azurermLinuxFunctionApp

Manages a Linux Function App.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [{}],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermServicePlanExample = new azurerm.servicePlan.ServicePlan(
  this,
  "example_2",
  {
    location: azurermResourceGroupExample.location,
    name: "example-app-service-plan",
    osType: "Linux",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "Y1",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermServicePlanExample.overrideLogicalId("example");
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_3",
  {
    accountReplicationType: "LRS",
    accountTier: "Standard",
    location: azurermResourceGroupExample.location,
    name: "linuxfunctionappsa",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const azurermLinuxFunctionAppExample =
  new azurerm.linuxFunctionApp.LinuxFunctionApp(this, "example_4", {
    location: azurermResourceGroupExample.location,
    name: "example-linux-function-app",
    resourceGroupName: azurermResourceGroupExample.name,
    servicePlanId: azurermServicePlanExample.id,
    siteConfig: [{}],
    storageAccountAccessKey: azurermStorageAccountExample.primaryAccessKey,
    storageAccountName: azurermStorageAccountExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermLinuxFunctionAppExample.overrideLogicalId("example");

Arguments Reference

The following arguments are supported:

  • location - (Required) The Azure Region where the Linux Function App should exist. Changing this forces a new Linux Function App to be created.

  • name - (Required) The name which should be used for this Linux Function App. Changing this forces a new Linux Function App to be created. Limit the function name to 32 characters to avoid naming collisions. For more information, see Function App naming rule and Host ID Collisions.

  • resourceGroupName - (Required) The name of the Resource Group where the Linux Function App should exist. Changing this forces a new Linux Function App to be created.

  • servicePlanId - (Required) The ID of the App Service Plan within which to create this Function App.

  • siteConfig - (Required) A siteConfig block as defined below.


  • appSettings - (Optional) A map of key-value pairs for App Settings and custom values.

\~> Note: For runtime-related settings, use nodeVersion in siteConfig to set the Node version and functionsExtensionVersion to set the Functions runtime version. Terraform assigns these values to the WEBSITE_NODE_DEFAULT_VERSION and FUNCTIONS_EXTENSION_VERSION keys in app settings.

\~> Note: For storage-related settings, use the dedicated properties such as storageAccountAccessKey. Terraform assigns the value to keys such as WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and AzureWebJobsStorage in app settings.

\~> Note: For Application Insights settings, use applicationInsightsConnectionString and applicationInsightsKey. Terraform assigns the values to the APPINSIGHTS_INSTRUMENTATIONKEY and APPLICATIONINSIGHTS_CONNECTION_STRING keys in app settings.

\~> Note: For health check settings, use healthCheckEvictionTimeInMin. Terraform assigns the value to the WEBSITE_HEALTHCHECK_MAXPINGFAILURES key in app settings.

\~> NOTE: Create a predefined share if you are restricting your storage account to a virtual network by setting WEBSITE_CONTENTOVERVNET to 1 in app settings.

  • authSettings - (Optional) An authSettings block as defined below.

  • authSettingsV2 - (Optional) An authSettingsV2 block as defined below.

  • backup - (Optional) A backup block as defined below.

  • builtinLoggingEnabled - (Optional) Should built-in logging be enabled. Configures the AzureWebJobsDashboard app setting based on the configured storage setting. Defaults to true.

  • clientCertificateEnabled - (Optional) Should the function app use Client Certificates.

  • clientCertificateMode - (Optional) The mode of the Function App's client certificates requirement for incoming requests. Possible values are Required, Optional, and OptionalInteractiveUser.

  • clientCertificateExclusionPaths - (Optional) Paths to exclude when using client certificates, separated by ;

  • connectionString - (Optional) One or more connectionString blocks as defined below.

  • dailyMemoryTimeQuota - (Optional) The amount of memory in gigabyte-seconds that your application is allowed to consume per day. Setting this value only affects function apps under the consumption plan. Defaults to 0.

  • enabled - (Optional) Is the Function App enabled? Defaults to true.

  • contentShareForceDisabled - (Optional) Should the settings for linking the Function App to storage be suppressed.

  • functionsExtensionVersion - (Optional) The runtime version associated with the Function App. Defaults to ~4.

  • httpsOnly - (Optional) Can the Function App only be accessed via HTTPS? Defaults to false.

  • identity - (Optional) An identity block as defined below.

  • keyVaultReferenceIdentityId - (Optional) The User Assigned Identity ID used for accessing KeyVault secrets. The identity must be assigned to the application in the identity block. For more information see - Access vaults with a user-assigned identity

  • storageAccount - (Optional) One or more storageAccount blocks as defined below.

  • stickySettings - (Optional) A stickySettings block as defined below.

  • storageAccountAccessKey - (Optional) The access key which will be used to access the backend storage account for the Function App. Conflicts with storageUsesManagedIdentity.

  • storageAccountName - (Optional) The backend storage account name which will be used by this Function App.

  • storageUsesManagedIdentity - (Optional) Should the Function App use Managed Identity to access the storage account. Conflicts with storageAccountAccessKey.

\~> NOTE: One of storageAccountAccessKey or storageUsesManagedIdentity must be specified when using storageAccountName.

  • storageKeyVaultSecretId - (Optional) The Key Vault Secret ID, optionally including version, that contains the Connection String to connect to the storage account for this Function App.

\~> NOTE: storageKeyVaultSecretId cannot be used with storageAccountName.

\~> NOTE: storageKeyVaultSecretId used without a version will use the latest version of the secret, however, the service can take up to 24h to pick up a rotation of the latest version. See the official docs for more information.

  • tags - (Optional) A mapping of tags which should be assigned to the Linux Function App.

  • virtualNetworkSubnetId - (Optional) The subnet id which will be used by this Function App for regional virtual network integration.

\~> NOTE on regional virtual network integration: The AzureRM Terraform provider provides regional virtual network integration via the standalone resource app_service_virtual_network_swift_connection and in-line within this resource using the virtualNetworkSubnetId property. You cannot use both methods simultaneously. If the virtual network is set via the resource appServiceVirtualNetworkSwiftConnection then ignoreChanges should be used in the function app configuration.

\~> Note: Assigning the virtualNetworkSubnetId property requires RBAC permissions on the subnet

  • zipDeployFile - (Optional) The local path and filename of the Zip packaged application to deploy to this Linux Function App.

\~> Note: Using this value requires either WEBSITE_RUN_FROM_PACKAGE=1 or SCM_DO_BUILD_DURING_DEPLOYMENT=true to be set on the App in appSettings. Refer to the Azure docs for further details.


An activeDirectory block supports the following:

  • clientId - (Required) The ID of the Client to use to authenticate with Azure Active Directory.

  • allowedAudiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.

\~> Note: The clientId value is always considered an allowed audience.

  • clientSecret - (Optional) The Client Secret for the Client ID. Cannot be used with clientSecretSettingName.

  • clientSecretSettingName - (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with clientSecret.


An applicationStack block supports the following:

  • docker - (Optional) One or more docker blocks as defined below.

  • dotnetVersion - (Optional) The version of .NET to use. Possible values include 3.1, 6.0 and 7.0.

  • useDotnetIsolatedRuntime - (Optional) Should the DotNet process use an isolated runtime. Defaults to false.

  • javaVersion - (Optional) The Version of Java to use. Supported versions include 8, 11 & 17.

  • nodeVersion - (Optional) The version of Node to run. Possible values include 12, 14, 16 and 18.

  • pythonVersion - (Optional) The version of Python to run. Possible values are 3.10, 3.9, 3.8 and 3.7.

  • powershellCoreVersion - (Optional) The version of PowerShell Core to run. Possible values are 7 and 7.2.

  • useCustomRuntime - (Optional) Should the Linux Function App use a custom runtime?


An appServiceLogs block supports the following:

  • diskQuotaMb - (Optional) The amount of disk space to use for logs. Valid values are between 25 and 100. Defaults to 35.

  • retentionPeriodDays - (Optional) The retention period for logs in days. Valid values are between 0 and 99999 (never delete).

\~> NOTE: This block is not supported on Consumption plans.


An authSettings block supports the following:

  • enabled - (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?

  • activeDirectory - (Optional) An activeDirectory block as defined above.

  • additionalLoginParameters - (Optional) Specifies a map of login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.

  • allowedExternalRedirectUrls - (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.

  • defaultProvider - (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: AzureActiveDirectory, Facebook, Google, MicrosoftAccount, Twitter, Github.

\~> NOTE: This setting is only needed if multiple providers are configured, and the unauthenticatedClientAction is set to "RedirectToLoginPage".

  • facebook - (Optional) A facebook block as defined below.

  • github - (Optional) A github block as defined below.

  • google - (Optional) A google block as defined below.

  • issuer - (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Linux Web App.

\~> NOTE: When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.

  • microsoft - (Optional) A microsoft block as defined below.

  • runtimeVersion - (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.

  • tokenRefreshExtensionHours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.

  • tokenStoreEnabled - (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.

  • twitter - (Optional) A twitter block as defined below.

  • unauthenticatedClientAction - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: RedirectToLoginPage, AllowAnonymous.


An authSettingsV2 block supports the following:

  • authEnabled - (Optional) Should the AuthV2 Settings be enabled. Defaults to false.

  • runtimeVersion - (Optional) The Runtime Version of the Authentication and Authorisation feature of this App. Defaults to ~1.

  • configFilePath - (Optional) The path to the App Auth settings.

\~> Note: Relative Paths are evaluated from the Site Root directory.

  • requireAuthentication - (Optional) Should the authentication flow be used for all requests.

  • unauthenticatedAction - (Optional) The action to take for requests made without authentication. Possible values include RedirectToLoginPage, AllowAnonymous, Return401, and Return403. Defaults to RedirectToLoginPage.

  • defaultProvider - (Optional) The Default Authentication Provider to use when more than one Authentication Provider is configured and the unauthenticatedAction is set to RedirectToLoginPage.

  • excludedPaths - (Optional) The paths which should be excluded from the unauthenticatedAction when it is set to RedirectToLoginPage.

  • requireHttps - (Optional) Should HTTPS be required on connections? Defaults to true.

  • httpRouteApiPrefix - (Optional) The prefix that should precede all the authentication and authorisation paths. Defaults to /.auth.

  • forwardProxyConvention - (Optional) The convention used to determine the URL of the request made. Possible values include ForwardProxyConventionNoProxy, ForwardProxyConventionStandard, ForwardProxyConventionCustom. Defaults to ForwardProxyConventionNoProxy.

  • forwardProxyCustomHostHeaderName - (Optional) The name of the custom header containing the host of the request.

  • forwardProxyCustomSchemeHeaderName - (Optional) The name of the custom header containing the scheme of the request.

  • appleV2 - (Optional) An appleV2 block as defined below.

  • activeDirectoryV2 - (Optional) An activeDirectoryV2 block as defined below.

  • azureStaticWebAppV2 - (Optional) An azureStaticWebAppV2 block as defined below.

  • customOidcV2 - (Optional) Zero or more customOidcV2 blocks as defined below.

  • facebookV2 - (Optional) A facebookV2 block as defined below.

  • githubV2 - (Optional) A githubV2 block as defined below.

  • googleV2 - (Optional) A googleV2 block as defined below.

  • microsoftV2 - (Optional) A microsoftV2 block as defined below.

  • twitterV2 - (Optional) A twitterV2 block as defined below.

  • login - (Optional) A login block as defined below.


An appleV2 block supports the following:

  • clientId - (Required) The OpenID Connect Client ID for the Apple web application.

  • clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for Apple Login.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • loginScopes - A list of Login Scopes provided by this Authentication Provider.

\~> NOTE: This is configured on the Authentication Provider side and is Read Only here.


An activeDirectoryV2 block supports the following:

  • clientId - (Required) The ID of the Client to use to authenticate with Azure Active Directory.

  • tenantAuthEndpoint - (Required) The Azure Tenant Endpoint for the Authenticating Tenant. e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/

  • clientSecretSettingName - (Optional) The App Setting name that contains the client secret of the Client.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • clientSecretCertificateThumbprint - (Optional) The thumbprint of the certificate used for signing purposes.

\~> NOTE: One of clientSecretSettingName or clientSecretCertificateThumbprint must be specified.

  • jwtAllowedGroups - (Optional) A list of Allowed Groups in the JWT Claim.

  • jwtAllowedClientApplications - (Optional) A list of Allowed Client Applications in the JWT Claim.

  • wwwAuthenticationDisabled - (Optional) Should the www-authenticate provider be omitted from the request? Defaults to false.

  • allowedGroups - (Optional) The list of allowed Group Names for the Default Authorisation Policy.

  • allowedIdentities - (Optional) The list of allowed Identities for the Default Authorisation Policy.

  • allowedApplications - (Optional) The list of allowed Applications for the Default Authorisation Policy.

  • loginParameters - (Optional) A map of key-value pairs to send to the Authorisation Endpoint when a user logs in.

  • allowedAudiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.

\~> NOTE: This is configured on the Authentication Provider side and is Read Only here.


An azureStaticWebAppV2 block supports the following:

  • clientId - (Required) The ID of the Client to use to authenticate with Azure Static Web App Authentication.

A customOidcV2 block supports the following:

  • name - (Required) The name of the Custom OIDC Authentication Provider.

\~> NOTE: An appSetting matching this value in upper case with the suffix of _PROVIDER_AUTHENTICATION_SECRET is required. e.g. MYOIDC_PROVIDER_AUTHENTICATION_SECRET for a value of myoidc.

  • clientId - (Required) The ID of the Client to use to authenticate with the Custom OIDC.

  • openidConfigurationEndpoint - (Required) The app setting name that contains the clientSecret value used for the Custom OIDC Login.

  • nameClaimType - (Optional) The name of the claim that contains the users name.

  • scopes - (Optional) The list of the scopes that should be requested while authenticating.

  • clientCredentialMethod - The Client Credential Method used.

  • clientSecretSettingName - The App Setting name that contains the secret for this Custom OIDC Client. This is generated from name above and suffixed with _PROVIDER_AUTHENTICATION_SECRET.

  • authorisationEndpoint - The endpoint to make the Authorisation Request as supplied by openidConfigurationEndpoint response.

  • tokenEndpoint - The endpoint used to request a Token as supplied by openidConfigurationEndpoint response.

  • issuerEndpoint - The endpoint that issued the Token as supplied by openidConfigurationEndpoint response.

  • certificationUri - The endpoint that provides the keys necessary to validate the token as supplied by openidConfigurationEndpoint response.


A facebookV2 block supports the following:

  • appId - (Required) The App ID of the Facebook app used for login.

  • appSecretSettingName - (Required) The app setting name that contains the appSecret value used for Facebook Login.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • graphApiVersion - (Optional) The version of the Facebook API to be used while logging in.

  • loginScopes - (Optional) The list of scopes that should be requested as part of Facebook Login authentication.


A githubV2 block supports the following:

  • clientId - (Required) The ID of the GitHub app used for login.

  • clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for GitHub Login.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • loginScopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of GitHub Login authentication.

A googleV2 block supports the following:

  • clientId - (Required) The OpenID Connect Client ID for the Google web application.

  • clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for Google Login.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • allowedAudiences - (Optional) Specifies a list of Allowed Audiences that should be requested as part of Google Sign-In authentication.

  • loginScopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of Google Sign-In authentication.


A microsoftV2 block supports the following:

  • clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • clientSecretSettingName - (Required) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.

!> NOTE: A setting with this name must exist in appSettings to function correctly.

  • allowedAudiences - (Optional) Specifies a list of Allowed Audiences that will be requested as part of Microsoft Sign-In authentication.

  • loginScopes - (Optional) The list of Login scopes that should be requested as part of Microsoft Account authentication.


A twitterV2 block supports the following:

  • consumerKey - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.

  • consumerSecretSettingName - (Required) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.

!> NOTE: A setting with this name must exist in appSettings to function correctly.


A login block supports the following:

  • logoutEndpoint - (Optional) The endpoint to which logout requests should be made.

  • tokenStoreEnabled - (Optional) Should the Token Store configuration be enabled? Defaults to false.

  • tokenRefreshExtensionTime - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.

  • tokenStorePath - (Optional) The directory path in the App Filesystem in which the tokens will be stored.

  • tokenStoreSasSettingName - (Optional) The name of the app setting which contains the SAS URL of the blob storage containing the tokens.

  • preserveUrlFragmentsForLogins - (Optional) Should the fragments from the request be preserved after the login request is made. Defaults to false.

  • allowedExternalRedirectUrls - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app. This is an advanced setting typically only needed by Windows Store application backends.

\~> Note: URLs within the current domain are always implicitly allowed.

  • cookieExpirationConvention - (Optional) The method by which cookies expire. Possible values include: FixedTime, and IdentityProviderDerived. Defaults to FixedTime.

  • cookieExpirationTime - (Optional) The time after the request is made when the session cookie should expire. Defaults to 08:00:00.

  • validateNonce - (Optional) Should the nonce be validated while completing the login flow. Defaults to true.

  • nonceExpirationTime - (Optional) The time after the request is made when the nonce should expire. Defaults to 00:05:00.


A backup block supports the following:

  • name - (Required) The name which should be used for this Backup.

  • schedule - (Required) A schedule block as defined below.

  • storageAccountUrl - (Required) The SAS URL to the container.

  • enabled - (Optional) Should this backup job be enabled? Defaults to true.


A connectionString block supports the following:

  • name - (Required) The name which should be used for this Connection.

  • type - (Required) Type of database. Possible values include: MySql, SQLServer, SQLAzure, Custom, NotificationHub, ServiceBus, EventHub, APIHub, DocDb, RedisCache, and PostgreSQL.

  • value - (Required) The connection string value.


A cors block supports the following:

  • allowedOrigins - (Required) Specifies a list of origins that should be allowed to make cross-origin calls.

  • supportCredentials - (Optional) Are credentials allowed in CORS requests? Defaults to false.


A docker block supports the following:

  • registryUrl - (Required) The URL of the docker registry.

  • imageName - (Required) The name of the Docker image to use.

  • imageTag - (Required) The image tag of the image to use.

  • registryUsername - (Optional) The username to use for connections to the registry.

\~> NOTE: This value is required if containerRegistryUseManagedIdentity is not set to true.

  • registryPassword - (Optional) The password for the account to use to connect to the registry.

\~> NOTE: This value is required if containerRegistryUseManagedIdentity is not set to true.


A facebook block supports the following:

  • appId - (Required) The App ID of the Facebook app used for login.

  • appSecret - (Optional) The App Secret of the Facebook app used for Facebook login. Cannot be specified with appSecretSettingName.

  • appSecretSettingName - (Optional) The app setting name that contains the appSecret value used for Facebook login. Cannot be specified with appSecret.

  • oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook login authentication.


A github block supports the following:

  • clientId - (Required) The ID of the GitHub app used for login.

  • clientSecret - (Optional) The Client Secret of the GitHub app used for GitHub login. Cannot be specified with clientSecretSettingName.

  • clientSecretSettingName - (Optional) The app setting name that contains the clientSecret value used for GitHub login. Cannot be specified with clientSecret.

  • oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub login authentication.


A google block supports the following:

  • clientId - (Required) The OpenID Connect Client ID for the Google web application.

  • clientSecret - (Optional) The client secret associated with the Google web application. Cannot be specified with clientSecretSettingName.

  • clientSecretSettingName - (Optional) The app setting name that contains the clientSecret value used for Google login. Cannot be specified with clientSecret.

  • oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, openid, profile, and email are used as default scopes.


A headers block supports the following:

\~> NOTE: Please see the official Azure Documentation for details on using header filtering.

  • xAzureFdid - (Optional) Specifies a list of Azure Front Door IDs.

  • xFdHealthProbe - (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is 1.

  • xForwardedFor - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.

  • xForwardedHost - (Optional) Specifies a list of Hosts for which matching should be applied.


An identity block supports the following:

  • type - (Required) Specifies the type of Managed Service Identity that should be configured on this Linux Function App. Possible values are SystemAssigned, UserAssigned, and "SystemAssigned, UserAssigned" (to enable both).

  • identityIds - (Optional) A list of User Assigned Managed Identity IDs to be assigned to this Linux Function App.

\~> NOTE: This is required when type is set to UserAssigned or "SystemAssigned, UserAssigned".


An ipRestriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ipAddress - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this ipRestriction.

  • priority - (Optional) The priority value of this ipRestriction. Defaults to 65000.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

\~> NOTE: One and only one of ipAddress, serviceTag or virtualNetworkSubnetId must be specified.


A microsoft block supports the following:

  • clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • clientSecret - (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with clientSecretSettingName.

  • clientSecretSettingName - (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with clientSecret.

  • oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, wl.basic is used as the default scope.


A schedule block supports the following:

  • frequencyInterval - (Required) How often the backup should be executed (e.g. for weekly backup, this should be set to 7 and frequencyUnit should be set to Day).

\~> NOTE: Not all intervals are supported on all Linux Function App SKUs. Please refer to the official documentation for appropriate values.

  • frequencyUnit - (Required) The unit of time for how often the backup should take place. Possible values include: Day and Hour.

  • keepAtLeastOneBackup - (Optional) Should the service keep at least one backup, regardless of age of backup. Defaults to false.

  • retentionPeriodDays - (Optional) After how many days backups should be deleted. Defaults to 30.

  • startTime - (Optional) When the schedule should start working in RFC-3339 format.


A scmIpRestriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ipAddress - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this ipRestriction.

  • priority - (Optional) The priority value of this ipRestriction. Defaults to 65000.

  • serviceTag - (Optional) The Service Tag used for this IP Restriction.

  • virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

\~> NOTE: One and only one of ipAddress, serviceTag or virtualNetworkSubnetId must be specified.
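
The constraints stated in the notes above (the storage options, one matcher per ipRestriction, secret setting names that must exist in appSettings), together with the security-relevant defaults of httpsOnly and the siteConfig block, can be checked on a plain props object before synth. This is an added example, not code from the provider or its documentation: auditFunctionApp, Finding and the sample values are hypothetical, and enum values are assumed to use the provider's casing (AllAllowed, AllowAnonymous, Return401).

```typescript
// Added example, not provider code. Property names follow the argument
// reference on this page; auditFunctionApp, Finding and both sample configs
// are hypothetical and constructed for illustration.
type Finding = { level: "error" | "warn"; rule: string; detail: string };
type Block = Record<string, unknown>;
type IpRestriction = { name?: string; action?: string; ipAddress?: string;
  serviceTag?: string; virtualNetworkSubnetId?: string };
type SiteConfig = { minimumTlsVersion?: string; ftpsState?: string;
  remoteDebuggingEnabled?: boolean; ipRestriction?: IpRestriction[] };

interface AuthSettingsV2 {
  authEnabled?: boolean;
  requireAuthentication?: boolean;
  unauthenticatedAction?: string;
  [providerBlock: string]: unknown;
}

interface FunctionAppProps {
  httpsOnly?: boolean;
  appSettings?: Record<string, string>;
  storageAccountName?: string;
  storageAccountAccessKey?: string;
  storageUsesManagedIdentity?: boolean;
  storageKeyVaultSecretId?: string;
  authSettingsV2?: AuthSettingsV2;
  siteConfig?: SiteConfig;
}

// Provider block -> field naming the app setting that holds its secret.
const SECRET_SETTING_FIELD: Record<string, string> = {
  appleV2: "clientSecretSettingName", activeDirectoryV2: "clientSecretSettingName",
  githubV2: "clientSecretSettingName", googleV2: "clientSecretSettingName",
  microsoftV2: "clientSecretSettingName", facebookV2: "appSecretSettingName",
  twitterV2: "consumerSecretSettingName",
};

function auditFunctionApp(p: FunctionAppProps): Finding[] {
  const out: Finding[] = [];
  const add = (level: Finding["level"], rule: string, detail: string) =>
    out.push({ level, rule, detail });
  if (p.httpsOnly !== true) add("warn", "https-only", "httpsOnly defaults to false");

  // Storage notes: access key and managed identity conflict, one of them is
  // needed with storageAccountName, and the Key Vault secret excludes the name.
  const key = p.storageAccountAccessKey !== undefined;
  const mi = p.storageUsesManagedIdentity === true;
  if (key && mi) add("error", "storage-conflict", "access key conflicts with managed identity");
  if (p.storageAccountName && !key && !mi)
    add("error", "storage-missing", "storageAccountName needs a key or managed identity");
  if (p.storageAccountName && p.storageKeyVaultSecretId)
    add("error", "storage-kv", "storageKeyVaultSecretId cannot be used with storageAccountName");

  // ipRestriction note: one and only one matcher per rule.
  const sc: SiteConfig = p.siteConfig ?? {};
  (sc.ipRestriction ?? []).forEach((r, i) => {
    const n = [r.ipAddress, r.serviceTag, r.virtualNetworkSubnetId].filter((v) => v !== undefined).length;
    if (n !== 1) add("error", "ip-restriction", `rule ${r.name ?? i} sets ${n} matchers, expected 1`);
  });
  if (sc.minimumTlsVersion === "1.0" || sc.minimumTlsVersion === "1.1")
    add("warn", "tls", `minimumTlsVersion ${sc.minimumTlsVersion} is below the 1.2 default`);
  if (sc.ftpsState === "AllAllowed") add("warn", "ftp", "ftpsState AllAllowed permits plain FTP");
  if (sc.remoteDebuggingEnabled) add("warn", "debug", "remoteDebuggingEnabled is true");

  // authSettingsV2 notes: every referenced secret setting must exist in appSettings.
  const auth = p.authSettingsV2;
  if (auth?.authEnabled === true) {
    for (const [block, field] of Object.entries(SECRET_SETTING_FIELD)) {
      const cfg = auth[block] as Block | undefined;
      if (cfg === undefined) continue;
      const setting = cfg[field];
      if (typeof setting === "string" && !(setting in (p.appSettings ?? {})))
        add("error", "auth-secret", `${block}.${field} "${setting}" is not in appSettings`);
      if (setting === undefined && block === "activeDirectoryV2" && cfg["clientSecretCertificateThumbprint"] === undefined)
        add("error", "auth-secret", "activeDirectoryV2 needs a secret setting or certificate thumbprint");
    }
    if (auth.unauthenticatedAction === "AllowAnonymous" || auth.requireAuthentication !== true)
      add("warn", "auth-anon", "authentication is not enforced for all requests");
  }
  return out;
}

// Constructed samples: weak settings, then a hardened equivalent.
const github = { clientId: "example", clientSecretSettingName: "GITHUB_SECRET" };
const weak: FunctionAppProps = {
  storageAccountName: "linuxfunctionappsa", storageAccountAccessKey: "<placeholder>",
  storageUsesManagedIdentity: true, appSettings: {},
  authSettingsV2: { authEnabled: true, unauthenticatedAction: "AllowAnonymous", githubV2: github },
  siteConfig: { minimumTlsVersion: "1.0", ftpsState: "AllAllowed",
    ipRestriction: [{ name: "office", ipAddress: "10.0.0.0/24", serviceTag: "Storage" }] },
};
const hardened: FunctionAppProps = {
  httpsOnly: true, storageAccountName: "linuxfunctionappsa", storageUsesManagedIdentity: true,
  appSettings: { GITHUB_SECRET: "<placeholder>" },
  authSettingsV2: { authEnabled: true, requireAuthentication: true,
    unauthenticatedAction: "Return401", githubV2: github },
  siteConfig: { minimumTlsVersion: "1.2", ftpsState: "Disabled",
    ipRestriction: [{ name: "office", action: "Allow", ipAddress: "10.0.0.0/24" }] },
};
```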


A siteConfig block supports the following:

  • alwaysOn - (Optional) If this Linux Web App is Always On enabled. Defaults to false.

\~> NOTE: when running in a Consumption or Premium Plan, alwaysOn feature should be turned off. Please turn it off before upgrading the service plan from standard to premium.

  • apiDefinitionUrl - (Optional) The URL of the API definition that describes this Linux Function App.

  • apiManagementApiId - (Optional) The ID of the API Management API for this Linux Function App.

  • appCommandLine - (Optional) The App command line to launch.

  • appScaleLimit - (Optional) The number of workers this function app can scale out to. Only applicable to apps on the Consumption and Premium plan.

  • applicationInsightsConnectionString - (Optional) The Connection String for linking the Linux Function App to Application Insights.

  • applicationInsightsKey - (Optional) The Instrumentation Key for connecting the Linux Function App to Application Insights.

  • applicationStack - (Optional) An applicationStack block as defined above.

\~> Note: If this is set, there must not be an application setting FUNCTIONS_WORKER_RUNTIME.

  • appServiceLogs - (Optional) An appServiceLogs block as defined above.

  • containerRegistryManagedIdentityClientId - (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.

  • containerRegistryUseManagedIdentity - (Optional) Should connections for Azure Container Registry use Managed Identity.

  • cors - (Optional) A cors block as defined above.

  • defaultDocuments - (Optional) Specifies a list of Default Documents for the Linux Web App.

  • elasticInstanceMinimum - (Optional) The number of minimum instances for this Linux Function App. Only affects apps on Elastic Premium plans.

  • ftpsState - (Optional) State of FTP / FTPS service for this function app. Possible values include: allAllowed, ftpsOnly and disabled. Defaults to disabled.

  • healthCheckPath - (Optional) The path to be checked for this function app health.

  • healthCheckEvictionTimeInMin - (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with healthCheckPath.

  • http2Enabled - (Optional) Specifies if the HTTP2 protocol should be enabled. Defaults to false.

  • ipRestriction - (Optional) One or more ipRestriction blocks as defined above.

  • loadBalancingMode - (Optional) The Site load balancing mode. Possible values include: weightedRoundRobin, leastRequests, leastResponseTime, weightedTotalTraffic, requestHash, perSiteRoundRobin. Defaults to leastRequests if omitted.

  • managedPipelineMode - (Optional) Managed pipeline mode. Possible values include: integrated, classic. Defaults to integrated.

  • minimumTlsVersion - (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • preWarmedInstanceCount - (Optional) The number of pre-warmed instances for this function app. Only affects apps on an Elastic Premium plan.

  • remoteDebuggingEnabled - (Optional) Should Remote Debugging be enabled. Defaults to false.

  • remoteDebuggingVersion - (Optional) The Remote Debugging Version. Possible values include vs2017, vs2019, and vs2022.

  • runtimeScaleMonitoringEnabled - (Optional) Should Scale Monitoring of the Functions Runtime be enabled?

NOTE: Functions runtime scale monitoring can only be enabled for Elastic Premium Function Apps or Workflow Standard Logic Apps and requires a minimum prewarmed instance count of 1.

  • scmIpRestriction - (Optional) One or more scmIpRestriction blocks as defined above.

  • scmMinimumTlsVersion - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • scmUseMainIpRestriction - (Optional) Should the Linux Function App ipRestriction configuration be used for the SCM also.

  • use32BitWorker - (Optional) Should the Linux Web App use a 32-bit worker process. Defaults to true.

  • vnetRouteAllEnabled - (Optional) Should all outbound traffic have NAT Gateways, Network Security Groups and User Defined Routes applied? Defaults to false.

  • websocketsEnabled - (Optional) Should Web Sockets be enabled. Defaults to false.

  • workerCount - (Optional) The number of Workers for this Linux Function App.
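
An added example (not part of the azurerm documentation or the provider's code): a pre-deployment check over the siteConfig arguments listed above that flags weak FTP, TLS and remote-debugging settings and enforces the one-source rule for ipRestriction blocks. The SiteConfig and IpRestriction types and auditSiteConfig are hypothetical; TLS versions are assumed to be dotted strings such as "1.2", and an unset scmUseMainIpRestriction is assumed to mean false.

```typescript
// Hypothetical types for this example, mirroring the arguments documented above.
interface IpRestriction { ipAddress?: string; serviceTag?: string; virtualNetworkSubnetId?: string; }
interface SiteConfig {
  ftpsState?: string;
  minimumTlsVersion?: string;
  scmMinimumTlsVersion?: string;
  remoteDebuggingEnabled?: boolean;
  ipRestriction?: IpRestriction[];
  scmIpRestriction?: IpRestriction[];
  scmUseMainIpRestriction?: boolean;
}

// Returns one finding per weak or invalid setting. Omitted arguments take the
// documented defaults; enum values are compared case-insensitively.
function auditSiteConfig(cfg: SiteConfig): string[] {
  const findings: string[] = [];
  if ((cfg.ftpsState ?? "disabled").toLowerCase() === "allallowed") {
    findings.push("ftpsState allows unencrypted FTP");
  }
  const tls: Array<[string, string]> = [
    ["minimumTlsVersion", cfg.minimumTlsVersion ?? "1.2"],
    ["scmMinimumTlsVersion", cfg.scmMinimumTlsVersion ?? "1.2"],
  ];
  tls.forEach(([name, value]) => {
    // Unparsable values yield NaN, fail the comparison and are reported too.
    if (!(parseFloat(value) >= 1.2)) findings.push(`${name} is below 1.2 or invalid`);
  });
  if (cfg.remoteDebuggingEnabled === true) findings.push("remoteDebuggingEnabled is true");
  const main = cfg.ipRestriction ?? [];
  const scm = cfg.scmIpRestriction ?? [];
  const lists: Array<[string, IpRestriction[]]> = [["ipRestriction", main], ["scmIpRestriction", scm]];
  lists.forEach(([name, rules]) => rules.forEach((rule, i) => {
    // Exactly one of the three sources must be set per block.
    const n = [rule.ipAddress, rule.serviceTag, rule.virtualNetworkSubnetId]
      .filter((v) => v !== undefined).length;
    if (n !== 1) findings.push(`${name}[${i}] sets ${n} sources, expected exactly 1`);
  }));
  // The main site is restricted but the SCM (deployment) site is left open.
  if (main.length > 0 && scm.length === 0 && cfg.scmUseMainIpRestriction !== true) {
    findings.push("SCM site has no IP restriction");
  }
  return findings;
}
// Constructed sample input, not taken from the page.
const weakConfig: SiteConfig = {
  ftpsState: "allAllowed", minimumTlsVersion: "1.0", remoteDebuggingEnabled: true,
  ipRestriction: [{ ipAddress: "10.0.0.0/24", serviceTag: "AzureCloud" }],
};
console.log(auditSiteConfig(weakConfig));
```

An empty findings list means the block relies only on the documented secure defaults or on explicitly hardened values.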


A stickySettings block supports the following:

  • appSettingNames - (Optional) A list of appSetting names that the Linux Function App will not swap between Slots when a swap operation is triggered.

  • connectionStringNames - (Optional) A list of connectionString names that the Linux Function App will not swap between Slots when a swap operation is triggered.


A storageAccount block supports the following:

  • accessKey - (Required) The Access key for the storage account.

  • accountName - (Required) The Name of the Storage Account.

  • name - (Required) The name which should be used for this Storage Account.

  • shareName - (Required) The Name of the File Share or Container Name for Blob storage.

  • type - (Required) The Azure Storage Type. Possible values include azureFiles and azureBlob.

  • mountPath - (Optional) The path at which to mount the storage share.


A twitter block supports the following:

  • consumerKey - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.

  • consumerSecret - (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumerSecretSettingName.

  • consumerSecretSettingName - (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumerSecret.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Linux Function App.

  • customDomainVerificationId - The identifier used by App Service to perform domain ownership verification via DNS TXT record.

  • defaultHostname - The default hostname of the Linux Function App.

  • identity - An identity block as defined below.

  • kind - The Kind value for this Linux Function App.

  • outboundIpAddressList - A list of outbound IP addresses. For example ["52.23.25.3", "52.143.43.12"].

  • outboundIpAddresses - A comma separated list of outbound IP addresses as a string. For example 52.23.25.3,52.143.43.12.

  • possibleOutboundIpAddressList - A list of possible outbound IP addresses, not all of which are necessarily in use. This is a superset of outboundIpAddressList. For example ["52.23.25.3", "52.143.43.12"].

  • possibleOutboundIpAddresses - A comma separated list of possible outbound IP addresses as a string. For example 52.23.25.3,52.143.43.12,52.143.43.17. This is a superset of outboundIpAddresses. For example ["52.23.25.3", "52.143.43.12", "52.143.43.17"].

  • siteCredential - A siteCredential block as defined below.


An identity block exports the following:

  • principalId - The Principal ID associated with this Managed Service Identity.

  • tenantId - The Tenant ID associated with this Managed Service Identity.


A siteCredential block exports the following:

  • name - The Site Credentials Username used for publishing.

  • password - The Site Credentials Password used for publishing.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Linux Function App.
  • read - (Defaults to 5 minutes) Used when retrieving the Linux Function App.
  • update - (Defaults to 30 minutes) Used when updating the Linux Function App.
  • delete - (Defaults to 30 minutes) Used when deleting the Linux Function App.

Import

Linux Function Apps can be imported using the resourceId, e.g.

terraform import azurerm_linux_function_app.example /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/resGroup1/providers/Microsoft.Web/sites/site1