Azure App Service (Web Apps) Source Control
This page shows how to write Terraform and Azure Resource Manager configurations for App Service (Web Apps) Source Control, and how to write them securely.
azurerm_app_service_source_control (Terraform)
The Source Control in App Service (Web Apps) can be configured in Terraform with the resource name azurerm_app_service_source_control. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
app_id - (Required) The ID of the Windows or Linux Web App.
branch - (Required) The branch name to use for deployments.
repo_url - (Required) The URL for the repository.
github_action_configuration - (Optional) A github_action_configuration block as defined below.
manual_integration - (Optional) Should code be deployed manually? Set to false to enable continuous integration, such as webhooks into online repositories such as GitHub.
rollback_enabled - (Optional) Should the Deployment Rollback be enabled? Defaults to false.
scm_type - (Optional) The SCM System to use for Source Control. Possible values include 'ScmTypeNone', 'ScmTypeDropbox', 'ScmTypeTfs', 'ScmTypeLocalGit', 'ScmTypeGitHub', 'ScmTypeCodePlexGit', 'ScmTypeCodePlexHg', 'ScmTypeBitbucketGit', 'ScmTypeBitbucketHg', 'ScmTypeExternalGit', 'ScmTypeExternalHg', 'ScmTypeOneDrive', 'ScmTypeVSO'.
NOTE: Azure can typically set this value automatically based on the repo_url value.
NOTE: SCM Type ScmTypeVSTSRM is not supported, as it is set by Azure DevOps and overrides Terraform's control of this resource.
use_mercurial - (Optional) The repository specified is Mercurial. Defaults to false.
uses_github_action - (Optional) Should deployment be performed by GitHub Action? Defaults to false.

A code_configuration block supports the following:
runtime_stack - (Required) The value to use for the Runtime Stack in the workflow file content for code-based apps.
runtime_version - (Optional) The value to use for the Runtime Version in the workflow file content for code-based apps.

A container_configuration block supports the following:
image_name - (Required) The image name for the build.
registry_url - (Required) The server URL for the container registry where the build will be hosted.
registry_password - (Optional) The password used to upload the image to the container registry.
registry_username - (Optional) The username used to upload the image to the container registry.

A github_action_configuration block supports the following:
code_configuration - (Optional) A code_configuration block as defined above.
container_configuration - (Optional) A container_configuration block as defined above.
In addition to the arguments listed above, the following attributes are exported:
id - The ID of the App Service Source Control.
Explanation in Terraform Registry
Manages an App Service Web App or Function App Source Control Configuration.
Note: This resource is coming in version 3.0 of the Azure Provider and is available as an opt-in beta; more information can be found in the upcoming version 3.0 of the Azure Provider.
Tips: Best Practices for the Other Azure App Service (Web Apps) Resources
In addition to azurerm_app_service, Azure App Service (Web Apps) has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_app_service
Ensure your App Service is accessible via HTTPS only
It is better to configure the App Service to be accessible via HTTPS only. By default, both HTTP and HTTPS are available.
azurerm_function_app
Ensure authentication is enabled so that anonymous requests are not accepted
It is better to enable authentication so that anonymous requests are rejected and all communication with the application is authenticated.
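As an added example (not from this page, the provider docs or any project), the following Terraform ties the source control resource described above to a Linux Web App configured along the lines of the tips just given: HTTPS only, a minimum TLS version, FTPS disabled and sign-in required. The source control argument names follow the listing on this page; the resource group, plan, app, repository URL and the aad_client_id variable are placeholders.

```hcl
# Added example: azurerm_app_service_source_control wired to a hardened
# Linux Web App. All names, the repository URL and the variable are placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-webapp-example"
  location = "West Europe"
}

resource "azurerm_service_plan" "example" {
  name                = "plan-webapp-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "P1v2"
}

resource "azurerm_linux_web_app" "example" {
  name                = "webapp-example-src"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Tip above: accept HTTPS only (plain HTTP requests are redirected).
  https_only = true

  site_config {
    minimum_tls_version     = "1.2"
    scm_minimum_tls_version = "1.2"      # also protect the Kudu/SCM site
    ftps_state              = "Disabled" # no plaintext FTP deployments
    application_stack {
      node_version = "16-lts"
    }
  }

  # Tip above: reject anonymous requests by requiring sign-in.
  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage"
    default_provider              = "AzureActiveDirectory"
    active_directory {
      client_id = var.aad_client_id # assumed app registration for this app
    }
  }
}

resource "azurerm_app_service_source_control" "example" {
  app_id   = azurerm_linux_web_app.example.id
  repo_url = "https://github.com/example-org/example-app" # placeholder repo
  branch   = "main"

  # manual_integration = false keeps continuous integration (webhook-driven
  # deployments) enabled; rollback_enabled lets a bad deployment be reverted.
  manual_integration = false
  rollback_enabled   = true
}

variable "aad_client_id" {
  type        = string
  description = "Client ID of the Azure AD app registration used for App Service authentication (placeholder)."
}
```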
Microsoft.Web/sites (Azure Resource Manager)
The sites in Microsoft.Web can be configured in Azure Resource Manager with the resource name Microsoft.Web/sites. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"ResourceType": "Microsoft.Web/sites",
"MetricName": "Http5xx",
"Operator": "GreaterThanOrEqual",
"Threshold": "50",
"TimeWindow": "PT5M",
"Aggregation": "Total"

"resourceType": "Microsoft.Web/sites",
"allOf": [
  {
    "path": "kind",
    "regex": "api$"
  },

"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionAppName')]",
"location": "UK South",
"kind": "functionapp",
"properties": {

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "deploymentId": {

"type": "Microsoft.Web/sites",
"name": "[parameters('site_name')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {

"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
"location": "Central US",
"dependsOn": [
  "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {
Parameters
apiVersion (required, string)
extendedLocation (optional)
  name (optional, string): Name of the extended location.
identity (optional)
  type (optional, string): Type of managed service identity.
  userAssignedIdentities (optional): The list of user-assigned identities associated with the resource. The user identity dictionary key references will be ARM resource IDs in the form '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
kind (optional, string): Kind of resource.
location (required, string): Resource location.
name (required, string): Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.
properties (required)
  clientAffinityEnabled (optional, boolean): true to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.
  clientCertEnabled (optional, boolean): true to enable client certificate authentication (TLS mutual authentication); otherwise, false. Default is false.
  clientCertExclusionPaths (optional, string): Comma-separated exclusion paths for client certificate authentication.
  clientCertMode (optional, string): This composes with the ClientCertEnabled setting.
    - ClientCertEnabled: false means ClientCert is ignored.
    - ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
    - ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
  cloningInfo (optional)
    appSettingsOverrides (optional, string): Application setting overrides for the cloned app. If specified, these settings override the settings cloned from the source app. Otherwise, application settings from the source app are retained.
    cloneCustomHostNames (optional, boolean): true to clone custom hostnames from the source app; otherwise, false.
    cloneSourceControl (optional, boolean): true to clone source control from the source app; otherwise, false.
    configureLoadBalancing (optional, boolean): true to configure load balancing for the source and destination app.
    correlationId (optional, string): Correlation ID of the cloning operation. This ID ties multiple cloning operations together to use the same snapshot.
    hostingEnvironment (optional, string): App Service Environment.
    overwrite (optional, boolean): true to overwrite the destination app; otherwise, false.
    sourceWebAppId (required, string): ARM resource ID of the source app. The app resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.
    sourceWebAppLocation (optional, string): Location of the source app, e.g. West US or North Europe.
    trafficManagerProfileId (optional, string): ARM resource ID of the Traffic Manager profile to use, if it exists. The Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.
    trafficManagerProfileName (optional, string): Name of the Traffic Manager profile to create. This is only needed if the Traffic Manager profile does not already exist.
  containerSize (optional, integer): Size of the function container.
  customDomainVerificationId (optional, string): Unique identifier that verifies the custom domains assigned to the app. The customer adds this ID to a TXT record for verification.
  dailyMemoryTimeQuota (optional, integer): Maximum allowed daily memory-time quota (applicable to dynamic apps only).
  enabled (optional, boolean): true if the app is enabled; otherwise, false. Setting this value to false disables the app (takes the app offline).
  hostingEnvironmentProfile (optional)
    id (optional, string): Resource ID of the App Service Environment.
  hostNamesDisabled (optional, boolean): true to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via the API Management process.
  hostNameSslStates (optional, array)
    hostType (optional, string): Indicates whether the hostname is a standard or repository hostname.
    name (optional, string): Hostname.
    sslState (optional, string): SSL type.
    thumbprint (optional, string): SSL certificate thumbprint.
    toUpdate (optional, boolean): Set to true to update an existing hostname.
    virtualIP (optional, string): Virtual IP address assigned to the hostname if IP-based SSL is enabled.
  httpsOnly (optional, boolean): Configures a web site to accept only HTTPS requests; issues a redirect for HTTP requests.
  hyperV (optional, boolean): Hyper-V sandbox.
  isXenon (optional, boolean): Obsolete: Hyper-V sandbox.
  keyVaultReferenceIdentity (optional, string): Identity to use for Key Vault Reference authentication.
  redundancyMode (optional, string): Site redundancy mode.
  reserved (optional, boolean): true if reserved; otherwise, false.
  scmSiteAlsoStopped (optional, boolean): true to stop the SCM (Kudu) site when the app is stopped; otherwise, false. The default is false.
  serverFarmId (optional, string): Resource ID of the associated App Service plan, formatted as "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".
  siteConfig (optional)
    acrUseManagedIdentityCreds (optional, boolean): Flag to use Managed Identity credentials for ACR pull.
    acrUserManagedIdentityID (optional, string): If using a user-managed identity, the ClientId of that identity.
    alwaysOn (optional, boolean): true if Always On is enabled; otherwise, false.
    apiDefinition (optional)
      url (optional, string): The URL of the API definition.
    apiManagementConfig (optional)
      id (optional, string): APIM API identifier.
    appCommandLine (optional, string): App command line to launch.
    appSettings (optional, array)
      name (optional, string): Pair name.
      value (optional, string): Pair value.
    autoHealEnabled (optional, boolean): true if Auto Heal is enabled; otherwise, false.
    autoHealRules (optional)
      actions (optional)
        actionType (optional, string): Predefined action to be taken.
        customAction (optional)
          exe (optional, string): Executable to be run.
          parameters (optional, string): Parameters for the executable.
        minProcessExecutionTime (optional, string): Minimum time the process must execute before taking the action.
      triggers (optional)
        privateBytesInKB (optional, integer): A rule based on private bytes.
        requests (optional)
          count (optional, integer): Request count.
          timeInterval (optional, string): Time interval.
        slowRequests (optional)
          count (optional, integer): Request count.
          path (optional, string): Request path.
          timeInterval (optional, string): Time interval.
          timeTaken (optional, string): Time taken.
        slowRequestsWithPath (optional, array)
          count (optional, integer): Request count.
          path (optional, string): Request path.
          timeInterval (optional, string): Time interval.
          timeTaken (optional, string): Time taken.
        statusCodes (optional, array)
          count (optional, integer): Request count.
          path (optional, string): Request path.
          status (optional, integer): HTTP status code.
          subStatus (optional, integer): Request sub-status.
          timeInterval (optional, string): Time interval.
          win32Status (optional, integer): Win32 error code.
        statusCodesRange (optional, array)
          count (optional, integer): Request count.
          path (optional, string)
          statusCodes (optional, string): HTTP status code.
          timeInterval (optional, string): Time interval.
    autoSwapSlotName (optional, string): Auto-swap slot name.
    azureStorageAccounts (optional): List of Azure Storage Accounts.
    connectionStrings (optional, array)
      connectionString (optional, string): Connection string value.
      name (optional, string): Name of the connection string.
      type (optional, string): Type of database.
    cors (optional)
      allowedOrigins (optional, array): Gets or sets the list of origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). Use "*" to allow all.
      supportCredentials (optional, boolean): Gets or sets whether CORS requests with credentials are allowed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials for more details.
    defaultDocuments (optional, array): Default documents.
    detailedErrorLoggingEnabled (optional, boolean): true if detailed error logging is enabled; otherwise, false.
    documentRoot (optional, string): Document root.
    experiments (optional)
      rampUpRules (optional, array)
        actionHostName (optional, string): Hostname of a slot to which the traffic will be redirected if decided to, e.g. myapp-stage.azurewebsites.net.
        changeDecisionCallbackUrl (optional, string): A custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified here. See the TiPCallback site extension for the scaffold and contracts: https://www.siteextensions.net/packages/TiPCallback/
        changeIntervalInMinutes (optional, integer): Specifies the interval in minutes at which to re-evaluate ReroutePercentage.
        changeStep (optional, number): In the auto ramp-up scenario this is the step to add to or remove from ReroutePercentage until it reaches MinReroutePercentage or MaxReroutePercentage. Site metrics are checked every N minutes as specified in ChangeIntervalInMinutes. A custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified in ChangeDecisionCallbackUrl.
        maxReroutePercentage (optional, number): Specifies the upper boundary below which ReroutePercentage will stay.
        minReroutePercentage (optional, number): Specifies the lower boundary above which ReroutePercentage will stay.
        name (optional, string): Name of the routing rule. The recommended name would point to the slot which will receive the traffic in the experiment.
        reroutePercentage (optional, number): Percentage of the traffic which will be redirected to ActionHostName.
    ftpsState (optional, string): State of the FTP / FTPS service.
    functionAppScaleLimit (optional, integer): Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium plans.
    functionsRuntimeScaleMonitoringEnabled (optional, boolean): Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call the runtime to get scale status.
    handlerMappings (optional, array)
      arguments (optional, string): Command-line arguments to be passed to the script processor.
      extension (optional, string): Requests with this extension will be handled using the specified FastCGI application.
      scriptProcessor (optional, string): The absolute path to the FastCGI application.
    healthCheckPath (optional, string): Health check path.
    http20Enabled (optional, boolean): Configures a web site to allow clients to connect over HTTP/2.0.
    httpLoggingEnabled (optional, boolean): true if HTTP logging is enabled; otherwise, false.
    ipSecurityRestrictions (optional, array)
      action (optional, string): Allow or Deny access for this IP range.
      description (optional, string): IP restriction rule description.
      headers (optional, array): IP restriction rule headers.
        X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is:
        - If the property is null or empty (default), all hosts (or lack of) are allowed.
        - A value is compared using ordinal-ignore-case (excluding port number).
        - Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
        - Unicode host names are allowed but are converted to Punycode for matching.
        X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is:
        - If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
        - If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property.
        X-Azure-FDID and X-FD-HealthProbe: the matching logic is exact match.
      ipAddress (optional, string): IP address the security restriction is valid for. It can be in the form of a pure IPv4 address (requires the SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, the SubnetMask property must not be specified.
      name (optional, string): IP restriction rule name.
      priority (optional, integer): Priority of the IP restriction rule.
      subnetMask (optional, string): Subnet mask for the range of IP addresses the restriction is valid for.
      subnetTrafficTag (optional, integer): (internal) Subnet traffic tag.
      tag (optional, string): Defines what this IP filter will be used for. This is to support IP filtering on proxies.
      vnetSubnetResourceId (optional, string): Virtual network resource ID.
      vnetTrafficTag (optional, integer): (internal) VNet traffic tag.
    javaContainer (optional, string): Java container.
    javaContainerVersion (optional, string): Java container version.
    javaVersion (optional, string): Java version.
    keyVaultReferenceIdentity (optional, string): Identity to use for Key Vault Reference authentication.
    limits (optional)
      maxDiskSizeInMb (optional, integer): Maximum allowed disk size usage in MB.
      maxMemoryInMb (optional, integer): Maximum allowed memory usage in MB.
      maxPercentageCpu (optional, number): Maximum allowed CPU usage percentage.
    linuxFxVersion (optional, string): Linux App Framework and version.
    loadBalancing (optional, string): Site load balancing.
    localMySqlEnabled (optional, boolean): true to enable local MySQL; otherwise, false.
    logsDirectorySizeLimit (optional, integer): HTTP logs directory size limit.
    managedPipelineMode (optional, string): Managed pipeline mode.
    managedServiceIdentityId (optional, integer): Managed Service Identity ID.
    minimumElasticInstanceCount (optional, integer): Minimum instance count for a site. This setting only applies to the Elastic plans.
    minTlsVersion (optional, string): Configures the minimum version of TLS required for SSL requests.
    netFrameworkVersion (optional, string): .NET Framework version.
    nodeVersion (optional, string): Version of Node.js.
    numberOfWorkers (optional, integer): Number of workers.
    phpVersion (optional, string): Version of PHP.
    powerShellVersion (optional, string): Version of PowerShell.
    preWarmedInstanceCount (optional, integer): Number of pre-warmed instances. This setting only applies to the Consumption and Elastic plans.
    publicNetworkAccess (optional, string): Property to allow or block all public traffic.
    publishingUsername (optional, string): Publishing user name.
    push (optional)
      kind (optional, string): Kind of resource.
      properties (optional)
        dynamicTagsJson (optional, string): Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.
        isPushEnabled (required, boolean): Gets or sets a flag indicating whether the Push endpoint is enabled.
        tagsRequiringAuth (optional, string): Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.
        tagWhitelistJson (optional, string): Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.
    pythonVersion (optional, string): Version of Python.
    remoteDebuggingEnabled (optional, boolean): true if remote debugging is enabled; otherwise, false.
    remoteDebuggingVersion (optional, string): Remote debugging version.
    requestTracingEnabled (optional, boolean): true if request tracing is enabled; otherwise, false.
    requestTracingExpirationTime (optional, string): Request tracing expiration time.
    scmIpSecurityRestrictions (optional, array)
      action (optional, string): Allow or Deny access for this IP range.
      description (optional, string): IP restriction rule description.
      headers (optional, array): IP restriction rule headers.
        X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is:
        - If the property is null or empty (default), all hosts (or lack of) are allowed.
        - A value is compared using ordinal-ignore-case (excluding port number).
        - Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
        - Unicode host names are allowed but are converted to Punycode for matching.
        X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is:
        - If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
        - If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property.
        X-Azure-FDID and X-FD-HealthProbe: the matching logic is exact match.
      ipAddress (optional, string): IP address the security restriction is valid for. It can be in the form of a pure IPv4 address (requires the SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, the SubnetMask property must not be specified.
      name (optional, string): IP restriction rule name.
      priority (optional, integer): Priority of the IP restriction rule.
      subnetMask (optional, string): Subnet mask for the range of IP addresses the restriction is valid for.
      subnetTrafficTag (optional, integer): (internal) Subnet traffic tag.
      tag (optional, string): Defines what this IP filter will be used for. This is to support IP filtering on proxies.
      vnetSubnetResourceId (optional, string): Virtual network resource ID.
      vnetTrafficTag (optional, integer): (internal) VNet traffic tag.
    scmIpSecurityRestrictionsUseMain (optional, boolean): Makes the SCM site use the main site's IP security restrictions.
    scmMinTlsVersion (optional, string): Configures the minimum version of TLS required for SSL requests to the SCM site.
    scmType (optional, string): SCM type.
    tracingOptions (optional, string): Tracing options.
    use32BitWorkerProcess (optional, boolean): true to use a 32-bit worker process; otherwise, false.
    virtualApplications (optional, array)
      physicalPath (optional, string): Physical path.
      preloadEnabled (optional, boolean): true if preloading is enabled; otherwise, false.
      virtualDirectories (optional, array)
        physicalPath (optional, string): Physical path.
        virtualPath (optional, string): Path to the virtual application.
      virtualPath (optional, string): Virtual path.
    vnetName (optional, string): Virtual Network name.
    vnetPrivatePortsCount (optional, integer): The number of private ports assigned to this app. These will be assigned dynamically at runtime.
    vnetRouteAllEnabled (optional, boolean): Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.
    websiteTimeZone (optional, string): Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values (https://www.iana.org/time-zones; for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones.
    webSocketsEnabled (optional, boolean): true if WebSocket is enabled; otherwise, false.
    windowsFxVersion (optional, string): Xenon App Framework and version.
    xManagedServiceIdentityId (optional, integer): Explicit Managed Service Identity ID.
  storageAccountRequired (optional, boolean): Checks if a customer-provided storage account is required.
  virtualNetworkSubnetId (optional, string): Azure Resource Manager ID of the virtual network and subnet to be joined by Regional VNet Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}.
tags (optional, string): Resource tags.
type (required, string)