azurermCdnFrontdoorOrigin

Manages a Front Door (standard/premium) Origin.

!> IMPORTANT: If you are implementing an Origin that uses its own Private Link Service with a Load Balancer, the Profile resource in your configuration file must have a dependsOn meta-argument that references the azurermPrivateLinkService; see the Private Link Service example below.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermCdnFrontdoorProfileExample =
  new azurerm.cdnFrontdoorProfile.CdnFrontdoorProfile(this, "example_1", {
    name: "example-profile",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "Premium_AzureFrontDoor",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorProfileExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginGroupExample =
  new azurerm.cdnFrontdoorOriginGroup.CdnFrontdoorOriginGroup(
    this,
    "example_2",
    {
      cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
      load_balancing: [{}],
      name: "example-origingroup",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginGroupExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginExample =
  new azurerm.cdnFrontdoorOrigin.CdnFrontdoorOrigin(this, "example_3", {
    cdn_frontdoor_origin_group_id: azurermCdnFrontdoorOriginGroupExample.id,
    certificate_name_check_enabled: false,
    enabled: true,
    host_name: "contoso.com",
    http_port: 80,
    https_port: 443,
    name: "example-origin",
    origin_host_header: "www.contoso.com",
    priority: 1,
    weight: 1,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginExample.overrideLogicalId("example");

Example Usage With Private Link

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    account_replication_type: "LRS",
    account_tier: "Premium",
    allow_nested_items_to_be_public: false,
    location: azurermResourceGroupExample.location,
    name: "examplestoracc",
    network_rules: [
      {
        default_action: "Deny",
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
    tags: {
      environment: "Example",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermCdnFrontdoorProfileExample =
  new azurerm.cdnFrontdoorProfile.CdnFrontdoorProfile(this, "example_2", {
    name: "example-profile",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "Premium_AzureFrontDoor",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorProfileExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginGroupExample =
  new azurerm.cdnFrontdoorOriginGroup.CdnFrontdoorOriginGroup(
    this,
    "example_3",
    {
      cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
      load_balancing: [{}],
      name: "example-origin-group",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginGroupExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginExample =
  new azurerm.cdnFrontdoorOrigin.CdnFrontdoorOrigin(this, "example_4", {
    cdn_frontdoor_origin_group_id: azurermCdnFrontdoorOriginGroupExample.id,
    certificate_name_check_enabled: true,
    enabled: true,
    host_name: azurermStorageAccountExample.primaryBlobHost,
    name: "example-origin",
    origin_host_header: azurermStorageAccountExample.primaryBlobHost,
    priority: 1,
    private_link: [
      {
        location: azurermStorageAccountExample.location,
        private_link_target_id: azurermStorageAccountExample.id,
        request_message: "Request access for Private Link Origin CDN Frontdoor",
        target_type: "blob",
      },
    ],
    weight: 500,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginExample.overrideLogicalId("example");

Example Usage With Private Link Service

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.5.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "vn-example",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
  this,
  "example_3",
  {
    allocation_method: "Static",
    location: azurermResourceGroupExample.location,
    name: "ip-example",
    resource_group_name: azurermResourceGroupExample.name,
    sku: "Standard",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_4", {
  address_prefixes: ["10.5.1.0/24"],
  name: "sn-example",
  private_link_service_network_policies_enabled: false,
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermLbExample = new azurerm.lb.Lb(this, "example_5", {
  frontend_ip_configuration: [
    {
      name: azurermPublicIpExample.name,
      public_ip_address_id: azurermPublicIpExample.id,
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "lb-example",
  resource_group_name: azurermResourceGroupExample.name,
  sku: "Standard",
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLbExample.overrideLogicalId("example");
const azurermPrivateLinkServiceExample =
  new azurerm.privateLinkService.PrivateLinkService(this, "example_6", {
    load_balancer_frontend_ip_configuration_ids: [
      `\${${azurermLbExample.frontendIpConfiguration}.0.id}`,
    ],
    location: azurermResourceGroupExample.location,
    name: "pls-example",
    nat_ip_configuration: [
      {
        name: "primary",
        primary: true,
        private_ip_address: "10.5.1.17",
        private_ip_address_version: "IPv4",
        subnet_id: azurermSubnetExample.id,
      },
    ],
    resource_group_name: azurermResourceGroupExample.name,
    visibility_subscription_ids: [
      dataAzurermClientConfigCurrent.subscriptionId,
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPrivateLinkServiceExample.overrideLogicalId("example");
const azurermCdnFrontdoorProfileExample =
  new azurerm.cdnFrontdoorProfile.CdnFrontdoorProfile(this, "example_7", {
    depends_on: [`\${${azurermPrivateLinkServiceExample.fqn}}`],
    name: "profile-example",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "Premium_AzureFrontDoor",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorProfileExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginGroupExample =
  new azurerm.cdnFrontdoorOriginGroup.CdnFrontdoorOriginGroup(
    this,
    "example_8",
    {
      cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
      load_balancing: [
        {
          additional_latency_in_milliseconds: 0,
          sample_size: 16,
          successful_samples_required: 3,
        },
      ],
      name: "group-example",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginGroupExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginExample =
  new azurerm.cdnFrontdoorOrigin.CdnFrontdoorOrigin(this, "example_9", {
    cdn_frontdoor_origin_group_id: azurermCdnFrontdoorOriginGroupExample.id,
    certificate_name_check_enabled: true,
    enabled: true,
    host_name: "example.com",
    name: "origin-example",
    origin_host_header: "example.com",
    priority: 1,
    private_link: [
      {
        location: azurermResourceGroupExample.location,
        private_link_target_id: azurermPrivateLinkServiceExample.id,
        request_message: "Request access for Private Link Origin CDN Frontdoor",
      },
    ],
    weight: 1000,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Front Door Origin. Changing this forces a new Front Door Origin to be created.

  • cdnFrontdoorOriginGroupId - (Required) The ID of the Front Door Origin Group within which this Front Door Origin should exist. Changing this forces a new Front Door Origin to be created.

  • hostName - (Required) The IPv4 address, IPv6 address or Domain name of the Origin.

!> IMPORTANT: This must be unique across all Front Door Origins within a Front Door Endpoint.

  • certificateNameCheckEnabled - (Required) Specifies whether certificate name checks are enabled for this origin.

  • enabled - (Optional) Should the origin be enabled? Possible values are true or false. Defaults to true.

-> NOTE: The enabled field will need to be explicitly set until the 4.0 provider is released due to the deprecation of the healthProbesEnabled property in version 3.x of the AzureRM Provider.

  • httpPort - (Optional) The value of the HTTP port. Must be between 1 and 65535. Defaults to 80.

  • httpsPort - (Optional) The value of the HTTPS port. Must be between 1 and 65535. Defaults to 443.

  • originHostHeader - (Optional) The host header value (an IPv4 address, IPv6 address or Domain name) which is sent to the origin with each request. If unspecified the hostname from the request will be used.

-> Azure Front Door Origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin's hostname. This field's value overrides the host header defined in the Front Door Endpoint. For more information on how to properly set the origin host header value please see the product documentation.

  • priority - (Optional) Priority of origin in given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy. Must be between 1 and 5 (inclusive). Defaults to 1.

  • privateLink - (Optional) A privateLink block as defined below.

-> NOTE: Private Link requires that the Front Door Profile this Origin is hosted within is using the SKU Premium_AzureFrontDoor and that the certificateNameCheckEnabled field is set to true.

  • weight - (Optional) The weight of the origin in a given origin group for load balancing. Must be between 1 and 1000. Defaults to 500.

A privateLink block supports the following:

~> NOTE: At this time the Private Link Endpoint must be approved manually. For more information and region availability please see the product documentation.

!> IMPORTANT: Origin support for direct private endpoint connectivity is limited to storage (Azure Blobs), App Services and internal load balancers. The Azure Front Door Private Link feature is region agnostic, but for the best latency you should always pick the Azure region closest to your origin when enabling the Azure Front Door Private Link endpoint.

!> IMPORTANT: To associate a Load Balancer with a Front Door Origin via Private Link you must stand up your own azurermPrivateLinkService and add a dependsOn to the azurermCdnFrontdoorOrigin resource so that it is destroyed before the azurermPrivateLinkService resource (e.g. dependsOn = [azurermPrivateLinkServiceExample]). This is required by the design of the Front Door Service.

  • requestMessage - (Optional) Specifies the request message that will be submitted to the privateLinkTargetId when requesting the private link endpoint connection. Values must be between 1 and 140 characters in length. Defaults to accessRequestForCdnFrontDoorPrivateLinkOrigin.

  • targetType - (Optional) Specifies the type of target for this Private Link Endpoint. Possible values are blob, blob_secondary, web and sites.

-> NOTE: targetType cannot be specified when using a Load Balancer as an Origin.

  • location - (Required) Specifies the location where the Private Link resource should exist. Changing this forces a new resource to be created.

  • privateLinkTargetId - (Required) The ID of the Azure Resource to connect to via the Private Link.

-> Note: the privateLinkTargetId property must specify the Resource ID of the Private Link Service when using Load Balancer as an Origin.
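
The constraints listed above (port, priority and weight ranges, and the Private Link requirements on SKU, certificate name check, request message length and targetType) can be checked in review before a plan is applied. The following is an added example, not part of the provider or its documentation; `OriginConfig`, `profileSku`, `lintOrigin` and the sample inputs are hypothetical, and recognising a Load Balancer origin by a Private Link Service resource ID is an assumption.

```typescript
// Added example, not provider code. Field names follow this page's argument
// reference; OriginConfig, profileSku and lintOrigin are hypothetical names.
interface PrivateLink {
  location: string; privateLinkTargetId: string;
  requestMessage?: string; targetType?: string;
}
interface OriginConfig {
  name: string; hostName: string;
  profileSku: string; // sku_name of the Front Door Profile hosting the origin
  certificateNameCheckEnabled: boolean;
  httpPort?: number; httpsPort?: number; priority?: number; weight?: number;
  privateLink?: PrivateLink;
}
const inRange = (v: number | undefined, lo: number, hi: number): boolean =>
  v === undefined || (Number.isInteger(v) && v >= lo && v <= hi);

function lintOrigin(o: OriginConfig): string[] {
  const f: string[] = [];
  if (!inRange(o.httpPort, 1, 65535)) f.push("httpPort must be between 1 and 65535");
  if (!inRange(o.httpsPort, 1, 65535)) f.push("httpsPort must be between 1 and 65535");
  if (!inRange(o.priority, 1, 5)) f.push("priority must be between 1 and 5");
  if (!inRange(o.weight, 1, 1000)) f.push("weight must be between 1 and 1000");
  const pl = o.privateLink;
  if (!pl) return f;
  if (o.profileSku !== "Premium_AzureFrontDoor")
    f.push("privateLink requires a Premium_AzureFrontDoor profile");
  if (!o.certificateNameCheckEnabled)
    f.push("privateLink requires certificateNameCheckEnabled to be true");
  const msg = pl.requestMessage;
  if (msg !== undefined && (msg.length < 1 || msg.length > 140))
    f.push("requestMessage must be 1 to 140 characters");
  // Assumption: a Load Balancer origin is recognised by a Private Link Service ID.
  const isPls = /\/Microsoft\.Network\/privateLinkServices\//i.test(pl.privateLinkTargetId);
  if (isPls && pl.targetType !== undefined)
    f.push("targetType cannot be set for a Private Link Service target");
  return f;
}

// Constructed sample inputs (placeholder subscription and resource names).
const RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources";
const lbOrigin: OriginConfig = {
  name: "origin-example", hostName: "example.com", weight: 1000, priority: 1,
  profileSku: "Standard_AzureFrontDoor", certificateNameCheckEnabled: false,
  privateLink: { location: "West Europe", targetType: "blob",
    privateLinkTargetId: `${RG}/providers/Microsoft.Network/privateLinkServices/pls-example` },
};
const blobOrigin: OriginConfig = { ...lbOrigin, profileSku: "Premium_AzureFrontDoor",
  certificateNameCheckEnabled: true, privateLink: { location: "West Europe", targetType: "blob",
    privateLinkTargetId: `${RG}/providers/Microsoft.Storage/storageAccounts/examplestoracc` } };
```

`lintOrigin(lbOrigin)` reports three findings (wrong SKU, certificate name check disabled, targetType set on a Private Link Service target), while `lintOrigin(blobOrigin)` returns an empty list.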


Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Front Door Origin.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Front Door Origin.
  • read - (Defaults to 5 minutes) Used when retrieving the Front Door Origin.
  • update - (Defaults to 30 minutes) Used when updating the Front Door Origin.
  • delete - (Defaults to 30 minutes) Used when deleting the Front Door Origin.

Import

Front Door Origins can be imported using the resource ID, e.g.

terraform import azurerm_cdn_frontdoor_origin.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Cdn/profiles/profile1/originGroups/originGroup1/origins/origin1