azurermFrontdoorCustomHttpsConfiguration

!> IMPORTANT: This deploys an Azure Front Door (classic) resource, which has been deprecated and will receive security updates only. Please migrate your existing Azure Front Door (classic) deployments to the new Azure Front Door (standard/premium) resources. For your convenience, the service team has exposed a Front Door Classic to Front Door Standard/Premium migration tool that lets you migrate your existing Front Door Classic instances to the new Front Door Standard/Premium product tiers.

Manages the Custom HTTPS Configuration for an Azure Front Door (classic) Frontend Endpoint.

-> NOTE: Defining custom HTTPS configurations using a separate azurermFrontdoorCustomHttpsConfiguration resource allows for parallel creation/update.

!> BREAKING CHANGE: To address the ordering issue, we have changed the design for retrieving existing sub-resources such as frontend endpoints. The existing design will be deprecated and will result in an incorrect configuration. Please refer to the updated documentation below for more information.

!> BREAKING CHANGE: The resourceGroupName field has been removed as of the v2580 provider release. If the resourceGroupName field is defined in your current azurermFrontdoorCustomHttpsConfiguration resource configuration file, please remove it; otherwise you will receive an `An argument named "resourceGroupName" is not expected here` error. If your pre-existing Front Door instance contained inline customHttpsConfiguration blocks, there are additional steps that must be completed to successfully migrate your Front Door onto the v2580 provider, which can be found in this guide.

!> Be Aware: Azure is rolling out a breaking change on Friday 9th April 2021 which may cause issues with the CDN/FrontDoor resources. More information is available in this GitHub issue. Unfortunately, this may necessitate a breaking change to the CDN and Front Door resources; more information will be posted in the GitHub issue as the necessary changes are identified.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "FrontDoorExampleResourceGroup",
  }
);
const dataAzurermKeyVaultVault =
  new azurerm.dataAzurermKeyVault.DataAzurermKeyVault(this, "vault", {
    name: "example-vault",
    resource_group_name: "example-vault-rg",
  });
const azurermFrontdoorExample = new azurerm.frontdoor.Frontdoor(
  this,
  "example_2",
  {
    backend_pool: [
      {
        backend: [
          {
            address: "www.bing.com",
            host_header: "www.bing.com",
            http_port: 80,
            https_port: 443,
          },
        ],
        health_probe_name: "exampleHealthProbeSetting1",
        load_balancing_name: "exampleLoadBalancingSettings1",
        name: "exampleBackendBing",
      },
    ],
    backend_pool_health_probe: [
      {
        name: "exampleHealthProbeSetting1",
      },
    ],
    backend_pool_load_balancing: [
      {
        name: "exampleLoadBalancingSettings1",
      },
    ],
    frontend_endpoint: [
      {
        host_name: "example-FrontDoor.azurefd.net",
        name: "exampleFrontendEndpoint1",
      },
      {
        host_name: "examplefd1.examplefd.net",
        name: "exampleFrontendEndpoint2",
      },
    ],
    name: "example-FrontDoor",
    resource_group_name: azurermResourceGroupExample.name,
    routing_rule: [
      {
        accepted_protocols: ["Http", "Https"],
        forwarding_configuration: [
          {
            backend_pool_name: "exampleBackendBing",
            forwarding_protocol: "MatchRequest",
          },
        ],
        frontend_endpoints: ["exampleFrontendEndpoint1"],
        name: "exampleRoutingRule1",
        patterns_to_match: ["/*"],
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermFrontdoorExample.overrideLogicalId("example");
new azurerm.frontdoorCustomHttpsConfiguration.FrontdoorCustomHttpsConfiguration(
  this,
  "example_custom_https_0",
  {
    custom_https_provisioning_enabled: false,
    frontend_endpoint_id: `\${${azurermFrontdoorExample.frontendEndpoints.fqn}["exampleFrontendEndpoint1"]}`,
  }
);
new azurerm.frontdoorCustomHttpsConfiguration.FrontdoorCustomHttpsConfiguration(
  this,
  "example_custom_https_1",
  {
    custom_https_configuration: [
      {
        azure_key_vault_certificate_secret_name: "examplefd1",
        azure_key_vault_certificate_vault_id: dataAzurermKeyVaultVault.id,
        certificate_source: "AzureKeyVault",
      },
    ],
    custom_https_provisioning_enabled: true,
    frontend_endpoint_id: `\${${azurermFrontdoorExample.frontendEndpoints.fqn}["exampleFrontendEndpoint2"]}`,
  }
);

Argument Reference

  • frontendEndpointId - (Required) The ID of the Front Door Frontend Endpoint which this configuration refers to. Changing this forces a new resource to be created.

  • customHttpsProvisioningEnabled - (Required) Should the HTTPS protocol be enabled for this custom domain associated with the Front Door?

  • customHttpsConfiguration - (Optional) A customHttpsConfiguration block as defined below.


The customHttpsConfiguration block supports the following:

  • certificateSource - (Optional) Certificate source to encrypt HTTPS traffic with. Allowed values are FrontDoor or AzureKeyVault. Defaults to FrontDoor.

The following attributes are only valid if certificateSource is set to AzureKeyVault:

  • azureKeyVaultCertificateVaultId - (Optional) The ID of the Key Vault containing the SSL certificate.

  • azureKeyVaultCertificateSecretName - (Optional) The name of the Key Vault secret representing the full certificate PFX.

  • azureKeyVaultCertificateSecretVersion - (Optional) The version of the Key Vault secret representing the full certificate PFX.

~> Note: In order to use your own custom HTTPS certificate, you must grant the Azure Front Door Service access to your Key Vault. For instructions on how to configure your Key Vault correctly, please refer to the product documentation.
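
The argument rules above can be checked before apply. The following is an added example, not part of the provider documentation: it lints synthesized Terraform JSON for this resource type. The `Synth` shape (blocks rendered as arrays, snake_case keys as in the example code), the finding messages and the `constructed_bad` entry are assumptions made for illustration.

```typescript
// Added example (not provider code): lint custom HTTPS settings in synthesized Terraform JSON.
type HttpsBlock = Partial<Record<
  | "certificate_source"
  | "azure_key_vault_certificate_vault_id"
  | "azure_key_vault_certificate_secret_name"
  | "azure_key_vault_certificate_secret_version", string>>;
type HttpsResource = { custom_https_provisioning_enabled: boolean; custom_https_configuration?: HttpsBlock[] };
type Synth = { resource?: Record<string, Record<string, HttpsResource>> };
const RESOURCE_TYPE = "azurerm_frontdoor_custom_https_configuration";

function lintCustomHttps(synth: Synth): string[] {
  const findings: string[] = [];
  const resources: Record<string, HttpsResource> = synth.resource?.[RESOURCE_TYPE] ?? {};
  for (const [name, res] of Object.entries(resources)) {
    if (!res.custom_https_provisioning_enabled) {
      findings.push(`${name}: HTTPS not enabled for this endpoint`);
      continue;
    }
    const block: HttpsBlock = res.custom_https_configuration?.[0] ?? {};
    const source = block.certificate_source ?? "FrontDoor"; // documented default
    const kvKeys = Object.keys(block).filter((k) => k.startsWith("azure_key_vault_"));
    if (source === "AzureKeyVault") {
      if (!block.azure_key_vault_certificate_vault_id || !block.azure_key_vault_certificate_secret_name)
        findings.push(`${name}: AzureKeyVault source without vault ID or secret name`);
    } else if (source !== "FrontDoor") {
      findings.push(`${name}: unknown certificate_source "${source}"`);
    } else if (kvKeys.length > 0) {
      // Key Vault attributes are only valid when the source is AzureKeyVault.
      findings.push(`${name}: Key Vault attributes set but certificate_source is FrontDoor`);
    }
  }
  return findings;
}

// Constructed sample: the page's two resources plus one misconfigured entry.
const sampleSynth: Synth = { resource: { [RESOURCE_TYPE]: {
  example_custom_https_0: { custom_https_provisioning_enabled: false },
  example_custom_https_1: {
    custom_https_provisioning_enabled: true,
    custom_https_configuration: [{
      certificate_source: "AzureKeyVault",
      azure_key_vault_certificate_vault_id: "<vault-id-placeholder>",
      azure_key_vault_certificate_secret_name: "examplefd1",
    }],
  },
  constructed_bad: {
    custom_https_provisioning_enabled: true,
    custom_https_configuration: [{ azure_key_vault_certificate_secret_name: "examplefd1" }],
  },
} } };
```

Calling `lintCustomHttps(sampleSynth)` reports the endpoint with provisioning disabled and the entry that sets a Key Vault secret name while the certificate source falls back to FrontDoor.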

Attributes Reference

  • id - The ID of the Azure Front Door Custom HTTPS Configuration.

  • customHttpsConfiguration - (Optional) A customHttpsConfiguration block as defined below.


The customHttpsConfiguration block exports the following:

  • minimumTlsVersion - Minimum client TLS version supported.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 6 hours) Used when creating a Custom HTTPS Configuration.
  • update - (Defaults to 6 hours) Used when updating a Custom HTTPS Configuration.
  • read - (Defaults to 5 minutes) Used when retrieving a Custom HTTPS Configuration.
  • delete - (Defaults to 6 hours) Used when deleting a Custom HTTPS Configuration.

Import

Front Door Custom HTTPS Configurations can be imported using the resource ID of the Front Door Custom HTTPS Configuration, e.g.

terraform import azurerm_frontdoor_custom_https_configuration.example_custom_https_1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/frontDoors/frontdoor1/customHttpsConfiguration/endpoint1