subcategory | layout | page_title | description |
---|---|---|---|
Container Apps |
azurerm |
Azure Resource Manager: azurerm_container_app |
Manages a Container App. |
Manages a Container App.
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_log_analytics_workspace" "example" {
name = "acctest-01"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_container_app_environment" "example" {
name = "Example-Environment"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
}
resource "azurerm_container_app" "example" {
name = "example-app"
container_app_environment_id = azurerm_container_app_environment.example.id
resource_group_name = azurerm_resource_group.example.name
revision_mode = "Single"
template {
container {
name = "examplecontainerapp"
image = "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest"
cpu = 0.25
memory = "0.5Gi"
}
}
}
The following arguments are supported:
-
container_app_environment_id
- (Required) The ID of the Container App Environment within which this Container App should exist. Changing this forces a new resource to be created. -
name
- (Required) The name for this Container App. Changing this forces a new resource to be created. -
resource_group_name
- (Required) The name of the resource group in which the Container App Environment is to be created. Changing this forces a new resource to be created. -
revision_mode
- (Required) The revisions operational mode for the Container App. Possible values includeSingle
andMultiple
. InSingle
mode, a single revision is in operation at any given time. InMultiple
mode, more than one revision can be active at a time and can be configured with load distribution via thetraffic_weight
block in theingress
configuration. -
template
- (Required) Atemplate
block as detailed below.
-
dapr
- (Optional) Adapr
block as detailed below. -
identity
- (Optional) Anidentity
block as detailed below. -
ingress
- (Optional) Aningress
block as detailed below. -
registry
- (Optional) Aregistry
block as detailed below. -
secret
- (Optional) One or moresecret
block as detailed below. -
workload_profile_name
- (Optional) The name of the Workload Profile in the Container App Environment to place this Container App.
~> Note: Omit this value to use the default Consumption
Workload Profile.
tags
- (Optional) A mapping of tags to assign to the Container App.
A secret
block supports the following:
identity
- (Optional) The identity to use for accessing the Key Vault secret reference. This can either be the Resource ID of a User Assigned Identity, orSystem
for the System Assigned Identity.
!> Note: identity
must be used together with key_vault_secret_id
key_vault_secret_id
- (Optional) The ID of a Key Vault secret. This can be a versioned or version-less ID.
!> Note: When using key_vault_secret_id
, ignore_changes
should be used to ignore any changes to value
.
-
name
- (Required) The secret name. -
value
- (Optional) The value for this secret.
!> Note: value
will be ignored if key_vault_secret_id
and identity
are provided.
A template
block supports the following:
-
init_container
- (Optional) The definition of an init container that is part of the group as documented in theinit_container
block below. -
container
- (Required) One or morecontainer
blocks as detailed below. -
max_replicas
- (Optional) The maximum number of replicas for this container. -
min_replicas
- (Optional) The minimum number of replicas for this container. -
azure_queue_scale_rule
- (Optional) One or moreazure_queue_scale_rule
blocks as defined below. -
custom_scale_rule
- (Optional) One or morecustom_scale_rule
blocks as defined below. -
http_scale_rule
- (Optional) One or morehttp_scale_rule
blocks as defined below. -
tcp_scale_rule
- (Optional) One or moretcp_scale_rule
blocks as defined below. -
revision_suffix
- (Optional) The suffix for the revision. This value must be unique for the lifetime of the Resource. If omitted the service will use a hash function to create one. -
volume
- (Optional) Avolume
block as detailed below.
An azure_queue_scale_rule
block supports the following:
-
name
- (Required) The name of the Scaling Rule -
queue_name
- (Required) The name of the Azure Queue -
queue_length
- (Required) The value of the length of the queue to trigger scaling actions. -
authentication
- (Required) One or moreauthentication
blocks as defined below.
A custom_scale_rule
block supports the following:
-
name
- (Required) The name of the Scaling Rule -
custom_rule_type
- (Required) The Custom rule type. Possible values include:activemq
,artemis-queue
,kafka
,pulsar
,aws-cloudwatch
,aws-dynamodb
,aws-dynamodb-streams
,aws-kinesis-stream
,aws-sqs-queue
,azure-app-insights
,azure-blob
,azure-data-explorer
,azure-eventhub
,azure-log-analytics
,azure-monitor
,azure-pipelines
,azure-servicebus
,azure-queue
,cassandra
,cpu
,cron
,datadog
,elasticsearch
,external
,external-push
,gcp-stackdriver
,gcp-storage
,gcp-pubsub
,graphite
,http
,huawei-cloudeye
,ibmmq
,influxdb
,kubernetes-workload
,liiklus
,memory
,metrics-api
,mongodb
,mssql
,mysql
,nats-jetstream
,stan
,tcp
,new-relic
,openstack-metric
,openstack-swift
,postgresql
,predictkube
,prometheus
,rabbitmq
,redis
,redis-cluster
,redis-sentinel
,redis-streams
,redis-cluster-streams
,redis-sentinel-streams
,selenium-grid
,solace-event-queue
, andgithub-runner
. -
metadata
- (Required) - A map of string key-value pairs to configure the Custom Scale Rule. -
authentication
- (Optional) Zero or moreauthentication
blocks as defined below.
