Azure Container Group
This page shows how to write Terraform and Azure Resource Manager definitions for Azure Container Group, and how to write them securely.
azurerm_container_group (Terraform)
An Azure Container Group can be configured in Terraform with the resource name azurerm_container_group. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_container_group" "common-instances" {
  for_each            = var.common_instance
  name                = each.value.name
  location            = azurerm_resource_group.rg_splunk.location
  resource_group_name = azurerm_resource_group.rg_splunk.name
  ip_address_type     = "public"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "tfcg_test" {
  name                = "yogissvcgrp"
  location            = azurerm_resource_group.tf_test.location
  resource_group_name = azurerm_resource_group.tf_test.name
  ip_address_type     = "public"
  dns_name_label      = "yogisapis"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "tfcg_amazingrace" {
  name                = "amazingracebill"
  location            = azurerm_resource_group.tf_amazingrace.location
  resource_group_name = azurerm_resource_group.tf_amazingrace.name
  ip_address_type     = "public"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "weatherforecast-api" {
  name                = "weatherforecast-api"
  location            = var.LOCATION
  resource_group_name = var.RESOURCE_GROUP_NAME
  ip_address_type     = "private"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "aci" {
  name                = "aci-sitetreinamentotf"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  ip_address_type     = "public"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "hide_n_seek_containers" {
  name                = "HideNSeekContainer"
  location            = azurerm_resource_group.hide_n_seek.location
  resource_group_name = azurerm_resource_group.hide_n_seek.name
  # can be accessed via hidenseek.eastus.azurecontainer.io
  dns_name_label      = "hidenseek"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "container_group1" {
  count               = var.container_group1_count
  name                = var.container_group1_name
  location            = azurerm_resource_group.container_rg.location
  resource_group_name = azurerm_resource_group.container_rg.name
  ip_address_type     = var.ip_address_type
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "tfcg_test" {
  name                = "weatherapi"
  location            = azurerm_resource_group.tf_test.location
  resource_group_name = azurerm_resource_group.tf_test.name
  ip_address_type     = "public"
  # ... (remaining arguments not included in the excerpt)
}

resource "azurerm_container_group" "tfcg_test" {
  name                = "weatherapi"
  location            = azurerm_resource_group.tf_test.location
  resource_group_name = azurerm_resource_group.tf_test.name
  ip_address_type     = "public"
  # ... (remaining arguments not included in the excerpt)
}
Parameters

dns_name_label (optional) - string
fqdn (optional, computed) - string
id (optional, computed) - string
ip_address (optional, computed) - string
ip_address_type (optional) - string
location (required) - string
name (required) - string
network_profile_id (optional) - string
os_type (required) - string
resource_group_name (required) - string
restart_policy (optional) - string
tags (optional) - map from string to string
container (list block)
  commands (optional, computed) - list of string
  cpu (required) - number
  environment_variables (optional) - map from string to string
  image (required) - string
  memory (required) - number
  name (required) - string
  secure_environment_variables (optional) - map from string to string
  gpu (list block)
  liveness_probe (list block)
    exec (optional) - list of string
    failure_threshold (optional) - number
    initial_delay_seconds (optional) - number
    period_seconds (optional) - number
    success_threshold (optional) - number
    timeout_seconds (optional) - number
    http_get (list block)
  ports (set block)
  readiness_probe (list block)
    exec (optional) - list of string
    failure_threshold (optional) - number
    initial_delay_seconds (optional) - number
    period_seconds (optional) - number
    success_threshold (optional) - number
    timeout_seconds (optional) - number
    http_get (list block)
  volume (list block)
    empty_dir (optional) - bool
    mount_path (required) - string
    name (required) - string
    read_only (optional) - bool
    secret (optional) - map from string to string
    share_name (optional) - string
    storage_account_key (optional) - string
    storage_account_name (optional) - string
    git_repo (list block)
diagnostics (list block)
  log_analytics (list block)
    log_type (optional) - string
    metadata (optional) - map from string to string
    workspace_id (required) - string
    workspace_key (required) - string
dns_config (list block)
  nameservers (required) - list of string
  options (required) - set of string
  search_domains (required) - set of string
identity (list block)
  identity_ids (optional) - list of string
  principal_id (optional, computed) - string
  type (required) - string
image_registry_credential (list block)
timeouts (single block)
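The arguments from the list above that carry the most security weight (private addressing, secret handling, registry credentials, read-only mounts, diagnostics), brought together in one configuration. This is an added example, not one of the GitHub snippets above; it assumes the resource group (rg), network profile (aci), storage share and account, Log Analytics workspace (law) and the variables acr_username, acr_password and db_password are declared elsewhere with sensitive = true, and the registry name and image digest are placeholders.

```hcl
resource "azurerm_container_group" "hardened" {
  name                = "app-hardened"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  os_type             = "Linux"

  # Private IP inside a VNet rather than a public address with a DNS label.
  ip_address_type    = "Private"
  network_profile_id = azurerm_network_profile.aci.id

  # Registry credentials come from variables declared sensitive = true, not literals.
  image_registry_credential {
    server   = "myregistry.azurecr.io" # hypothetical registry
    username = var.acr_username
    password = var.acr_password
  }

  container {
    name   = "app"
    image  = "myregistry.azurecr.io/app@sha256:<image-digest>" # pinned by digest; placeholder
    cpu    = "0.5"
    memory = "1.0"

    # Non-secret settings here; the API returns these values in plain text.
    environment_variables = {
      LOG_LEVEL = "info"
    }
    # Secrets go in the secure variant, which the API does not return.
    secure_environment_variables = {
      DB_PASSWORD = var.db_password
    }

    # Azure Files share mounted read-only: the workload cannot rewrite its config.
    volume {
      name                 = "config"
      mount_path           = "/etc/app"
      read_only            = true
      share_name           = azurerm_storage_share.config.name
      storage_account_name = azurerm_storage_account.sa.name
      storage_account_key  = azurerm_storage_account.sa.primary_access_key
    }
  }
  # Ship container logs to Log Analytics so access and failures are observable.
  diagnostics {
    log_analytics {
      workspace_id  = azurerm_log_analytics_workspace.law.workspace_id
      workspace_key = azurerm_log_analytics_workspace.law.primary_shared_key
    }
  }
}
```

The Azure Resource Manager section below exposes the same controls as ipAddress.type, secureValue, readOnly, imageRegistryCredentials and diagnostics.logAnalytics.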
Explanation in Terraform Registry
Manages an Azure Container Group instance.
Tips: Best Practices for The Other Azure Container Resources
Besides azurerm_kubernetes_cluster, Azure Container has other resources that should be configured with security in mind. The following examples cover those resources and their precautions.
azurerm_kubernetes_cluster
Ensure that logging is enabled for AKS
It is better to enable AKS logging to Azure Monitoring. This provides useful information about access and usage.
Microsoft.ContainerInstance/containerGroups (Azure Resource Manager)
Container groups in Microsoft.ContainerInstance can be configured in Azure Resource Manager with the resource type Microsoft.ContainerInstance/containerGroups. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
(excerpt; the remainder of the template is not included in the source)
Parameters

apiVersion (required) - string
identity (optional)
  type (optional) - string: The type of identity used for the container group. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the container group.
  userAssignedIdentities (optional) - undefined: The list of user identities associated with the container group. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
location (optional) - string: The resource location.
name (required) - string: The name of the container group.
properties (required)
  containers (required) - array
    name (required) - string: The user-provided name of the container instance.
    properties (required)
      command (optional) - array: The commands to execute within the container instance in exec form.
      environmentVariables (optional) - array
        name (required) - string: The name of the environment variable.
        secureValue (optional) - string: The value of the secure environment variable.
        value (optional) - string: The value of the environment variable.
      image (required) - string: The name of the image used to create the container instance.
      livenessProbe (optional)
        exec (optional)
          command (optional) - array: The commands to execute within the container.
        failureThreshold (optional) - integer: The failure threshold.
        httpGet (optional)
          httpHeaders (optional) - array
            name (optional) - string: The header name.
            value (optional) - string: The header value.
          path (optional) - string: The path to probe.
          port (required) - integer: The port number to probe.
          scheme (optional) - string: The scheme.
        initialDelaySeconds (optional) - integer: The initial delay seconds.
        periodSeconds (optional) - integer: The period seconds.
        successThreshold (optional) - integer: The success threshold.
        timeoutSeconds (optional) - integer: The timeout seconds.
      ports (optional) - array
        port (required) - integer: The port number exposed within the container group.
        protocol (optional) - string: The protocol associated with the port.
      readinessProbe (optional)
        exec (optional)
          command (optional) - array: The commands to execute within the container.
        failureThreshold (optional) - integer: The failure threshold.
        httpGet (optional)
          httpHeaders (optional) - array
            name (optional) - string: The header name.
            value (optional) - string: The header value.
          path (optional) - string: The path to probe.
          port (required) - integer: The port number to probe.
          scheme (optional) - string: The scheme.
        initialDelaySeconds (optional) - integer: The initial delay seconds.
        periodSeconds (optional) - integer: The period seconds.
        successThreshold (optional) - integer: The success threshold.
        timeoutSeconds (optional) - integer: The timeout seconds.
      volumeMounts (optional) - array
        mountPath (required) - string: The path within the container where the volume should be mounted. Must not contain colon (:).
        name (required) - string: The name of the volume mount.
        readOnly (optional) - boolean: The flag indicating whether the volume mount is read-only.
  diagnostics (optional)
    logAnalytics (optional)
      logType (optional) - string: The log type to be used.
      metadata (optional) - string: Metadata for log analytics.
      workspaceId (required) - string: The workspace id for log analytics.
      workspaceKey (required) - string: The workspace key for log analytics.
      workspaceResourceId (optional) - string: The workspace resource id for log analytics.
  dnsConfig (optional)
    nameServers (required) - array: The DNS servers for the container group.
    options (optional) - string: The DNS options for the container group.
    searchDomains (optional) - string: The DNS search domains for hostname lookup in the container group.
  encryptionProperties (optional)
    keyName (required) - string: The encryption key name.
    keyVersion (required) - string: The encryption key version.
    vaultBaseUrl (required) - string: The keyvault base url.
  imageRegistryCredentials (optional) - array
    identity (optional) - string: The identity for the private registry.
    identityUrl (optional) - string: The identity URL for the private registry.
    password (optional) - string: The password for the private registry.
    server (required) - string: The Docker image registry server without a protocol such as "http" and "https".
    username (required) - string: The username for the private registry.
  initContainers (optional) - array
    name (required) - string: The name for the init container.
    properties (required)
      command (optional) - array: The command to execute within the init container in exec form.
      environmentVariables (optional) - array
        name (required) - string: The name of the environment variable.
        secureValue (optional) - string: The value of the secure environment variable.
        value (optional) - string: The value of the environment variable.
      image (optional) - string: The image of the init container.
      volumeMounts (optional) - array
        mountPath (required) - string: The path within the container where the volume should be mounted. Must not contain colon (:).
        name (required) - string: The name of the volume mount.
        readOnly (optional) - boolean: The flag indicating whether the volume mount is read-only.
  ipAddress (optional)
    dnsNameLabel (optional) - string: The DNS name label for the IP.
    ip (optional) - string: The IP exposed to the public internet.
    ports (required) - array
      port (required) - integer: The port number.
      protocol (optional) - string: The protocol associated with the port.
    type (required) - string: Specifies if the IP is exposed to the public internet or private VNET.
  osType (required) - string: The operating system type required by the containers in the container group.
  restartPolicy (optional) - string: Restart policy for all containers within the container group. Always: always restart. OnFailure: restart on failure. Never: never restart.
  sku (optional) - string: The SKU for a container group.
  subnetIds (optional) - array
    id (required) - string: Resource ID of virtual network and subnet.
    name (optional) - string: Friendly name for the subnet.
  volumes (optional) - array
    azureFile (optional)
      readOnly (optional) - boolean: The flag indicating whether the Azure File share mounted as a volume is read-only.
      shareName (required) - string: The name of the Azure File share to be mounted as a volume.
      storageAccountKey (optional) - string: The storage account access key used to access the Azure File share.
      storageAccountName (required) - string: The name of the storage account that contains the Azure File share.
    emptyDir (optional) - object: The empty directory volume.
    gitRepo (optional)
      directory (optional) - string: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.
      repository (required) - string: Repository URL.
      revision (optional) - string: Commit hash for the specified revision.
    name (required) - string: The name of the volume.
    secret (optional) - string: The secret volume.
tags (optional) - string: The resource tags.
type (required) - string
zones (optional) - array: The zones for the container group.
Frequently asked questions
What is Azure Container Group?
Azure Container Group is a Container resource of Microsoft Azure. Its settings can be written in Terraform.
Where can I find the example code for the Azure Container Group?
For Terraform, the walsung/tf-splunk-az, upendra409/reset and binarythistle/Terraform-Multi-Cloud source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the scautomation/Azure-Inventory-Workbook, ryanmrestivo/cloud-security-research-and-governance and VJchand-star/Azure source code examples are useful. See the Azure Resource Manager Example section for further details.