This module creates and manages Azure Container Apps, deployed within an Azure Virtual Network.
module "azure_container_apps_hosting" {
source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.13.0"
environment = "dev"
project_name = "myproject"
azure_location = "uksouth"
## Set launch_in_vnet to false to prevent deploying a new Virtual Network
# launch_in_vnet = false
## Specify the name of an existing Virtual Network if you want to use that instead of creating a new one
# existing_virtual_network = "my-vnet-example-name"
## Specify the name of an existing Resource Group to deploy resources into
# existing_resource_group = "my-existing-resource-group"
# Set the default IP Range that will be assigned to the Virtual Network used by the Container Apps
virtual_network_address_space = "172.32.10.0/24"
# Create an Azure Container Registry and connect it to the Container App Environment
enable_container_registry = true
# registry_ipv4_allow_list = [ "8.8.8.8/32" ]
## Specify the connection details for an existing Container Registry if 'enable_container_registry' is false
# registry_server = ""
# registry_username = ""
# registry_password = ""
## Change the SKU of ACR from "Standard"
# registry_sku = "Premium"
## Change the retention period (only applicable to Premium SKU)
# enable_registry_retention_policy = true
# registry_retention_days = 90
## Disable admin username and access keys if authenticating using a service principal
# registry_admin_enabled = false
## If you dont need a public registry, set this to false to prevent internet access
# registry_public_access_enabled = false
## If 'registry_admin_enabled' is disabled, you can create a User Assigned Managed Identity to authenticate with ACR
# registry_use_managed_identity = true
## The UAMI needs the 'AcrPull' role assignment which can be done manually or applied with terraform
# registry_managed_identity_assign_role = false
## Specify a custom name for the Container App
# container_app_name_override = "my-awesome-app"
# Specify the Container Image and Tag that will get pulled from the Container Registry
image_name = "my-app"
image_tag = "latest"