A http_scale_rule
block supports the following:
-
name
- (Required) The name of the Scaling Rule -
concurrent_requests
- (Required) - The number of concurrent requests to trigger scaling. -
authentication
- (Optional) Zero or moreauthentication
blocks as defined below.
A tcp_scale_rule
block supports the following:
-
name
- (Required) The name of the Scaling Rule -
concurrent_requests
- (Required) - The number of concurrent requests to trigger scaling. -
authentication
- (Optional) Zero or moreauthentication
blocks as defined below.
An authentication
block supports the following:
-
secret_name
- (Required) The name of the Container App Secret to use for this Scale Rule Authentication. -
trigger_parameter
- (Required) The Trigger Parameter name to use the supply the value retrieved from thesecret_name
.
A volume
block supports the following:
-
name
- (Required) The name of the volume. -
storage_name
- (Optional) The name of theAzureFile
storage. -
storage_type
- (Optional) The type of storage volume. Possible values areAzureFile
,EmptyDir
andSecret
. Defaults toEmptyDir
.
An init_container
block supports:
-
args
- (Optional) A list of extra arguments to pass to the container. -
command
- (Optional) A command to pass to the container to override the default. This is provided as a list of command line elements without spaces. -
cpu
- (Optional) The amount of vCPU to allocate to the container. Possible values include0.25
,0.5
,0.75
,1.0
,1.25
,1.5
,1.75
, and2.0
. When there's a workload profile specified, there's no such constraint.
~> NOTE: cpu
and memory
must be specified in 0.25'/'0.5Gi
combination increments. e.g. 1.0
/ 2.0
or 0.5
/ 1.0
-
env
- (Optional) One or moreenv
blocks as detailed below. -
ephemeral_storage
- The amount of ephemeral storage available to the Container App.
~> NOTE: ephemeral_storage
is currently in preview and not configurable at this time.
-
image
- (Required) The image to use to create the container. -
memory
- (Optional) The amount of memory to allocate to the container. Possible values are0.5Gi
,1Gi
,1.5Gi
,2Gi
,2.5Gi
,3Gi
,3.5Gi
and4Gi
. When there's a workload profile specified, there's no such constraint.
~> NOTE: cpu
and memory
must be specified in 0.25'/'0.5Gi
combination increments. e.g. 1.25
/ 2.5Gi
or 0.75
/ 1.5Gi
-
name
- (Required) The name of the container -
volume_mounts
- (Optional) Avolume_mounts
block as detailed below.
A container
block supports the following:
-
args
- (Optional) A list of extra arguments to pass to the container. -
command
- (Optional) A command to pass to the container to override the default. This is provided as a list of command line elements without spaces. -
cpu
- (Required) The amount of vCPU to allocate to the container. Possible values include0.25
,0.5
,0.75
,1.0
,1.25
,1.5
,1.75
, and2.0
. When there's a workload profile specified, there's no such constraint.
~> NOTE: cpu
and memory
must be specified in 0.25'/'0.5Gi
combination increments. e.g. 1.0
/ 2.0
or 0.5
/ 1.0
-
env
- (Optional) One or moreenv
blocks as detailed below. -
ephemeral_storage
- The amount of ephemeral storage available to the Container App.
~> NOTE: ephemeral_storage
is currently in preview and not configurable at this time.
-
image
- (Required) The image to use to create the container. -
liveness_probe
- (Optional) Aliveness_probe
block as detailed below. -
memory
- (Required) The amount of memory to allocate to the container. Possible values are0.5Gi
,1Gi
,1.5Gi
,2Gi
,2.5Gi
,3Gi
,3.5Gi
and4Gi
. When there's a workload profile specified, there's no such constraint.
