Merge branch 'AZ-1088-rework-module' into 'master'

feat(AZ-1088)!: rework module

Closes AZ-1088

See merge request claranet/projects/cloud/azure/terraform/modules/waf-policy!65

.gitlab-ci.yml

@@ -1,10 +1,10 @@
 ---
 variables:
-  TF_MIN_VERSION: "1.3"
-  AZURERM_PROVIDER_MIN_VERSION: "3.80"
+  TF_MIN_VERSION: "1.8"
+  AZURERM_PROVIDER_MIN_VERSION: "4.0"
 
 include:
-  - project: 'claranet/projects/cloud/azure/terraform/ci'
+  - project: "claranet/projects/cloud/azure/terraform/ci"
     ref: master
-    file: '/pipeline.yml'
+    file: "/pipeline.yml"
 ...

README.md

@@ -34,23 +34,6 @@ More details about variables set by the `terraform-wrapper` available in the [do
 [Hashicorp Terraform](https://github.com/hashicorp/terraform/). Instead, we recommend to use [OpenTofu](https://github.com/opentofu/opentofu/).
 
 ```hcl
-module "azure_region" {
-  source  = "claranet/regions/azurerm"
-  version = "x.x.x"
-
-  azure_region = var.azure_region
-}
-
-module "rg" {
-  source  = "claranet/rg/azurerm"
-  version = "x.x.x"
-
-  location    = module.azure_region.location
-  client_name = var.client_name
-  environment = var.environment
-  stack       = var.stack
-}
-
 module "waf_policy" {
   source  = "claranet/waf-policy/azurerm"
   version = "x.x.x"
@@ -61,7 +44,7 @@ module "waf_policy" {
   location_short = module.azure_region.location_short
   stack          = var.stack
 
-  resource_group_name = module.rg.resource_group_name
+  resource_group_name = module.rg.name
 
   policy_mode = "Detection"
 
@@ -72,9 +55,7 @@ module "waf_policy" {
     }
   ]
 
-  exclusion_configuration = [
-
-  ]
+  exclusion_configuration = []
 
   custom_rules_configuration = [
     {
@@ -131,8 +112,8 @@ module "waf_policy" {
 
 | Name | Version |
 |------|---------|
-| azurecaf | ~> 1.2, >= 1.2.22 |
-| azurerm | ~> 3.80 |
+| azurecaf | ~> 1.2.28 |
+| azurerm | ~> 4.0 |
 
 ## Modules
 
@@ -142,14 +123,15 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [azurerm_web_application_firewall_policy.waf_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource |
+| [azurerm_web_application_firewall_policy.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource |
 | [azurecaf_name.wafp](https://registry.terraform.io/providers/claranet/azurecaf/latest/docs/data-sources/name) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | client\_name | Client name/account used in naming. | `string` | n/a | yes |
+| custom\_name | WAF Policy custom name. | `string` | `null` | no |
 | custom\_rules\_configuration | Custom rules configuration object with following attributes:<pre>- name:                           Gets name of the resource that is unique within a policy. This name can be used to access the resource.<br/>- priority:                       Describes priority of the rule. Rules with a lower value will be evaluated before rules with a higher value.<br/>- rule_type:                      Describes the type of rule. Possible values are `MatchRule` and `Invalid`.<br/>- action:                         Type of action. Possible values are `Allow`, `Block` and `Log`.<br/>- match_conditions_configuration: One or more `match_conditions` blocks as defined below.<br/>- match_variable_configuration:   One or more match_variables blocks as defined below.<br/>- variable_name:                  The name of the Match Variable. Possible values are RemoteAddr, RequestMethod, QueryString, PostArgs, RequestUri, RequestHeaders, RequestBody and RequestCookies.<br/>- selector:                       Describes field of the matchVariable collection<br/>- match_values:                   A list of match values.<br/>- operator:                       Describes operator to be matched. Possible values are IPMatch, GeoMatch, Equal, Contains, LessThan, GreaterThan, LessThanOrEqual, GreaterThanOrEqual, BeginsWith, EndsWith and Regex.