azurermAppConfiguration

Manages an Azure App Configuration.

Disclaimers

-> Note: Version 3.27.0 and later of the Azure Provider include a Feature Toggle which will purge an App Configuration resource on destroy, rather than the default soft-delete. The Provider will automatically recover a soft-deleted App Configuration during creation if one is found. See the Features block documentation for more information on Feature Toggles within Terraform.

-> Note: Reading and purging soft-deleted App Configurations requires the Microsoft.AppConfiguration/locations/deletedConfigurationStores/read and Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action permissions on Subscription scope. Recovering a soft-deleted App Configuration requires the Microsoft.AppConfiguration/configurationStores/write permission on Subscription or Resource Group scope. More information can be found in the Azure Documentation for App Configuration. See the following links for more information on assigning Azure custom roles or using the azurermRoleAssignment resource to assign a custom role.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
new azurerm.appConfiguration.AppConfiguration(this, "appconf", {
  location: azurermResourceGroupExample.location,
  name: "appConf1",
  resource_group_name: azurermResourceGroupExample.name,
});

Example Usage (encryption)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      app_configuration: [
        {
          purge_soft_delete_on_destroy: true,
          recover_soft_deleted: true,
        },
      ],
    },
  ],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermUserAssignedIdentityExample =
  new azurerm.userAssignedIdentity.UserAssignedIdentity(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "example-identity",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermUserAssignedIdentityExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_4",
  {
    location: azurermResourceGroupExample.location,
    name: "exampleKVt123",
    purge_protection_enabled: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "standard",
    soft_delete_retention_days: 7,
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyClient =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "client", {
    key_permissions: [
      "Get",
      "Create",
      "Delete",
      "List",
      "Restore",
      "Recover",
      "UnwrapKey",
      "WrapKey",
      "Purge",
      "Encrypt",
      "Decrypt",
      "Sign",
      "Verify",
      "GetRotationPolicy",
    ],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: dataAzurermClientConfigCurrent.objectId,
    secret_permissions: ["Get"],
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultAccessPolicyServer =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "server", {
    key_permissions: ["Get", "UnwrapKey", "WrapKey"],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: azurermUserAssignedIdentityExample.principalId,
    secret_permissions: ["Get"],
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_7",
  {
    depends_on: [
      `\${${azurermKeyVaultAccessPolicyClient.fqn}}`,
      `\${${azurermKeyVaultAccessPolicyServer.fqn}}`,
    ],
    key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
    key_size: 2048,
    key_type: "RSA",
    key_vault_id: azurermKeyVaultExample.id,
    name: "exampleKVkey",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermAppConfigurationExample =
  new azurerm.appConfiguration.AppConfiguration(this, "example_8", {
    depends_on: [
      `\${${azurermKeyVaultAccessPolicyClient.fqn}}`,
      `\${${azurermKeyVaultAccessPolicyServer.fqn}}`,
    ],
    encryption: [
      {
        identity_client_id: azurermUserAssignedIdentityExample.clientId,
        key_vault_key_identifier: azurermKeyVaultKeyExample.id,
      },
    ],
    identity: [
      {
        identity_ids: [azurermUserAssignedIdentityExample.id],
        type: "UserAssigned",
      },
    ],
    local_auth_enabled: true,
    location: azurermResourceGroupExample.location,
    name: "appConf2",
    public_network_access: "Enabled",
    purge_protection_enabled: false,
    resource_group_name: azurermResourceGroupExample.name,
    sku: "standard",
    soft_delete_retention_days: 1,
    tags: {
      environment: "development",
    },
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppConfigurationExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the App Configuration. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the App Configuration. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • identity - (Optional) An identity block as defined below.

~> NOTE: Azure does not allow a downgrade of the sku from standard to free.

  • encryption - (Optional) An encryption block as defined below.

  • localAuthEnabled - (Optional) Whether local authentication methods are enabled. Defaults to true.

  • publicNetworkAccess - (Optional) The Public Network Access setting of the App Configuration. Possible values are Enabled and Disabled.

~> NOTE: If publicNetworkAccess is not specified, the App Configuration will be created as automatic. However, once a different value is defined, it cannot be set back to automatic.

  • purgeProtectionEnabled - (Optional) Whether Purge Protection is enabled. This field only works for standard sku. Defaults to false.

!> Note: Once Purge Protection has been enabled it's not possible to disable it. Deleting an App Configuration with Purge Protection enabled schedules it for deletion, which Azure performs after the configured number of days.

  • sku - (Optional) The SKU name of the App Configuration. Possible values are free and standard.

  • softDeleteRetentionDays - (Optional) The number of days that items should be retained for once soft-deleted. This field only works for standard sku. This value can be between 1 and 7 days. Defaults to 7. Changing this forces a new resource to be created.

~> Note: If Purge Protection is enabled, this field can only be configured one time and cannot be updated.

  • tags - (Optional) A mapping of tags to assign to the resource.

An encryption block supports the following:

  • keyVaultKeyIdentifier - (Optional) Specifies the URI of the key vault key used to encrypt data.

  • identityClientId - (Optional) Specifies the client id of the identity which will be used to access key vault.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this App Configuration. Possible values are "SystemAssigned", "UserAssigned", and "SystemAssigned, UserAssigned" (to enable both).

  • identityIds - (Optional) A list of User Assigned Managed Identity IDs to be assigned to this App Configuration.

~> NOTE: This is required when type is set to "UserAssigned" or "SystemAssigned, UserAssigned".
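
The argument constraints above (defaults, sku restrictions, required identity fields) can be checked before synthesis. The following is an added example, not part of the provider or its generated bindings: AppConfigArgs and reviewAppConfig are hypothetical names, and the sample objects are constructed from the settings of the encryption example.

```typescript
// Added example, not provider code. AppConfigArgs and reviewAppConfig are
// hypothetical names; the fields mirror the Argument Reference above.
interface AppConfigArgs {
  sku?: string;
  localAuthEnabled?: boolean;
  publicNetworkAccess?: string;
  purgeProtectionEnabled?: boolean;
  softDeleteRetentionDays?: number;
  encryption?: { keyVaultKeyIdentifier?: string; identityClientId?: string };
  identity?: { type: string; identityIds?: string[] };
}

function reviewAppConfig(a: AppConfigArgs): string[] {
  const findings: string[] = [];
  const standard = (a.sku ?? "").toLowerCase() === "standard";
  // localAuthEnabled defaults to true, so an unset value still allows access keys.
  if (a.localAuthEnabled ?? true) findings.push("local-auth: access keys are enabled");
  // Unset means "automatic"; only an explicit "disabled" passes.
  if ((a.publicNetworkAccess ?? "").toLowerCase() !== "disabled")
    findings.push("public-network: public network access is not disabled");
  if (!(a.purgeProtectionEnabled ?? false))
    findings.push("purge-protection: not enabled");
  else if (!standard)
    findings.push("purge-protection: only works for the standard sku");
  const days = a.softDeleteRetentionDays;
  if (days !== undefined && (days % 1 !== 0 || days < 1 || days > 7))
    findings.push("soft-delete: retention must be between 1 and 7 days");
  const userAssigned = (a.identity?.type ?? "").toLowerCase().indexOf("userassigned") >= 0;
  if (userAssigned && !a.identity?.identityIds?.length)
    findings.push("identity: identityIds is required for a user-assigned type");
  if (a.encryption) {
    if (!a.encryption.keyVaultKeyIdentifier)
      findings.push("encryption: keyVaultKeyIdentifier is missing");
    // Assumption: the key vault is reached through the store's managed identity.
    if (!a.identity) findings.push("encryption: no identity block configured");
  }
  return findings;
}

// Constructed inputs: the encryption example's settings, then a hardened variant.
const pageExample: AppConfigArgs = {
  sku: "standard", localAuthEnabled: true, publicNetworkAccess: "Enabled",
  purgeProtectionEnabled: false, softDeleteRetentionDays: 1,
  identity: { type: "UserAssigned", identityIds: ["<identity-id>"] },
  encryption: { keyVaultKeyIdentifier: "<key-uri>", identityClientId: "<client-id>" },
};
const hardened: AppConfigArgs = { ...pageExample, localAuthEnabled: false,
  publicNetworkAccess: "Disabled", purgeProtectionEnabled: true, softDeleteRetentionDays: 7 };
console.log(reviewAppConfig(pageExample), reviewAppConfig(hardened));
```

Run against the encryption example's settings, the check reports the enabled access keys, the open public network access and the missing purge protection; the hardened variant reports nothing.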


Attributes Reference

The following attributes are exported:

  • id - The App Configuration ID.

  • endpoint - The URL of the App Configuration.

  • primaryReadKey - A primaryReadKey block as defined below containing the primary read access key.

  • primaryWriteKey - A primaryWriteKey block as defined below containing the primary write access key.

  • secondaryReadKey - A secondaryReadKey block as defined below containing the secondary read access key.

  • secondaryWriteKey - A secondaryWriteKey block as defined below containing the secondary write access key.

  • identity - An identity block as defined below.


An identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.


A primaryReadKey block exports the following:

  • connectionString - The Connection String for this Access Key, comprising the Endpoint, ID and Secret.

  • id - The ID of the Access Key.

  • secret - The Secret of the Access Key.


A primaryWriteKey block exports the following:

  • connectionString - The Connection String for this Access Key, comprising the Endpoint, ID and Secret.

  • id - The ID of the Access Key.

  • secret - The Secret of the Access Key.


A secondaryReadKey block exports the following:

  • connectionString - The Connection String for this Access Key, comprising the Endpoint, ID and Secret.

  • id - The ID of the Access Key.

  • secret - The Secret of the Access Key.


A secondaryWriteKey block exports the following:

  • connectionString - The Connection String for this Access Key, comprising the Endpoint, ID and Secret.

  • id - The ID of the Access Key.

  • secret - The Secret of the Access Key.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the App Configuration.
  • update - (Defaults to 30 minutes) Used when updating the App Configuration.
  • read - (Defaults to 5 minutes) Used when retrieving the App Configuration.
  • delete - (Defaults to 30 minutes) Used when deleting the App Configuration.

Import

App Configurations can be imported using the resource ID, e.g.

terraform import azurerm_app_configuration.appconf /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.AppConfiguration/configurationStores/appConf1