This is the module to deploy function apps in Azure.
NOTE: 0.12.0 introduces some breaking changes, such as no longer supporting azurerm 0.3.x. Please use 0.11.x and prior releases if support for azurerm 0.3.x is needed. Please review the release notes for a full breakdown of each release.
The following requirements are needed by this module:
The following resources are used by this module:
- azurerm_app_service_certificate.this (resource)
- azurerm_app_service_custom_hostname_binding.this (resource)
- azurerm_app_service_slot_custom_hostname_binding.slot (resource)
- azurerm_application_insights.this (resource)
- azurerm_dns_cname_record.this (resource)
- azurerm_dns_txt_record.this (resource)
- azurerm_function_app_active_slot.this (resource)
- azurerm_linux_function_app.this (resource)
- azurerm_linux_function_app_slot.this (resource)
- azurerm_linux_web_app.this (resource)
- azurerm_linux_web_app_slot.this (resource)
- azurerm_management_lock.pe (resource)
- azurerm_management_lock.slot (resource)
- azurerm_management_lock.this (resource)
- azurerm_monitor_diagnostic_setting.this (resource)
- azurerm_private_endpoint.slot (resource)
- azurerm_private_endpoint.slot_this_unmanaged_dns_zone_groups (resource)
- azurerm_private_endpoint.this (resource)
- azurerm_private_endpoint.this_unmanaged_dns_zone_groups (resource)
- azurerm_private_endpoint_application_security_group_association.slot (resource)
- azurerm_private_endpoint_application_security_group_association.this (resource)
- azurerm_role_assignment.pe (resource)
- azurerm_role_assignment.slot (resource)
- azurerm_role_assignment.slot_pe (resource)
- azurerm_role_assignment.this (resource)
- azurerm_web_app_active_slot.this (resource)
- azurerm_windows_function_app.this (resource)
- azurerm_windows_function_app_slot.this (resource)
- azurerm_windows_web_app.this (resource)
- azurerm_windows_web_app_slot.this (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azurerm_client_config.telemetry (data source)
- modtm_module_source.telemetry (data source)
The following input variables are required:
Description: The type of App Service to deploy. Possible values are functionapp and webapp.
Type: string
Description: Azure region where the resource should be deployed.
Type: string
Description: The name which should be used for the Function App.
Type: string
Description: The operating system that should be the same type of the App Service Plan to deploy the App Service in.
Type: string
Description: The name of the Resource Group where the App Service will be deployed.
Type: string
Description: The resource ID of the App Service Plan to deploy the App Service in in.
Type: string
The following input variables are optional (have default values):
Description: Should the Function App inherit the lock from the parent resource? Defaults to true.
Type: bool
Default: true
Description: Should the Function App inherit tags from the parent resource? Defaults to true.
Type: bool
Default: true
Description:
Object that sets the active slot for the App Service.
`slot_key` - The key of the slot object to set as active.
`overwrite_network_config` - Determines if the network configuration should be overwritten. Defaults to `true`.
Type:
object({
slot_key = optional(string)
overwrite_network_config = optional(bool, true)
})Default: null
Description: A map of key-value pairs for App Settings and custom values to assign to the Function App.
app_settings = {
WEBSITE_NODE_DEFAULT_VERSION = "10.14.1"
WEBSITE_TIME_ZONE = "Pacific Standard Time"
WEB_CONCURRENCY = "1"
WEBSITE_RUN_FROM_PACKAGE = "1"
WEBSITE_ENABLE_SYNC_UPDATE_SITE = "true"
WEBSITE_ENABLE_SYNC_UPDATE_SITE_LOCKED = "false"
WEBSITE_NODE_DEFAULT_VERSION_LOCKED = "false"
WEBSITE_TIME_ZONE_LOCKED = "false"
WEB_CONCURRENCY_LOCKED = "false"
WEBSITE_RUN_FROM_PACKAGE_LOCKED = "false"
}Type: map(string)
Default: {}
Description:
The Application Insights settings to assign to the Function App.
-application_type: The type of Application Insights to create. Valid values are ios, java, MobileCenter, Node.JS, other, phone, store, and web. Defaults to web.
-inherit_tags: Should the Application Insights inherit tags from the parent resource? Defaults to false.
-location: The location of the Application Insights.
-name: The name of the Application Insights.
-resource_group_name: The name of the Resource Group where the Application Insights will be deployed.
-tags: A map of tags to assign to the Application Insights.
-workspace_resource_id: The resource ID of the Log Analytics Workspace to use for the Application Insights.
-daily_data_cap_in_gb: The daily data cap in GB for the Application Insights.
-daily_data_cap_notifications_disabled: Should the daily data cap notifications be disabled for the Application Insights?
-retention_in_days: The retention period in days for the Application Insights. Defaults to 90.
-sampling_percentage: The sampling percentage for the Application Insights. Defaults to 100.
-disable_ip_masking: Should the IP masking be disabled for the Application Insights? Defaults to false.
-local_authentication_disabled: Should the local authentication be disabled for the Application Insights? Defaults to false.
-internet_ingestion_enabled: Should the internet ingestion be enabled for the Application Insights? Defaults to true.
-internet_query_enabled: Should the internet query be enabled for the Application Insights? Defaults to true.
-force_customer_storage_for_profiler: Should the customer storage be forced for the profiler for the Application Insights? Defaults to false.
application_insights = {
name = module.naming.application_insights.name_unique
resource_group_name = module.avm_res_resources_resourcegroup.name
location = module.avm_res_resources_resourcegroup.resource.location
application_type = "web"
workspace_resource_id = azurerm_log_analytics_workspace.example.id
tags = {
environment = "dev-tf"
}
}Type:
object({
application_type = optional(string, "web")
inherit_tags = optional(bool, false)
location = optional(string)
name = optional(string)
resource_group_name = optional(string)
tags = optional(map(any), null)
workspace_resource_id = optional(string)
daily_data_cap_in_gb = optional(number)
daily_data_cap_notifications_disabled = optional(bool)
retention_in_days = optional(number, 90)
sampling_percentage = optional(number, 100)
disable_ip_masking = optional(bool, false)
local_authentication_disabled = optional(bool, false)
internet_ingestion_enabled = optional(bool, true)
internet_query_enabled = optional(bool, true)
force_customer_storage_for_profiler = optional(bool, false)
})Default: {}
Description: A map of authentication settings to assign to the Function App.
additional_login_parameters- (Optional) Specifies a map of login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.allowed_external_redirect_urls- (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.default_provider- (Optional) The default authentication provider to use when multiple providers are configured. Possible values include:AzureActiveDirectory,Facebook,Google,MicrosoftAccount,Twitter,Githubenabled- (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?issuer- (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Linux Web App.runtime_version- (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.token_refresh_extension_hours- (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to72hours.token_store_enabled- (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults tofalse.unauthenticated_client_action- (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include:RedirectToLoginPage,AllowAnonymous.
active_directory block supports the following:
allowed_audiences- (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.client_id- (Required) The ID of the Client to use to authenticate with Azure Active Directory.client_secret- (Optional) The Client Secret for the Client ID. Cannot be used withclient_secret_setting_name.client_secret_setting_name- (Optional) The App Setting name that contains the client secret of the Client. Cannot be used withclient_secret.
