diff --git a/infrastructure/modules/application-insights-availability-test/tfdocs.md b/infrastructure/modules/application-insights-availability-test/tfdocs.md
index edef5041..8ca1e20a 100644
--- a/infrastructure/modules/application-insights-availability-test/tfdocs.md
+++ b/infrastructure/modules/application-insights-availability-test/tfdocs.md
@@ -38,6 +38,23 @@ Type: `string`
The following input variables are optional (have default values):
+### [alert](#input\_alert)
+
+Description: n/a
+
+Type:
+
+```hcl
+object({
+ description = optional(string, "Availability test alert")
+ frequency = optional(string, "PT1M")
+ window_size = optional(string, "PT5M")
+ auto_mitigate = optional(bool, true)
+ })
+```
+
+Default: `{}`
+
### [frequency](#input\_frequency)
Description: Frequency of test in seconds, defaults to 300.
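Review bot: The new `alert` entry is generated with `Description: n/a`, so the docs no longer say what the object configures. Add a `description` to the `alert` variable in variables.tf (the previous wording, "Configuration for the availability alert rule.", would do) and regenerate. It should also make clear that `alert.frequency` is an ISO 8601 duration such as `PT1M`, because the top-level `frequency` input directly below is documented in seconds and the two are easy to confuse.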
@@ -62,77 +79,53 @@ Default:
]
```
-### [location](#input\_location)
-
-Description: The location/region where the availability test is deployed (must match App Insights location)
-
-Type: `string`
-
-Default: `"UK South"`
-
-### [timeout](#input\_timeout)
+### [headers](#input\_headers)
-Description: Timeout in seconds, defaults to 30.
+Description: Map of request headers to send (name => value)
-Type: `number`
+Type: `map(string)`
-Default: `30`
+Default: `{}`
-### [http_verb](#input\_http\_verb)
+### [http\_verb](#input\_http\_verb)
-Description: The HTTP verb used for the request.
+Description: HTTP verb (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS)
Type: `string`
-Allowed values: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
+Default: `"GET"`
-Default: GET
-
-### [headers](#input\_headers)
+### [location](#input\_location)
-Description: A map of HTTP request headers (name => value).
+Description: The location/region where the availability test is deployed (must match App Insights location)
-Type: `map(string)`
+Type: `string`
-Default: {}
+Default: `"UK South"`
-### [ssl_validation](#input\_ssl\_validation)
+### [ssl\_validation](#input\_ssl\_validation)
Description: SSL validation configuration for the availability test.
Type:
+
```hcl
object({
- expected_status_code = optional(number, null)
- ssl_cert_remaining_lifetime = optional(number, null)
-})
+ expected_status_code = optional(number, null)
+ ssl_cert_remaining_lifetime = optional(number, null)
+ })
```
-Default: null
+Default: `null`
-Validations:
-- expected_status_code must be 0 ('0' means 'response code < 400') or a valid HTTP status code (100–599)
-- ssl_cert_remaining_lifetime must be null or between 1–365
-
-### [alert](#input\_alert)
+### [timeout](#input\_timeout)
-Description: Configuration for the availability alert rule.
+Description: Timeout in seconds, defaults to 30.
-Type:
-```hcl
-object({
- description = optional(string, "Availability test alert")
- frequency = optional(string, "PT1M")
- window_size = optional(string, "PT5M")
- auto_mitigate = optional(bool, true)
-})
-```
+Type: `number`
-Defaults: {}
+Default: `30`
-Validations:
-- frequency must be one of: PT1M, PT5M, PT15M, PT30M, PT1H
-- window_size must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, P1D
## Resources
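Review bot: The removed `Validations:` lists for `ssl_validation` and `alert` were the only place the docs stated the accepted values, for example that an `expected_status_code` of 0 means 'response code < 400' and that `ssl_cert_remaining_lifetime` must be between 1 and 365. Since this file is regenerated, move those constraints into the variables' `description` strings so they survive generation. If the constraints are still enforced by validation blocks, callers will otherwise only learn them from a validation error.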
diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/data.tf b/infrastructure/modules/cdn-frontdoor-endpoint/data.tf
index 9c6f7ac3..7dc0f9af 100644
--- a/infrastructure/modules/cdn-frontdoor-endpoint/data.tf
+++ b/infrastructure/modules/cdn-frontdoor-endpoint/data.tf
@@ -8,7 +8,7 @@ data "azurerm_dns_zone" "custom" {
}
data "azurerm_cdn_frontdoor_firewall_policy" "waf" {
- for_each = var.security_policies
+ for_each = { for k, v in var.security_policies : k => v if v.cdn_frontdoor_firewall_policy_name != null }
name = each.value.cdn_frontdoor_firewall_policy_name
resource_group_name = each.value.cdn_frontdoor_firewall_policy_rg_name
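Review bot: The `for_each` filter keys on `cdn_frontdoor_firewall_policy_name != null`, so an entry that sets both `cdn_frontdoor_firewall_policy_id` and a name still performs the data source lookup that passing the ID is meant to avoid. Filter on `v.cdn_frontdoor_firewall_policy_id == null` instead (or as well), and consider also requiring `cdn_frontdoor_firewall_policy_rg_name != null`, since that attribute is now optional and is passed straight to `resource_group_name`.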
diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/main.tf b/infrastructure/modules/cdn-frontdoor-endpoint/main.tf
index ab1a1daa..1f30dee2 100644
--- a/infrastructure/modules/cdn-frontdoor-endpoint/main.tf
+++ b/infrastructure/modules/cdn-frontdoor-endpoint/main.tf
@@ -112,7 +112,7 @@ resource "azurerm_cdn_frontdoor_security_policy" "this" {
security_policies {
firewall {
- cdn_frontdoor_firewall_policy_id = data.azurerm_cdn_frontdoor_firewall_policy.waf[each.key].id
+ cdn_frontdoor_firewall_policy_id = each.value.cdn_frontdoor_firewall_policy_id != null ? each.value.cdn_frontdoor_firewall_policy_id : data.azurerm_cdn_frontdoor_firewall_policy.waf[each.key].id
association {
patterns_to_match = ["/*"]
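Review bot: In the fallback branch of `cdn_frontdoor_firewall_policy_id`, `data.azurerm_cdn_frontdoor_firewall_policy.waf[each.key]` has no element for an entry whose ID and name are both null, because data.tf now filters those keys out. A security policy with no WAF reference would then fail on an index error rather than a clear message. Reject that combination up front with a variable validation so a missing WAF policy is reported explicitly.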
diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md b/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md
index 315436bb..eaaa13a0 100644
--- a/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md
+++ b/infrastructure/modules/cdn-frontdoor-endpoint/tfdocs.md
@@ -130,8 +130,9 @@ Type:
```hcl
map(object({
associated_domain_keys = list(string) # From var.custom_domains above, use "endpoint" for the default domain
- cdn_frontdoor_firewall_policy_name = string
- cdn_frontdoor_firewall_policy_rg_name = string
+ cdn_frontdoor_firewall_policy_id = optional(string, null) # Pass ID directly to avoid data source lookup when policy is created in the same apply
+ cdn_frontdoor_firewall_policy_name = optional(string, null)
+ cdn_frontdoor_firewall_policy_rg_name = optional(string, null)
}))
```
diff --git a/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf b/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf
index a16cded4..67317fde 100644
--- a/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf
+++ b/infrastructure/modules/cdn-frontdoor-endpoint/variables.tf
@@ -90,8 +90,9 @@ variable "security_policies" {
description = "Optional map of security policies to apply. Each must include the WAF policy and domain associations"
type = map(object({
associated_domain_keys = list(string) # From var.custom_domains above, use "endpoint" for the default domain
- cdn_frontdoor_firewall_policy_name = string
- cdn_frontdoor_firewall_policy_rg_name = string
+ cdn_frontdoor_firewall_policy_id = optional(string, null) # Pass ID directly to avoid data source lookup when policy is created in the same apply
+ cdn_frontdoor_firewall_policy_name = optional(string, null)
+ cdn_frontdoor_firewall_policy_rg_name = optional(string, null)
}))
default = {}
}
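Review bot: With all three `cdn_frontdoor_firewall_policy_*` attributes now `optional(string, null)`, the type no longer enforces what the `description` still promises ("Each must include the WAF policy"). Add a `validation` block requiring either `cdn_frontdoor_firewall_policy_id` or both the name and resource group name, and update the description to explain the two ways of supplying the policy.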
diff --git a/infrastructure/modules/container-app/tfdocs.md b/infrastructure/modules/container-app/tfdocs.md
index a98f419e..8584ea66 100644
--- a/infrastructure/modules/container-app/tfdocs.md
+++ b/infrastructure/modules/container-app/tfdocs.md
@@ -306,11 +306,11 @@ Description: URL of the container app. Only available if is\_web\_app is true.
The following resources are used by this module:
- [azapi_resource.auth](https://registry.terraform.io/providers/azure/azapi/2.5.0/docs/resources/resource) (resource)
-- [azurerm_container_app.main](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/container_app) (resource)
-- [azurerm_monitor_metric_alert.cpu](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_monitor_metric_alert.memory](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_monitor_metric_alert.replica_restart_alert](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/resources/monitor_metric_alert) (resource)
-- [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/client_config) (data source)
-- [azurerm_key_vault.infra](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault) (data source)
-- [azurerm_key_vault_secret.infra](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault_secret) (data source)
-- [azurerm_key_vault_secrets.app](https://registry.terraform.io/providers/hashicorp/azurerm/4.34.0/docs/data-sources/key_vault_secrets) (data source)
+- [azurerm_container_app.main](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app) (resource)
+- [azurerm_monitor_metric_alert.cpu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_monitor_metric_alert.memory](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_monitor_metric_alert.replica_restart_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) (resource)
+- [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
+- [azurerm_key_vault.infra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) (data source)
+- [azurerm_key_vault_secret.infra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) (data source)
+- [azurerm_key_vault_secrets.app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secrets) (data source)
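Review bot: The azurerm links change from the pinned `4.34.0` to `latest` while the azapi link above stays at `2.5.0`, which suggests the docs were generated without a resolved azurerm version. Confirm the module still constrains the azurerm provider version and regenerate against the lock file, so the documentation links match the provider release that is actually deployed.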
diff --git a/infrastructure/modules/function-app/tfdocs.md b/infrastructure/modules/function-app/tfdocs.md
index 771c4123..73a31ded 100644
--- a/infrastructure/modules/function-app/tfdocs.md
+++ b/infrastructure/modules/function-app/tfdocs.md
@@ -146,6 +146,14 @@ Type: `number`
Default: `10`
+### [alert\_auto\_mitigate](#input\_alert\_auto\_mitigate)
+
+Description: Enable or disable automatic mitigation of the alert when the issue is resolved.
+
+Type: `bool`
+
+Default: `true`
+
### [alert\_window\_size](#input\_alert\_window\_size)
Description: The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly.
diff --git a/infrastructure/modules/key-vault/tfdocs.md b/infrastructure/modules/key-vault/tfdocs.md
index 39148419..037432da 100644
--- a/infrastructure/modules/key-vault/tfdocs.md
+++ b/infrastructure/modules/key-vault/tfdocs.md
@@ -60,6 +60,46 @@ Type: `string`
The following input variables are optional (have default values):
+### [action\_group\_id](#input\_action\_group\_id)
+
+Description: The ID of the Action Group to use for alerts.
+
+Type: `string`
+
+Default: `null`
+
+### [certificate\_expired\_alert](#input\_certificate\_expired\_alert)
+
+Description: n/a
+
+Type:
+
+```hcl
+object({
+ evaluation_frequency = string
+ window_duration = string
+ threshold = number
+ })
+```
+
+Default: `null`
+
+### [certificate\_near\_expiry\_alert](#input\_certificate\_near\_expiry\_alert)
+
+Description: n/a
+
+Type:
+
+```hcl
+object({
+ evaluation_frequency = string
+ window_duration = string
+ threshold = number
+ })
+```
+
+Default: `null`
+
### [disk\_encryption](#input\_disk\_encryption)
Description: Should the disk encryption be enabled
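Review bot: Both `certificate_expired_alert` and `certificate_near_expiry_alert` are generated with `Description: n/a`, and nothing says what `threshold` counts or what format `evaluation_frequency` and `window_duration` take. Add `description` strings to these variables in variables.tf, including the units, so that certificate expiry alerting can be configured without reading the alert rule source.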
@@ -68,6 +108,14 @@ Type: `bool`
Default: `true`
+### [enable\_alerting](#input\_enable\_alerting)
+
+Description: Whether monitoring and alerting is enabled for the Key Vault.
+
+Type: `bool`
+
+Default: `false`
+
### [enable\_rbac\_authorization](#input\_enable\_rbac\_authorization)
Description: n/a
@@ -108,118 +156,69 @@ Type: `list(string)`
Default: `[]`
-### [sku\_name](#input\_sku\_name)
-
-Description: Type of the Key Vault's SKU.
-
-Type: `string`
-
-Default: `"standard"`
-
-### [soft\_delete\_retention](#input\_soft\_delete\_retention)
-
-Description: Number of days to retain a deleted vault
-
-Type: `number`
-
-Default: `"7"`
-
-### [tags](#input\_tags)
-
-Description: Resource tags to be applied throughout the deployment.
-
-Type: `map(string)`
-
-Default: `{}`
-
### [resource\_group\_name\_monitoring](#input\_resource\_group\_name\_monitoring)
-Description: The name of the resource group in which to create monitoring resources for the Key Vault. Changing this forces a new resource to be created.
-
-Type: `string`
-
-Default: `null`
-
-### [action\_group\_id](#input\_action\_group\_id)
-
-Description: The ID of the Action Group to use for alerts.
+Description: The name of the resource group in which to create the Monitoring resources for the Key Vault. Changing this forces a new resource to be created.
Type: `string`
Default: `null`
-### [enable\_alerting](#input\_enable\_alerting)
-
-Description: Whether monitoring and alerting is enabled for the Key Vault.
-
-Type: `bool`
-
-Default: `false`
-
-### [secret\_near\_expiry\_alert](#input\_secret\_near\_expiry\_alert)
+### [secret\_expired\_alert](#input\_secret\_expired\_alert)
-Description: Configuration for the Key Vault secret near expiry alert.
+Description: n/a
Type:
```hcl
object({
- evaluation_frequency = string
- window_duration = string
- threshold = number
-})
+ evaluation_frequency = string
+ window_duration = string
+ threshold = number
+ })
```
Default: `null`
-### [secret\_expired\_alert](#input\_secret\_expired\_alert)
+### [secret\_near\_expiry\_alert](#input\_secret\_near\_expiry\_alert)
-Description: Configuration for the Key Vault secret expired alert.
+Description: n/a
Type:
```hcl
object({
- evaluation_frequency = string
- window_duration = string
- threshold = number
-})
+ evaluation_frequency = string
+ window_duration = string
+ threshold = number
+ })
```
Default: `null`
-### [certificate\_near\_expiry\_alert](#input\_certificate\_near\_expiry\_alert)
+### [sku\_name](#input\_sku\_name)
-Description: Configuration for the Key Vault certificate near expiry alert.
+Description: Type of the Key Vault's SKU.
-Type:
+Type: `string`
-```hcl
-object({
- evaluation_frequency = string
- window_duration = string
- threshold = number
-})
-```
+Default: `"standard"`
-Default: `null`
+### [soft\_delete\_retention](#input\_soft\_delete\_retention)
-### [secret\_certificate\_alert](#input\_certificate\_expired\_alert)
+Description: Number of days to retain a deleted vault
-Description: Configuration for the Key Vault certificate expired alert.
+Type: `number`
-Type:
+Default: `"7"`
-```hcl
-object({
- evaluation_frequency = string
- window_duration = string
- threshold = number
-})
-```
+### [tags](#input\_tags)
-Default: `null`
+Description: Resource tags to be applied throughout the deployment.
+Type: `map(string)`
+
+Default: `{}`
## Modules
The following Modules are called:
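Review bot: `soft_delete_retention` is documented as `Type: number` with `Default: "7"`, a quoted string, which points to a string default in variables.tf; change it to `7`. In the same hunk the `secret_expired_alert` and `secret_near_expiry_alert` descriptions are replaced by `n/a`, so restore them as `description` strings on the variables before regenerating.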
@@ -261,4 +260,8 @@ Description: n/a
The following resources are used by this module:
- [azurerm_key_vault.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) (resource)
+- [azurerm_monitor_scheduled_query_rules_alert_v2.kv_certificate_expired](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) (resource)
+- [azurerm_monitor_scheduled_query_rules_alert_v2.kv_certificate_near_expiry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) (resource)
+- [azurerm_monitor_scheduled_query_rules_alert_v2.kv_secret_expired](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) (resource)
+- [azurerm_monitor_scheduled_query_rules_alert_v2.kv_secret_near_expiry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) (resource)
- [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
index f9a96ab2..9546da04 100644
--- a/infrastructure/modules/storage/tfdocs.md
+++ b/infrastructure/modules/storage/tfdocs.md
@@ -37,13 +37,13 @@ Type: `string`
### [monitor\_diagnostic\_setting\_storage\_account\_enabled\_logs](#input\_monitor\_diagnostic\_setting\_storage\_account\_enabled\_logs)
-Description: Controls what logs will be enabled for the storage
+Description: Controls what logs will be enabled for the storage services
Type: `list(string)`
### [monitor\_diagnostic\_setting\_storage\_account\_metrics](#input\_monitor\_diagnostic\_setting\_storage\_account\_metrics)
-Description: Controls what metrics will be enabled for the storage
+Description: Controls what metrics will be enabled for the storage services
Type: `list(string)`
@@ -153,6 +153,20 @@ Type: `bool`
Default: `false`
+### [monitor\_diagnostic\_setting\_storage\_account\_resource\_metrics](#input\_monitor\_diagnostic\_setting\_storage\_account\_resource\_metrics)
+
+Description: Controls what metrics will be enabled for the storage account itself
+
+Type: `list(string)`
+
+Default:
+
+```json
+[
+ "Transaction"
+]
+```
+
### [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled)
Description: Controls whether data in the account may be accessed from public networks.
@@ -227,6 +241,12 @@ Source: ../diagnostic-settings
Version:
+### [diagnostic-settings-sa-resource](#module\_diagnostic-settings-sa-resource)
+
+Source: ../diagnostic-settings
+
+Version:
+
### [private\_endpoint\_blob\_storage](#module\_private\_endpoint\_blob\_storage)
Source: ../private-endpoint