claranet
terraform-azurerm-app-gateway
HCL

Terraform module for Azure Application Gateway

Last updated Jun 27, 2026
39
Stars
37
Forks
0
Issues
0
Stars/day
Attention Score
59
Language breakdown
HCL 100.0%
Files click to expand
README

Azure Application Gateway

Changelog Notice Apache V2 License OpenTofu Registry

This Terraform module creates an Application Gateway associated with a Public IP and with a Subnet, a Network Security Group and network security rules authorizing port 443 and ports for internal healthcheck of Application Gateway. The Diagnostics Logs are activated.

Naming

Resource naming is based on the Microsoft CAF naming convention best practices. Legacy naming is available by setting the parameter usecaf_naming to false. We rely on the official Terraform Azure CAF naming provider to generate resource names.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version | | -------------- | ----------------- | ---------------- | --------------- | | >= 8.x.x | Unverified | 1.8.x | >= 4.0 | | >= 7.x.x | 1.3.x | | >= 3.0 | | >= 6.x.x | 1.x | | >= 3.0 | | >= 5.x.x | 0.15.x | | >= 2.0 | | >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 | | >= 3.x.x | 0.12.x | | >= 2.0 | | >= 2.x.x | 0.12.x | | < 2.0 | | < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "azurevirtualnetwork" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

location = module.azure_region.location locationshort = module.azureregion.location_short clientname = var.clientname environment = var.environment stack = var.stack

resourcegroupname = module.rg.name

cidrs = ["192.168.0.0/16"] }

module "waf_policy" { source = "claranet/waf-policy/azurerm" version = "x.x.x"

location = module.azure_region.location locationshort = module.azureregion.location_short clientname = var.clientname environment = var.environment stack = var.stack

resourcegroupname = module.rg.name

managedruleset_configuration = [ { type = "Microsoft_BotManagerRuleSet" version = "1.0" }, { type = "Microsoft_DefaultRuleSet" version = "2.1" }, ] }

locals { basename = "${var.stack}-${var.clientname}-${module.azureregion.locationshort}-${var.environment}" }

module "appgw" { source = "claranet/app-gateway/azurerm" version = "x.x.x"

location = module.azure_region.location locationshort = module.azureregion.location_short clientname = var.clientname environment = var.environment stack = var.stack

resourcegroupname = module.rg.name

virtualnetworkname = module.azurevirtualnetwork.name subnet_cidr = "192.168.1.0/24"

firewallpolicyid = module.waf_policy.id forcefirewallpolicy_association = true

backendhttpsettings = [ { name = "${local.base_name}-backhttpsettings-http" cookiebasedaffinity = "Disabled" path = "/" port = 80 protocol = "Http" request_timeout = 300 }, # { # name = "${local.base_name}-backhttpsettings-https" # cookiebasedaffinity = "Disabled" # path = "/" # port = 443 # protocol = "Https" # request_timeout = 300 # } ]

backendaddresspools = [{ name = "${local.base_name}-backendpool" fqdns = ["example.com"] }]

requestroutingrules = [ { name = "${local.base_name}-routing-http" rule_type = "Basic" httplistenername = "${local.base_name}-listener-http" backendaddresspoolname = "${local.basename}-backendpool" backendhttpsettingsname = "${local.basename}-backhttpsettings-http" }, # { # name = "${local.base_name}-routing-https" # rule_type = "Basic" # httplistenername = "${local.base_name}-listener-https" # backendaddresspoolname = "${local.basename}-backendpool" # backendhttpsettingsname = "${local.basename}-backhttpsettings-https" # } ]

frontendipconfigurationcustomname = "${local.base_name}-frontipconfig"

http_listeners = [ { name = "${local.base_name}-listener-http" frontendipconfigurationname = "${local.basename}-frontipconfig" frontendportname = "frontend-http-port" protocol = "Http" host_name = "example.com" }, # { # name = "${local.base_name}-listener-https" # frontendipconfigurationname = "${local.basename}-frontipconfig" # frontendportname = "frontend-https-port" # protocol = "Https" # sslcertificatename = "${local.base_name}-example-com-sslcert" # require_sni = true # host_name = "example.com" # } ]

frontend_ports = [{ name = "frontend-http-port" port = 80 }]