facebook block supports the following:
app_id- (Required) The App ID of the Facebook app used for login.app_secret- (Optional) The App Secret of the Facebook app used for Facebook login. Cannot be specified withapp_secret_setting_name.app_secret_setting_name- (Optional) The app setting name that contains theapp_secretvalue used for Facebook login. Cannot be specified withapp_secret.oauth_scopes- (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook login authentication.
github block supports the following:
client_id- (Required) The ID of the GitHub app used for login.client_secret- (Optional) The Client Secret of the GitHub app used for GitHub login. Cannot be specified withclient_secret_setting_name.client_secret_setting_name- (Optional) The app setting name that contains theclient_secretvalue used for GitHub login. Cannot be specified withclient_secret.oauth_scopes- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub login authentication.
google block supports the following:
client_id- (Required) The OpenID Connect Client ID for the Google web application.client_secret- (Optional) The client secret associated with the Google web application. Cannot be specified withclient_secret_setting_name.client_secret_setting_name- (Optional) The app setting name that contains theclient_secretvalue used for Google login. Cannot be specified withclient_secret.oauth_scopes- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified,openid,profile, andemailare used as default scopes.
microsoft block supports the following:
client_id- (Required) The OAuth 2.0 client ID that was created for the app used for authentication.client_secret- (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified withclient_secret_setting_name.client_secret_setting_name- (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified withclient_secret.oauth_scopes- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified,wl.basicis used as the default scope.
twitter block supports the following:
consumer_key- (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.consumer_secret- (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified withconsumer_secret_setting_name.consumer_secret_setting_name- (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified withconsumer_secret.
auth_settings = {
example = {
enabled = true
active_directory = {
client_id = "00000000-0000-0000-0000-000000000000"
allowed_audiences = ["00000000-0000-0000-0000-000000000000"]
client_secret = "00000000-0000-0000-0000-000000000000"
client_secret_setting_name = "00000000-0000-0000-0000-000000000000"
}
}
}Type:
map(object({
additional_login_parameters = optional(list(string))
allowed_external_redirect_urls = optional(list(string))
default_provider = optional(string)
enabled = optional(bool, false)
issuer = optional(string)
runtime_version = optional(string)
token_refresh_extension_hours = optional(number, 72)
token_store_enabled = optional(bool, false)
unauthenticated_client_action = optional(string)
active_directory = optional(map(object({
client_id = optional(string)
allowed_audiences = optional(list(string))
client_secret = optional(string)
client_secret_setting_name = optional(string)
})))
facebook = optional(map(object({
app_id = optional(string)
app_secret = optional(string)
app_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
github = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
google = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
microsoft = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
twitter = optional(map(object({
consumer_key = optional(string)
consumer_secret = optional(string)
consumer_secret_setting_name = optional(string)
})))
}))Default: {}
Description: A map of authentication settings (V2) to assign to the Function App.
auth_enabled- (Optional) Should the AuthV2 Settings be enabled. Defaults tofalse.config_file_path- (Optional) The path to the App Auth settings.default_provider- (Optional) The Default Authentication Provider to use when theunauthenticated_actionis set toRedirectToLoginPage. Possible values include:apple,azureactivedirectory,facebook,github,google,twitterand thenameof yourcustom_oidc_v2provider.excluded_paths- (Optional) The paths which should be excluded from theunauthenticated_actionwhen it is set toRedirectToLoginPage.forward_proxy_convention- (Optional) The convention used to determine the url of the request made. Possible values includeNoProxy,Standard,Custom. Defaults toNoProxy.forward_proxy_custom_host_header_name- (Optional) The name of the custom header containing the host of the request.forward_proxy_custom_scheme_header_name- (Optional) The name of the custom header containing the scheme of the request.http_route_api_prefix- (Optional) The prefix that should precede all the authentication and authorisation paths. Defaults to/.auth.require_authentication- (Optional) Should the authentication flow be used for all requests.require_https- (Optional) Should HTTPS be required on connections? Defaults totrue.runtime_version- (Optional) The Runtime Version of the Authentication and Authorisation feature of this App. Defaults to~1.unauthenticated_action- (Optional) The action to take for requests made without authentication. Possible values includeRedirectToLoginPage,AllowAnonymous,Return401, andReturn403. Defaults toRedirectToLoginPage.
active_directory_v2 block supports the following:
allowed_applications- (Optional) The list of allowed Applications for the Default Authorisation Policy.allowed_audiences- (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.allowed_groups- (Optional) The list of allowed Group Names for the Default Authorisation Policy.allowed_identities- (Optional) The list of allowed Identities for the Default Authorisation Policy.client_id- (Required) The ID of the Client to use to authenticate with Azure Active Directory.client_secret_certificate_thumbprint- (Optional) The thumbprint of the certificate used for signing purposes.client_secret_setting_name- (Optional) The App Setting name that contains the client secret of the Client.jwt_allowed_client_applications- (Optional) A list of Allowed Client Applications in the JWT Claim.jwt_allowed_groups- (Optional) A list of Allowed Groups in the JWT Claim.login_parameters- (Optional) A map of key-value pairs to send to the Authorisation Endpoint when a user logs in.tenant_auth_endpoint- (Required) The Azure Tenant Endpoint for the Authenticating Tenant. e.g.https://login.microsoftonline.com/v2.0/{tenant-guid}/www_authentication_disabled- (Optional) Should the www-authenticate provider should be omitted from the request? Defaults tofalse.
apple_v2 block supports the following:
client_id- (Required) The OpenID Connect Client ID for the Apple web application.client_secret_setting_name- (Required) The app setting name that contains theclient_secretvalue used for Apple Login.
azure_static_web_app_v2 block supports the following:
client_id- (Required) The ID of the Client to use to authenticate with Azure Static Web App Authentication.
custom_oidc_v2 block supports the following:
client_id- (Required) The ID of the Client to use to authenticate with the Custom OIDC.name- (Required) The name of the Custom OIDC Authentication Provider.name_claim_type- (Optional) The name of the claim that contains the users name.openid_configuration_endpoint- (Required) The app setting name that contains theclient_secretvalue used for the Custom OIDC Login.scopes- (Optional) The list of the scopes that should be requested while authenticating.
facebook_v2 block supports the following:
app_id- (Required) The App ID of the Facebook app used for login.app_secret_setting_name- (Required) The app setting name that contains theapp_secretvalue used for Facebook Login.graph_api_version- (Optional) The version of the Facebook API to be used while logging in.login_scopes- (Optional) The list of scopes that should be requested as part of Facebook Login authentication.
github_v2 block supports the following:
client_id- (Required) The ID of the GitHub app used for login..client_secret_setting_name- (Required) The app setting name that contains theclient_secretvalue used for GitHub Login.login_scopes- (Optional) The list of OAuth 2.0 scopes that should be requested as part of GitHub Login authentication.
google_v2 block supports the following:
allowed_audiences- (Optional) Specifies a list of Allowed Audiences that should be requested as part of Google Sign-In authentication.client_id- (Required) The OpenID Connect Client ID for the Google web application.client_secret_setting_name- (Required) The app setting name that contains theclient_secretvalue used for Google Login.login_scopes- (Optional) The list of OAuth 2.0 scopes that should be requested as part of Google Sign-In authentication.
