azurermCdnFrontdoorRule

Manages a Front Door (standard/premium) Rule.

!>IMPORTANT: The Rules resource must include a dependsOn meta-argument which references the azurermCdnFrontdoorOrigin and the azurermCdnFrontdoorOriginGroup.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-cdn-frontdoor",
  }
);
const azurermCdnFrontdoorProfileExample =
  new azurerm.cdnFrontdoorProfile.CdnFrontdoorProfile(this, "example_1", {
    name: "example-profile",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorProfileExample.overrideLogicalId("example");
const azurermCdnFrontdoorRuleSetExample =
  new azurerm.cdnFrontdoorRuleSet.CdnFrontdoorRuleSet(this, "example_2", {
    cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
    name: "exampleruleset",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorRuleSetExample.overrideLogicalId("example");
const azurermCdnFrontdoorEndpointExample =
  new azurerm.cdnFrontdoorEndpoint.CdnFrontdoorEndpoint(this, "example_3", {
    cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
    name: "example-endpoint",
    tags: {
      endpoint: "contoso.com",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorEndpointExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginGroupExample =
  new azurerm.cdnFrontdoorOriginGroup.CdnFrontdoorOriginGroup(
    this,
    "example_4",
    {
      cdn_frontdoor_profile_id: azurermCdnFrontdoorProfileExample.id,
      health_probe: [
        {
          interval_in_seconds: 240,
          path: "/healthProbe",
          protocol: "Https",
          request_type: "GET",
        },
      ],
      load_balancing: [
        {
          additional_latency_in_milliseconds: 0,
          sample_size: 16,
          successful_samples_required: 3,
        },
      ],
      name: "example-originGroup",
      restore_traffic_time_to_healed_or_new_endpoint_in_minutes: 10,
      session_affinity_enabled: true,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginGroupExample.overrideLogicalId("example");
const azurermCdnFrontdoorOriginExample =
  new azurerm.cdnFrontdoorOrigin.CdnFrontdoorOrigin(this, "example_5", {
    cdn_frontdoor_origin_group_id: azurermCdnFrontdoorOriginGroupExample.id,
    certificate_name_check_enabled: false,
    enabled: true,
    host_name: azurermCdnFrontdoorEndpointExample.hostName,
    http_port: 80,
    https_port: 443,
    name: "example-origin",
    origin_host_header: "contoso.com",
    priority: 1,
    weight: 500,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorOriginExample.overrideLogicalId("example");
const azurermCdnFrontdoorRuleExample =
  new azurerm.cdnFrontdoorRule.CdnFrontdoorRule(this, "example_6", {
    actions: [
      {
        route_configuration_override_action: [
          {
            cache_behavior: "OverrideIfOriginMissing",
            cache_duration: "365.23:59:59",
            cdn_frontdoor_origin_group_id:
              azurermCdnFrontdoorOriginGroupExample.id,
            compression_enabled: true,
            forwarding_protocol: "HttpsOnly",
            query_string_caching_behavior: "IncludeSpecifiedQueryStrings",
            query_string_parameters: ["foo", "clientIp={client_ip}"],
          },
        ],
        url_redirect_action: [
          {
            destination_fragment: "UrlRedirect",
            destination_hostname: "contoso.com",
            destination_path: "/exampleredirection",
            query_string: "clientIp={client_ip}",
            redirect_protocol: "MatchRequest",
            redirect_type: "PermanentRedirect",
          },
        ],
      },
    ],
    behavior_on_match: "Continue",
    cdn_frontdoor_rule_set_id: azurermCdnFrontdoorRuleSetExample.id,
    conditions: [
      {
        host_name_condition: [
          {
            match_values: [
              "www.contoso.com",
              "images.contoso.com",
              "video.contoso.com",
            ],
            negate_condition: false,
            operator: "Equal",
            transforms: ["Lowercase", "Trim"],
          },
        ],
        is_device_condition: [
          {
            match_values: ["Mobile"],
            negate_condition: false,
            operator: "Equal",
          },
        ],
        post_args_condition: [
          {
            match_values: ["J", "K"],
            operator: "BeginsWith",
            post_args_name: "customerName",
            transforms: ["Uppercase"],
          },
        ],
        request_method_condition: [
          {
            match_values: ["DELETE"],
            negate_condition: false,
            operator: "Equal",
          },
        ],
        url_filename_condition: [
          {
            match_values: ["media.mp4"],
            negate_condition: false,
            operator: "Equal",
            transforms: ["Lowercase", "RemoveNulls", "Trim"],
          },
        ],
      },
    ],
    depends_on: [
      `\${${azurermCdnFrontdoorOriginGroupExample.fqn}}`,
      `\${${azurermCdnFrontdoorOriginExample.fqn}}`,
    ],
    name: "examplerule",
    order: 1,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermCdnFrontdoorRuleExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Front Door Rule. Possible values must be between 1 and 260 characters in length, begin with a letter and may contain only letters and numbers. Changing this forces a new Front Door Rule to be created.

  • cdnFrontdoorRuleSetId - (Required) The resource ID of the Front Door Rule Set for this Front Door Rule. Changing this forces a new Front Door Rule to be created.

  • order - (Required) The order in which the rules will be applied for the Front Door Endpoint. The order value should be sequential and begin at 1 (e.g. 1, 2, 3...). A Front Door Rule with a lesser order value will be applied before a rule with a greater order value.

->NOTE: If the Front Door Rule has an order value of 0, it does not require any conditions and its actions will always be applied.

  • actions - (Required) An actions block as defined below.

  • behaviorOnMatch - (Optional) If this rule is a match should the rules engine continue processing the remaining rules or stop? Possible values are continue and stop. Defaults to continue.

  • conditions - (Optional) A conditions block as defined below.


An actions block supports the following:

->NOTE: You may include up to 5 separate actions in the actions block.

Some actions support actionServerVariables which provide access to structured information about the request. For more information about actionServerVariables see the actionServerVariables as defined below.

  • urlRewriteAction - (Optional) A urlRewriteAction block as defined below. You may not have a urlRewriteAction and a urlRedirectAction defined in the same actions block.

  • urlRedirectAction - (Optional) A urlRedirectAction block as defined below. You may not have a urlRedirectAction and a urlRewriteAction defined in the same actions block.

  • routeConfigurationOverrideAction - (Optional) A routeConfigurationOverrideAction block as defined below.

  • requestHeaderAction - (Optional) A requestHeaderAction block as defined below.

  • responseHeaderAction - (Optional) A responseHeaderAction block as defined below.


A urlRedirectAction block supports the following:

  • redirectType - (Required) The response type to return to the requestor. Possible values include moved, found, temporaryRedirect or permanentRedirect.

  • destinationHostname - (Required) The host name you want the request to be redirected to. The value must be a string between 0 and 2048 characters in length, leave blank to preserve the incoming host.

  • redirectProtocol - (Optional) The protocol the request will be redirected as. Possible values include matchRequest, http or https. Defaults to matchRequest.

  • destinationPath - (Optional) The path to use in the redirect. The value must be a string and include the leading /, leave blank to preserve the incoming path. Defaults to an empty string.

  • queryString - (Optional) The query string used in the redirect URL. The value must be in the <key>=<value> or <key>={actionServerVariable} format and must not include the leading ?, leave blank to preserve the incoming query string. Maximum allowed length for this field is 2048 characters. Defaults to an empty string.

  • destinationFragment - (Optional) The fragment to use in the redirect. The value must be a string between 0 and 1024 characters in length, leave blank to preserve the incoming fragment. Defaults to an empty string.


A routeConfigurationOverrideAction block supports the following:

->NOTE: In the v3.x of the provider the cacheDuration, cacheBehavior and queryStringCachingBehavior will have default values. You can use Terraform's ignore_changes functionality to ignore these default values. In v4.0 of the provider the cacheDuration, cacheBehavior and queryStringCachingBehavior will NOT have default values and will need to be explicitly set in the configuration file.

  • cacheDuration - (Optional) When Cache behavior is set to override or setIfMissing, this field specifies the cache duration to use. The maximum duration is 366 days, specified in the d.hh:mm:ss format (e.g. 365.23:59:59). If the desired maximum cache duration is less than 1 day, specify it in the hh:mm:ss format (e.g. 23:59:59).

  • cdnFrontdoorOriginGroupId - (Optional) The Front Door Origin Group resource ID that the request should be routed to. This overrides the configuration specified in the Front Door Endpoint route.

  • forwardingProtocol - (Optional) The forwarding protocol the request will be redirected as. This overrides the configuration specified in the route to be associated with. Possible values include matchRequest, httpOnly or httpsOnly.

->NOTE: If the cdnFrontdoorOriginGroupId is not defined you cannot set the forwardingProtocol.

  • queryStringCachingBehavior - (Optional) Controls how query strings contribute to the cache key. includeSpecifiedQueryStrings: the query strings specified in the queryStringParameters field are included when the cache key is generated. useQueryString: every unique URL is cached, and each unique URL has its own cache key. ignoreSpecifiedQueryStrings: the query strings specified in the queryStringParameters field are excluded when the cache key is generated. ignoreQueryString: query strings aren't considered when the cache key is generated. Possible values include ignoreQueryString, useQueryString, ignoreSpecifiedQueryStrings or includeSpecifiedQueryStrings.

  • queryStringParameters - (Optional) A list of query string parameter names.

->NOTE: queryStringParameters is a required field when the queryStringCachingBehavior is set to includeSpecifiedQueryStrings or ignoreSpecifiedQueryStrings.

  • compressionEnabled - (Optional) Should the Front Door dynamically compress the content? Possible values include true or false.

->NOTE: Content won't be compressed on AzureFrontDoor when the requested content is smaller than 1 byte or larger than 1 MB.

  • cacheBehavior - (Optional) Controls how the cache TTL is determined. honorOrigin: the Front Door will always honor the origin response header directive. If the origin directive is missing, Front Door will cache contents anywhere from 1 to 3 days. overrideAlways: the TTL value returned from your Front Door Origin is overwritten with the value specified in the action. This behavior will only be applied if the response is cacheable. overrideIfOriginMissing: if no TTL value is returned from your Front Door Origin, the rule sets the TTL to the value specified in the action. This behavior will only be applied if the response is cacheable. disabled: the Front Door will not cache the response contents, irrespective of Front Door Origin response directives. Possible values include honorOrigin, overrideAlways, overrideIfOriginMissing or disabled.
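
The four queryStringCachingBehavior modes described above decide which requests share a cached object. The following added example (not code from the provider or from Front Door) models that on constructed request URLs; keyedQuery, groupByCacheKey and cacheEntryCount are hypothetical helpers, the value casing follows the Example Usage, and exact, case-sensitive parameter-name matching is an assumption.

```typescript
// Added example: a simplified model of the four queryStringCachingBehavior
// modes. It is not Front Door's implementation; exact, case-sensitive name
// matching and preserved parameter order are assumptions.
type QsBehavior =
  | "IgnoreQueryString"
  | "UseQueryString"
  | "IgnoreSpecifiedQueryStrings"
  | "IncludeSpecifiedQueryStrings";

// Returns the part of the query string that contributes to the cache key.
function keyedQuery(query: string, behavior: QsBehavior, names: string[]): string {
  if (behavior === "IgnoreQueryString") return "";
  if (behavior === "UseQueryString") return query;
  const keepListed = behavior === "IncludeSpecifiedQueryStrings";
  return query
    .split("&")
    .filter(function (pair) {
      if (pair === "") return false;
      const listed = names.indexOf(pair.split("=")[0]) !== -1;
      return keepListed ? listed : !listed;
    })
    .join("&");
}

// Groups request URLs (path plus optional query) by their modelled cache key.
function groupByCacheKey(
  urls: string[],
  behavior: QsBehavior,
  names: string[]
): { [key: string]: string[] } {
  const groups: { [key: string]: string[] } = {};
  urls.forEach(function (url) {
    const q = url.indexOf("?");
    const path = q === -1 ? url : url.slice(0, q);
    const query = q === -1 ? "" : url.slice(q + 1);
    const kept = keyedQuery(query, behavior, names);
    const key = kept === "" ? path : path + "?" + kept;
    groups[key] = (groups[key] || []).concat([url]);
  });
  return groups;
}

// Number of distinct cache entries the sample requests would occupy.
function cacheEntryCount(urls: string[], behavior: QsBehavior, names: string[]): number {
  return Object.keys(groupByCacheKey(urls, behavior, names)).length;
}

// Constructed sample requests: "foo" selects content, "session" does not.
const sampleUrls: string[] = [
  "/media.mp4?foo=1&session=a",
  "/media.mp4?foo=1&session=b",
  "/media.mp4?foo=2&session=a",
  "/media.mp4",
];

console.log(JSON.stringify(groupByCacheKey(sampleUrls, "IncludeSpecifiedQueryStrings", ["foo"])));
```

With queryStringParameters set to foo, the first two sample requests collapse into one entry under IncludeSpecifiedQueryStrings, while IgnoreSpecifiedQueryStrings keys them apart on session instead.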

A urlRewriteAction block supports the following:

  • sourcePattern - (Required) The source pattern in the URL path to replace. This uses prefix-based matching. For example, to match all URL paths use a forward slash "/" as the source pattern value.

  • destination - (Required) The destination path to use in the rewrite. The destination path overwrites the source pattern.

  • preserveUnmatchedPath - (Optional) Append the remaining path after the source pattern to the new destination path? Possible values true or false. Defaults to false.


A requestHeaderAction block supports the following:

  • headerAction - (Required) The action to be taken on the specified headerName. Possible values include append, overwrite or delete.

-> NOTE: append causes the specified header to be added to the request with the specified value. If the header is already present, the value is appended to the existing header value using string concatenation. No delimiters are added. overwrite causes specified header to be added to the request with the specified value. If the header is already present, the specified value overwrites the existing value. delete causes the header to be deleted from the request.

  • headerName - (Required) The name of the header to modify.

  • value - (Optional) The value to append or overwrite.

->NOTE: value is required if the headerAction is set to append or overwrite.


A responseHeaderAction block supports the following:

  • headerAction - (Required) The action to be taken on the specified headerName. Possible values include append, overwrite or delete.

-> NOTE: append causes the specified header to be added to the response with the specified value. If the header is already present, the value is appended to the existing header value using string concatenation. No delimiters are added. overwrite causes the specified header to be added to the response with the specified value. If the header is already present, the specified value overwrites the existing value. delete causes the header to be deleted from the response.

  • headerName - (Required) The name of the header to modify.

  • value - (Optional) The value to append or overwrite.

->NOTE: value is required if the headerAction is set to append or overwrite.


A conditions block supports the following:

->NOTE: You may include up to 10 separate conditions in the conditions block.

  • remoteAddressCondition - (Optional) A remoteAddressCondition block as defined below.

  • requestMethodCondition - (Optional) A requestMethodCondition block as defined below.

  • queryStringCondition - (Optional) A queryStringCondition block as defined below.

  • postArgsCondition - (Optional) A postArgsCondition block as defined below.

  • requestUriCondition - (Optional) A requestUriCondition block as defined below.

  • requestHeaderCondition - (Optional) A requestHeaderCondition block as defined below.

  • requestBodyCondition - (Optional) A requestBodyCondition block as defined below.

  • requestSchemeCondition - (Optional) A requestSchemeCondition block as defined below.

  • urlPathCondition - (Optional) A urlPathCondition block as defined below.

  • urlFileExtensionCondition - (Optional) A urlFileExtensionCondition block as defined below.

  • urlFilenameCondition - (Optional) A urlFilenameCondition block as defined below.

  • httpVersionCondition - (Optional) A httpVersionCondition block as defined below.

  • cookiesCondition - (Optional) A cookiesCondition block as defined below.

  • isDeviceCondition - (Optional) A isDeviceCondition block as defined below.

  • socketAddressCondition - (Optional) A socketAddressCondition block as defined below.

  • clientPortCondition - (Optional) A clientPortCondition block as defined below.

  • serverPortCondition - (Optional) A serverPortCondition block as defined below.

  • hostNameCondition - (Optional) A hostNameCondition block as defined below.

  • sslProtocolCondition - (Optional) A sslProtocolCondition block as defined below.
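
The limits stated in the actions, routeConfigurationOverrideAction, header action and conditions sections above can be checked offline before a rule is synthesized. The following is an added example, not code from the provider or cdktf: lintRule, its types and the finding codes are hypothetical, the input uses the snake_case keys of the Example Usage, the origin group ID and header name are placeholders, and enum values are compared case-insensitively.

```typescript
// Added example, not provider or cdktf code: lintRule and its types are hypothetical.
// Keys follow the snake_case names used in the Example Usage on this page.
type HeaderAction = { header_action: string; header_name: string; value?: string };
type RouteOverride = {
  cdn_frontdoor_origin_group_id?: string; forwarding_protocol?: string;
  query_string_caching_behavior?: string; query_string_parameters?: string[];
  cache_duration?: string;
};
type RuleActions = {
  url_rewrite_action?: unknown[]; url_redirect_action?: unknown[];
  route_configuration_override_action?: RouteOverride[];
  request_header_action?: HeaderAction[]; response_header_action?: HeaderAction[];
};
type Rule = { name: string; actions: RuleActions; conditions?: { [block: string]: unknown[] } };

const MAX_CACHE_SECONDS = 366 * 24 * 3600; // documented maximum of 366 days
const len = (list?: unknown[]): number => (list ? list.length : 0);

// Parses "d.hh:mm:ss" or "hh:mm:ss" into seconds; returns -1 when malformed.
function cacheDurationSeconds(text: string): number {
  const m = /^(?:(\d+)\.)?(\d{2}):(\d{2}):(\d{2})$/.exec(text);
  if (!m) return -1;
  const days = m[1] ? parseInt(m[1], 10) : 0;
  const h = +m[2], min = +m[3], s = +m[4];
  if (h > 23 || min > 59 || s > 59) return -1;
  return ((days * 24 + h) * 60 + min) * 60 + s;
}

// Returns one finding code per violated constraint; an empty list means clean.
function lintRule(rule: Rule): string[] {
  const findings: string[] = [];
  const a = rule.actions;
  // name: 1 to 260 characters, begins with a letter, letters and numbers only.
  if (!/^[A-Za-z][A-Za-z0-9]{0,259}$/.test(rule.name)) findings.push("name-format");
  // Up to 5 separate actions in the actions block.
  const actionCount = len(a.url_rewrite_action) + len(a.url_redirect_action) +
    len(a.route_configuration_override_action) + len(a.request_header_action) +
    len(a.response_header_action);
  if (actionCount > 5) findings.push("too-many-actions");
  // urlRewriteAction and urlRedirectAction may not share an actions block.
  if (len(a.url_rewrite_action) > 0 && len(a.url_redirect_action) > 0) findings.push("rewrite-with-redirect");
  (a.route_configuration_override_action || []).forEach(function (r) {
    if (r.forwarding_protocol && !r.cdn_frontdoor_origin_group_id) findings.push("forwarding-without-origin-group");
    const qs = (r.query_string_caching_behavior || "").toLowerCase();
    const needsNames = qs === "includespecifiedquerystrings" || qs === "ignorespecifiedquerystrings";
    if (needsNames && len(r.query_string_parameters) === 0) findings.push("query-string-parameters-missing");
    if (r.cache_duration !== undefined) {
      const secs = cacheDurationSeconds(r.cache_duration);
      if (secs < 0) findings.push("cache-duration-malformed");
      else if (secs > MAX_CACHE_SECONDS) findings.push("cache-duration-too-long");
    }
  });
  // value is required when headerAction is append or overwrite.
  (a.request_header_action || []).concat(a.response_header_action || []).forEach(function (h) {
    const action = h.header_action.toLowerCase();
    if ((action === "append" || action === "overwrite") && !h.value) findings.push("header-value-missing:" + h.header_name);
  });
  // Up to 10 separate conditions in the conditions block.
  const conditions = rule.conditions || {};
  let conditionCount = 0;
  Object.keys(conditions).forEach(function (k) { conditionCount += len(conditions[k]); });
  if (conditionCount > 10) findings.push("too-many-conditions");
  return findings;
}

// The rule from the Example Usage, reduced to the fields the lint reads.
const pageRule: Rule = {
  name: "examplerule",
  actions: {
    route_configuration_override_action: [{
      cdn_frontdoor_origin_group_id: "origin-group-id-placeholder",
      forwarding_protocol: "HttpsOnly",
      query_string_caching_behavior: "IncludeSpecifiedQueryStrings",
      query_string_parameters: ["foo", "clientIp={client_ip}"],
      cache_duration: "365.23:59:59",
    }],
    url_redirect_action: [{ destination_hostname: "contoso.com" }],
  },
  conditions: { host_name_condition: [{}], request_method_condition: [{}] },
};

// Constructed rule that breaks six of the documented constraints.
const badRule: Rule = {
  name: "bad-rule",
  actions: {
    url_rewrite_action: [{ source_pattern: "/", destination: "/new" }],
    url_redirect_action: [{ destination_hostname: "contoso.com" }],
    route_configuration_override_action: [{
      forwarding_protocol: "HttpsOnly",
      query_string_caching_behavior: "IgnoreSpecifiedQueryStrings",
      cache_duration: "400.00:00:00",
    }],
    response_header_action: [{ header_action: "Overwrite", header_name: "X-Example" }],
  },
};

console.log(JSON.stringify({ page: lintRule(pageRule), bad: lintRule(badRule) }));
```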


A sslProtocolCondition block supports the following:

->The sslProtocolCondition identifies requests based on the SSL protocol of an established TLS connection.

  • matchValues - (Required) A list of one or more SSL/TLS protocol versions. Possible values are TLSv1, TLSv1.1 and TLSv1.2.

  • operator - (Optional) Possible value equal. Defaults to equal.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.


A hostNameCondition block supports the following:

->The hostNameCondition identifies requests based on the specified hostname in the request from client.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) A list of one or more string values representing the value of the request hostname to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.


A serverPortCondition block supports the following:

->The serverPortCondition identifies requests based on the port of the Front Door server that accepted the request.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • matchValues - (Required) A list of one or more integer values (e.g. "1") representing the value of the server port to match. Possible values include 80 or 443. If multiple values are specified, they're evaluated using or logic.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.


A clientPortCondition block supports the following:

->The clientPortCondition identifies requests based on the port of the client which made the request.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more integer values(e.g. "1") representing the value of the client port to match. If multiple values are specified, they're evaluated using or logic.


A socketAddressCondition block supports the following:

->The socketAddressCondition identifies requests based on the IP address of the direct connection to the Front Door Profiles edge. If the client used an HTTP proxy or a load balancer to send the request, the value of Socket address is the IP address of the proxy or load balancer.

->Remote Address represents the original client IP that is either from the network connection or typically the X-Forwarded-For request header if the user is behind a proxy.

  • operator - (Optional) The type of match. The Possible values are ipMatch or any. Defaults to ipMatch.

->NOTE: If the value of the operator field is set to ipMatch then the matchValues field is also required.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) Specify one or more IP address ranges. If multiple IP address ranges are specified, they're evaluated using or logic.

->NOTE: See the specifyingIpAddressRanges section below on how to correctly define the matchValues field.


A remoteAddressCondition block supports the following:

->Remote Address represents the original client IP that is either from the network connection or typically the X-Forwarded-For request header if the user is behind a proxy.

  • operator - (Optional) The type of the remote address to match. Possible values include any, geoMatch or ipMatch. Use the negateCondition to specify Not geoMatch or Not ipMatch.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) For the IP Match or IP Not Match operators: specify one or more IP address ranges. If multiple IP address ranges are specified, they're evaluated using or logic. For the Geo Match or Geo Not Match operators: specify one or more locations using their country code.

->NOTE: See the specifyingIpAddressRanges section below on how to correctly define the matchValues field.


A requestMethodCondition block supports the following:

->The requestMethodCondition identifies requests that use the specified HTTP request method.

  • matchValues - (Required) A list of one or more HTTP methods. Possible values include get, post, put, delete, head, options or trace. If multiple values are specified, they're evaluated using or logic.

  • operator - (Optional) Possible value equal. Defaults to equal.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.


A queryStringCondition block supports the following:

->Use the queryStringCondition to identify requests that contain a specific query string.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values(e.g. "1") representing the value of the query string to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A postArgsCondition block supports the following:

->Use the postArgsCondition to identify requests based on the arguments provided within a post request's body. A single match condition matches a single argument from the post request's body.

  • postArgsName - (Required) A string value representing the name of the post argument.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values(e.g. "1") representing the value of the post argument to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A requestUriCondition block supports the following:

->The requestUriCondition identifies requests that match the specified URL. The entire URL is evaluated, including the protocol and query string, but not the fragment. When you use this rule condition, be sure to include the protocol (e.g. use https://www.contoso.com instead of just www.contoso.com).

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values(e.g. "1") representing the value of the request URL to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A requestHeaderCondition block supports the following:

->The requestHeaderCondition identifies requests that include a specific header in the request. You can use this match condition to check if a header exists whatever its value, or to check if the header matches a specified value.

  • headerName - (Required) A string value representing the name of the request header.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values(e.g. "1") representing the value of the request header to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A requestBodyCondition block supports the following:

->The requestBodyCondition identifies requests based on specific text that appears in the body of the request.

->NOTE: If a request body exceeds 64 KB in size, only the first 64 KB will be considered for the request body match condition.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • matchValues - (Required) A list of one or more string or integer values(e.g. "1") representing the value of the request body text to match. If multiple values are specified, they're evaluated using or logic.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A requestSchemeCondition block supports the following:

->The requestSchemeCondition identifies requests that use the specified protocol.

  • operator - (Optional) Possible value equal. Defaults to equal.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) The requests protocol to match. Possible values include http or https.


A urlPathCondition block supports the following:

->The urlPathCondition identifies requests that include the specified path in the request URL. The path is the part of the URL after the hostname and a slash (e.g. in the URL https://www.contoso.com/files/secure/file1.pdf, the path is files/secure/file1.pdf).

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values(e.g. "1") representing the value of the request path to match. Don't include the leading slash (/). If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A urlFileExtensionCondition block supports the following:

->The urlFileExtensionCondition identifies requests that include the specified file extension in the file name in the request URL. Don't include a leading period (e.g. use html instead of .html).

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Required) A list of one or more string or integer values(e.g. "1") representing the value of the request file extension to match. If multiple values are specified, they're evaluated using or logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A urlFilenameCondition block supports the following:

->The urlFilenameCondition identifies requests that include the specified file name in the request URL.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • matchValues - (Required) A list of one or more string or integer values(e.g. "1") representing the value of the request file name to match. If multiple values are specified, they're evaluated using or logic.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


A httpVersionCondition block supports the following:

->Use the HTTP version match condition to identify requests that have been made by using a specific version of the HTTP protocol.

  • matchValues - (Required) What HTTP version should this condition match? Possible values 2.0, 1.1, 1.0 or 0.9.

  • operator - (Optional) Possible value equal. Defaults to equal.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.


A cookiesCondition block supports the following:

->Use the cookiesCondition to identify requests that include a specific cookie.

  • cookieName - (Required) A string value representing the name of the cookie.

  • operator - (Required) A Conditional operator. Possible values include any, equal, contains, beginsWith, endsWith, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual or regEx. Details can be found in the conditionOperatorList below.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) One or more string or integer values (e.g. "1") representing the value of the request header to match. If multiple values are specified, they're evaluated using OR logic.

  • transforms - (Optional) A Conditional operator. Possible values include lowercase, removeNulls, trim, uppercase, urlDecode or urlEncode. Details can be found in the conditionTransformList below.


An isDeviceCondition block supports the following:

->Use the isDeviceCondition to identify requests that have been made from a mobile or desktop device.

  • operator - (Optional) Possible value equal. Defaults to equal.

  • negateCondition - (Optional) If true operator becomes the opposite of its value. Possible values true or false. Defaults to false. Details can be found in the conditionOperatorList below.

  • matchValues - (Optional) Which device should this rule match on? Possible values mobile or desktop.


Specifying IP Address Ranges

When specifying IP address ranges in the socketAddressCondition and the remoteAddressCondition matchValues use the following format:

Use CIDR notation when specifying IP address blocks. This means that the syntax for an IP address block is the base IP address followed by a forward slash and the prefix size. For example:

  • IPv4 example: 5.5.5.64/26 matches any requests that arrive from addresses 5.5.5.64 through 5.5.5.127.
  • IPv6 example: 1:2:3:/48 matches any requests that arrive from addresses 1:2:3:0:0:0:0:0 through 1:2:3:ffff:ffff:ffff:ffff:ffff.

When you specify multiple IP addresses and IP address blocks, OR logic is applied.

  • IPv4 example: if you add two IP addresses 1.2.3.4 and 10.20.30.40, the condition is matched for any requests that arrive from either address 1.2.3.4 or 10.20.30.40.
  • IPv6 example: if you add two IP addresses 1:2:3:4:5:6:7:8 and 10:20:30:40:50:60:70:80, the condition is matched for any requests that arrive from either address 1:2:3:4:5:6:7:8 or 10:20:30:40:50:60:70:80.
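To check a list of matchValues before it is deployed, the sketch below models the CIDR and OR semantics described above. It is an added example, not provider or Front Door code; the helper names toBytes, inBlock and matchesAny are hypothetical, and the IPv6 block is written in standard compressed form (1:2:3::/48), an assumption about the range the page's IPv6 example describes.

```typescript
// Parse an IPv4 or IPv6 literal into bytes (4 or 16); null if malformed.
function toBytes(addr: string): number[] | null {
  const out: number[] = [];
  if (addr.indexOf(":") === -1) {
    const parts = addr.split(".");
    if (parts.length !== 4) return null;
    for (const p of parts) {
      if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
      out.push(Number(p));
    }
    return out;
  }
  const halves = addr.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const zeros: string[] = [];
  for (let i = 0; halves.length === 2 && i < missing; i++) zeros.push("0");
  for (const g of head.concat(zeros, tail)) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16) >> 8, parseInt(g, 16) & 255);
  }
  return out;
}

// True when ip lies inside "base/prefix"; a bare address must match exactly.
function inBlock(ip: string, block: string): boolean {
  const slash = block.indexOf("/");
  const base = toBytes(slash === -1 ? block : block.slice(0, slash));
  const addr = toBytes(ip);
  if (!base || !addr || base.length !== addr.length) return false;
  const prefix = slash === -1 ? String(base.length * 8) : block.slice(slash + 1);
  if (!/^\d{1,3}$/.test(prefix) || Number(prefix) > base.length * 8) return false;
  for (let i = 0; i < base.length; i++) {
    const take = Math.min(8, Math.max(0, Number(prefix) - i * 8)); // prefix bits in byte i
    const mask = (0xff << (8 - take)) & 0xff;
    if ((base[i] & mask) !== (addr[i] & mask)) return false;
  }
  return true;
}

// matchValues are OR-ed: a single matching entry satisfies the condition.
function matchesAny(ip: string, matchValues: string[]): boolean {
  return matchValues.some((v) => inBlock(ip, v));
}
```

A malformed entry such as a missing prefix length or a truncated IPv6 literal never matches here, so a typo in an allow list shows up as an unexpected false rather than as a wider range.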

Action Server Variables

Rule Set server variables provide access to structured information about the request. You can use server variables to dynamically change the request/response headers or URL rewrite paths/query strings, for example, when a new page loads or when a form is posted.

Supported Action Server Variables

| Variable name | Description |
| --- | --- |
| socketIp | The IP address of the direct connection to Front Door Profiles edge. If the client used an HTTP proxy or a load balancer to send the request, the value of socketIp is the IP address of the proxy or load balancer. |
| clientIp | The IP address of the client that made the original request. If there was an X-Forwarded-For header in the request, then the client IP address is picked from the header. |
| clientPort | The IP port of the client that made the request. |
| hostname | The host name in the request from the client. |
| geoCountry | Indicates the requester's country/region of origin through its country/region code. |
| httpMethod | The method used to make the URL request, such as GET or POST. |
| httpVersion | The request protocol. Usually HTTP/1.0, HTTP/1.1, or HTTP/2.0. |
| queryString | The list of variable/value pairs that follows the "?" in the requested URL. For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the queryString value will be id=123&title=fabrikam. |
| requestScheme | The request scheme: http or https. |
| requestUri | The full original request URI (with arguments). For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the requestUri value will be /article.aspx?id=123&title=fabrikam. |
| sslProtocol | The protocol of an established TLS connection. |
| serverPort | The port of the server that accepted a request. |
| urlPath | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments. For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the urlPath value will be /article.aspx. |

Action Server Variable Format

Server variables can be specified using the following formats:

  • {variable} - Include the entire server variable. For example, if the client IP address is 111.222.333.444 then the {clientIp} token would evaluate to 111.222.333.444.

  • {variable:offset} - Include the server variable after a specific offset, until the end of the variable. The offset is zero-based. For example, if the client IP address is 111.222.333.444 then the {clientIp:3} token would evaluate to .222.333.444.

  • {variable:offset:length} - Include the server variable after a specific offset, up to the specified length. The offset is zero-based. For example, if the client IP address is 111.222.333.444 then the {clientIp:4:3} token would evaluate to 222.
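To preview what a header value or redirect target built from these tokens will contain, the following sketch expands the three token formats against a set of sample values. It is an added example, not provider or Front Door code: expandServerVariables and sampleVars are hypothetical names, the variable names follow this page's spelling, and leaving unknown tokens untouched is an assumption.

```typescript
// Variable names as spelled on this page; values are the page's own examples.
const sampleVars: { [name: string]: string } = {
  clientIp: "111.222.333.444",
  requestScheme: "http",
  requestUri: "/article.aspx?id=123&title=fabrikam",
  urlPath: "/article.aspx",
  queryString: "id=123&title=fabrikam",
};

interface Expansion {
  value: string;     // template with every known token substituted
  unknown: string[]; // variable names that had no value to substitute
}

// Expand {variable}, {variable:offset} and {variable:offset:length} tokens.
function expandServerVariables(template: string, vars: { [name: string]: string }): Expansion {
  const unknown: string[] = [];
  const value = template.replace(
    /\{([A-Za-z]+)(?::(\d+))?(?::(\d+))?\}/g,
    (token: string, name: string, offset?: string, length?: string): string => {
      if (!Object.prototype.hasOwnProperty.call(vars, name)) {
        unknown.push(name); // assumption: unknown tokens are left as written
        return token;
      }
      const start = offset === undefined ? 0 : Number(offset); // zero-based
      const text = vars[name];
      return length === undefined ? text.slice(start) : text.slice(start, start + Number(length));
    }
  );
  return { value, unknown };
}
```

Because clientIp is picked from the X-Forwarded-For header when one is present, a value built from {clientIp} can carry client-supplied text, whereas socketIp reflects the direct connection to the edge.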

Action Server Variables Support

Action Server variables are supported on the following actions:

  • routeConfigurationOverrideAction
  • requestHeaderAction
  • responseHeaderAction
  • urlRedirectAction
  • urlRewriteAction

Condition Operator list

For rules that accept values from the standard operator list, the following operators are valid:

| Operator | Description | Condition Value |
| --- | --- | --- |
| Any | Matches when there is any value, regardless of what it is. | Any |
| Equal | Matches when the value exactly matches the specified string. | Equal |
| Contains | Matches when the value contains the specified string. | Contains |
| Less Than | Matches when the length of the value is less than the specified integer. | LessThan |
| Greater Than | Matches when the length of the value is greater than the specified integer. | GreaterThan |
| Less Than or Equal | Matches when the length of the value is less than or equal to the specified integer. | LessThanOrEqual |
| Greater Than or Equal | Matches when the length of the value is greater than or equal to the specified integer. | GreaterThanOrEqual |
| Begins With | Matches when the value begins with the specified string. | BeginsWith |
| Ends With | Matches when the value ends with the specified string. | EndsWith |
| RegEx | Matches when the value matches the specified regular expression. See below for further details. | RegEx |
| Not Any | Matches when there is no value. | Any and negateCondition = true |
| Not Equal | Matches when the value does not match the specified string. | Equal and negateCondition = true |
| Not Contains | Matches when the value does not contain the specified string. | Contains and negateCondition = true |
| Not Less Than | Matches when the length of the value is not less than the specified integer. | LessThan and negateCondition = true |
| Not Greater Than | Matches when the length of the value is not greater than the specified integer. | GreaterThan and negateCondition = true |
| Not Less Than or Equal | Matches when the length of the value is not less than or equal to the specified integer. | LessThanOrEqual and negateCondition = true |
| Not Greater Than or Equal | Matches when the length of the value is not greater than or equal to the specified integer. | GreaterThanOrEqual and negateCondition = true |
| Not Begins With | Matches when the value does not begin with the specified string. | BeginsWith and negateCondition = true |
| Not Ends With | Matches when the value does not end with the specified string. | EndsWith and negateCondition = true |
| Not RegEx | Matches when the value does not match the specified regular expression. See Condition Regular Expressions below for further details. | RegEx and negateCondition = true |

Condition Regular Expressions

Regular expressions don't support the following operations:

  • Backreferences and capturing subexpressions.
  • Arbitrary zero-width assertions.
  • Subroutine references and recursive patterns.
  • Conditional patterns.
  • Backtracking control verbs.
  • The \c single-byte directive.
  • The \r newline match directive.
  • The \k start of match reset directive.
  • Callouts and embedded code.
  • Atomic grouping and possessive quantifiers.

Condition Transform List

For rules that can transform strings, the following transforms are valid:

| Transform | Description |
| --- | --- |
| Lowercase | Converts the string to the lowercase representation. |
| Uppercase | Converts the string to the uppercase representation. |
| Trim | Trims leading and trailing whitespace from the string. |
| RemoveNulls | Removes null values from the string. |
| URLEncode | URL-encodes the string. |
| URLDecode | URL-decodes the string. |
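The operator and transform lists interact in ways that are easy to misread, so the sketch below models a single condition to show what each setting changes about the match. It is an added example, not provider or Front Door code: evaluate and the Condition type are hypothetical, the order of evaluation is an assumption stated in the code, and RegEx is left out because the dialect described under Condition Regular Expressions above differs from JavaScript's.

```typescript
type Operator = "Any" | "Equal" | "Contains" | "BeginsWith" | "EndsWith"
  | "LessThan" | "LessThanOrEqual" | "GreaterThan" | "GreaterThanOrEqual";
type Transform = "Lowercase" | "Uppercase" | "Trim" | "RemoveNulls" | "URLEncode" | "URLDecode";

interface Condition {
  operator: Operator;
  negateCondition?: boolean;
  matchValues?: string[];
  transforms?: Transform[];
}

const TRANSFORMS: { [K in Transform]: (s: string) => string } = {
  Lowercase: (s) => s.toLowerCase(),
  Uppercase: (s) => s.toUpperCase(),
  Trim: (s) => s.trim(),
  RemoveNulls: (s) => s.replace(/\0/g, ""),
  URLEncode: (s) => encodeURIComponent(s),
  URLDecode: (s) => decodeURIComponent(s),
};

const OPERATORS: { [K in Operator]: (value: string, match: string) => boolean } = {
  Any: (v) => v.length > 0,
  Equal: (v, m) => v === m,
  Contains: (v, m) => v.indexOf(m) !== -1,
  BeginsWith: (v, m) => v.indexOf(m) === 0,
  EndsWith: (v, m) => m.length <= v.length && v.lastIndexOf(m) === v.length - m.length,
  // The four comparison operators test the LENGTH of the value, per the table.
  LessThan: (v, m) => v.length < Number(m),
  LessThanOrEqual: (v, m) => v.length <= Number(m),
  GreaterThan: (v, m) => v.length > Number(m),
  GreaterThanOrEqual: (v, m) => v.length >= Number(m),
};

// Assumptions: transforms run in order on the request value only, matchValues
// are OR-ed, and negateCondition inverts that combined result.
function evaluate(cond: Condition, requestValue: string): boolean {
  const value = (cond.transforms || []).reduce((s, t) => TRANSFORMS[t](s), requestValue);
  const values = cond.operator === "Any" ? [""] : cond.matchValues || [];
  const hit = values.some((m) => OPERATORS[cond.operator](value, m));
  return cond.negateCondition ? !hit : hit;
}
```

Two results worth noting: BeginsWith "admin" does not match "Admin/login" unless Lowercase is listed in transforms, and GreaterThan "8" compares the value's length, so the one-character value "9" does not match.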

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Front Door Rule.

  • cdnFrontdoorRuleSetName - The name of the Front Door Rule Set containing this Front Door Rule.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Front Door Rule.
  • read - (Defaults to 5 minutes) Used when retrieving the Front Door Rule.
  • update - (Defaults to 30 minutes) Used when updating the Front Door Rule.
  • delete - (Defaults to 30 minutes) Used when deleting the Front Door Rule.

Import

Front Door Rules can be imported using the resourceId, e.g.

terraform import azurerm_cdn_frontdoor_rule.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Cdn/profiles/profile1/ruleSets/ruleSet1/rules/rule1