# ssl_certificates = [{ # name = "${local.base_name}-example-com-sslcert" # data = var.certificateexamplecom_filebase64 # password = var.certificateexamplecom_password # }]

ssl_policy = { policy_type = "Predefined" policy_name = "AppGwSslPolicy20170401S" }

rewriterulesets = [{ name = "${local.base_name}-example-rewrite-rule-set" rewrite_rules = [ { name = "${local.base_name}-example-rewrite-rule-response-header" rule_sequence = 100 conditions = [ { ignore_case = true negate = false pattern = "text/html(.*)" variable = "httprespContent-Type" } ] responseheaderconfigurations = [{ header_name = "X-Frame-Options" header_value = "DENY" }] }, { name = "${local.base_name}-example-rewrite-rule-url" rule_sequence = 100 conditions = [ { ignore_case = false negate = false pattern = ".*-R[0-9]{10,10}\\.html" variable = "varuripath" }, { ignore_case = true negate = false pattern = ".*\\.fr" variable = "var_host" } ] url_reroute = { path = "/fr{varuripath}" query_string = null reroute = false } } ] }]

urlpathmaps = [ { name = "${local.base_name}-example-url-path-map" defaultbackendhttpsettingsname = "${local.base_name}-backhttpsettings-http" defaultbackendaddresspoolname = "${local.base_name}-backendpool" defaultrewriterulesetname = "${local.base_name}-example-rewrite-rule-set" # defaultredirectconfigurationname = "${local.basename}-redirect" path_rules = [ { name = "${local.base_name}-example-url-path-rule" backendaddresspoolname = "${local.basename}-backendpool" backendhttpsettingsname = "${local.basename}-backhttpsettings-http" rewriterulesetname = "${local.basename}-example-rewrite-rule-set" paths = ["/demo/"] } ] } ]

autoscale_configuration = { min_capacity = 2 max_capacity = 15 }

logsdestinationsids = [ # module.logs.id, # module.logs.storageaccountid, ] }

Providers

| Name | Version | | ---- | ------- | | azurecaf | >= 1.2.28 | | azurerm | ~> 4.31 | | terraform | n/a |

Modules

| Name | Source | Version | | ---- | ------ | ------- | | diagnostics | claranet/diagnostic-settings/azurerm | ~> 8.2.0 | | nsg | claranet/nsg/azurerm | ~> 8.1.0 | | subnet | claranet/subnet/azurerm | ~> 8.1.0 |

Resources

| Name | Type | | ---- | ---- | | azurermapplicationgateway.main | resource | | azurermpublicip.main | resource | | terraformdata.createsubnetcondition | resource | | azurecafname.appgw | data source | | azurecafname.frontipconfig | data source | | azurecafname.frontipconfig_priv | data source | | azurecafname.gwipconfig | data source | | azurecafname.nsg_appgw | data source | | azurecafname.nsr_healthcheck | data source | | azurecafname.nsr_https | data source | | azurecafname.pip_appgw | data source | | azurecafname.subnet_appgw | data source |

Inputs

| Name | Description | Type | Default | Required | | ---- | ----------- | ---- | ------- | :------: | | app\gateway\tags | Application Gateway tags. | map(string) | {} | no | | authentication\certificates | List of objects with authentication certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:

data = filebase64("./filepath")
|
list(object({
name = string
data = string
}))
| [] | no | | autoscale\configuration | Map containing autoscaling parameters. Must contain at least min\capacity. |
object({
mincapacity = number
max
capacity = optional(number, 5)
})
| null | no | | backend\address\pools | List of objects with backend pool configurations. |
list(object({
name = string
fqdns = optional(list(string))
ip_addresses = optional(list(string))
}))
| n/a | yes | | backend\http\settings | List of objects including backend http settings configurations. |
list(object({
name = string
port = optional(number, 443)
protocol = optional(string, "Https")

path = optional(string)
probename = optional(string)

cookie
basedaffinity = optional(string, "Disabled")
affinity
cookiename = optional(string, "ApplicationGatewayAffinity")
request
timeout = optional(number, 20)
hostname = optional(string)
pick
hostnamefrombackendaddress = optional(bool, true)
trustedrootcertificatenames = optional(list(string), [])
authentication
certificate = optional(string)