## Deploy an Azure SQL Server and create an initial database
# enable_mssql_database = true
# mssql_sku_name = "Basic"
# mssql_max_size_gb = 2
# mssql_database_name = "my-database"
# mssql_firewall_ipv4_allow_list = [ "8.8.8.8", "1.1.1.1" ]
# mssql_server_public_access_enabled = true
# mssql_version = "12.0"
## If you want to use a local SQL administrator account you can set a password with
# mssql_server_admin_password = "change-me-!!!"
## Or, if you want to assign an Azure AD Administrator you must specify
# mssql_azuread_admin_username = "my-email-address@DOMAIN"
# mssql_azuread_admin_object_id = "aaaa-bbbb-cccc-dddd"
## Restrict SQL authentication to Azure AD
# mssql_azuread_auth_only = true
## Deploy an Azure Database for PostgreSQL flexible server and create an initial database
# enable_postgresql_database = true
# postgresql_server_version = "11"
# postgresql_administrator_password = "change-me-!!!"
# postgresql_administrator_login = "my-admin-user"
# postgresql_availability_zone = "1"
# postgresql_max_storage_mb = 32768
# postgresql_sku_name = "B_Standard_B1ms"
# postgresql_collation = "en_US.utf8"
# postgresql_charset = "utf8"
# postgresql_enabled_extensions = "citext,pgcrypto"
# postgresql_network_connectivity_method = "private" # or "public" to enable Public network access
# postgresql_firewall_ipv4_allow = {
# "my-rule-1" = {
# start_ip_address = "0.0.0.0",
# end_ip_address = "0.0.0.0"
# }
# # etc
# }
## Deploy an Azure Cache for Redis instance
# enable_redis_cache = true
# redis_cache_version = 6
# redis_cache_family = "C"
# redis_cache_sku = "Basic"
# redis_cache_capacity = 1
# redis_cache_patch_schedule_day = "Sunday"
# redis_cache_patch_schedule_hour = 23
# redis_cache_firewall_ipv4_allow_list = [ "8.8.8.8", "1.1.1.1" ]
## Deploy a Health insights Azure function
# enable_health_insights_api = true
## Deploy custom Azure Functions
## Note: Terraform will not deploy the app source itself, you will need to do that
# linux_function_apps = {
# "my-function" = {
# runtime = "python"
# runtime_version = "3.11"
# app_settings = {
# "MY_APP_SETTING" = "foo"
# }
# allowed_origins = ["*"]
# }
# }
## Deploy an Azure Storage Account and connect it to the Container App
# enable_container_app_blob_storage = false
# container_app_blob_storage_public_access_enabled = false
# container_app_blob_storage_ipv4_allow_list = [ "8.8.8.8", "1.1.1.1" ]
## This will remove the automatically generated 'ConnectionStrings__BlobStorage' environment var from the Container App
create_container_app_blob_storage_sas = false
## Change the expiration date for SAS tokens. Format 'DD.HH:MM:SS'
# storage_account_sas_expiration_period = "00.01:00:00"
## Deploy a File Share
# enable_container_app_file_share = true
## If you need maximum SMB compatibility for your File Share
# container_app_file_share_security_profile = "compatibility"
## Increase the hardware resources given to each Container
# container_cpu = 1 # core count
# container_memory = 2 # gigabyte
# Change the Port number that the Container is listening on
# container_port = 80
# Change the number of replicas (commonly called 'instances') for the Container.
# Setting 'container_max_replicas' to 1 will prevent scaling
container_min_replicas = 2
container_max_replicas = 10
# Maximum number of concurrent HTTP requests before a new replica is created
container_scale_http_concurrency = 100
## Enable out-of-hours scale down to reduce resource usage
# container_scale_out_at_defined_time = false
# container_scale_out_rule_start = "0 9 * * *" # Must be a valid cron time
# container_scale_out_rule_end = "0 17 * * *" # Must be a valid cron time
# Enable a Liveness probe that checks to ensure the Container is responding. If this fails, the Container is restarted
enable_container_health_probe = true
container_health_probe_interval = 60 # seconds
container_health_probe_protocol = "https" # or "tcp"
container_health_probe_path = "/" # relative url to your status page (e.g. /healthcheck, /health, /status)
# What command should be used to start your Container
container_command = [ "/bin/bash", "-c", "echo hello && sleep 86400" ]
## Set environment variables that are passed to the Container at runtime. (See note below)
## It is strongly recommended not to include any sensitive or secret values here
# container_environment_variables = {
# "Environment" = "Development"
# }
## Note: It is recommended to use `container_secret_environment_variables` rather than `container_environment_variables`.
## This ensures that environment variables are set as `secrets` within the container app revision.
## If they are set directly as `env`, they can be exposed when running `az containerapp` commands, especially
## if those commands are ran as part of CI/CD.
# container_secret_environment_variables = {
# "RedirectUri" = "https://www.example.com/signin"
# }
## If you want to secure your Container Secrets further, you can leverage Key Vault with RBAC roles
escrow_container_app_secrets_in_key_vault = true # Store all secret environment variables in a Key Vault
#existing_key_vault = "my-key-vault" # Set this to the name of an existing Key Vault to prevent the deployment of a new one
#key_vault_managed_identity_assign_role = true
key_vault_access_ipv4 = [ 8.8.8.8/32 ] # List of IP addresses that are permitted to modify the Key Vault that holds the secrets
## If your app requires a worker container, you can enable it by setting 'enable_worker_container' to true
# enable_worker_container = false
# worker_container_command = [ "/bin/bash", "-c", "echo hello && sleep 86400" ]
# worker_container_min_replicas = 1
# worker_container_max_replicas = 1
## Custom container apps
# custom_container_apps = {
# "my-container-app" = {
# # managedEnvironmentId = "/existing-managed-environment-id" # Use this if
# # you need to launch the container in a different
# # container app environment
# configuration = {
# activeRevisionsMode = "single",
# secrets = [
# {
# "name" = "my-secret",
# "value" = "S3creTz"
# }
# ],
# ingress = {
# external = false
# },
# registries = [
# {
# "server" = "my-registry.com",
# "username" = "me",
# "passwordSecretRef" = "my-secret"
# }
# ],
# dapr = {
# enabled = false
# }
# },
# template = {
# revisionSuffix = "my-container-app",
# containers = [
# {
# name = "app",
# image = "my-registry.com/my-app:latest",
# resources = {
# cpu = 0.25,
# memory = "0.5Gi"
# },
# command = [
# "say",
# "'hello world'",
# "-v",
# "10"
# ]
# }
# ],
# scale = {
# minReplicas = 0,
# maxReplicas = 1
# },
# volumes = [
# {
# "name": "myempty",
# "storageType": "EmptyDir"
# },
# {
# "name": "azure-files-volume",
# "storageType": "AzureFile",
# "storageName": "myazurefiles"
# }
# ]
# }
# }
# }
# Create a DNS Zone, associate a primary domain and map different DNS Records as you require.
enable_dns_zone = true
dns_zone_domain_name = "example.com"
