azurermApplicationGateway

Manages an Application Gateway.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.254.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "example-network",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const backendAddressPoolName = `\${${azurermVirtualNetworkExample.name}}-beap`;
const frontendIpConfigurationName = `\${${azurermVirtualNetworkExample.name}}-feip`;
const frontendPortName = `\${${azurermVirtualNetworkExample.name}}-feport`;
const httpSettingName = `\${${azurermVirtualNetworkExample.name}}-be-htst`;
const listenerName = `\${${azurermVirtualNetworkExample.name}}-httplstn`;
const requestRoutingRuleName = `\${${azurermVirtualNetworkExample.name}}-rqrt`;
const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
  this,
  "example_2",
  {
    allocation_method: "Dynamic",
    location: azurermResourceGroupExample.location,
    name: "example-pip",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpExample.overrideLogicalId("example");
new azurerm.subnet.Subnet(this, "backend", {
  address_prefixes: ["10.254.2.0/24"],
  name: "backend",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
const azurermSubnetFrontend = new azurerm.subnet.Subnet(this, "frontend", {
  address_prefixes: ["10.254.0.0/24"],
  name: "frontend",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
new azurerm.applicationGateway.ApplicationGateway(this, "network", {
  backend_address_pool: [
    {
      name: backendAddressPoolName,
    },
  ],
  backend_http_settings: [
    {
      cookie_based_affinity: "Disabled",
      name: httpSettingName,
      path: "/path1/",
      port: 80,
      protocol: "Http",
      request_timeout: 60,
    },
  ],
  frontend_ip_configuration: [
    {
      name: frontendIpConfigurationName,
      public_ip_address_id: azurermPublicIpExample.id,
    },
  ],
  frontend_port: [
    {
      name: frontendPortName,
      port: 80,
    },
  ],
  gateway_ip_configuration: [
    {
      name: "my-gateway-ip-configuration",
      subnet_id: azurermSubnetFrontend.id,
    },
  ],
  http_listener: [
    {
      frontend_ip_configuration_name: frontendIpConfigurationName,
      frontend_port_name: frontendPortName,
      name: listenerName,
      protocol: "Http",
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "example-appgateway",
  request_routing_rule: [
    {
      backend_address_pool_name: backendAddressPoolName,
      backend_http_settings_name: httpSettingName,
      http_listener_name: listenerName,
      name: requestRoutingRuleName,
      rule_type: "Basic",
    },
  ],
  resource_group_name: azurermResourceGroupExample.name,
  sku: [
    {
      capacity: 2,
      name: "Standard_Small",
      tier: "Standard",
    },
  ],
});

Argument Reference

The following arguments are supported:

• name - (Required) The name of the Application Gateway. Changing this forces a new resource to be created.

• resourceGroupName - (Required) The name of the resource group in which to the Application Gateway should exist. Changing this forces a new resource to be created.

• location - (Required) The Azure region where the Application Gateway should exist. Changing this forces a new resource to be created.

• backendAddressPool - (Required) One or more backendAddressPool blocks as defined below.

• backendHttpSettings - (Required) One or more backendHttpSettings blocks as defined below.

• frontendIpConfiguration - (Required) One or more frontendIpConfiguration blocks as defined below.

• frontendPort - (Required) One or more frontendPort blocks as defined below.

• gatewayIpConfiguration - (Required) One or more gatewayIpConfiguration blocks as defined below.

• httpListener - (Required) One or more httpListener blocks as defined below.

• fipsEnabled - (Optional) Is FIPS enabled on the Application Gateway?

• global - (Optional) A global block as defined below.

• identity - (Optional) An identity block as defined below.

• privateLinkConfiguration - (Optional) One or more privateLinkConfiguration blocks as defined below.

• requestRoutingRule - (Required) One or more requestRoutingRule blocks as defined below.

• sku - (Required) A sku block as defined below.

• zones - (Optional) Specifies a list of Availability Zones in which this Application Gateway should be located. Changing this forces a new Application Gateway to be created.

