Azure App Service (Web Apps) Windows Web App

This page shows how to write Terraform and Azure Resource Manager for App Service (Web Apps) Windows Web App and write them securely.

azurerm_windows_web_app (Terraform)

The Windows Web App in App Service (Web Apps) can be configured in Terraform with the resource name azurerm_windows_web_app. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • location - (Required) The Azure Region where the Windows Web App should exist. Changing this forces a new Windows Web App to be created.

  • name - (Required) The name which should be used for this Windows Web App. Changing this forces a new Windows Web App to be created.

  • resource_group_name - (Required) The name of the Resource Group where the Windows Web App should exist. Changing this forces a new Windows Web App to be created.

  • service_plan_id - (Required) The ID of the Service Plan that this Windows App Service will be created in.

  • site_config - (Required) A site_config block as defined below.


  • app_settings - (Optional) A map of key-value pairs of App Settings.

  • auth_settings - (Optional) An auth_settings block as defined below.

  • backup - (Optional) A backup block as defined below.

  • client_affinity_enabled - (Optional) Should Client Affinity be enabled?

  • client_cert_enabled - (Optional) Should Client Certificates be enabled?

  • client_cert_mode - (Optional) The Client Certificate mode. Possible values include Optional and Required. This property has no effect when client_cert_enabled is false.

  • connection_string - (Optional) One or more connection_string blocks as defined below.

  • enabled - (Optional) Should the Windows Web App be enabled? Defaults to true.

  • https_only - (Optional) Should the Windows Web App require HTTPS connections.

  • identity - (Optional) An identity block as defined below.

  • logs - (Optional) A logs block as defined below.

  • storage_account - (Optional) One or more storage_account blocks as defined below.

  • tags - (Optional) A mapping of tags which should be assigned to the Windows Web App.


An action block supports the following:

  • action_type - (Required) Predefined action to be taken to an Auto Heal trigger. Possible values include: Recycle, LogEvent, and CustomAction.

  • custom_action - (Optional) A custom_action block as defined below.

  • minimum_process_execution_time - (Optional) The minimum amount of time in hh:mm:ss the Windows Web App must have been running before the defined action will be run in the event of a trigger.


An active_directory block supports the following:

  • client_id - (Required) The ID of the Client to use to authenticate with Azure Active Directory.

  • allowed_audiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.

Note: The client_id value is always considered an allowed audience.

  • client_secret - (Optional) The Client Secret for the Client ID. Cannot be used with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with client_secret.


An application_logs block supports the following:

  • azure_blob_storage - (Optional) An azure_blob_storage block as defined below.

  • file_system_level - (Optional) Log level. Possible values include: Verbose, Information, Warning, and Error.


An application_stack block supports the following:

  • current_stack - (Optional) The Application Stack for the Windows Web App. Possible values include dotnet, node, python, php, and java.

NOTE: Whilst this property is Optional, omitting it can cause unexpected behaviour, in particular for the display of settings in the Azure Portal.

  • docker_container_name - (Optional) The name of the Docker Container. For example azure-app-service/samples/aspnethelloworld

  • docker_container_registry - (Optional) The registry Host on which the specified Docker Container can be located. For example mcr.microsoft.com

  • docker_container_tag - (Optional) The Image Tag of the specified Docker Container to use. For example latest

  • dotnet_version - (Optional) The version of .Net to use when current_stack is set to dotnet. Possible values include v2.0, v3.0, v4.0, and v5.0.

  • java_container - (Optional) The Java container type to use when current_stack is set to java. Possible values include JAVA, JETTY, and TOMCAT. Required with java_version and java_container_version.

  • java_container_version - (Optional) The Version of the java_container to use. Required with java_version and java_container.

  • java_version - (Optional) The version of Java to use when current_stack is set to java. Possible values include 1.7, 1.8 and 11. Required with java_container and java_container_version.

NOTE: For compatible combinations of java_version, java_container and java_container_version users can use az webapp list-runtimes from command line.

  • node_version - (Optional) The version of node to use when current_stack is set to node.

NOTE: This property conflicts with java_version.

  • php_version - (Optional) The version of PHP to use when current_stack is set to php. Possible values include v5.6, v7.3, and v7.4.

  • python_version - (Optional) The version of Python to use when current_stack is set to python. Possible values include 2.7 and 3.4.0.


An auth_settings block supports the following:

  • enabled - (Required) Should the Authentication / Authorization feature be enabled for the Windows Web App?

  • active_directory - (Optional) An active_directory block as defined above.

  • additional_login_params - (Optional) Specifies a map of Login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.

  • allowed_external_redirect_urls - (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Windows Web App.

  • default_provider - (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: BuiltInAuthenticationProviderAzureActiveDirectory, BuiltInAuthenticationProviderFacebook, BuiltInAuthenticationProviderGoogle, BuiltInAuthenticationProviderMicrosoftAccount, BuiltInAuthenticationProviderTwitter, BuiltInAuthenticationProviderGithub

NOTE: This setting is only needed if multiple providers are configured, and the unauthenticated_client_action is set to "RedirectToLoginPage".

  • facebook - (Optional) A facebook block as defined below.

  • github - (Optional) A github block as defined below.

  • google - (Optional) A google block as defined below.

  • issuer - (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Windows Web App.

NOTE: When using Azure Active Directory, this value is the URI of the directory tenant, e.g. https://sts.windows.net/[tenant-guid]/.

  • microsoft - (Optional) A microsoft block as defined below.

  • runtime_version - (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Windows Web App.

  • token_refresh_extension_hours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.

  • token_store_enabled - (Optional) Should the Windows Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.

  • twitter - (Optional) A twitter block as defined below.

  • unauthenticated_client_action - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: RedirectToLoginPage, AllowAnonymous.


An auto_heal_setting block supports the following:

  • action - (Required) An action block as defined above.

  • trigger - (Required) A trigger block as defined below.


An azure_blob_storage block supports the following:

  • retention_in_days - (Required) The time in days after which to remove blobs. A value of 0 means no retention.

  • sas_url - (Required) SAS URL to an Azure blob container with read/write/list/delete permissions. The URL embeds the SAS token, so treat it as a credential.


A backup block supports the following:

  • name - (Required) The name which should be used for this Backup.

  • schedule - (Required) A schedule block as defined below.

  • storage_account_url - (Required) The SAS URL to the container.

  • enabled - (Optional) Should this backup job be enabled?


A connection_string block supports the following:

  • type - (Required) Type of database. Possible values include: MySQL, SQLServer, SQLAzure, Custom, NotificationHub, ServiceBus, EventHub, APIHub, DocDb, RedisCache, and PostgreSQL.

  • value - (Required) The connection string value. Like every argument, it is written to Terraform state, so treat the state file as a secret.


A cors block supports the following:

  • allowed_origins - (Required) Specifies a list of origins that should be allowed to make cross-origin calls.

  • support_credentials - (Optional) Whether CORS requests with credentials are allowed. Defaults to false.


A custom_action block supports the following:

  • executable - (Required) The executable to run for the custom_action.

  • parameters - (Optional) The parameters to pass to the specified executable.


A facebook block supports the following:

  • app_id - (Required) The App ID of the Facebook app used for login.

  • app_secret - (Optional) The App Secret of the Facebook app used for Facebook Login. Cannot be specified with app_secret_setting_name.

  • app_secret_setting_name - (Optional) The app setting name that contains the app_secret value used for Facebook Login. Cannot be specified with app_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook Login authentication.


A file_system block supports the following:

  • retention_in_days - (Required) The retention period in days. A value of 0 means no retention.

  • retention_in_mb - (Required) The maximum size in megabytes that log files can use.


A github block supports the following:

  • client_id - (Required) The ID of the GitHub app used for login.

  • client_secret - (Optional) The Client Secret of the GitHub app used for GitHub Login. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for GitHub Login. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub Login authentication.


A google block supports the following:

  • client_id - (Required) The OpenID Connect Client ID for the Google web application.

  • client_secret - (Optional) The client secret associated with the Google web application. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for Google Login. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, "openid", "profile", and "email" are used as default scopes.


A headers block supports the following:

NOTE: Please see the official Azure Documentation for details on using header filtering.

  • x_azure_fdid - (Optional) Specifies a list of Azure Front Door IDs.

  • x_fd_health_probe - (Optional) Specifies if a Front Door Health Probe should be expected.

  • x_forwarded_for - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.

  • x_forwarded_host - (Optional) Specifies a list of Hosts for which matching should be applied.


A http_logs block supports the following:

  • azure_blob_storage - (Optional) An azure_blob_storage block as defined above.

  • file_system - (Optional) A file_system block as defined above.


An identity block supports the following:

  • type - (Required) The type of managed service identity. Possible values include: SystemAssigned, UserAssigned, and SystemAssigned, UserAssigned (to enable both).

  • identity_ids - (Optional) Specifies a list of Identity IDs.


An ip_restriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this ip_restriction.

  • priority - (Optional) The priority value of this ip_restriction.

  • service_tag - (Optional) The Service Tag used for this IP Restriction.

  • virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.


A logs block supports the following:

  • application_logs - (Optional) An application_logs block as defined above.

  • detailed_error_messages - (Optional) Should detailed error messages be enabled? Detailed error pages can expose stack traces and paths to clients, so leave this off on internet-facing apps.

  • failed_request_tracing - (Optional) Should tracing be enabled for failed requests?

  • http_logs - (Optional) A http_logs block as defined above.


A microsoft block supports the following:

  • client_id - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.

  • client_secret - (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret_setting_name.

  • client_secret_setting_name - (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret.

  • oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, "wl.basic" is used as the default scope.


A requests block supports the following:

  • count - (Required) The number of requests in the specified interval to trigger this rule.

  • interval - (Required) The interval in hh:mm:ss.


A schedule block supports the following:

  • frequency_interval - (Required) How often the backup should be executed (e.g. for weekly backup, this should be set to 7 and frequency_unit should be set to Day).

NOTE: Not all intervals are supported on all Windows Web App SKUs. Please refer to the official documentation for appropriate values.

  • frequency_unit - (Required) The unit of time for how often the backup should take place. Possible values include: Day, Hour.

  • keep_at_least_one_backup - (Optional) Should the service keep at least one backup, regardless of age of backup. Defaults to false.

  • retention_period_days - (Optional) After how many days backups should be deleted.

  • start_time - (Optional) When the schedule should start working in RFC-3339 format.


A scm_ip_restriction block supports the following:

  • action - (Optional) The action to take. Possible values are Allow or Deny.

  • headers - (Optional) A headers block as defined above.

  • ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32

  • name - (Optional) The name which should be used for this scm_ip_restriction.

  • priority - (Optional) The priority value of this ip_restriction.

  • service_tag - (Optional) The Service Tag used for this IP Restriction.

  • virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.

NOTE: One and only one of ip_address, service_tag or virtual_network_subnet_id must be specified.


A site_config block supports the following:

  • always_on - (Optional) Should Always On be enabled for this Windows Web App? Defaults to false.

  • api_management_config_id - (Optional) The ID of the APIM configuration for this Windows Web App.

  • app_command_line - (Optional) The App command line to launch.

  • application_stack - (Optional) An application_stack block as defined above.

  • auto_heal - (Optional) Should Auto Heal rules be enabled? Required with auto_heal_setting.

  • auto_heal_setting - (Optional) An auto_heal_setting block as defined above. Required with auto_heal.

  • auto_swap_slot_name - (Optional) The Windows Web App Slot Name to automatically swap to when deployment to that slot is successfully completed.

  • cors - (Optional) A cors block as defined above.

  • default_documents - (Optional) Specifies a list of Default Documents for the Windows Web App.

  • ftps_state - (Optional) The State of FTP / FTPS service. Possible values include: AllAllowed, FtpsOnly, Disabled.

NOTE: Azure defaults this value to AllAllowed, however, in the interests of security Terraform will default this to Disabled to ensure the user makes a conscious choice to enable it.

  • health_check_path - (Optional) The path to the Health Check.

  • health_check_eviction_time_in_min - (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with health_check_path.

  • http2_enabled - (Optional) Should the HTTP2 be enabled?

  • ip_restriction - (Optional) One or more ip_restriction blocks as defined above.

  • load_balancing_mode - (Optional) The Site load balancing. Possible values include: WeightedRoundRobin, LeastRequests, LeastResponseTime, WeightedTotalTraffic, RequestHash, PerSiteRoundRobin. Defaults to LeastRequests if omitted.

  • local_mysql - (Optional) Use Local MySQL. Defaults to false.

  • managed_pipeline_mode - (Optional) Managed pipeline mode. Possible values include: Integrated, Classic.

  • minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • number_of_workers - (Optional) The number of Workers for this Windows App Service.

  • remote_debugging - (Optional) Should Remote Debugging be enabled? Defaults to false. Remote debugging exposes a debugger endpoint on the app and should stay off outside short troubleshooting windows.

  • remote_debugging_version - (Optional) The Remote Debugging Version. Possible values include VS2017 and VS2019.

  • scm_ip_restriction - (Optional) One or more scm_ip_restriction blocks as defined above.

  • scm_minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.

  • scm_use_main_ip_restriction - (Optional) Should the Windows Web App ip_restriction configuration be used for the SCM also.

  • use_32_bit_worker - (Optional) Should the Windows Web App use a 32-bit worker?

  • virtual_application - (Optional) One or more virtual_application blocks as defined below.

  • websockets - (Optional) Should Web Sockets be enabled? Defaults to false.


A slow_request block supports the following:

  • count - (Required) The number of Slow Requests in the time interval to trigger this rule.

  • interval - (Required) The time interval in the form hh:mm:ss.

  • time_taken - (Required) The threshold of time passed to qualify as a Slow Request in hh:mm:ss.

  • path - (Optional) The path for which this slow request rule applies.


A status_code block supports the following:

  • count - (Required) The number of occurrences of the defined status_code in the specified interval on which to trigger this rule.

  • interval - (Required) The time interval in the form hh:mm:ss.

  • status_code_range - (Required) The status code for this rule, accepts single status codes and status code ranges. e.g. 500 or 400-499. Possible values are integers between 101 and 599

  • path - (Optional) The path to which this rule status code applies.

  • sub_status - (Optional) The Request Sub Status of the Status Code.

  • win32_status - (Optional) The Win32 Status Code of the Request.


A storage_account block supports the following:

  • access_key - (Required) The Access key for the storage account.

  • account_name - (Required) The Name of the Storage Account.

  • name - (Required) The name which should be used for this Storage Account mount.

  • share_name - (Required) The Name of the File Share or Container Name for Blob storage.

  • type - (Required) The Azure Storage Type. Possible values include AzureFiles and AzureBlob.

  • mount_path - (Optional) The path at which to mount the storage share.


A trigger block supports the following:

  • private_memory_kb - (Optional) The amount of Private Memory to be consumed for this rule to trigger. Possible values are between 102400 and 13631488.

  • requests - (Optional) A requests block as defined above.

  • slow_request - (Optional) One or more slow_request blocks as defined above.

  • status_code - (Optional) One or more status_code blocks as defined above.


A twitter block supports the following:

  • consumer_key - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.

  • consumer_secret - (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret_setting_name.

  • consumer_secret_setting_name - (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret.

A virtual_application block supports the following:

  • physical_path - (Required) The physical path for the Virtual Application.

  • preload - (Required) Should pre-loading be enabled?

  • virtual_directory - (Optional) One or more virtual_directory blocks as defined below.

  • virtual_path - (Required) The Virtual Path for the Virtual Application.


A virtual_directory block supports the following:

  • physical_path - (Optional) The physical path for the Virtual Directory.

  • virtual_path - (Optional) The Virtual Path for the Virtual Directory.

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Windows Web App.

  • custom_domain_verification_id - The identifier used by App Service to perform domain ownership verification via DNS TXT record.

  • default_hostname - The default hostname of the Windows Web App.

  • kind - The Kind value for this Windows Web App.

  • outbound_ip_address_list - A list of outbound IP addresses - such as ["52.23.25.3", "52.143.43.12"]

  • outbound_ip_addresses - A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12.

  • possible_outbound_ip_address_list - A list of possible outbound IP addresses - such as ["52.23.25.3", "52.143.43.12", "52.143.43.17"] - not all of which are necessarily in use. Superset of outbound_ip_address_list.

  • possible_outbound_ip_addresses - A comma separated list of outbound IP addresses - such as 52.23.25.3,52.143.43.12,52.143.43.17 - not all of which are necessarily in use. Superset of outbound_ip_addresses.

  • site_credential - A site_credential block as defined below.


A site_credential block exports the following:

  • name - The Site Credentials Username used for publishing.

  • password - The Site Credentials Password used for publishing. It is exported into Terraform state, so protect the state file accordingly.
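
The arguments above read as a checklist; the following puts them together in one hardened azurerm_windows_web_app. This is an added example, not code from this page or from the provider's documentation. The resource group, service plan, the aad_client_id variable, the Key Vault secret URI, the site name and the 203.0.113.0/24 address range are assumptions. The settings that carry the security weight are HTTPS only and mutual TLS, a TLS 1.2 floor on both the app and the SCM site, FTP disabled, an IP allow-list that also covers the SCM site, built-in authentication whose client secret is never written into the configuration, and error pages that do not leak stack traces.

```hcl
# Added example, not from this page or the provider docs: a hardened
# azurerm_windows_web_app. The resource group, service plan, variable
# aad_client_id, Key Vault secret URI, site name and the 203.0.113.0/24
# range are assumptions.

data "azurerm_client_config" "current" {}

variable "aad_client_id" {
  description = "Application (client) ID of the Azure AD app registration used for App Service authentication"
  type        = string
}

resource "azurerm_windows_web_app" "hardened" {
  name                = "example-hardened-win-app"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  https_only              = true       # Azure default is false: plain HTTP would otherwise be served
  client_cert_enabled     = true
  client_cert_mode        = "Required" # mutual TLS; ignored unless client_cert_enabled is true
  client_affinity_enabled = false      # no sticky-session cookie unless the app needs one

  identity {
    type = "SystemAssigned" # resolves the Key Vault reference in app_settings
  }

  site_config {
    always_on                   = true
    http2_enabled               = true
    minimum_tls_version         = "1.2"
    scm_minimum_tls_version     = "1.2"
    ftps_state                  = "Disabled" # provider default; stated so a reviewer sees the choice
    remote_debugging            = false
    websockets                  = false
    scm_use_main_ip_restriction = true       # the Kudu/SCM site gets the same allow-list

    # Exactly one of ip_address, service_tag or virtual_network_subnet_id per block.
    # Once any Allow rule exists, App Service denies everything not listed.
    ip_restriction {
      name       = "allow-corp-egress"
      action     = "Allow"
      priority   = 100
      ip_address = "203.0.113.0/24"
    }

    application_stack {
      current_stack  = "dotnet"
      dotnet_version = "v5.0"
    }
  }

  # Built-in authentication: unauthenticated requests are redirected to Azure AD,
  # and the client secret is read from an app setting rather than written here.
  auth_settings {
    enabled                       = true
    unauthenticated_client_action = "RedirectToLoginPage"
    issuer                        = "https://sts.windows.net/${data.azurerm_client_config.current.tenant_id}/"
    token_store_enabled           = true

    active_directory {
      client_id                  = var.aad_client_id
      client_secret_setting_name = "AAD_CLIENT_SECRET"
    }
  }

  app_settings = {
    # Key Vault reference (assumed vault and secret names): App Service resolves it at
    # runtime with the system-assigned identity, so the secret value itself never
    # enters the configuration or the Terraform state.
    AAD_CLIENT_SECRET = "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/aad-client-secret/)"
  }

  logs {
    detailed_error_messages = false # verbose error pages leak stack traces to clients
    failed_request_tracing  = true

    http_logs {
      file_system {
        retention_in_days = 7
        retention_in_mb   = 100
      }
    }
  }
}
```

The system-assigned identity must be granted secret read access on the vault (an access policy, or the Key Vault Secrets User role) before the Key Vault reference resolves; until then the app setting is delivered to the app as the literal reference string. After apply, the result can be checked from the CLI with az webapp show --query "{httpsOnly:httpsOnly, clientCert:clientCertEnabled}" and az webapp config show --query "{minTls:minTlsVersion, ftps:ftpsState, remoteDebug:remoteDebuggingEnabled}" against the app's name and resource group.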

Explanation in Terraform Registry

Manages a Windows Web App.

Note: This Resource is coming in version 3.0 of the Azure Provider and is available as an opt-in Beta - more information can be found in the upcoming version 3.0 of the Azure Provider.

Tips: Best Practices for The Other Azure App Service (Web Apps) Resources

In addition to the azurerm_windows_web_app resource above, Azure App Service (Web Apps) has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_app_service

Ensure your App Service is accessible via HTTPS only

It is better to configure the App Service to be accessible via HTTPS only. By default, both HTTP and HTTPS are available.

azurerm_function_app

Ensure to enable authentication to prevent anonymous request being accepted

It is better to enable authentication to prevent anonymous requests and ensure all communications in the application are authenticated.

Review your Azure App Service (Web Apps) settings

In addition to the above, there are other security points you should be aware of to make sure that your .tf files are protected; you can review them in Shisho Cloud.

Microsoft.Web/sites (Azure Resource Manager)

The sites in Microsoft.Web can be configured in Azure Resource Manager with the resource name Microsoft.Web/sites. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

template.json#L101
                "ResourceType": "Microsoft.Web/sites",
                "MetricName": "Http5xx",
                "Operator": "GreaterThanOrEqual",
                "Threshold": "50",
                "TimeWindow": "PT5M",
                "Aggregation": "Total"
tests.json#L30
          "resourceType": "Microsoft.Web/sites",
          "allOf": [
              {
                  "path": "kind",
                  "regex": "api$"
              },
v1.6_Export.json#L17
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('FunctionAppName')]",
      "location": "UK South",
      "kind": "functionapp",
      "properties": {
integration.json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "deploymentId": {
web4.json#L38
            "type": "Microsoft.Web/sites",
            "name": "[parameters('site_name')]",
            "apiVersion": "2016-08-01",
            "location": "[resourceGroup().location]",
            "scale": null,
            "properties": {
chapter4-azure-template.json#L45
            "type": "Microsoft.Web/sites",
            "apiVersion": "2018-11-01",
            "name": "[parameters('sites_chapter4_iac_dockerimage_name')]",
            "location": "Central US",
            "dependsOn": [
                "[resourceId('Microsoft.Web/serverfarms', parameters('serverfarms_ASP_Chapter4RG_ac17_name'))]"
integration.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "infrastructure": {

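The GitHub snippets above are fragments; the following is the same hardening expressed as a complete Microsoft.Web/sites template. It is an added example, not code from this page or from any of the repositories quoted above. To keep it in the page's Terraform dialect, the template body is built with jsonencode and deployed through azurerm_resource_group_template_deployment; the resource group, service plan, site name and the 203.0.113.0/24 range are assumptions. The ARM properties it sets (httpsOnly, clientCertEnabled, clientCertMode, clientAffinityEnabled, scmSiteAlsoStopped and, under siteConfig, minTlsVersion, scmMinTlsVersion, ftpsState, http20Enabled, remoteDebuggingEnabled and ipSecurityRestrictions) are the ones a reviewer looks for first.

```hcl
# Added example, not from this page or the GitHub snippets: a Microsoft.Web/sites
# ARM template body kept in HCL and deployed via azurerm_resource_group_template_deployment.
# The resource group, service plan, site name and the 203.0.113.0/24 range are assumptions.

resource "azurerm_resource_group_template_deployment" "hardened_site" {
  name                = "hardened-site-deployment"
  resource_group_name = azurerm_resource_group.example.name
  deployment_mode     = "Incremental"

  parameters_content = jsonencode({
    siteName     = { value = "example-hardened-win-app" }
    serverFarmId = { value = azurerm_service_plan.example.id }
  })

  template_content = jsonencode({
    "$schema"      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"

    parameters = {
      siteName     = { type = "string" }
      serverFarmId = { type = "string" }
    }

    resources = [{
      type       = "Microsoft.Web/sites"
      apiVersion = "2021-02-01"
      name       = "[parameters('siteName')]"
      location   = "[resourceGroup().location]"
      kind       = "app"

      identity = { type = "SystemAssigned" }

      properties = {
        serverFarmId          = "[parameters('serverFarmId')]"
        httpsOnly             = true       # HTTP requests are redirected; ARM default is false
        clientCertEnabled     = true
        clientCertMode        = "Required" # composes with clientCertEnabled
        clientAffinityEnabled = false      # ARM default is true
        scmSiteAlsoStopped    = true       # Kudu is not left running when the app is stopped

        siteConfig = {
          alwaysOn               = true
          http20Enabled          = true
          minTlsVersion          = "1.2"
          scmMinTlsVersion       = "1.2"
          ftpsState              = "Disabled" # ARM default is AllAllowed
          remoteDebuggingEnabled = false

          # A single Allow entry is enough: App Service applies an implicit deny
          # to every source not listed once the list is non-empty.
          ipSecurityRestrictions = [{
            name      = "allow-corp-egress"
            action    = "Allow"
            priority  = 100
            ipAddress = "203.0.113.0/24"
          }]
        }
      }
    }]
  })
}
```

Because the template is a string in Terraform state, a change to any value inside jsonencode shows up in the plan as a diff on template_content rather than on the individual property; keep the template small and dedicated to the site so that diff stays readable.
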
Parameters

  • apiVersion required - string
  • extendedLocation optional
      • name optional - string

        Name of extended location.

  • identity optional
      • type optional - string

        Type of managed service identity.

      • userAssignedIdentities optional - object

        The list of user assigned identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}

  • kind optional - string

    Kind of resource.

  • location required - string

    Resource Location.

  • name required - string

    Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.

  • properties required
      • clientAffinityEnabled optional - boolean

        true to enable client affinity; false to stop sending session affinity cookies, which route client requests in the same session to the same instance. Default is true.

      • clientCertEnabled optional - boolean

        true to enable client certificate authentication (TLS mutual authentication); otherwise, false. Default is false.

      • clientCertExclusionPaths optional - string

        client certificate authentication comma-separated exclusion paths

      • clientCertMode optional - string

        This composes with ClientCertEnabled setting.

        • ClientCertEnabled: false means ClientCert is ignored.
        • ClientCertEnabled: true and ClientCertMode: Required means ClientCert is required.
        • ClientCertEnabled: true and ClientCertMode: Optional means ClientCert is optional or accepted.
      • cloningInfo optional
          • appSettingsOverrides optional - string

            Application setting overrides for cloned app. If specified, these settings override the settings cloned from source app. Otherwise, application settings from source app are retained.

          • cloneCustomHostNames optional - boolean

            true to clone custom hostnames from source app; otherwise, false.

          • cloneSourceControl optional - boolean

            true to clone source control from source app; otherwise, false.

          • configureLoadBalancing optional - boolean

            true to configure load balancing for source and destination app.

          • correlationId optional - string

            Correlation ID of cloning operation. This ID ties multiple cloning operations together to use the same snapshot.

          • hostingEnvironment optional - string

            App Service Environment.

          • overwrite optional - boolean

            true to overwrite destination app; otherwise, false.

          • sourceWebAppId required - string

            ARM resource ID of the source app. App resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName} for production slots and /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{siteName}/slots/{slotName} for other slots.

          • sourceWebAppLocation optional - string

            Location of source app ex: West US or North Europe

          • trafficManagerProfileId optional - string

            ARM resource ID of the Traffic Manager profile to use, if it exists. Traffic Manager resource ID is of the form /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/trafficManagerProfiles/{profileName}.

          • trafficManagerProfileName optional - string

            Name of Traffic Manager profile to create. This is only needed if Traffic Manager profile does not already exist.

      • containerSize optional - integer

        Size of the function container.

      • customDomainVerificationId optional - string

        Unique identifier that verifies the custom domains assigned to the app. Customer will add this id to a txt record for verification.

      • dailyMemoryTimeQuota optional - integer

        Maximum allowed daily memory-time quota (applicable on dynamic apps only).

      • enabled optional - boolean

        true if the app is enabled; otherwise, false. Setting this value to false disables the app (takes the app offline).

      • hostingEnvironmentProfile optional
          • id optional - string

            Resource ID of the App Service Environment.

      • hostNamesDisabled optional - boolean

        true to disable the public hostnames of the app; otherwise, false. If true, the app is only accessible via API management process.

      • hostNameSslStates optional array
          • hostType optional - string

            Indicates whether the hostname is a standard or repository hostname.

          • name optional - string

            Hostname.

          • sslState optional - string

            SSL binding type (Disabled, SniEnabled or IpBasedEnabled).

          • thumbprint optional - string

            SSL certificate thumbprint.

          • toUpdate optional - boolean

            Set to true to update an existing hostname.

          • virtualIP optional - string

            Virtual IP address assigned to the hostname if IP based SSL is enabled.

      • httpsOnly optional - boolean

        Configures the site to accept only HTTPS requests; HTTP requests receive a redirect. Set this to true for every internet-facing app.

      • hyperV optional - boolean

        Hyper-V sandbox.

      • isXenon optional - boolean

        Obsolete: Hyper-V sandbox.

      • keyVaultReferenceIdentity optional - string

        Identity to use for Key Vault Reference authentication.

      • redundancyMode optional - string

        Site redundancy mode.

      • reserved optional - boolean

        true if reserved; otherwise, false.

      • scmSiteAlsoStopped optional - boolean

        true to stop the SCM (Kudu) site when the app is stopped; otherwise, false. The default is false.

      • serverFarmId optional - string

        Resource ID of the associated App Service plan, formatted as: "/subscriptions/{subscriptionID}/resourceGroups/{groupName}/providers/Microsoft.Web/serverfarms/{appServicePlanName}".

      • siteConfig optional
          • acrUseManagedIdentityCreds optional - boolean

            Flag to use managed identity credentials for the ACR image pull.

          • acrUserManagedIdentityID optional - string

            If a user-assigned managed identity is used, its client ID.

          • alwaysOn optional - boolean

            true if Always On is enabled; otherwise, false.

          • apiDefinition optional
              • url optional - string

                The URL of the API definition.

          • apiManagementConfig optional
              • id optional - string

                APIM-Api Identifier.

          • appCommandLine optional - string

            App command line to launch.

          • appSettings optional array
              • name optional - string

                Pair name.

              • value optional - string

                Pair value.

          • autoHealEnabled optional - boolean

            true if Auto Heal is enabled; otherwise, false.

          • autoHealRules optional
              • actions optional
                  • actionType optional - string

                    Predefined action to be taken.

                  • customAction optional
                      • exe optional - string

                        Executable to be run.

                      • parameters optional - string

                        Parameters for the executable.

                  • minProcessExecutionTime optional - string

                    Minimum time the process must execute before taking the action.

              • triggers optional
                  • privateBytesInKB optional - integer

                    A rule based on private bytes.

                  • requests optional
                      • count optional - integer

                        Request Count.

                      • timeInterval optional - string

                        Time interval.

                  • slowRequests optional
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • slowRequestsWithPath optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • timeInterval optional - string

                        Time interval.

                      • timeTaken optional - string

                        Time taken.

                  • statusCodes optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path

                      • status optional - integer

                        HTTP status code.

                      • subStatus optional - integer

                        Request Sub Status.

                      • timeInterval optional - string

                        Time interval.

                      • win32Status optional - integer

                        Win32 error code.

                  • statusCodesRange optional array
                      • count optional - integer

                        Request Count.

                      • path optional - string

                        Request Path.

                      • statusCodes optional - string

                        HTTP status code or range.

                      • timeInterval optional - string

                        Time interval.

          • autoSwapSlotName optional - string

            Auto-swap slot name.

          • azureStorageAccounts optional - object

            List of Azure Storage Accounts.

          • connectionStrings optional array
              • connectionString optional - string

                Connection string value.

              • name optional - string

                Name of connection string.

              • type optional - string

                Type of database.

          • cors optional

            Cross-Origin Resource Sharing (CORS) settings.

          • defaultDocuments optional - array

            Default documents.

          • detailedErrorLoggingEnabled optional - boolean

            true if detailed error logging is enabled; otherwise, false.

          • documentRoot optional - string

            Document root.

          • experiments optional
              • rampUpRules optional array
                  • actionHostName optional - string

                    Hostname of a slot to which the traffic will be redirected if decided to. E.g. myapp-stage.azurewebsites.net.

                  • changeDecisionCallbackUrl optional - string

                    A custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified here. See the TiPCallback site extension for the scaffold and contracts: https://www.siteextensions.net/packages/TiPCallback/

                  • changeIntervalInMinutes optional - integer

                    Specifies interval in minutes to reevaluate ReroutePercentage.

                  • changeStep optional - number

                    In an auto ramp-up scenario this is the step to add to or remove from ReroutePercentage until it reaches MinReroutePercentage or MaxReroutePercentage. Site metrics are checked every N minutes as specified in ChangeIntervalInMinutes. A custom decision algorithm can be provided in the TiPCallback site extension, whose URL can be specified in ChangeDecisionCallbackUrl.

                  • maxReroutePercentage optional - number

                    Specifies upper boundary below which ReroutePercentage will stay.

                  • minReroutePercentage optional - number

                    Specifies lower boundary above which ReroutePercentage will stay.

                  • name optional - string

                    Name of the routing rule. The recommended name would be to point to the slot which will receive the traffic in the experiment.

                  • reroutePercentage optional - number

                    Percentage of the traffic which will be redirected to ActionHostName.

          • ftpsState optional - string

            State of the FTP/FTPS deployment service (AllAllowed, FtpsOnly or Disabled). Disabled is the safe default when deployments go through other channels.

          • functionAppScaleLimit optional - integer

            Maximum number of workers that a site can scale out to. This setting only applies to the Consumption and Elastic Premium plans.

          • functionsRuntimeScaleMonitoringEnabled optional - boolean

            Gets or sets a value indicating whether functions runtime scale monitoring is enabled. When enabled, the ScaleController will not monitor event sources directly, but will instead call to the runtime to get scale status.

          • handlerMappings optional array
              • arguments optional - string

                Command-line arguments to be passed to the script processor.

              • extension optional - string

                Requests with this extension will be handled using the specified FastCGI application.

              • scriptProcessor optional - string

                The absolute path to the FastCGI application.

          • healthCheckPath optional - string

            Health check path.

          • http20Enabled optional - boolean

            Configures the site to allow clients to connect over HTTP/2.0.

          • httpLoggingEnabled optional - boolean

            true if HTTP logging is enabled; otherwise, false.

          • ipSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - object

                IP restriction rule headers: a map from header name to the list of allowed values. Supported headers and their matching logic:

                X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples):
                • If the property is null or empty (default), all hosts (or the lack of one) are allowed.
                • A value is compared using ordinal-ignore-case (excluding the port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
                • Unicode host names are allowed but are converted to Punycode for matching.

                X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples):
                • If the property is null or empty (default), any forwarded-for chain (or the lack of one) is allowed.
                • The rule matches if any address (excluding the port number) in the comma-separated chain falls within a CIDR defined by the property.

                X-Azure-FDID and X-FD-HealthProbe: exact match.

                These headers are supplied by whatever sits in front of the app, so a header condition is only meaningful when the same rule also restricts the source (for example an Allow rule scoped to the proxy's IP range or service tag); on its own it can be satisfied by any client that sends the header.

              • ipAddress optional - string

                IP address the security restriction is valid for. It can be a pure IPv4 address (in which case the subnetMask property is required) or CIDR notation such as ipv4/mask (leading-bit match). For CIDR, the subnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network subnet resource ID.

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag
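
Worked example of the header matching described above for the headers property of an ipSecurityRestrictions rule (the same logic applies to scmIpSecurityRestrictions further down). This is an added illustration, not code from the page or from Microsoft: the rule, the request headers and the Front Door ID are constructed samples, and treating a request that lacks a header named in the rule as a non-match is an assumption the page does not state.

```python
"""Header matching for an ipSecurityRestrictions / scmIpSecurityRestrictions rule.

Added example: implements the documented matching logic (X-Forwarded-Host with
one-level wildcards, case-insensitive and Punycode comparison; X-Forwarded-For
chain against CIDRs; exact match for X-Azure-FDID and X-FD-HealthProbe).
"""
import ipaddress


def strip_port(value: str) -> str:
    """Remove a trailing :port from a host or address literal."""
    value = value.strip()
    if value.startswith("[") and "]" in value:      # [2001:db8::1]:443
        return value[1:value.index("]")]
    if value.count(":") == 1:                       # host:443 or 203.0.113.7:443
        return value.rsplit(":", 1)[0]
    return value                                    # no port, or bare IPv6


def canonical_host(host: str) -> str:
    """Lower-case and Punycode-encode a hostname, ignoring any port."""
    host = strip_port(host).lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def host_matches(pattern: str, host: str) -> bool:
    """Ordinal-ignore-case compare; a leading '*.' matches exactly one extra label."""
    pattern, host = canonical_host(pattern), canonical_host(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]                        # ".contoso.com"
        if not host.endswith(suffix):
            return False
        extra = host[: -len(suffix)]
        return bool(extra) and "." not in extra     # "foo" yes; "" and "foo.bar" no
    return pattern == host


def forwarded_for_matches(cidrs, chain: str) -> bool:
    """True if any hop of the comma-separated X-Forwarded-For chain is inside a CIDR."""
    networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for hop in chain.split(","):
        try:
            addr = ipaddress.ip_address(strip_port(hop))
        except ValueError:                          # "unknown", empty or garbage hop
            continue
        if any(addr in net for net in networks):
            return True
    return False


def headers_match(rule_headers: dict, request_headers: dict) -> bool:
    """Evaluate a rule's headers map against one request's headers."""
    request = {k.lower(): v for k, v in request_headers.items()}
    for name, allowed in rule_headers.items():
        if not allowed:                             # null/empty: anything passes
            continue
        name = name.lower()
        value = request.get(name)
        if value is None:                           # assumption: absent header fails
            return False
        if name == "x-forwarded-host":
            if not any(host_matches(p, value) for p in allowed):
                return False
        elif name == "x-forwarded-for":
            if not forwarded_for_matches(allowed, value):
                return False
        elif value not in allowed:                  # x-azure-fdid, x-fd-healthprobe
            return False
    return True


# Constructed sample rule and requests (placeholder Front Door ID).
RULE = {"x-forwarded-host": ["*.contoso.com"],
        "x-forwarded-for": ["203.0.113.0/24"],
        "x-azure-fdid": ["00000000-0000-0000-0000-000000000000"]}
GOOD_REQUEST = {"X-Forwarded-Host": "Shop.Contoso.com:443",
                "X-Forwarded-For": "198.51.100.9, 203.0.113.7:51234",
                "X-Azure-FDID": "00000000-0000-0000-0000-000000000000"}
BAD_REQUEST = dict(GOOD_REQUEST, **{"X-Forwarded-Host": "contoso.com"})

if __name__ == "__main__":
    print("good request matches:", headers_match(RULE, GOOD_REQUEST))
    print("root-domain request matches:", headers_match(RULE, BAD_REQUEST))
```

The root-domain request fails only because of the wildcard rule: the X-Forwarded-For hop and the Front Door ID still match, which is why a header condition should always be paired with a source restriction on the same rule.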

          • javaContainer optional - string

            Java container.

          • javaContainerVersion optional - string

            Java container version.

          • javaVersion optional - string

            Java version.

          • keyVaultReferenceIdentity optional - string

            Identity to use for Key Vault Reference authentication.

          • limits optional
              • maxDiskSizeInMb optional - integer

                Maximum allowed disk size usage in MB.

              • maxMemoryInMb optional - integer

                Maximum allowed memory usage in MB.

              • maxPercentageCpu optional - number

                Maximum allowed CPU usage percentage.

          • linuxFxVersion optional - string

            Linux App Framework and version

          • loadBalancing optional - string

            Site load balancing.

          • localMySqlEnabled optional - boolean

            true to enable local MySQL; otherwise, false.

          • logsDirectorySizeLimit optional - integer

            HTTP logs directory size limit.

          • managedPipelineMode optional - string

            Managed pipeline mode.

          • managedServiceIdentityId optional - integer

            Managed Service Identity Id

          • minimumElasticInstanceCount optional - integer

            Minimum instance count for a site. This setting only applies to the Elastic plans.

          • minTlsVersion optional - string

            Configures the minimum TLS version required for HTTPS requests to the app; 1.2 or newer is the sensible floor.

          • netFrameworkVersion optional - string

            .NET Framework version.

          • nodeVersion optional - string

            Version of Node.js.

          • numberOfWorkers optional - integer

            Number of workers.

          • phpVersion optional - string

            Version of PHP.

          • powerShellVersion optional - string

            Version of PowerShell.

          • preWarmedInstanceCount optional - integer

            Number of pre-warmed instances. This setting only applies to the Consumption and Elastic plans.

          • publicNetworkAccess optional - string

            Allows or blocks all public traffic (Enabled or Disabled).

          • publishingUsername optional - string

            Publishing user name.

          • push optional
              • kind optional - string

                Kind of resource.

              • properties optional
                  • dynamicTagsJson optional - string

                    Gets or sets a JSON string containing a list of dynamic tags that will be evaluated from user claims in the push registration endpoint.

                  • isPushEnabled required - boolean

                    Gets or sets a flag indicating whether the Push endpoint is enabled.

                  • tagsRequiringAuth optional - string

                    Gets or sets a JSON string containing a list of tags that require user authentication to be used in the push registration endpoint. Tags can consist of alphanumeric characters and the following: '_', '@', '#', '.', ':', '-'. Validation should be performed at the PushRequestHandler.

                  • tagWhitelistJson optional - string

                    Gets or sets a JSON string containing a list of tags that are whitelisted for use by the push registration endpoint.

          • pythonVersion optional - string

            Version of Python.

          • remoteDebuggingEnabled optional - boolean

            true if remote debugging is enabled; otherwise, false. Leave this false in production; the debugger endpoint exposes the worker process.

          • remoteDebuggingVersion optional - string

            Remote debugging version.

          • requestTracingEnabled optional - boolean

            true if request tracing is enabled; otherwise, false.

          • requestTracingExpirationTime optional - string

            Request tracing expiration time.

          • scmIpSecurityRestrictions optional array
              • action optional - string

                Allow or Deny access for this IP range.

              • description optional - string

                IP restriction rule description.

              • headers optional - object

                IP restriction rule headers for the SCM site: a map from header name to the list of allowed values. Supported headers and their matching logic:

                X-Forwarded-Host (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host#Examples):
                • If the property is null or empty (default), all hosts (or the lack of one) are allowed.
                • A value is compared using ordinal-ignore-case (excluding the port number).
                • Subdomain wildcards are permitted but don't match the root domain. For example, *.contoso.com matches the subdomain foo.contoso.com but not the root domain contoso.com or the multi-level foo.bar.contoso.com.
                • Unicode host names are allowed but are converted to Punycode for matching.

                X-Forwarded-For (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#Examples):
                • If the property is null or empty (default), any forwarded-for chain (or the lack of one) is allowed.
                • The rule matches if any address (excluding the port number) in the comma-separated chain falls within a CIDR defined by the property.

                X-Azure-FDID and X-FD-HealthProbe: exact match.

              • ipAddress optional - string

                IP address the security restriction is valid for. It can be a pure IPv4 address (in which case the subnetMask property is required) or CIDR notation such as ipv4/mask (leading-bit match). For CIDR, the subnetMask property must not be specified.

              • name optional - string

                IP restriction rule name.

              • priority optional - integer

                Priority of IP restriction rule.

              • subnetMask optional - string

                Subnet mask for the range of IP addresses the restriction is valid for.

              • subnetTrafficTag optional - integer

                (internal) Subnet traffic tag

              • tag optional - string

                Defines what this IP filter will be used for. This is to support IP filtering on proxies.

              • vnetSubnetResourceId optional - string

                Virtual network subnet resource ID.

              • vnetTrafficTag optional - integer

                (internal) Vnet traffic tag

          • scmIpSecurityRestrictionsUseMain optional - boolean

            true to apply the main site's ipSecurityRestrictions to the SCM (Kudu) site as well. Without this, or without scmIpSecurityRestrictions of its own, the SCM site stays reachable even when the main site is locked down.

          • scmMinTlsVersion optional - string

            Configures the minimum TLS version required for HTTPS requests to the SCM (Kudu) site; keep it at least as strict as minTlsVersion.

          • scmType optional - string

            SCM type.

          • tracingOptions optional - string

            Tracing options.

          • use32BitWorkerProcess optional - boolean

            true to use a 32-bit worker process; otherwise, false.

          • virtualApplications optional array
              • physicalPath optional - string

                Physical path.

              • preloadEnabled optional - boolean

                true if preloading is enabled; otherwise, false.

              • virtualDirectories optional array
                  • physicalPath optional - string

                    Physical path.

                  • virtualPath optional - string

                    Path to virtual application.

              • virtualPath optional - string

                Virtual path.

          • vnetName optional - string

            Virtual Network name.

          • vnetPrivatePortsCount optional - integer

            The number of private ports assigned to this app. These will be assigned dynamically on runtime.

          • vnetRouteAllEnabled optional - boolean

            Virtual Network Route All enabled. This causes all outbound traffic to have Virtual Network Security Groups and User Defined Routes applied.

          • websiteTimeZone optional - string

            Sets the time zone a site uses for generating timestamps. Compatible with Linux and Windows App Service. Setting the WEBSITE_TIME_ZONE app setting takes precedence over this config. For Linux, expects tz database values https://www.iana.org/time-zones (for a quick reference see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). For Windows, expects one of the time zones listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

          • webSocketsEnabled optional - boolean

            true if WebSocket is enabled; otherwise, false.

          • windowsFxVersion optional - string

            Windows container (formerly Xenon) framework and version.

          • xManagedServiceIdentityId optional - integer

            Explicit Managed Service Identity Id

      • storageAccountRequired optional - boolean

        Whether a customer-provided storage account is required.

      • virtualNetworkSubnetId optional - string

        Azure Resource Manager ID of the Virtual network and subnet to be joined by Regional VNET Integration. This must be of the form /subscriptions/{subscriptionName}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}

  • tags optional - object (map of string keys to string values)

    Resource tags.

  • type required - string

    The resource type; for a web app this is Microsoft.Web/sites.
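
To tie the security-relevant properties above together, here is an added example (not from the page or from Microsoft) that audits a Microsoft.Web/sites resource for httpsOnly, minTlsVersion, scmMinTlsVersion, ftpsState, remoteDebuggingEnabled, publicNetworkAccess, ipSecurityRestrictions and scmIpSecurityRestrictionsUseMain, showing a weak template beside its hardened form. Both templates are constructed samples: the app name and the Front Door ID are placeholders, and treating a missing publicNetworkAccess as Enabled is an assumption.

```python
"""Audit a Microsoft.Web/sites ARM resource for the weak settings documented above.

Added example; the templates below are constructed samples, not real deployments.
"""
import json

# Constructed sample: every documented knob left at its permissive value.
WEAK_SITE = json.loads("""
{
  "type": "Microsoft.Web/sites",
  "name": "contoso-web",
  "properties": {
    "httpsOnly": false,
    "siteConfig": {
      "minTlsVersion": "1.0",
      "scmMinTlsVersion": "1.0",
      "ftpsState": "AllAllowed",
      "remoteDebuggingEnabled": true,
      "publicNetworkAccess": "Enabled",
      "ipSecurityRestrictions": [],
      "scmIpSecurityRestrictionsUseMain": false
    }
  }
}
""")

# Constructed sample: the same app hardened. The Front Door ID is a placeholder.
HARDENED_SITE = json.loads("""
{
  "type": "Microsoft.Web/sites",
  "name": "contoso-web",
  "properties": {
    "httpsOnly": true,
    "siteConfig": {
      "minTlsVersion": "1.2",
      "scmMinTlsVersion": "1.2",
      "ftpsState": "Disabled",
      "remoteDebuggingEnabled": false,
      "publicNetworkAccess": "Enabled",
      "ipSecurityRestrictions": [
        {"name": "front-door-only", "priority": 100, "action": "Allow",
         "ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag",
         "headers": {"x-azure-fdid": ["<your-front-door-id>"]}},
        {"name": "deny-all", "priority": 2147483647, "action": "Deny",
         "ipAddress": "Any"}
      ],
      "scmIpSecurityRestrictionsUseMain": true
    }
  }
}
""")


def tls_at_least_1_2(version) -> bool:
    """True for "1.2", "1.3", ...; False for older, missing or unparseable values."""
    try:
        major, minor = (int(p) for p in str(version).split("."))
    except ValueError:
        return False
    return (major, minor) >= (1, 2)


def audit_site(resource: dict) -> list:
    """Return one finding string per weak setting; an empty list means clean."""
    props = resource.get("properties", {})
    cfg = props.get("siteConfig", {})
    findings = []

    if props.get("httpsOnly") is not True:
        findings.append("httpsOnly is not true: plain-HTTP requests are served")

    for key in ("minTlsVersion", "scmMinTlsVersion"):
        if not tls_at_least_1_2(cfg.get(key)):
            findings.append(f"{key} is {cfg.get(key)!r}: pin it to 1.2 or newer")

    if cfg.get("ftpsState") != "Disabled":
        findings.append(f"ftpsState is {cfg.get('ftpsState')!r}: "
                        "the FTP/FTPS deployment endpoint is reachable")

    if cfg.get("remoteDebuggingEnabled") is True:
        findings.append("remoteDebuggingEnabled is true: debugger endpoint exposed")

    rules = cfg.get("ipSecurityRestrictions") or []
    # Assumption: an absent publicNetworkAccess behaves as Enabled.
    if cfg.get("publicNetworkAccess", "Enabled") == "Enabled" and not any(
            r.get("action") == "Deny" for r in rules):
        findings.append("publicNetworkAccess is Enabled with no Deny rule in "
                        "ipSecurityRestrictions: any source IP can reach the app")

    if not cfg.get("scmIpSecurityRestrictions") and \
            cfg.get("scmIpSecurityRestrictionsUseMain") is not True:
        findings.append("SCM (Kudu) site has no IP restrictions and does not "
                        "inherit the main site's (scmIpSecurityRestrictionsUseMain)")

    return findings


if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        found = audit_site(site)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run it as a script to print the findings for both templates, or import audit_site into a CI step that loads the real template; the hardened sample keeps publicNetworkAccess Enabled but closes the app to everything except Front Door, and the final Deny rule is what the publicNetworkAccess check looks for.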

Frequently asked questions

What is Azure App Service (Web Apps) Windows Web App?

Azure App Service (Web Apps) Windows Web App is a resource for App Service (Web Apps) of Microsoft Azure. Settings can be written in Terraform or in an Azure Resource Manager template.