## The SOA record contains important information about a domain and who is responsible for it
# dns_zone_soa_record = {
# email = "hello.example.com"
# host_name = "ns1-03.azure-dns.com."
# expire_time = "2419200"
# minimum_ttl = "300"
# refresh_time = "3600"
# retry_time = "300"
# serial_number = "1"
# ttl = "3600"
# }
## An A record maps a domain to the physical IP address of the computer hosting that domain
# dns_a_records = {
# "example" = {
# ttl = 300,
# records = [
# "1.2.3.4",
# "5.6.7.8",
# ]
# }
# }
## An ALIAS record is a virtual record type DNSimple created to provide CNAME-like behavior on apex domains
# dns_alias_records = {
# "alias-example" = {
# ttl = 300,
# target_resource_id = "azure_resource_id",
# }
# }
## An AAAA record type is a foundational DNS record when IPv6 addresses are used
# dns_aaaa_records = {
# "aaaa-example" = {
# ttl = 300,
# records = [
# "2001:db8::1:0:0:1",
# "2606:2800:220:1:248:1893:25c8:1946",
# ]
# }
# }
# A CAA record is used to specify which certificate authorities (CAs) are allowed to issue certificates for a domain
# dns_caa_records = {
# "caa-example" = {
# ttl = 300,
# records = [
# {
# flags = 0,
# tag = "issue",
# value = "example.com"
# },
# {
# flags = 0
# tag = "issuewild"
# value = ";"
# },
# {
# flags = 0
# tag = "iodef"
# value = "mailto:caa@example.com"
# }
# ]
# }
# }
## A CNAME record provides an alias for another domain
# dns_cname_records = {
# "cname-example" = {
# ttl = 300,
# record = "example.com",
# }
# }
## A MX record directs email to a mail server
# dns_mx_records = {
# "mx-example" = {
# ttl = 300,
# records = [
# {
# preference = 10,
# exchange = "mail.example.com"
# }
# ]
# }
# }
## An NS record contains the name of the authoritative name server within the DNS zone
# dns_ns_records = {
# "ns-example" = {
# ttl = 300,
# records = [
# "ns-1.net",
# "ns-1.com",
# "ns-1.org",
# "ns-1.info"
# ]
# }
# }
## A PTR record is used for reverse DNS lookups, and it matches domain names with IP addresses
# dns_ptr_records = {
# "ptr-example" = {
# ttl = 300,
# records = [
# "example.com",
# ]
# }
# }
## A SRV record specifies a host and port for specific services such as voice over IP (VoIP), instant messaging etc
# dns_srv_records = {
# "srv-example" = {
# ttl = 300,
# records = [
# {
# priority = 1,
# weight = 5,
# port = 8080
# target = target.example.com
# }
# ]
# }
# }
## A TXT record stores text notes on a DNS server
# dns_txt_records = {
# "txt-example" = {
# ttl = 300,
# records = [
# "google-site-authenticator",
# "more site information here"
# ]
# }
# }
## Add additional service endpoints to the infrastructure subnet
# container_apps_infra_subnet_service_endpoints = ["Microsoft.KeyVault"]
# Deploy an Azure Front Door CDN. This will be configured as the entrypoint for all traffic accessing your Containers
enable_cdn_frontdoor = true
# cdn_frontdoor_sku = "Standard_AzureFrontDoor"
cdn_frontdoor_response_timeout = 300 # seconds
# Any domains defined here will be associated to the Front Door as acceptable hosts
cdn_frontdoor_custom_domains = [
"example.com",
"www.example.com"
]
# If you want to set up specific domain redirects, you can specify them with 'cdn_frontdoor_host_redirects'
cdn_frontdoor_host_redirects = [
{
"from" = "example.com",
"to" = "www.example.com",
}
]
## Override the default Origin hostname if you do not want to use the FQDN of the Container App
# cdn_frontdoor_origin_fqdn_override = "my-backend-host.acme.org"
## Override the default origin ports of 80 (HTTP) and 443 (HTTPS) if required
# cdn_frontdoor_origin_http_port = 8080
# cdn_frontdoor_origin_https_port = 4443
# Add additional HTTP Response Headers to include on every response
cdn_frontdoor_host_add_response_headers = [
{
"name" = "Strict-Transport-Security",
"value" = "max-age=31536000",
}
]
# Remove any surplus HTTP Response Headers that you might not want to include
cdn_frontdoor_remove_response_headers = [
"Server",
]