• trustedClientCertificate - (Optional) One or more trustedClientCertificate blocks as defined below.

• sslProfile - (Optional) One or more sslProfile blocks as defined below.

-> Please Note: Availability Zones are only supported in several regions at this time. They are also only supported for v2 SKUs

• authenticationCertificate - (Optional) One or more authenticationCertificate blocks as defined below.

• trustedRootCertificate - (Optional) One or more trustedRootCertificate blocks as defined below.

• sslPolicy - (Optional) a sslPolicy block as defined below.

• enableHttp2 - (Optional) Is HTTP2 enabled on the application gateway resource? Defaults to false.

• forceFirewallPolicyAssociation - (Optional) Is the Firewall Policy associated with the Application Gateway?

• probe - (Optional) One or more probe blocks as defined below.

• sslCertificate - (Optional) One or more sslCertificate blocks as defined below.

• tags - (Optional) A mapping of tags to assign to the resource.

• urlPathMap - (Optional) One or more urlPathMap blocks as defined below.

• wafConfiguration - (Optional) A wafConfiguration block as defined below.

• customErrorConfiguration - (Optional) One or more customErrorConfiguration blocks as defined below.

• firewallPolicyId - (Optional) The ID of the Web Application Firewall Policy.

• redirectConfiguration - (Optional) One or more redirectConfiguration blocks as defined below.

• autoscaleConfiguration - (Optional) A autoscaleConfiguration block as defined below.

• rewriteRuleSet - (Optional) One or more rewriteRuleSet blocks as defined below. Only valid for v2 SKUs.

A authenticationCertificate block supports the following:

• name - (Required) The Name of the Authentication Certificate to use.

• data - (Required) The contents of the Authentication Certificate which should be used.

A trustedRootCertificate block supports the following:

• name - (Required) The Name of the Trusted Root Certificate to use.

• data - (Optional) The contents of the Trusted Root Certificate which should be used. Required if keyVaultSecretId is not set.

• keyVaultSecretId - (Optional) The Secret ID of (base-64 encoded unencrypted pfx) secret or certificate object stored in Azure KeyVault. You need to enable soft delete for the Key Vault to use this feature. Required if data is not set.

-> NOTE: TLS termination with Key Vault certificates is limited to the v2 SKUs.

-> NOTE: For TLS termination with Key Vault certificates to work properly existing user-assigned managed identity, which Application Gateway uses to retrieve certificates from Key Vault, should be defined via identity block. Additionally, access policies in the Key Vault to allow the identity to be granted get access to the secret should be defined.

A authenticationCertificate block, within the backendHttpSettings block supports the following:

• name - (Required) The name of the Authentication Certificate.

A backendAddressPool block supports the following:

• name - (Required) The name of the Backend Address Pool.

• fqdns - (Optional) A list of FQDN's which should be part of the Backend Address Pool.

• ipAddresses - (Optional) A list of IP Addresses which should be part of the Backend Address Pool.

A backendHttpSettings block supports the following:

• cookieBasedAffinity - (Required) Is Cookie-Based Affinity enabled? Possible values are enabled and disabled.

• affinityCookieName - (Optional) The name of the affinity cookie.

• name - (Required) The name of the Backend HTTP Settings Collection.

• path - (Optional) The Path which should be used as a prefix for all HTTP requests.

• port - (Required) The port which should be used for this Backend HTTP Settings Collection.

• probeName - (Optional) The name of an associated HTTP Probe.

• protocol - (Required) The Protocol which should be used. Possible values are http and https.

• requestTimeout - (Optional) The request timeout in seconds, which must be between 1 and 86400 seconds. Defaults to 30.

• hostName - (Optional) Host header to be sent to the backend servers. Cannot be set if pickHostNameFromBackendAddress is set to true.

• pickHostNameFromBackendAddress - (Optional) Whether host header should be picked from the host name of the backend server. Defaults to false.

• authenticationCertificate - (Optional) One or more authenticationCertificate blocks as defined below.