connectiondrainingtimeout_sec = optional(number)
}))
| n/a | yes | | client\_name | Client name/account used in naming. | string | n/a | yes | | create\_nsg | Boolean to create the network security group. | bool | false | no | | create\nsg\healthprobe\_rule | Boolean to create the network security group rule for the health probes. | bool | true | no | | create\nsg\https\_rule | Boolean to create the network security group rule opening https to everyone. | bool | true | no | | create\_subnet | Boolean to create subnet with this module. | bool | true | no | | custom\error\configurations | List of objects with global level custom error configurations. |
list(object({
statuscode = string
custom
errorpageurl = string
}))
| [] | no | | custom\_name | Custom Application Gateway name, generated if not set. | string | "" | no | | default\tags\enabled | Option to enable or disable default tags. | bool | true | no | | diagnostic\settings\custom\_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string | "default" | no | | environment | Project environment. | string | n/a | yes | | extra\_tags | Extra tags to add. | map(string) | {} | no | | firewall\policy\id | ID of a Web Application Firewall Policy. | string | null | no | | flow\log\enabled | Provision network watcher flow logs. | bool | false | no | | flow\log\location | The location where the Network Watcher Flow Log resides. Changing this forces a new resource to be created. Defaults to the location of the Network Watcher. | string | null | no | | flow\log\logging\_enabled | Enable Network Flow Logging. | bool | true | no | | flow\log\retention\policy\days | The number of days to retain flow log records. | number | 31 | no | | flow\log\retention\policy\enabled | Boolean flag to enable/disable retention. | bool | true | no | | flow\log\storage\account\id | Network watcher flow log storage account ID. | string | null | no | | flow\log\traffic\analytics\enabled | Boolean flag to enable/disable traffic analytics. | bool | true | no | | flow\log\traffic\analytics\interval\in\minutes | How frequently service should do flow analytics in minutes. | number | 10 | no | | force\firewall\policy\_association | Enable if the Firewall Policy is associated with the Application Gateway. | bool | false | no | | frontend\ip\configuration\custom\name | The custom name of the Frontend IP Configuration used. Generated by default. | string | "" | no | | frontend\_ports | List of objects with frontend ports. Each one contains the name and the port for the frontend port. |
list(object({
name = string
port = number
}))
| [] | no | | frontend\private\ip\configuration | Configuration of frontend private IP. |
object({
private
ipaddressallocation = optional(string, "Static")
privateipaddress = optional(string)
privatelinkconfiguration_name = optional(string)
})
| null | no | | frontend\private\ip\configuration\custom\_name | The Name of the private Frontend IP Configuration used for this HTTP Listener. | string | "" | no | | gateway\ip\configuration\custom\name | The Name of the Application Gateway IP Configuration. | string | "" | no | | http2\_enabled | Whether to enable http2 or not. | bool | true | no | | http\listeners | List of objects with HTTP listeners configurations and custom error configurations. |
list(object({
name = string

frontend
ipconfigurationname = optional(string)
frontendportname = optional(string)
hostname = optional(string)
host
names = optional(list(string))
protocol = optional(string, "Https")
requiresni = optional(bool, false)
ssl
certificatename = optional(string)
ssl
profilename = optional(string)
firewall
policyid = optional(string)

custom
errorconfigurations = optional(list(object({
status
code = string
customerrorpage_url = string
})), [])
}))
| n/a | yes | | ip\_tags | Public IP tags. | map(string) | {} | no | | location | Azure location. | string | n/a | yes | | location\_short | Short string for Azure location. | string | n/a | yes | | log\analytics\workspace\_guid | The resource GUID of the attached workspace. | string | null | no | | log\analytics\workspace\_id | The resource ID of the attached workspace. | string | null | no | | log\analytics\workspace\_location | The location of the attached workspace. | string | null | no | | logs\_categories | Log categories to send to destinations. | list(string) | null | no | | logs\destinations\ids | List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character. | list(string) | n/a | yes | | logs\metrics\categories | Metrics categories to send to destinations. | list(string) | null | no | | name\_prefix | Optional prefix for the generated name. | string | "" | no | | name\_suffix | Optional suffix for the generated name. | string | "" | no | | network\watcher\name | The name of the Network Watcher. Changing this forces a new resource to be created. | string | null | no | | network\watcher\resource\group\name | The name of the resource group in which the Network Watcher was deployed. Changing this forces a new resource to be created. | string | null | no | | nsg\custom\name | Custom name for the network security group. | string | null | no | | nsg\resource\group\_name | Resource group name of the network security group. | string | null | no | | nsg\_tags | Network Security Group tags. | map(string) | {} | no | | nsr\healthcheck\custom\_name | Custom name for the network security rule for internal health check of Application Gateway. | string | null | no | | nsr\https\custom\_name | Custom name for the network security rule for HTTPS protocol. | string | null | no | | nsr\https\source\address\prefix | Source address prefix to allow to access on port 443 defined in dedicated network security rule. | string | "*" | no | | private\links | Configuration of private link. Feature AllowApplicationGatewayPrivateLink must be registered on the subscription. |
list(object({
name = string
ip
configurations = list(object({
name = string
subnet_id = string
primary = optional(bool, true)
}))
}))
| [] | no | | probes | List of objects with probes configurations. |
list(object({
name = string
host = optional(string)
port = optional(number, null)
interval = optional(number, 30)
path = optional(string, "/")
protocol = optional(string, "Https")
timeout = optional(number, 30)