# Deploy an Azure Front Door WAF Rate Limiting Policy
cdn_frontdoor_enable_rate_limiting = true
## Available options are "Prevention" for blocking any matching traffic, or "Detection" just to report on it
# cdn_frontdoor_waf_mode = "Prevention"
## Number of minutes to block the requester's IP Address
cdn_frontdoor_rate_limiting_duration_in_minutes = 5
## How many requests can a single IP make in a minute before the WAF policy gets applied
# cdn_frontdoor_rate_limiting_threshold = 300
## Provide a list of IP Addresses or Ranges that should be exempt from the WAF Policy
# cdn_frontdoor_rate_limiting_bypass_ip_list = [ "8.8.8.8/32" ]
# Prevent traffic from accessing the Container Apps directly
restrict_container_apps_to_cdn_inbound_only = true
## Should the CDN keep monitoring the backend pool to ensure traffic can be routed?
enable_cdn_frontdoor_health_probe = true
cdn_frontdoor_health_probe_interval = 300 # seconds
cdn_frontdoor_health_probe_path = "/" # relative url to your status page (e.g. /healthcheck, /health, /status)
cdn_frontdoor_health_probe_request_type = "GET" # HTTP Method (e.g. GET, POST, HEAD etc)
## Switch on/off diagnostic settings for the Azure Front Door CDN
# cdn_frontdoor_enable_waf_logs = false
cdn_frontdoor_enable_access_logs = true # default: false
cdn_frontdoor_enable_health_probe_logs = true # default: false
## Logs are by default exported to a Log Analytics Workspace so enabling these two values are only necessary if you
## want to ingest the logs using a 3rd party service (e.g. logit.io)
# enable_event_hub = true
# enable_logstash_consumer = true
## Specify which Log Analytics tables you want to send to Event Hub
# eventhub_export_log_analytics_table_names = [
# "AppExceptions"
# ]
# Monitoring is disabled by default. If enabled, the following metrics will be monitored:
# Container App: CPU usage, Memory usage, Latency, Revision count, HTTP regional availability
# Redis (if enabled): Server Load Average
enable_monitoring = true
monitor_email_receivers = [ "list@email.com" ]
monitor_endpoint_healthcheck = "/"
## If you have an existing Logic App Workflow for routing Alerts then you can specify it here
# existing_logic_app_workflow = {
# name = "my-logic-app"
# resource_group_name = "my-other-rg"
# trigger_url = "https://my-callback-url.tld"
# }
alarm_cpu_threshold_percentage = 80
alarm_memory_threshold_percentage = 80
alarm_latency_threshold_ms = 1000
alarm_log_ingestion_gb_per_day = 1
# Note: that only 1 network watcher can be created within an Azure Subscription
# It would probably be advisable to create a Network Watcher outside of this module, as it
# may need to be used by other things
## Deploy an Azure Network Watcher
# enable_network_watcher = true
existing_network_watcher_name = "MyNetworkWatcher"
existing_network_watcher_resource_group_name = "NetworkWatcherRG"
# network_watcher_flow_log_retention = 90 # Days
# enable_network_watcher_traffic_analytics = true
# network_watcher_traffic_analytics_interval = 60
## Use a user assigned identity on the Container App.
# container_app_identities = [azurerm_user_assigned_identity.user_assigned_identity.id]
# A user assigned managed identity is created for the container app by default, but can be disabled.
# container_app_use_managed_identity = false
# Tags are applied to every resource deployed by this module
# Include them as Key:Value pairs
tags = {
"Environment" = "Dev",
"My Custom Tag" = "My Value"
}
}
Name | Version |
---|---|
terraform | >= 1.9.5, < 2.0.0 |
archive | >= 2.6.0 |
azapi | >= 1.13.0 |
azurerm | >= 4.0.0, < 5.0.0 |
null | >= 3.2.1 |
Name | Version |
---|---|
archive | >= 2.6.0 |
azapi | >= 1.13.0 |
azurerm | >= 4.0.0, < 5.0.0 |
terraform | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
alarm_cpu_threshold_percentage | Specify a number (%) which should be set as a threshold for a CPU usage monitoring alarm | number |
80 |
no |
alarm_for_delete_events | Should Alert Rules be created for Administrative 'Delete' actions? | bool |
true |
no |
alarm_latency_threshold_ms | Specify a number in milliseconds which should be set as a threshold for a request latency monitoring alarm | number |
1000 |
no |
alarm_log_ingestion_gb_per_day | Define an alarm threshold for Log Analytics ingestion rate in GB (per day) (Defaults to no limit) | number |
0 |
no |
alarm_memory_threshold_percentage | Specify a number (%) which should be set as a threshold for a memory usage monitoring alarm | number |
80 |
no |
app_configuration_assign_role | Assign the 'App Configuration Data Reader' Role to the Container App User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'App Configuration Data Reader' Role to the identity | bool |
false |
no |
app_configuration_sku | The SKU name of the App Configuration. Possible values are free and standard. Defaults to free. | string |
"free" |
no |
app_insights_retention_days | Number of days to retain App Insights data for (Default: 2 years) | number |
730 |
no |
app_insights_smart_detection_enabled | Enable or Disable Smart Detection with App Insights | bool |
true |
no |
azure_location | Azure location in which to launch resources. | string |
n/a | yes |
cdn_frontdoor_custom_domains | Azure CDN Front Door custom domains | list(string) |
[] |
no |
cdn_frontdoor_custom_domains_create_dns_records | Should the TXT records and ALIAS/CNAME records be automatically created if the custom domains exist within the DNS Zone? | bool |
true |
no |
cdn_frontdoor_enable_access_logs | Toggle the Diagnostic Setting to log Access requests | bool |
false |
no |