• trustedRootCertificateNames - (Optional) A list of trustedRootCertificate names.

• connectionDraining - (Optional) A connectionDraining block as defined below.

A connectionDraining block supports the following:

• enabled - (Required) If connection draining is enabled or not.

• drainTimeoutSec - (Required) The number of seconds connection draining is active. Acceptable values are from 1 second to 3600 seconds.

A frontendIpConfiguration block supports the following:

• name - (Required) The name of the Frontend IP Configuration.

• subnetId - (Optional) The ID of the Subnet.

• privateIpAddress - (Optional) The Private IP Address to use for the Application Gateway.

• publicIpAddressId - (Optional) The ID of a Public IP Address which the Application Gateway should use. The allocation method for the Public IP Address depends on the sku of this Application Gateway. Please refer to the Azure documentation for public IP addresses for details.

• privateIpAddressAllocation - (Optional) The Allocation Method for the Private IP Address. Possible values are dynamic and static.

• privateLinkConfigurationName - (Optional) The name of the private link configuration to use for this frontend IP configuration.

A frontendPort block supports the following:

• name - (Required) The name of the Frontend Port.

• port - (Required) The port used for this Frontend Port.

A gatewayIpConfiguration block supports the following:

• name - (Required) The Name of this Gateway IP Configuration.

• subnetId - (Required) The ID of the Subnet which the Application Gateway should be connected to.

A httpListener block supports the following:

• name - (Required) The Name of the HTTP Listener.

• frontendIpConfigurationName - (Required) The Name of the Frontend IP Configuration used for this HTTP Listener.

• frontendPortName - (Required) The Name of the Frontend Port use for this HTTP Listener.

• hostName - (Optional) The Hostname which should be used for this HTTP Listener. Setting this value changes Listener Type to 'Multi site'.

• hostNames - (Optional) A list of Hostname(s) should be used for this HTTP Listener. It allows special wildcard characters.

-> NOTE The hostNames and hostName are mutually exclusive and cannot both be set.

• protocol - (Required) The Protocol to use for this HTTP Listener. Possible values are http and https.

• requireSni - (Optional) Should Server Name Indication be Required?

• sslCertificateName - (Optional) The name of the associated SSL Certificate which should be used for this HTTP Listener.

• customErrorConfiguration - (Optional) One or more customErrorConfiguration blocks as defined below.

• firewallPolicyId - (Optional) The ID of the Web Application Firewall Policy which should be used for this HTTP Listener.

• sslProfileName - (Optional) The name of the associated SSL Profile which should be used for this HTTP Listener.

An identity block supports the following:

• type - (Required) Specifies the type of Managed Service Identity that should be configured on this Application Gateway. Only possible value is userAssigned.

• identityIds - (Required) Specifies a list of User Assigned Managed Identity IDs to be assigned to this Application Gateway.

A privateLinkConfiguration block supports the following:

• name - (Required) The name of the private link configuration.

• ipConfiguration - (Required) One or more ipConfiguration blocks as defined below.

-> Please Note: The allowApplicationGatewayPrivateLink feature must be registered on the subscription before enabling private link

az feature register --name AllowApplicationGatewayPrivateLink --namespace Microsoft.Network

An ipConfiguration block supports the following:

• name - (Required) The name of the IP configuration.

• subnetId - (Required) The ID of the subnet the private link configuration should connect to.

• privateIpAddressAllocation - (Required) The allocation method used for the Private IP Address. Possible values are dynamic and static.

• primary - (Required) Is this the Primary IP Configuration?

• privateIpAddress - (Optional) The Static IP Address which should be used.

A match block supports the following:

• body - (Optional) A snippet from the Response Body which must be present in the Response.

• statusCode - (Required) A list of allowed status codes for this Health Probe.

A pathRule block supports the following:

• name - (Required) The Name of the Path Rule.

• paths - (Required) A list of Paths used in this Path Rule.

