azurermLinuxWebApp
Manages a Linux Web App.
Example Usage
```typescript
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/* Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

/* The stack class supplies the scope that `this` refers to; its name is illustrative. */
class ExampleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    /* The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
    For a more precise conversion please use the --provider flag in convert. */
    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [{}],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    /* Property names are camelCase, matching the argument reference on this page. */
    const azurermServicePlanExample = new azurerm.servicePlan.ServicePlan(
      this,
      "example_2",
      {
        location: azurermResourceGroupExample.location,
        name: "example",
        osType: "Linux",
        resourceGroupName: azurermResourceGroupExample.name,
        skuName: "P1v2",
      }
    );
    /* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
    azurermServicePlanExample.overrideLogicalId("example");
    const azurermLinuxWebAppExample = new azurerm.linuxWebApp.LinuxWebApp(
      this,
      "example_3",
      {
        location: azurermServicePlanExample.location,
        name: "example",
        resourceGroupName: azurermResourceGroupExample.name,
        servicePlanId: azurermServicePlanExample.id,
        siteConfig: [{}],
      }
    );
    /* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
    azurermLinuxWebAppExample.overrideLogicalId("example");
  }
}
```
Arguments Reference
The following arguments are supported:
- location - (Required) The Azure Region where the Linux Web App should exist. Changing this forces a new Linux Web App to be created.
- name - (Required) The name which should be used for this Linux Web App. Changing this forces a new Linux Web App to be created.
  NOTE: Terraform will perform a name availability check as part of the creation process. If this Web App is part of an App Service Environment, Terraform will require Read permission on the ASE for this to complete reliably.
- resourceGroupName - (Required) The name of the Resource Group where the Linux Web App should exist. Changing this forces a new Linux Web App to be created.
- servicePlanId - (Required) The ID of the Service Plan that this Linux App Service will be created in.
- siteConfig - (Required) A siteConfig block as defined below.
- appSettings - (Optional) A map of key-value pairs of App Settings.
- authSettings - (Optional) An authSettings block as defined below.
- authSettingsV2 - (Optional) An authSettingsV2 block as defined below.
- backup - (Optional) A backup block as defined below.
- clientAffinityEnabled - (Optional) Should Client Affinity be enabled?
- clientCertificateEnabled - (Optional) Should Client Certificates be enabled?
- clientCertificateMode - (Optional) The Client Certificate mode. Possible values are required, optional, and optionalInteractiveUser. This property has no effect when clientCertificateEnabled is false.
- clientCertificateExclusionPaths - (Optional) Paths to exclude when using client certificates, separated by ;
- connectionString - (Optional) One or more connectionString blocks as defined below.
- enabled - (Optional) Should the Linux Web App be enabled? Defaults to true.
- httpsOnly - (Optional) Should the Linux Web App require HTTPS connections.
- identity - (Optional) An identity block as defined below.
- keyVaultReferenceIdentityId - (Optional) The User Assigned Identity ID used for accessing KeyVault secrets. The identity must be assigned to the application in the identity block. For more information see Access vaults with a user-assigned identity.
- logs - (Optional) A logs block as defined below.
- storageAccount - (Optional) One or more storageAccount blocks as defined below.
- stickySettings - (Optional) A stickySettings block as defined below.
- virtualNetworkSubnetId - (Optional) The subnet id which will be used by this Web App for regional virtual network integration.
  NOTE on regional virtual network integration: The AzureRM Terraform provider provides regional virtual network integration via the standalone resource app_service_virtual_network_swift_connection and in-line within this resource using the virtualNetworkSubnetId property. You cannot use both methods simultaneously. If the virtual network is set via the resource appServiceVirtualNetworkSwiftConnection then ignoreChanges should be used in the web app configuration.
  NOTE: Assigning the virtualNetworkSubnetId property requires RBAC permissions on the subnet.
- zipDeployFile - (Optional) The local path and filename of the Zip packaged application to deploy to this Linux Web App.
  NOTE: Using this value requires either WEBSITE_RUN_FROM_PACKAGE=1 or SCM_DO_BUILD_DURING_DEPLOYMENT=true to be set on the App in appSettings. Refer to the Azure docs on running the Web App directly from the Zip package, or automating the build for Zip deploy for further details.
- tags - (Optional) A mapping of tags which should be assigned to the Linux Web App.
An action block supports the following:
- actionType - (Required) Predefined action to be taken to an Auto Heal trigger. Possible values include: recycle.
- minimumProcessExecutionTime - (Optional) The minimum amount of time in hh:mm:ss the Linux Web App must have been running before the defined action will be run in the event of a trigger.
An activeDirectory block supports the following:
- clientId - (Required) The ID of the Client to use to authenticate with Azure Active Directory.
- allowedAudiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
  NOTE: The clientId value is always considered an allowed audience.
- clientSecret - (Optional) The Client Secret for the Client ID. Cannot be used with clientSecretSettingName.
- clientSecretSettingName - (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with clientSecret.
An applicationLogs block supports the following:
- azureBlobStorage - (Optional) An azureBlobStorage block as defined below.
- fileSystemLevel - (Required) Log level. Possible values include: verbose, information, warning, and error.
An applicationStack block supports the following:
- dockerImage - (Optional) The Docker image reference, including repository host as needed.
- dockerImageTag - (Optional) The image Tag to use. e.g. latest.
- dotnetVersion - (Optional) The version of .NET to use. Possible values include 3.1, 5.0, 6.0 and 7.0.
- goVersion - (Optional) The version of Go to use. Possible values include 1.18, and 1.19.
- javaServer - (Optional) The Java server type. Possible values include java, tomcat, and jbosseap.
  NOTE: jbosseap requires a Premium Service Plan SKU to be a valid option.
- javaServerVersion - (Optional) The Version of the javaServer to use.
- javaVersion - (Optional) The Version of Java to use. Possible values include 8, 11, and 17.
  NOTE: The valid version combinations for javaVersion, javaServer and javaServerVersion can be checked from the command line via az webapp list-runtimes --linux.
- nodeVersion - (Optional) The version of Node to run. Possible values include 12-lts, 14-lts, 16-lts, and 18-lts. This property conflicts with javaVersion.
  NOTE: 10.x versions have been/are being deprecated so may cease to work for new resources in the future and may be removed from the provider.
- phpVersion - (Optional) The version of PHP to run. Possible values are 7.4, 8.0 and 8.1.
  NOTE: versions 5.6 and 7.2 are deprecated and will be removed from the provider in a future version.
- pythonVersion - (Optional) The version of Python to run. Possible values include 3.7, 3.8, 3.9, 3.10 and 3.11.
- rubyVersion - (Optional) The version of Ruby to run. Possible values include 2.6 and 2.7.
An authSettings block supports the following:
- enabled - (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?
- activeDirectory - (Optional) An activeDirectory block as defined above.
- additionalLoginParameters - (Optional) Specifies a map of login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.
- allowedExternalRedirectUrls - (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.
- defaultProvider - (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: builtInAuthenticationProviderAzureActiveDirectory, builtInAuthenticationProviderFacebook, builtInAuthenticationProviderGoogle, builtInAuthenticationProviderMicrosoftAccount, builtInAuthenticationProviderTwitter, builtInAuthenticationProviderGithub.
  NOTE: This setting is only needed if multiple providers are configured, and the unauthenticatedClientAction is set to "RedirectToLoginPage".
- facebook - (Optional) A facebook block as defined below.
- github - (Optional) A github block as defined below.
- google - (Optional) A google block as defined below.
- issuer - (Optional) The OpenID Connect Issuer URI that represents the entity that issues access tokens for this Linux Web App.
  NOTE: When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/{tenant-guid}/.
- microsoft - (Optional) A microsoft block as defined below.
- runtimeVersion - (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.
- tokenRefreshExtensionHours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.
- tokenStoreEnabled - (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.
- twitter - (Optional) A twitter block as defined below.
- unauthenticatedClientAction - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: redirectToLoginPage, allowAnonymous.
An authSettingsV2 block supports the following:
- authEnabled - (Optional) Should the AuthV2 Settings be enabled. Defaults to false.
- runtimeVersion - (Optional) The Runtime Version of the Authentication and Authorisation feature of this App. Defaults to ~1.
- configFilePath - (Optional) The path to the App Auth settings.
  NOTE: Relative Paths are evaluated from the Site Root directory.
- requireAuthentication - (Optional) Should the authentication flow be used for all requests.
- unauthenticatedAction - (Optional) The action to take for requests made without authentication. Possible values include redirectToLoginPage, allowAnonymous, return401, and return403. Defaults to redirectToLoginPage.
- defaultProvider - (Optional) The Default Authentication Provider to use when more than one Authentication Provider is configured and the unauthenticatedAction is set to redirectToLoginPage.
- excludedPaths - (Optional) The paths which should be excluded from the unauthenticatedAction when it is set to redirectToLoginPage.
- requireHttps - (Optional) Should HTTPS be required on connections? Defaults to true.
- httpRouteApiPrefix - (Optional) The prefix that should precede all the authentication and authorisation paths. Defaults to /.auth.
- forwardProxyConvention - (Optional) The convention used to determine the url of the request made. Possible values include forwardProxyConventionNoProxy, forwardProxyConventionStandard, forwardProxyConventionCustom. Defaults to forwardProxyConventionNoProxy.
- forwardProxyCustomHostHeaderName - (Optional) The name of the custom header containing the host of the request.
- forwardProxyCustomSchemeHeaderName - (Optional) The name of the custom header containing the scheme of the request.
- appleV2 - (Optional) An appleV2 block as defined below.
- activeDirectoryV2 - (Optional) An activeDirectoryV2 block as defined below.
- azureStaticWebAppV2 - (Optional) An azureStaticWebAppV2 block as defined below.
- customOidcV2 - (Optional) Zero or more customOidcV2 blocks as defined below.
- facebookV2 - (Optional) A facebookV2 block as defined below.
- githubV2 - (Optional) A githubV2 block as defined below.
- googleV2 - (Optional) A googleV2 block as defined below.
- microsoftV2 - (Optional) A microsoftV2 block as defined below.
- twitterV2 - (Optional) A twitterV2 block as defined below.
- login - (Optional) A login block as defined below.
An appleV2 block supports the following:
- clientId - (Required) The OpenID Connect Client ID for the Apple web application.
- clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for Apple Login.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- loginScopes - A list of Login Scopes provided by this Authentication Provider.
  NOTE: This is configured on the Authentication Provider side and is Read Only here.
An activeDirectoryV2 block supports the following:
- clientId - (Required) The ID of the Client to use to authenticate with Azure Active Directory.
- tenantAuthEndpoint - (Required) The Azure Tenant Endpoint for the Authenticating Tenant. e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/
- clientSecretSettingName - (Optional) The App Setting name that contains the client secret of the Client.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- clientSecretCertificateThumbprint - (Optional) The thumbprint of the certificate used for signing purposes.
  NOTE: One of clientSecretSettingName or clientSecretCertificateThumbprint must be specified.
- jwtAllowedGroups - (Optional) A list of Allowed Groups in the JWT Claim.
- jwtAllowedClientApplications - (Optional) A list of Allowed Client Applications in the JWT Claim.
- wwwAuthenticationDisabled - (Optional) Should the www-authenticate provider be omitted from the request? Defaults to false.
- allowedGroups - (Optional) The list of allowed Group Names for the Default Authorisation Policy.
- allowedIdentities - (Optional) The list of allowed Identities for the Default Authorisation Policy.
- allowedApplications - (Optional) The list of allowed Applications for the Default Authorisation Policy.
- loginParameters - (Optional) A map of key-value pairs to send to the Authorisation Endpoint when a user logs in.
- allowedAudiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
  NOTE: This is configured on the Authentication Provider side and is Read Only here.
An azureStaticWebAppV2 block supports the following:
- clientId - (Required) The ID of the Client to use to authenticate with Azure Static Web App Authentication.
A customOidcV2 block supports the following:
- name - (Required) The name of the Custom OIDC Authentication Provider.
  NOTE: An appSetting matching this value in upper case with the suffix of _PROVIDER_AUTHENTICATION_SECRET is required. e.g. MYOIDC_PROVIDER_AUTHENTICATION_SECRET for a value of myoidc.
- clientId - (Required) The ID of the Client to use to authenticate with the Custom OIDC.
- openidConfigurationEndpoint - (Required) The app setting name that contains the clientSecret value used for the Custom OIDC Login.
- nameClaimType - (Optional) The name of the claim that contains the user's name.
- scopes - (Optional) The list of the scopes that should be requested while authenticating.
- clientCredentialMethod - The Client Credential Method used.
- clientSecretSettingName - The App Setting name that contains the secret for this Custom OIDC Client. This is generated from name above and suffixed with _PROVIDER_AUTHENTICATION_SECRET.
- authorisationEndpoint - The endpoint to make the Authorisation Request as supplied by openidConfigurationEndpoint response.
- tokenEndpoint - The endpoint used to request a Token as supplied by openidConfigurationEndpoint response.
- issuerEndpoint - The endpoint that issued the Token as supplied by openidConfigurationEndpoint response.
- certificationUri - The endpoint that provides the keys necessary to validate the token as supplied by openidConfigurationEndpoint response.
A facebookV2 block supports the following:
- appId - (Required) The App ID of the Facebook app used for login.
- appSecretSettingName - (Required) The app setting name that contains the appSecret value used for Facebook Login.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- graphApiVersion - (Optional) The version of the Facebook API to be used while logging in.
- loginScopes - (Optional) The list of scopes that should be requested as part of Facebook Login authentication.
A githubV2 block supports the following:
- clientId - (Required) The ID of the GitHub app used for login.
- clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for GitHub Login.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- loginScopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of GitHub Login authentication.
A googleV2 block supports the following:
- clientId - (Required) The OpenID Connect Client ID for the Google web application.
- clientSecretSettingName - (Required) The app setting name that contains the clientSecret value used for Google Login.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- allowedAudiences - (Optional) Specifies a list of Allowed Audiences that should be requested as part of Google Sign-In authentication.
- loginScopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of Google Sign-In authentication.
A microsoftV2 block supports the following:
- clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
- clientSecretSettingName - (Required) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.
  NOTE: A setting with this name must exist in appSettings to function correctly.
- allowedAudiences - (Optional) Specifies a list of Allowed Audiences that will be requested as part of Microsoft Sign-In authentication.
- loginScopes - (Optional) The list of Login scopes that should be requested as part of Microsoft Account authentication.
A twitterV2 block supports the following:
- consumerKey - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.
- consumerSecretSettingName - (Required) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.
  NOTE: A setting with this name must exist in appSettings to function correctly.
A login block supports the following:
- logoutEndpoint - (Optional) The endpoint to which logout requests should be made.
- tokenStoreEnabled - (Optional) Should the Token Store configuration be enabled? Defaults to false.
- tokenRefreshExtensionTime - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.
- tokenStorePath - (Optional) The directory path in the App Filesystem in which the tokens will be stored.
- tokenStoreSasSettingName - (Optional) The name of the app setting which contains the SAS URL of the blob storage containing the tokens.
- preserveUrlFragmentsForLogins - (Optional) Should the fragments from the request be preserved after the login request is made. Defaults to false.
- allowedExternalRedirectUrls - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app. This is an advanced setting typically only needed by Windows Store application backends.
  NOTE: URLs within the current domain are always implicitly allowed.
- cookieExpirationConvention - (Optional) The method by which cookies expire. Possible values include: fixedTime, and identityProviderDerived. Defaults to fixedTime.
- cookieExpirationTime - (Optional) The time after the request is made when the session cookie should expire. Defaults to 08:00:00.
- validateNonce - (Optional) Should the nonce be validated while completing the login flow. Defaults to true.
- nonceExpirationTime - (Optional) The time after the request is made when the nonce should expire. Defaults to 00:05:00.
An autoHealSetting block supports the following:
- action - (Optional) An action block as defined above.
- trigger - (Optional) A trigger block as defined below.
An azureBlobStorage block supports the following:
- level - (Required) The level at which to log. Possible values include error, warning, information, verbose and off. NOTE: this field is not available for httpLogs.
- retentionInDays - (Required) The time in days after which to remove blobs. A value of 0 means no retention.
- sasUrl - (Required) SAS url to an Azure blob container with read/write/list/delete permissions.
A backup block supports the following:
- name - (Required) The name which should be used for this Backup.
- schedule - (Required) A schedule block as defined below.
- storageAccountUrl - (Required) The SAS URL to the container.
- enabled - (Optional) Should this backup job be enabled? Defaults to true.
A connectionString block supports the following:
- name - (Required) The name of the Connection String.
- type - (Required) Type of database. Possible values include: mySql, sqlServer, sqlAzure, custom, notificationHub, serviceBus, eventHub, apiHub, docDb, redisCache, and postgreSql.
- value - (Required) The connection string value.
A cors block supports the following:
- allowedOrigins - (Required) Specifies a list of origins that should be allowed to make cross-origin calls.
- supportCredentials - (Optional) Whether CORS requests with credentials are allowed. Defaults to false.
A facebook block supports the following:
- appId - (Required) The App ID of the Facebook app used for login.
- appSecret - (Optional) The App Secret of the Facebook app used for Facebook login. Cannot be specified with appSecretSettingName.
- appSecretSettingName - (Optional) The app setting name that contains the appSecret value used for Facebook login. Cannot be specified with appSecret.
- oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook login authentication.
A fileSystem block supports the following:
- retentionInDays - (Required) The retention period in days. A value of 0 means no retention.
- retentionInMb - (Required) The maximum size in megabytes that log files can use.
A github block supports the following:
- clientId - (Required) The ID of the GitHub app used for login.
- clientSecret - (Optional) The Client Secret of the GitHub app used for GitHub login. Cannot be specified with clientSecretSettingName.
- clientSecretSettingName - (Optional) The app setting name that contains the clientSecret value used for GitHub login. Cannot be specified with clientSecret.
- oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub login authentication.
A google block supports the following:
- clientId - (Required) The OpenID Connect Client ID for the Google web application.
- clientSecret - (Optional) The client secret associated with the Google web application. Cannot be specified with clientSecretSettingName.
- clientSecretSettingName - (Optional) The app setting name that contains the clientSecret value used for Google login. Cannot be specified with clientSecret.
- oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, openid, profile, and email are used as default scopes.
A headers block supports the following:
NOTE: Please see the official Azure Documentation for details on using header filtering.
- xAzureFdid - (Optional) Specifies a list of Azure Front Door IDs.
- xFdHealthProbe - (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is 1.
- xForwardedFor - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.
- xForwardedHost - (Optional) Specifies a list of Hosts for which matching should be applied.
An httpLogs block supports the following:
- azureBlobStorage - (Optional) An azureBlobStorageHttp block as defined below.
- fileSystem - (Optional) A fileSystem block as defined above.
An azureBlobStorageHttp block supports the following:
- retentionInDays - (Optional) The time in days after which to remove blobs. A value of 0 means no retention.
- sasUrl - (Required) SAS url to an Azure blob container with read/write/list/delete permissions.
An identity block supports the following:
- type - (Required) Specifies the type of Managed Service Identity that should be configured on this Linux Web App. Possible values are systemAssigned, userAssigned, and systemAssigned,UserAssigned (to enable both).
- identityIds - (Optional) A list of User Assigned Managed Identity IDs to be assigned to this Linux Web App.
  NOTE: This is required when type is set to userAssigned or systemAssigned,UserAssigned.
An ipRestriction block supports the following:
- action - (Optional) The action to take. Possible values are allow or deny.
- headers - (Optional) A headers block as defined above.
- ipAddress - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
- name - (Optional) The name which should be used for this ipRestriction.
- priority - (Optional) The priority value of this ipRestriction. Defaults to 65000.
- serviceTag - (Optional) The Service Tag used for this IP Restriction.
- virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.
  NOTE: One and only one of ipAddress, serviceTag or virtualNetworkSubnetId must be specified.
A logs block supports the following:
- applicationLogs - (Optional) An applicationLogs block as defined above.
- detailedErrorMessages - (Optional) Should detailed error messages be enabled?
- failedRequestTracing - (Optional) Should the failed request tracing be enabled?
- httpLogs - (Optional) An httpLogs block as defined above.
A microsoft block supports the following:
- clientId - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
- clientSecret - (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with clientSecretSettingName.
- clientSecretSettingName - (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with clientSecret.
- oauthScopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, "wl.basic" is used as the default scope.
A requests block supports the following:
- count - (Required) The number of requests in the specified interval to trigger this rule.
- interval - (Required) The interval in hh:mm:ss.
A schedule block supports the following:
- frequencyInterval - (Required) How often the backup should be executed (e.g. for weekly backup, this should be set to 7 and frequencyUnit should be set to day).
  NOTE: Not all intervals are supported on all Linux Web App SKUs. Please refer to the official documentation for appropriate values.
- frequencyUnit - (Required) The unit of time for how often the backup should take place. Possible values include: day, hour
- keepAtLeastOneBackup - (Optional) Should the service keep at least one backup, regardless of the age of backup? Defaults to false.
- retentionPeriodDays - (Optional) After how many days backups should be deleted. Defaults to 30.
- startTime - (Optional) When the schedule should start working in RFC-3339 format.
A scmIpRestriction block supports the following:
- action - (Optional) The action to take. Possible values are allow or deny.
- headers - (Optional) A headers block as defined above.
- ipAddress - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
- name - (Optional) The name which should be used for this ipRestriction.
- priority - (Optional) The priority value of this ipRestriction. Defaults to 65000.
- serviceTag - (Optional) The Service Tag used for this IP Restriction.
- virtualNetworkSubnetId - (Optional) The Virtual Network Subnet ID used for this IP Restriction.
  NOTE: One and only one of ipAddress, serviceTag or virtualNetworkSubnetId must be specified.
A siteConfig block supports the following:
- alwaysOn - (Optional) If this Linux Web App is Always On enabled. Defaults to true.
  NOTE: alwaysOn must be explicitly set to false when using free, f1, d1, or shared Service Plans.
- apiDefinitionUrl - (Optional) The URL to the API Definition for this Linux Web App.
- apiManagementApiId - (Optional) The API Management API ID this Linux Web App is associated with.
- appCommandLine - (Optional) The App command line to launch.
- applicationStack - (Optional) An applicationStack block as defined above.
- autoHealEnabled - (Optional) Should Auto heal rules be enabled? Required with autoHealSetting.
- autoHealSetting - (Optional) An autoHealSetting block as defined above. Required with autoHeal.
- containerRegistryManagedIdentityClientId - (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.
- containerRegistryUseManagedIdentity - (Optional) Should connections for Azure Container Registry use Managed Identity.
- cors - (Optional) A cors block as defined above.
- defaultDocuments - (Optional) Specifies a list of Default Documents for the Linux Web App.
- ftpsState - (Optional) The State of FTP / FTPS service. Possible values include allAllowed, ftpsOnly, and disabled.
  NOTE: Azure defaults this value to allAllowed, however, in the interests of security Terraform will default this to disabled to ensure the user makes a conscious choice to enable it.
- healthCheckPath - (Optional) The path to the Health Check.
- healthCheckEvictionTimeInMin - (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with healthCheckPath.
- http2Enabled - (Optional) Should the HTTP2 be enabled?
- ipRestriction - (Optional) One or more ipRestriction blocks as defined above.
- loadBalancingMode - (Optional) The Site load balancing. Possible values include: weightedRoundRobin, leastRequests, leastResponseTime, weightedTotalTraffic, requestHash, perSiteRoundRobin. Defaults to leastRequests if omitted.
- localMysqlEnabled - (Optional) Use Local MySQL. Defaults to false.
- managedPipelineMode - (Optional) Managed pipeline mode. Possible values include integrated, and classic.
- minimumTlsVersion - (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
- remoteDebuggingEnabled - (Optional) Should Remote Debugging be enabled? Defaults to false.
- remoteDebuggingVersion - (Optional) The Remote Debugging Version. Possible values include vs2017 and vs2019
- scmIpRestriction - (Optional) One or more scmIpRestriction blocks as defined above.
- scmMinimumTlsVersion - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
- scmUseMainIpRestriction - (Optional) Should the Linux Web App ipRestriction configuration be used for the SCM also.
- use32BitWorker - (Optional) Should the Linux Web App use a 32-bit worker? Defaults to true.
- vnetRouteAllEnabled - (Optional) Should all outbound traffic have NAT Gateways, Network Security Groups and User Defined Routes applied? Defaults to false.
- websocketsEnabled - (Optional) Should Web Sockets be enabled? Defaults to false.
- workerCount - (Optional) The number of Workers for this Linux App Service.
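The check below is an added example, not part of the provider or its documentation: it audits a Linux Web App argument object for the security-relevant settings documented on this page (httpsOnly, ftpsState, the TLS floors, remoteDebuggingEnabled, the one-target rule for ipRestriction and scmIpRestriction, and inline clientSecret values in authSettings). The interfaces, function names and sample values are assumptions made for illustration, and the appSettings lookup applies the "must exist in appSettings" note from the V2 blocks to the authSettings providers as well.

```typescript
// Added example, not provider code. Field names follow this page's argument
// reference; the types, function names and sample values are constructed.
interface IpRestriction { ipAddress?: string; serviceTag?: string; virtualNetworkSubnetId?: string }
interface ProviderSecret { clientSecret?: string; clientSecretSettingName?: string }
interface Finding { path: string; message: string }
interface LinuxWebAppArgs {
  httpsOnly?: boolean;
  appSettings?: { [name: string]: string };
  authSettings?: {
    enabled: boolean;
    activeDirectory?: ProviderSecret;
    github?: ProviderSecret;
    google?: ProviderSecret;
    microsoft?: ProviderSecret;
  };
  siteConfig: {
    ftpsState?: string;
    minimumTlsVersion?: string;
    scmMinimumTlsVersion?: string;
    remoteDebuggingEnabled?: boolean;
    ipRestriction?: IpRestriction[];
    scmIpRestriction?: IpRestriction[];
  };
}

// True when a TLS floor is below 1.2; accepts "1.0" as well as "10".
function tlsBelow12(version: string | undefined): boolean {
  if (version === undefined) return false; // unset: the provider default applies
  const n = Number(version.replace(".", ""));
  return isNaN(n) || n < 12;
}

// Each rule must name exactly one of ipAddress, serviceTag, virtualNetworkSubnetId.
function checkRestrictions(path: string, rules: IpRestriction[] | undefined, out: Finding[]): void {
  (rules || []).forEach((rule, i) => {
    const targets = [rule.ipAddress, rule.serviceTag, rule.virtualNetworkSubnetId]
      .filter((t) => t !== undefined && t !== "");
    if (targets.length !== 1) {
      out.push({ path: `${path}[${i}]`, message: `${targets.length} match targets set; exactly one is required` });
    }
  });
}

// Inline secrets, conflicting fields, and setting names missing from appSettings.
function checkSecrets(args: LinuxWebAppArgs, out: Finding[]): void {
  const auth = args.authSettings;
  if (!auth) return;
  const settings = args.appSettings || {};
  const names = ["activeDirectory", "github", "google", "microsoft"] as const;
  for (const name of names) {
    const p = auth[name];
    if (!p) continue;
    const ref = p.clientSecretSettingName;
    if (p.clientSecret !== undefined && ref !== undefined) {
      out.push({ path: `authSettings.${name}`, message: "clientSecret cannot be used with clientSecretSettingName" });
    } else if (p.clientSecret !== undefined) {
      out.push({ path: `authSettings.${name}.clientSecret`, message: "secret literal in configuration; reference an app setting instead" });
    }
    if (ref !== undefined && !Object.prototype.hasOwnProperty.call(settings, ref)) {
      out.push({ path: `authSettings.${name}.clientSecretSettingName`, message: `"${ref}" is not defined in appSettings` });
    }
  }
}

function auditLinuxWebApp(args: LinuxWebAppArgs): Finding[] {
  const out: Finding[] = [];
  const site = args.siteConfig;
  if (args.httpsOnly !== true) out.push({ path: "httpsOnly", message: "HTTPS is not required" });
  // Compared case-insensitively so either spelling of the value is caught.
  if ((site.ftpsState || "").toLowerCase() === "allallowed") {
    out.push({ path: "siteConfig.ftpsState", message: "plain FTP is allowed" });
  }
  if (tlsBelow12(site.minimumTlsVersion)) out.push({ path: "siteConfig.minimumTlsVersion", message: "below TLS 1.2" });
  if (tlsBelow12(site.scmMinimumTlsVersion)) out.push({ path: "siteConfig.scmMinimumTlsVersion", message: "below TLS 1.2" });
  if (site.remoteDebuggingEnabled === true) out.push({ path: "siteConfig.remoteDebuggingEnabled", message: "remote debugging is on" });
  checkRestrictions("siteConfig.ipRestriction", site.ipRestriction, out);
  checkRestrictions("siteConfig.scmIpRestriction", site.scmIpRestriction, out);
  checkSecrets(args, out);
  return out;
}

// Constructed sample input with several weak settings.
const sampleArgs: LinuxWebAppArgs = {
  appSettings: { GITHUB_SECRET: "constructed-placeholder" },
  authSettings: {
    enabled: true,
    activeDirectory: { clientSecret: "constructed-inline-secret" },
    github: { clientSecretSettingName: "GITHUB_SECRET" },
    google: { clientSecretSettingName: "GOOGLE_SECRET" },
  },
  siteConfig: {
    ftpsState: "allAllowed",
    minimumTlsVersion: "1.0",
    remoteDebuggingEnabled: true,
    ipRestriction: [
      { ipAddress: "10.0.0.0/24" },
      { ipAddress: "10.0.0.0/24", serviceTag: "AzureFrontDoor.Backend" },
    ],
  },
};

console.log(auditLinuxWebApp(sampleArgs).map((f) => `${f.path}: ${f.message}`).join("\n"));
```

Run the same function over the object passed to the LinuxWebApp constructor before synthesis; an empty result means none of these checks fired, not that the app is otherwise hardened.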
A slowRequest block supports the following:
- count - (Required) The number of Slow Requests in the time interval to trigger this rule.
- interval - (Required) The time interval in the form hh:mm:ss.
- timeTaken - (Required) The threshold of time passed to qualify as a Slow Request in hh:mm:ss.
- path - (Optional) The path for which this slow request rule applies.
A statusCode block supports the following:
- count - (Required) The number of occurrences of the defined statusCode in the specified interval on which to trigger this rule.
- interval - (Required) The time interval in the form hh:mm:ss.
- statusCodeRange - (Required) The status code for this rule, accepts single status codes and status code ranges, e.g. 500 or 400-499. Possible values are integers between 101 and 599.
- path - (Optional) The path to which this rule status code applies.
- subStatus - (Optional) The Request Sub Status of the Status Code.
- win32Status - (Optional) The Win32 Status Code of the Request.
A stickySettings block exports the following:
- appSettingNames - (Optional) A list of appSetting names that the Linux Web App will not swap between Slots when a swap operation is triggered.
- connectionStringNames - (Optional) A list of connectionString names that the Linux Web App will not swap between Slots when a swap operation is triggered.
A storageAccount block supports the following:
- accessKey - (Required) The Access key for the storage account.
- accountName - (Required) The Name of the Storage Account.
- name - (Required) The name which should be used for this Storage Account.
- shareName - (Required) The Name of the File Share or Container Name for Blob storage.
- type - (Required) The Azure Storage Type. Possible values include azureFiles and azureBlob.
- mountPath - (Optional) The path at which to mount the storage share.
A trigger block supports the following:
- requests - (Optional) A requests block as defined above.
- slowRequest - (Optional) One or more slowRequest blocks as defined above.
- statusCode - (Optional) One or more statusCode blocks as defined above.
A twitter block supports the following:
- consumerKey - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.
- consumerSecret - (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumerSecretSettingName.
- consumerSecretSettingName - (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumerSecret.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
- id - The ID of the Linux Web App.
- customDomainVerificationId - The identifier used by App Service to perform domain ownership verification via DNS TXT record.
- defaultHostname - The default hostname of the Linux Web App.
- kind - The Kind value for this Linux Web App.
- outboundIpAddressList - A list of outbound IP addresses - such as ["52.23.25.3", "52.143.43.12"]
- outboundIpAddresses - A comma-separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12.
- possibleOutboundIpAddressList - A possibleOutboundIpAddressList block as defined below.
- possibleOutboundIpAddresses - A comma-separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12,52.143.43.17 - not all of which are necessarily in use. Superset of outboundIpAddresses.
- siteCredential - A siteCredential block as defined below.
- identity - An identity block as defined below, which contains the Managed Service Identity information for this App Service.
An identity block exports the following:
- principalId - The Principal ID associated with this Managed Service Identity.
- tenantId - The Tenant ID associated with this Managed Service Identity.
-> You can access the Principal ID via azurermLinuxWebAppExampleIdentity0PrincipalId and the Tenant ID via azurermLinuxWebAppExampleIdentity0TenantId
A siteCredential block exports the following:
- name - The Site Credentials Username used for publishing.
- password - The Site Credentials Password used for publishing.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Linux Web App.
- read - (Defaults to 5 minutes) Used when retrieving the Linux Web App.
- update - (Defaults to 30 minutes) Used when updating the Linux Web App.
- delete - (Defaults to 30 minutes) Used when deleting the Linux Web App.
Import
Linux Web Apps can be imported using the resourceId, e.g.