cdn_frontdoor_enable_health_probe_logs | Toggle the Diagnostic Setting to log Health Probe requests | bool |
false |
no |
cdn_frontdoor_enable_rate_limiting | Enable CDN Front Door Rate Limiting. This will create a WAF policy, and CDN security policy. For pricing reasons, there will only be one WAF policy created. | bool |
false |
no |
cdn_frontdoor_enable_waf_logs | Toggle the Diagnostic Setting to log Web Application Firewall requests | bool |
true |
no |
cdn_frontdoor_forwarding_protocol | Azure CDN Front Door forwarding protocol | string |
"HttpsOnly" |
no |
cdn_frontdoor_health_probe_interval | Specifies the number of seconds between health probes. | number |
120 |
no |
cdn_frontdoor_health_probe_path | Specifies the path relative to the origin that is used to determine the health of the origin. | string |
"/" |
no |
cdn_frontdoor_health_probe_protocol | Use Http or Https | string |
"Https" |
no |
cdn_frontdoor_health_probe_request_type | Specifies the type of health probe request that is made. | string |
"GET" |
no |
cdn_frontdoor_host_add_response_headers | List of response headers to add at the CDN Front Door [{ "Name" = "Strict-Transport-Security", "value" = "max-age=31536000" }] |
list(map(string)) |
[] |
no |
cdn_frontdoor_host_redirects | CDN FrontDoor host redirects [{ "from" = "example.com", "to" = "www.example.com" }] |
list(map(string)) |
[] |
no |
cdn_frontdoor_origin_fqdn_override | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | string |
"" |
no |
cdn_frontdoor_origin_host_header_override | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host_name (cdn_frontdoor_origin_fqdn_override ) |
string |
"" |
no |
cdn_frontdoor_origin_http_port | The value of the HTTP port used for the CDN Origin. Must be between 1 and 65535. Defaults to 80 | number |
80 |
no |
cdn_frontdoor_origin_https_port | The value of the HTTPS port used for the CDN Origin. Must be between 1 and 65535. Defaults to 443 | number |
443 |
no |
cdn_frontdoor_rate_limiting_bypass_ip_list | List if IP CIDRs to bypass CDN Front Door rate limiting | list(string) |
[] |
no |
cdn_frontdoor_rate_limiting_duration_in_minutes | CDN Front Door rate limiting duration in minutes | number |
1 |
no |
cdn_frontdoor_rate_limiting_threshold | Maximum number of concurrent requests before Rate Limiting policy is applied | number |
300 |
no |
cdn_frontdoor_remove_response_headers | List of response headers to remove at the CDN Front Door | list(string) |
[] |
no |
cdn_frontdoor_response_timeout | Azure CDN Front Door response timeout in seconds | number |
120 |
no |
cdn_frontdoor_sku | Azure CDN Front Door SKU | string |
"Standard_AzureFrontDoor" |
no |
cdn_frontdoor_vdp_destination_hostname | Requires 'enable_cdn_frontdoor_vdp_redirects' to be set to 'true'. Hostname to redirect security.txt and thanks.txt to | string |
"" |
no |
cdn_frontdoor_waf_custom_rules | Map of all Custom rules you want to apply to the CDN WAF | map(object({ |
{} |
no |
cdn_frontdoor_waf_managed_rulesets | Map of all Managed rules you want to apply to the CDN WAF, including any overrides, or exclusions | map(object({ |
{} |
no |
cdn_frontdoor_waf_mode | CDN Front Door waf mode | string |
"Prevention" |
no |
container_app_blob_storage_public_access_enabled | Enable anonymous public read access to blobs in Azure Storage? | bool |
false |
no |
container_app_environment_internal_load_balancer_enabled | Should the Container Environment operate in Internal Load Balancing Mode? | bool |
false |
no |
container_app_file_share_mount_path | A path inside your container where the File Share will be mounted to | string |
"/srv/app/storage" |
no |
container_app_file_share_security_profile | Choose whether the SMB protocol should be configured for maximum security, or maximum compatibility | string |
"security" |
no |
container_app_identities | Additional User Assigned Managed Identity Resource IDs to attach to the Container App | list(string) |
[] |
no |
container_app_name_override | A custom name for the Container App | string |
"" |
no |
container_app_storage_account_shared_access_key_enabled | Should the storage account for the container app permit requests to be authorized with the account access key via Shared Key? | bool |
true |
no |
container_app_storage_cross_tenant_replication_enabled | Should cross Tenant replication be enabled? | bool |
false |
no |
container_app_use_managed_identity | Deploy a User Assigned Managed Identity and attach it to the Container App | bool |
true |
no |
container_apps_allow_ips_inbound | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | list(string) |
[] |
no |
container_apps_infra_subnet_service_endpoints | Endpoints to assign to infra subnet | list(string) |
[] |
no |
container_command | Container command | list(any) |
[] |
no |
container_cpu | Number of container CPU cores | number |
1 |
no |
container_environment_variables | Container environment variables | map(string) |
{} |
no |
container_health_probe_interval | How often in seconds to poll the Container to determine liveness | number |
30 |
no |
container_health_probe_path | Specifies the path that is used to determine the liveness of the Container | string |
"/" |
no |
container_health_probe_protocol | Use HTTPS or a TCP connection for the Container liveness probe | string |
"http" |
no |
container_max_replicas | Container max replicas | number |
2 |
no |
container_memory | Container memory in GB | number |
2 |
no |
container_min_replicas | Container min replicas | number |
1 |
no |
container_port | Container port | number |
80 |
no |