• backendAddressPoolName - (Optional) The Name of the Backend Address Pool to use for this Path Rule. Cannot be set if redirectConfigurationName is set.

• backendHttpSettingsName - (Optional) The Name of the Backend HTTP Settings Collection to use for this Path Rule. Cannot be set if redirectConfigurationName is set.

• redirectConfigurationName - (Optional) The Name of a Redirect Configuration to use for this Path Rule. Cannot be set if backendAddressPoolName or backendHttpSettingsName is set.

• rewriteRuleSetName - (Optional) The Name of the Rewrite Rule Set which should be used for this URL Path Map. Only valid for v2 SKUs.

• firewallPolicyId - (Optional) The ID of the Web Application Firewall Policy which should be used as a HTTP Listener.

A probe block support the following:

• host - (Optional) The Hostname used for this Probe. If the Application Gateway is configured for a single site, by default the Host name should be specified as ‘127.0.0.1’, unless otherwise configured in custom probe. Cannot be set if pickHostNameFromBackendHttpSettings is set to true.

• interval - (Required) The Interval between two consecutive probes in seconds. Possible values range from 1 second to a maximum of 86,400 seconds.

• name - (Required) The Name of the Probe.

• protocol - (Required) The Protocol used for this Probe. Possible values are http and https.

• path - (Required) The Path used for this Probe.

• timeout - (Required) The Timeout used for this Probe, which indicates when a probe becomes unhealthy. Possible values range from 1 second to a maximum of 86,400 seconds.

• unhealthyThreshold - (Required) The Unhealthy Threshold for this Probe, which indicates the amount of retries which should be attempted before a node is deemed unhealthy. Possible values are from 1 to 20.

• port - (Optional) Custom port which will be used for probing the backend servers. The valid value ranges from 1 to 65535. In case not set, port from HTTP settings will be used. This property is valid for Standard_v2 and WAF_v2 only.

• pickHostNameFromBackendHttpSettings - (Optional) Whether the host header should be picked from the backend HTTP settings. Defaults to false.

• match - (Optional) A match block as defined above.

• minimumServers - (Optional) The minimum number of servers that are always marked as healthy. Defaults to 0.

A requestRoutingRule block supports the following:

• name - (Required) The Name of this Request Routing Rule.

• ruleType - (Required) The Type of Routing that should be used for this Rule. Possible values are basic and pathBasedRouting.

• httpListenerName - (Required) The Name of the HTTP Listener which should be used for this Routing Rule.

• backendAddressPoolName - (Optional) The Name of the Backend Address Pool which should be used for this Routing Rule. Cannot be set if redirectConfigurationName is set.

• backendHttpSettingsName - (Optional) The Name of the Backend HTTP Settings Collection which should be used for this Routing Rule. Cannot be set if redirectConfigurationName is set.

• redirectConfigurationName - (Optional) The Name of the Redirect Configuration which should be used for this Routing Rule. Cannot be set if either backendAddressPoolName or backendHttpSettingsName is set.

• rewriteRuleSetName - (Optional) The Name of the Rewrite Rule Set which should be used for this Routing Rule. Only valid for v2 SKUs.

-> NOTE: backendAddressPoolName, backendHttpSettingsName, redirectConfigurationName, and rewriteRuleSetName are applicable only when ruleType is basic.

• urlPathMapName - (Optional) The Name of the URL Path Map which should be associated with this Routing Rule.

• priority - (Optional) Rule evaluation order can be dictated by specifying an integer value from 1 to 20000 with 1 being the highest priority and 20000 being the lowest priority.

-> NOTE: priority is required when sku0Tier is set to *V2.

A global block supports the following:

• requestBufferingEnabled - (Required) Whether Application Gateway's Request buffer is enabled.

• responseBufferingEnabled - (Required) Whether Application Gateway's Response buffer is enabled.

A sku block supports the following:

• name - (Required) The Name of the SKU to use for this Application Gateway. Possible values are standardSmall, standardMedium, standardLarge, standardV2, wafMedium, wafLarge, and wafV2.

