subcategory | layout | page_title | description |
---|---|---|---|
App Service (Web Apps) | azurerm | Azure Resource Manager: azurerm_app_service | Manages an App Service (within an App Service Plan). |

Manages an App Service (within an App Service Plan).

-> Note: When using Slots, the `app_settings`, `connection_string` and `site_config` blocks on the `azurerm_app_service` resource will be overwritten when promoting a Slot using the `azurerm_app_service_active_slot` resource.

This example provisions a Windows App Service. Other examples of the `azurerm_app_service` resource can be found in the `./examples/app-service` directory within the GitHub repository.

```hcl
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_app_service_plan" "example" {
  name                = "example-appserviceplan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  site_config {
    dotnet_framework_version = "v4.0"
    scm_type                 = "LocalGit"
  }

  app_settings = {
    "SOME_KEY" = "some-value"
  }

  connection_string {
    name  = "Database"
    type  = "SQLServer"
    value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
  }
}
```

The following arguments are supported:

- `name` - (Required) Specifies the name of the App Service. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the resource group in which to create the App Service.
- `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- `app_service_plan_id` - (Required) The ID of the App Service Plan within which to create this App Service.
- `app_settings` - (Optional) A key-value pair of App Settings.
- `auth_settings` - (Optional) An `auth_settings` block as defined below.
- `storage_account` - (Optional) One or more `storage_account` blocks as defined below.
- `backup` - (Optional) A `backup` block as defined below.
- `connection_string` - (Optional) One or more `connection_string` blocks as defined below.
- `client_affinity_enabled` - (Optional) Should the App Service send session affinity cookies, which route client requests in the same session to the same instance?
- `client_cert_enabled` - (Optional) Does the App Service require client certificates for incoming requests? Defaults to `false`.
- `enabled` - (Optional) Is the App Service Enabled?
- `https_only` - (Optional) Can the App Service only be accessed via HTTPS? Defaults to `false`.
- `logs` - (Optional) A `logs` block as defined below.
- `site_config` - (Optional) A `site_config` block as defined below.
- `tags` - (Optional) A mapping of tags to assign to the resource.
- `identity` - (Optional) A Managed Service Identity block as defined below.

A `storage_account` block supports the following:

- `name` - (Required) The name of the storage account identifier.
- `type` - (Required) The type of storage. Possible values are `AzureBlob` and `AzureFiles`.
- `account_name` - (Required) The name of the storage account.
- `share_name` - (Required) The name of the file share (container name, for Blob storage).
- `access_key` - (Required) The access key for the storage account.
- `mount_path` - (Optional) The path to mount the storage within the site's runtime environment.

A `connection_string` block supports the following:

- `name` - (Required) The name of the Connection String.
- `type` - (Required) The type of the Connection String. Possible values are `APIHub`, `Custom`, `DocDb`, `EventHub`, `MySQL`, `NotificationHub`, `PostgreSQL`, `RedisCache`, `ServiceBus`, `SQLAzure` and `SQLServer`.
- `value` - (Required) The value for the Connection String.

An `identity` block supports the following:

- `type` - (Required) Specifies the identity type of the App Service. Possible values are `SystemAssigned` (where Azure will generate a Service Principal for you), `UserAssigned` where you can specify the Service Principal IDs in the `identity_ids` field, and `SystemAssigned, UserAssigned` which assigns both a system managed identity as well as the specified user assigned identities.

~> NOTE: When `type` is set to `SystemAssigned`, the assigned `principal_id` and `tenant_id` can be retrieved after the App Service has been created. More details are available below.

- `identity_ids` - (Optional) Specifies a list of user managed identity ids to be assigned. Required if `type` is `UserAssigned`.

A `logs` block supports the following:

- `application_logs` - (Optional) An `application_logs` block as defined below.
- `http_logs` - (Optional) An `http_logs` block as defined below.

An `application_logs` block supports the following:

- `azure_blob_storage` - (Optional) An `azure_blob_storage` block as defined below.

An `http_logs` block supports one of the following:

- `file_system` - (Optional) A `file_system` block as defined below.
- `azure_blob_storage` - (Optional) An `azure_blob_storage` block as defined below.

An `azure_blob_storage` block supports the following:

- `level` - (Required) The level at which to log. Possible values include `Error`, `Warning`, `Information`, `Verbose` and `Off`. NOTE: this field is not available for `http_logs`.
- `sas_url` - (Required) The URL to the storage container, with a Service SAS token appended. NOTE: there is currently no means of generating Service SAS tokens with the `azurerm` provider.
- `retention_in_days` - (Required) The number of days to retain logs for.

A `file_system` block supports the following:

- `retention_in_days` - (Required) The number of days to retain logs for.
- `retention_in_mb` - (Required) The maximum size in megabytes that http log files can use before being removed.

A `site_config` block supports the following:

- `always_on` - (Optional) Should the app be loaded at all times? Defaults to `false`.
- `app_command_line` - (Optional) App command line to launch, e.g. `/sbin/myserver -b 0.0.0.0`.
- `cors` - (Optional) A `cors` block as defined below.
- `default_documents` - (Optional) The ordering of default documents to load, if an address isn't specified.
- `dotnet_framework_version` - (Optional) The version of the .net framework's CLR used in this App Service. Possible values are `v2.0` (which will use the latest version of the .net framework for the .net CLR v2 - currently `.net 3.5`) and `v4.0` (which corresponds to the latest version of the .net CLR v4 - which at the time of writing is `.net 4.7.1`). For more information on which .net CLR version to use based on the .net framework you're targeting - please see this table. Defaults to `v4.0`.
- `ftps_state` - (Optional) State of FTP / FTPS service for this App Service. Possible values include: `AllAllowed`, `FtpsOnly` and `Disabled`.
- `health_check_path` - (Optional) The health check path to be pinged by App Service. For more information - please see the corresponding Kudu Wiki page.

~> Note: This functionality is in Preview and is subject to changes (including breaking changes) on Azure's end

- `http2_enabled` - (Optional) Is HTTP2 Enabled on this App Service? Defaults to `false`.
- `ip_restriction` - (Optional) A List of objects representing ip restrictions as defined below.

-> NOTE User has to explicitly set `ip_restriction` to empty slice (`[]`) to remove it.

- `java_version` - (Optional) The version of Java to use. If specified `java_container` and `java_container_version` must also be specified. Possible values are `1.7`, `1.8` and `11` and their specific versions - except for Java 11 (e.g. `1.7.0_80`, `1.8.0_181`, `11`)
- `java_container` - (Optional) The Java Container to use. If specified `java_version` and `java_container_version` must also be specified. Possible values are `JAVA`, `JETTY`, and `TOMCAT`.
- `java_container_version` - (Optional) The version of the Java Container to use. If specified `java_version` and `java_container` must also be specified.
- `local_mysql_enabled` - (Optional) Is "MySQL In App" Enabled? This runs a local MySQL instance with your app and shares resources from the App Service plan.

~> NOTE: MySQL In App is not intended for production environments and will not scale beyond a single instance. Instead you may wish to use Azure Database for MySQL.

- `linux_fx_version` - (Optional) Linux App Framework and version for the App Service. Possible options are a Docker container (`DOCKER|<user/image:tag>`), a base-64 encoded Docker Compose file (`COMPOSE|${filebase64("compose.yml")}`) or a base-64 encoded Kubernetes Manifest (`KUBE|${filebase64("kubernetes.yml")}`).
- `windows_fx_version` - (Optional) The Windows Docker container image (`DOCKER|<user/image:tag>`)

Additional examples of how to run Containers via the `azurerm_app_service` resource can be found in the `./examples/app-service` directory within the GitHub repository.

- `managed_pipeline_mode` - (Optional) The Managed Pipeline Mode. Possible values are `Integrated` and `Classic`. Defaults to `Integrated`.
- `min_tls_version` - (Optional) The minimum supported TLS version for the app service. Possible values are `1.0`, `1.1`, and `1.2`. Defaults to `1.2` for new app services.
- `php_version` - (Optional) The version of PHP to use in this App Service. Possible values are `5.5`, `5.6`, `7.0`, `7.1`, `7.2`, and `7.3`.
- `python_version` - (Optional) The version of Python to use in this App Service. Possible values are `2.7` and `3.4`.
- `remote_debugging_enabled` - (Optional) Is Remote Debugging Enabled? Defaults to `false`.
- `remote_debugging_version` - (Optional) Which version of Visual Studio should the Remote Debugger be compatible with? Possible values are `VS2012`, `VS2013`, `VS2015` and `VS2017`.
- `scm_type` - (Optional) The type of Source Control enabled for this App Service. Defaults to `None`. Possible values are: `BitbucketGit`, `BitbucketHg`, `CodePlexGit`, `CodePlexHg`, `Dropbox`, `ExternalGit`, `ExternalHg`, `GitHub`, `LocalGit`, `None`, `OneDrive`, `Tfs`, `VSO`, and `VSTSRM`
- `use_32_bit_worker_process` - (Optional) Should the App Service run in 32 bit mode, rather than 64 bit mode?

~> NOTE: when using an App Service Plan in the `Free` or `Shared` Tiers `use_32_bit_worker_process` must be set to `true`.

- `websockets_enabled` - (Optional) Should WebSockets be enabled?

A `cors` block supports the following:

- `allowed_origins` - (Optional) A list of origins which should be able to make cross-origin calls. `*` can be used to allow all calls.
- `support_credentials` - (Optional) Are credentials supported?
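
The transport and network arguments described above, combined into one configuration. This is an added example, not part of the provider's own documentation; it reuses `azurerm_resource_group.example` and `azurerm_app_service_plan.example` from the example at the top of the page, and the app name, rule name, CIDR range and origin are constructed values.

```hcl
resource "azurerm_app_service" "hardened" {
  name                = "example-hardened-app" # constructed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  # https_only defaults to false, so it has to be set explicitly.
  https_only = true

  site_config {
    # Pin the TLS floor instead of relying on the "new app services" default.
    min_tls_version = "1.2"

    # Turn the FTP / FTPS service off rather than leaving it to the platform.
    ftps_state = "Disabled"

    # Already the default; stated so that drift shows up in a plan.
    remote_debugging_enabled = false

    # The default. site_credential is only exported for LocalGit,
    # so no publishing username/password ends up in outputs here.
    scm_type = "None"

    # Explicit allow rule for one address range (constructed value).
    ip_restriction {
      name       = "corp-egress"
      ip_address = "203.0.113.0/24"
      priority   = 100
      action     = "Allow"
    }

    # Name the calling origin instead of using "*", since this
    # app also accepts credentials on cross-origin calls.
    cors {
      allowed_origins     = ["https://portal.example.com"]
      support_credentials = true
    }
  }

  # System-assigned identity: no service principal secret to manage.
  identity {
    type = "SystemAssigned"
  }
}
```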

An `auth_settings` block supports the following:

- `enabled` - (Required) Is Authentication enabled?
- `active_directory` - (Optional) An `active_directory` block as defined below.
- `additional_login_params` - (Optional) Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value".
- `allowed_external_redirect_urls` - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app.
- `default_provider` - (Optional) The default provider to use when multiple providers have been set up. Possible values are `AzureActiveDirectory`, `Facebook`, `Google`, `MicrosoftAccount` and `Twitter`.

~> NOTE: When using multiple providers, the default provider must be set for settings like `unauthenticated_client_action` to work.

- `facebook` - (Optional) A `facebook` block as defined below.
- `google` - (Optional) A `google` block as defined below.
- `issuer` - (Optional) Issuer URI. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.
- `microsoft` - (Optional) A `microsoft` block as defined below.
- `runtime_version` - (Optional) The runtime version of the Authentication/Authorization module.
- `token_refresh_extension_hours` - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72.
- `token_store_enabled` - (Optional) If enabled the module will durably store platform-specific security tokens that are obtained during login flows. Defaults to false.
- `twitter` - (Optional) A `twitter` block as defined below.
- `unauthenticated_client_action` - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values are `AllowAnonymous` and `RedirectToLoginPage`.

An `active_directory` block supports the following:

- `client_id` - (Required) The Client ID of this relying party application. Enables OpenID Connect authentication with Azure Active Directory.
- `client_secret` - (Optional) The Client Secret of this relying party application. If no secret is provided, implicit flow will be used.
- `allowed_audiences` - (Optional) Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
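
An `auth_settings` block wired to Azure Active Directory, using only the arguments listed above. This is an added example, not part of the provider's own documentation; the variable names, app name and audience value are assumptions, and it reuses the resource group and plan from the example at the top of the page.

```hcl
# Hypothetical input variables; none of these names come from the provider.
variable "tenant_id" {
  type = string
}

variable "aad_client_id" {
  type = string
}

variable "aad_client_secret" {
  type      = string
  sensitive = true # variable-level redaction needs Terraform 0.14 or later
}

resource "azurerm_app_service" "authenticated" {
  name                = "example-authenticated-app" # constructed name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true

  auth_settings {
    enabled = true

    # Set the default provider so unauthenticated_client_action takes effect.
    default_provider = "AzureActiveDirectory"

    # Send anonymous requests to the login page instead of to the app.
    unauthenticated_client_action = "RedirectToLoginPage"

    # Directory tenant URI in the form given for the issuer argument.
    issuer = "https://sts.windows.net/${var.tenant_id}/"

    active_directory {
      client_id = var.aad_client_id

      # Without a secret the module uses implicit flow.
      client_secret = var.aad_client_secret

      # Audience values accepted when validating JWTs (constructed value).
      allowed_audiences = ["api://example-authenticated-app"]
    }
  }
}
```

Terraform records `client_secret` in its state, so the state backend needs the same access controls as the secret itself.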

A `facebook` block supports the following:

- `app_id` - (Required) The App ID of the Facebook app used for login
- `app_secret` - (Required) The App Secret of the Facebook app used for Facebook Login.
- `oauth_scopes` - (Optional) The OAuth 2.0 scopes that will be requested as part of Facebook Login authentication. https://developers.facebook.com/docs/facebook-login

A `google` block supports the following:

- `client_id` - (Required) The OpenID Connect Client ID for the Google web application.
- `client_secret` - (Required) The client secret associated with the Google web application.
- `oauth_scopes` - (Optional) The OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. https://developers.google.com/identity/sign-in/web/

An `ip_restriction` block supports the following:

- `ip_address` - (Optional) The IP Address used for this IP Restriction in CIDR notation.
- `virtual_network_subnet_id` - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

-> NOTE: One of either `ip_address` or `virtual_network_subnet_id` must be specified

- `name` - (Optional) The name for this IP Restriction.
- `priority` - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.
- `action` - (Optional) Does this restriction `Allow` or `Deny` access for this IP range? Defaults to `Allow`.

A `microsoft` block supports the following:

- `client_id` - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
- `client_secret` - (Required) The OAuth 2.0 client secret that was created for the app used for authentication.
- `oauth_scopes` - (Optional) The OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. https://msdn.microsoft.com/en-us/library/dn631845.aspx

A `backup` block supports the following:

- `name` - (Required) Specifies the name for this Backup.
- `enabled` - (Required) Is this Backup enabled?
- `storage_account_url` - (Optional) The SAS URL to a Storage Container where Backups should be saved.
- `schedule` - (Optional) A `schedule` block as defined below.

A `schedule` block supports the following:

- `frequency_interval` - (Required) Sets how often the backup should be executed.
- `frequency_unit` - (Optional) Sets the unit of time for how often the backup should be executed. Possible values are `Day` or `Hour`.
- `keep_at_least_one_backup` - (Optional) Should at least one backup always be kept in the Storage Account by the Retention Policy, regardless of how old it is?
- `retention_period_in_days` - (Optional) Specifies the number of days after which Backups should be deleted.
- `start_time` - (Optional) Sets when the schedule should start working.

The following attributes are exported:

- `id` - The ID of the App Service.
- `default_site_hostname` - The Default Hostname associated with the App Service - such as `mysite.azurewebsites.net`
- `outbound_ip_addresses` - A comma separated list of outbound IP addresses - such as `52.23.25.3,52.143.43.12`
- `possible_outbound_ip_addresses` - A comma separated list of outbound IP addresses - such as `52.23.25.3,52.143.43.12,52.143.43.17` - not all of which are necessarily in use. Superset of `outbound_ip_addresses`.
- `source_control` - A `source_control` block as defined below, which contains the Source Control information when `scm_type` is set to `LocalGit`.
- `site_credential` - A `site_credential` block as defined below, which contains the site-level credentials used to publish to this App Service.
- `identity` - An `identity` block as defined below, which contains the Managed Service Identity information for this App Service.

An `identity` block exports the following:

- `principal_id` - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.
- `tenant_id` - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.

-> You can access the Principal ID via `${azurerm_app_service.example.identity.0.principal_id}` and the Tenant ID via `${azurerm_app_service.example.identity.0.tenant_id}`

A `site_credential` block exports the following:

- `username` - The username which can be used to publish to this App Service
- `password` - The password associated with the username, which can be used to publish to this App Service.

~> NOTE: both `username` and `password` for the `site_credential` block are only exported when `scm_type` is set to `LocalGit`

A `source_control` block exports the following:

- `repo_url` - URL of the Git repository for this App Service.
- `branch` - Branch name of the Git repository for this App Service.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the App Service.
- `update` - (Defaults to 30 minutes) Used when updating the App Service.
- `read` - (Defaults to 5 minutes) Used when retrieving the App Service.
- `delete` - (Defaults to 30 minutes) Used when deleting the App Service.

App Services can be imported using the `resource id`, e.g.

```shell
terraform import azurerm_app_service.instance1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Web/sites/instance1
```