~> NOTE: cpu
and memory
must be specified in 0.25'/'0.5Gi
combination increments. e.g. 1.25
/ 2.5Gi
or 0.75
/ 1.5Gi
-
name
- (Required) The name of the container -
readiness_probe
- (Optional) Areadiness_probe
block as detailed below. -
startup_probe
- (Optional) Astartup_probe
block as detailed below. -
volume_mounts
- (Optional) Avolume_mounts
block as detailed below.
A liveness_probe
block supports the following:
-
failure_count_threshold
- (Optional) The number of consecutive failures required to consider this probe as failed. Possible values are between1
and10
. Defaults to3
. -
header
- (Optional) Aheader
block as detailed below. -
host
- (Optional) The probe hostname. Defaults to the pod IP address. Setting a value forHost
inheaders
can be used to override this forHTTP
andHTTPS
type probes. -
initial_delay
- (Optional) The time in seconds to wait after the container has started before the probe is started. -
interval_seconds
- (Optional) How often, in seconds, the probe should run. Possible values are in the range1
-240
. Defaults to10
. -
path
- (Optional) The URI to use with thehost
for http type probes. Not valid forTCP
type probes. Defaults to/
. -
port
- (Required) The port number on which to connect. Possible values are between1
and65535
. -
termination_grace_period_seconds
- The time in seconds after the container is sent the termination signal before the process if forcibly killed. -
timeout
- (Optional) Time in seconds after which the probe times out. Possible values are in the range1
-240
. Defaults to1
. -
transport
- (Required) Type of probe. Possible values areTCP
,HTTP
, andHTTPS
.
A header
block supports the following:
-
name
- (Required) The HTTP Header Name. -
value
- (Required) The HTTP Header value.
An env
block supports the following:
-
name
- (Required) The name of the environment variable for the container. -
secret_name
- (Optional) The name of the secret that contains the value for this environment variable. -
value
- (Optional) The value for this environment variable.
~> NOTE: This value is ignored if secret_name
is used
A readiness_probe
block supports the following:
-
failure_count_threshold
- (Optional) The number of consecutive failures required to consider this probe as failed. Possible values are between1
and10
. Defaults to3
. -
header
- (Optional) Aheader
block as detailed below. -
host
- (Optional) The probe hostname. Defaults to the pod IP address. Setting a value forHost
inheaders
can be used to override this forHTTP
andHTTPS
type probes. -
interval_seconds
- (Optional) How often, in seconds, the probe should run. Possible values are between1
and240
. Defaults to10
-
path
- (Optional) The URI to use for http type probes. Not valid forTCP
type probes. Defaults to/
. -
port
- (Required) The port number on which to connect. Possible values are between1
and65535
. -
success_count_threshold
- (Optional) The number of consecutive successful responses required to consider this probe as successful. Possible values are between1
and10
. Defaults to3
. -
timeout
- (Optional) Time in seconds after which the probe times out. Possible values are in the range1
-240
. Defaults to1
. -
transport
- (Required) Type of probe. Possible values areTCP
,HTTP
, andHTTPS
.
A header
block supports the following:
-
name
- (Required) The HTTP Header Name. -
value
- (Required) The HTTP Header value.
A startup_probe
block supports the following:
-
failure_count_threshold
- (Optional) The number of consecutive failures required to consider this probe as failed. Possible values are between1
and10
. Defaults to3
. -
header
- (Optional) Aheader
block as detailed below. -
host
- (Optional) The value for the host header which should be sent with this probe. If unspecified, the IP Address of the Pod is used as the host header. Setting a value forHost
inheaders
can be used to override this forHTTP
andHTTPS
type probes. -
interval_seconds
- (Optional) How often, in seconds, the probe should run. Possible values are between1
and240
. Defaults to10
-
path
- (Optional) The URI to use with thehost
for http type probes. Not valid forTCP
type probes. Defaults to/
. -
port
- (Required) The port number on which to connect. Possible values are between1
and65535
. -
termination_grace_period_seconds
- The time in seconds after the container is sent the termination signal before the process if forcibly killed. -
timeout
- (Optional) Time in seconds after which the probe times out. Possible values are in the range1
-240
. Defaults to1
. -
transport
- (Required) Type of probe. Possible values areTCP
,HTTP
, andHTTPS
.
A header
block supports the following:
-
name
- (Required) The HTTP Header Name. -
value
- (Required) The HTTP Header value.
A volume_mounts
block supports the following:
-
name
- (Required) The name of the Volume to be mounted in the container. -
path
- (Required) The path in the container at which to mount this volume.
An identity
block supports the following:
-
type
- (Required) The type of managed identity to assign. Possible values areSystemAssigned
,UserAssigned
, andSystemAssigned, UserAssigned
(to enable both). -
identity_ids
- (Optional) - A list of one or more Resource IDs for User Assigned Managed identities to assign. Required whentype
is set toUserAssigned
orSystemAssigned, UserAssigned
.
