGatewayFirewallLog' + enabled: true } ] - requestRoutingRules: [ + metrics: [ { - name: 'myRoutingRule' - properties: { - ruleType: 'Basic' - priority: 10 - httpListener: { - id: resourceId('Microsoft.Network/applicationGateways/httpListeners', applicationGateways_myAppGateway_name, 'myListener') - } - backendAddressPool: { - id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool') - } - backendHttpSettings: { - id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', applicationGateways_myAppGateway_name, 'myHTTPSetting') - } - } + category: 'AllMetrics' + enabled: true } ] - enableHttp2: false - firewallPolicy: { - id: AppGW_AppFW_Pol_name.id - } } - dependsOn: [ - - virtualNetworks_myVNet_name - publicIPAddress_name_0_3 - ] } -resource AppGW_AppFW_Pol_name 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-08-01' = { - name: AppGW_AppFW_Pol_name_var - location: location +resource appGatewayLock 
'Microsoft.Authorization/locks@2017-04-01' = if (enableDeleteLock) { + scope: applicationGateway + name: appGatewayLockName properties: { - customRules: [ - { - name: 'CustRule01' - priority: 100 - ruleType: 'MatchRule' - action: 'Block' - matchConditions: [ - { - matchVariables: [ - { - variableName: 'RemoteAddr' - } - ] - operator: 'IPMatch' - negationConditon: true - matchValues: [ - '10.10.10.0/24' - ] - } - ] - } - ] - policySettings: { - requestBodyCheck: true - maxRequestBodySizeInKb: 128 - fileUploadLimitInMb: 100 - state: 'Enabled' - mode: 'Prevention' - } - managedRules: { - managedRuleSets: [ - { - ruleSetType: 'OWASP' - ruleSetVersion: '3.1' - } - ] - } + level: 'CanNotDelete' } } -resource myNic_name_0_2_1 'Microsoft.Network/networkInterfaces@2021-08-01' = [for i in range(0, length(range(0, 2))): { - name: '${myNic_name}${(range(0, 2)[i] + 1)}' +resource firewallPolicyName_placeholdervalue_firewallPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-03-01' = if (enableWebApplicationFirewall) { + name: ((firewallPolicyName == '') ? 
'placeholdervalue' : firewallPolicyName) location: location properties: { - ipConfigurations: [ - { - name: '${ipconfig_name}${(range(0, 2)[i] + 1)}' - properties: { - privateIPAllocationMethod: 'Dynamic' - publicIPAddress: { - id: resourceId('Microsoft.Network/publicIPAddresses', '${publicIPAddress_name}${(range(0, 2)[i] + 1)}') - } - subnet: { - id: resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworks_myVNet_name_var, 'myBackendSubnet') - } - primary: true - privateIPAddressVersion: 'IPv4' - applicationGatewayBackendAddressPools: [ - { - id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', applicationGateways_myAppGateway_name, 'myBackendPool') - } - ] - } - } - ] - enableAcceleratedNetworking: false - enableIPForwarding: false - networkSecurityGroup: { - id: resourceId('Microsoft.Network/networkSecurityGroups', '${nsg_name}${(range(0, 2)[i] + 1)}') + customRules: firewallPolicyCustomRules + policySettings: firewallPolicySettings + managedRules: { + managedRuleSets: firewallPolicyManagedRuleSets + exclusions: firewallPolicyManagedRuleExclusions } } - dependsOn: [ - resourceId('Microsoft.Network/applicationGateways', applicationGateways_myAppGateway_name) - virtualNetworks_myVNet_name - nsg_name_0_2_1 - publicIPAddress_name_0_3 - ] -}] \ No newline at end of file +} + +output name string = applicationGatewayName +output id string = applicationGateway.id
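Review bot: The new pass.bicep carries two WAF definitions for the same gateway: the inline `webApplicationFirewallConfiguration` block (hard-coded `enabled: true`, `ruleSetType: 'OWASP'`, `ruleSetVersion: '3.2'`) and the attached `firewallPolicy`, whose rule sets come from `firewallPolicyManagedRuleSets` and whose state comes from `firewallPolicySettings`. The two can silently diverge, and as far as I recall Azure rejects a policy association whose settings differ from an existing inline configuration, so the fixture is cleaner with the inline block removed and only the policy path kept, which is also the path the check inspects. The policy default now uses `mode: 'Detection'` where the removed fixture had `'Prevention'`; Detection only logs matches, so if this file is meant as the canonical "WAF properly enabled" example, `mode: 'Prevention'` is the better default (the check does not look at mode, so this is about documenting intent rather than a test result). Style: `firewallPolicyName_placeholdervalue_firewallPolicy` and the `'placeholdervalue'` name fallback are ARM-decompiler artifacts — a plain `resource firewallPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-03-01' = if (enableWebApplicationFirewall) {` with `name: firewallPolicyName` reads better, and the three `'Virutal network ...'` descriptions should read `'Virtual network ...'`.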