
azurermAppServiceSlot

Manages an App Service Slot (within an App Service).

!> NOTE: This resource has been deprecated in version 3.0 of the AzureRM provider and will be removed in version 4.0. Please use azurermLinuxWebAppSlot and azurermWindowsWebAppSlot resources instead.

-> Note: When using Slots - the appSettings, connectionString and siteConfig blocks on the azurermAppService resource will be overwritten when promoting a Slot using the azurermAppServiceActiveSlot resource.

Example Usage (.NET 4.x)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as random from "./.gen/providers/random";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm, random.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "some-resource-group",
  }
);
const randomIdServer = new random.id.Id(this, "server", {
  byte_length: 8,
  keepers: [
    {
      azi_id: 1,
    },
  ],
});
const azurermAppServicePlanExample = new azurerm.appServicePlan.AppServicePlan(
  this,
  "example_2",
  {
    location: azurermResourceGroupExample.location,
    name: "some-app-service-plan",
    resource_group_name: azurermResourceGroupExample.name,
    sku: [
      {
        size: "S1",
        tier: "Standard",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServicePlanExample.overrideLogicalId("example");
const azurermAppServiceExample = new azurerm.appService.AppService(
  this,
  "example_3",
  {
    app_service_plan_id: azurermAppServicePlanExample.id,
    app_settings: [
      {
        SOME_KEY: "some-value",
      },
    ],
    connection_string: [
      {
        name: "Database",
        type: "SQLServer",
        value: "Server=some-server.mydomain.com;Integrated Security=SSPI",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: randomIdServer.hex,
    resource_group_name: azurermResourceGroupExample.name,
    site_config: [
      {
        dotnet_framework_version: "v4.0",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceExample.overrideLogicalId("example");
const azurermAppServiceSlotExample = new azurerm.appServiceSlot.AppServiceSlot(
  this,
  "example_4",
  {
    app_service_name: azurermAppServiceExample.name,
    app_service_plan_id: azurermAppServicePlanExample.id,
    app_settings: [
      {
        SOME_KEY: "some-value",
      },
    ],
    connection_string: [
      {
        name: "Database",
        type: "SQLServer",
        value: "Server=some-server.mydomain.com;Integrated Security=SSPI",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: randomIdServer.hex,
    resource_group_name: azurermResourceGroupExample.name,
    site_config: [
      {
        dotnet_framework_version: "v4.0",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceSlotExample.overrideLogicalId("example");

Example Usage (Java 1.8)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as random from "./.gen/providers/random";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm, random.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "some-resource-group",
  }
);
const randomIdServer = new random.id.Id(this, "server", {
  byte_length: 8,
  keepers: [
    {
      azi_id: 1,
    },
  ],
});
const azurermAppServicePlanExample = new azurerm.appServicePlan.AppServicePlan(
  this,
  "example_2",
  {
    location: azurermResourceGroupExample.location,
    name: "some-app-service-plan",
    resource_group_name: azurermResourceGroupExample.name,
    sku: [
      {
        size: "S1",
        tier: "Standard",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServicePlanExample.overrideLogicalId("example");
const azurermAppServiceExample = new azurerm.appService.AppService(
  this,
  "example_3",
  {
    app_service_plan_id: azurermAppServicePlanExample.id,
    location: azurermResourceGroupExample.location,
    name: randomIdServer.hex,
    resource_group_name: azurermResourceGroupExample.name,
    site_config: [
      {
        java_container: "JETTY",
        java_container_version: "9.3",
        java_version: "1.8",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceExample.overrideLogicalId("example");
const azurermAppServiceSlotExample = new azurerm.appServiceSlot.AppServiceSlot(
  this,
  "example_4",
  {
    app_service_name: azurermAppServiceExample.name,
    app_service_plan_id: azurermAppServicePlanExample.id,
    location: azurermResourceGroupExample.location,
    name: randomIdServer.hex,
    resource_group_name: azurermResourceGroupExample.name,
    site_config: [
      {
        java_container: "JETTY",
        java_container_version: "9.3",
        java_version: "1.8",
      },
    ],
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermAppServiceSlotExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the App Service Slot component. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the App Service Slot component. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • appServicePlanId - (Required) The ID of the App Service Plan within which to create this App Service Slot. Changing this forces a new resource to be created.

  • appServiceName - (Required) The name of the App Service within which to create the App Service Slot. Changing this forces a new resource to be created.

  • appSettings - (Optional) A key-value pair of App Settings.

  • authSettings - (Optional) An authSettings block as defined below.

  • connectionString - (Optional) A connectionString block as defined below.

  • clientAffinityEnabled - (Optional) Should the App Service Slot send session affinity cookies, which route client requests in the same session to the same instance?

  • enabled - (Optional) Is the App Service Slot Enabled? Defaults to true.

  • httpsOnly - (Optional) Can the App Service Slot only be accessed via HTTPS? Defaults to false.

  • siteConfig - (Optional) A siteConfig object as defined below.

  • storageAccount - (Optional) One or more storageAccount blocks as defined below.

  • logs - (Optional) A logs block as defined below.

  • identity - (Optional) An identity block as defined below.

  • keyVaultReferenceIdentityId - (Optional) The User Assigned Identity Id used for looking up KeyVault secrets. The identity must be assigned to the application. See Access vaults with a user-assigned identity for more information.

  • tags - (Optional) A mapping of tags to assign to the resource.


A storageAccount block supports the following:

  • name - (Required) The name of the storage account identifier.

  • type - (Required) The type of storage. Possible values are AzureBlob and AzureFiles.

  • accountName - (Required) The name of the storage account.

  • shareName - (Required) The name of the file share (container name, for Blob storage).

  • accessKey - (Required) The access key for the storage account.

  • mountPath - (Optional) The path to mount the storage within the site's runtime environment.


The connectionString block supports the following:

  • name - (Required) The name of the Connection String.
  • type - (Required) The type of the Connection String. Possible values are APIHub, Custom, DocDb, EventHub, MySQL, NotificationHub, PostgreSQL, RedisCache, ServiceBus, SQLAzure, and SQLServer.
  • value - (Required) The value for the Connection String.

A siteConfig block supports the following:

  • acrUseManagedIdentityCredentials - (Optional) Are Managed Identity Credentials used for Azure Container Registry pull?

  • acrUserManagedIdentityClientId - (Optional) If using User Managed Identity, the User Managed Identity Client Id.

~> NOTE: When using User Managed Identity with Azure Container Registry the Identity will need to have the ACRPull role assigned.

  • alwaysOn - (Optional) Should the slot be loaded at all times? Defaults to false.

~> NOTE: when using an App Service Plan in the free or shared Tiers alwaysOn must be set to false.

  • appCommandLine - (Optional) App command line to launch, e.g. /sbin/myserver -b 0.0.0.0.

  • autoSwapSlotName - (Optional) The name of the slot to automatically swap to during deployment.

  • cors - (Optional) A cors block as defined below.

  • defaultDocuments - (Optional) The ordering of default documents to load, if an address isn't specified.

  • dotnetFrameworkVersion - (Optional) The version of the .NET framework's CLR used in this App Service Slot. Possible values are v2.0 (which will use the latest version of the .NET framework for the .NET CLR v2 - currently .NET 3.5), v4.0 (which corresponds to the latest version of the .NET CLR v4 - which at the time of writing is .NET 4.7.1), v5.0 and v6.0. For more information on which .NET CLR version to use based on the .NET framework you're targeting - please see this table. Defaults to v4.0.

  • ftpsState - (Optional) State of FTP / FTPS service for this App Service Slot. Possible values include: AllAllowed, FtpsOnly and Disabled.

  • healthCheckPath - (Optional) The health check path to be pinged by App Service Slot. For more information - please see App Service health check announcement.

  • numberOfWorkers - (Optional) The scaled number of workers (for per site scaling) of this App Service Slot. Requires that perSiteScaling is enabled on the azurermAppServicePlan. For more information - please see Microsoft documentation on high-density hosting.

  • http2Enabled - (Optional) Is HTTP2 Enabled on this App Service? Defaults to false.

  • ipRestriction - (Optional) A List of objects representing IP restrictions as defined below.

-> NOTE User has to explicitly set ipRestriction to empty slice ([]) to remove it.

  • scmUseMainIpRestriction - (Optional) IP security restrictions for scm to use main. Defaults to false.

-> NOTE Any scmIpRestriction blocks configured are ignored by the service when scmUseMainIpRestriction is set to true. Any scm restrictions will become active if this is subsequently set to false or removed.

  • scmIpRestriction - (Optional) A List of objects representing IP restrictions as defined below.

-> NOTE User has to explicitly set scmIpRestriction to empty slice ([]) to remove it.

  • javaVersion - (Optional) The version of Java to use. If specified javaContainer and javaContainerVersion must also be specified. Possible values are 1.7, 1.8, and 11 and their specific versions - except for Java 11 (e.g. 1.7.0_80, 1.8.0_181, 11).

  • javaContainer - (Optional) The Java Container to use. If specified javaVersion and javaContainerVersion must also be specified. Possible values are JAVA, JETTY, and TOMCAT.

  • javaContainerVersion - (Optional) The version of the Java Container to use. If specified javaVersion and javaContainer must also be specified.

  • localMysqlEnabled - (Optional) Is "MySQL In App" Enabled? This runs a local MySQL instance with your app and shares resources from the App Service plan.

~> NOTE: MySQL In App is not intended for production environments and will not scale beyond a single instance. Instead you may wish to use Azure Database for MySQL.

  • linuxFxVersion - (Optional) Linux App Framework and version for the App Service Slot. Possible options are a Docker container (DOCKER|<user/image:tag>), a base-64 encoded Docker Compose file (COMPOSE|${filebase64("compose.yml")}) or a base-64 encoded Kubernetes Manifest (KUBE|${filebase64("kubernetes.yml")}).

~> NOTE: To set this property the App Service Plan to which the App belongs must be configured with kind = "Linux", and reserved = true or the API will reject any value supplied.

  • windowsFxVersion - (Optional) The Windows Docker container image (DOCKER|<user/image:tag>).

Additional examples of how to run Containers via the azurermAppServiceSlot resource can be found in the /examples/appService directory within the GitHub Repository.

  • managedPipelineMode - (Optional) The Managed Pipeline Mode. Possible values are Integrated and Classic. Defaults to Integrated.

  • minTlsVersion - (Optional) The minimum supported TLS version for the app service. Possible values are 1.0, 1.1, and 1.2. Defaults to 1.2 for new app services.

  • phpVersion - (Optional) The version of PHP to use in this App Service Slot. Possible values are 5.5, 5.6, 7.0, 7.1, 7.2, 7.3, and 7.4.

  • pythonVersion - (Optional) The version of Python to use in this App Service Slot. Possible values are 2.7 and 3.4.

  • remoteDebuggingEnabled - (Optional) Is Remote Debugging Enabled? Defaults to false.

  • remoteDebuggingVersion - (Optional) Which version of Visual Studio should the Remote Debugger be compatible with? Possible values are VS2017 and VS2019.

  • scmType - (Optional) The type of Source Control enabled for this App Service Slot. Defaults to None. Possible values are: BitbucketGit, BitbucketHg, CodePlexGit, CodePlexHg, Dropbox, ExternalGit, ExternalHg, GitHub, LocalGit, None, OneDrive, Tfs, VSO, and VSTSRM.

  • use32BitWorkerProcess - (Optional) Should the App Service Slot run in 32 bit mode, rather than 64 bit mode?

~> NOTE: when using an App Service Plan in the free or shared Tiers use32BitWorkerProcess must be set to true.

  • vnetRouteAllEnabled - (Optional) Should all outbound traffic have Virtual Network Security Groups and User Defined Routes applied? Defaults to false.

~> NOTE: This setting supersedes the previous mechanism of setting the appSettings value of WEBSITE_VNET_ROUTE_ALL. However, to prevent older configurations breaking, Terraform will update this value, if it is not explicitly set, to the value in appSettings.WEBSITE_VNET_ROUTE_ALL.

  • websocketsEnabled - (Optional) Should WebSockets be enabled?

A cors block supports the following:

  • allowedOrigins - (Required) A list of origins which should be able to make cross-origin calls. * can be used to allow all calls.

  • supportCredentials - (Optional) Are credentials supported?


An authSettings block supports the following:

  • enabled - (Required) Is Authentication enabled?

  • activeDirectory - (Optional) An activeDirectory block as defined below.

  • additionalLoginParams - (Optional) Login parameters to send to the OpenID Connect authorization endpoint when a user logs in. Each parameter must be in the form "key=value".

  • allowedExternalRedirectUrls - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app.

  • defaultProvider - (Optional) The default provider to use when multiple providers have been set up. Possible values are AzureActiveDirectory, Facebook, Google, MicrosoftAccount and Twitter.

~> NOTE: When using multiple providers, the default provider must be set for settings like unauthenticatedClientAction to work.

  • facebook - (Optional) A facebook block as defined below.

  • google - (Optional) A google block as defined below.

  • issuer - (Optional) Issuer URI. When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.

  • microsoft - (Optional) A microsoft block as defined below.

  • runtimeVersion - (Optional) The runtime version of the Authentication/Authorization module.

  • tokenRefreshExtensionHours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72.

  • tokenStoreEnabled - (Optional) If enabled the module will durably store platform-specific security tokens that are obtained during login flows. Defaults to false.

  • twitter - (Optional) A twitter block as defined below.

  • unauthenticatedClientAction - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values are AllowAnonymous and RedirectToLoginPage.


An activeDirectory block supports the following:

  • clientId - (Required) The Client ID of this relying party application. Enables OpenID Connect authentication with Azure Active Directory.

  • clientSecret - (Optional) The Client Secret of this relying party application. If no secret is provided, implicit flow will be used.

  • allowedAudiences - (Optional) Allowed audience values to consider when validating JWTs issued by Azure Active Directory.


A facebook block supports the following:

  • appId - (Required) The App ID of the Facebook app used for login

  • appSecret - (Required) The App Secret of the Facebook app used for Facebook login.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Facebook login authentication. https://developers.facebook.com/docs/facebook-login


A twitter block supports the following:

  • consumerKey - (Required) The consumer key of the Twitter app used for login

  • consumerSecret - (Required) The consumer secret of the Twitter app used for login.


A google block supports the following:

  • clientId - (Required) The OpenID Connect Client ID for the Google web application.

  • clientSecret - (Required) The client secret associated with the Google web application.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. https://developers.google.com/identity/sign-in/web/


An ipRestriction block supports the following:

  • ipAddress - (Optional) The IP Address used for this IP Restriction in CIDR notation.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

-> NOTE: One of either ipAddress, serviceTag or virtualNetworkSubnetId must be specified

  • name - (Optional) The name for this IP Restriction.

  • priority - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.

  • action - (Optional) Does this restriction allow or deny access for this IP range? Defaults to Allow.

  • headers - (Optional) The headers for this specific ipRestriction as defined below. The HTTP header filters are evaluated after the rule itself and both conditions must be true for the rule to apply.


A headers block supports the following:

  • xAzureFdid - (Optional) A list of allowed Azure FrontDoor IDs in UUID notation with a maximum of 8.

  • xFdHealthProbe - (Optional) A list to allow the Azure FrontDoor health probe header. Only allowed value is "1".

  • xForwardedFor - (Optional) A list of allowed 'X-Forwarded-For' IPs in CIDR notation with a maximum of 8

  • xForwardedHost - (Optional) A list of allowed 'X-Forwarded-Host' domains with a maximum of 8.


A scmIpRestriction block supports the following:

  • ipAddress - (Optional) The IP Address used for this IP Restriction in CIDR notation.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

-> NOTE: One of either ipAddress, serviceTag or virtualNetworkSubnetId must be specified

  • name - (Optional) The name for this IP Restriction.

  • priority - (Optional) The priority for this IP Restriction. Restrictions are enforced in priority order. By default, priority is set to 65000 if not specified.

  • action - (Optional) Allow or Deny access for this IP range. Defaults to Allow.

  • headers - (Optional) The headers for this specific scmIpRestriction as defined below.
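
Several of the arguments above interact in ways that are easy to miss, for example httpsOnly defaulting to false and scmIpRestriction being ignored while scmUseMainIpRestriction is true. The following is an added example, not part of the provider documentation: a TypeScript check over a plain object that uses this page's argument names. SlotArgs, auditSlot and the finding IDs are hypothetical, the inputs are constructed, and enum values are written in the form the provider accepts (e.g. "1.0", "AllAllowed").

```typescript
// Added example: SlotArgs mirrors a subset of the arguments documented on this
// page; auditSlot and its finding IDs are hypothetical names, not provider API.
interface IpRule {
  ipAddress?: string;
  serviceTag?: string;
  virtualNetworkSubnetId?: string;
}
interface SiteConfig {
  minTlsVersion?: string;
  ftpsState?: string;
  remoteDebuggingEnabled?: boolean;
  cors?: { allowedOrigins: string[]; supportCredentials?: boolean };
  ipRestriction?: IpRule[];
  scmIpRestriction?: IpRule[];
  scmUseMainIpRestriction?: boolean;
}
interface SlotArgs {
  httpsOnly?: boolean;
  siteConfig?: SiteConfig;
}

// The ipRestriction NOTE is read here as "exactly one source selector per rule".
function badSelectors(rules: IpRule[], label: string): string[] {
  const out: string[] = [];
  rules.forEach((r, i) => {
    const set = [r.ipAddress, r.serviceTag, r.virtualNetworkSubnetId].filter(
      (v) => v !== undefined && v !== ""
    ).length;
    if (set !== 1) out.push(`${label}[${i}]-needs-exactly-one-selector`);
  });
  return out;
}

function auditSlot(args: SlotArgs): string[] {
  const findings: string[] = [];
  const sc: SiteConfig = args.siteConfig ?? {};
  const main = sc.ipRestriction ?? [];
  const scm = sc.scmIpRestriction ?? [];

  // httpsOnly defaults to false, so it has to be set explicitly.
  if (args.httpsOnly !== true) findings.push("https-not-enforced");
  // Only an explicit downgrade is flagged; unset keeps the documented default.
  if (sc.minTlsVersion !== undefined && parseFloat(sc.minTlsVersion) < 1.2) {
    findings.push("tls-below-1.2");
  }
  if ((sc.ftpsState ?? "").toLowerCase() === "allallowed") findings.push("plain-ftp-allowed");
  if (sc.remoteDebuggingEnabled === true) findings.push("remote-debugging-enabled");

  const cors = sc.cors;
  if (cors && cors.allowedOrigins.indexOf("*") !== -1) {
    findings.push(cors.supportCredentials ? "cors-wildcard-with-credentials" : "cors-wildcard");
  }

  if (sc.scmUseMainIpRestriction === true) {
    // The service ignores scmIpRestriction while scm follows the main rules.
    if (scm.length > 0) findings.push("scm-rules-ignored");
    if (main.length === 0) findings.push("scm-unrestricted");
  } else if (scm.length === 0) {
    findings.push("scm-unrestricted");
  }
  return findings.concat(badSelectors(main, "ipRestriction"), badSelectors(scm, "scmIpRestriction"));
}

// Constructed inputs: a slot that leans on defaults and a locked-down one.
const weakSlot: SlotArgs = {
  siteConfig: {
    minTlsVersion: "1.0", ftpsState: "AllAllowed", remoteDebuggingEnabled: true,
    cors: { allowedOrigins: ["*"], supportCredentials: true },
    scmUseMainIpRestriction: true,
    scmIpRestriction: [{ ipAddress: "203.0.113.0/24", serviceTag: "AzureCloud" }],
  },
};
const hardenedSlot: SlotArgs = {
  httpsOnly: true,
  siteConfig: {
    minTlsVersion: "1.2", ftpsState: "Disabled", remoteDebuggingEnabled: false,
    cors: { allowedOrigins: ["https://app.example.com"] },
    ipRestriction: [{ serviceTag: "AzureFrontDoor.Backend" }],
    scmIpRestriction: [{ ipAddress: "198.51.100.10/32" }],
  },
};
console.log(auditSlot(weakSlot), auditSlot(hardenedSlot));
```

Running the same function over the props object passed to the AppServiceSlot construct before synthesis gives a pre-deployment gate for these settings.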


A microsoft block supports the following:

  • clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • clientSecret - (Required) The OAuth 2.0 client secret that was created for the app used for authentication.

  • oauthScopes - (Optional) The OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. https://msdn.microsoft.com/en-us/library/dn631845.aspx


An identity block supports the following:

  • type - (Required) Specifies the identity type of the App Service. Possible values are SystemAssigned (where Azure will generate a Service Principal for you), UserAssigned (where you can specify the Service Principal IDs in the identityIds field), and SystemAssigned, UserAssigned (which assigns both a system managed identity as well as the specified user assigned identities).

~> NOTE: When type is set to SystemAssigned, the assigned principalId and tenantId can be retrieved after the App Service has been created. More details are available below.

  • identityIds - (Optional) Specifies a list of user managed identity ids to be assigned. Required if type is UserAssigned.

A logs block supports the following:

  • applicationLogs - (Optional) An applicationLogs block as defined below.

  • httpLogs - (Optional) An httpLogs block as defined below.

  • detailedErrorMessagesEnabled - (Optional) Should detailedErrorMessages be enabled on this App Service slot? Defaults to false.

  • failedRequestTracingEnabled - (Optional) Should failedRequestTracing be enabled on this App Service slot? Defaults to false.


An applicationLogs block supports the following:

  • fileSystemLevel - (Optional) The file system log level. Possible values are Off, Error, Warning, Information, and Verbose.

  • azureBlobStorage - (Optional) An azureBlobStorage block as defined below.


An httpLogs block supports one of the following:

  • fileSystem - (Optional) A fileSystem block as defined below.

  • azureBlobStorage - (Optional) An azureBlobStorage block as defined below.


An azureBlobStorage block supports the following:

  • level - (Required) The level at which to log. Possible values include Error, Warning, Information, Verbose and Off. NOTE: this field is not available for httpLogs.

  • sasUrl - (Required) The URL to the storage container, with a Service SAS token appended. NOTE: there is currently no means of generating Service SAS tokens with the azurerm provider.

  • retentionInDays - (Required) The number of days to retain logs for.


A fileSystem block supports the following:

  • retentionInDays - (Required) The number of days to retain logs for.

  • retentionInMb - (Required) The maximum size in megabytes that HTTP log files can use before being removed.

Attributes Reference

The following attributes are exported:

  • id - The ID of the App Service Slot.

  • defaultSiteHostname - The Default Hostname associated with the App Service Slot - such as mysite.azurewebsites.net

  • siteCredential - A siteCredential block as defined below, which contains the site-level credentials used to publish to this App Service slot.

  • identity - An identity block as defined below, which contains the Managed Service Identity information for this App Service slot.


An identity block exports the following:

  • principalId - The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service slot.

  • tenantId - The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service slot.

-> You can access the Principal ID via azurerm_app_service_slot.example.identity.0.principal_id and the Tenant ID via azurerm_app_service_slot.example.identity.0.tenant_id


The siteCredential block exports the following:

  • username - The username which can be used to publish to this App Service
  • password - The password associated with the username, which can be used to publish to this App Service.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the App Service Slot.
  • update - (Defaults to 30 minutes) Used when updating the App Service Slot.
  • read - (Defaults to 5 minutes) Used when retrieving the App Service Slot.
  • delete - (Defaults to 30 minutes) Used when deleting the App Service Slot.

Import

App Service Slots can be imported using the resourceId, e.g.

terraform import azurerm_app_service_slot.instance1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Web/sites/website1/slots/instance1