<br/>- negation_condition:             Describes if this is negate condition or not<br/>- transforms:                     A list of transformations to do before the match is attempted. Possible values are HtmlEntityDecode, Lowercase, RemoveNulls, Trim, UrlDecode and UrlEncode.</pre> | <pre>list(object({<br/>    name      = optional(string)<br/>    priority  = optional(number)<br/>    rule_type = optional(string)<br/>    action    = optional(string)<br/>    match_conditions_configuration = optional(list(object({<br/>      match_variable_configuration = optional(list(object({<br/>        variable_name = optional(string)<br/>        selector      = optional(string, null)<br/>      })))<br/>      match_values       = optional(list(string))<br/>      operator           = optional(string)<br/>      negation_condition = optional(string, null)<br/>      transforms         = optional(list(string), null)<br/>    })))<br/>  }))</pre> | `[]` | no |
 | default\_tags\_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
 | environment | Project environment. | `string` | n/a | yes |
@@ -167,16 +149,16 @@ No modules.
 | policy\_request\_body\_check\_enabled | Describes if the Request Body Inspection is enabled. Defaults to `true`. | `string` | `true` | no |
 | resource\_group\_name | Resource Group Name. | `string` | n/a | yes |
 | stack | Project stack name. | `string` | n/a | yes |
-| use\_caf\_naming | Use the Azure CAF naming provider to generate default resource name. `waf_policy_custom_name` override this if set. Legacy default name is used if this is set to `false`. | `bool` | `true` | no |
-| waf\_policy\_custom\_name | Custom WAF Policy name, generated if not set. | `string` | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | http\_listener\_ids | A list of HTTP Listener IDs from an azurerm\_application\_gateway. |
+| id | WAF Policy ID. |
+| name | WAF Policy name. |
 | path\_based\_rule\_ids | A list of URL Path Map Path Rule IDs from an azurerm\_application\_gateway. |
-| waf\_policy\_id | Waf Policy ID |
+| resource | WAF Policy resource object. |
 <!-- END_TF_DOCS -->
 ## Related documentation
 

r-naming.tf → d-naming.tf

@@ -2,8 +2,8 @@ data "azurecaf_name" "wafp" {
   name          = var.stack
   resource_type = "azurerm_web_application_firewall_policy"
   prefixes      = var.name_prefix == "" ? null : [local.name_prefix]
-  suffixes      = compact([var.client_name, var.location_short, var.environment, local.name_suffix, var.use_caf_naming ? "" : "wafp"])
-  use_slug      = var.use_caf_naming
+  suffixes      = compact([var.client_name, var.location_short, var.environment, local.name_suffix])
+  use_slug      = true
   clean_input   = true
   separator     = "-"
 }

examples/main/base.tf

@@ -0,0 +1,17 @@
+module "azure_region" {
+  source  = "claranet/regions/azurerm"
+  version = "x.x.x"
+
+  azure_region = var.azure_region
+}
+
+module "rg" {
+  source  = "claranet/rg/azurerm"
+  version = "x.x.x"
+
+  location       = module.azure_region.location
+  location_short = module.azure_region.location_short
+  client_name    = var.client_name
+  environment    = var.environment
+  stack          = var.stack
+}

examples/main/modules.tf

@@ -1,20 +1,3 @@
-module "azure_region" {
-  source  = "claranet/regions/azurerm"
-  version = "x.x.x"
-
-  azure_region = var.azure_region
-}
-
-module "rg" {
-  source  = "claranet/rg/azurerm"
-  version = "x.x.x"
-
-  location    = module.azure_region.location
-  client_name = var.client_name
-  environment = var.environment
-  stack       = var.stack
-}
-
 module "waf_policy" {
   source  = "claranet/waf-policy/azurerm"
   version = "x.x.x"
@@ -25,7 +8,7 @@ module "waf_policy" {
   location_short = module.azure_region.location_short
   stack          = var.stack
 