login block supports the following:
allowed_external_redirect_urls- (Optional) External URLs that can be redirected to as part of logging in or logging out of the app. This is an advanced setting typically only needed by Windows Store application backends.cookie_expiration_convention- (Optional) The method by which cookies expire. Possible values include:FixedTime, andIdentityProviderDerived. Defaults toFixedTime.cookie_expiration_time- (Optional) The time after the request is made when the session cookie should expire. Defaults to08:00:00.logout_endpoint- (Optional) The endpoint to which logout requests should be made.nonce_expiration_time- (Optional) The time after the request is made when the nonce should expire. Defaults to00:05:00.preserve_url_fragments_for_logins- (Optional) Should the fragments from the request be preserved after the login request is made. Defaults tofalse.token_refresh_extension_time- (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to72hours.token_store_enabled- (Optional) Should the Token Store configuration Enabled. Defaults tofalsetoken_store_path- (Optional) The directory path in the App Filesystem in which the tokens will be stored.token_store_sas_setting_name- (Optional) The name of the app setting which contains the SAS URL of the blob storage containing the tokens.validate_nonce- (Optional) Should the nonce be validated while completing the login flow. Defaults totrue.
microsoft_v2 block supports the following:
allowed_audiences- (Optional) Specifies a list of Allowed Audiences that will be requested as part of Microsoft Sign-In authentication.client_id- (Required) The OAuth 2.0 client ID that was created for the app used for authentication.client_secret_setting_name- (Required) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.login_scopes- (Optional) The list of Login scopes that should be requested as part of Microsoft Account authentication.
twitter_v2 block supports the following:
consumer_key- (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.consumer_secret_setting_name- (Required) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.
auth_settings_v2 = {
setting1 = {
auth_enabled = true
default_provider = "AzureActiveDirectory"
active_directory_v2 = {
aad1 = {
client_id = "<client-id>"
tenant_auth_endpoint = "https://login.microsoftonline.com/{tenant-guid}/v2.0/"
}
}
login = {
login1 = {
token_store_enabled = true
}
}
}
}Type:
map(object({
auth_enabled = optional(bool, false)
config_file_path = optional(string)
default_provider = optional(string)
excluded_paths = optional(list(string))
forward_proxy_convention = optional(string, "NoProxy")
forward_proxy_custom_host_header_name = optional(string)
forward_proxy_custom_scheme_header_name = optional(string)
http_route_api_prefix = optional(string, "/.auth")
require_authentication = optional(bool, false)
require_https = optional(bool, true)
runtime_version = optional(string, "~1")
unauthenticated_action = optional(string, "RedirectToLoginPage")
active_directory_v2 = optional(map(object({
allowed_applications = optional(list(string))
allowed_audiences = optional(list(string))
allowed_groups = optional(list(string))
allowed_identities = optional(list(string))
client_id = optional(string)
client_secret_certificate_thumbprint = optional(string)
client_secret_setting_name = optional(string)
jwt_allowed_client_applications = optional(list(string))
jwt_allowed_groups = optional(list(string))
login_parameters = optional(map(any))
tenant_auth_endpoint = optional(string)
www_authentication_disabled = optional(bool, false)
})), {})
apple_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
azure_static_web_app_v2 = optional(map(object({
client_id = optional(string)
})), {})
custom_oidc_v2 = optional(map(object({
authorisation_endpoint = optional(string)
certification_uri = optional(string)
client_credential_method = optional(string)
client_id = optional(string)
client_secret_setting_name = optional(string)
issuer_endpoint = optional(string)
name = optional(string)
name_claim_type = optional(string)
openid_configuration_endpoint = optional(string)
scopes = optional(list(string))
token_endpoint = optional(string)
})), {})
facebook_v2 = optional(map(object({
app_id = optional(string)
app_secret_setting_name = optional(string)
graph_api_version = optional(string)
login_scopes = optional(list(string))
})), {})
github_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
google_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
login = optional(map(object({
allowed_external_redirect_urls = optional(list(string))
cookie_expiration_convention = optional(string, "FixedTime")
cookie_expiration_time = optional(string, "00:00:00")
logout_endpoint = optional(string)
nonce_expiration_time = optional(string, "00:05:00")
preserve_url_fragments_for_logins = optional(bool, false)
token_refresh_extension_time = optional(number, 72)
token_store_enabled = optional(bool, false)
token_store_path = optional(string)
token_store_sas_setting_name = optional(string)
validate_nonce = optional(bool, true)
})),
{
login = {
}
})
microsoft_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
twitter_v2 = optional(map(object({
consumer_key = optional(string)
consumer_secret_setting_name = optional(string)
})), {})
}))Default: {}
Description:
Configures the Auto Heal settings for the Function App. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
action- (Optional) The action to take when the trigger is activated.action_type- (Required) The type of action to take. Possible values include:CustomAction,Recycle,LogEvent,HttpRequst.custom_action- (Optional) The custom action to take when the trigger is activated.executable- (Required) The executable to run when the trigger is activated.parameters- (Optional) The parameters to pass to the executable.
minimum_process_execution_time- (Optional) The minimum process execution time before the action is taken. Defaults to00:00:00.
trigger- (Optional) The trigger to activate the action.private_memory_kb- (Optional) The private memory in kilobytes to trigger the action.requests- (Optional) The requests trigger to activate the action.count- (Required) The number of requests to trigger the action.interval- (Required) The interval to trigger the action.
slow_request- (Optional) The slow request trigger to activate the action.count- (Required) The number of slow requests to trigger the action.interval- (Required) The interval to trigger the action.take_taken- (Required) The time taken to trigger the action.path- (Optional) The path to trigger the action.
NOTE: The
pathproperty in theslow_requestblock is deprecated and will be removed in 4.0 of provider. Please useslow_request_with_pathto set a slow request trigger withpathspecified.status_code- (Optional) The status code trigger to activate the action.count- (Required) The number of status codes to trigger the action.interval- (Required) The interval to trigger the action.status_code_range- (Required) The status code range to trigger the action.path- (Optional) The path to trigger the action.sub_status- (Optional) The sub status to trigger the action.win32_status_code- (Optional) The Win32 status code to trigger the action.
site_config = {
auto_heal_enabled = true # `auto_heal_enabled` deprecated in azurerm 4.x
}
auto_heal_setting = { # auto_heal_setting should only be specified if auto_heal_enabled is set to `true`
setting_1 = {
action = {
action_type = "Recycle"
minimum_process_execution_time = "00:01:00"
}
trigger = {
requests = {
count = 100
interval = "00:00:30"
}
status_code = {
status_5000 = {
count = 5000
interval = "00:05:00"
path = "/HealthCheck"
status_code_range = 500
sub_status = 0
}
status_6000 = {
count = 6000
interval = "00:05:00"
path = "/Get"
status_code_range = 500
sub_status = 0
}
}
}
}
}Type:
map(object({
action = optional(object({
action_type = string
custom_action = optional(object({
executable = string
parameters = optional(string)
}))
minimum_process_execution_time = optional(string, "00:00:00")
}))
trigger = optional(object({
private_memory_kb = optional(number)
requests = optional(object({
count = number
interval = string
}))
slow_request = optional(map(object({
count = number
interval = string
take_taken = string
path = optional(string)
})), {})
slow_request_with_path = optional(map(object({
count = number
interval = string
take_taken = string
path = optional(string)
})), {})
status_code = optional(map(object({
count = number
interval = string
status_code_range = number
path = optional(string)
sub_status = optional(number)
win32_status_code = optional(number)
})), {})
}))
}))Default: {}
Description: A map of backup settings to assign to the Function App.
