Azure App Service (Web Apps) App Service
This page shows how to write Terraform and Azure Resource Manager definitions for an App Service (Web Apps) App Service, and how to write them securely.
azurerm_app_service (Terraform)
An App Service in App Service (Web Apps) is configured in Terraform with the resource type azurerm_app_service. The following sections show example usage taken from GitHub, the settings that matter for security, and the resource's parameters.
Example Usage from GitHub

resource "azurerm_app_service" "app_service_catalog_staging" {
  name                = "pp-catalogSta"
  location            = azurerm_resource_group.PlayPadel-Sta.location
  resource_group_name = azurerm_resource_group.PlayPadel-Sta.name
  app_service_plan_id = azurerm_app_service_plan.PlayPadelASP-Sta.id
}

resource "azurerm_app_service" "example" {
  name                = "Nsama-Frontend-App"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  app_settings = {
    # settings truncated in the source snippet
  }
}

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}

resource "azurerm_app_service" "webapp1" {
  # creating web app
  name                = var.s1_name
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  app_service_plan_id = azurerm_app_service_plan.sp.id
}

resource "azurerm_app_service" "SPJTestWebApp" {
  name                = "SPJTestWebApp"
  location            = "East Us"
  resource_group_name = "POC_DevOps_RG"
  app_service_plan_id = azurerm_app_service_plan.appserviceplan.id
}

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = true
}

resource "azurerm_app_service" "good_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  client_cert_enabled = true
}

resource "azurerm_app_service" "webapp" {
  name                = "wamdahhassan-frontend-service"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  app_service_plan_id = azurerm_app_service_plan.sp.id
}
Security Best Practices for azurerm_app_service
Twelve settings in azurerm_app_service deserve attention for security reasons. The following sections give an overview of each; the parameter names refer to the Parameters list further down this page.
Ensure your App Service is accessible via HTTPS only
By default both HTTP and HTTPS are served. Set https_only = true so that plain-HTTP requests are redirected to HTTPS and session cookies or credentials are never carried over an unencrypted connection.
Ensure the latest version of the TLS protocol is required
Set site_config.min_tls_version to "1.2", the highest value the resource accepts, so that clients negotiating TLS 1.0 or 1.1 are rejected rather than silently served with a weaker protocol.
Ensure authentication is enabled
Enable App Service authentication with auth_settings.enabled = true, a default_provider, and unauthenticated_client_action set to redirect to the login page, so that anonymous requests are not accepted and every request reaching the application carries an authenticated identity.
Ensure FTP deployment is disabled
FTP is a legacy deployment method that sends credentials and content in cleartext; FTPS at least encrypts the channel, but both leave a second, password-authenticated write path to the site open. Set site_config.ftps_state = "Disabled" (or "FtpsOnly" only if FTPS deployment is genuinely required).
Ensure the app identity is registered with Azure AD
Add an identity block (type = "SystemAssigned" or "UserAssigned") so the app gets a managed identity in Azure AD and authenticates to other services such as Key Vault, Storage or SQL with that identity instead of a username and password stored in app settings.
Ensure detailed error messages are enabled
Set logs.detailed_error_messages_enabled = true. App Service then saves the error page for application errors with an HTTP status of 400 or greater, which helps determine why the server returned that code. The pages are written to the app's file system for operators; they are not returned to clients.
Ensure the latest version of the .NET Framework is selected
Set site_config.dotnet_framework_version to the newest value your provider release accepts so the app runs with the latest security fixes.
Ensure failed request tracing is enabled
Set logs.failed_request_tracing_enabled = true to record failed requests together with the time taken in each IIS component. This is useful for site performance problems and for specific HTTP errors.
Ensure HTTP logging is enabled
Configure logs.http_logs so that the fundamental details of each HTTP exchange (method, resource URI, client IP, client port, user agent and so on) are retained. Without these logs there is no record to investigate an incident against.
Ensure the latest PHP version is selected
Set site_config.php_version to the newest value the resource accepts to pick up the latest security fixes.
Ensure the latest Python version is selected
Set site_config.python_version to the newest value the resource accepts to pick up the latest security fixes.
Ensure incoming client certificates are required
Set client_cert_enabled = true. Only clients that present a valid certificate during the TLS handshake (mutual TLS) can reach the app. App Service forwards the certificate to the application; the application code is still responsible for validating it against the expected issuer and subject.
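The twelve settings above, applied together on one resource. This is an added example written for this page, not code from any of the GitHub sources quoted earlier; the resource group, plan, names and the two variables are placeholders, and the tenant and client ID are assumed to belong to an existing Azure AD app registration.

```hcl
# Added example: an azurerm_app_service with every security setting from this
# section applied. Names, the resource group, the plan and both variables are
# placeholders; replace them with your own.

variable "tenant_id" {
  description = "Azure AD tenant that issues tokens for App Service authentication (placeholder)"
  type        = string
}

variable "aad_client_id" {
  description = "Application (client) ID of the Azure AD app registration used for sign-in (placeholder)"
  type        = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "West Europe"
}

resource "azurerm_app_service_plan" "example" {
  name                = "example-plan"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_app_service" "hardened" {
  name                = "example-hardened-app"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  https_only          = true # plain HTTP is redirected to HTTPS
  client_cert_enabled = true # mutual TLS; the app must still validate the forwarded certificate

  identity {
    type = "SystemAssigned" # Azure AD identity for the app; no stored username/password
  }

  site_config {
    min_tls_version          = "1.2"      # highest value the resource accepts; rejects TLS 1.0/1.1
    ftps_state               = "Disabled" # neither FTP nor FTPS deployment
    dotnet_framework_version = "v4.0"     # use the newest value your provider release accepts
    php_version              = "7.4"      # newest PHP value accepted at the time of writing
    python_version           = "3.4"      # only 3.x value this Windows resource accepts; Linux apps set linux_fx_version instead
    http2_enabled            = true
    remote_debugging_enabled = false      # an open debug endpoint is a remote code path; keep it off
  }

  auth_settings {
    enabled                       = true
    default_provider              = "AzureActiveDirectory"
    unauthenticated_client_action = "RedirectToLoginPage" # anonymous requests are not served
    issuer                        = "https://sts.windows.net/${var.tenant_id}/"

    active_directory {
      client_id = var.aad_client_id
    }
  }

  logs {
    detailed_error_messages_enabled = true # saves HTTP 400+ error pages to the file system, not to clients
    failed_request_tracing_enabled  = true # per-IIS-component timing for failed requests

    http_logs {
      file_system {
        retention_in_days = 30
        retention_in_mb   = 100
      }
    }
  }
}
```

With client_cert_enabled = true, anything that cannot present a certificate, including external health probes and browser users without one, is turned away; keep it off for public sites and on for service-to-service endpoints. Set ftps_state to "FtpsOnly" rather than "Disabled" only when a deployment pipeline genuinely depends on FTPS.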
Parameters
- app_service_plan_id (required, string)
- app_settings (optional, computed, map of string)
- client_affinity_enabled (optional, bool)
- client_cert_enabled (optional, bool)
- custom_domain_verification_id (optional, computed, string)
- default_site_hostname (optional, computed, string)
- enabled (optional, bool)
- https_only (optional, bool)
- id (optional, computed, string)
- location (required, string)
- name (required, string)
- outbound_ip_address_list (optional, computed, list of string)
- outbound_ip_addresses (optional, computed, string)
- possible_outbound_ip_address_list (optional, computed, list of string)
- possible_outbound_ip_addresses (optional, computed, string)
- resource_group_name (required, string)
- site_credential (optional, computed, list of object)
- tags (optional, map of string)
- auth_settings (list block)
  - additional_login_params (optional, map of string)
  - allowed_external_redirect_urls (optional, list of string)
  - default_provider (optional, string)
  - enabled (required, bool)
  - issuer (optional, string)
  - runtime_version (optional, string)
  - token_refresh_extension_hours (optional, number)
  - token_store_enabled (optional, bool)
  - unauthenticated_client_action (optional, string)
  - active_directory (list block)
    - allowed_audiences (optional, list of string)
    - client_id (required, string)
    - client_secret (optional, string)
  - facebook (list block)
    - app_id (required, string)
    - app_secret (required, string)
    - oauth_scopes (optional, list of string)
  - google (list block)
    - client_id (required, string)
    - client_secret (required, string)
    - oauth_scopes (optional, list of string)
  - microsoft (list block)
    - client_id (required, string)
    - client_secret (required, string)
    - oauth_scopes (optional, list of string)
  - twitter (list block)
    - consumer_key (required, string)
    - consumer_secret (required, string)
- backup (list block)
  - enabled (optional, bool)
  - name (required, string)
  - storage_account_url (required, string)
  - schedule (list block)
    - frequency_interval (required, number)
    - frequency_unit (required, string)
    - keep_at_least_one_backup (optional, bool)
    - retention_period_in_days (optional, number)
    - start_time (optional, string)
- connection_string (set block)
- identity (list block)
  - identity_ids (optional, list of string)
  - principal_id (optional, computed, string)
  - tenant_id (optional, computed, string)
  - type (required, string)
- logs (list block)
  - detailed_error_messages_enabled (optional, bool)
  - failed_request_tracing_enabled (optional, bool)
  - application_logs (list block)
    - file_system_level (optional, string)
    - azure_blob_storage (list block)
      - level (required, string)
      - retention_in_days (required, number)
      - sas_url (required, string)
  - http_logs (list block)
    - azure_blob_storage (list block)
      - retention_in_days (required, number)
      - sas_url (required, string)
    - file_system (list block)
      - retention_in_days (required, number)
      - retention_in_mb (required, number)
- site_config (list block)
  - always_on (optional, bool)
  - app_command_line (optional, string)
  - auto_swap_slot_name (optional, string)
  - default_documents (optional, list of string)
  - dotnet_framework_version (optional, string)
  - ftps_state (optional, computed, string)
  - health_check_path (optional, string)
  - http2_enabled (optional, bool)
  - ip_restriction (optional, computed, list of object)
    - action (string)
    - ip_address (string)
    - name (string)
    - priority (number)
    - service_tag (string)
    - virtual_network_subnet_id (string)
  - java_container (optional, string)
  - java_container_version (optional, string)
  - java_version (optional, string)
  - linux_fx_version (optional, computed, string)
  - local_mysql_enabled (optional, computed, bool)
  - managed_pipeline_mode (optional, computed, string)
  - min_tls_version (optional, computed, string)
  - number_of_workers (optional, computed, number)
  - php_version (optional, string)
  - python_version (optional, string)
  - remote_debugging_enabled (optional, bool)
  - remote_debugging_version (optional, computed, string)
  - scm_ip_restriction (optional, computed, list of object)
    - action (string)
    - ip_address (string)
    - name (string)
    - priority (number)
    - service_tag (string)
    - virtual_network_subnet_id (string)
  - scm_type (optional, computed, string)
  - scm_use_main_ip_restriction (optional, bool)
  - use_32_bit_worker_process (optional, bool)
  - websockets_enabled (optional, computed, bool)
  - windows_fx_version (optional, computed, string)
  - cors (list block)
    - allowed_origins (required, set of string)
    - support_credentials (optional, bool)
- source_control (list block)
  - branch (optional, computed, string)
  - manual_integration (optional, computed, bool)
  - repo_url (optional, computed, string)
  - rollback_enabled (optional, computed, bool)
  - use_mercurial (optional, computed, bool)
- storage_account (set block)
  - access_key (required, string)
  - account_name (required, string)
  - mount_path (optional, string)
  - name (required, string)
  - share_name (required, string)
  - type (required, string)
- timeouts (single block)
Explanation in Terraform Registry
Manages an App Service (within an App Service Plan).
Note: When using Slots, the app_settings, connection_string and site_config blocks on the azurerm_app_service resource will be overwritten when promoting a Slot using the azurerm_app_service_active_slot resource.
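The note above has a security consequence: if production is hardened but the slot is not, promoting the slot replaces production's site_config with the slot's. The following added example (not from the Registry page) gives the slot the same hardening before it is promoted. It assumes an existing azurerm_app_service named "hardened" in the same configuration; the slot name is a placeholder.

```hcl
# Added example: a staging slot that carries the same hardening as the
# production app, so that promoting it cannot downgrade production.
# Assumes azurerm_app_service.hardened already exists in this configuration.
resource "azurerm_app_service_slot" "staging" {
  name                = "staging"
  app_service_name    = azurerm_app_service.hardened.name
  location            = azurerm_app_service.hardened.location
  resource_group_name = azurerm_app_service.hardened.resource_group_name
  app_service_plan_id = azurerm_app_service.hardened.app_service_plan_id

  https_only = true

  site_config {
    min_tls_version          = "1.2"
    ftps_state               = "Disabled"
    remote_debugging_enabled = false
  }
}

# Promotes the slot. After apply, the slot's app_settings, connection_string
# and site_config are what production runs with, as the Registry note says.
resource "azurerm_app_service_active_slot" "promote" {
  resource_group_name   = azurerm_app_service.hardened.resource_group_name
  app_service_name      = azurerm_app_service.hardened.name
  app_service_slot_name = azurerm_app_service_slot.staging.name
}
```

Keep the hardening values in a single local or module input that both the app and every slot reference, so a drift between them shows up in plan output rather than after a swap.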
Tips: Best Practices for The Other Azure App Service (Web Apps) Resources
In addition to azurerm_app_service, Azure App Service (Web Apps) has other resources that should be configured with security in mind. The following is an example of such a resource and the precaution that applies to it.
azurerm_function_app
Ensure authentication is enabled so that anonymous requests are not accepted
Enable authentication on the function app so anonymous requests are rejected and all communication with the application is authenticated.
Microsoft.Web/sites (Azure Resource Manager)
A site in Microsoft.Web is configured in Azure Resource Manager with the resource type Microsoft.Web/sites. The following sections show example usage taken from GitHub and describe the resource's parameters.
Example Usage from GitHub

"ResourceType": "Microsoft.Web/sites",
"MetricName": "Http5xx",
"Operator": "GreaterThanOrEqual",
"Threshold": "50",
"TimeWindow": "PT5M",
"Aggregation": "Total"

"resourceType": "Microsoft.Web/sites",
"allOf": [
  {
    "path": "kind",
    "regex": "api$"
  },

"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionAppName')]",
"location": "UK South",
"kind": "functionapp",
"properties": {

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "deploymentId": {

"type": "Microsoft.Web/sites",
"name": "[parameters('site_name')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {

"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
"location": "Central US",
"dependsOn": [
  "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {
Parameters
- apiVersion (required, string)
- extendedLocation (optional)
  - name (optional, string): Name of extended location.
- identity (optional)
  - type (optional, string): Type of managed service identity.
  - userAssignedIdentities (optional): The list of user assigned identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'
- kind (optional, string): Kind of resource.
- location (required, string): Resource Location.
- name (required, string): Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.
- properties (required)
  - clientAffinityEnabled (optional, boolean): true to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.
  - clientCertEnabled (optional, boolean): true to enable client certificate authentication (TLS mutual authentication); otherwise, false. Default is false.
  - clientCertExclusionPaths (optional, string): Client certificate authentication comma-separated exclusion paths.
  - clientCertMode (optional, string): This composes with the ClientCertEnabled setting.
    - ClientCertEnabled: false means ClientCert is ignored.
    - ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
    - ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
  - cloningInfo (optional)
    - appSettingsOverrides (optional, string): Application setting overrides for cloned app. If specified, these settings override the settings cloned from source app. Otherwise, application settings from source app are retained.
    - cloneCustomHostNames (optional, boolean): true to clone custom hostnames from source app; otherwise, false.
    - cloneSourceControl (optional, boolean): true to clone source control from source app; otherwise, false.
    - configureLoadBalancing (optional, boolean): true to configure load balancing for source and destination app.
    - correlationId (optional, string): Correlation ID of cloning operation. This ID ties multiple cloning operations together to use the same snapshot.
    - hostingEnvironment (optional, string): App Service Environment.
    - overwrite (optional, boolean): true to overwrite destination app; otherwise, false.
    - sourceWebAppId (required, string): ARM resource ID of the source app. App resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.
    - sourceWebAppLocation (optional, string): Location of source app, e.g. West US or North Europe.
    - trafficManagerProfileId (optional, string): ARM resource ID of the Traffic Manager profile to use, if it exists. Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.
    - trafficManagerProfileName (optional, string): Name of Traffic Manager profile to create. This is only needed if Traffic Manager profile does not already exist.
  - containerSize (optional, integer): Size of the function container.
  - customDomainVerificationId (optional, string): Unique identifier that verifies the custom domains assigned to the app. Customer will add this id to a txt record for verification.
  - dailyMemoryTimeQuota (optional, integer): Maximum allowed daily memory-time quota (applicable on dynamic apps only).
  - enabled (optional, boolean): true if the app is enabled; otherwise, false. Setting this value to false disables the app (takes the app offline).
  - hostingEnvironmentProfile (optional)
    - id (optional, string): Resource ID of the App Service Environment.
  - hostNamesDisabled (optional, boolean): true to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via API management process.
  - hostNameSslStates (optional, array)
    - hostType (optional, string): Indicates whether the hostname is a standard or repository hostname.
    - name (optional, string): Hostname.
    - sslState (optional, string): SSL type.
    - thumbprint (optional, string): SSL certificate thumbprint.
    - toUpdate (optional, boolean): Set to true to update existing hostname.
    - virtualIP (optional, string): Virtual IP address assigned to the hostname if IP based SSL is enabled.
  - httpsOnly (optional, boolean): Configures a web site to accept only https requests. Issues redirect for http requests.
  - hyperV (optional, boolean): Hyper-V sandbox.
  - isXenon (optional, boolean): Obsolete: Hyper-V sandbox.
  - keyVaultReferenceIdentity (optional, string): Identity to use for Key Vault Reference authentication.
  - redundancyMode (optional, string): Site redundancy mode.
  - reserved (optional, boolean): true if reserved; otherwise, false.
  - scmSiteAlsoStopped (optional, boolean): true to stop SCM (KUDU) site when the app is stopped; otherwise, false. The default is false.
  - serverFarmId (optional, string): Resource ID of the associated App Service plan, formatted as: "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".
  - siteConfig (optional)
    - acrUseManagedIdentityCreds (optional, boolean): Flag to use Managed Identity Creds for ACR pull.
    - acrUserManagedIdentityID (optional, string): If using user managed identity, the user managed identity ClientId.
    - alwaysOn (optional, boolean): true if Always On is enabled; otherwise, false.
    - apiDefinition (optional)
      - url (optional, string): The URL of the API definition.
    - apiManagementConfig (optional)
      - id (optional, string): APIM-Api Identifier.
    - appCommandLine (optional, string): App command line to launch.
    - appSettings (optional, array)
      - name (optional, string): Pair name.
      - value (optional, string): Pair value.
    - autoHealEnabled (optional, boolean): true if Auto Heal is enabled; otherwise, false.
    - autoHealRules (optional)
      - actions (optional)
        - actionType (optional, string): Predefined action to be taken.
        - customAction (optional)
          - exe (optional, string): Executable to be run.
          - parameters (optional, string): Parameters for the executable.
        - minProcessExecutionTime (optional, string): Minimum time the process must execute before taking the action.
      - triggers (optional)
        - privateBytesInKB (optional, integer): A rule based on private bytes.
        - requests (optional)
          - count (optional, integer): Request Count.
          - timeInterval (optional, string): Time interval.
        - slowRequests (optional)
          - count (optional, integer): Request Count.
          - path (optional, string): Request Path.
          - timeInterval (optional, string): Time interval.
          - timeTaken (optional, string): Time taken.
        - slowRequestsWithPath (optional, array)
          - count (optional, integer): Request Count.
          - path (optional, string): Request Path.
          - timeInterval (optional, string): Time interval.
          - timeTaken (optional, string): Time taken.
        - statusCodes (optional, array)
          - count (optional, integer): Request Count.
          - path (optional, string): Request Path.
          - status (optional, integer): HTTP status code.
          - subStatus (optional, integer): Request Sub Status.
          - timeInterval (optional, string): Time interval.
          - win32Status (optional, integer): Win32 error code.
        - statusCodesRange (optional, array)
          - count (optional, integer): Request Count.
          - path (optional, string)
          - statusCodes (optional, string): HTTP status code.
          - timeInterval (optional, string): Time interval.
    - autoSwapSlotName (optional, string): Auto-swap slot name.
    - azureStorageAccounts (optional): List of Azure Storage Accounts.
    - connectionStrings (optional, array)
      - connectionString (optional, string): Connection string value.
      - name (optional, string): Name of connection string.
      - type (optional, string): Type of database.
    - cors (optional)
      - allowedOrigins (optional, array): Gets or sets the list of origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). Use "*" to allow all.
      - supportCredentials (optional, boolean): Gets or sets whether CORS requests with credentials are allowed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials for more details.
    - defaultDocuments (optional, array): Default documents.
    - detailedErrorLoggingEnabled (optional, boolean): true if detailed error logging is enabled; otherwise, false.
    - documentRoot (optional, string): Document root.
    - experiments (optional)
      - rampUpRules (optional, array)
        - actionHostName (optional, string): Hostname of a slot to which the traffic will be redirected if decided to, e.g. myapp-stage.azurewebsites.net.
        - changeDecisionCallbackUrl (optional, string): Custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified here. See the TiPCallback site extension for the scaffold and contracts: https://www.siteextensions.net/packages/TiPCallback/
        - changeIntervalInMinutes (optional, integer): Specifies interval in minutes to reevaluate ReroutePercentage.
        - changeStep (optional, number): In auto ramp up scenario this is the step to add/remove from ReroutePercentage until it reaches MinReroutePercentage or MaxReroutePercentage. Site metrics are checked every N minutes specified in ChangeIntervalInMinutes. Custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified in ChangeDecisionCallbackUrl.
        - maxReroutePercentage (optional, number): Specifies upper boundary below which ReroutePercentage will stay.
        - minReroutePercentage (optional, number): Specifies lower boundary above which ReroutePercentage will stay.
        - name (optional, string): Name of the routing rule. The recommended name would be to point to the slot which will receive the traffic in the experiment.
        - reroutePercentage (optional, number): Percentage of the traffic which will be redirected to ActionHostName.
    - ftpsState (optional, string): State of FTP / FTPS service.
    - functionAppScaleLimit (optional, integer): Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium Plans.
    - functionsRuntimeScaleMonitoringEnabled (optional, boolean): Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call to the runtime to get scale status.
    - handlerMappings (optional, array)
      - arguments (optional, string): Command-line arguments to be passed to the script processor.
      - extension (optional, string): Requests with this extension will be handled using the specified FastCGI application.
      - scriptProcessor (optional, string): The absolute path to the FastCGI application.
    - healthCheckPath (optional, string): Health check path.
    - http20Enabled (optional, boolean): Configures a web site to allow clients to connect over http2.0.
    - httpLoggingEnabled (optional, boolean): true if HTTP logging is enabled; otherwise, false.
    - ipSecurityRestrictions (optional, array)
      - action (optional, string): Allow or Deny access for this IP range.
      - description (optional, string): IP restriction rule description.
      - headers (optional, array): IP restriction rule headers.
        X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples); the matching logic is:
        - If the property is null or empty (default), all hosts (or no host) are allowed.
        - A value is compared using ordinal-ignore-case (excluding port number).
        - Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
        - Unicode host names are allowed but are converted to Punycode for matching.
        X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples); the matching logic is:
        - If the property is null or empty (default), any forwarded-for chain (or none) is allowed.
        - The rule matches if any address (excluding port number) in the comma-separated chain matches the CIDR defined by the property.
        X-Azure-FDID and X-FD-HealthProbe: the matching logic is exact match.
      - ipAddress (optional, string): IP address the security restriction is valid for. It can be in the form of a pure IPv4 address (requires the SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, the SubnetMask property must not be specified.
      - name (optional, string): IP restriction rule name.
      - priority (optional, integer): Priority of IP restriction rule.
      - subnetMask (optional, string): Subnet mask for the range of IP addresses the restriction is valid for.
      - subnetTrafficTag (optional, integer): (internal) Subnet traffic tag.
      - tag (optional, string): Defines what this IP filter will be used for. This is to support IP filtering on proxies.
      - vnetSubnetResourceId (optional, string): Virtual network resource id.
      - vnetTrafficTag (optional, integer): (internal) Vnet traffic tag.
    - javaContainer (optional, string): Java container.
    - javaContainerVersion (optional, string): Java container version.
    - javaVersion (optional, string): Java version.
    - keyVaultReferenceIdentity (optional, string): Identity to use for Key Vault Reference authentication.
    - limits (optional)
      - maxDiskSizeInMb (optional, integer): Maximum allowed disk size usage in MB.
      - maxMemoryInMb (optional, integer): Maximum allowed memory usage in MB.
      - maxPercentageCpu (optional, number): Maximum allowed CPU usage percentage.
    - linuxFxVersion (optional, string): Linux App Framework and version.
    - loadBalancing (optional, string): Site load balancing.
    - localMySqlEnabled (optional, boolean): true to enable local MySQL; otherwise, false.
    - logsDirectorySizeLimit (optional, integer): HTTP logs directory size limit.
    - managedPipelineMode (optional, string): Managed pipeline mode.
    - managedServiceIdentityId (optional, integer): Managed Service Identity Id.
    - minimumElasticInstanceCount (optional, integer): Number of minimum instance count for a site. This setting only applies to the Elastic Plans.
    - minTlsVersion (optional, string): Configures the minimum version of TLS required for SSL requests.
    - netFrameworkVersion (optional, string): .NET Framework version.
    - nodeVersion (optional, string): Version of Node.js.
    - numberOfWorkers (optional, integer): Number of workers.
    - phpVersion (optional, string): Version of PHP.
    - powerShellVersion (optional, string): Version of PowerShell.
    - preWarmedInstanceCount (optional, integer): Number of preWarmed instances. This setting only applies to the Consumption and Elastic Plans.
    - publicNetworkAccess (optional, string): Property to allow or block all public traffic.
    - publishingUsername (optional, string): Publishing user name.
    - push (optional)
      - kind (optional, string): Kind of resource.
      - properties (optional)
        - dynamicTagsJson (optional, string): Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.
        - isPushEnabled (required, boolean): Gets or sets a flag indicating whether the Push endpoint is enabled.
        - tagsRequiringAuth (optional, string): Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.
        - tagWhitelistJson (optional, string): Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.
    - pythonVersion (optional, string): Version of Python.
    - remoteDebuggingEnabled (optional, boolean): true if remote debugging is enabled; otherwise, false.
    - remoteDebuggingVersion (optional, string): Remote debugging version.
    - requestTracingEnabled (optional, boolean): true if request tracing is enabled; otherwise, false.
    - requestTracingExpirationTime (optional, string): Request tracing expiration time.
    - scmIpSecurityRestrictions (optional, array): Restrictions for the SCM (Kudu) site; same fields (action, description, headers, ipAddress, name, priority, subnetMask, subnetTrafficTag, tag, vnetSubnetResourceId, vnetTrafficTag) and the same header matching rules as ipSecurityRestrictions above.
    - scmIpSecurityRestrictionsUseMain (optional, boolean): IP security restrictions for scm to use main.
    - scmMinTlsVersion (optional, string): Configures the minimum version of TLS required for SSL requests for the SCM site.
    - scmType (optional, string): SCM type.
    - tracingOptions (optional, string): Tracing options.
    - use32BitWorkerProcess (optional, boolean): true to use 32-bit worker process; otherwise, false.
    - virtualApplications (optional, array)
      - physicalPath (optional, string): Physical path.
      - preloadEnabled (optional, boolean): true if preloading is enabled; otherwise, false.
      - virtualDirectories (optional, array)
        - physicalPath (optional, string): Physical path.
        - virtualPath (optional, string): Path to virtual application.
      - virtualPath (optional, string): Virtual path.
    - vnetName (optional, string): Virtual Network name.
    - vnetPrivatePortsCount (optional, integer): The number of private ports assigned to this app. These will be assigned dynamically on runtime.
    - vnetRouteAllEnabled (optional, boolean): Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.
    - websiteTimeZone (optional, string): Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values (https://www.iana.org/time-zones; for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones.
    - webSocketsEnabled (optional, boolean): true if WebSocket is enabled; otherwise, false.
    - windowsFxVersion (optional, string): Xenon App Framework and version.
    - xManagedServiceIdentityId (optional, integer): Explicit Managed Service Identity Id.
  - storageAccountRequired (optional, boolean): Checks if Customer provided storage account is required.
  - virtualNetworkSubnetId (optional, string): Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
- tags (optional, string): Resource tags.
- type (required, string)
Frequently asked questions
What is Azure App Service (Web Apps) App Service?
Azure App Service (Web Apps) App Service is a resource for App Service (Web Apps) in Microsoft Azure. Its settings can be written in Terraform or in Azure Resource Manager templates.
Where can I find the example code for the Azure App Service (Web Apps) App Service?
For Terraform, the miguelsierramartin/PlayPadel, NsamaChibulu/Project2Services and returntocorp/semgrep-rules source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the SkillsFundingAgency/dfc-providerportal-monitoring, ajf214/personal-arm-templates and mrpaulandrew/procfwk source code examples are useful. See the Azure Resource Manager Example section for further details.