unhealthythreshold = optional(number, 3)
pick
hostnamefrombackendhttpsettings = optional(bool, false)
minimum
servers = optional(number, 0)

match = optional(object({
body = optional(string, "")
status_code = optional(list(string), ["200-399"])
}), {})
}))
| [] | no | | public\ip | Public IP parameters. |
object({
enabled = optional(bool, true)
existing
id = optional(string)
ddosprotectionmode = optional(string, "VirtualNetworkInherited")
ddosprotectionplanid = optional(string)
extra
tags = optional(map(string), {})
})
| {} | no | | public\ip\custom\_name | Public IP custom name. Generated by default. | string | "" | no | | public\ip\label\custom\name | Domain name label for public IP. | string | "" | no | | redirect\configurations | List of objects with redirect configurations. |
list(object({
name = string

redirect
type = optional(string, "Permanent")
targetlistenername = optional(string)
targeturl = optional(string)

include
path = optional(bool, true)
includequerystring = optional(bool, true)
}))
| [] | no | | request\routing\rules | List of objects with request routing rules configurations. With AzureRM v3+ provider, priority attribute becomes mandatory. |
list(object({
name = string
ruletype = optional(string, "Basic")
http
listenername = optional(string)
backend
addresspoolname = optional(string)
backendhttpsettingsname = optional(string)
url
pathmapname = optional(string)
redirectconfigurationname = optional(string)
rewriteruleset_name = optional(string)
priority = optional(number)
}))
| n/a | yes | | resource\group\name | Resource group name. | string | n/a | yes | | rewrite\rule\sets | List of rewrite rule set objects with rewrite rules. |
list(object({
name = string
rewriterules = list(object({
name = string
rule
sequence = string

conditions = optional(list(object({
variable = string
pattern = string
ignorecase = optional(bool, false)
negate = optional(bool, false)
})), [])

response
headerconfigurations = optional(list(object({
header
name = string
headervalue = string
})), [])

request
headerconfigurations = optional(list(object({
header
name = string
headervalue = string
})), [])

url
reroute = optional(object({
path = optional(string)
query_string = optional(string)
components = optional(string)
reroute = optional(bool)
}))
}))
}))
| [] | no | | route\table\name | The Route Table name to associate with the subnet | string | null | no | | route\table\rg | The Route Table RG to associate with the subnet. Default is the same RG than the subnet. | string | null | no | | sku | The Name of the SKU to use for this Application Gateway. Possible values are Standard\v2 and WAF\v2. | string | "WAF_v2" | no | | sku\capacity | The capacity of the SKU to use for this Application Gateway - which must be between 1 and 10, optional if autoscale\configuration is set. | number | 2 | no | | ssl\certificates | List of objects with SSL certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:
data = filebase64("./filepath")
|
list(object({
name = string
data = optional(string)
password = optional(string)
keyvaultsecret_id = optional(string)
}))
| [] | no | | ssl\policy | List of objects with SSL configurations. The list of available policies can be found here. |
object({
disabledprotocols = optional(list(string), [])
policy
type = optional(string, "Predefined")
policyname = optional(string, "AppGwSslPolicy20170401S")
cipher
suites = optional(list(string), [])
minprotocolversion = optional(string, "TLSv1_2")
})
| {} | no | | ssl\profiles | List of objects with SSL profiles. Default profile is used when this variable is set to null. |
list(object({
name = string
trusted
clientcertificatenames = optional(list(string), [])
verifyclientcertissuerdn = optional(bool, false)
sslpolicy = optional(object({
disabled
protocols = optional(list(string), [])
policytype = optional(string, "Predefined")
policy
name = optional(string, "AppGwSslPolicy20170401S")
ciphersuites = optional(list(string), [])
min
protocolversion = optional(string, "TLSv12")
}))
}))
| [] | no | | stack | Project stack name. | string | n/a | yes | | subnet\_cidr | Subnet CIDR to create. | string | "" | no | | subnet\custom\name | Custom name for the subnet. | string | "" | no | | subnet\id | Custom subnet ID for attaching the Application Gateway. Used only when the variable createsubnet = false. | string | "" | no | | subnet\resource\group\_name | Resource group name of the subnet. | string | "" | no | | subnet\service\endpoints | Service endpoints to enable on the subnet. | list(string) |
[
"Microsoft.KeyVault"
]
| no | | trusted\client\certificates | List of objects with trusted client certificates configurations.
The path to a base-64 encoded certificate is expected in the 'data' attribute:
data = filebase64("./file_path")
|
list(object({
name = string
data = string
}))
| [] | no | | trusted\root\certificates | List of trusted root certificates. filepath is checked first, using data (base64 cert content) if null. This parameter is required if you are not using a trusted certificate authority (eg. selfsigned certificate). |
list(object({
name = string
data = optional(string)
file
path = optional(string)
keyvaultsecret_id = optional(string)
}))
| [] | no | | url\path\maps | List of objects with URL path map configurations. |
list(object({
name = string