name- (Optional) The name of the backup. One will be generated if not set.schedule- (Optional) A map of backup schedule settings.frequency_interval- (Optional) The frequency interval of the backup.frequency_unit- (Optional) The frequency unit of the backup.keep_at_least_one_backup- (Optional) Should at least one backup be kept?.retention_period_in_days- (Optional) The retention period in days of the backup.start_time- (Optional) The start time of the backup.
storage_account_url- (Optional) The URL of the Storage Account to store the backup in.enabled- (Optional) Is the backup enabled? Defaults totrue.
backup = {
example = {
name = "example"
schedule = {
frequency_interval = 1
frequency_unit = "Day"
keep_at_least_one_backup = true
retention_period_in_days = 7
start_time = "2020-01-01T00:00:00Z"
}
storage_account_url = "https://example.blob.core.windows.net/example"
enabled = true
}
}Type:
map(object({
enabled = optional(bool, true)
name = optional(string)
storage_account_url = optional(string)
schedule = optional(map(object({
frequency_interval = optional(number)
frequency_unit = optional(string)
keep_at_least_one_backup = optional(bool)
retention_period_days = optional(number)
start_time = optional(string)
})))
}))Default: {}
Description: Should builtin logging be enabled for the Function App?
Type: bool
Default: true
Description: Should client affinity be enabled for the Function App?
Type: bool
Default: false
Description: Should client certificate be enabled for the Function App?
Type: bool
Default: false
Description: The client certificate exclusion paths for the Function App.
Type: string
Default: null
Description: The client certificate mode for the Function App.
Type: string
Default: "Required"
Description: A map of connection strings to assign to the Function App.
name- (Optional) The name of the connection string.type- (Optional) The type of the connection string.value- (Optional) The value of the connection string.
connection_strings = {
example = {
name = "example"
type = "example"
value = "example"
}
}Type:
map(object({
name = optional(string)
type = optional(string)
value = optional(string)
}))Default: {}
Description: Should content share be force disabled for the Function App?
Type: bool
Default: false
Description: A map of custom domains to assign to the Function App.
slot_as_target- (optional) Will this custom domain configuration be used for a App Service slot? Defaults tofalse.app_service_slot_key- (Optional) The key of the App Service Slot to use as the target for the custom domain.app_service_plan_resource_id- (Optional) The resource ID of the App Service Plan to use for the custom domain.key_vault_secret_id- (Optional) The ID of the Key Vault Secret to use for the custom domain.create_certificate- (Optional) Should a certificate be created for the custom domain? Defaults tofalse.create_txt_records- (Optional) Should TXT records be created for the custom domain? Defaults tofalse.create_cname_records- (Optional) Should CNAME records be created for the custom domain? Defaults tofalse.
custom_domains = {
# Allows for the configuration of custom domains for the Function App
# If not already set, the module allows for the creation of TXT and CNAME records
custom_domain_1 = {
zone_resource_group_name = "<zone_resource_group_name>"
create_txt_records = true
txt_name = "asuid.<module.naming.function_app.name_unique>"
txt_zone_name = "<zone_name>"
txt_records = {
record = {
value = "" # Leave empty as module will reference Function App ID after Function App creation
}
}
create_cname_records = true
cname_name = "<module.naming.function_app.name_unique>"
cname_zone_name = "<zone_name>"
cname_record = "<module.naming.function_app.name_unique>-custom-domain.azurewebsites.net"
create_certificate = true
certificate_name = "<module.naming.function_app.name_unique>-<data.azurerm_key_vault_secret.stored_certificate.name>"
certificate_location = azurerm_resource_group.example.location
pfx_blob = data.azurerm_key_vault_secret.stored_certificate.value
app_service_name = "<module.naming.function_app.name_unique>-custom-domain"
hostname = "<module.naming.function_app.name_unique>.<root_domain>"
resource_group_name = azurerm_resource_group.example.name
ssl_state = "SniEnabled"
thumbprint_key = "custom_domain_1" # Currently the key of the custom domain
}
}Type:
map(object({
slot_as_target = optional(bool, false)
app_service_slot_key = optional(string)
create_certificate = optional(bool, false)
certificate_name = optional(string)
certificate_location = optional(string)
pfx_blob = optional(string)
pfx_password = optional(string)
hostname = optional(string)
app_service_name = optional(string)
app_service_plan_resource_id = optional(string)
key_vault_secret_id = optional(string)
key_vault_id = optional(string)
zone_resource_group_name = optional(string)
resource_group_name = optional(string)
ssl_state = optional(string)
inherit_tags = optional(bool, true)
tags = optional(map(any), {})
thumbprint_key = optional(string)
thumbprint_value = optional(string)
ttl = optional(number, 300)
validation_type = optional(string, "cname-delegation")
create_cname_records = optional(bool, false)
cname_name = optional(string)
cname_zone_name = optional(string)
cname_record = optional(string)
cname_target_resource_id = optional(string)
create_txt_records = optional(bool, false)
txt_name = optional(string)
txt_zone_name = optional(string)
txt_records = optional(map(object({ value = string })))
}))Default: {}
Description: (Optional) The amount of memory in gigabyte-seconds that your application is allowed to consume per day. Setting this value only affects Function Apps under the consumption plan. Defaults to 0.
