Azure / terraform-azurerm-avm-res-network-applicationgateway

Azure Application Gateway serves as a web traffic load balancer, allowing you to efficiently handle traffic for your web applications. This Terraform module is designed for the rapid creation of an Application Gateway that includes various customizable features.
MIT License

[AVM Module Issue]: keyvault self ssl example recommendations #71

Closed kewalaka closed 3 weeks ago

kewalaka commented 1 month ago

Check for previous/existing GitHub issues

Issue Type?

Bug

(Optional) Module Version

0.1.0

(Optional) Correlation Id

No response

Description

If using an external WAF configuration (as is advised), it is not necessary to include a waf_configuration block here:

https://github.com/kewalaka/terraform-azurerm-avm-res-network-applicationgateway-upstream/blob/f890af9e28f013b937ae038881d5e7cfe8b66bfd/examples/kv_selfssl_waf_https_app_gateway/main.tf#L147-L154

The Key Vault should not be using access policies; instead, Azure RBAC should be used, and the permissions applied are not following least privilege.
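What the two recommendations above look like in HCL, as an added example (not the module's own kv_selfssl example and not code from the issue author): the vault authorises the data plane with Azure RBAC instead of access_policy blocks, the gateway's user-assigned identity gets only "Key Vault Secrets User" on that vault, and the gateway points at an external WAF policy through firewall_policy_id rather than carrying a waf_configuration block. It assumes the azurerm 3.x provider, an existing resource group, subnet and public IP, and a Key Vault certificate whose versionless secret id is passed in as a variable; every name is illustrative.

```hcl
# Added example (not the module's kv_selfssl example): RBAC-authorised Key Vault,
# least-privilege role for the gateway identity, external WAF policy. Resource group,
# subnet, public IP and the certificate secret id are assumed to exist (variables).
variable "resource_group_name"   { type = string }
variable "location"              { type = string }
variable "subnet_id"             { type = string }
variable "public_ip_id"          { type = string }
variable "certificate_secret_id" { type = string } # versionless secret id of the KV certificate
data "azurerm_client_config" "current" {}

resource "azurerm_user_assigned_identity" "appgw" {
  name                = "id-appgw-example"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Weak pattern the issue objects to (for contrast, not deployed): a vault-wide
#   access_policy { object_id = ...; secret_permissions = ["Get","List","Set","Delete","Purge"] }
resource "azurerm_key_vault" "kv" {
  name                      = "kv-appgw-example"
  location                  = var.location
  resource_group_name       = var.resource_group_name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true # azurerm 3.x name; 4.x renames it rbac_authorization_enabled
}

# Least privilege: the gateway only reads the certificate's secret endpoint, so
# "Key Vault Secrets User" scoped to this vault (not the RG or subscription) is enough.
resource "azurerm_role_assignment" "appgw_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.appgw.principal_id
}

resource "azurerm_web_application_firewall_policy" "waf" {
  name                = "waf-appgw-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

resource "azurerm_application_gateway" "appgw" {
  name                = "agw-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  firewall_policy_id  = azurerm_web_application_firewall_policy.waf.id # replaces waf_configuration
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 1
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.appgw.id]
  }
  ssl_certificate {
    name                = "app-cert"
    key_vault_secret_id = var.certificate_secret_id
  }
  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = var.subnet_id
  }
  frontend_port {
    name = "https"
    port = 443
  }
  frontend_ip_configuration {
    name                 = "public"
    public_ip_address_id = var.public_ip_id
  }
  backend_address_pool {
    name = "backend"
  }
  backend_http_settings {
    name                  = "http"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
  }
  http_listener {
    name                           = "https-listener"
    frontend_ip_configuration_name = "public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "app-cert"
  }
  request_routing_rule {
    name                       = "https-rule"
    rule_type                  = "Basic"
    priority                   = 100
    http_listener_name         = "https-listener"
    backend_address_pool_name  = "backend"
    backend_http_settings_name = "http"
  }
  # Nothing above references the role assignment, yet the gateway reads the
  # certificate on creation: this depends_on is one of the genuinely needed ones.
  depends_on = [azurerm_role_assignment.appgw_secrets_user]
}
```

Two things to check before applying this: the role assignment can take a minute to propagate, so a first apply can still fail with a Key Vault authorisation error on the gateway and succeed on retry; and with RBAC enabled the identity running Terraform no longer gets vault access implicitly, so whatever imports the certificate needs its own data-plane role (the importing side is shown in the later example).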

kewalaka commented 1 month ago

There are also several unnecessary depends_on blocks. If directly referencing an attribute from another resource, it is not necessary to do this;

e.g.

# Required to deploy VMSS and web server to host the application
resource "azurerm_subnet" "workload" {
  address_prefixes     = ["10.90.2.0/24"]
  name                 = "workload"
  resource_group_name  = azurerm_resource_group.rg_group.name
  virtual_network_name = azurerm_virtual_network.vnet.name

  # Redundant: both resources are already referenced by attribute above,
  # so Terraform orders them correctly without this block.
  depends_on = [azurerm_virtual_network.vnet, azurerm_resource_group.rg_group]
}

The above depends_on is not needed because the resources are directly referenced.

kewalaka commented 1 month ago

Rather than create a self-signed certificate via bash, it is also possible to do this in a more Terraform-like way via the tls provider.

https://registry.terraform.io/providers/hashicorp/tls/latest/docs
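An added example of that approach (not the module's example, which shells out to generate the certificate, and not code from the commenter): hashicorp/tls generates the key and self-signed certificate, and the result is imported into an RBAC-enabled Key Vault as a certificate object so Application Gateway can reference its secret id. It assumes the vault already exists and its id comes in via var.key_vault_id, that the identity running Terraform does not already hold a data-plane role on the vault, and that the hostname and names are placeholders.

```hcl
# Added example (not the module's example): self-signed certificate via the tls
# provider, imported into an RBAC-authorised Key Vault. Vault id, hostname and the
# deployer's missing data-plane role are assumptions for illustration.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    tls     = { source = "hashicorp/tls" }
  }
}

variable "key_vault_id" { type = string }
variable "hostname" {
  type    = string
  default = "app.example.com" # placeholder
}

data "azurerm_client_config" "current" {}

# The private key is stored in Terraform state, so the state backend must be
# treated as a secret (encrypted remote backend, restricted access).
resource "tls_private_key" "app" {
  algorithm = "RSA"
  rsa_bits  = 2048 # Key Vault minimum for RSA
}

resource "tls_self_signed_cert" "app" {
  private_key_pem = tls_private_key.app.private_key_pem
  dns_names       = [var.hostname]
  subject {
    common_name  = var.hostname
    organization = "Example"
  }
  validity_period_hours = 24 * 90 # short-lived: rotate, do not extend
  early_renewal_hours   = 24 * 14 # plan shows a replacement two weeks before expiry
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# With RBAC authorisation the principal running terraform gets no implicit access,
# so importing the certificate needs a data-plane role. "Key Vault Certificates
# Officer" is the narrowest built-in role that permits import.
resource "azurerm_role_assignment" "deployer_cert_officer" {
  scope                = var.key_vault_id
  role_definition_name = "Key Vault Certificates Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Key Vault accepts a PEM bundle (unencrypted private key followed by the
# certificate) as well as PFX, so no pkcs12 conversion step is needed.
# depends_on is warranted here: nothing in this resource references the role
# assignment, yet without it the import is rejected with 403 Forbidden.
resource "azurerm_key_vault_certificate" "app" {
  name         = "app-selfsigned"
  key_vault_id = var.key_vault_id
  certificate {
    contents = base64encode("${tls_private_key.app.private_key_pem_pkcs8}${tls_self_signed_cert.app.cert_pem}")
  }
  depends_on = [azurerm_role_assignment.deployer_cert_officer]
}

# Versionless id: Application Gateway then picks up a rotated version on its
# own instead of pinning the version that existed at deploy time.
output "certificate_secret_id" {
  value = azurerm_key_vault_certificate.app.versionless_secret_id
}
```

The output is what an `ssl_certificate { key_vault_secret_id = ... }` block on the gateway consumes. Because early_renewal_hours makes the tls resource plan a replacement before expiry, a routine `terraform apply` rolls the key and certificate and uploads a new Key Vault version; nothing outside Terraform has to run openssl.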

mofaizal commented 4 weeks ago

I agree, there is more than one method to achieve the same outcome. :-)

microsoft-github-policy-service[bot] commented 3 weeks ago

[!WARNING] Tagging the AVM Core Team (@Azure/avm-core-team-technical-terraform) due to a module owner or contributor having not responded to this issue within 3 business days. The AVM Core Team will attempt to contact the module owners/contributors directly.

[!TIP]

  • To prevent further actions to take effect, the "Status: Response Overdue 🚩" label must be removed, once this issue has been responded to.
  • To avoid this rule being (re)triggered, the "Needs: Triage :mag:" label must be removed as part of the triage process (when the issue is first responded to)!