container_scale_http_concurrency | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | number |
10 |
no |
container_scale_out_at_defined_time | Should the Container App scale out to the max-replicas during a specified time window? | bool |
false |
no |
container_scale_out_rule_end | Specify a time using Linux cron format that represents the end of the scale-out window. Defaults to 18:00 | string |
"0 18 * * *" |
no |
container_scale_out_rule_start | Specify a time using Linux cron format that represents the start of the scale-out window. Defaults to 08:00 | string |
"0 8 * * *" |
no |
container_secret_environment_variables | Container environment variables, which are defined as secrets within the container app configuration. This is to help reduce the risk of accidentally exposing secrets. |
map(string) |
{} |
no |
create_container_app_blob_storage_sas | Generate a SAS connection string that is exposed to your App as an environment variable so that it can connect to the Storage Account | bool |
true |
no |
custom_container_apps | Custom container apps, by default deployed within the container app environment managed by this module. | map(object({ |
{} |
no |
dns_a_records | DNS A records to add to the DNS Zone | map( |
{} |
no |
dns_aaaa_records | DNS AAAA records to add to the DNS Zone | map( |
{} |
no |
dns_alias_records | DNS ALIAS records to add to the DNS Zone | map( |
{} |
no |
dns_caa_records | DNS CAA records to add to the DNS Zone | map( |
{} |
no |
dns_cname_records | DNS CNAME records to add to the DNS Zone | map( |
{} |
no |
dns_mx_records | DNS MX records to add to the DNS Zone | map( |
{} |
no |
dns_ns_records | DNS NS records to add to the DNS Zone | map( |
{} |
no |
dns_ptr_records | DNS PTR records to add to the DNS Zone | map( |
{} |
no |
dns_srv_records | DNS SRV records to add to the DNS Zone | map( |
{} |
no |
dns_txt_records | DNS TXT records to add to the DNS Zone | map( |
{} |
no |
dns_zone_domain_name | DNS zone domain name. If created, records will automatically be created to point to the CDN. | string |
"" |
no |
dns_zone_soa_record | DNS zone SOA record block (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone#soa_record) | map(string) |
{} |
no |
enable_app_configuration | Deploy an Azure App Configuration resource | bool |
false |
no |
enable_app_insights_integration | Deploy an App Insights instance and connect your Container Apps to it | bool |
true |
no |
enable_cdn_frontdoor | Enable Azure CDN Front Door. This will use the Container Apps endpoint as the origin. | bool |
false |
no |
enable_cdn_frontdoor_health_probe | Enable CDN Front Door health probe | bool |
true |
no |
enable_cdn_frontdoor_vdp_redirects | Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service | bool |
false |
no |
enable_container_app_blob_storage | Create an Azure Storage Account and Storage Container to be used for this app | bool |
false |
no |
enable_container_app_file_share | Create an Azure Storage Account and File Share to be mounted to the Container Apps | bool |
false |
no |
enable_container_health_probe | Enable liveness probes for the Container | bool |
true |
no |
enable_container_registry | Set to true to create a container registry | bool |
n/a | yes |
enable_dns_zone | Conditionally create a DNS zone | bool |
false |
no |
enable_event_hub | Send Azure Container App logs to an Event Hub sink | bool |
false |
no |
enable_health_insights_api | Deploys a Function App that exposes the last 3 HTTP Web Tests via an API endpoint. 'enable_app_insights_integration' and 'enable_monitoring' must be set to 'true'. | bool |
false |
no |
enable_init_container | Deploy an Init Container. Init containers run before the primary app container and are used to perform initialization tasks such as downloading data or preparing the environment | bool |
false |
no |
enable_logstash_consumer | Create an Event Hub consumer group for Logstash | bool |
false |
no |
enable_monitoring | Create an App Insights instance and notification group for the Container App | bool |
false |
no |
enable_mssql_database | Set to true to create an Azure SQL server/database, with a private endpoint within the virtual network | bool |
false |
no |
enable_mssql_vulnerability_assessment | Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities | bool |
true |
no |
enable_network_watcher | Enable network watcher. Note: only 1 network watcher per subscription can be created. | bool |
false |
no |
enable_network_watcher_traffic_analytics | Enable network watcher traffic analytics (Requires enable_network_watcher to be true) |
bool |
true |
no |
enable_postgresql_database | Set to true to create an Azure Postgres server/database, with a private endpoint within the virtual network | bool |
false |
no |
enable_redis_cache | Set to true to create an Azure Redis Cache, with a private endpoint within the virtual network | bool |
false |
no |
enable_registry_retention_policy | Boolean value that indicates whether the policy is enabled | bool |
false |
no |
enable_resource_group_lock | Enabling this will add a Resource Lock to the Resource Group preventing any resources from being deleted. | bool |
false |
no |
enable_worker_container | Conditionally launch a worker container. This container uses the same image and environment variables as the default container app, but allows a different container command to be run. The worker container does not expose any ports. | bool |
false |
no |
environment | Environment name. Will be used along with project_name as a prefix for all resources. |
