Azure App Service (Web Apps) Function App

This page shows how to write Terraform and Azure Resource Manager for App Service (Web Apps) Function App and write them securely.

azurerm_linux_function_app (Terraform)

The Function App in App Service (Web Apps) can be configured in Terraform with the resource name azurerm_linux_function_app. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • location - (Required) The Azure Region where the Linux Function App should exist. Changing this forces a new Linux Function App to be created.

  • name - (Required) The name which should be used for this Linux Function App. Changing this forces a new Linux Function App to be created.

  • resource_group_name - (Required) The name of the Resource Group where the Linux Function App should exist. Changing this forces a new Linux Function App to be created.

  • service_plan_id - (Required) The ID of the App Service Plan within which to create this Function App.

  • site_config - (Required) A site_config block as defined below.

  • storage_account_name - (Required) The backend storage account name which will be used by this Function App.


  • app_settings - (Optional) A map of key-value pairs for App Settings and custom values.

  • auth_settings - (Optional) An auth_settings block as defined below.

  • backup - (Optional) A backup block as defined below.

  • builtin_logging_enabled - (Optional) Should built-in logging be enabled? Configures the AzureWebJobsDashboard app setting based on the configured storage setting.

  • client_cert_enabled - (Optional) Should the Function App use client certificates?

  • client_cert_mode - (Optional) The mode of the Function App's client certificates requirement for incoming requests. Possible values are Required, Optional, and OptionalInteractiveUser.

  • connection_string - (Optional) One or more connection_string blocks as defined below.

  • daily_memory_time_quota - (Optional) The amount of memory in gigabyte-seconds that your application is allowed to consume per day. Setting this value only affects function apps under the consumption plan. Defaults to 0.

  • enabled - (Optional) Is the Function App enabled?

  • force_disable_content_share - (Optional) Should the settings for linking the Function App to storage be suppressed?

  • functions_extension_version - (Optional) The runtime version associated with the Function App. Defaults to ~4.

  • https_only - (Optional) Can the Function App only be accessed via HTTPS? Defaults to false.

  • identity - (Optional) An identity block as defined below.

  • storage_account_access_key - (Optional) The access key which will be used to access the backend storage account for the Function App. Conflicts with storage_uses_managed_identity.

  • storage_uses_managed_identity - (Optional) Should the Function App use Managed Identity to access the storage account? Conflicts with storage_account_access_key.

NOTE: One of storage_account_access_key or storage_uses_managed_identity must be specified.

  • tags - (Optional) A mapping of tags which should be assigned to the Linux Function App.

An active_directory block supports the following:

  • client_id - (Required) The ID of the Client to use to authenticate with Azure Active Directory.

  • allowed_audiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.

Note: The client_id value is always considered an allowed audience.

  • client_secret - (Optional) The Client Secret for the Client ID. Cannot be used with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with client_secret.


An application_stack block supports the following:

  • docker - (Optional) One or more docker blocks as defined below.

  • dotnet_version - (Optional) The version of .NET to use. Possible values include 3.1 and 6.

  • java_version - (Optional) The Version of Java to use. Supported versions include 8, and 11.

  • node_version - (Optional) The version of Node to run. Possible values include 12, and 14.

  • python_version - (Optional) The version of Python to run. Possible values include 3.6, 3.7, 3.8, and 3.9.

  • use_custom_runtime - (Optional) Should the Linux Function App use a custom runtime?


An app_service_logs block supports the following:

  • disk_quota_mb - (Required) The amount of disk space to use for logs. Valid values are between 25 and 100.

  • retention_period_days - (Optional) The retention period for logs in days. Valid values are between 0 and 99999. Defaults to 0 (never delete).

NOTE: This block is not supported on Consumption plans.


An auth_settings block supports the following:

  • enabled - (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?

  • active_directory - (Optional) An active_directory block as defined above.

  • additional_login_params - (Optional) Specifies a map of Login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.

  • allowed_external_redirect_urls - (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.

  • default_provider - (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: AzureActiveDirectory, Facebook, Google, MicrosoftAccount, Twitter, Github

NOTE: This setting is only needed if multiple providers are configured, and the unauthenticated_client_action is set to "RedirectToLoginPage".

  • facebook - (Optional) A facebook block as defined below.

  • github - (Optional) A github block as defined below.

  • google - (Optional) A google block as defined below.

  • issuer - (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Linux Web App.

NOTE: When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/[tenant-guid]/.

  • microsoft - (Optional) A microsoft block as defined below.

  • runtime_version - (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.

  • token_refresh_extension_hours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.

  • token_store_enabled - (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.

  • twitter - (Optional) A twitter block as defined below.

  • unauthenticated_client_action - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: RedirectToLoginPage, AllowAnonymous.


A backup block supports the following:

  • name - (Required) The name which should be used for this Backup.

  • schedule - (Required) A schedule block as defined below.

  • storage_account_url - (Required) The SAS URL to the container.

  • enabled - (Optional) Should this backup job be enabled?


A connection_string block supports the following:

  • name - (Required) The name which should be used for this Connection.

  • type - (Required) Type of database. Possible values include: MySQL, SQLServer, SQLAzure, Custom, NotificationHub, ServiceBus, EventHub, APIHub, DocDb, RedisCache, and PostgreSQL.

  • value - (Required) The connection string value.


A cors block supports the following:

  • allowed_origins - (Required) Specifies a list of origins that should be allowed to make cross-origin calls.

  • support_credentials - (Optional) Are credentials allowed in CORS requests? Defaults to false.


A docker block supports the following:

  • registry_url - (Required) The URL of the docker registry.

  • image_name - (Required) The name of the Docker image to use.

  • image_tag - (Required) The image tag of the image to use.

  • registry_username - (Optional) The username to use for connections to the registry.

NOTE: This value is required if container_registry_use_managed_identity is not set to true.

  • registry_password - (Optional) The password for the account to use to connect to the registry.

NOTE: This value is required if container_registry_use_managed_identity is not set to true.


A facebook block supports the following:

  • app_id - (Required) The App ID of the Facebook app used for login.

  • app_secret - (Optional) The App Secret of the Facebook app used for Facebook Login. Cannot be specified with app_secret_setting_name.

  • app_secret_setting_name - (Optional) The app setting name that contains the app_secret value used for Facebook Login. Cannot be specified with app_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook Login authentication.


A github block supports the following:

  • client_id - (Required) The ID of the GitHub app used for login.

  • client_secret - (Optional) The Client Secret of the GitHub app used for GitHub Login. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for GitHub Login. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub Login authentication.


A google block supports the following:

  • client_id - (Required) The OpenID Connect Client ID for the Google web application.

  • client_secret - (Optional) The client secret associated with the Google web application. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for Google Login. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, "openid", "profile", and "email" are used as default scopes.


A headers block supports the following:

NOTE: Please see the official Azure Documentation for details on using header filtering.

  • x_azure_fdid - (Optional) Specifies a list of Azure Front Door IDs.

  • x_fd_health_probe - (Optional) Specifies if a Front Door Health Probe should be expected.

  • x_forwarded_for - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.

  • x_forwarded_host - (Optional) Specifies a list of Hosts for which matching should be applied.


An identity block supports the following:

  • type - (Required) The type of managed service identity. Possible values include: "SystemAssigned", "UserAssigned", and "SystemAssigned, UserAssigned".

  • identity_ids - (Optional) Specifies a list of User Assigned Identity IDs.


An ip_restriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this ip_restriction.

  • priority - (Optional) The priority value of this ip_restriction.

  • service_tag - (Optional) The Service Tag used for this IP Restriction.

  • virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.


A microsoft block supports the following:

  • client_id - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • client_secret - (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, wl.basic is used as the default scope.


A schedule block supports the following:

  • frequency_interval - (Required) How often the backup should be executed (e.g. for weekly backup, this should be set to 7 and frequency_unit should be set to Day).

NOTE: Not all intervals are supported on all Linux Function App SKUs. Please refer to the official documentation for appropriate values.

  • frequency_unit - (Required) The unit of time for how often the backup should take place. Possible values include: Day and Hour.

  • keep_at_least_one_backup - (Optional) Should the service keep at least one backup, regardless of its age? Defaults to false.

  • retention_period_days - (Optional) The number of days after which backups should be deleted.

  • start_time - (Optional) When the schedule should start working in RFC-3339 format.


A scm_ip_restriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this ip_restriction.

  • priority - (Optional) The priority value of this ip_restriction.

  • service_tag - (Optional) The Service Tag used for this IP Restriction.

  • virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.


A site_config block supports the following:

  • always_on - (Optional) If this Linux Web App is Always On enabled. Defaults to false.

  • api_definition_url - (Optional) The URL of the API definition that describes this Linux Function App.

  • api_management_api_id - (Optional) The ID of the API Management API for this Linux Function App.

  • app_command_line - (Optional) The App command line to launch.

  • app_scale_limit - (Optional) The number of workers this function app can scale out to. Only applicable to apps on the Consumption and Premium plan.

  • application_insights_connection_string - (Optional) The Connection String for linking the Linux Function App to Application Insights.

  • application_insights_key - (Optional) The Instrumentation Key for connecting the Linux Function App to Application Insights.

  • application_stack - (Optional) An application_stack block as defined above.

  • app_service_logs - (Optional) An app_service_logs block as defined above.

  • auto_swap_slot_name - (Optional) The Linux Function App Slot Name to automatically swap to when deployment to that slot is successfully completed.

  • container_registry_managed_identity_client_id - (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.

  • container_registry_use_managed_identity - (Optional) Should connections to Azure Container Registry use Managed Identity?

  • cors - (Optional) A cors block as defined above.

  • default_documents - (Optional) Specifies a list of Default Documents for the Linux Web App.

  • elastic_instance_minimum - (Optional) The number of minimum instances for this Linux Function App. Only affects apps on Elastic Premium plans.

  • ftps_state - (Optional) State of FTP / FTPS service for this function app. Possible values include: AllAllowed, FtpsOnly and Disabled. Defaults to Disabled.

  • health_check_path - (Optional) The path to be checked for this function app health.

  • health_check_eviction_time_in_min - (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with health_check_path.

  • http2_enabled - (Optional) Specifies if the http2 protocol should be enabled. Defaults to false.

  • ip_restriction - (Optional) One or more ip_restriction blocks as defined above.

  • load_balancing_mode - (Optional) The Site load balancing mode. Possible values include: WeightedRoundRobin, LeastRequests, LeastResponseTime, WeightedTotalTraffic, RequestHash, PerSiteRoundRobin. Defaults to LeastRequests if omitted.

  • managed_pipeline_mode - (Optional) Managed pipeline mode. Possible values include: Integrated, Classic. Defaults to Integrated.

  • minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • number_of_workers - (Optional) The number of Workers for this Linux Function App.

  • pre_warmed_instance_count - (Optional) The number of pre-warmed instances for this function app. Only affects apps on an Elastic Premium plan.

  • remote_debugging - (Optional) Should Remote Debugging be enabled? Defaults to false.

  • remote_debugging_version - (Optional) The Remote Debugging Version. Possible values include VS2017 and VS2019.

  • runtime_scale_monitoring_enabled - (Optional) Should Scale Monitoring of the Functions Runtime be enabled?

  • scm_ip_restriction - (Optional) One or more scm_ip_restriction blocks as defined above.

  • scm_minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • scm_use_main_ip_restriction - (Optional) Should the Linux Function App's ip_restriction configuration also be used for the SCM site?

  • use_32_bit_worker - (Optional) Should the Linux Web App use a 32-bit worker process? Defaults to true.

  • vnet_route_all_enabled - (Optional) Should all outbound traffic have Virtual Network Security Groups and User Defined Routes applied? Defaults to false.

  • websockets_enabled - (Optional) Should Web Sockets be enabled? Defaults to false.


A twitter block supports the following:

  • consumer_key - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.

  • consumer_secret - (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret_setting_name.

  • consumer_secret_setting_name - (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret.

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Linux Function App.

  • custom_domain_verification_id - The identifier used by App Service to perform domain ownership verification via DNS TXT record.

  • default_hostname - The default hostname of the Linux Function App.

  • kind - The Kind value for this Linux Function App.

  • outbound_ip_address_list - A list of outbound IP addresses. For example ["52.23.25.3", "52.143.43.12"]

  • outbound_ip_addresses - A comma separated list of outbound IP addresses as a string. For example 52.23.25.3,52.143.43.12.

  • possible_outbound_ip_address_list - A list of possible outbound IP addresses, not all of which are necessarily in use. This is a superset of outbound_ip_address_list. For example ["52.23.25.3", "52.143.43.12"].

  • possible_outbound_ip_addresses - A comma separated list of possible outbound IP addresses as a string. For example 52.23.25.3,52.143.43.12,52.143.43.17. This is a superset of outbound_ip_addresses.

  • site_credential - A site_credential block as defined below.


A site_credential block exports the following:

  • name - The Site Credentials Username used for publishing.

  • password - The Site Credentials Password used for publishing.
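The page found no example for this resource on GitHub, so the following is an added example, written for this page rather than taken from the page, the Terraform Registry or the azurerm provider: a Linux Function App that turns on the security-relevant arguments listed above (HTTPS only, TLS 1.2 on the main and SCM sites, FTP disabled, managed-identity storage access instead of an access key, an IP allow-list shared with the SCM site, and built-in authentication with the client secret held in an app setting rather than inline). Resource names, the 203.0.113.0/24 range, the variable aad_client_id and the Key Vault URI are constructed placeholders; the Dedicated P1v3 plan and the single Storage Blob Data Owner role assignment are assumptions (identity-based storage access is not available on every plan, and triggers other than HTTP may need additional queue or table roles).

```hcl
# Added example, not from the page or the azurerm provider docs. Names, the CIDR
# range, the Key Vault URI and the plan SKU are constructed placeholders/assumptions.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

variable "aad_client_id" {
  type        = string
  description = "Client ID of the Azure AD app registration used for login (placeholder)"
}

resource "azurerm_resource_group" "example" {
  name     = "rg-func-hardened"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stfunchardened001" # placeholder; must be globally unique
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  min_tls_version          = "TLS1_2"
}

resource "azurerm_service_plan" "example" {
  name                = "asp-func-hardened"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "P1v3" # Dedicated plan assumed so identity-based storage access applies
}

resource "azurerm_linux_function_app" "example" {
  name                = "func-hardened-001" # placeholder
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Managed identity instead of storage_account_access_key: no storage key in the .tf file or state.
  storage_account_name          = azurerm_storage_account.example.name
  storage_uses_managed_identity = true

  https_only                  = true # defaults to false, which would also accept plain HTTP
  functions_extension_version = "~4"

  identity {
    type = "SystemAssigned"
  }

  site_config {
    minimum_tls_version     = "1.2"
    scm_minimum_tls_version = "1.2"
    ftps_state              = "Disabled"

    application_stack {
      python_version = "3.9"
    }

    # Exactly one of ip_address, service_tag or virtual_network_subnet_id per block.
    ip_restriction {
      name       = "allow-corporate-egress"
      action     = "Allow"
      priority   = 100
      ip_address = "203.0.113.0/24" # constructed documentation range
    }
    scm_use_main_ip_restriction = true # same allow-list protects the SCM (Kudu) site
  }

  # Unauthenticated callers are redirected to Azure AD before any function runs.
  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage"
    default_provider              = "AzureActiveDirectory"
    issuer                        = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/"

    active_directory {
      client_id                  = var.aad_client_id
      client_secret_setting_name = "AAD_CLIENT_SECRET" # rather than client_secret inline
    }
  }

  app_settings = {
    # Key Vault reference resolved at runtime by the system-assigned identity; vault name is a placeholder.
    AAD_CLIENT_SECRET = "@Microsoft.KeyVault(SecretUri=https://kv-placeholder.vault.azure.net/secrets/aad-client-secret/)"
  }
}

# Role the Functions host needs on its storage account once storage_uses_managed_identity is set.
resource "azurerm_role_assignment" "host_storage" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_linux_function_app.example.identity[0].principal_id
}
```

Run terraform init and terraform plan with a value for aad_client_id; the only secret-bearing value in the configuration is the Key Vault reference, and the identity that resolves it must be granted read access to that secret separately.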

Explanation in Terraform Registry

Manages a Linux Function App. Note: This Resource is coming in version 3.0 of the Azure Provider and is available as an opt-in Beta - more information can be found in the upcoming version 3.0 of the Azure Provider.

Tips: Best Practices for The Other Azure App Service (Web Apps) Resources

In addition to azurerm_app_service, Azure App Service (Web Apps) has other resources that should be configured with security in mind. Please check the following examples of those resources and their precautions.


azurerm_app_service

Ensure your App Service is accessible via HTTPS only

It is better to configure the App Service to be accessible via HTTPS only. By default, both HTTP and HTTPS are available.


azurerm_function_app

Enable authentication so that anonymous requests are not accepted

It is better to enable authentication to prevent anonymous requests and ensure all communications in the application are authenticated.

Review your Azure App Service (Web Apps) settings

In addition to the above, there are other security points you should be aware of. Make sure your .tf files are protected in Shisho Cloud.

Microsoft.Web/sites (Azure Resource Manager)

The sites in Microsoft.Web can be configured in Azure Resource Manager with the resource name Microsoft.Web/sites. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

template.json#L101
                "ResourceType": "Microsoft.Web/sites",
                "MetricName": "Http5xx",
                "Operator": "GreaterThanOrEqual",
                "Threshold": "50",
                "TimeWindow": "PT5M",
                "Aggregation": "Total"
tests.json#L30
          "resourceType": "Microsoft.Web/sites",
          "allOf": [
              {
                  "path": "kind",
                  "regex": "api$"
              },
v1.6_Export.json#L17
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('FunctionAppName')]",
      "location": "UK South",
      "kind": "functionapp",
      "properties": {
integration.json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "deploymentId": {
web4.json#L38
            "type": "Microsoft.Web/sites",
            "name": "[parameters('site_name')]",
            "apiVersion": "2016-08-01",
            "location": "[resourceGroup().location]",
            "scale": null,
            "properties": {
chapter4-azure-template.json#L45
            "type": "Microsoft.Web/sites",
            "apiVersion": "2018-11-01",
            "name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
            "location": "Central US",
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {

Parameters

  • apiVersion required - string
  • extendedLocation optional
      • name optional - string

        Name of extended location.

  • identity optional
      • type optional - string

        Type of managed service identity.

      • userAssignedIdentities optional - undefined

        The list of user assigned identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'

  • kind optional - string

    Kind of resource.

  • location required - string

    Resource Location.

  • name required - string

    Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.

  • properties required
      • clientAffinityEnabled optional - boolean

        true to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.

      • clientCertEnabled optional - boolean

        true to enable client certificate authentication (TLS mutual authentication); otherwise, false. Default is false.

      • clientCertExclusionPaths optional - string

        Comma-separated list of paths excluded from client certificate authentication.

      • clientCertMode optional - string

        This composes with ClientCertEnabled setting.

        • ClientCertEnabled: false means ClientCert is ignored.
        • ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
        • ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
      • cloningInfo optional
          • appSettingsOverrides optional - string

            Application setting overrides for cloned app. If specified, these settings override the settings cloned from source app. Otherwise, application settings from source app are retained.

          • cloneCustomHostNames optional - boolean

            true to clone custom hostnames from source app; otherwise, false.

          • cloneSourceControl optional - boolean

            true to clone source control from source app; otherwise, false.

          • configureLoadBalancing optional - boolean

            true to configure load balancing for source and destination app.

          • correlationId optional - string

            Correlation ID of cloning operation. This ID ties multiple cloning operations together to use the same snapshot.

          • hostingEnvironment optional - string

            App Service Environment.

          • overwrite optional - boolean

            true to overwrite destination app; otherwise, false.

          • sourceWebAppId required - string

            ARM resource ID of the source app. App resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.

          • sourceWebAppLocation optional - string

            Location of the source app, e.g. West US or North Europe.

          • trafficManagerProfileId optional - string

            ARM resource ID of the Traffic Manager profile to use, if it exists. Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.

          • trafficManagerProfileName optional - string

            Name of Traffic Manager profile to create. This is only needed if Traffic Manager profile does not already exist.

      • containerSize optional - integer

        Size of the function container.

      • customDomainVerificationId optional - string

        Unique identifier that verifies the custom domains assigned to the app. Customer will add this id to a txt record for verification.

      • dailyMemoryTimeQuota optional - integer

        Maximum allowed daily memory-time quota (applicable on dynamic apps only).

      • enabled optional - boolean

        true if the app is enabled; otherwise, false. Setting this value to false disables the app (takes the app offline).

      • hostingEnvironmentProfile optional
          • id optional - string

            Resource ID of the App Service Environment.

      • hostNamesDisabled optional - boolean

        true to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via API management process.

      • hostNameSslStates optional array
          • hostType optional - string

            Indicates whether the hostname is a standard or repository hostname.

          • name optional - string

            Hostname.

          • sslState optional - string

            SSL type.

          • thumbprint optional - string

            SSL certificate thumbprint.

          • toUpdate optional - boolean

            Set to true to update existing hostname.

          • virtualIP optional - string

            Virtual IP address assigned to the hostname if IP based SSL is enabled.

      • httpsOnly optional - boolean

        HttpsOnly: configures the site to accept only HTTPS requests; HTTP requests are redirected.

      • hyperV optional - boolean

        Hyper-V sandbox.

      • isXenon optional - boolean

        Obsolete: Hyper-V sandbox.

      • keyVaultReferenceIdentity optional - string

        Identity to use for Key Vault Reference authentication.

      • redundancyMode optional - string

        Site redundancy mode.

      • reserved optional - boolean

        true if reserved; otherwise, false.

      • scmSiteAlsoStopped optional - boolean

        true to stop the SCM (Kudu) site when the app is stopped; otherwise, false. The default is false.

      • serverFarmId optional - string

        Resource ID of the associated App Service plan, formatted as: "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".

      • siteConfig optional
          • acrUseManagedIdentityCreds optional - boolean

            Flag to use Managed Identity credentials for ACR pull.

          • acrUserManagedIdentityID optional - string

            If using a user-assigned managed identity, the ClientId of that identity.

          • alwaysOn optional - boolean

            true if Always On is enabled; otherwise, false.

          • apiDefinition optional
              • url optional - string

                The URL of the API definition.

          • apiManagementConfig optional
              • id optional - string

                APIM-Api Identifier.

          • appCommandLine optional - string

            App command line to launch.

          • appSettings optional array
              • name optional - string

                Pair name.

              • value optional - string

                Pair value.

          • autoHealEnabled optional - boolean

            true if Auto Heal is enabled; otherwise, false.

          • autoHealRules optional
              • actions optional
                  • actionType optional - string

                    Predefined action to be taken.

                  • customAction optional
                      • exe optional - string

                        Executable to be run.

                      • parameters optional - string

                        Parameters for the executable.

                  • minProcessExecutionTime optional - string

                    Minimum time the process must have been executing before the action is taken.

              • triggers optional
                  • privateBytesInKB optional - integer

                    A rule based on private bytes.

                  • requests optional
                      • count optional - integer

                        Request Count.

                      • timeInterval optional - string

                        Time interval.

                  • slowRequests optional
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • slowRequestsWithPath optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • statusCodes optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • status optional - integer

                        HTTP status code.

                      • subStatus optional - integer

                        Request Sub Status.

                      • timeInterval optional - string

                        Time interval.

                      • win32Status optional - integer

                        Win32 error code.

                  • statusCodesRange optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • statusCodes optional - string

                        HTTP status code range.

                      • timeInterval optional - string

                        Time interval.

          • autoSwapSlotName optional - string

            Auto-swap slot name.

          • azureStorageAccounts optional

            List of Azure Storage Accounts.

          • connectionStrings optional array
              • connectionString optional - string

                Connection string value.

              • name optional - string

                Name of connection string.

              • type optional - string

                Type of database.

          • cors optional
          • defaultDocuments optional - array

            Default documents.

          • detailedErrorLoggingEnabled optional - boolean

            true if detailed error logging is enabled; otherwise, false.

          • documentRoot optional - string

            Document root.

          • experiments optional
              • rampUpRules optional array
                  • actionHostName optional - string

                    Hostname of the slot to which traffic will be redirected if the rule decides to do so, e.g. myapp-stage.azurewebsites.net.

                  • changeDecisionCallbackUrl optional - string

                    A custom decision algorithm can be provided by the TiPCallback site extension; this property holds its URL. See the TiPCallback site extension for the scaffold and contracts: https://www.siteextensions.net/packages/TiPCallback/

                  • changeIntervalInMinutes optional - integer

                    Specifies interval in minutes to reevaluate ReroutePercentage.

                  • changeStep optional - number

                    In the auto ramp-up scenario, this is the step added to or removed from ReroutePercentage until it reaches MinReroutePercentage or MaxReroutePercentage. Site metrics are checked every N minutes as specified in ChangeIntervalInMinutes. A custom decision algorithm can be provided by the TiPCallback site extension, whose URL is specified in ChangeDecisionCallbackUrl.

                  • maxReroutePercentage optional - number

                    Specifies upper boundary below which ReroutePercentage will stay.

                  • minReroutePercentage optional - number

                    Specifies lower boundary above which ReroutePercentage will stay.

                  • name optional - string

                    Name of the routing rule. The recommended name would be to point to the slot which will receive the traffic in the experiment.

                  • reroutePercentage optional - number

                    Percentage of the traffic which will be redirected to <code>ActionHostName</code>.

          • ftpsState optional - string

            State of FTP / FTPS service.

          • functionAppScaleLimit optional - integer

            Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium plans.

          • functionsRuntimeScaleMonitoringEnabled optional - boolean

            Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call to the runtime to get scale status.

          • handlerMappings optional array
              • arguments optional - string

                Command-line arguments to be passed to the script processor.

              • extension optional - string

                Requests with this extension will be handled using the specified FastCGI application.

              • scriptProcessor optional - string

                The absolute path to the FastCGI application.

          • healthCheckPath optional - string

            Health check path

          • http20Enabled optional - boolean

            Configures the site to allow clients to connect over HTTP/2.0.

          • httpLoggingEnabled optional - boolean

            true if HTTP logging is enabled; otherwise, false.

          • ipSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - array

                IP restriction rule headers. The matching logic for each supported header is as follows.

                X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples):
                • If the property is null or empty (default), all hosts (or the lack of one) are allowed.
                • A value is compared using ordinal-ignore-case (excluding port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
                • Unicode host names are allowed but are converted to Punycode for matching.

                X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples):
                • If the property is null or empty (default), any forwarded-for chain (or the lack of one) is allowed.
                • The rule matches if any address (excluding port number) in the comma-separated chain falls within the CIDR defined by the property.

                X-Azure-FDID and X-FD-HealthProbe: the matching logic is exact match.

              • ipAddress optional - string

                IP address the security restriction is valid for. It can be either a pure IPv4 address (in which case the SubnetMask property is required) or CIDR notation such as ipv4/mask (leading-bit match). For CIDR, the SubnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network resource id

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag

          • javaContainer optional - string

            Java container.

          • javaContainerVersion optional - string

            Java container version.

          • javaVersion optional - string

            Java version.

          • keyVaultReferenceIdentity optional - string

            Identity to use for Key Vault Reference authentication.

          • limits optional
              • maxDiskSizeInMb optional - integer

                Maximum allowed disk size usage in MB.

              • maxMemoryInMb optional - integer

                Maximum allowed memory usage in MB.

              • maxPercentageCpu optional - number

                Maximum allowed CPU usage percentage.

          • linuxFxVersion optional - string

            Linux App Framework and version

          • loadBalancing optional - string

            Site load balancing.

          • localMySqlEnabled optional - boolean

            true to enable local MySQL; otherwise, false.

          • logsDirectorySizeLimit optional - integer

            HTTP logs directory size limit.

          • managedPipelineMode optional - string

            Managed pipeline mode.

          • managedServiceIdentityId optional - integer

            Managed Service Identity Id

          • minimumElasticInstanceCount optional - integer

            Minimum instance count for a site. This setting only applies to Elastic plans.

          • minTlsVersion optional - string

            Configures the minimum version of TLS required for SSL requests.

          • netFrameworkVersion optional - string

            .NET Framework version.

          • nodeVersion optional - string

            Version of Node.js.

          • numberOfWorkers optional - integer

            Number of workers.

          • phpVersion optional - string

            Version of PHP.

          • powerShellVersion optional - string

            Version of PowerShell.

          • preWarmedInstanceCount optional - integer

            Number of pre-warmed instances. This setting only applies to the Consumption and Elastic plans.

          • publicNetworkAccess optional - string

            Property to allow or block all public traffic.

          • publishingUsername optional - string

            Publishing user name.

          • push optional
              • kind optional - string

                Kind of resource.

              • properties optional
                  • dynamicTagsJson optional - string

                    Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.

                  • isPushEnabled required - boolean

                    Gets or sets a flag indicating whether the Push endpoint is enabled.

                  • tagsRequiringAuth optional - string

                    Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.

                  • tagWhitelistJson optional - string

                    Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.

          • pythonVersion optional - string

            Version of Python.

          • remoteDebuggingEnabled optional - boolean

            true if remote debugging is enabled; otherwise, false.

          • remoteDebuggingVersion optional - string

            Remote debugging version.

          • requestTracingEnabled optional - boolean

            true if request tracing is enabled; otherwise, false.

          • requestTracingExpirationTime optional - string

            Request tracing expiration time.

          • scmIpSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - array

                IP restriction rule headers. The matching logic for each supported header is as follows.

                X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples):
                • If the property is null or empty (default), all hosts (or the lack of one) are allowed.
                • A value is compared using ordinal-ignore-case (excluding port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
                • Unicode host names are allowed but are converted to Punycode for matching.

                X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples):
                • If the property is null or empty (default), any forwarded-for chain (or the lack of one) is allowed.
                • The rule matches if any address (excluding port number) in the comma-separated chain falls within the CIDR defined by the property.

                X-Azure-FDID and X-FD-HealthProbe: the matching logic is exact match.

              • ipAddress optional - string

                IP address the security restriction is valid for. It can be either a pure IPv4 address (in which case the SubnetMask property is required) or CIDR notation such as ipv4/mask (leading-bit match). For CIDR, the SubnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network resource id

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag

          • scmIpSecurityRestrictionsUseMain optional - boolean

            Whether the SCM site reuses the main site's IP security restrictions.

          • scmMinTlsVersion optional - string

            Configures the minimum version of TLS required for SSL requests to the SCM site.

          • scmType optional - string

            SCM type.

          • tracingOptions optional - string

            Tracing options.

          • use32BitWorkerProcess optional - boolean

            true to use a 32-bit worker process; otherwise, false.

          • virtualApplications optional array
              • physicalPath optional - string

                Physical path.

              • preloadEnabled optional - boolean

                true if preloading is enabled; otherwise, false.

              • virtualDirectories optional array
                  • physicalPath optional - string

                    Physical path.

                  • virtualPath optional - string

                    Path to virtual application.

              • virtualPath optional - string

                Virtual path.

          • vnetName optional - string

            Virtual Network name.

          • vnetPrivatePortsCount optional - integer

            The number of private ports assigned to this app. These will be assigned dynamically on runtime.

          • vnetRouteAllEnabled optional - boolean

            Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.

          • websiteTimeZone optional - string

            Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values https://www.iana.org/time-zones (for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

          • webSocketsEnabled optional - boolean

            true if WebSocket is enabled; otherwise, false.

          • windowsFxVersion optional - string

            Xenon App Framework and version

          • xManagedServiceIdentityId optional - integer

            Explicit Managed Service Identity Id

      • storageAccountRequired optional - boolean

        Whether a customer-provided storage account is required.

      • virtualNetworkSubnetId optional - string

        Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}

  • tags optional - string

    Resource tags.

  • type required - string
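
The header-matching logic described above for the headers property of ipSecurityRestrictions and scmIpSecurityRestrictions, implemented as an added Python example (not Azure's own code) so that a rule can be checked against sample request headers before it is deployed. Assumptions not stated on the page: every configured header condition must match for the rule to apply, an unbracketed value with more than one colon is a bare IPv6 hop, and the FDID value in the tests is a constructed placeholder.

```python
import ipaddress

def _strip_port(value: str) -> str:
    """Drop a trailing :port; bracketed or bare IPv6 literals stay intact (assumption)."""
    v = value.strip()
    if v.startswith("["):
        return v[1:].split("]")[0]
    return v if v.count(":") > 1 else v.split(":")[0]

def _canonical_host(host: str) -> str:
    """Unicode names become Punycode; comparison is ordinal-ignore-case."""
    h = _strip_port(host).rstrip(".")
    try:
        h = h.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # unencodable label: fall back to the raw text
    return h.lower()

def forwarded_host_matches(allowed: list, value: str) -> bool:
    """X-Forwarded-Host: empty list allows all; '*.contoso.com' matches one label only."""
    if not allowed:
        return True
    host = _canonical_host(value)
    for pattern in allowed:
        pat = _canonical_host(pattern)
        if pat.startswith("*."):
            suffix = pat[1:]  # ".contoso.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:  # foo.contoso.com yes; contoso.com, a.b.contoso.com no
                return True
        elif host == pat:
            return True
    return False

def forwarded_for_matches(allowed_cidrs: list, value: str) -> bool:
    """X-Forwarded-For: empty list allows any chain; any hop inside a configured CIDR matches."""
    if not allowed_cidrs:
        return True
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    for hop in value.split(","):
        try:
            addr = ipaddress.ip_address(_strip_port(hop))
        except ValueError:
            continue  # malformed or empty hop never matches
        if any(addr in n for n in nets):
            return True
    return False

def exact_header_matches(allowed: list, value: str) -> bool:
    """X-Azure-FDID and X-FD-HealthProbe: exact match only."""
    return True if not allowed else value in allowed

_CHECKS = {"x-forwarded-host": forwarded_host_matches, "x-forwarded-for": forwarded_for_matches,
           "x-azure-fdid": exact_header_matches, "x-fd-healthprobe": exact_header_matches}

def rule_headers_match(rule_headers: dict, request: dict) -> bool:
    """Evaluate one rule's headers block; assumes every configured condition must match."""
    req = {k.lower(): v for k, v in request.items()}
    for name, allowed in rule_headers.items():
        check = _CHECKS.get(name.lower())
        if check is None or not check(allowed, req.get(name.lower(), "")):
            return False
    return True
```

A rule whose X-Forwarded-Host list is empty accepts any Host value, so pairing it with an X-Azure-FDID condition is what actually pins traffic to a Front Door profile.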

Frequently asked questions

What is Azure App Service (Web Apps) Function App?

Azure App Service (Web Apps) Function App is a resource for App Service (Web Apps) of Microsoft Azure. Settings can be written in Terraform.