Type: number
Default: 0
Description:
Type:
map(object({
name = optional(string)
app_settings = optional(map(string))
builtin_logging_enabled = optional(bool, true)
content_share_force_disabled = optional(bool, false)
client_affinity_enabled = optional(bool, false)
client_certificate_enabled = optional(bool, false)
client_certificate_exclusion_paths = optional(string, null)
client_certificate_mode = optional(string, "Required")
daily_memory_time_quota = optional(number, 0)
enabled = optional(bool, true)
functions_extension_version = optional(string, "~4")
ftp_publish_basic_authentication_enabled = optional(bool, true)
https_only = optional(bool, false)
key_vault_reference_identity_id = optional(string, null)
public_network_access_enabled = optional(bool, true)
service_plan_id = optional(string, null)
tags = optional(map(string))
virtual_network_subnet_id = optional(string, null)
webdeploy_publish_basic_authentication_enabled = optional(bool, true)
zip_deploy_file = optional(string, null)
auth_settings = optional(map(object({
additional_login_parameters = optional(list(string))
allowed_external_redirect_urls = optional(list(string))
default_provider = optional(string)
enabled = optional(bool, false)
issuer = optional(string)
runtime_version = optional(string)
token_refresh_extension_hours = optional(number, 72)
token_store_enabled = optional(bool, false)
unauthenticated_client_action = optional(string)
active_directory = optional(map(object({
client_id = optional(string)
allowed_audiences = optional(list(string))
client_secret = optional(string)
client_secret_setting_name = optional(string)
})))
facebook = optional(map(object({
app_id = optional(string)
app_secret = optional(string)
app_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
github = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
google = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
microsoft = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
twitter = optional(map(object({
consumer_key = optional(string)
consumer_secret = optional(string)
consumer_secret_setting_name = optional(string)
})))
})), {})
auth_settings_v2 = optional(map(object({
auth_enabled = optional(bool, false)
config_file_path = optional(string)
default_provider = optional(string)
excluded_paths = optional(list(string))
forward_proxy_convention = optional(string, "NoProxy")
forward_proxy_custom_host_header_name = optional(string)
forward_proxy_custom_scheme_header_name = optional(string)
http_route_api_prefix = optional(string, "/.auth")
require_authentication = optional(bool, false)
require_https = optional(bool, true)
runtime_version = optional(string, "~1")
unauthenticated_action = optional(string, "RedirectToLoginPage")
active_directory_v2 = optional(map(object({
allowed_applications = optional(list(string))
allowed_audiences = optional(list(string))
allowed_groups = optional(list(string))
allowed_identities = optional(list(string))
client_id = optional(string)
client_secret_certificate_thumbprint = optional(string)
client_secret_setting_name = optional(string)
jwt_allowed_client_applications = optional(list(string))
jwt_allowed_groups = optional(list(string))
login_parameters = optional(map(any))
tenant_auth_endpoint = optional(string)
www_authentication_disabled = optional(bool, false)
})), {})
apple_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
azure_static_web_app_v2 = optional(map(object({
client_id = optional(string)
})), {})
custom_oidc_v2 = optional(map(object({
authorisation_endpoint = optional(string)
certification_uri = optional(string)
client_credential_method = optional(string)
client_id = optional(string)
client_secret_setting_name = optional(string)
issuer_endpoint = optional(string)
name = optional(string)
name_claim_type = optional(string)
openid_configuration_endpoint = optional(string)
scopes = optional(list(string))
token_endpoint = optional(string)
})), {})
facebook_v2 = optional(map(object({
app_id = optional(string)
app_secret_setting_name = optional(string)
graph_api_version = optional(string)
login_scopes = optional(list(string))
})), {})
github_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
google_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
login = map(object({
allowed_external_redirect_urls = optional(list(string))
cookie_expiration_convention = optional(string, "FixedTime")
cookie_expiration_time = optional(string, "00:00:00")
logout_endpoint = optional(string)
nonce_expiration_time = optional(string, "00:05:00")
preserve_url_fragments_for_logins = optional(bool, false)
token_refresh_extension_time = optional(number, 72)
token_store_enabled = optional(bool, false)
token_store_path = optional(string)
token_store_sas_setting_name = optional(string)
validate_nonce = optional(bool, true)
}))
microsoft_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
twitter_v2 = optional(map(object({
consumer_key = optional(string)
consumer_secret_setting_name = optional(string)
})), {})
})), {})
auto_heal_setting = optional(map(object({
action = optional(object({
action_type = string
custom_action = optional(object({
executable = string
parameters = optional(string)
}))
minimum_process_execution_time = optional(string, "00:00:00")
}))
trigger = optional(object({
private_memory_kb = optional(number)
requests = optional(object({
count = number
interval = string
}))
slow_request = optional(map(object({
count = number
interval = string
take_taken = string
path = optional(string)
})), {})
slow_request_with_path = optional(map(object({
count = number
interval = string
take_taken = string
path = optional(string)
})), {})
status_code = optional(map(object({
count = number
interval = string
status_code_range = number
path = optional(string)
sub_status = optional(number)
win32_status_code = optional(number)
})), {})
}))
})), {})
backup = optional(map(object({
enabled = optional(bool, true)
name = optional(string)
storage_account_url = optional(string)
schedule = optional(map(object({
frequency_interval = optional(number)
frequency_unit = optional(string)
keep_at_least_one_backup = optional(bool)
retention_period_days = optional(number)
start_time = optional(string)
})))
})), {})
connection_strings = optional(map(object({
name = optional(string)
type = optional(string)
value = optional(string)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
logs = optional(map(object({
application_logs = optional(map(object({
azure_blob_storage = optional(object({
level = optional(string, "Off")
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system_level = optional(string, "Off")
})), {})
detailed_error_messages = optional(bool, false)
failed_request_tracing = optional(bool, false)
http_logs = optional(map(object({
azure_blob_storage_http = optional(object({
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system = optional(object({
retention_in_days = optional(number, 0)
retention_in_mb = number
}))
})), {})
})), {})
private_endpoints = optional(map(object({
name = optional(string, null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
tags = optional(map(string), null)
subnet_resource_id = string
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(set(string), [])
application_security_group_associations = optional(map(string), {})
private_service_connection_name = optional(string, null)
network_interface_name = optional(string, null)
location = optional(string, null)
resource_group_name = optional(string, null)
ip_configurations = optional(map(object({
name = string
private_ip_address = string
})), {})
})), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
storage_shares_to_mount = optional(map(object({
access_key = string
account_name = string
mount_path = string
name = string
share_name = string
type = optional(string, "AzureFiles")
})), {})
site_config = optional(object({
always_on = optional(bool, false) # when running in a Consumption or Premium Plan, `always_on` feature should be turned off. Please turn it off before upgrading the service plan from standard to premium.
api_definition_url = optional(string) # (Optional) The URL of the OpenAPI (Swagger) definition that provides schema for the function's HTTP endpoints.
api_management_api_id = optional(string) # (Optional) The API Management API identifier.
app_command_line = optional(string) # (Optional) The command line to launch the application.
auto_heal_enabled = optional(bool) # (Optional) Should auto-heal be enabled for the Function App?
app_scale_limit = optional(number) # (Optional) The maximum number of workers that the Function App can scale out to.
application_insights_connection_string = optional(string) # (Optional) The connection string of the Application Insights resource to send telemetry to.
application_insights_key = optional(string) # (Optional) The instrumentation key of the Application Insights resource to send telemetry to.
container_registry_managed_identity_client_id = optional(string)
container_registry_use_managed_identity = optional(bool)
default_documents = optional(list(string)) #(Optional) Specifies a list of Default Documents for the Windows Function App.
elastic_instance_minimum = optional(number) #(Optional) The number of minimum instances for this Windows Function App. Only affects apps on Elastic Premium plans.
ftps_state = optional(string, "Disabled") #(Optional) State of FTP / FTPS service for this Windows Function App. Possible values include: AllAllowed, FtpsOnly and Disabled. Defaults to Disabled.
health_check_eviction_time_in_min = optional(number) #(Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with health_check_path.
health_check_path = optional(string) #(Optional) The path to be checked for this Windows Function App health.
http2_enabled = optional(bool, false) #(Optional) Specifies if the HTTP2 protocol should be enabled. Defaults to false.
ip_restriction_default_action = optional(string, "Allow") #(Optional) The default action for IP restrictions. Possible values include: Allow and Deny. Defaults to Allow.
