IaC Bazaar
Azure · Static-verified

Azure Front Door (Std/Premium) + WAF

Global entry point: Front Door profile, endpoints, origin groups, custom domains with managed TLS and WAF policy.

Tags: terraform · Azure · #azure

azure-front-door · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

azure-front-door

Status: static-validated, live-test pending. Ships under live-test quarantine: a Front Door profile carries a base charge (~$35/mo on Standard, ~$330/mo on Premium) plus traffic, custom-domain validation needs control of a real DNS zone, and managed-TLS issuance is asynchronous; none of that exists in a CI sandbox yet. The full apply → verify → destroy gate runs once an Azure sandbox subscription is wired up. The schema is validated against the azurerm v4 provider docs (built against 4.76).

Global L7 entry point built on Azure Front Door (Standard/Premium): one profile, a managed endpoint, origin groups + origins, routes, optional custom domains with Front Door-managed TLS, and a Web Application Firewall policy bound to every fronted domain. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

The Front Door object graph is a set of cross-referencing resources (profile → endpoint/origin-group → origin → route, plus a separate firewall-policy → security-policy chain). This module flattens origins into group/origin-keyed instances, wires each route to the origin IDs it must depend on (Front Door requires this for correct create/destroy ordering), and attaches the WAF to the endpoint and all custom domains through one security policy.
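The graph described above, written out as plain azurerm v4 resources so the cross-references are visible. This is an added illustration, not the module's source: the resource names, the origin host, the DNS zone reference and the rule-set versions are assumptions that mirror the Usage block below.

```hcl
# Added illustration of the resource graph the module manages; not the module's
# source. Names, origin host, DNS zone and rule versions mirror the Usage block.

resource "azurerm_cdn_frontdoor_profile" "this" {
  name                = "myapp-prod-fd"
  resource_group_name = "rg-myapp-prod"
  sku_name            = "Premium_AzureFrontDoor" # managed rule sets need Premium
}

resource "azurerm_cdn_frontdoor_endpoint" "this" {
  name                     = "myapp-prod-fd"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id
}

resource "azurerm_cdn_frontdoor_origin_group" "app" {
  name                     = "app"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id

  load_balancing {} # provider defaults: 4 samples, 3 successes required

  health_probe {
    path                = "/healthz"
    protocol            = "Https"
    interval_in_seconds = 30
  }
}

resource "azurerm_cdn_frontdoor_origin" "primary" {
  name                           = "primary"
  cdn_frontdoor_origin_group_id  = azurerm_cdn_frontdoor_origin_group.app.id
  host_name                      = "myapp-prod.azurewebsites.net"
  origin_host_header             = "myapp-prod.azurewebsites.net"
  certificate_name_check_enabled = true # origin cert must match host_name
}

resource "azurerm_cdn_frontdoor_custom_domain" "www" {
  name                     = "www-example-com"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id
  dns_zone_id              = azurerm_dns_zone.example.id
  host_name                = "www.example.com"

  tls {
    certificate_type    = "ManagedCertificate" # auto-renewed, no key in state
    minimum_tls_version = "TLS12"
  }
}

resource "azurerm_cdn_frontdoor_route" "default" {
  name                          = "default"
  cdn_frontdoor_endpoint_id     = azurerm_cdn_frontdoor_endpoint.this.id
  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.app.id
  # Listing origin IDs gives Terraform the edge Front Door needs: origins exist
  # before the route is created and outlive it on destroy.
  cdn_frontdoor_origin_ids        = [azurerm_cdn_frontdoor_origin.primary.id]
  cdn_frontdoor_custom_domain_ids = [azurerm_cdn_frontdoor_custom_domain.www.id]
  link_to_default_domain          = true
  patterns_to_match               = ["/*"]
  supported_protocols             = ["Http", "Https"] # both, so the redirect can fire
  forwarding_protocol             = "HttpsOnly"
  https_redirect_enabled          = true
}

# WAF chain: firewall policy -> security policy -> endpoint + every custom domain.
resource "azurerm_cdn_frontdoor_firewall_policy" "this" {
  name                = "myappprodfdwaf" # letters and digits only
  resource_group_name = "rg-myapp-prod"
  sku_name            = azurerm_cdn_frontdoor_profile.this.sku_name # must match profile
  mode                = "Prevention"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.1"
    action  = "Block"
  }

  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
    action  = "Block"
  }
}

resource "azurerm_cdn_frontdoor_security_policy" "this" {
  name                     = "myapp-prod-fd-secpol"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.this.id

  security_policies {
    firewall {
      cdn_frontdoor_firewall_policy_id = azurerm_cdn_frontdoor_firewall_policy.this.id
      association {
        patterns_to_match = ["/*"]
        domain { cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_endpoint.this.id }
        domain { cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_custom_domain.www.id }
      }
    }
  }
}
```

Two things worth noticing: the firewall policy's sku_name has to equal the profile's SKU or the API rejects the association, and a custom domain that is not listed in a security policy's association is served without the WAF, which is why the module binds every domain through one policy. The provider also offers azurerm_cdn_frontdoor_custom_domain_association, which links a domain to its routes so Terraform can detach it cleanly on destroy; it is omitted here for brevity.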

Secure defaults

  • WAF on by default in Prevention mode, bound to the endpoint and every custom domain via a security policy — nothing is fronted without the firewall.
  • Premium SKU by default so the managed Microsoft DefaultRuleSet + BotManager rule sets are available (managed rules are Premium-only; on Standard only custom rules apply, enforced by a precondition).
  • Routes forward HttpsOnly to origins and redirect HTTP → HTTPS.
  • Origin certificate name checks on; custom domains use managed TLS 1.2+ (auto-renewing, no certificate material in state).
  • Lock your origins to this profile using the resource_guid output as the X-Azure-FDID header so the backend only accepts traffic from your Front Door.

Usage

module "front_door" {
  source              = "./azure-front-door"
  name                = "myapp-prod-fd"
  resource_group_name = "rg-myapp-prod"
  sku                 = "Premium_AzureFrontDoor"

  origin_groups = {
    app = {
      health_probe = { path = "/healthz", protocol = "Https" }
      origins = {
        primary = { host_name = "myapp-prod.azurewebsites.net" }
      }
    }
  }

  routes = {
    default = {
      origin_group_key   = "app"
      custom_domain_keys = ["www"]
    }
  }

  custom_domains = {
    www = {
      host_name   = "www.example.com"
      dns_zone_id = azurerm_dns_zone.example.id
    }
  }

  waf = {
    mode = "Prevention"
    managed_rules = [
      { type = "Microsoft_DefaultRuleSet", version = "2.1" },
      { type = "Microsoft_BotManagerRuleSet", version = "1.0" },
    ]
  }

  tags = { Environment = "prod" }
}

Inputs

Name | Type | Default | Description
name | string | (required) | Profile name; prefixes endpoint/WAF/security policy
resource_group_name | string | (required) | Existing resource group
sku | string | Premium_AzureFrontDoor | Standard_AzureFrontDoor or Premium_AzureFrontDoor
response_timeout_seconds | number | 60 | Origin response timeout (16-240)
endpoint_name | string | null | Endpoint name (defaults to name)
origin_groups | map(object) | (required) | Groups with health probe, load balancing and a map of origins
routes | map(object) | (required) | URL patterns → origin group; HttpsOnly + HTTP→HTTPS redirect by default
custom_domains | map(object) | {} | Hostnames with managed TLS; pass dns_zone_id for auto-validation
waf | object | enabled / Prevention | WAF mode, managed rule sets (Premium) and custom rules
tags | map(string) | {} | Tags applied to profile/endpoint/WAF

Outputs

profile_id, profile_name, resource_guid, endpoint_id, endpoint_host_name, origin_group_ids, origin_ids, route_ids, custom_domain_validation_tokens (sensitive), custom_domain_ids, waf_policy_id.

Requirements & notes

  • Terraform or OpenTofu >= 1.6; hashicorp/azurerm >= 4.0, < 5.0.
  • Managed WAF rule sets are Premium-only. Set sku = Standard_AzureFrontDoor only if you do not need them: on Standard the module applies custom rules only, and supplying managed_rules together with a Standard SKU is rejected by a precondition at plan time.
  • Custom domains with dns_zone_id set have their _dnsauth TXT and CNAME records managed for you; otherwise create the _dnsauth TXT record using the custom_domain_validation_tokens output before traffic flows.
  • Point DNS at endpoint_host_name: a CNAME for subdomains, and an alias record at the zone apex, since an apex cannot carry a CNAME. Private Link origins require Premium and are out of scope for v1.
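The wiring a consumer adds around the module call: the _dnsauth record for a domain configured without dns_zone_id, the traffic CNAME, and the origin lock-down from the secure-defaults list above. This is an added example, not the module's own code. It assumes the module "front_door" from the Usage block with dns_zone_id omitted from the www domain, an azurerm_dns_zone "example" for example.com, an existing azurerm_service_plan "app", and that custom_domain_validation_tokens is a map keyed by custom-domain key.

```hcl
# Added example of consumer-side wiring; not part of the module. Assumes the
# Usage block's module "front_door" with the www domain configured WITHOUT
# dns_zone_id, an azurerm_dns_zone "example" for example.com, and an
# azurerm_service_plan "app" that already exists.

# Domain validation: Front Door looks up _dnsauth.<host> for the token the
# module exposes. The output is assumed to be a map keyed by domain key.
resource "azurerm_dns_txt_record" "dnsauth_www" {
  name                = "_dnsauth.www"
  zone_name           = azurerm_dns_zone.example.name
  resource_group_name = azurerm_dns_zone.example.resource_group_name
  ttl                 = 3600

  record {
    value = module.front_door.custom_domain_validation_tokens["www"]
  }
}

# Traffic: subdomains CNAME to the endpoint host name. The zone apex cannot
# hold a CNAME, so it needs an Azure DNS alias record instead (not shown).
resource "azurerm_dns_cname_record" "www" {
  name                = "www"
  zone_name           = azurerm_dns_zone.example.name
  resource_group_name = azurerm_dns_zone.example.resource_group_name
  ttl                 = 3600
  record              = module.front_door.endpoint_host_name
}

# Origin lock-down: the App Service accepts only Front Door's backend ranges
# (service tag) AND only requests carrying this profile's X-Azure-FDID.
# The service tag alone admits any tenant's Front Door; the header alone can be
# forged by anyone who can reach the origin directly, so both are required.
resource "azurerm_linux_web_app" "app" {
  name                = "myapp-prod"     # assumed; matches the Usage origin host
  resource_group_name = "rg-myapp-prod"
  location            = "westeurope"     # assumed
  service_plan_id     = azurerm_service_plan.app.id

  site_config {
    ip_restriction_default_action = "Deny"

    ip_restriction {
      name        = "allow-only-our-front-door"
      priority    = 100
      action      = "Allow"
      service_tag = "AzureFrontDoor.Backend"
      headers {
        x_azure_fdid = [module.front_door.resource_guid]
      }
    }
  }
}
```

If you keep dns_zone_id on the domain instead, drop the two DNS records here, because the module creates them and a second copy would fight over the same record set. The X-Azure-FDID value is unique per profile but not secret, so treat it as an identifier that narrows the service-tag allow-list to your profile, not as a credential.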

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/verify/destroy testing is pending an Azure sandbox subscription; see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial