Azure Container Group
This page shows how to write Terraform and Azure Resource Manager templates for an Azure Container Group (Azure Container Instances), and how to write them securely.
azurerm_container_group (Terraform)
A container group can be configured in Terraform with the resource name azurerm_container_group. The following sections show example excerpts of the resource taken from public GitHub repositories and list its parameters.
Example Usage from GitHub
resource "azurerm_container_group" "common-instances" {
  for_each            = var.common_instance
  name                = each.value.name
  location            = azurerm_resource_group.rg_splunk.location
  resource_group_name = azurerm_resource_group.rg_splunk.name
  ip_address_type     = "public"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "tfcg_test" {
  name                = "yogissvcgrp"
  location            = azurerm_resource_group.tf_test.location
  resource_group_name = azurerm_resource_group.tf_test.name
  ip_address_type     = "public"
  dns_name_label      = "yogisapis"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "tfcg_amazingrace" {
  name                = "amazingracebill"
  location            = azurerm_resource_group.tf_amazingrace.location
  resource_group_name = azurerm_resource_group.tf_amazingrace.name
  ip_address_type     = "public"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "weatherforecast-api" {
  name                = "weatherforecast-api"
  location            = var.LOCATION
  resource_group_name = var.RESOURCE_GROUP_NAME
  ip_address_type     = "private"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "aci" {
  name                = "aci-sitetreinamentotf"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  ip_address_type     = "public"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "hide_n_seek_containers" {
  name                = "HideNSeekContainer"
  location            = azurerm_resource_group.hide_n_seek.location
  resource_group_name = azurerm_resource_group.hide_n_seek.name
  # can be accessed via hidenseek.eastus.azurecontainer.io
  dns_name_label      = "hidenseek"
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "container_group1" {
  count               = var.container_group1_count
  name                = var.container_group1_name
  location            = azurerm_resource_group.container_rg.location
  resource_group_name = azurerm_resource_group.container_rg.name
  ip_address_type     = var.ip_address_type
  # ... os_type and container blocks omitted in this excerpt
}

resource "azurerm_container_group" "tfcg_test" {
  name                = "weatherapi"
  location            = azurerm_resource_group.tf_test.location
  resource_group_name = azurerm_resource_group.tf_test.name
  ip_address_type     = "public"
  # ... os_type and container blocks omitted in this excerpt
}

Note that most of these excerpts set ip_address_type = "public", which gives the container group an internet-facing IP for every port declared in its ports blocks and, with dns_name_label, a public hostname under azurecontainer.io. Use "private" together with network_profile_id for workloads that should only be reachable inside a virtual network, and keep credentials in secure_environment_variables rather than environment_variables.
Parameters

dns_name_label: optional - string
fqdn: optional, computed - string
id: optional, computed - string
ip_address: optional, computed - string
ip_address_type: optional - string ("public" exposes the group to the internet; "private" keeps it inside a VNet)
location: required - string
name: required - string
network_profile_id: optional - string (required for private networking)
os_type: required - string
resource_group_name: required - string
restart_policy: optional - string
tags: optional - map from string to string

container (list block):
  commands: optional, computed - list of string
  cpu: required - number
  environment_variables: optional - map from string to string (stored in plain text in state and plan output, and returned by the ACI API)
  image: required - string
  memory: required - number
  name: required - string
  secure_environment_variables: optional - map from string to string (marked sensitive by the provider; values are not returned by the ACI API)
  gpu (list block)
  liveness_probe (list block):
    exec: optional - list of string
    failure_threshold: optional - number
    initial_delay_seconds: optional - number
    period_seconds: optional - number
    success_threshold: optional - number
    timeout_seconds: optional - number
    http_get (list block)
  ports (set block)
  readiness_probe (list block):
    exec: optional - list of string
    failure_threshold: optional - number
    initial_delay_seconds: optional - number
    period_seconds: optional - number
    success_threshold: optional - number
    timeout_seconds: optional - number
    http_get (list block)
  volume (list block):
    empty_dir: optional - bool
    mount_path: required - string
    name: required - string
    read_only: optional - bool
    secret: optional - map from string to string
    share_name: optional - string
    storage_account_key: optional - string (written to state; treat the state file as a secret)
    storage_account_name: optional - string
    git_repo (list block)

diagnostics (list block):
  log_analytics (list block):
    log_type: optional - string
    metadata: optional - map from string to string
    workspace_id: required - string
    workspace_key: required - string

dns_config (list block):
  nameservers: required - list of string
  options: required - set of string
  search_domains: required - set of string

identity (list block):
  identity_ids: optional - list of string
  principal_id: optional, computed - string
  type: required - string

image_registry_credential (list block)

timeouts (single block)
Explanation in Terraform Registry
Manages an Azure Container Group instance.
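The parameters above decide whether a container group is reachable from the internet and where its secrets end up. The following policy check is an added example for this page, not code from the Terraform provider or from any repository cited here. It reads the JSON that `terraform show -json tfplan` produces and flags the settings that matter: a public ip_address_type, credential-looking names in environment_variables instead of secure_environment_variables, a storage_account_key or registry password that will land in state, writable Azure Files mounts, and a missing diagnostics block. The function names, the secret-name heuristic and the sample plan (including every ID in it) are constructed for the example; the hardened group in the sample assumes image pulls via the user-assigned identity, so its image_registry_credential list is empty.

```python
"""Policy checks for azurerm_container_group in a Terraform plan (added example).

Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
       python check_aci_plan.py plan.json
The sample plan at the bottom is constructed for this page; it is not taken from
any repository cited above, and every ID in it is a placeholder.
"""
import json
import re
import sys

# Heuristic: variable names that usually carry a credential (false positives are possible).
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|KEY$|CONN(ECTION)?_?STR", re.I)


def check_container_group(values):
    """Return (severity, message) findings for one azurerm_container_group's planned values."""
    findings = []
    name = values.get("name", "<unnamed>")

    # "public" gives the group an internet-facing IP for every port in ports{};
    # "private" keeps it inside the VNet referenced by network_profile_id.
    if (values.get("ip_address_type") or "public").lower() == "public":
        findings.append(("HIGH", f"{name}: ip_address_type is public; prefer private with a VNet"))

    for c in values.get("container") or []:
        cname = c.get("name")
        # environment_variables are plain text in state and plan files and are returned
        # by the ACI API; secure_environment_variables are not.
        for key in c.get("environment_variables") or {}:
            if SECRET_NAME.search(key):
                findings.append(("HIGH", f"{name}/{cname}: {key} is in environment_variables; move it to secure_environment_variables"))
        for v in c.get("volume") or []:
            # A writable Azure Files share lets a compromised container tamper with shared data.
            if v.get("share_name") and not v.get("read_only"):
                findings.append(("MEDIUM", f"{name}/{cname}: Azure Files volume {v.get('name')} is mounted read-write"))
            # The storage key is written to state; scope state access and rotate the key accordingly.
            if v.get("storage_account_key"):
                findings.append(("MEDIUM", f"{name}/{cname}: volume {v.get('name')} embeds storage_account_key in state"))

    # A registry password also lands in state; identity-based pull avoids the secret entirely.
    for cred in values.get("image_registry_credential") or []:
        if cred.get("password"):
            findings.append(("MEDIUM", f"{name}: image_registry_credential for {cred.get('server')} uses a password"))

    # Without a log_analytics sink there is no retained stdout/stderr to investigate later.
    if not values.get("diagnostics"):
        findings.append(("LOW", f"{name}: no diagnostics.log_analytics block"))
    return findings


def check_plan(plan):
    """Run the checks over every azurerm_container_group in `terraform show -json` output."""
    findings = []
    for r in plan["planned_values"]["root_module"].get("resources", []):
        if r.get("type") == "azurerm_container_group":
            findings.extend(check_container_group(r.get("values") or {}))
    return findings


# Constructed sample: one group with the weak settings, then a hardened one (IDs are fake).
SAMPLE_PLAN = json.loads(r"""
{ "format_version": "1.0",
  "planned_values": { "root_module": { "resources": [
    { "address": "azurerm_container_group.api", "type": "azurerm_container_group", "name": "api",
      "values": {
        "name": "weatherapi", "os_type": "Linux", "ip_address_type": "public", "diagnostics": [],
        "image_registry_credential": [{"server": "example.azurecr.io", "username": "svc", "password": "fake-password"}],
        "container": [{"name": "api", "image": "example.azurecr.io/api:1.0", "cpu": 0.5, "memory": 1,
          "environment_variables": {"DB_PASSWORD": "fake-secret", "LOG_LEVEL": "info"},
          "secure_environment_variables": null,
          "volume": [{"name": "data", "mount_path": "/data", "share_name": "data", "read_only": false,
                      "storage_account_name": "stexample", "storage_account_key": "fake-key"}] }] } },
    { "address": "azurerm_container_group.api_private", "type": "azurerm_container_group", "name": "api_private",
      "values": {
        "name": "weatherapi-private", "os_type": "Linux", "ip_address_type": "private",
        "network_profile_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/networkProfiles/aci",
        "identity": [{"type": "UserAssigned", "identity_ids": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aci-pull"]}],
        "image_registry_credential": [],
        "diagnostics": [{"log_analytics": [{"workspace_id": "00000000-0000-0000-0000-000000000000", "workspace_key": "fake-workspace-key"}]}],
        "container": [{"name": "api", "image": "example.azurecr.io/api:1.0", "cpu": 0.5, "memory": 1,
          "environment_variables": {"LOG_LEVEL": "info"},
          "secure_environment_variables": {"DB_PASSWORD": "fake-secret"},
          "volume": [{"name": "scratch", "mount_path": "/scratch", "empty_dir": true, "read_only": false}] }] } }
  ] } } }
""")

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for sev, msg in check_plan(plan):
        print(f"[{sev}] {msg}")
```

Run against the built-in sample, the weak group produces six findings and the hardened group none. The check only inspects planned_values of the root module; modules would need the same walk over child_modules.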
Tips: Best Practices for The Other Azure Container Resources
In addition to azurerm_container_group, Azure has other container resources that should be configured with security in mind. One example of such a resource and its precaution:
azurerm_kubernetes_cluster
Ensure logging is enabled for AKS
Enable AKS logging to Azure Monitor. This provides useful information regarding access and usage, and it is the data an incident responder will need after the fact.
Microsoft.ContainerInstance/containerGroups (Azure Resource Manager)
A container group can be configured in Azure Resource Manager with the resource type Microsoft.ContainerInstance/containerGroups. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
The cited templates are excerpted only as far as the start of their parameters section; the fragment below is that excerpt (closed so that it parses), not the containerGroups resource itself.

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string"
    }
  }
}
Parameters

apiVersion: required - string
identity (optional):
  type: optional - string. The type of identity used for the container group. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the container group.
  userAssignedIdentities: optional - object. The user identities associated with the container group. The dictionary keys are ARM resource IDs in the form '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
location: optional - string. The resource location.
name: required - string. The name of the container group.
properties (required):
  containers (required array):
    name: required - string. The user-provided name of the container instance.
    properties (required):
      command: optional - array. The commands to execute within the container instance in exec form.
      environmentVariables (optional array):
        name: required - string. The name of the environment variable.
        secureValue: optional - string. The value of the secure environment variable. Secure values are not returned when the resource is read and are not shown in the portal; use this for credentials.
        value: optional - string. The value of the environment variable. Plain values are visible to anyone who can read the container group.
      image: required - string. The name of the image used to create the container instance.
      livenessProbe (optional):
        exec (optional):
          command: optional - array. The commands to execute within the container.
        failureThreshold: optional - integer. The failure threshold.
        httpGet (optional):
          httpHeaders (optional array):
            name: optional - string. The header name.
            value: optional - string. The header value.
          path: optional - string. The path to probe.
          port: required - integer. The port number to probe.
          scheme: optional - string. The scheme.
        initialDelaySeconds: optional - integer. The initial delay seconds.
        periodSeconds: optional - integer. The period seconds.
        successThreshold: optional - integer. The success threshold.
        timeoutSeconds: optional - integer. The timeout seconds.
      ports (optional array):
        port: required - integer. The port number exposed within the container group.
        protocol: optional - string. The protocol associated with the port.
      readinessProbe (optional):
        exec (optional):
          command: optional - array. The commands to execute within the container.
        failureThreshold: optional - integer. The failure threshold.
        httpGet (optional):
          httpHeaders (optional array):
            name: optional - string. The header name.
            value: optional - string. The header value.
          path: optional - string. The path to probe.
          port: required - integer. The port number to probe.
          scheme: optional - string. The scheme.
        initialDelaySeconds: optional - integer. The initial delay seconds.
        periodSeconds: optional - integer. The period seconds.
        successThreshold: optional - integer. The success threshold.
        timeoutSeconds: optional - integer. The timeout seconds.
      volumeMounts (optional array):
        mountPath: required - string. The path within the container where the volume should be mounted. Must not contain colon (:).
        name: required - string. The name of the volume mount.
        readOnly: optional - boolean. The flag indicating whether the volume mount is read-only.
  diagnostics (optional):
    logAnalytics (optional):
      logType: optional - string. The log type to be used.
      metadata: optional - object. Metadata for log analytics.
      workspaceId: required - string. The workspace id for log analytics.
      workspaceKey: required - string. The workspace key for log analytics. Pass it as a securestring parameter rather than a literal.
      workspaceResourceId: optional - string. The workspace resource id for log analytics.
  dnsConfig (optional):
    nameServers: required - array. The DNS servers for the container group.
    options: optional - string. The DNS options for the container group.
    searchDomains: optional - string. The DNS search domains for hostname lookup in the container group.
  encryptionProperties (optional):
    keyName: required - string. The encryption key name.
    keyVersion: required - string. The encryption key version.
    vaultBaseUrl: required - string. The keyvault base url.
  imageRegistryCredentials (optional array):
    identity: optional - string. The identity for the private registry. A user-assigned identity with pull rights avoids storing a registry password in the template.
    identityUrl: optional - string. The identity URL for the private registry.
    password: optional - string. The password for the private registry.
    server: required - string. The Docker image registry server without a protocol such as "http" and "https".
    username: required - string. The username for the private registry.
  initContainers (optional array):
    name: required - string. The name for the init container.
    properties (required):
      command: optional - array. The command to execute within the init container in exec form.
      environmentVariables (optional array):
        name: required - string. The name of the environment variable.
        secureValue: optional - string. The value of the secure environment variable.
        value: optional - string. The value of the environment variable.
      image: optional - string. The image of the init container.
      volumeMounts (optional array):
        mountPath: required - string. The path within the container where the volume should be mounted. Must not contain colon (:).
        name: required - string. The name of the volume mount.
        readOnly: optional - boolean. The flag indicating whether the volume mount is read-only.
  ipAddress (optional):
    dnsNameLabel: optional - string. The DNS name label for the IP.
    ip: optional - string. The IP exposed to the public internet.
    ports (required array):
      port: required - integer. The port number.
      protocol: optional - string. The protocol associated with the port.
    type: required - string. Specifies if the IP is exposed to the public internet ("Public") or a private VNet ("Private").
  osType: required - string. The operating system type required by the containers in the container group.
  restartPolicy: optional - string. Restart policy for all containers within the container group: Always (always restart), OnFailure (restart on failure), Never (never restart).
  sku: optional - string. The SKU for a container group.
  subnetIds (optional array):
    id: required - string. Resource ID of virtual network and subnet.
    name: optional - string. Friendly name for the subnet.
  volumes (optional array):
    azureFile (optional):
      readOnly: optional - boolean. The flag indicating whether the Azure File share mounted as a volume is read-only.
      shareName: required - string. The name of the Azure File share to be mounted as a volume.
      storageAccountKey: optional - string. The storage account access key used to access the Azure File share.
      storageAccountName: required - string. The name of the storage account that contains the Azure File share.
    emptyDir: optional - object. The empty directory volume.
    gitRepo (optional):
      directory: optional - string. Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.
      repository: required - string. Repository URL.
      revision: optional - string. Commit hash for the specified revision.
    name: required - string. The name of the volume.
    secret: optional - object. The secret volume.
tags: optional - object. The resource tags.
type: required - string
zones: optional - array. The zones for the container group.
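The ARM schema has two separate places where a secret can leak: the template's parameters section (a plain string parameter is recorded in deployment history) and the container's environmentVariables (a plain value is returned on every read of the resource, even when it was fed from a securestring parameter). The check below is an added example for this page, not code from Microsoft or from any template cited above. It walks a deployment template, resolves "[parameters('x')]" references back to the parameter declarations, and reports secrets that use value instead of secureValue, a Public ipAddress, a Private ipAddress without subnetIds, password-based imageRegistryCredentials, and a missing diagnostics block. The function names, the secret-name heuristic and the sample template (including its apiVersion and every ID in it) are constructed for the example.

```python
"""Policy checks for Microsoft.ContainerInstance/containerGroups in an ARM template (added example).

Usage: python check_aci_template.py azuredeploy.json
The sample template at the bottom is constructed for this page; it is not one of the
templates cited above, and every ID and apiVersion in it is a placeholder.
"""
import json
import re
import sys

CG_TYPE = "Microsoft.ContainerInstance/containerGroups"
# Heuristic: parameter / variable names that usually carry a credential (false positives are possible).
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|KEY$|CONN(ECTION)?_?STR", re.I)
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _is_secure_param(pdef):
    return pdef.get("type", "").lower() in ("securestring", "secureobject")


def _refers_to_secure_param(value, params):
    """True when value is "[parameters('x')]" and x is declared securestring/secureObject."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return bool(m) and _is_secure_param(params.get(m.group(1), {}))


def check_resource(res, params):
    """Findings for one containerGroups resource; params is the template's parameters section."""
    findings, name, props = [], res.get("name"), res.get("properties", {})
    ip = props.get("ipAddress") or {}
    ip_type = ip.get("type", "").lower()
    # Public allocates an internet-facing IP for every listed port; Private needs a VNet subnet.
    if ip_type == "public":
        ports = [p.get("port") for p in ip.get("ports", [])]
        findings.append(("HIGH", f"{name}: ipAddress.type Public exposes ports {ports} to the internet"))
    elif ip_type == "private" and not (props.get("subnetIds") or props.get("networkProfile")):
        findings.append(("HIGH", f"{name}: ipAddress.type Private but no subnetIds/networkProfile"))
    # A registry password is stored with the deployment; a managed identity with pull rights is not.
    for cred in props.get("imageRegistryCredentials", []):
        if cred.get("password") is not None and not cred.get("identity"):
            findings.append(("MEDIUM", f"{name}: registry {cred.get('server')} authenticates with a password; use identity"))
    for c in props.get("containers", []) + props.get("initContainers", []):
        cname = c.get("name")
        for ev in c.get("properties", {}).get("environmentVariables", []):
            if "value" not in ev:
                continue  # secureValue: not returned on read and not shown in the portal
            if _refers_to_secure_param(ev["value"], params):
                # securestring protects the deployment input, but "value" still exposes it on the resource.
                findings.append(("HIGH", f"{name}/{cname}: {ev['name']} copies a secure parameter into a plain value; use secureValue"))
            elif SECRET_NAME.search(ev["name"]):
                findings.append(("HIGH", f"{name}/{cname}: {ev['name']} looks like a secret but uses value; use secureValue"))
    if not props.get("diagnostics"):
        findings.append(("LOW", f"{name}: no diagnostics.logAnalytics; stdout/stderr will not be retained"))
    return findings


def check_template(template):
    """Run the checks over the parameters section and every containerGroups resource."""
    params = template.get("parameters", {})
    findings = []
    # securestring keeps the value out of deployment history and the portal's inputs view.
    for pname, pdef in params.items():
        if SECRET_NAME.search(pname) and not _is_secure_param(pdef):
            findings.append(("HIGH", f"parameter {pname}: type {pdef.get('type')}, should be securestring"))
    for res in template.get("resources", []):
        if res.get("type") == CG_TYPE:
            findings.extend(check_resource(res, params))
    return findings


# Constructed sample: a weak group followed by a hardened one (IDs are placeholders).
SAMPLE_TEMPLATE = json.loads(r"""
{ "contentVersion": "1.0.0.0",
  "parameters": {
    "dbPassword": {"type": "string"}, "registryPassword": {"type": "securestring"},
    "pullIdentityId": {"type": "string"}, "subnetId": {"type": "string"},
    "workspaceId": {"type": "string"}, "workspaceKey": {"type": "securestring"} },
  "resources": [
    { "type": "Microsoft.ContainerInstance/containerGroups", "apiVersion": "2021-10-01", "name": "weatherapi",
      "location": "eastus",
      "properties": {
        "osType": "Linux",
        "ipAddress": {"type": "Public", "ports": [{"protocol": "TCP", "port": 80}]},
        "imageRegistryCredentials": [{"server": "example.azurecr.io", "username": "svc",
                                      "password": "[parameters('registryPassword')]"}],
        "containers": [{"name": "api", "properties": {
          "image": "example.azurecr.io/api:1.0", "resources": {"requests": {"cpu": 0.5, "memoryInGB": 1}},
          "environmentVariables": [
            {"name": "DB_PASSWORD", "value": "[parameters('dbPassword')]"},
            {"name": "API_TOKEN", "value": "[parameters('registryPassword')]"},
            {"name": "LOG_LEVEL", "value": "info"} ] }}] } },
    { "type": "Microsoft.ContainerInstance/containerGroups", "apiVersion": "2021-10-01", "name": "weatherapi-private",
      "location": "eastus",
      "identity": {"type": "UserAssigned", "userAssignedIdentities": {"[parameters('pullIdentityId')]": {}}},
      "properties": {
        "osType": "Linux",
        "ipAddress": {"type": "Private", "ports": [{"protocol": "TCP", "port": 80}]},
        "subnetIds": [{"id": "[parameters('subnetId')]"}],
        "imageRegistryCredentials": [{"server": "example.azurecr.io", "identity": "[parameters('pullIdentityId')]"}],
        "diagnostics": {"logAnalytics": {"workspaceId": "[parameters('workspaceId')]",
                                         "workspaceKey": "[parameters('workspaceKey')]"}},
        "containers": [{"name": "api", "properties": {
          "image": "example.azurecr.io/api:1.0", "resources": {"requests": {"cpu": 0.5, "memoryInGB": 1}},
          "environmentVariables": [
            {"name": "DB_PASSWORD", "secureValue": "[parameters('dbPassword')]"},
            {"name": "LOG_LEVEL", "value": "info"} ] }}] } } ] }
""")

if __name__ == "__main__":
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for sev, msg in check_template(template):
        print(f"[{sev}] {msg}")
```

On the sample, the weak group yields five findings plus one for the plain-string dbPassword parameter, and the hardened group none. The parameter-reference check is deliberately strict: API_TOKEN is flagged even though it comes from a securestring, because once it is set through value the resource itself returns it to any reader.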
Frequently asked questions
What is Azure Container Group?
Azure Container Group is a Container resource of Microsoft Azure. Its settings can be written in Terraform or in Azure Resource Manager templates.
Where can I find the example code for the Azure Container Group?
For Terraform, the walsung/tf-splunk-az, upendra409/reset and binarythistle/Terraform-Multi-Cloud source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the scautomation/Azure-Inventory-Workbook, ryanmrestivo/cloud-security-research-and-governance and VJchand-star/Azure source code examples are useful. See the Azure Resource Manager Example section for further details.