load_balancing_mode = optional(string, "LeastRequests") #(Optional) The Site load balancing mode. Possible values include: WeightedRoundRobin, LeastRequests, LeastResponseTime, WeightedTotalTraffic, RequestHash, PerSiteRoundRobin. Defaults to LeastRequests if omitted.
local_mysql_enabled = optional(bool, false) #(Optional) Should local MySQL be enabled. Defaults to false.
managed_pipeline_mode = optional(string, "Integrated") #(Optional) Managed pipeline mode. Possible values include: Integrated, Classic. Defaults to Integrated.
minimum_tls_version = optional(string, "1.2") #(Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
pre_warmed_instance_count = optional(number) #(Optional) The number of pre-warmed instances for this Windows Function App. Only affects apps on an Elastic Premium plan.
remote_debugging_enabled = optional(bool, false) #(Optional) Should Remote Debugging be enabled. Defaults to false.
remote_debugging_version = optional(string) #(Optional) The Remote Debugging Version. Possible values include VS2017, VS2019, and VS2022.
runtime_scale_monitoring_enabled = optional(bool) #(Optional) Should runtime scale monitoring be enabled.
scm_ip_restriction_default_action = optional(string, "Allow") #(Optional) The default action for SCM IP restrictions. Possible values include: Allow and Deny. Defaults to Allow.
scm_minimum_tls_version = optional(string, "1.2") #(Optional) Configures the minimum version of TLS required for SSL requests to Kudu. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
scm_use_main_ip_restriction = optional(bool, false) #(Optional) Should the SCM use the same IP restrictions as the main site. Defaults to false.
use_32_bit_worker = optional(bool, false) #(Optional) Should the 32-bit worker process be used. Defaults to false.
vnet_route_all_enabled = optional(bool, false) #(Optional) Should all traffic be routed to the virtual network. Defaults to false.
websockets_enabled = optional(bool, false) #(Optional) Should Websockets be enabled. Defaults to false.
worker_count = optional(number) #(Optional) The number of workers for this Windows Function App. Only affects apps on an Elastic Premium plan.
app_service_logs = optional(map(object({
disk_quota_mb = optional(number, 35)
retention_period_days = optional(number)
})), {})
application_stack = optional(map(object({
dotnet_version = optional(string)
java_version = optional(string)
node_version = optional(string)
powershell_core_version = optional(string)
python_version = optional(string)
go_version = optional(string)
ruby_version = optional(string)
java_server = optional(string)
java_server_version = optional(string)
php_version = optional(string)
use_custom_runtime = optional(bool)
use_dotnet_isolated_runtime = optional(bool)
docker = optional(list(object({
image_name = string
image_tag = string
registry_password = optional(string)
registry_url = string
registry_username = optional(string)
})))
current_stack = optional(string)
docker_image_name = optional(string)
docker_registry_url = optional(string)
docker_registry_username = optional(string)
docker_registry_password = optional(string)
docker_container_name = optional(string)
docker_container_tag = optional(string)
java_embedded_server_enabled = optional(bool)
tomcat_version = optional(bool)
})), {})
cors = optional(map(object({
allowed_origins = optional(list(string))
support_credentials = optional(bool, false)
})), {}) #(Optional) A cors block as defined above.
ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {}) #(Optional) One or more ip_restriction blocks as defined above.
scm_ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {}) #(Optional) One or more scm_ip_restriction blocks as defined above.
virtual_application = optional(map(object({
physical_path = optional(string, "site\\wwwroot")
preload_enabled = optional(bool, false)
virtual_directory = optional(map(object({
physical_path = optional(string)
virtual_path = optional(string)
})), {})
virtual_path = optional(string, "/")
})),
{
default = {
physical_path = "site\\wwwroot"
preload_enabled = false
virtual_path = "/"
}
}
)
}), {})
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}), null)
}))Default: {}
Description: Whether to inherit the lock from the parent resource for the deployment slots. Defaults to true.
Type: bool
Default: true
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
name- (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.log_categories- (Optional) A set of log categories to send to the log analytics workspace. Defaults to[].log_groups- (Optional) A set of log groups to send to the log analytics workspace. Defaults to["allLogs"].metric_categories- (Optional) A set of metric categories to send to the log analytics workspace. Defaults to["AllMetrics"].log_analytics_destination_type- (Optional) The destination type for the diagnostic setting. Possible values areDedicatedandAzureDiagnostics. Defaults toDedicated. Will resolve tonullas Function App / web App does not support Destination Table.workspace_resource_id- (Optional) The resource ID of the log analytics workspace to send logs and metrics to.storage_account_resource_id- (Optional) The resource ID of the Storage Account to send logs and metrics to.event_hub_authorization_rule_resource_id- (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.event_hub_name- (Optional) The name of the event hub. If none is specified, the default event hub will be selected.marketplace_partner_resource_id- (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.
Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))Default: {}
Description: Should Application Insights be enabled for the Function App?
Type: bool
Default: true
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: Is the Function App enabled? Defaults to true.
Type: bool
Default: true
Description: Should basic authentication be enabled for FTP publish?
Type: bool
Default: true
Description: The version of the Azure Functions runtime to use. Defaults to ~4.
Type: string
Default: "~4"
Description: Should the Function App only be accessible over HTTPS?
Type: bool
Default: false
Description: The identity ID to use for Key Vault references.
Type: string
Default: null
Description: The lock level to apply. Possible values for kind are None, CanNotDelete, and ReadOnly.
Type:
object({
kind = string
name = optional(string, null)
})Default: null
Description:
A map of logs to create on the Function App.
Type:
map(object({
application_logs = optional(map(object({
azure_blob_storage = optional(object({
level = optional(string, "Off")
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system_level = optional(string, "Off")
})), {})
detailed_error_messages = optional(bool, false)
failed_request_tracing = optional(bool, false)
http_logs = optional(map(object({
azure_blob_storage_http = optional(object({
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system = optional(object({
retention_in_days = optional(number, 0)
retention_in_mb = number
}))
})), {})
}))Default: {}
Description: Managed identities to be created for the resource.
Type:
object({
system_assigned = optional(bool, false)
user_assigned_resource_ids = optional(set(string), [])
})Default: {}
Description: A map of private endpoints to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
name- (Optional) The name of the private endpoint. One will be generated if not set.role_assignments- (Optional) A map of role assignments to create on the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time. Seevar.role_assignmentsfor more information.principal_type- (Optional) The type of theprincipal_id. Possible values areUser,GroupandServicePrincipal. It is necessary to explicitly set this attribute when creating private endpoints if the principal creating the assignment is constrained by RBAC rules that filters on the PrincipalType attribute.lock- (Optional) The lock level to apply to the private endpoint. Default isNone. Possible values areNone,CanNotDelete, andReadOnly.tags- (Optional) A mapping of tags to assign to the private endpoint.subnet_resource_id- The resource ID of the subnet to deploy the private endpoint in.private_dns_zone_group_name- (Optional) The name of the private DNS zone group. One will be generated if not set.private_dns_zone_resource_ids- (Optional) A set of resource IDs of private DNS zones to associate with the private endpoint. If not set, no zone groups will be created and the private endpoint will not be associated with any private DNS zones. DNS records must be managed external to this module.application_security_group_resource_ids- (Optional) A map of resource IDs of application security groups to associate with the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.private_service_connection_name- (Optional) The name of the private service connection. One will be generated if not set.network_interface_name- (Optional) The name of the network interface. One will be generated if not set.location- (Optional) The Azure location where the resources will be deployed. Defaults to the location of the resource group.resource_group_name- (Optional) The resource group where the resources will be deployed. Defaults to the resource group of this resource.ip_configurations- (Optional) A map of IP configurations to create on the private endpoint. If not specified the platform will create one. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.name- The name of the IP configuration.private_ip_address- The private IP address of the IP configuration.