• tier - (Required) The Tier of the SKU to use for this Application Gateway. Possible values are standard, standardV2, waf and wafV2.

• capacity - (Optional) The Capacity of the SKU to use for this Application Gateway. When using a V1 SKU this value must be between 1 and 32, and 1 to 125 for a V2 SKU. This property is optional if autoscaleConfiguration is set.

A sslCertificate block supports the following:

• name - (Required) The Name of the SSL certificate that is unique within this Application Gateway

• data - (Optional) PFX certificate. Required if keyVaultSecretId is not set.

• password - (Optional) Password for the pfx file specified in data. Required if data is set.

• keyVaultSecretId - (Optional) Secret Id of (base-64 encoded unencrypted pfx) secret or certificate object stored in Azure KeyVault. You need to enable soft delete for keyvault to use this feature. Required if data is not set.

-> NOTE: TLS termination with Key Vault certificates is limited to the v2 SKUs.

-> NOTE: For TLS termination with Key Vault certificates to work properly existing user-assigned managed identity, which Application Gateway uses to retrieve certificates from Key Vault, should be defined via identity block. Additionally, access policies in the Key Vault to allow the identity to be granted get access to the secret should be defined.

A urlPathMap block supports the following:

• name - (Required) The Name of the URL Path Map.

• defaultBackendAddressPoolName - (Optional) The Name of the Default Backend Address Pool which should be used for this URL Path Map. Cannot be set if defaultRedirectConfigurationName is set.

• defaultBackendHttpSettingsName - (Optional) The Name of the Default Backend HTTP Settings Collection which should be used for this URL Path Map. Cannot be set if defaultRedirectConfigurationName is set.

• defaultRedirectConfigurationName - (Optional) The Name of the Default Redirect Configuration which should be used for this URL Path Map. Cannot be set if either defaultBackendAddressPoolName or defaultBackendHttpSettingsName is set.

-> NOTE: Both defaultBackendAddressPoolName and defaultBackendHttpSettingsName or defaultRedirectConfigurationName should be specified.

• defaultRewriteRuleSetName - (Optional) The Name of the Default Rewrite Rule Set which should be used for this URL Path Map. Only valid for v2 SKUs.

• pathRule - (Required) One or more pathRule blocks as defined above.

A trustedClientCertificate block supports the following:

• name - (Required) The name of the Trusted Client Certificate that is unique within this Application Gateway.

• data - (Required) The base-64 encoded certificate.

A sslProfile block supports the following:

• name - (Required) The name of the SSL Profile that is unique within this Application Gateway.

• trustedClientCertificateNames - (Optional) The name of the Trusted Client Certificate that will be used to authenticate requests from clients.

• verifyClientCertIssuerDn - (Optional) Should client certificate issuer DN be verified? Defaults to false.

• sslPolicy - (Optional) a sslPolicy block as defined below.

A sslPolicy block supports the following:

• disabledProtocols - (Optional) A list of SSL Protocols which should be disabled on this Application Gateway. Possible values are tlSv10, tlSv11, tlSv12 and tlSv13.

\~> NOTE: disabledProtocols cannot be set when policyName or policyType are set.

• policyType - (Optional) The Type of the Policy. Possible values are predefined, custom and customV2.

\~> NOTE: policyType is Required when policyName is set - cannot be set if disabledProtocols is set.

When using a policyType of predefined the following fields are supported:

• policyName - (Optional) The Name of the Policy e.g AppGwSslPolicy20170401S. Required if policyType is set to predefined. Possible values can change over time and are published here https://docs.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview. Not compatible with disabledProtocols.