defaultbackendaddresspoolname = optional(string)
defaultredirectconfigurationname = optional(string)
default
backendhttpsettingsname = optional(string)
default
rewriterulesetname = optional(string)

path
rules = list(object({
name = string

backendaddresspoolname = optional(string)
backend
httpsettingsname = optional(string)
rewriterulesetname = optional(string)
redirect
configurationname = optional(string)
firewall
policy_id = optional(string)

paths = optional(list(string), [])
}))
}))
| [] | no | | user\assigned\identity\_id | User assigned identity id assigned to this resource. | string | null | no | | virtual\network\name | Virtual network name to attach the subnet. | string | null | no | | zones | A collection of availability zones to spread the Application Gateway over. This option is only supported for v2 SKUs. | list(number) |
[
1,
2,
3
]
| no |

Outputs

| Name | Description | | ---- | ----------- | | backend\address\pool\_ids | List of backend address pool IDs. | | backend\http\settings\_ids | List of backend HTTP settings IDs. | | backend\http\settings\probe\ids | List of probe IDs from backend HTTP settings. | | custom\error\configuration\_ids | List of custom error configuration IDs. | | frontend\ip\configuration\_ids | List of frontend IP configuration IDs. | | frontend\port\ids | List of frontend port IDs. | | gateway\ip\configuration\_ids | List of IP configuration IDs. | | http\listener\frontend\ip\configuration\_ids | List of frontend IP configuration IDs from HTTP listeners. | | http\listener\frontend\port\ids | List of frontend port IDs from HTTP listeners. | | http\listener\ids | List of HTTP listener IDs. | | id | Application Gateway ID. | | module\_nsg | Network Security Group module object. | | module\_subnet | Subnet module object. | | name | Application Gateway name. | | nsg\_id | The ID of the network security group from the subnet where the Application Gateway is attached. | | nsg\_name | The name of the network security group from the subnet where the Application Gateway is attached. | | public\ip\address | The public IP address of Application Gateway. | | public\ip\domain\_name | Domain Name part from FQDN of the A DNS record associated with the public IP. | | public\ip\fqdn | Fully qualified domain name of the A DNS record associated with the public IP. | | redirect\configuration\ids | List of redirect configuration IDs. | | request\routing\rule\backend\address\pool\ids | List of backend address pool IDs attached to request routing rules. | | request\routing\rule\backend\http\settings\ids | List of HTTP settings IDs attached to request routing rules. | | request\routing\rule\http\listener\_ids | List of HTTP listener ICs attached to request routing rules. | | request\routing\rule\_ids | List of request routing rules IDs. | | request\routing\rule\redirect\configuration\_ids | List of redirect configuration IDs attached to request routing rules. | | request\routing\rule\rewrite\rule\set\ids | List of rewrite rule set IDs attached to request routing rules. | | request\routing\rule\url\path\map\ids | List of URL path map IDs attached to request routing rules. | | resource | Application Gateway resource object. | | resource\public\ip | Public IP resource object. | | ssl\certificate\ids | List of SSL certificate IDs. | | subnet\_id | The ID of the subnet where the Application Gateway is attached. | | subnet\_name | The name of the subnet where the Application Gateway is attached. | | url\path\map\default\backend\address\pool\_ids | List of default backend address pool IDs attached to URL path maps. | | url\path\map\default\backend\http\settings\_ids | List of default backend HTTP settings IDs attached to URL path maps. | | url\path\map\default\redirect\configuration\ids | List of default redirect configuration IDs attached to URL path maps. | | url\path\map\_ids | List of URL path map IDs. |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/application-gateway/overview

🔗 More in this category

© 2026 GitRepoTrend · claranet/terraform-azurerm-app-gateway · Updated daily from GitHub