Type:
map(object({
name = optional(string, null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
tags = optional(map(string), null)
subnet_resource_id = string
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(set(string), [])
application_security_group_associations = optional(map(string), {})
private_service_connection_name = optional(string, null)
network_interface_name = optional(string, null)
location = optional(string, null)
resource_group_name = optional(string, null)
ip_configurations = optional(map(object({
name = string
private_ip_address = string
})), {})
}))Default: {}
Description: Should the private endpoints inherit the lock from the parent resource? Defaults to true.
Type: bool
Default: true
Description: Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy.
Type: bool
Default: true
Description: Should the Function App be accessible from the public network? Defaults to true.
Type: bool
Default: true
Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
role_definition_id_or_name- The ID or name of the role definition to assign to the principal.principal_id- The ID of the principal to assign the role to.description- The description of the role assignment.skip_service_principal_aad_check- If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults tofalse.condition- The condition which will be used to scope the role assignment.condition_version- The version of the condition syntax. Valid values are2.0.delegated_managed_identity_resource_id- (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.principal_type- (Optional) The type of theprincipal_id. Possible values areUser,GroupandServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Note: only set
skip_service_principal_aad_checkto true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))Default: {}
Description: An object that configures the Function App's site_config block.
always_on- (Optional) If this Linux Web App is Always On enabled. Defaults tofalse.api_definition_url- (Optional) The URL of the API definition that describes this Linux Function App.api_management_api_id- (Optional) The ID of the API Management API for this Linux Function App.app_command_line- (Optional) The App command line to launch.app_scale_limit- (Optional) The number of workers this function app can scale out to. Only applicable to apps on the Consumption and Premium plan.application_insights_connection_string- (Optional) The Connection String for linking the Linux Function App to Application Insights.application_insights_key- (Optional) The Instrumentation Key for connecting the Linux Function App to Application Insights.container_registry_managed_identity_client_id- (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.container_registry_use_managed_identity- (Optional) Should connections for Azure Container Registry use Managed Identity.default_documents- (Optional) Specifies a list of Default Documents for the Linux Web App.elastic_instance_minimum- (Optional) The number of minimum instances for this Linux Function App. Only affects apps on Elastic Premium plans.ftps_state- (Optional) State of FTP / FTPS service for this function app. Possible values include:AllAllowed,FtpsOnlyandDisabled. Defaults toDisabled.health_check_eviction_time_in_min- (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between2and10. Only valid in conjunction withhealth_check_path.health_check_path- (Optional) The path to be checked for this function app health.http2_enabled- (Optional) Specifies if the HTTP2 protocol should be enabled. Defaults tofalse.load_balancing_mode- (Optional) The Site load balancing mode. Possible values include:WeightedRoundRobin,LeastRequests,LeastResponseTime,WeightedTotalTraffic,RequestHash,PerSiteRoundRobin. Defaults toLeastRequestsif omitted.managed_pipeline_mode- (Optional) Managed pipeline mode. Possible values include:Integrated,Classic. Defaults toIntegrated.minimum_tls_version- (Optional) The configures the minimum version of TLS required for SSL requests. Possible values include:1.0,1.1,1.2, and1.3. Defaults to1.2.pre_warmed_instance_count- (Optional) The number of pre-warmed instances for this function app. Only affects apps on an Elastic Premium plan.remote_debugging_enabled- (Optional) Should Remote Debugging be enabled. Defaults tofalse.remote_debugging_version- (Optional) The Remote Debugging Version. Possible values includeVS2017,VS2019, andVS2022.runtime_scale_monitoring_enabled- (Optional) Should Scale Monitoring of the Functions Runtime be enabled?scm_minimum_tls_version- (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site Possible values include:1.0,1.1,1.2, and1.3. Defaults to1.2.scm_use_main_ip_restriction- (Optional) Should the Linux Function Appip_restrictionconfiguration be used for the SCM also.use_32_bit_worker- (Optional) Should the Linux Web App use a 32-bit worker process. Defaults tofalse.vnet_route_all_enabled- (Optional) Should all outbound traffic to have NAT Gateways, Network Security Groups and User Defined Routes applied? Defaults tofalse.websockets_enabled- (Optional) Should Web Sockets be enabled. Defaults tofalse.worker_count- (Optional) The number of Workers for this Linux Function App.
app_service_logs block supports the following:
disk_quota_mb- (Optional) The amount of disk space to use for logs. Valid values are between25and100. Defaults to35.retention_period_days- (Optional) The retention period for logs in days. Valid values are between0and99999.(never delete).
application_stack block supports the following:
dotnet_version- (Optional) The version of .NET to use. Possible values include3.1,6.0,7.0and8.0.java_version- (Optional) The Version of Java to use. Supported versions include8,11&17.node_version- (Optional) The version of Node to run. Possible values include12,14,16and18.powershell_core_version- (Optional) The version of PowerShell Core to run. Possible values are7, and7.2.python_version- (Optional) The version of Python to run. Possible values are3.12,3.11,3.10,3.9,3.8and3.7.go_version- (Optional) The version of Go to use. Possible values are1.18, and1.19.ruby_version- (Optional) The version of Ruby to use. Possible values are2.6, and2.7.java_server- (Optional) The Java server type. Possible values areJAVA,TOMCAT, andJBOSSEAP.java_server_version- (Optional) The version of the Java server to use.php_version- (Optional) The version of PHP to use. Possible values are7.4,8.0,8.1, and8.2.use_custom_runtime- (Optional) Should the Linux Function App use a custom runtime?use_dotnet_isolated_runtime- (Optional) Should the DotNet process use an isolated runtime. Defaults tofalse.
docker block supports the following:
image_name- (Required) The name of the Docker image to use.image_tag- (Required) The image tag of the image to use.registry_password- (Optional) The password for the account to use to connect to the registry.registry_url- (Required) The URL of the docker registry.registry_username- (Optional) The username to use for connections to the registry.
cors block supports the following:
allowed_origins- (Optional) Specifies a list of origins that should be allowed to make cross-origin calls.support_credentials- (Optional) Are credentials allowed in CORS requests? Defaults tofalse.
ip_restriction block supports the following:
action- (Optional) The action to take. Possible values areAlloworDeny. Defaults toAllow.ip_address- (Optional) The CIDR notation of the IP or IP Range to match. For example:10.0.0.0/24or192.168.10.1/32name- (Optional) The name which should be used for thisip_restriction.priority- (Optional) The priority value of thisip_restriction. Defaults to65000.service_tag- (Optional) The Service Tag used for this IP Restriction.virtual_network_subnet_id- (Optional) The Virtual Network Subnet ID used for this IP Restriction.
headers block supports the following:
x_azure_fdid- (Optional) Specifies a list of Azure Front Door IDs.x_fd_health_probe- (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is1.x_forwarded_for- (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.x_forwarded_host- (Optional) Specifies a list of Hosts for which matching should be applied.
scm_ip_restriction block supports the following:
action- (Optional) The action to take. Possible values areAlloworDeny. Defaults toAllow.ip_address- (Optional) The CIDR notation of the IP or IP Range to match. For example:10.0.0.0/24or192.168.10.1/32name- (Optional) The name which should be used for thisip_restriction.priority- (Optional) The priority value of thisip_restriction. Defaults to65000.service_tag- (Optional) The Service Tag used for this IP Restriction.virtual_network_subnet_id- (Optional) The Virtual Network Subnet ID used for this IP Restriction.
headers block supports the following:
x_azure_fdid- (Optional) Specifies a list of Azure Front Door IDs.x_fd_health_probe- (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is1.x_forwarded_for- (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.x_forwarded_host- (Optional) Specifies a list of Hosts for which matching should be applied.
