
azurermAppService

Manages an App Service (within an App Service Plan).

!> NOTE: This resource has been deprecated in version 3.0 of the AzureRM provider and will be removed in version 4.0. Please use azurermLinuxWebApp and azurermWindowsWebApp resources instead.

-> Note: When using Slots - the appSettings, connectionString and siteConfig blocks on the azurermAppService resource will be overwritten when promoting a Slot using the azurermAppServiceActiveSlot resource.

Example Usage

This example provisions a Windows App Service. Other examples of the azurermAppService resource can be found in the /examples/appService directory within the GitHub Repository.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermAppServicePlanExample = new azurerm.appServicePlan.AppServicePlan(
  this,
  "example_1",
  {
    location: azurermResourceGroupExample.location,
    name: "example-appserviceplan",
    resource_group_name: azurermResourceGroupExample.name,
    sku: [
      {
        size: "S1",
        tier: "Standard",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServicePlanExample.overrideLogicalId("example");
const azurermAppServiceExample = new azurerm.appService.AppService(
  this,
  "example_2",
  {
    app_service_plan_id: azurermAppServicePlanExample.id,
    app_settings: [
      {
        SOME_KEY: "some-value",
      },
    ],
    connection_string: [
      {
        name: "Database",
        type: "SQLServer",
        value: "Server=some-server.mydomain.com;Integrated Security=SSPI",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example-app-service",
    resource_group_name: azurermResourceGroupExample.name,
    site_config: [
      {
        dotnet_framework_version: "v4.0",
        scm_type: "LocalGit",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the App Service. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the App Service. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • appServicePlanId - (Required) The ID of the App Service Plan within which to create this App Service.

  • appSettings - (Optional) A key-value pair of App Settings.

  • authSettings - (Optional) An authSettings block as defined below.

  • backup - (Optional) A backup block as defined below.

  • connectionString - (Optional) One or more connectionString blocks as defined below.

  • clientAffinityEnabled - (Optional) Should the App Service send session affinity cookies, which route client requests in the same session to the same instance?

  • clientCertEnabled - (Optional) Does the App Service require client certificates for incoming requests? Defaults to false.

  • clientCertMode - (Optional) Mode of client certificates for this App Service. Possible values are required, optional and optionalInteractiveUser. If this parameter is set, clientCertEnabled must be set to true, otherwise this parameter is ignored.

  • enabled - (Optional) Is the App Service Enabled? Defaults to true.

  • identity - (Optional) An identity block as defined below.

  • httpsOnly - (Optional) Can the App Service only be accessed via HTTPS? Defaults to false.

  • keyVaultReferenceIdentityId - (Optional) The User Assigned Identity Id used for looking up KeyVault secrets. The identity must be assigned to the application. For more information see - Access vaults with a user-assigned identity

  • logs - (Optional) A logs block as defined below.

  • storageAccount - (Optional) One or more storageAccount blocks as defined below.

  • siteConfig - (Optional) A siteConfig block as defined below.

  • sourceControl - (Optional) A Source Control block as defined below

  • tags - (Optional) A mapping of tags to assign to the resource.


A storageAccount block supports the following:

  • name - (Required) The name of the storage account identifier.

  • type - (Required) The type of storage. Possible values are azureBlob and azureFiles.

  • accountName - (Required) The name of the storage account.

  • shareName - (Required) The name of the file share (container name, for Blob storage).

  • accessKey - (Required) The access key for the storage account.

  • mountPath - (Optional) The path to mount the storage within the site's runtime environment.


A connectionString block supports the following:

  • name - (Required) The name of the Connection String.

  • type - (Required) The type of the Connection String. Possible values are apiHub, custom, docDb, eventHub, mySql, notificationHub, postgreSql, redisCache, serviceBus, sqlAzure and sqlServer.

  • value - (Required) The value for the Connection String.


An identity block supports the following:

  • type - (Required) Specifies the identity type of the App Service. Possible values are systemAssigned (where Azure will generate a Service Principal for you), userAssigned where you can specify the Service Principal IDs in the identityIds field, and systemAssigned,UserAssigned which assigns both a system managed identity as well as the specified user assigned identities.

~> NOTE: When type is set to systemAssigned, the assigned principalId and tenantId can be retrieved after the App Service has been created. More details are available below.

  • identityIds - (Optional) Specifies a list of user managed identity ids to be assigned. Required if type is userAssigned.

A logs block supports the following:

  • applicationLogs - (Optional) An applicationLogs block as defined below.

  • httpLogs - (Optional) An httpLogs block as defined below.

  • detailedErrorMessagesEnabled - (Optional) Should detailedErrorMessages be enabled on this App Service? Defaults to false.

  • failedRequestTracingEnabled - (Optional) Should failedRequestTracing be enabled on this App Service? Defaults to false.


An applicationLogs block supports the following:

  • azureBlobStorage - (Optional) An azureBlobStorage block as defined below.

  • fileSystemLevel - (Optional) Log level for filesystem based logging. Supported values are error, information, verbose, warning and off. Defaults to off.


An httpLogs block supports one of the following:

  • fileSystem - (Optional) A fileSystem block as defined below.

  • azureBlobStorage - (Optional) An azureBlobStorage block as defined below.


An azureBlobStorage block supports the following:

  • level - (Required) The level at which to log. Possible values include error, warning, information, verbose and off. NOTE: this field is not available for httpLogs

  • sasUrl - (Required) The URL to the storage container with a shared access signature token appended.

  • retentionInDays - (Required) The number of days to retain logs for.


A fileSystem block supports the following:

  • retentionInDays - (Required) The number of days to retain logs for.

  • retentionInMb - (Required) The maximum size in megabytes that HTTP log files can use before being removed.


A siteConfig block supports the following:

  • acrUseManagedIdentityCredentials - (Optional) Are Managed Identity Credentials used for Azure Container Registry pull

  • acrUserManagedIdentityClientId - (Optional) If using User Managed Identity, the User Managed Identity Client Id

~> NOTE: When using User Managed Identity with Azure Container Registry, the Identity will need to have the ACRPull role assigned.

  • alwaysOn - (Optional) Should the app be loaded at all times? Defaults to false.

~> NOTE: When using an App Service Plan in the free or shared tiers, alwaysOn must be set to false.

  • appCommandLine - (Optional) App command line to launch, e.g. /sbin/myserver -b 0.0.0.0.

  • autoSwapSlotName - (Optional) The name of the slot to automatically swap to during deployment

  • cors - (Optional) A cors block as defined below.

  • defaultDocuments - (Optional) The ordering of default documents to load, if an address isn't specified.

  • dotnetFrameworkVersion - (Optional) The version of the .NET framework's CLR used in this App Service. Possible values are v2.0 (which will use the latest version of the .NET framework for the .NET CLR v2 - currently .NET 3.5), v4.0 (which corresponds to the latest version of the .NET CLR v4 - which at the time of writing is .NET 4.7.1), v5.0 and v6.0. For more information on which .NET CLR version to use based on the .NET framework you're targeting - please see this table. Defaults to v4.0.

  • ftpsState - (Optional) State of FTP / FTPS service for this App Service. Possible values include: allAllowed, ftpsOnly and disabled.

  • healthCheckPath - (Optional) The health check path to be pinged by App Service. For more information - please see App Service health check announcement.

  • numberOfWorkers - (Optional) The scaled number of workers (for per site scaling) of this App Service. Requires that perSiteScaling is enabled on the azurermAppServicePlan. For more information - please see Microsoft documentation on high-density hosting.

  • http2Enabled - (Optional) Is HTTP2 Enabled on this App Service? Defaults to false.

  • ipRestriction - (Optional) A List of objects representing IP restrictions as defined below.

-> NOTE User has to explicitly set ipRestriction to empty slice ([]) to remove it.

  • scmUseMainIpRestriction - (Optional) IP security restrictions for scm to use main. Defaults to false.

-> NOTE Any scmIpRestriction blocks configured are ignored by the service when scmUseMainIpRestriction is set to true. Any scm restrictions will become active if this is subsequently set to false or removed.

  • scmIpRestriction - (Optional) A List of objects representing IP restrictions as defined below.

-> NOTE User has to explicitly set scmIpRestriction to empty slice ([]) to remove it.

  • javaVersion - (Optional) The version of Java to use. If specified javaContainer and javaContainerVersion must also be specified. Possible values are 1.7, 1.8 and 11 and their specific versions - except for Java 11 (e.g. 1.7.0_80, 1.8.0_181, 11).

  • javaContainer - (Optional) The Java Container to use. If specified javaVersion and javaContainerVersion must also be specified. Possible values are java, jetty, and tomcat.

  • javaContainerVersion - (Optional) The version of the Java Container to use. If specified javaVersion and javaContainer must also be specified.

  • localMysqlEnabled - (Optional) Is "MySQL In App" Enabled? This runs a local MySQL instance with your app and shares resources from the App Service plan.

~> NOTE: MySQL In App is not intended for production environments and will not scale beyond a single instance. Instead you may wish to use Azure Database for MySQL.

  • linuxFxVersion - (Optional) Linux App Framework and version for the App Service. Possible options are a Docker container (docker|<user/image:tag>), a base-64 encoded Docker Compose file (compose|${filebase64("compose.yml")}) or a base-64 encoded Kubernetes Manifest (kube|${filebase64("kubernetes.yml")}).

~> NOTE: To set this property the App Service Plan to which the App belongs must be configured with kind = "linux" and reserved = true, or the API will reject any value supplied.

  • windowsFxVersion - (Optional) The Windows Docker container image (docker|<user/image:tag>)

Additional examples of how to run Containers via the azurermAppService resource can be found in the /examples/appService directory within the GitHub Repository.

  • managedPipelineMode - (Optional) The Managed Pipeline Mode. Possible values are integrated and classic. Defaults to integrated.

  • minTlsVersion - (Optional) The minimum supported TLS version for the app service. Possible values are 1.0, 1.1, and 1.2. Defaults to 1.2 for new app services.

  • phpVersion - (Optional) The version of PHP to use in this App Service. Possible values are 5.5, 5.6, 7.0, 7.1, 7.2, 7.3 and 7.4.

  • pythonVersion - (Optional) The version of Python to use in this App Service. Possible values are 2.7 and 3.4.

  • remoteDebuggingEnabled - (Optional) Is Remote Debugging Enabled? Defaults to false.

  • remoteDebuggingVersion - (Optional) Which version of Visual Studio should the Remote Debugger be compatible with? Possible values are vs2017 and vs2019.

  • scmType - (Optional) The type of Source Control enabled for this App Service. Defaults to none. Possible values are: bitbucketGit, bitbucketHg, codePlexGit, codePlexHg, dropbox, externalGit, externalHg, gitHub, localGit, none, oneDrive, tfs, vso, and vstsrm

  • use32BitWorkerProcess - (Optional) Should the App Service run in 32 bit mode, rather than 64 bit mode?

~> NOTE: When using an App Service Plan in the free or shared tiers, use32BitWorkerProcess must be set to true.

  • vnetRouteAllEnabled - (Optional) Should all outbound traffic have Virtual Network Security Groups and User Defined Routes applied? Defaults to false.

~> NOTE: This setting supersedes the previous mechanism of setting the appSettings value of WEBSITE_VNET_ROUTE_ALL. However, to prevent older configurations from breaking, Terraform will update this value, if it is not explicitly set, to the value in appSettings.WEBSITE_VNET_ROUTE_ALL.

  • websocketsEnabled - (Optional) Should WebSockets be enabled?

A cors block supports the following:

  • allowedOrigins - (Required) A list of origins which should be able to make cross-origin calls. * can be used to allow all calls.

  • supportCredentials - (Optional) Are credentials supported?
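
Several of the arguments above default to a permissive value (httpsOnly, clientCertEnabled and scmUseMainIpRestriction all default to false), so leaving a key out is itself a configuration decision. The following is an added example, not code from the provider or from the original page: it audits a plain object that uses the argument names documented here and applies the documented defaults to omitted keys. AppServiceArgs, Finding, auditAppService and weakExample are hypothetical names, and the sample input is constructed.

```typescript
// Added example (not provider code). All type and function names are hypothetical.
interface Cors { allowedOrigins: string[]; supportCredentials?: boolean }
interface SiteConfig {
  minTlsVersion?: string;
  ftpsState?: string;
  remoteDebuggingEnabled?: boolean;
  scmUseMainIpRestriction?: boolean;
  ipRestriction?: object[];
  scmIpRestriction?: object[];
  cors?: Cors;
}
interface AppServiceArgs {
  name: string;
  httpsOnly?: boolean;
  clientCertEnabled?: boolean;
  clientCertMode?: string;
  siteConfig?: SiteConfig;
}
interface Finding { argument: string; reason: string }

function auditAppService(app: AppServiceArgs): Finding[] {
  const out: Finding[] = [];
  const add = (argument: string, reason: string) => { out.push({ argument, reason }); };
  const sc: SiteConfig = app.siteConfig ?? {};

  // httpsOnly defaults to false, so an omitted key still permits plain HTTP.
  if (!(app.httpsOnly ?? false)) add("httpsOnly", "plain HTTP is accepted");

  // clientCertMode is ignored unless clientCertEnabled is true (default false).
  if (app.clientCertMode !== undefined && !(app.clientCertEnabled ?? false))
    add("clientCertMode", "ignored because clientCertEnabled is not true");

  // Accept dotted ("1.0") and undotted ("10") spellings; the default is 1.2.
  const tls = (sc.minTlsVersion ?? "1.2").replace(/\./g, "");
  if (tls !== "12") add("siteConfig.minTlsVersion", "TLS below 1.2 is accepted");

  if (sc.ftpsState === "allAllowed")
    add("siteConfig.ftpsState", "plain FTP is allowed alongside FTPS");

  if (sc.remoteDebuggingEnabled ?? false)
    add("siteConfig.remoteDebuggingEnabled", "remote debugging is enabled");

  // scmIpRestriction blocks are ignored while scmUseMainIpRestriction is true;
  // the scm site then inherits the main ipRestriction list instead.
  const useMain = sc.scmUseMainIpRestriction ?? false;
  const scmRules = sc.scmIpRestriction ?? [];
  if (useMain && scmRules.length > 0)
    add("siteConfig.scmIpRestriction", "ignored while scmUseMainIpRestriction is true");
  const effective = useMain ? (sc.ipRestriction ?? []) : scmRules;
  if (effective.length === 0)
    add("siteConfig.scmUseMainIpRestriction", "scm site has no effective IP restriction");

  // "*" allows every origin; flag it, and more strongly with credentials.
  const cors = sc.cors;
  if (cors && cors.allowedOrigins.indexOf("*") !== -1)
    add("siteConfig.cors.allowedOrigins", cors.supportCredentials
      ? "wildcard origin combined with supportCredentials"
      : "every origin may make cross-origin calls");

  return out;
}

// Constructed sample input: each key below triggers one finding.
const weakExample: AppServiceArgs = {
  name: "example-app-service",
  clientCertMode: "required",
  siteConfig: {
    minTlsVersion: "1.0",
    ftpsState: "allAllowed",
    remoteDebuggingEnabled: true,
    cors: { allowedOrigins: ["*"], supportCredentials: true },
  },
};
```
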


An authSettings block supports the following:

  • enabled - (Required) Is Authentication enabled?

  • activeDirectory - (Optional) An activeDirectory block as defined below.

  • additionalLoginParams - (Optional) Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value".

  • allowedExternalRedirectUrls - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app.

  • defaultProvider - (Optional) The default provider to use when multiple providers have been set up. Possible values are azureActiveDirectory, facebook, google, microsoftAccount and twitter.

~> NOTE: When using multiple providers, the default provider must be set for settings like unauthenticatedClientAction to work.

  • facebook - (Optional) A facebook block as defined below.

  • google - (Optional) A google block as defined below.

  • issuer - (Optional) Issuer URI. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.

  • microsoft - (Optional) A microsoft block as defined below.

  • runtimeVersion - (Optional) The runtime version of the Authentication/Authorization module.

  • tokenRefreshExtensionHours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72.

  • tokenStoreEnabled - (Optional) If enabled the module will durably store platform-specific security tokens that are obtained during login flows. Defaults to false.

  • twitter - (Optional) A twitter block as defined below.

  • unauthenticatedClientAction - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values are allowAnonymous and redirectToLoginPage.


An activeDirectory block supports the following:

  • clientId - (Required) The Client ID of this relying party application. Enables OpenID Connect authentication with Azure Active Directory.

  • clientSecret - (Optional) The Client Secret of this relying party application. If no secret is provided, implicit flow will be used.

  • allowedAudiences - (Optional) Allowed audience values to consider when validating JWTs issued by Azure Active Directory.


A facebook block supports the following:

  • appId - (Required) The App ID of the Facebook app used for login

  • appSecret - (Required) The App Secret of the Facebook app used for Facebook login.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Facebook login authentication. https://developers.facebook.com/docs/facebook-login


A google block supports the following:

  • clientId - (Required) The OpenID Connect Client ID for the Google web application.

  • clientSecret - (Required) The client secret associated with the Google web application.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. https://developers.google.com/identity/sign-in/web/


A twitter block supports the following:

  • consumerKey - (Required) The consumer key of the Twitter app used for login

  • consumerSecret - (Required) The consumer secret of the Twitter app used for login.


An ipRestriction block supports the following:

  • ipAddress - (Optional) The IP Address used for this IP Restriction in CIDR notation.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

-> NOTE: One of either ipAddress, serviceTag or virtualNetworkSubnetId must be specified

  • name - (Optional) The name for this IP Restriction.

  • priority - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.

  • action - (Optional) Does this restriction allow or deny access for this IP range. Defaults to allow.

  • headers - (Optional) The headers for this specific ipRestriction as defined below.


A scmIpRestriction block supports the following:

  • ipAddress - (Optional) The IP Address used for this IP Restriction in CIDR notation.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

-> NOTE: One of either ipAddress, serviceTag or virtualNetworkSubnetId must be specified

  • name - (Optional) The name for this IP Restriction.

  • priority - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.

  • action - (Optional) Allow or Deny access for this IP range. Defaults to allow.

  • headers - (Optional) The headers for this specific scmIpRestriction as defined below.


A headers block supports the following:

  • xAzureFdid - (Optional) A list of allowed Azure FrontDoor IDs in UUID notation with a maximum of 8.

  • xFdHealthProbe - (Optional) A list to allow the Azure FrontDoor health probe header. Only allowed value is "1".

  • xForwardedFor - (Optional) A list of allowed 'X-Forwarded-For' IPs in CIDR notation with a maximum of 8

  • xForwardedHost - (Optional) A list of allowed 'X-Forwarded-Host' domains with a maximum of 8.


A microsoft block supports the following:

  • clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • clientSecret - (Required) The OAuth 2.0 client secret that was created for the app used for authentication.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. https://msdn.microsoft.com/en-us/library/dn631845.aspx


A backup block supports the following:

  • name - (Required) Specifies the name for this Backup.

  • enabled - (Optional) Is this Backup enabled? Defaults to true.

  • storageAccountUrl - (Required) The SAS URL to a Storage Container where Backups should be saved.

  • schedule - (Required) A schedule block as defined below.


A schedule block supports the following:

  • frequencyInterval - (Required) Sets how often the backup should be executed.

  • frequencyUnit - (Required) Sets the unit of time for how often the backup should be executed. Possible values are day or hour.

  • keepAtLeastOneBackup - (Optional) Should at least one backup always be kept in the Storage Account by the Retention Policy, regardless of how old it is?

  • retentionPeriodInDays - (Optional) Specifies the number of days after which Backups should be deleted. Defaults to 30.

  • startTime - (Optional) Sets when the schedule should start working.


A sourceControl block supports the following:

  • repoUrl - (Optional) The URL of the source code repository.

  • branch - (Optional) The branch of the remote repository to use. Defaults to 'master'.

  • manualIntegration - (Optional) Limits to manual integration. Defaults to false if not specified.

  • rollbackEnabled - (Optional) Enable roll-back for the repository. Defaults to false if not specified.

  • useMercurial - (Optional) Use Mercurial if true, otherwise uses Git.

Attributes Reference

The following attributes are exported:

  • id - The ID of the App Service.

  • customDomainVerificationId - An identifier used by App Service to perform domain ownership verification via DNS TXT record.

  • defaultSiteHostname - The Default Hostname associated with the App Service - such as mysite.azurewebsites.net

  • outboundIpAddresses - A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12

  • outboundIpAddressList - A list of outbound IP addresses - such as ["52.23.25.3", "52.143.43.12"]

  • possibleOutboundIpAddresses - A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12,52.143.43.17 - not all of which are necessarily in use. Superset of outboundIpAddresses.

  • possibleOutboundIpAddressList - A list of outbound IP addresses - such as ["52.23.25.3", "52.143.43.12", "52.143.43.17"] - not all of which are necessarily in use. Superset of outboundIpAddressList.

  • sourceControl - A sourceControl block as defined below, which contains the Source Control information when scmType is set to localGit.

  • siteCredential - A siteCredential block as defined below, which contains the site-level credentials used to publish to this App Service.

  • identity - An identity block as defined below, which contains the Managed Service Identity information for this App Service.


An identity block exports the following:

  • principalId - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.

  • tenantId - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.

-> You can access the Principal ID via azurerm_app_service.example.identity.0.principal_id and the Tenant ID via azurerm_app_service.example.identity.0.tenant_id


A siteCredential block exports the following:

  • username - The username which can be used to publish to this App Service

  • password - The password associated with the username, which can be used to publish to this App Service.

~> NOTE: Both username and password for the siteCredential block are only exported when scmType is set to localGit.


A sourceControl block exports the following:

  • repoUrl - URL of the Git repository for this App Service.
  • branch - Branch name of the Git repository for this App Service.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the App Service.
  • update - (Defaults to 30 minutes) Used when updating the App Service.
  • read - (Defaults to 5 minutes) Used when retrieving the App Service.
  • delete - (Defaults to 30 minutes) Used when deleting the App Service.

Import

App Services can be imported using the resourceId, e.g.

terraform import azurerm_app_service.instance1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Web/sites/instance1