When using a policyType of custom the following fields are supported:

• cipherSuites - (Optional) A List of accepted cipher suites. Possible values are: tlsDheDssWith3DesEdeCbcSha, tlsDheDssWithAes128CbcSha, tlsDheDssWithAes128CbcSha256, tlsDheDssWithAes256CbcSha, tlsDheDssWithAes256CbcSha256, tlsDheRsaWithAes128CbcSha, tlsDheRsaWithAes128GcmSha256, tlsDheRsaWithAes256CbcSha, tlsDheRsaWithAes256GcmSha384, tlsEcdheEcdsaWithAes128CbcSha, tlsEcdheEcdsaWithAes128CbcSha256, tlsEcdheEcdsaWithAes128GcmSha256, tlsEcdheEcdsaWithAes256CbcSha, tlsEcdheEcdsaWithAes256CbcSha384, tlsEcdheEcdsaWithAes256GcmSha384, tlsEcdheRsaWithAes128CbcSha, tlsEcdheRsaWithAes128CbcSha256, tlsEcdheRsaWithAes128GcmSha256, tlsEcdheRsaWithAes256CbcSha, tlsEcdheRsaWithAes256CbcSha384, tlsEcdheRsaWithAes256GcmSha384, tlsRsaWith3DesEdeCbcSha, tlsRsaWithAes128CbcSha, tlsRsaWithAes128CbcSha256, tlsRsaWithAes128GcmSha256, tlsRsaWithAes256CbcSha, tlsRsaWithAes256CbcSha256 and tlsRsaWithAes256GcmSha384.

• minProtocolVersion - (Optional) The minimal TLS version. Possible values are tlSv10, tlSv11, tlSv12 and tlSv13.

A wafConfiguration block supports the following:

• enabled - (Required) Is the Web Application Firewall enabled?

• firewallMode - (Required) The Web Application Firewall Mode. Possible values are detection and prevention.

• ruleSetType - (Optional) The Type of the Rule Set used for this Web Application Firewall. Possible values are owasp and microsoftBotManagerRuleSet.

• ruleSetVersion - (Required) The Version of the Rule Set used for this Web Application Firewall. Possible values are 01, 10, 229, 30, 31 and 32.

• disabledRuleGroup - (Optional) one or more disabledRuleGroup blocks as defined below.

• fileUploadLimitMb - (Optional) The File Upload Limit in MB. Accepted values are in the range 1MB to 750MB for the wafV2 SKU, and 1MB to 500MB for all other SKUs. Defaults to 100MB.

• requestBodyCheck - (Optional) Is Request Body Inspection enabled? Defaults to true.

• maxRequestBodySizeKb - (Optional) The Maximum Request Body Size in KB. Accepted values are in the range 1KB to 128KB. Defaults to 128KB.

• exclusion - (Optional) one or more exclusion blocks as defined below.

A disabledRuleGroup block supports the following:

• ruleGroupName - (Required) The rule group where specific rules should be disabled. Possible values are badBots, crs20ProtocolViolations, crs21ProtocolAnomalies, crs23RequestLimits, crs30HttpPolicy, crs35BadRobots, crs40GenericAttacks, crs41SqlInjectionAttacks, crs41XssAttacks, crs42TightSecurity, crs45Trojans, general, goodBots, knownCvEs, request911MethodEnforcement, request913ScannerDetection, request920ProtocolEnforcement, request921ProtocolAttack, request930ApplicationAttackLfi, request931ApplicationAttackRfi, request932ApplicationAttackRce, request933ApplicationAttackPhp, request941ApplicationAttackXss, request942ApplicationAttackSqli, request943ApplicationAttackSessionFixation, request944ApplicationAttackJava and unknownBots.

• rules - (Optional) A list of rules which should be disabled in that group. Disables all rules in the specified group if rules is not specified.

A exclusion block supports the following:

• matchVariable - (Required) Match variable of the exclusion rule to exclude header, cookie or GET arguments. Possible values are requestArgKeys, requestArgNames, requestArgValues, requestCookieKeys, requestCookieNames, requestCookieValues, requestHeaderKeys, requestHeaderNames and requestHeaderValues

• selectorMatchOperator - (Optional) Operator which will be used to search in the variable content. Possible values are contains, endsWith, equals, equalsAny and startsWith. If empty will exclude all traffic on this matchVariable

• selector - (Optional) String value which will be used for the filter operation. If empty will exclude all traffic on this matchVariable

A customErrorConfiguration block supports the following:

• statusCode - (Required) Status code of the application gateway customer error. Possible values are httpStatus403 and httpStatus502

• customErrorPageUrl - (Required) Error page URL of the application gateway customer error.