Type:
object({
always_on = optional(bool, false)
api_definition_url = optional(string)
api_management_api_id = optional(string)
app_command_line = optional(string)
auto_heal_enabled = optional(bool)
app_scale_limit = optional(number)
application_insights_connection_string = optional(string)
application_insights_key = optional(string)
container_registry_managed_identity_client_id = optional(string)
container_registry_use_managed_identity = optional(bool)
default_documents = optional(list(string))
elastic_instance_minimum = optional(number)
ftps_state = optional(string, "Disabled")
health_check_eviction_time_in_min = optional(number)
health_check_path = optional(string)
http2_enabled = optional(bool, false)
ip_restriction_default_action = optional(string, "Allow")
load_balancing_mode = optional(string, "LeastRequests")
local_mysql_enabled = optional(bool, false)
managed_pipeline_mode = optional(string, "Integrated")
minimum_tls_version = optional(string, "1.2")
pre_warmed_instance_count = optional(number)
remote_debugging_enabled = optional(bool, false)
remote_debugging_version = optional(string)
runtime_scale_monitoring_enabled = optional(bool)
scm_ip_restriction_default_action = optional(string, "Allow")
scm_minimum_tls_version = optional(string, "1.2")
scm_use_main_ip_restriction = optional(bool, false)
use_32_bit_worker = optional(bool, false)
vnet_route_all_enabled = optional(bool, false)
websockets_enabled = optional(bool, false)
worker_count = optional(number)
app_service_logs = optional(map(object({
disk_quota_mb = optional(number, 35)
retention_period_days = optional(number)
})), {})
application_stack = optional(map(object({
dotnet_version = optional(string)
java_version = optional(string)
node_version = optional(string)
powershell_core_version = optional(string)
python_version = optional(string)
go_version = optional(string)
ruby_version = optional(string)
java_server = optional(string)
java_server_version = optional(string)
php_version = optional(string)
use_custom_runtime = optional(bool)
use_dotnet_isolated_runtime = optional(bool)
docker = optional(list(object({
image_name = string
image_tag = string
registry_password = optional(string)
registry_url = string
registry_username = optional(string)
})))
current_stack = optional(string)
docker_image_name = optional(string)
docker_registry_url = optional(string)
docker_registry_username = optional(string)
docker_registry_password = optional(string)
docker_container_name = optional(string)
docker_container_tag = optional(string)
java_embedded_server_enabled = optional(bool)
tomcat_version = optional(bool)
})), {})
cors = optional(map(object({
allowed_origins = optional(list(string))
support_credentials = optional(bool, false)
})), {})
ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {})
scm_ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {})
virtual_application = optional(map(object({
physical_path = optional(string, "site\\wwwroot")
preload_enabled = optional(bool, false)
virtual_directory = optional(map(object({
physical_path = optional(string)
virtual_path = optional(string)
})), {})
virtual_path = optional(string, "/")
})),
{
default = {
physical_path = "site\\wwwroot"
preload_enabled = false
virtual_path = "/"
}
})
})Default: {}
Description: A map of sticky settings to assign to the Function App.
app_setting_names- (Optional) A list of app setting names to make sticky.connection_string_names- (Optional) A list of connection string names to make sticky.
sticky_settings = {
sticky1 = {
app_setting_names = ["example1", "example2"]
connection_string_names = ["example1", "example2"]
}
}Type:
map(object({
app_setting_names = optional(list(string))
connection_string_names = optional(list(string))
}))Default: {}
Description: The access key of the Storage Account to deploy the Function App in. Conflicts with storage_uses_managed_identity.
Type: string
Default: null
Description: The name of the Storage Account to deploy the Function App in.
Type: string
Default: null
Description: The ID of the secret in the key vault to use for the Storage Account access key.
Type: string
Default: null
Description: A map of objects that represent Storage Account FILE SHARES to mount to the Function App.
This functionality is only available for Linux Function Apps, via documentation
The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
access_key- (Optional) The access key of the Storage Account.account_name- (Optional) The name of the Storage Account.name- (Optional) The name of the Storage Account to mount.share_name- (Optional) The name of the share to mount.type- (Optional) The type of Storage Account. Currently, only atypeofAzureFilesis supported. Defaults toAzureFiles.mount_path- (Optional) The path to mount the Storage Account to.
storage_accounts = {
storacc1 = {
access_key = "00000000-0000-0000-0000-000000000000"
account_name = "example"
name = "example"
share_name = "example"
type = "AzureFiles"
mount_path = "/mnt/example"
}
}Type:
map(object({
access_key = string
account_name = string
mount_path = string
name = string
share_name = string
type = optional(string, "AzureFiles")
}))Default: {}
Description: Should the Storage Account use a Managed Identity? Conflicts with storage_account_access_key.
Type: bool
Default: false
Description: The map of tags to be applied to the resource
Type: map(string)
Default: null
Description: - create - (Defaults to 30 minutes) Used when creating the Linux Function App.
delete- (Defaults to 30 minutes) Used when deleting the Linux Function App.read- (Defaults to 5 minutes) Used when retrieving the Linux Function App.update- (Defaults to 30 minutes) Used when updating the Linux Function App.
Type:
object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
})Default: null
Description: The ID of the subnet to deploy the Function App in.
Type: string
Default: null
Description: Should basic authentication be enabled for web deploy?
Type: bool
Default: true
Description: The path to the zip file to deploy to the Function App.
Type: string
Default: null
The following outputs are exported:
Description: The application insights resource.
Description: The locks of the deployment slots.
Description: The active slot.
Description: The deployment slots.
Description: The object principal id of the resource.
Description: The kind of app service.
Description: The location of the resource.
Description: The name of the resource.
Description: The operating system type of the resource.
Description: The locks of the deployment slots.
Description: This is the full output for the resource.
Description: This is the full output for the resource.
Description: The locks of the resources.
Description: A map of private endpoints. The map key is the supplied input to var.private_endpoints. The map value is the entire azurerm_private_endpoint resource.
Description: The default hostname of the resource.
Description: value
Description: The thumbprint of the certificate.
Description: The active slot.
Description: The deployment slots.
No modules.
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.