string |
n/a | yes |
escrow_container_app_secrets_in_key_vault | Set sensitive Container App secrets in Key Vault | bool |
false |
no |
eventhub_export_log_analytics_table_names | List of Log Analytics table names that you want to export to Event Hub. See https://learn.microsoft.com/en-gb/azure/azure-monitor/logs/logs-data-export?tabs=portal#supported-tables for a list of supported tables | list(string) |
[] |
no |
existing_key_vault | An existing Key Vault that you want to store Container App secrets in | string |
"" |
no |
existing_logic_app_workflow | Name, Resource Group and HTTP Trigger URL of an existing Logic App Workflow to route Alerts to | object({ |
{ |
no |
existing_network_watcher_name | Use an existing network watcher to add flow logs. | string |
"" |
no |
existing_network_watcher_resource_group_name | Existing network watcher resource group. | string |
"" |
no |
existing_resource_group | Conditionally launch resources into an existing resource group. Specifying this will NOT create a resource group. | string |
"" |
no |
existing_virtual_network | Conditionally use an existing virtual network. The virtual_network_address_space must match an existing address space in the VNet. This also requires the resource group name. |
string |
"" |
no |
health_insights_api_cors_origins | List of hostnames that are permitted to contact the Health insights API | list(string) |
[ |
no |
health_insights_api_ipv4_allow_list | List of IPv4 addresses that are permitted to contact the Health insights API | list(string) |
[] |
no |
image_name | Image name | string |
n/a | yes |
image_tag | Image tag | string |
"latest" |
no |
init_container_command | Container command for the Init Container | list(any) |
[] |
no |
init_container_image | Image name for the Init Container. Leave blank to use the same Container image from the primary app | string |
"" |
no |
key_vault_access_ipv4 | List of IPv4 Addresses that are permitted to access the Key Vault | list(string) |
[] |
no |
key_vault_managed_identity_assign_role | Assign the Key Vault Secret User role to the Container App managed identity | bool |
false |
no |
launch_in_vnet | Conditionally launch into a VNet | bool |
true |
no |
linux_function_apps | A list of Linux Function Apps with their corresponding app settings | map(object({ |
{} |
no |
monitor_email_receivers | A list of email addresses that should be notified by monitoring alerts | list(string) |
[] |
no |
monitor_endpoint_healthcheck | Specify a route that should be monitored for a 200 OK status | string |
"/" |
no |
mssql_azuread_admin_object_id | Object ID of a User within Azure AD that you want to assign as the SQL Server Administrator | string |
"" |
no |
mssql_azuread_admin_username | Username of a User within Azure AD that you want to assign as the SQL Server Administrator | string |
"" |
no |
mssql_azuread_auth_only | Set to true to only permit SQL logins from Azure AD users | bool |
false |
no |
mssql_database_name | The name of the MSSQL database to create. Must be set if enable_mssql_database is true |
string |
"" |
no |
mssql_firewall_ipv4_allow_list | A list of IPv4 Addresses that require remote access to the MSSQL Server | map(object({ |
{} |
no |
mssql_managed_identity_assign_role | Assign the 'Storage Blob Data Contributor' Role to the SQL Server User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'Storage Blob Data Contributor' Role to the identity | bool |
true |
no |
mssql_max_size_gb | The max size of the database in gigabytes | number |
2 |
no |
mssql_security_storage_access_key_rotation_reminder_days | Number of days to set for access key rotation reminder on the SQL Security Storage Account. If not set will default to 'storage_account_access_key_rotation_reminder_days' | number |
0 |
no |
mssql_security_storage_cross_tenant_replication_enabled | Should cross Tenant replication be enabled? | bool |
false |
no |
mssql_security_storage_firewall_ipv4_allow_list | Additional IP addresses to add to the Storage Account that holds the Vulnerability Assessments | list(string) |
[] |
no |
mssql_server_admin_password | The local administrator password for the MSSQL server | string |
"" |
no |
mssql_server_public_access_enabled | Enable public internet access to your MSSQL instance. Be sure to specify 'mssql_firewall_ipv4_allow_list' to restrict inbound connections | bool |
false |
no |
mssql_sku_name | Specifies the name of the SKU used by the database | string |
"Basic" |
no |
mssql_storage_account_shared_access_key_enabled | Should the storage account for mssql security permit requests to be authorized with the account access key via Shared Key? | bool |
true |
no |
mssql_version | Specify the version of Microsoft SQL Server you want to run | string |
"12.0" |
no |
network_watcher_flow_log_retention | Number of days to retain flow logs. Set to 0 to keep all logs. | number |
90 |
no |
network_watcher_nsg_storage_access_key_rotation_reminder_days | Number of days to set for access key rotation reminder on the Network Watcher NSG Flow Log Storage Account. If not set will default to 'storage_account_access_key_rotation_reminder_days' | number |
0 |
no |
network_watcher_traffic_analytics_interval | Interval in minutes for Traffic Analytics. | number |
60 |
no |
postgresql_administrator_login | Specify a login that will be assigned to the administrator when creating the Postgres server | string |
"" |
no |
postgresql_administrator_password | Specify a password that will be assigned to the administrator when creating the Postgres server | string |
