azurerm_cdn_frontdoor_rule

Manages a Front Door (standard/premium) Rule.

!>IMPORTANT: The Rules resource must include a depends_on meta-argument which references the azurerm_cdn_frontdoor_origin and the azurerm_cdn_frontdoor_origin_group.

Example Usage

resource "azurerm_resource_group" "example" {
  name     = "example-cdn-frontdoor"
  location = "West Europe"
}

resource "azurerm_cdn_frontdoor_profile" "example" {
  name                = "example-profile"
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Premium_AzureFrontDoor"
}

resource "azurerm_cdn_frontdoor_endpoint" "example" {
  name                     = "example-endpoint"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.example.id

  tags = {
    endpoint = "contoso.com"
  }
}

resource "azurerm_cdn_frontdoor_origin_group" "example" {
  name                     = "example-originGroup"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.example.id
  session_affinity_enabled = true

  restore_traffic_time_to_healed_or_new_endpoint_in_minutes = 10

  health_probe {
    interval_in_seconds = 240
    path                = "/healthProbe"
    protocol            = "Https"
    request_type        = "GET"
  }

  load_balancing {
    additional_latency_in_milliseconds = 0
    sample_size                        = 16
    successful_samples_required        = 3
  }
}

resource "azurerm_cdn_frontdoor_origin" "example" {
  name                          = "example-origin"
  cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.example.id
  enabled                       = true

  certificate_name_check_enabled = false

  host_name          = azurerm_cdn_frontdoor_endpoint.example.host_name
  http_port          = 80
  https_port         = 443
  origin_host_header = "contoso.com"
  priority           = 1
  weight             = 500
}

resource "azurerm_cdn_frontdoor_rule_set" "example" {
  name                     = "exampleruleset"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.example.id
}

resource "azurerm_cdn_frontdoor_rule" "example" {
  depends_on = [azurerm_cdn_frontdoor_origin_group.example, azurerm_cdn_frontdoor_origin.example]

  name                      = "examplerule"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.example.id
  order                     = 1
  behavior_on_match         = "Continue"

  actions {
    route_configuration_override_action {
      cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.example.id
      forwarding_protocol           = "HttpsOnly"
      query_string_caching_behavior = "IncludeSpecifiedQueryStrings"
      query_string_parameters       = ["foo", "clientIp={client_ip}"]
      compression_enabled           = true
      cache_behavior                = "OverrideIfOriginMissing"
      cache_duration                = "365.23:59:59"
    }

    url_redirect_action {
      redirect_type        = "PermanentRedirect"
      redirect_protocol    = "MatchRequest"
      query_string         = "clientIp={client_ip}"
      destination_path     = "/exampleredirection"
      destination_hostname = "contoso.com"
      destination_fragment = "UrlRedirect"
    }
  }

  conditions {
    host_name_condition {
      operator         = "Equal"
      negate_condition = false
      match_values     = ["www.contoso.com", "images.contoso.com", "video.contoso.com"]
      transforms       = ["Lowercase", "Trim"]
    }

    is_device_condition {
      operator         = "Equal"
      negate_condition = false
      match_values     = ["Mobile"]
    }

    post_args_condition {
      post_args_name = "customerName"
      operator       = "BeginsWith"
      match_values   = ["J", "K"]
      transforms     = ["Uppercase"]
    }

    request_method_condition {
      operator         = "Equal"
      negate_condition = false
      match_values     = ["DELETE"]
    }

    url_filename_condition {
      operator         = "Equal"
      negate_condition = false
      match_values     = ["media.mp4"]
      transforms       = ["Lowercase", "RemoveNulls", "Trim"]
    }
  }
}

Arguments Reference

The following arguments are supported:

->NOTE: If the Front Door Rule has an order value of 0, it does not require any conditions and its actions will always be applied.


An actions block supports the following:

->NOTE: You may include up to 5 separate actions in the actions block.

Some actions support Action Server Variables, which provide access to structured information about the request. For more information, see the Action Server Variables section below.


A url_redirect_action block supports the following:


A route_configuration_override_action block supports the following:

->NOTE: In v3.x of the provider the cache_duration, cache_behavior and query_string_caching_behavior will have default values. You can use Terraform's ignore_changes functionality to ignore these default values. In v4.0 of the provider the cache_duration, cache_behavior and query_string_caching_behavior will NOT have default values and will need to be explicitly set in the configuration file.

->NOTE: If the cdn_frontdoor_origin_group_id is not defined you cannot set the forwarding_protocol.

->NOTE: query_string_parameters is a required field when the query_string_caching_behavior is set to IncludeSpecifiedQueryStrings or IgnoreSpecifiedQueryStrings.

->NOTE: Content won't be compressed on AzureFrontDoor when requested content is smaller than 1 byte or larger than 1 MB.


A url_rewrite_action block supports the following:


A request_header_action block supports the following:

->NOTE: value is required if the header_action is set to Append or Overwrite.


A response_header_action block supports the following:

->NOTE: value is required if the header_action is set to Append or Overwrite.


A conditions block supports the following:

->NOTE: You may include up to 10 separate conditions in the conditions block.


An ssl_protocol_condition block supports the following:

->The ssl_protocol_condition identifies requests based on the SSL protocol of an established TLS connection.


A host_name_condition block supports the following:

->The host_name_condition identifies requests based on the specified hostname in the request from the client.


A server_port_condition block supports the following:

->The server_port_condition identifies requests based on which port of the Front Door server accepted the request.


A client_port_condition block supports the following:

->The client_port_condition identifies requests based on the port of the client which made the request.


A socket_address_condition block supports the following:

->The socket_address_condition identifies requests based on the IP address of the direct connection to the Front Door Profiles edge. If the client used an HTTP proxy or a load balancer to send the request, the value of Socket address is the IP address of the proxy or load balancer.

->Remote Address represents the original client IP that is either from the network connection or typically the X-Forwarded-For request header if the user is behind a proxy.

->NOTE: If the value of the operator field is set to IpMatch then the match_values field is also required.

->NOTE: See the Specifying IP Address Ranges section below on how to correctly define the match_values field.


A remote_address_condition block supports the following:

->Remote Address represents the original client IP that is either from the network connection or typically the X-Forwarded-For request header if the user is behind a proxy.

->NOTE: See the Specifying IP Address Ranges section below on how to correctly define the match_values field.


A request_method_condition block supports the following:

->The request_method_condition identifies requests that use the specified HTTP request method.


A query_string_condition block supports the following:

->Use the query_string_condition to identify requests that contain a specific query string.


A post_args_condition block supports the following:

->Use the post_args_condition to identify requests based on the arguments provided within a POST request's body. A single match condition matches a single argument from the POST request's body.


A request_uri_condition block supports the following:

->The request_uri_condition identifies requests that match the specified URL. The entire URL is evaluated, including the protocol and query string, but not the fragment. When you use this rule condition, be sure to include the protocol (e.g. use https://www.contoso.com instead of just www.contoso.com).


A request_header_condition block supports the following:

->The request_header_condition identifies requests that include a specific header in the request. You can use this match condition to check if a header exists whatever its value, or to check if the header matches a specified value.


A request_body_condition block supports the following:

->The request_body_condition identifies requests based on specific text that appears in the body of the request.

->NOTE: If a request body exceeds 64 KB in size, only the first 64 KB will be considered for the request body match condition.


A request_scheme_condition block supports the following:

->The request_scheme_condition identifies requests that use the specified protocol.


A url_path_condition block supports the following:

->The url_path_condition identifies requests that include the specified path in the request URL. The path is the part of the URL after the hostname and a slash (e.g. in the URL https://www.contoso.com/files/secure/file1.pdf, the path is files/secure/file1.pdf).


A url_file_extension_condition block supports the following:

->The url_file_extension_condition identifies requests that include the specified file extension in the file name in the request URL. Don't include a leading period (e.g. use html instead of .html).


A url_filename_condition block supports the following:

->The url_filename_condition identifies requests that include the specified file name in the request URL.


An http_version_condition block supports the following:

->Use the HTTP version match condition to identify requests that have been made by using a specific version of the HTTP protocol.


A cookies_condition block supports the following:

->Use the cookies_condition to identify requests that include a specific cookie.


An is_device_condition block supports the following:

->Use the is_device_condition to identify requests that have been made from a mobile or desktop device.


Specifying IP Address Ranges

When specifying IP address ranges in the socket_address_condition and the remote_address_condition match_values use the following format:

Use CIDR notation when specifying IP address blocks. This means that the syntax for an IP address block is the base IP address followed by a forward slash and the prefix size. For example:

When you specify multiple IP addresses and IP address blocks, OR logic is applied.
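
An added example (not from the provider documentation) of CIDR match_values in a socket_address_condition: requests for a hypothetical admin.contoso.com host are redirected unless the direct peer address is inside one of the listed blocks. The rule name, hostname and address ranges are constructed, and the referenced resources are those from Example Usage above.

```hcl
# Added example. Address ranges are constructed documentation ranges
# (RFC 5737 / RFC 3849); the rule name and hostname are hypothetical.
resource "azurerm_cdn_frontdoor_rule" "admin_socket_allowlist" {
  depends_on = [azurerm_cdn_frontdoor_origin_group.example, azurerm_cdn_frontdoor_origin.example]

  name                      = "adminsocketallowlist"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.example.id
  order                     = 2
  behavior_on_match         = "Stop"

  # All conditions in the block must match for the actions to run.
  conditions {
    host_name_condition {
      operator         = "Equal"
      negate_condition = false
      match_values     = ["admin.contoso.com"]
      transforms       = ["Lowercase", "Trim"]
    }

    # Evaluates the address of the direct connection to the edge,
    # not a value taken from X-Forwarded-For.
    socket_address_condition {
      operator         = "IpMatch"
      negate_condition = true # match when the peer is in NONE of the blocks
      # Base address, forward slash, prefix size. Entries are OR'ed.
      match_values = ["203.0.113.0/24", "198.51.100.16/28", "2001:db8:1234::/48"]
    }
  }

  actions {
    url_redirect_action {
      redirect_type        = "Found"
      redirect_protocol    = "Https"
      destination_hostname = "contoso.com"
      destination_path     = "/"
    }
  }
}
```

Because match_values entries are OR'ed, negating the condition means the redirect applies only to peers outside every listed block.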


Action Server Variables

Rule Set server variables provide access to structured information about the request. You can use server variables to dynamically change the request/response headers or URL rewrite paths/query strings, for example, when a new page loads or when a form is posted.

Supported Action Server Variables

| Variable name | Description |
|---|---|
| socket_ip | The IP address of the direct connection to Front Door Profiles edge. If the client used an HTTP proxy or a load balancer to send the request, the value of socket_ip is the IP address of the proxy or load balancer. |
| client_ip | The IP address of the client that made the original request. If there was an X-Forwarded-For header in the request, then the client IP address is picked from the header. |
| client_port | The IP port of the client that made the request. |
| hostname | The host name in the request from the client. |
| geo_country | Indicates the requester's country/region of origin through its country/region code. |
| http_method | The method used to make the URL request, such as GET or POST. |
| http_version | The request protocol. Usually HTTP/1.0, HTTP/1.1, or HTTP/2.0. |
| query_string | The list of variable/value pairs that follows the "?" in the requested URL. For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the query_string value will be id=123&title=fabrikam. |
| request_scheme | The request scheme: http or https. |
| request_uri | The full original request URI (with arguments). For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the request_uri value will be /article.aspx?id=123&title=fabrikam. |
| ssl_protocol | The protocol of an established TLS connection. |
| server_port | The port of the server that accepted a request. |
| url_path | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments. For example, in the request http://contoso.com:8080/article.aspx?id=123&title=fabrikam, the url_path value will be /article.aspx. |
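
An added example (not from the provider documentation) that uses the {variable} form seen in Example Usage to pass socket_ip and client_ip to the origin in request headers, so origin logs can record the direct peer address next to the address that may have come from X-Forwarded-For. The rule name and header names are hypothetical; the referenced resources are those from Example Usage above.

```hcl
# Added example. Rule name and header names are hypothetical.
resource "azurerm_cdn_frontdoor_rule" "forward_edge_addresses" {
  depends_on = [azurerm_cdn_frontdoor_origin_group.example, azurerm_cdn_frontdoor_origin.example]

  name                      = "forwardedgeaddresses"
  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.example.id
  # Order 0: no conditions block is needed and the actions always apply
  # (see the NOTE under Arguments Reference).
  order             = 0
  behavior_on_match = "Continue"

  actions {
    # Overwrite replaces any header of the same name sent by the client,
    # so the origin only ever sees the value set at the edge.
    request_header_action {
      header_action = "Overwrite"
      header_name   = "X-Edge-Socket-IP"
      value         = "{socket_ip}" # address of the direct connection
    }

    request_header_action {
      header_action = "Overwrite"
      header_name   = "X-Edge-Client-IP"
      value         = "{client_ip}" # may be taken from X-Forwarded-For
    }
  }
}
```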

Action Server Variable Format

Server variables can be specified using the following formats:

Action Server Variables Support

Action Server variables are supported on the following actions:


Condition Operator list

For rules that accept values from the standard operator list, the following operators are valid:

| Operator | Description | Condition Value |
|---|---|---|
| Any | Matches when there is any value, regardless of what it is. | Any |
| Equal | Matches when the value exactly matches the specified string. | Equal |
| Contains | Matches when the value contains the specified string. | Contains |
| Less Than | Matches when the length of the value is less than the specified integer. | LessThan |
| Greater Than | Matches when the length of the value is greater than the specified integer. | GreaterThan |
| Less Than or Equal | Matches when the length of the value is less than or equal to the specified integer. | LessThanOrEqual |
| Greater Than or Equal | Matches when the length of the value is greater than or equal to the specified integer. | GreaterThanOrEqual |
| Begins With | Matches when the value begins with the specified string. | BeginsWith |
| Ends With | Matches when the value ends with the specified string. | EndsWith |
| RegEx | Matches when the value matches the specified regular expression. See below for further details. | RegEx |
| Not Any | Matches when there is no value. | Any and negateCondition = true |
| Not Equal | Matches when the value does not match the specified string. | Equal and negateCondition = true |
| Not Contains | Matches when the value does not contain the specified string. | Contains and negateCondition = true |
| Not Less Than | Matches when the length of the value is not less than the specified integer. | LessThan and negateCondition = true |
| Not Greater Than | Matches when the length of the value is not greater than the specified integer. | GreaterThan and negateCondition = true |
| Not Less Than or Equal | Matches when the length of the value is not less than or equal to the specified integer. | LessThanOrEqual and negateCondition = true |
| Not Greater Than or Equals | Matches when the length of the value is not greater than or equal to the specified integer. | GreaterThanOrEqual and negateCondition = true |
| Not Begins With | Matches when the value does not begin with the specified string. | BeginsWith and negateCondition = true |
| Not Ends With | Matches when the value does not end with the specified string. | EndsWith and negateCondition = true |
| Not RegEx | Matches when the value does not match the specified regular expression. See Condition Regular Expressions for further details. | RegEx and negateCondition = true |

Condition Regular Expressions

Regular expressions don't support the following operations:


Condition Transform List

For rules that can transform strings, the following transforms are valid:

| Transform | Description |
|---|---|
| Lowercase | Converts the string to the lowercase representation. |
| Uppercase | Converts the string to the uppercase representation. |
| Trim | Trims leading and trailing whitespace from the string. |
| RemoveNulls | Removes null values from the string. |
| URLEncode | URL-encodes the string. |
| URLDecode | URL-decodes the string. |

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

Import

Front Door Rules can be imported using the resource id, e.g.

terraform import azurerm_cdn_frontdoor_rule.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Cdn/profiles/profile1/ruleSets/ruleSet1/rules/rule1