4.2.0¶

Release Date: April 9, 2026

✨ New Features¶

`azure-networking`: Front Door Endpoint Module (`frontdoor_endpoint`)¶

A new frontdoor_endpoint module is available under azure-networking. It provisions an Azure Front Door endpoint with an always-on WAF security policy enforced through an internal security submodule — teams get a single module that handles the full endpoint + WAF lifecycle without needing to wire resources together manually.

Features:

Always-on WAF — WAF policy is always created and attached; there is no opt-out. Prevention mode is enforced across all environments.
Security submodule — all WAF concerns (policy naming, managed rule set versions, SAIF corporate IP list) are owned by the internal security/ submodule and are not configurable by consumers, ensuring consistent enforcement.
Hostname bypass prevention — WAF policy is automatically attached to both the *.azurefd.net endpoint and the custom domain (when present).
only_allow_saif_traffic — restricts endpoint access to SAIF corporate CIDRs (module-owned, not configurable).
ip_allow_list — caller-supplied CIDR allowlist; cannot be used together with only_allow_saif_traffic when it contains one or more CIDRs.
Mutual exclusivity enforcement — a check block fails with a descriptive error if only_allow_saif_traffic = true and ip_allow_list contains one or more CIDRs.
Optional custom domain — set subdomain to create a *.saif.com custom domain with managed TLS certificate.
security_policy_name override — optionally override the generated security policy name.

Example:

module "my_endpoint" {
  source = "../../modules/azure-networking/modules/frontdoor_endpoint"

  name                     = "my-api"
  cdn_frontdoor_profile_id = module.frontdoor.profile_id
  resource_group_name      = "rg-networking-prd"
  waf_owner                = "saif"
  environment_short_name   = "prd"
  subdomain                = "my-api"

  only_allow_saif_traffic = true
}

`azure-networking`: Front Door WAF Firewall Policy Module (`frontdoor_firewall_policy`)¶

A standalone frontdoor_firewall_policy module is available for teams with existing shared Front Door profiles who are not yet ready to migrate to the frontdoor_endpoint module.

Features:

Managed rule sets — Microsoft_DefaultRuleSet (v2.1) and Microsoft_BotManagerRuleSet (v1.1), both in Block mode, with configurable versions.
internal_access_only — embeds int or ext in the generated policy name, distinguishing internal vs external-facing policies.
ip_allow_list — generic CIDR allowlist; a priority-2 Block rule denies all source IPs not in the list.
only_allow_saif_traffic + saif_corp_ip_allow_list — SAIF Corp-specific IP restriction at priority 1.
mode — Detection (default) or Prevention.
sku_name — locked to Premium_AzureFrontDoor (required for managed rule sets).
Outputs firewall_policy_id for use with azurerm_cdn_frontdoor_security_policy.

Example:

module "waf_policy" {
  source = "../../modules/azure-networking/modules/frontdoor_firewall_policy"

  resource_group_name    = "rg-networking-prd"
  owner                  = "saif"
  environment_short_name = "prd"
  internal_access_only   = false
  mode                   = "Prevention"
}

🔧 Enhancements¶

`azure-networking`: `private_endpoint` — Manual Connection Request Message Support¶

The private_endpoint module now supports the request_message input for manual connection approvals. A lifecycle precondition enforces that request_message is only set when is_manual_connection = true, providing a clear plan-time error for invalid combinations.

New variable: request_message (string, default null) — message sent to the remote resource owner when requesting a manual connection.
Precondition added: plan fails with a descriptive error if request_message != null and is_manual_connection = false.

🔄 Breaking Changes¶

None in this release ✅

📋 Additional Notes¶

Total commits: 1
Files changed: 15
Contributors: Jason Coria Corona Yue

Support¶

📧 Teams Support Channel: Support