"" |
no |
postgresql_availability_zone | Specify the availibility zone in which the Postgres server should be located | string |
"1" |
no |
postgresql_charset | Specify the charset to be used for the Postgres database | string |
"utf8" |
no |
postgresql_collation | Specify the collation to be used for the Postgres database | string |
"en_US.utf8" |
no |
postgresql_enabled_extensions | Specify a comma seperated list of Postgres extensions to enable. See https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#postgres-14-extensions | string |
"" |
no |
postgresql_firewall_ipv4_allow | Map of IP address ranges to add into the postgres firewall. Note: only applicable if postgresql_network_connectivity_method is set to public. | map(object({ |
{} |
no |
postgresql_max_storage_mb | Specify the max amount of storage allowed for the Postgres server | number |
32768 |
no |
postgresql_network_connectivity_method | Specify postgresql networking method, public or private. See https://learn.microsoft.com/en-gb/azure/postgresql/flexible-server/concepts-networking | string |
"private" |
no |
postgresql_server_version | Specify the version of postgres server to run (either 11,12,13 or 14) | string |
"" |
no |
postgresql_sku_name | Specify the SKU to be used for the Postgres server | string |
"B_Standard_B1ms" |
no |
project_name | Project name. Will be used along with environment as a prefix for all resources. |
string |
n/a | yes |
redis_cache_capacity | Redis Cache Capacity | number |
0 |
no |
redis_cache_family | Redis Cache family | string |
"C" |
no |
redis_cache_firewall_ipv4_allow_list | A list of IPv4 address that require remote access to the Redis server | list(string) |
[] |
no |
redis_cache_patch_schedule_day | Redis Cache patch schedule day | string |
"Sunday" |
no |
redis_cache_patch_schedule_hour | Redis Cache patch schedule hour | number |
18 |
no |
redis_cache_sku | Redis Cache SKU | string |
"Basic" |
no |
redis_cache_version | Redis Cache version | number |
6 |
no |
redis_config | Overrides for Redis Cache Configuration options | object({ |
{} |
no |
registry_admin_enabled | Do you want to enable access key based authentication for your Container Registry? | bool |
true |
no |
registry_ipv4_allow_list | List of IPv4 CIDR blocks that require access to the Container Registry | list(string) |
[] |
no |
registry_managed_identity_assign_role | Assign the 'AcrPull' Role to the Container App User-Assigned Managed Identity. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity | bool |
true |
no |
registry_password | Container registry password (required if enable_container_registry is false) |
string |
"" |
no |
registry_public_access_enabled | Should your Container Registry be publicly accessible? | bool |
true |
no |
registry_retention_days | The number of days to retain an untagged manifest after which it gets purged | number |
7 |
no |
registry_server | Container registry server (required if enable_container_registry is false) |
string |
"" |
no |
registry_sku | The SKU name of the container registry. Possible values are 'Basic', 'Standard' and 'Premium'. | string |
"Standard" |
no |
registry_use_managed_identity | Create a User-Assigned Managed Identity for the Container App. Note: If you do not have 'Microsoft.Authorization/roleAssignments/write' permission, you will need to manually assign the 'AcrPull' Role to the identity | bool |
false |
no |
registry_username | Container registry username (required if enable_container_registry is false) |
string |
"" |
no |
restrict_container_apps_to_cdn_inbound_only | Restricts access to the Container Apps by creating a network security group rule that only allows 'AzureFrontDoor.Backend' inbound, and attaches it to the subnet of the container app environment. | bool |
true |
no |
storage_account_access_key_rotation_reminder_days | Number of days to set for access key rotation reminder on Storage Accounts | number |
90 |
no |
storage_account_file_share_quota_gb | The maximum size of the share, in gigabytes. | number |
2 |
no |
storage_account_ipv4_allow_list | A list of public IPv4 address to grant access to the Storage Account | list(string) |
[] |
no |
storage_account_public_access_enabled | Should the Azure Storage Account have Public visibility? | bool |
false |
no |
storage_account_sas_expiration_period | The SAS expiration period in format of DD.HH:MM:SS | string |
"02.00:00:00" |
no |
tags | Tags to be applied to all resources | map(string) |
{} |
no |
virtual_network_address_space | Virtual Network address space CIDR | string |
"172.16.0.0/12" |
no |
worker_container_command | Container command for the Worker container. enable_worker_container must be set to true for this to have any effect. |
list(string) |
[] |
no |
worker_container_max_replicas | Worker ontainer max replicas | number |
2 |
no |
worker_container_min_replicas | Worker container min replicas | number |
1 |
no |
Name | Description |
---|---|
azurerm_container_registry | Container Registry |
azurerm_dns_zone_name_servers | Name servers of the DNS Zone |
azurerm_eventhub_container_app | Container App Event Hub |
azurerm_log_analytics_workspace_container_app | Container App Log Analytics Workspace |
azurerm_resource_group_default | Default Azure Resource Group |
cdn_frontdoor_dns_records | Azure Front Door DNS Records that must be created manually |
container_app_managed_identity | User-Assigned Managed Identity assigned to the Container App |
container_fqdn | FQDN for the Container App |
networking | IDs for various VNet resources if created |