-  resource_group_name = module.rg.resource_group_name
+  resource_group_name = module.rg.name
 
   policy_mode = "Detection"
 
@@ -36,9 +19,7 @@ module "waf_policy" {
     }
   ]
 
-  exclusion_configuration = [
-
-  ]
+  exclusion_configuration = []
 
   custom_rules_configuration = [
     {

examples/main/versions.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.0.0"
+  required_version = ">= 1.3"
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 2.0.0"
+      version = "~> 4.0"
     }
   }
 }

locals-naming.tf

@@ -3,5 +3,5 @@ locals {
   name_prefix = lower(var.name_prefix)
   name_suffix = lower(var.name_suffix)
 
-  policy_name = coalesce(var.waf_policy_custom_name, lower(data.azurecaf_name.wafp.result))
+  name = coalesce(var.custom_name, data.azurecaf_name.wafp.result)
 }

outputs.tf

@@ -1,14 +1,24 @@
-output "waf_policy_id" {
-  description = "Waf Policy ID"
-  value       = azurerm_web_application_firewall_policy.waf_policy.id
+output "id" {
+  description = "WAF Policy ID."
+  value       = azurerm_web_application_firewall_policy.main.id
+}
+
+output "name" {
+  description = "WAF Policy name."
+  value       = azurerm_web_application_firewall_policy.main.name
+}
+
+output "resource" {
+  description = "WAF Policy resource object."
+  value       = azurerm_web_application_firewall_policy.main
 }
 
 output "http_listener_ids" {
   description = "A list of HTTP Listener IDs from an azurerm_application_gateway."
-  value       = azurerm_web_application_firewall_policy.waf_policy.http_listener_ids
+  value       = azurerm_web_application_firewall_policy.main.http_listener_ids
 }
 
 output "path_based_rule_ids" {
   description = "A list of URL Path Map Path Rule IDs from an azurerm_application_gateway."
-  value       = azurerm_web_application_firewall_policy.waf_policy.path_based_rule_ids
+  value       = azurerm_web_application_firewall_policy.main.path_based_rule_ids
 }

providers.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+    azurecaf = {
+      source  = "claranet/azurecaf"
+      version = "~> 1.2.28"
+    }
+  }
+}

r-waf-policy.tf

@@ -1,6 +1,6 @@
-resource "azurerm_web_application_firewall_policy" "waf_policy" {
+resource "azurerm_web_application_firewall_policy" "main" {
   location            = var.location
-  name                = local.policy_name
+  name                = local.name
   resource_group_name = var.resource_group_name
 
   policy_settings {
@@ -95,9 +95,10 @@ resource "azurerm_web_application_firewall_policy" "waf_policy" {
     }
   }
 
-  #
-  # Tags
-  #
-
   tags = merge(local.default_tags, var.extra_tags)
 }
+
+moved {
+  from = azurerm_web_application_firewall_policy.waf_policy
+  to   = azurerm_web_application_firewall_policy.main
+}

terraform.tfvars.ci

@@ -4,10 +4,3 @@ client_name         = "test"
 environment         = "test"
 stack               = "ci"
 resource_group_name = "test-rg"
-
-extra_tags = {
-  foo = "bar"
-}
-enable_logging          = true
-logs_retention          = 7
-logs_storage_account_id = "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/resourceGroups/rg-test/providers/Microsoft.Storage/storageAccounts/storageaccountname"

variables-naming.tf

@@ -11,15 +11,9 @@ variable "name_suffix" {
   default     = ""
 }
 
-variable "use_caf_naming" {
-  description = "Use the Azure CAF naming provider to generate default resource name. `waf_policy_custom_name` override this if set. Legacy default name is used if this is set to `false`."
-  type        = bool
-  default     = true
-}
-
 # Custom naming override
-variable "waf_policy_custom_name" {
-  description = "Custom WAF Policy name, generated if not set."
+variable "custom_name" {
+  description = "WAF Policy custom name."
   type        = string
-  default     = ""
+  default     = null
 }