An ingress
block supports the following:
-
allow_insecure_connections
- (Optional) Should this ingress allow insecure connections? -
custom_domain
- (Optional) One or morecustom_domain
block as detailed below. -
fqdn
- The FQDN of the ingress. -
external_enabled
- (Optional) Are connections to this Ingress from outside the Container App Environment enabled? Defaults tofalse
. -
ip_security_restriction
- (Optional) One or moreip_security_restriction
blocks for IP-filtering rules as defined below. -
target_port
- (Required) The target port on the container for the Ingress traffic. -
exposed_port
- (Optional) The exposed port on the container for the Ingress traffic.
~> Note: exposed_port
can only be specified when transport
is set to tcp
.
-
traffic_weight
- (Required) One or moretraffic_weight
blocks as detailed below. -
transport
- (Optional) The transport method for the Ingress. Possible values areauto
,http
,http2
andtcp
. Defaults toauto
.
A custom_domain
block supports the following:
-
certificate_binding_type
- (Optional) The Binding type. Possible values includeDisabled
andSniEnabled
. Defaults toDisabled
. -
certificate_id
- (Required) The ID of the Container App Environment Certificate. -
name
- (Required) The hostname of the Certificate. Must be the CN or a named SAN in the certificate.
A ip_security_restriction
block supports the following:
action
- (Required) The IP-filter action.Allow
orDeny
.
~> NOTE: The action
types in an all ip_security_restriction
blocks must be the same for the ingress
, mixing Allow
and Deny
rules is not currently supported by the service.
-
description
- (Optional) Describe the IP restriction rule that is being sent to the container-app. -
ip_address_range
- (Required) The incoming IP address or range of IP addresses (in CIDR notation). -
name
- (Required) Name for the IP restriction rule.
A traffic_weight
block supports the following:
~> Note: This block only applies when revision_mode
is set to Multiple
.
-
label
- (Optional) The label to apply to the revision as a name prefix for routing traffic. -
latest_revision
- (Optional) This traffic Weight applies to the latest stable Container Revision. At most only onetraffic_weight
block can have thelatest_revision
set totrue
. -
revision_suffix
- (Optional) The suffix string to which thistraffic_weight
applies.
~> Note: latest_revision
conflicts with revision_suffix
, which means you shall either set latest_revision
to true
or specify revision_suffix
. Especially for creation, there shall only be one traffic_weight
, with the latest_revision
set to true
, and leave the revision_suffix
empty.
percentage
- (Required) The percentage of traffic which should be sent this revision.
~> Note: The cumulative values for weight
must equal 100 exactly and explicitly, no default weights are assumed.
A dapr
block supports the following:
-
app_id
- (Required) The Dapr Application Identifier. -
app_port
- (Optional) The port which the application is listening on. This is the same as theingress
port. -
app_protocol
- (Optional) The protocol for the app. Possible values includehttp
andgrpc
. Defaults tohttp
.
A registry
block supports the following:
server
- (Required) The hostname for the Container Registry.
The authentication details must also be supplied, identity
and username
/password_secret_name
are mutually exclusive.
identity
- (Optional) Resource ID for the User Assigned Managed identity to use when pulling from the Container Registry.
~> Note: The Resource ID must be of a User Assigned Managed identity defined in an identity
block.
-
password_secret_name
- (Optional) The name of the Secret Reference containing the password value for this user on the Container Registry,username
must also be supplied. -
username
- (Optional) The username to use for this Container Registry,password_secret_name
must also be supplied..
In addition to the Arguments listed above - the following Attributes are exported:
-
id
- The ID of the Container App. -
custom_domain_verification_id
- The ID of the Custom Domain Verification for this Container App. -
latest_revision_fqdn
- The FQDN of the Latest Revision of the Container App. -
latest_revision_name
- The name of the latest Container Revision. -
location
- The location this Container App is deployed in. This is the same as the Environment in which it is deployed. -
outbound_ip_addresses
- A list of the Public IP Addresses which the Container App uses for outbound network access.
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Container App.update
- (Defaults to 30 minutes) Used when updating the Container App.read
- (Defaults to 5 minutes) Used when retrieving the Container App.delete
- (Defaults to 30 minutes) Used when deleting the Container App.
A Container App can be imported using the resource id
, e.g.
terraform import azurerm_container_app.example "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resGroup1/providers/Microsoft.App/containerApps/myContainerApp"