A redirectConfiguration block supports the following:

• name - (Required) Unique name of the redirect configuration block

• redirectType - (Required) The type of redirect. Possible values are permanent, temporary, found and seeOther

• targetListenerName - (Optional) The name of the listener to redirect to. Cannot be set if targetUrl is set.

• targetUrl - (Optional) The Url to redirect the request to. Cannot be set if targetListenerName is set.

• includePath - (Optional) Whether or not to include the path in the redirected Url. Defaults to false

• includeQueryString - (Optional) Whether or not to include the query string in the redirected Url. Default to false

A autoscaleConfiguration block supports the following:

• minCapacity - (Required) Minimum capacity for autoscaling. Accepted values are in the range 0 to 100.

• maxCapacity - (Optional) Maximum capacity for autoscaling. Accepted values are in the range 2 to 125.

A rewriteRuleSet block supports the following:

• name - (Required) Unique name of the rewrite rule set block

• rewriteRule - (Optional) One or more rewriteRule blocks as defined above.

A rewriteRule block supports the following:

• name - (Required) Unique name of the rewrite rule block

• ruleSequence - (Required) Rule sequence of the rewrite rule that determines the order of execution in a set.

• condition - (Optional) One or more condition blocks as defined above.

• requestHeaderConfiguration - (Optional) One or more requestHeaderConfiguration blocks as defined above.

• responseHeaderConfiguration - (Optional) One or more responseHeaderConfiguration blocks as defined above.

• url - (Optional) One url block as defined below

A condition block supports the following:

• variable - (Required) The variable of the condition.

• pattern - (Required) The pattern, either fixed string or regular expression, that evaluates the truthfulness of the condition.

• ignoreCase - (Optional) Perform a case in-sensitive comparison. Defaults to false

• negate - (Optional) Negate the result of the condition evaluation. Defaults to false

A requestHeaderConfiguration block supports the following:

• headerName - (Required) Header name of the header configuration.

• headerValue - (Required) Header value of the header configuration. To delete a request header set this property to an empty string.

A responseHeaderConfiguration block supports the following:

• headerName - (Required) Header name of the header configuration.

• headerValue - (Required) Header value of the header configuration. To delete a response header set this property to an empty string.

A url block supports the following:

• path - (Optional) The URL path to rewrite.

• queryString - (Optional) The query string to rewrite.

• components - (Optional) The components used to rewrite the URL. Possible values are pathOnly and queryStringOnly to limit the rewrite to the URL Path or URL Query String only.

\~> Note: One or both of path and queryString must be specified. If one of these is not specified, it means the value will be empty. If you only want to rewrite path or queryString, use components.

• reroute - (Optional) Whether the URL path map should be reevaluated after this rewrite has been applied. More info on rewrite configutation

Attributes Reference

The following attributes are exported:

• id - The ID of the Application Gateway.

• authenticationCertificate - A list of authenticationCertificate blocks as defined below.

• backendAddressPool - A list of backendAddressPool blocks as defined below.

• backendHttpSettings - A list of backendHttpSettings blocks as defined below.

• frontendIpConfiguration - A list of frontendIpConfiguration blocks as defined below.

• frontendPort - A list of frontendPort blocks as defined below.

• gatewayIpConfiguration - A list of gatewayIpConfiguration blocks as defined below.

• enableHttp2 - (Optional) Is HTTP2 enabled on the application gateway resource?

• httpListener - A list of httpListener blocks as defined below.

• privateEndpointConnection - A list of privateEndpointConnection blocks as defined below.

• privateLinkConfiguration - A list of privateLinkConfiguration blocks as defined below.

