Azure App Service (Web Apps) Web App
This page shows how to write Terraform and Azure Resource Manager for App Service (Web Apps) Web App and write them securely.
azurerm_linux_web_app (Terraform)
The Web App in App Service (Web Apps) can be configured in Terraform with the resource name azurerm_linux_web_app. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
The following arguments are supported:
location
- (Required) The Azure Region where the Linux Web App should exist. Changing this forces a new Linux Web App to be created.
name
- (Required) The name which should be used for this Linux Web App. Changing this forces a new Linux Web App to be created.
NOTE: Terraform will perform a name availability check as part of the creation process. If this Web App is part of an App Service Environment, Terraform will require Read permission on the ASE for this to complete reliably.
resource_group_name
- (Required) The name of the Resource Group where the Linux Web App should exist. Changing this forces a new Linux Web App to be created.
service_plan_id
- (Required) The ID of the Service Plan that this Linux App Service will be created in.
site_config
- (Required) A site_config block as defined below.
app_settings
- (Optional) A map of key-value pairs of App Settings.
auth_settings
- (Optional) An auth_settings block as defined below.
backup
- (Optional) A backup block as defined below.
client_affinity_enabled
- (Optional) Should Client Affinity be enabled?
client_cert_enabled
- (Optional) Should Client Certificates be enabled?
client_cert_mode
- (Optional) The Client Certificate mode. Possible values include Optional and Required. This property has no effect when client_cert_enabled is false.
connection_string
- (Optional) One or more connection_string blocks as defined below.
enabled
- (Optional) Should the Linux Web App be enabled? Defaults to true.
https_only
- (Optional) Should the Linux Web App require HTTPS connections.
identity
- (Optional) An identity block as defined below.
logs
- (Optional) A logs block as defined below.
storage_account
- (Optional) One or more storage_account blocks as defined below.
tags
- (Optional) A mapping of tags which should be assigned to the Linux Web App.
An action block supports the following:
action_type
- (Required) Predefined action to be taken to an Auto Heal trigger. Possible values include: Recycle.
minimum_process_execution_time
- (Optional) The minimum amount of time in hh:mm:ss the Linux Web App must have been running before the defined action will be run in the event of a trigger.
An active_directory block supports the following:
client_id
- (Required) The ID of the Client to use to authenticate with Azure Active Directory.
allowed_audiences
- (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
Note: The client_id value is always considered an allowed audience.
client_secret
- (Optional) The Client Secret for the Client ID. Cannot be used with client_secret_setting_name.
client_secret_setting_name
- (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with client_secret.
An application_logs block supports the following:
azure_blob_storage
- (Optional) An azure_blob_storage block as defined below.
file_system_level
- (Optional) Log level. Possible values include: Verbose, Information, Warning, and Error.
An application_stack block supports the following:
docker_image
- (Optional) The Docker image reference, including repository host as needed.
docker_image_tag
- (Optional) The image Tag to use. e.g. latest
dotnet_version
- (Optional) The version of .Net to use. Possible values include 2.1, 3.1, and 5.0.
java_server
- (Optional) The java server type. Possible values include JAVA, TOMCAT, and JBOSSEAP.
NOTE: JBOSSEAP requires a Premium Service Plan SKU to be a valid option.
java_server_version
- (Optional) The Version of the java_server to use.
java_version
- (Optional) The Version of Java to use. Supported versions of Java vary depending on the java_server and java_server_version, as well as security and fixes to major versions. Please see Azure documentation for the latest information.
NOTE: The valid version combinations for java_version, java_server and java_server_version can be checked from command line via az webapp list-runtimes --linux.
node_version
- (Optional) The version of Node to run. Possible values include 10.1, 10.6, 10.4, 10-lts, 12-lts, and 14-lts. This property conflicts with java_version.
NOTE: 10.x versions have been / are being deprecated so may cease to work for new resources in future and may be removed from the provider.
php_version
- (Optional) The version of PHP to run. Possible values include 5.6, 7.2, 7.3, and 7.4.
NOTE: versions 5.6 and 7.2 are deprecated and will be removed from the provider in a future version.
python_version
- (Optional) The version of Python to run. Possible values include 2.7, 3.6, 3.7, and 3.8.
ruby_version
- (Optional) The version of Ruby to run. Possible values include 2.5 and 2.6.
An auth_settings block supports the following:
enabled
- (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?
active_directory
- (Optional) An active_directory block as defined above.
additional_login_params
- (Optional) Specifies a map of Login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.
allowed_external_redirect_urls
- (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.
default_provider
- (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: BuiltInAuthenticationProviderAzureActiveDirectory, BuiltInAuthenticationProviderFacebook, BuiltInAuthenticationProviderGoogle, BuiltInAuthenticationProviderMicrosoftAccount, BuiltInAuthenticationProviderTwitter, BuiltInAuthenticationProviderGithub.
NOTE: This setting is only needed if multiple providers are configured, and the unauthenticated_client_action is set to "RedirectToLoginPage".
facebook
- (Optional) A facebook block as defined below.
github
- (Optional) A github block as defined below.
google
- (Optional) A google block as defined below.
issuer
- (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Linux Web App.
NOTE: When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/[tenant-guid]/.
microsoft
- (Optional) A microsoft block as defined below.
runtime_version
- (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.
token_refresh_extension_hours
- (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.
token_store_enabled
- (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.
twitter
- (Optional) A twitter block as defined below.
unauthenticated_client_action
- (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: RedirectToLoginPage, AllowAnonymous.
An auto_heal_setting block supports the following:
action
- (Optional) An action block as defined above.
trigger
- (Optional) A trigger block as defined below.
An azure_blob_storage block supports the following:
retention_in_days
- (Required) The time in days after which to remove blobs. A value of 0 means no retention.
sas_url
- (Required) SAS url to an Azure blob container with read/write/list/delete permissions.
A backup block supports the following:
name
- (Required) The name which should be used for this Backup.
schedule
- (Required) A schedule block as defined below.
storage_account_url
- (Required) The SAS URL to the container.
enabled
- (Optional) Should this backup job be enabled?
A connection_string block supports the following:
type
- (Required) Type of database. Possible values include: MySQL, SQLServer, SQLAzure, Custom, NotificationHub, ServiceBus, EventHub, APIHub, DocDb, RedisCache, and PostgreSQL.
value
- (Required) The connection string value.
A cors block supports the following:
allowed_origins
- (Required) Specifies a list of origins that should be allowed to make cross-origin calls.
support_credentials
- (Optional) Whether CORS requests with credentials are allowed. Defaults to false.
A facebook block supports the following:
app_id
- (Required) The App ID of the Facebook app used for login.
app_secret
- (Optional) The App Secret of the Facebook app used for Facebook Login. Cannot be specified with app_secret_setting_name.
app_secret_setting_name
- (Optional) The app setting name that contains the app_secret value used for Facebook Login. Cannot be specified with app_secret.
oauth_scopes
- (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook Login authentication.
A file_system block supports the following:
retention_in_days
- (Required) The retention period in days. A value of 0 means no retention.
retention_in_mb
- (Required) The maximum size in megabytes that log files can use.
A github block supports the following:
client_id
- (Required) The ID of the GitHub app used for login.
client_secret
- (Optional) The Client Secret of the GitHub app used for GitHub Login. Cannot be specified with client_secret_setting_name.
client_secret_setting_name
- (Optional) The app setting name that contains the client_secret value used for GitHub Login. Cannot be specified with client_secret.
oauth_scopes
- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub Login authentication.
A google block supports the following:
client_id
- (Required) The OpenID Connect Client ID for the Google web application.
client_secret
- (Optional) The client secret associated with the Google web application. Cannot be specified with client_secret_setting_name.
client_secret_setting_name
- (Optional) The app setting name that contains the client_secret value used for Google Login. Cannot be specified with client_secret.
oauth_scopes
- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, "openid", "profile", and "email" are used as default scopes.
A headers block supports the following:
NOTE: Please see the official Azure Documentation for details on using header filtering.
x_azure_fdid
- (Optional) Specifies a list of Azure Front Door IDs.
x_fd_health_probe
- (Optional) Specifies if a Front Door Health Probe should be expected.
x_forwarded_for
- (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.
x_forwarded_host
- (Optional) Specifies a list of Hosts for which matching should be applied.
An http_logs block supports the following:
azure_blob_storage
- (Optional) An azure_blob_storage block as defined above.
file_system
- (Optional) A file_system block as defined above.
An identity block supports the following:
type
- (Required) The type of managed service identity. Possible values include: SystemAssigned, UserAssigned, and SystemAssigned, UserAssigned.
identity_ids
- (Optional) Specifies a list of Identity IDs.
An ip_restriction block supports the following:
action
- (Optional) The action to take. Possible values are Allow or Deny.
headers
- (Optional) A headers block as defined above.
ip_address
- (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
name
- (Optional) The name which should be used for this ip_restriction.
priority
- (Optional) The priority value of this ip_restriction.
service_tag
- (Optional) The Service Tag used for this IP Restriction.
virtual_network_subnet_id
- (Optional) The Virtual Network Subnet ID used for this IP Restriction.
NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.
A logs block supports the following:
application_logs
- (Optional) An application_logs block as defined above.
detailed_error_messages
- (Optional) Should detailed error messages be enabled.
failed_request_tracing
- (Optional) Should failed request tracing be enabled.
http_logs
- (Optional) An http_logs block as defined above.
A microsoft block supports the following:
client_id
- (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
client_secret
- (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret_setting_name.
client_secret_setting_name
- (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret.
oauth_scopes
- (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, "wl.basic" is used as the default scope.
A requests block supports the following:
count
- (Required) The number of requests in the specified interval to trigger this rule.
interval
- (Required) The interval in hh:mm:ss.
A schedule block supports the following:
frequency_interval
- (Required) How often the backup should be executed (e.g. for weekly backup, this should be set to 7 and frequency_unit should be set to Day).
NOTE: Not all intervals are supported on all Linux Web App SKUs. Please refer to the official documentation for appropriate values.
frequency_unit
- (Required) The unit of time for how often the backup should take place. Possible values include: Day, Hour
keep_at_least_one_backup
- (Optional) Should the service keep at least one backup, regardless of age of backup. Defaults to false.
retention_period_days
- (Optional) After how many days backups should be deleted.
start_time
- (Optional) When the schedule should start working in RFC-3339 format.
An scm_ip_restriction block supports the following:
action
- (Optional) The action to take. Possible values are Allow or Deny.
headers
- (Optional) A headers block as defined above.
ip_address
- (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
name
- (Optional) The name which should be used for this ip_restriction.
priority
- (Optional) The priority value of this ip_restriction.
service_tag
- (Optional) The Service Tag used for this IP Restriction.
virtual_network_subnet_id
- (Optional) The Virtual Network Subnet ID used for this IP Restriction.
NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.
A site_config block supports the following:
always_on
- (Optional) If this Linux Web App is Always On enabled. Defaults to false.
api_management_config_id
- (Optional) The ID of the APIM configuration for this Linux Web App.
app_command_line
- (Optional) The App command line to launch.
application_stack
- (Optional) An application_stack block as defined above.
auto_heal
- (Optional) Should Auto heal rules be enabled. Required with auto_heal_setting.
auto_heal_setting
- (Optional) An auto_heal_setting block as defined above. Required with auto_heal.
auto_swap_slot_name
- (Optional) The Linux Web App Slot Name to automatically swap to when deployment to that slot is successfully completed.
container_registry_managed_identity_client_id
- (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.
container_registry_use_managed_identity
- (Optional) Should connections for Azure Container Registry use Managed Identity.
cors
- (Optional) A cors block as defined above.
default_documents
- (Optional) Specifies a list of Default Documents for the Linux Web App.
ftps_state
- (Optional) The State of FTP / FTPS service. Possible values include: AllAllowed, FtpsOnly, Disabled.
NOTE: Azure defaults this value to AllAllowed, however, in the interests of security Terraform will default this to Disabled to ensure the user makes a conscious choice to enable it.
health_check_path
- (Optional) The path to the Health Check.
health_check_eviction_time_in_min
- (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with health_check_path.
http2_enabled
- (Optional) Should HTTP2 be enabled?
ip_restriction
- (Optional) One or more ip_restriction blocks as defined above.
load_balancing_mode
- (Optional) The Site load balancing. Possible values include: WeightedRoundRobin, LeastRequests, LeastResponseTime, WeightedTotalTraffic, RequestHash, PerSiteRoundRobin. Defaults to LeastRequests if omitted.
local_mysql
- (Optional) Use Local MySQL. Defaults to false.
managed_pipeline_mode
- (Optional) Managed pipeline mode. Possible values include: Integrated, Classic.
minimum_tls_version
- (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
number_of_workers
- (Optional) The number of Workers for this Linux App Service.
remote_debugging
- (Optional) Should Remote Debugging be enabled. Defaults to false.
remote_debugging_version
- (Optional) The Remote Debugging Version. Possible values include VS2017 and VS2019
scm_ip_restriction
- (Optional) One or more scm_ip_restriction blocks as defined above.
scm_minimum_tls_version
- (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
scm_use_main_ip_restriction
- (Optional) Should the Linux Web App ip_restriction configuration be used for the SCM also.
use_32_bit_worker
- (Optional) Should the Linux Web App use a 32-bit worker. Defaults to true.
websockets
- (Optional) Should Web Sockets be enabled. Defaults to false.
A slow_request block supports the following:
count
- (Required) The number of Slow Requests in the time interval to trigger this rule.
interval
- (Required) The time interval in the form hh:mm:ss.
time_taken
- (Required) The threshold of time passed to qualify as a Slow Request in hh:mm:ss.
path
- (Optional) The path for which this slow request rule applies.
A status_code block supports the following:
count
- (Required) The number of occurrences of the defined status_code in the specified interval on which to trigger this rule.
interval
- (Required) The time interval in the form hh:mm:ss.
status_code_range
- (Required) The status code for this rule, accepts single status codes and status code ranges. e.g. 500 or 400-499. Possible values are integers between 101 and 599
path
- (Optional) The path to which this rule status code applies.
sub_status
- (Optional) The Request Sub Status of the Status Code.
win32_status
- (Optional) The Win32 Status Code of the Request.
A storage_account block supports the following:
access_key
- (Required) The Access key for the storage account.
account_name
- (Required) The Name of the Storage Account.
name
- (Required) The name which should be used for this Storage Account.
share_name
- (Required) The Name of the File Share or Container Name for Blob storage.
type
- (Required) The Azure Storage Type. Possible values include AzureFiles and AzureBlob
mount_path
- (Optional) The path at which to mount the storage share.
A trigger block supports the following:
requests
- (Optional) A requests block as defined above.
slow_request
- (Optional) One or more slow_request blocks as defined above.
status_code
- (Optional) One or more status_code blocks as defined above.
A twitter block supports the following:
consumer_key
- (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.
consumer_secret
- (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret_setting_name.
consumer_secret_setting_name
- (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret.
In addition to the Arguments listed above, the following Attributes are exported:
id
- The ID of the Linux Web App.
app_metadata
- An app_metadata block as defined below.
custom_domain_verification_id
- The identifier used by App Service to perform domain ownership verification via DNS TXT record.
default_hostname
- The default hostname of the Linux Web App.
kind
- The Kind value for this Linux Web App.
outbound_ip_address_list
- A list of outbound IP addresses - such as ["52.23.25.3", "52.143.43.12"]
outbound_ip_addresses
- A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12.
possible_outbound_ip_address_list
- A possible_outbound_ip_address_list block as defined below.
possible_outbound_ip_addresses
- A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12,52.143.43.17 - not all of which are necessarily in use. Superset of outbound_ip_addresses.
site_credential
- A site_credential block as defined below.
identity
- An identity block as defined below, which contains the Managed Service Identity information for this App Service.
An identity block exports the following:
principal_id
- The Principal ID for the Service Principal associated with the Managed Service Identity of this App Service.
tenant_id
- The Tenant ID for the Service Principal associated with the Managed Service Identity of this App Service.
NOTE: You can access the Principal ID via azurerm_linux_web_app.example.identity.0.principal_id and the Tenant ID via azurerm_linux_web_app.example.identity.0.tenant_id
A site_credential block exports the following:
name
- The Site Credentials Username used for publishing.
password
- The Site Credentials Password used for publishing.
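The arguments above combined into one hardened configuration, as an added example that is not taken from GitHub or the Terraform Registry: HTTPS only, FTP/FTPS disabled, TLS 1.2 on both the app and SCM sites, Azure AD sign-in with the client secret read from an app setting instead of being written inline, and ingress limited to a single Azure Front Door. The resource group, the azurerm_service_plan resource, all names, the region, the AzureFrontDoor.Backend service tag, the Key Vault reference and the variables are assumptions made for illustration.

```hcl
# Added example. Every name, the region and all variable values are
# placeholders chosen for illustration.
provider "azurerm" {
  features {}
}

variable "tenant_id" { type = string }     # Azure AD tenant GUID (placeholder)
variable "aad_client_id" { type = string } # App registration client ID (placeholder)
variable "front_door_id" { type = string } # Front Door ID sent in X-Azure-FDID (placeholder)
variable "aad_client_secret_uri" {         # Key Vault secret URI (placeholder)
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-rg"
  location = "West Europe"
}

resource "azurerm_service_plan" "example" {
  name                = "example-plan"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Linux"
  sku_name            = "P1v2"
}

resource "azurerm_linux_web_app" "example" {
  name                = "example-linux-web-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Refuse plain HTTP.
  https_only = true

  # Managed identity, used here to resolve the Key Vault reference below.
  # Granting it read access to the secret is outside this example.
  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    # The secret value never appears in this file; only a reference does.
    "AAD_CLIENT_SECRET" = "@Microsoft.KeyVault(SecretUri=${var.aad_client_secret_uri})"
  }

  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage" # not AllowAnonymous
    issuer                        = "https://sts.windows.net/${var.tenant_id}/"

    active_directory {
      client_id                  = var.aad_client_id
      client_secret_setting_name = "AAD_CLIENT_SECRET" # instead of client_secret
    }
  }

  site_config {
    ftps_state                  = "Disabled" # set explicitly rather than relying on a default
    minimum_tls_version         = "1.2"
    scm_minimum_tls_version     = "1.2"
    remote_debugging            = false
    scm_use_main_ip_restriction = true # SCM site gets the same ingress rules

    application_stack {
      python_version = "3.8"
    }

    # Exactly one of ip_address, service_tag or virtual_network_subnet_id.
    ip_restriction {
      name        = "allow-front-door"
      priority    = 100
      action      = "Allow"
      service_tag = "AzureFrontDoor.Backend"

      headers {
        x_azure_fdid = [var.front_door_id]
      }
    }

    cors {
      allowed_origins     = ["https://app.example.com"]
      support_credentials = false
    }
  }

  logs {
    detailed_error_messages = false
    failed_request_tracing  = false

    http_logs {
      file_system {
        retention_in_days = 7
        retention_in_mb   = 35
      }
    }
  }
}
```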
Explanation in Terraform Registry
Manages a Linux Web App.
Note: This Resource is coming in version 3.0 of the Azure Provider and is available as an opt-in Beta. More information can be found in the upcoming version 3.0 of the Azure Provider.
Tips: Best Practices for The Other Azure App Service (Web Apps) Resources
In addition to azurerm_app_service, Azure App Service (Web Apps) has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
azurerm_app_service
Ensure your App Service is accessible via HTTPS only
It is better to configure the App Service to be accessible via HTTPS only. By default, both HTTP and HTTPS are available.
azurerm_function_app
Ensure authentication is enabled to prevent anonymous requests being accepted
It is better to enable authentication to prevent anonymous requests and ensure all communications in the application are authenticated.
Microsoft.Web/sites (Azure Resource Manager)
The sites in Microsoft.Web can be configured in Azure Resource Manager with the resource name Microsoft.Web/sites. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"ResourceType": "Microsoft.Web/sites",
"MetricName": "Http5xx",
"Operator": "GreaterThanOrEqual",
"Threshold": "50",
"TimeWindow": "PT5M",
"Aggregation": "Total"
"resourceType": "Microsoft.Web/sites",
"allOf": [
{
"path": "kind",
"regex": "api$"
},
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('FunctionAppName')]",
"location": "UK South",
"kind": "functionapp",
"properties": {
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"deploymentId": {
"type": "Microsoft.Web/sites",
"name": "[parameters('site_name')]",
"apiVersion": "2016-08-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
"location": "Central US",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"infrastructure": {
Parameters
apiVersion
required - string
extendedLocation
optional
name
optional - string - Name of extended location.
identity
optional
type
optional - string - Type of managed service identity.
userAssignedIdentities
optional - undefined - The list of user assigned identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}
kind
optional - string - Kind of resource.
location
required - string - Resource Location.
name
required - string - Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.
properties
required
clientAffinityEnabled
optional - boolean - true to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.
clientCertEnabled
optional - boolean - true to enable client certificate authentication (TLS mutual authentication); otherwise, false. Default is false.
clientCertExclusionPaths
optional - string - client certificate authentication comma-separated exclusion paths
clientCertMode
optional - string - This composes with ClientCertEnabled setting.
- ClientCertEnabled: false means ClientCert is ignored.
- ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
- ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
cloningInfo
optional
appSettingsOverrides
optional - string - Application setting overrides for cloned app. If specified, these settings override the settings cloned from source app. Otherwise, application settings from source app are retained.
cloneCustomHostNames
optional - boolean - true to clone custom hostnames from source app; otherwise, false.
cloneSourceControl
optional - boolean - true to clone source control from source app; otherwise, false.
configureLoadBalancing
optional - boolean - true to configure load balancing for source and destination app.
correlationId
optional - string - Correlation ID of cloning operation. This ID ties multiple cloning operations together to use the same snapshot.
hostingEnvironment
optional - string - App Service Environment.
overwrite
optional - boolean - true to overwrite destination app; otherwise, false.
sourceWebAppId
required - string - ARM resource ID of the source app. App resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.
sourceWebAppLocation
optional - string - Location of source app ex: West US or North Europe
trafficManagerProfileId
optional - string - ARM resource ID of the Traffic Manager profile to use, if it exists. Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.
trafficManagerProfileName
optional - string - Name of Traffic Manager profile to create. This is only needed if Traffic Manager profile does not already exist.
containerSize
optional - integer - Size of the function container.
customDomainVerificationId
optional - string - Unique identifier that verifies the custom domains assigned to the app. Customer will add this id to a txt record for verification.
dailyMemoryTimeQuota
optional - integer - Maximum allowed daily memory-time quota (applicable on dynamic apps only).
enabled
optional - boolean - true if the app is enabled; otherwise, false. Setting this value to false disables the app (takes the app offline).
hostingEnvironmentProfile
optional
id
optional - string - Resource ID of the App Service Environment.
hostNamesDisabled
optional - boolean - true to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via API management process.
hostNameSslStates
optional array
hostType
optional - string - Indicates whether the hostname is a standard or repository hostname.
name
optional - string - Hostname.
sslState
optional - string - SSL type.
thumbprint
optional - string - SSL certificate thumbprint.
toUpdate
optional - boolean - Set to true to update existing hostname.
virtualIP
optional - string - Virtual IP address assigned to the hostname if IP based SSL is enabled.
httpsOnly
optional - boolean - HttpsOnly: configures a web site to accept only https requests. Issues redirect for http requests
hyperV
optional - boolean - Hyper-V sandbox.
isXenon
optional - boolean - Obsolete: Hyper-V sandbox.
keyVaultReferenceIdentity
optional - string - Identity to use for Key Vault Reference authentication.
redundancyMode
optional - string - Site redundancy mode.
reserved
optional - boolean - true if reserved; otherwise, false.
scmSiteAlsoStopped
optional - boolean - true to stop SCM (KUDU) site when the app is stopped; otherwise, false. The default is false.
serverFarmId
optional - string - Resource ID of the associated App Service plan, formatted as: "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".
siteConfig
optional
acrUseManagedIdentityCreds
optional - boolean - Flag to use Managed Identity Creds for ACR pull
acrUserManagedIdentityID
optional - string - If using user managed identity, the user managed identity ClientId
alwaysOn
optional - boolean - true if Always On is enabled; otherwise, false.
apiDefinition
optional
url
optional - string - The URL of the API definition.
apiManagementConfig
optional
id
optional - string - APIM-Api Identifier.
appCommandLine
optional - string - App command line to launch.
appSettings
optional array
name
optional - string - Pair name.
value
optional - string - Pair value.
autoHealEnabled
optional - boolean - true if Auto Heal is enabled; otherwise, false.
autoHealRules
optional
actions
optional
actionType
optional - string - Predefined action to be taken.
customAction
optional
exe
optional - string - Executable to be run.
parameters
optional - string - Parameters for the executable.
minProcessExecutionTime
optional - string - Minimum time the process must execute before taking the action
triggers
optional
privateBytesInKB
optional - integer - A rule based on private bytes.
requests
optional
count
optional - integer - Request Count.
timeInterval
optional - string - Time interval.
slowRequests
optional
count
optional - integer - Request Count.
path
optional - string - Request Path.
timeInterval
optional - string - Time interval.
timeTaken
optional - string - Time taken.
slowRequestsWithPath
optional array
count
optional - integer - Request Count.
path
optional - string - Request Path.
timeInterval
optional - string - Time interval.
timeTaken
optional - string - Time taken.
statusCodes
optional array
count
optional - integer - Request Count.
path
optional - string - Request Path
status
optional - integer - HTTP status code.
subStatus
optional - integer - Request Sub Status.
timeInterval
optional - string - Time interval.
win32Status
optional - integer - Win32 error code.
statusCodesRange
optional array
count
optional - integer - Request Count.
path
optional - string
statusCodes
optional - string - HTTP status code.
timeInterval
optional - string - Time interval.
autoSwapSlotName
optional - string: Auto-swap slot name.
azureStorageAccounts
optional - undefined: List of Azure Storage Accounts.
connectionStrings
optional array
connectionString
optional - string: Connection string value.
name
optional - string: Name of connection string.
type
optional - string: Type of database.
cors
optional
allowedOrigins
optional - array: Gets or sets the list of origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). Use "*" to allow all.
supportCredentials
optional - boolean: Gets or sets whether CORS requests with credentials are allowed. See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Requests_with_credentials for more details.
defaultDocuments
optional - array: Default documents.
detailedErrorLoggingEnabled
optional - boolean: true if detailed error logging is enabled; otherwise, false.
documentRoot
optional - string: Document root.
experiments
optional
rampUpRules
optional array
actionHostName
optional - string: Hostname of a slot to which the traffic will be redirected if decided to. E.g. myapp-stage.azurewebsites.net.
changeDecisionCallbackUrl
optional - string: Custom decision algorithm can be provided in TiPCallback site extension which URL can be specified. See TiPCallback site extension for the scaffold and contracts. https://www.siteextensions.net/packages/TiPCallback/
changeIntervalInMinutes
optional - integer: Specifies interval in minutes to reevaluate ReroutePercentage.
changeStep
optional - number: In auto ramp up scenario this is the step to add/remove from ReroutePercentage until it reaches MinReroutePercentage or MaxReroutePercentage. Site metrics are checked every N minutes specified in ChangeIntervalInMinutes. Custom decision algorithm can be provided in TiPCallback site extension which URL can be specified in ChangeDecisionCallbackUrl.
maxReroutePercentage
optional - number: Specifies upper boundary below which ReroutePercentage will stay.
minReroutePercentage
optional - number: Specifies lower boundary above which ReroutePercentage will stay.
name
optional - string: Name of the routing rule. The recommended name would be to point to the slot which will receive the traffic in the experiment.
reroutePercentage
optional - number: Percentage of the traffic which will be redirected to ActionHostName.
ftpsState
optional - string: State of FTP / FTPS service.
functionAppScaleLimit
optional - integer: Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium Plans
functionsRuntimeScaleMonitoringEnabled
optional - boolean: Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call to the runtime to get scale status.
handlerMappings
optional array
arguments
optional - string: Command-line arguments to be passed to the script processor.
extension
optional - string: Requests with this extension will be handled using the specified FastCGI application.
scriptProcessor
optional - string: The absolute path to the FastCGI application.
healthCheckPath
optional - string: Health check path
http20Enabled
optional - boolean: Http20Enabled: configures a web site to allow clients to connect over http2.0
httpLoggingEnabled
optional - boolean: true if HTTP logging is enabled; otherwise, false.
ipSecurityRestrictions
optional array
action
optional - string: Allow or Deny access for this IP range.
description
optional - string: IP restriction rule description.
headers
optional - array: IP restriction rule headers.
X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is:
- If the property is null or empty (default), all hosts (or lack of) are allowed.
- A value is compared using ordinal-ignore-case (excluding port number).
- Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or multi-level foo.bar.contoso.com
- Unicode host names are allowed but are converted to Punycode for matching.
X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is:
- If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
- If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property.
X-Azure-FDID and X-FD-HealthProbe. The matching logic is exact match.
ipAddress
optional - string: IP address the security restriction is valid for. It can be in form of pure ipv4 address (required SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, SubnetMask property must not be specified.
name
optional - string: IP restriction rule name.
priority
optional - integer: Priority of IP restriction rule.
subnetMask
optional - string: Subnet mask for the range of IP addresses the restriction is valid for.
subnetTrafficTag
optional - integer: (internal) Subnet traffic tag
tag
optional - string: Defines what this IP filter will be used for. This is to support IP filtering on proxies.
vnetSubnetResourceId
optional - string: Virtual network resource id
vnetTrafficTag
optional - integer: (internal) Vnet traffic tag
javaContainer
optional - string: Java container.
javaContainerVersion
optional - string: Java container version.
javaVersion
optional - string: Java version.
keyVaultReferenceIdentity
optional - string: Identity to use for Key Vault Reference authentication.
limits
optional
maxDiskSizeInMb
optional - integer: Maximum allowed disk size usage in MB.
maxMemoryInMb
optional - integer: Maximum allowed memory usage in MB.
maxPercentageCpu
optional - number: Maximum allowed CPU usage percentage.
linuxFxVersion
optional - string: Linux App Framework and version
loadBalancing
optional - string: Site load balancing.
localMySqlEnabled
optional - boolean: true to enable local MySQL; otherwise, false.
logsDirectorySizeLimit
optional - integer: HTTP logs directory size limit.
managedPipelineMode
optional - string: Managed pipeline mode.
managedServiceIdentityId
optional - integer: Managed Service Identity Id
minimumElasticInstanceCount
optional - integer: Number of minimum instance count for a site. This setting only applies to the Elastic Plans
minTlsVersion
optional - string: MinTlsVersion: configures the minimum version of TLS required for SSL requests.
netFrameworkVersion
optional - string: .NET Framework version.
nodeVersion
optional - string: Version of Node.js.
numberOfWorkers
optional - integer: Number of workers.
phpVersion
optional - string: Version of PHP.
powerShellVersion
optional - string: Version of PowerShell.
preWarmedInstanceCount
optional - integer: Number of preWarmed instances. This setting only applies to the Consumption and Elastic Plans
publicNetworkAccess
optional - string: Property to allow or block all public traffic.
publishingUsername
optional - string: Publishing user name.
push
optional
kind
optional - string: Kind of resource.
properties
optional
dynamicTagsJson
optional - string: Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.
isPushEnabled
required - boolean: Gets or sets a flag indicating whether the Push endpoint is enabled.
tagsRequiringAuth
optional - string: Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.
tagWhitelistJson
optional - string: Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.
pythonVersion
optional - string: Version of Python.
remoteDebuggingEnabled
optional - boolean: true if remote debugging is enabled; otherwise, false.
remoteDebuggingVersion
optional - string: Remote debugging version.
requestTracingEnabled
optional - boolean: true if request tracing is enabled; otherwise, false.
requestTracingExpirationTime
optional - string: Request tracing expiration time.
scmIpSecurityRestrictions
optional array
action
optional - string: Allow or Deny access for this IP range.
description
optional - string: IP restriction rule description.
headers
optional - array: IP restriction rule headers.
X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples). The matching logic is:
- If the property is null or empty (default), all hosts (or lack of) are allowed.
- A value is compared using ordinal-ignore-case (excluding port number).
- Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or multi-level foo.bar.contoso.com
- Unicode host names are allowed but are converted to Punycode for matching.
X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples). The matching logic is:
- If the property is null or empty (default), any forwarded-for chains (or lack of) are allowed.
- If any address (excluding port number) in the chain (comma separated) matches the CIDR defined by the property.
X-Azure-FDID and X-FD-HealthProbe. The matching logic is exact match.
ipAddress
optional - string: IP address the security restriction is valid for. It can be in form of pure ipv4 address (required SubnetMask property) or CIDR notation such as ipv4/mask (leading bit match). For CIDR, SubnetMask property must not be specified.
name
optional - string: IP restriction rule name.
priority
optional - integer: Priority of IP restriction rule.
subnetMask
optional - string: Subnet mask for the range of IP addresses the restriction is valid for.
subnetTrafficTag
optional - integer: (internal) Subnet traffic tag
tag
optional - string: Defines what this IP filter will be used for. This is to support IP filtering on proxies.
vnetSubnetResourceId
optional - string: Virtual network resource id
vnetTrafficTag
optional - integer: (internal) Vnet traffic tag
scmIpSecurityRestrictionsUseMain
optional - boolean: IP security restrictions for scm to use main.
scmMinTlsVersion
optional - string: ScmMinTlsVersion: configures the minimum version of TLS required for SSL requests for SCM site.
scmType
optional - string: SCM type.
tracingOptions
optional - string: Tracing options.
use32BitWorkerProcess
optional - boolean: true to use 32-bit worker process; otherwise, false.
virtualApplications
optional array
physicalPath
optional - string: Physical path.
preloadEnabled
optional - boolean: true if preloading is enabled; otherwise, false.
virtualDirectories
optional array
physicalPath
optional - string: Physical path.
virtualPath
optional - string: Path to virtual application.
virtualPath
optional - string: Virtual path.
vnetName
optional - string: Virtual Network name.
vnetPrivatePortsCount
optional - integer: The number of private ports assigned to this app. These will be assigned dynamically on runtime.
vnetRouteAllEnabled
optional - boolean: Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.
websiteTimeZone
optional - string: Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values https://www.iana.org/time-zones (for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
webSocketsEnabled
optional - boolean: true if WebSocket is enabled; otherwise, false.
windowsFxVersion
optional - string: Xenon App Framework and version
xManagedServiceIdentityId
optional - integer: Explicit Managed Service Identity Id
storageAccountRequired
optional - boolean: Checks if Customer provided storage account is required
virtualNetworkSubnetId
optional - string: Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}
tags
optional - string: Resource tags.
type
required - string
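The headers matching logic listed under ipSecurityRestrictions and scmIpSecurityRestrictions can be modelled in a few lines to check what a rule will accept before it is deployed. This is an added example, not Azure's implementation or code from this page; the function names are hypothetical, and the handling of a missing header and of unparsable hops are assumptions.

```python
import ipaddress

def _strip_port(value):
    """Drop a trailing :port (host or IPv4) and unwrap [IPv6]:port."""
    value = value.strip()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value  # bare host name, IPv4 or IPv6 address

def _normalize(host):
    """Lower-case and convert each label to Punycode; keep a '*' label as is."""
    labels = host.lower().split(".")
    return ".".join(l if l == "*" else l.encode("idna").decode("ascii") for l in labels)

def host_rule_matches(allowed_hosts, forwarded_host):
    """Model of the X-Forwarded-Host rule described in the reference."""
    if not allowed_hosts:          # null or empty: every host (or none) is allowed
        return True
    if not forwarded_host:         # assumption: a non-empty rule needs the header
        return False
    host = _normalize(_strip_port(forwarded_host))
    for pattern in map(_normalize, allowed_hosts):
        if pattern.startswith("*."):
            suffix = pattern[1:]   # "*.contoso.com" -> ".contoso.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:   # exactly one extra label
                return True
        elif host == pattern:
            return True
    return False

def forwarded_for_rule_matches(cidrs, forwarded_for):
    """Model of the X-Forwarded-For rule: any hop inside any CIDR matches."""
    if not cidrs:                  # null or empty: any chain (or none) is allowed
        return True
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for hop in (forwarded_for or "").split(","):
        try:
            address = ipaddress.ip_address(_strip_port(hop))
        except ValueError:
            continue               # assumption: unparsable hops never match
        if any(address in net for net in networks):
            return True
    return False
```

Because a single matching hop anywhere in the chain satisfies the X-Forwarded-For rule, review these header rules together with the ipAddress or vnetSubnetResourceId of the same restriction rather than on their own.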