• probe - A probe block as defined below.

• requestRoutingRule - A list of requestRoutingRule blocks as defined below.

• sslCertificate - A list of sslCertificate blocks as defined below.

• urlPathMap - A list of urlPathMap blocks as defined below.

• customErrorConfiguration - A list of customErrorConfiguration blocks as defined below.

• redirectConfiguration - A list of redirectConfiguration blocks as defined below.

A authenticationCertificate block exports the following:

• id - The ID of the Authentication Certificate.

A authenticationCertificate block, within the backendHttpSettings block exports the following:

• id - The ID of the Authentication Certificate.

A backendAddressPool block exports the following:

• id - The ID of the Backend Address Pool.

A backendHttpSettings block exports the following:

• id - The ID of the Backend HTTP Settings Configuration.

• probeId - The ID of the associated Probe.

A frontendIpConfiguration block exports the following:

• id - The ID of the Frontend IP Configuration.

• privateLinkConfigurationId - The ID of the associated private link configuration.

A frontendPort block exports the following:

• id - The ID of the Frontend Port.

A gatewayIpConfiguration block exports the following:

• id - The ID of the Gateway IP Configuration.

A httpListener block exports the following:

• id - The ID of the HTTP Listener.

• frontendIpConfigurationId - The ID of the associated Frontend Configuration.

• frontendPortId - The ID of the associated Frontend Port.

• sslCertificateId - The ID of the associated SSL Certificate.

• sslProfileId - The ID of the associated SSL Profile.

A pathRule block exports the following:

• id - The ID of the Path Rule.

• backendAddressPoolId - The ID of the Backend Address Pool used in this Path Rule.

• backendHttpSettingsId - The ID of the Backend HTTP Settings Collection used in this Path Rule.

• redirectConfigurationId - The ID of the Redirect Configuration used in this Path Rule.

• rewriteRuleSetId - The ID of the Rewrite Rule Set used in this Path Rule.

A privateEndpointConnection block exports the following:

• name - The name of the private endpoint connection.

• id - The ID of the private endpoint connection.

A privateLinkConfiguration block exports the following:

• id - The ID of the private link configuration.

A probe block exports the following:

• id - The ID of the Probe.

A requestRoutingRule block exports the following:

• id - The ID of the Request Routing Rule.

• httpListenerId - The ID of the associated HTTP Listener.

• backendAddressPoolId - The ID of the associated Backend Address Pool.

• backendHttpSettingsId - The ID of the associated Backend HTTP Settings Configuration.

• redirectConfigurationId - The ID of the associated Redirect Configuration.

• rewriteRuleSetId - The ID of the associated Rewrite Rule Set.

• urlPathMapId - The ID of the associated URL Path Map.

A sslCertificate block exports the following:

• id - The ID of the SSL Certificate.

• publicCertData - The Public Certificate Data associated with the SSL Certificate.

A urlPathMap block exports the following:

• id - The ID of the URL Path Map.

• defaultBackendAddressPoolId - The ID of the Default Backend Address Pool.

• defaultBackendHttpSettingsId - The ID of the Default Backend HTTP Settings Collection.

• defaultRedirectConfigurationId - The ID of the Default Redirect Configuration.

• pathRule - (Required) A list of pathRule blocks as defined above.

A customErrorConfiguration block exports the following:

• id - The ID of the Custom Error Configuration.

A redirectConfiguration block exports the following:

• id - The ID of the Redirect Configuration.

A rewriteRuleSet block exports the following:

• id - The ID of the Rewrite Rule Set

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

• create - (Defaults to 90 minutes) Used when creating the Application Gateway.
• update - (Defaults to 90 minutes) Used when updating the Application Gateway.
• read - (Defaults to 5 minutes) Used when retrieving the Application Gateway.
• delete - (Defaults to 90 minutes) Used when deleting the Application Gateway.

Import

Application Gateway's can be imported using the resourceId, e.g.

terraform import azurerm_application_gateway.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/applicationGateways/myGateway1