web-site
This Terraform Azure Verified Module deploys: terraform-azurerm-avm-res-web-site
ipm add --package avm-terraform/web-site --version 0.18.0
Published: 29-07-2025
Project URL: https://ipmhub.io/avm-terraform
Package Type: Terraform
License: MIT
terraform-azurerm-avm-res-web-site
This is the module to deploy function apps in Azure.
NOTES:
- 0.13.0 supports azurerm 4.8 and later versions.
- For azurerm 4.x support, please use 0.12.x and later versions.
- For azurerm 3.x support, please use 0.11.x and prior versions.
Requirements
The following requirements are needed by this module:
- terraform (>= 1.9, < 2.0)
- azurerm (~> 4.0, >= 4.8.0, >= 4.21.1, < 5.0.0)
- modtm (~> 0.3)
- random (>= 3.5.0, < 4.0.0)
Resources
The following resources are used by this module:
- azurerm_app_service_certificate.this (resource)
- azurerm_app_service_custom_hostname_binding.this (resource)
- azurerm_app_service_slot_custom_hostname_binding.slot (resource)
- azurerm_application_insights.slot (resource)
- azurerm_application_insights.this (resource)
- azurerm_dns_cname_record.this (resource)
- azurerm_dns_txt_record.this (resource)
- azurerm_function_app_active_slot.this (resource)
- azurerm_function_app_flex_consumption.this (resource)
- azurerm_linux_function_app.this (resource)
- azurerm_linux_function_app_slot.this (resource)
- azurerm_linux_web_app.this (resource)
- azurerm_linux_web_app_slot.this (resource)
- azurerm_logic_app_standard.this (resource)
- azurerm_management_lock.pe (resource)
- azurerm_management_lock.slot (resource)
- azurerm_management_lock.this (resource)
- azurerm_monitor_diagnostic_setting.this (resource)
- azurerm_private_endpoint.slot (resource)
- azurerm_private_endpoint.slot_this_unmanaged_dns_zone_groups (resource)
- azurerm_private_endpoint.this (resource)
- azurerm_private_endpoint.this_unmanaged_dns_zone_groups (resource)
- azurerm_private_endpoint_application_security_group_association.slot (resource)
- azurerm_private_endpoint_application_security_group_association.this (resource)
- azurerm_role_assignment.pe (resource)
- azurerm_role_assignment.slot (resource)
- azurerm_role_assignment.slot_pe (resource)
- azurerm_role_assignment.this (resource)
- azurerm_web_app_active_slot.this (resource)
- azurerm_windows_function_app.this (resource)
- azurerm_windows_function_app_slot.this (resource)
- azurerm_windows_web_app.this (resource)
- azurerm_windows_web_app_slot.this (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azurerm_client_config.telemetry (data source)
- modtm_module_source.telemetry (data source)
Required Inputs
The following input variables are required:
kind
Description: The type of App Service to deploy. Possible values are functionapp, webapp and logicapp.
Type: string
location
Description: Azure region where the resource should be deployed.
Type: string
name
Description: The name which should be used for the Function App.
Type: string
os_type
Description: The operating system type, which must match the OS type of the App Service Plan the App Service is deployed in.
Type: string
resource_group_name
Description: The name of the Resource Group where the App Service will be deployed.
Type: string
service_plan_resource_id
Description: The resource ID of the App Service Plan to deploy the App Service in.
Type: string
Optional Inputs
The following input variables are optional (have default values):
all_child_resources_inherit_lock
Description: Should the Function App inherit the lock from the parent resource? Defaults to true.
Type: bool
Default: true
all_child_resources_inherit_tags
Description: Should the Function App inherit tags from the parent resource? Defaults to true.
Type: bool
Default: true
app_service_active_slot
Description: Object that sets the active slot for the App Service.
- slot_key - The key of the slot object to set as active.
- overwrite_network_config - Determines if the network configuration should be overwritten. Defaults to true.
Type:
object({
  slot_key = optional(string)
  overwrite_network_config = optional(bool, true)
})
Default: null
app_settings
Description: A map of key-value pairs for App Settings and custom values to assign to the Function App.
app_settings = {
  WEBSITE_NODE_DEFAULT_VERSION = "10.14.1"
  WEBSITE_TIME_ZONE = "Pacific Standard Time"
  WEB_CONCURRENCY = "1"
  WEBSITE_RUN_FROM_PACKAGE = "1"
  WEBSITE_ENABLE_SYNC_UPDATE_SITE = "true"
  WEBSITE_ENABLE_SYNC_UPDATE_SITE_LOCKED = "false"
  WEBSITE_NODE_DEFAULT_VERSION_LOCKED = "false"
  WEBSITE_TIME_ZONE_LOCKED = "false"
  WEB_CONCURRENCY_LOCKED = "false"
  WEBSITE_RUN_FROM_PACKAGE_LOCKED = "false"
}
Type: map(string)
Default: {}
application_insights
Description: The Application Insights settings to assign to the Function App.
- application_type: The type of Application Insights to create. Valid values are ios, java, MobileCenter, Node.JS, other, phone, store, and web. Defaults to web.
- inherit_tags: Should the Application Insights inherit tags from the parent resource? Defaults to false.
- location: The location of the Application Insights.
- name: The name of the Application Insights.
- resource_group_name: The name of the Resource Group where the Application Insights will be deployed.
- tags: A map of tags to assign to the Application Insights.
- workspace_resource_id: The resource ID of the Log Analytics Workspace to use for the Application Insights.
- daily_data_cap_in_gb: The daily data cap in GB for the Application Insights.
- daily_data_cap_notifications_disabled: Should the daily data cap notifications be disabled for the Application Insights?
- retention_in_days: The retention period in days for the Application Insights. Defaults to 90.
- sampling_percentage: The sampling percentage for the Application Insights. Defaults to 100.
- disable_ip_masking: Should the IP masking be disabled for the Application Insights? Defaults to false.
- local_authentication_disabled: Should the local authentication be disabled for the Application Insights? Defaults to false.
- internet_ingestion_enabled: Should the internet ingestion be enabled for the Application Insights? Defaults to true.
- internet_query_enabled: Should the internet query be enabled for the Application Insights? Defaults to true.
- force_customer_storage_for_profiler: Should the customer storage be forced for the profiler for the Application Insights? Defaults to false.
application_insights = {
  name = module.naming.application_insights.name_unique
  resource_group_name = module.avm_res_resources_resourcegroup.name
  location = module.avm_res_resources_resourcegroup.resource.location
  application_type = "web"
  workspace_resource_id = azurerm_log_analytics_workspace.example.id
  tags = {
    environment = "dev-tf"
  }
}
Type:
object({
  application_type = optional(string, "web")
  inherit_tags = optional(bool, false)
  location = optional(string)
  name = optional(string)
  resource_group_name = optional(string)
  tags = optional(map(any), null)
  workspace_resource_id = optional(string)
  daily_data_cap_in_gb = optional(number)
  daily_data_cap_notifications_disabled = optional(bool)
  retention_in_days = optional(number, 90)
  sampling_percentage = optional(number, 100)
  disable_ip_masking = optional(bool, false)
  local_authentication_disabled = optional(bool, false)
  internet_ingestion_enabled = optional(bool, true)
  internet_query_enabled = optional(bool, true)
  force_customer_storage_for_profiler = optional(bool, false)
})
Default: {}
auth_settings
Description: A map of authentication settings to assign to the Function App.
- additional_login_parameters - (Optional) Specifies a map of login Parameters to send to the OpenID Connect authorization endpoint when a user logs in.
- allowed_external_redirect_urls - (Optional) Specifies a list of External URLs that can be redirected to as part of logging in or logging out of the Linux Web App.
- default_provider - (Optional) The default authentication provider to use when multiple providers are configured. Possible values include: AzureActiveDirectory, Facebook, Google, MicrosoftAccount, Twitter, Github.
- enabled - (Required) Should the Authentication / Authorization feature be enabled for the Linux Web App?
- issuer - (Optional) The OpenID Connect Issuer URI that represents the entity which issues access tokens for this Linux Web App.
- runtime_version - (Optional) The RuntimeVersion of the Authentication / Authorization feature in use for the Linux Web App.
- token_refresh_extension_hours - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.
- token_store_enabled - (Optional) Should the Linux Web App durably store platform-specific security tokens that are obtained during login flows? Defaults to false.
- unauthenticated_client_action - (Optional) The action to take when an unauthenticated client attempts to access the app. Possible values include: RedirectToLoginPage, AllowAnonymous.

active_directory block supports the following:
- allowed_audiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
- client_id - (Required) The ID of the Client to use to authenticate with Azure Active Directory.
- client_secret - (Optional) The Client Secret for the Client ID. Cannot be used with client_secret_setting_name.
- client_secret_setting_name - (Optional) The App Setting name that contains the client secret of the Client. Cannot be used with client_secret.

facebook block supports the following:
- app_id - (Required) The App ID of the Facebook app used for login.
- app_secret - (Optional) The App Secret of the Facebook app used for Facebook login. Cannot be specified with app_secret_setting_name.
- app_secret_setting_name - (Optional) The app setting name that contains the app_secret value used for Facebook login. Cannot be specified with app_secret.
- oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes to be requested as part of Facebook login authentication.

github block supports the following:
- client_id - (Required) The ID of the GitHub app used for login.
- client_secret - (Optional) The Client Secret of the GitHub app used for GitHub login. Cannot be specified with client_secret_setting_name.
- client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for GitHub login. Cannot be specified with client_secret.
- oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of GitHub login authentication.

google block supports the following:
- client_id - (Required) The OpenID Connect Client ID for the Google web application.
- client_secret - (Optional) The client secret associated with the Google web application. Cannot be specified with client_secret_setting_name.
- client_secret_setting_name - (Optional) The app setting name that contains the client_secret value used for Google login. Cannot be specified with client_secret.
- oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication. If not specified, openid, profile, and email are used as default scopes.

microsoft block supports the following:
- client_id - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
- client_secret - (Optional) The OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret_setting_name.
- client_secret_setting_name - (Optional) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication. Cannot be specified with client_secret.
- oauth_scopes - (Optional) Specifies a list of OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication. If not specified, wl.basic is used as the default scope.

twitter block supports the following:
- consumer_key - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.
- consumer_secret - (Optional) The OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret_setting_name.
- consumer_secret_setting_name - (Optional) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in. Cannot be specified with consumer_secret.
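auth_settings = {
  example = {
    enabled = true
    active_directory = {
      # active_directory is a map of objects (see Type), so the provider entry needs its own key
      aad1 = {
        client_id = "00000000-0000-0000-0000-000000000000"
        allowed_audiences = ["00000000-0000-0000-0000-000000000000"]
        # client_secret and client_secret_setting_name cannot be used together;
        # reference the secret by app setting name rather than inlining it
        client_secret_setting_name = "<app-setting-name>"
      }
    }
  }
}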
Type:
map(object({
  additional_login_parameters = optional(map(string))
  allowed_external_redirect_urls = optional(list(string))
  default_provider = optional(string)
  enabled = optional(bool, false)
  issuer = optional(string)
  runtime_version = optional(string)
  token_refresh_extension_hours = optional(number, 72)
  token_store_enabled = optional(bool, false)
  unauthenticated_client_action = optional(string)
  active_directory = optional(map(object({
    client_id = optional(string)
    allowed_audiences = optional(list(string))
    client_secret = optional(string)
    client_secret_setting_name = optional(string)
  })), {})
  facebook = optional(map(object({
    app_id = optional(string)
    app_secret = optional(string)
    app_secret_setting_name = optional(string)
    oauth_scopes = optional(list(string))
  })), {})
  github = optional(map(object({
    client_id = optional(string)
    client_secret = optional(string)
    client_secret_setting_name = optional(string)
    oauth_scopes = optional(list(string))
  })), {})
  google = optional(map(object({
    client_id = optional(string)
    client_secret = optional(string)
    client_secret_setting_name = optional(string)
    oauth_scopes = optional(list(string))
  })), {})
  microsoft = optional(map(object({
    client_id = optional(string)
    client_secret = optional(string)
    client_secret_setting_name = optional(string)
    oauth_scopes = optional(list(string))
  })), {})
  twitter = optional(map(object({
    consumer_key = optional(string)
    consumer_secret = optional(string)
    consumer_secret_setting_name = optional(string)
  })), {})
}))
Default: {}
auth_settings_v2
Description: A map of authentication settings (V2) to assign to the Function App.
- auth_enabled - (Optional) Should the AuthV2 Settings be enabled. Defaults to false.
- config_file_path - (Optional) The path to the App Auth settings.
- default_provider - (Optional) The Default Authentication Provider to use when the unauthenticated_action is set to RedirectToLoginPage. Possible values include: apple, azureactivedirectory, facebook, github, google, twitter and the name of your custom_oidc_v2 provider.
- excluded_paths - (Optional) The paths which should be excluded from the unauthenticated_action when it is set to RedirectToLoginPage.
- forward_proxy_convention - (Optional) The convention used to determine the url of the request made. Possible values include NoProxy, Standard, Custom. Defaults to NoProxy.
- forward_proxy_custom_host_header_name - (Optional) The name of the custom header containing the host of the request.
- forward_proxy_custom_scheme_header_name - (Optional) The name of the custom header containing the scheme of the request.
- http_route_api_prefix - (Optional) The prefix that should precede all the authentication and authorisation paths. Defaults to /.auth.
- require_authentication - (Optional) Should the authentication flow be used for all requests.
- require_https - (Optional) Should HTTPS be required on connections? Defaults to true.
- runtime_version - (Optional) The Runtime Version of the Authentication and Authorisation feature of this App. Defaults to ~1.
- unauthenticated_action - (Optional) The action to take for requests made without authentication. Possible values include RedirectToLoginPage, AllowAnonymous, Return401, and Return403. Defaults to RedirectToLoginPage.

active_directory_v2 block supports the following:
- allowed_applications - (Optional) The list of allowed Applications for the Default Authorisation Policy.
- allowed_audiences - (Optional) Specifies a list of Allowed audience values to consider when validating JWTs issued by Azure Active Directory.
- allowed_groups - (Optional) The list of allowed Group Names for the Default Authorisation Policy.
- allowed_identities - (Optional) The list of allowed Identities for the Default Authorisation Policy.
- client_id - (Required) The ID of the Client to use to authenticate with Azure Active Directory.
- client_secret_certificate_thumbprint - (Optional) The thumbprint of the certificate used for signing purposes.
- client_secret_setting_name - (Optional) The App Setting name that contains the client secret of the Client.
- jwt_allowed_client_applications - (Optional) A list of Allowed Client Applications in the JWT Claim.
- jwt_allowed_groups - (Optional) A list of Allowed Groups in the JWT Claim.
- login_parameters - (Optional) A map of key-value pairs to send to the Authorisation Endpoint when a user logs in.
- tenant_auth_endpoint - (Required) The Azure Tenant Endpoint for the Authenticating Tenant. e.g. https://login.microsoftonline.com/v2.0/{tenant-guid}/
- www_authentication_disabled - (Optional) Should the www-authenticate provider be omitted from the request? Defaults to false.

apple_v2 block supports the following:
- client_id - (Required) The OpenID Connect Client ID for the Apple web application.
- client_secret_setting_name - (Required) The app setting name that contains the client_secret value used for Apple Login.

azure_static_web_app_v2 block supports the following:
- client_id - (Required) The ID of the Client to use to authenticate with Azure Static Web App Authentication.

custom_oidc_v2 block supports the following:
- client_id - (Required) The ID of the Client to use to authenticate with the Custom OIDC.
- name - (Required) The name of the Custom OIDC Authentication Provider.
- name_claim_type - (Optional) The name of the claim that contains the user's name.
- openid_configuration_endpoint - (Required) The app setting name that contains the client_secret value used for the Custom OIDC Login.
- scopes - (Optional) The list of the scopes that should be requested while authenticating.

facebook_v2 block supports the following:
- app_id - (Required) The App ID of the Facebook app used for login.
- app_secret_setting_name - (Required) The app setting name that contains the app_secret value used for Facebook Login.
- graph_api_version - (Optional) The version of the Facebook API to be used while logging in.
- login_scopes - (Optional) The list of scopes that should be requested as part of Facebook Login authentication.

github_v2 block supports the following:
- client_id - (Required) The ID of the GitHub app used for login.
- client_secret_setting_name - (Required) The app setting name that contains the client_secret value used for GitHub Login.
- login_scopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of GitHub Login authentication.

google_v2 block supports the following:
- allowed_audiences - (Optional) Specifies a list of Allowed Audiences that should be requested as part of Google Sign-In authentication.
- client_id - (Required) The OpenID Connect Client ID for the Google web application.
- client_secret_setting_name - (Required) The app setting name that contains the client_secret value used for Google Login.
- login_scopes - (Optional) The list of OAuth 2.0 scopes that should be requested as part of Google Sign-In authentication.

login block supports the following:
- allowed_external_redirect_urls - (Optional) External URLs that can be redirected to as part of logging in or logging out of the app. This is an advanced setting typically only needed by Windows Store application backends.
- cookie_expiration_convention - (Optional) The method by which cookies expire. Possible values include: FixedTime, and IdentityProviderDerived. Defaults to FixedTime.
- cookie_expiration_time - (Optional) The time after the request is made when the session cookie should expire. Defaults to 08:00:00.
- logout_endpoint - (Optional) The endpoint to which logout requests should be made.
- nonce_expiration_time - (Optional) The time after the request is made when the nonce should expire. Defaults to 00:05:00.
- preserve_url_fragments_for_logins - (Optional) Should the fragments from the request be preserved after the login request is made. Defaults to false.
- token_refresh_extension_time - (Optional) The number of hours after session token expiration that a session token can be used to call the token refresh API. Defaults to 72 hours.
- token_store_enabled - (Optional) Should the Token Store configuration be enabled? Defaults to false.
- token_store_path - (Optional) The directory path in the App Filesystem in which the tokens will be stored.
- token_store_sas_setting_name - (Optional) The name of the app setting which contains the SAS URL of the blob storage containing the tokens.
- validate_nonce - (Optional) Should the nonce be validated while completing the login flow. Defaults to true.

microsoft_v2 block supports the following:
- allowed_audiences - (Optional) Specifies a list of Allowed Audiences that will be requested as part of Microsoft Sign-In authentication.
- client_id - (Required) The OAuth 2.0 client ID that was created for the app used for authentication.
- client_secret_setting_name - (Required) The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.
- login_scopes - (Optional) The list of Login scopes that should be requested as part of Microsoft Account authentication.

twitter_v2 block supports the following:
- consumer_key - (Required) The OAuth 1.0a consumer key of the Twitter application used for sign-in.
- consumer_secret_setting_name - (Required) The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.
auth_settings_v2 = {
  setting1 = {
    auth_enabled = true
    default_provider = "AzureActiveDirectory"
    active_directory_v2 = {
      aad1 = {
        client_id = "<client-id>"
        tenant_auth_endpoint = "https://login.microsoftonline.com/{tenant-guid}/v2.0/"
      }
    }
    login = {
      login1 = {
        token_store_enabled = true
      }
    }
  }
}
Type:
map(object({
  auth_enabled = optional(bool, false)
  config_file_path = optional(string)
  default_provider = optional(string)
  excluded_paths = optional(list(string))
  forward_proxy_convention = optional(string, "NoProxy")
  forward_proxy_custom_host_header_name = optional(string)
  forward_proxy_custom_scheme_header_name = optional(string)
  http_route_api_prefix = optional(string, "/.auth")
  require_authentication = optional(bool, false)
  require_https = optional(bool, true)
  runtime_version = optional(string, "~1")
  unauthenticated_action = optional(string, "RedirectToLoginPage")
  active_directory_v2 = optional(map(object({
    allowed_applications = optional(list(string))
    allowed_audiences = optional(list(string))
    allowed_groups = optional(list(string))
    allowed_identities = optional(list(string))
    client_id = optional(string)
    client_secret_certificate_thumbprint = optional(string)
    client_secret_setting_name = optional(string)
    jwt_allowed_client_applications = optional(list(string))
    jwt_allowed_groups = optional(list(string))
    login_parameters = optional(map(any))
    tenant_auth_endpoint = optional(string)
    www_authentication_disabled = optional(bool, false)
  })), {})
  apple_v2 = optional(map(object({
    client_id = optional(string)
    client_secret_setting_name = optional(string)
    login_scopes = optional(list(string))
  })), {})
  azure_static_web_app_v2 = optional(map(object({
    client_id = optional(string)
  })), {})
  custom_oidc_v2 = optional(map(object({
    authorisation_endpoint = optional(string)
    certification_uri = optional(string)
    client_credential_method = optional(string)
    client_id = optional(string)
    client_secret_setting_name = optional(string)
    issuer_endpoint = optional(string)
    name = optional(string)
    name_claim_type = optional(string)
    openid_configuration_endpoint = optional(string)
    scopes = optional(list(string))
    token_endpoint = optional(string)
  })), {})
  facebook_v2 = optional(map(object({
    app_id = optional(string)
    app_secret_setting_name = optional(string)
    graph_api_version = optional(string)
    login_scopes = optional(list(string))
  })), {})
  github_v2 = optional(map(object({
    client_id = optional(string)
    client_secret_setting_name = optional(string)
    login_scopes = optional(list(string))
  })), {})
  google_v2 = optional(map(object({
    client_id = optional(string)
    client_secret_setting_name = optional(string)
    allowed_audiences = optional(list(string))
    login_scopes = optional(list(string))
  })), {})
  login = optional(map(object({
    allowed_external_redirect_urls = optional(list(string))
    cookie_expiration_convention = optional(string, "FixedTime")
    cookie_expiration_time = optional(string, "08:00:00")
    logout_endpoint = optional(string)
    nonce_expiration_time = optional(string, "00:05:00")
    preserve_url_fragments_for_logins = optional(bool, false)
    token_refresh_extension_time = optional(number, 72)
    token_store_enabled = optional(bool, false)
    token_store_path = optional(string)
    token_store_sas_setting_name = optional(string)
    validate_nonce = optional(bool, true)
  })),
  {
    login = {
    }
  })
  microsoft_v2 = optional(map(object({
    client_id = optional(string)
    client_secret_setting_name = optional(string)
    allowed_audiences = optional(list(string))
    login_scopes = optional(list(string))
  })), {})
  twitter_v2 = optional(map(object({
    consumer_key = optional(string)
    consumer_secret_setting_name = optional(string)
  })), {})
}))
Default: {}
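A module call that enforces authentication instead of relying on the auth_settings_v2 defaults (auth_enabled = false, require_authentication = false), and keeps the client secret out of the configuration. This is an added example, not taken from the module's own documentation; the registry source address, the os_type value, the azurerm_resource_group.example and azurerm_service_plan.example resources, the app name, the AAD_CLIENT_SECRET setting name and all angle-bracket placeholders are assumptions.

```hcl
module "web_app" {
  # Assumed registry address for terraform-azurerm-avm-res-web-site
  source  = "Azure/avm-res-web-site/azurerm"
  version = "0.18.0"

  kind                     = "webapp"
  os_type                  = "Linux"              # assumed value; must match the App Service Plan
  name                     = "app-example-secure" # constructed name
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  service_plan_resource_id = azurerm_service_plan.example.id

  app_settings = {
    # The app setting holds a Key Vault reference, so the secret value never
    # appears in the Terraform configuration; auth_settings_v2 only refers to
    # the setting by name. AAD_CLIENT_SECRET is a name chosen for this example.
    AAD_CLIENT_SECRET = "@Microsoft.KeyVault(SecretUri=<key-vault-secret-uri>)"
  }

  auth_settings_v2 = {
    setting1 = {
      auth_enabled           = true
      require_authentication = true        # module default is false
      require_https          = true        # module default, stated explicitly
      unauthenticated_action = "Return401" # module default is RedirectToLoginPage

      active_directory_v2 = {
        aad1 = {
          client_id                  = "<client-id>"
          tenant_auth_endpoint       = "https://login.microsoftonline.com/{tenant-guid}/v2.0/"
          client_secret_setting_name = "AAD_CLIENT_SECRET"
          allowed_audiences          = ["api://<client-id>"] # constructed placeholder
        }
      }

      login = {
        login1 = {
          token_store_enabled = false # module default; no provider tokens persisted
          validate_nonce      = true  # module default, stated explicitly
        }
      }
    }
  }
}
```

The app's identity needs read access to the referenced secret for the Key Vault reference to resolve.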
auto_heal_setting
Description: Configures the Auto Heal settings for the Function App. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- action - (Optional) The action to take when the trigger is activated.
  - action_type - (Required) The type of action to take. Possible values include: CustomAction, Recycle, LogEvent, HttpRequst.
  - custom_action - (Optional) The custom action to take when the trigger is activated.
    - executable - (Required) The executable to run when the trigger is activated.
    - parameters - (Optional) The parameters to pass to the executable.
  - minimum_process_execution_time - (Optional) The minimum process execution time before the action is taken. Defaults to 00:00:00.
- trigger - (Optional) The trigger to activate the action.
  - private_memory_kb - (Optional) The private memory in kilobytes to trigger the action.
  - requests - (Optional) The requests trigger to activate the action.
    - count - (Required) The number of requests to trigger the action.
    - interval - (Required) The interval to trigger the action.
  - slow_request - (Optional) The slow request trigger to activate the action.
    - count - (Required) The number of slow requests to trigger the action.
    - interval - (Required) The interval to trigger the action.
    - time_taken - (Required) The time taken to trigger the action.
    - path - (Optional) The path to trigger the action.
    NOTE: The path property in the slow_request block is deprecated and will be removed in 4.0 of the provider. Please use slow_request_with_path to set a slow request trigger with path specified.
  - status_code - (Optional) The status code trigger to activate the action.
    - count - (Required) The number of status codes to trigger the action.
    - interval - (Required) The interval to trigger the action.
    - status_code_range - (Required) The status code range to trigger the action.
    - path - (Optional) The path to trigger the action.
    - sub_status - (Optional) The sub status to trigger the action.
    - win32_status_code - (Optional) The Win32 status code to trigger the action.
auto_heal_setting = {
  setting_1 = {
    action = {
      action_type = "Recycle"
      minimum_process_execution_time = "00:01:00"
    }
    trigger = {
      requests = {
        # requests is a map of objects (see Type), so the entry needs its own key
        requests_1 = {
          count = 100
          interval = "00:00:30"
        }
      }
      status_code = {
        status_5000 = {
          count = 5000
          interval = "00:05:00"
          path = "/HealthCheck"
          status_code_range = 500
          sub_status = 0
        }
        status_6000 = {
          count = 6000
          interval = "00:05:00"
          path = "/Get"
          status_code_range = 500
          sub_status = 0
        }
      }
    }
  }
}
Type:
map(object({
  action = optional(object({
    action_type = string
    custom_action = optional(object({
      executable = string
      parameters = optional(string)
    }))
    minimum_process_execution_time = optional(string, "00:00:00")
  }))
  trigger = optional(object({
    private_memory_kb = optional(number)
    requests = optional(map(object({
      count = number
      interval = string
    })), {})
    slow_request = optional(map(object({
      count = number
      interval = string
      time_taken = string
      path = optional(string)
    })), {})
    slow_request_with_path = optional(map(object({
      count = number
      interval = string
      time_taken = string
      path = optional(string)
    })), {})
    status_code = optional(map(object({
      count = number
      interval = string
      status_code_range = string
      path = optional(string)
      sub_status = optional(number)
      win32_status_code = optional(number)
    })), {})
  }))
}))
Default: {}
backup
Description: A map of backup settings to assign to the Function App.
- name - (Optional) The name of the backup. One will be generated if not set.
- schedule - (Optional) A map of backup schedule settings.
  - frequency_interval - (Optional) The frequency interval of the backup.
  - frequency_unit - (Optional) The frequency unit of the backup.
  - keep_at_least_one_backup - (Optional) Should at least one backup be kept?
  - retention_period_in_days - (Optional) The retention period in days of the backup.
  - start_time - (Optional) The start time of the backup.
- storage_account_url - (Optional) The URL of the Storage Account to store the backup in.
- enabled - (Optional) Is the backup enabled? Defaults to true.
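backup = {
  example = {
    name = "example"
    schedule = {
      # schedule is a map of objects (see Type), so the schedule entry needs its own key
      schedule_1 = {
        frequency_interval = 1
        frequency_unit = "Day"
        keep_at_least_one_backup = true
        # declared as retention_period_days in the Type
        retention_period_days = 7
        start_time = "2020-01-01T00:00:00Z"
      }
    }
    storage_account_url = "https://example.blob.core.windows.net/example"
    enabled = true
  }
}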
Type:
map(object({
  enabled = optional(bool, true)
  name = optional(string)
  storage_account_url = optional(string)
  schedule = optional(map(object({
    frequency_interval = optional(number)
    frequency_unit = optional(string)
    keep_at_least_one_backup = optional(bool)
    retention_period_days = optional(number)
    start_time = optional(string)
  })))
}))
Default: {}
builtin_logging_enabled
Description: Should builtin logging be enabled for the Function App?
Type: bool
Default: true
bundle_version
Description: The version of the extension bundle to use. Defaults to [1.*, 2.0.0). (Logic App)
Type: string
Default: "[1.*, 2.0.0)"
client_affinity_enabled
Description: Should client affinity be enabled for the Function App?
Type: bool
Default: false
client_certificate_enabled
Description: Should client certificate be enabled for the Function App?
Type: bool
Default: false
client_certificate_exclusion_paths
Description: The client certificate exclusion paths for the Function App.
Type: string
Default: null
client_certificate_mode
Description: The client certificate mode for the Function App.
Type: string
Default: "Required"
connection_strings
Description: A map of connection strings to assign to the Function App.
- name - (Optional) The name of the connection string.
- type - (Optional) The type of the connection string.
- value - (Optional) The value of the connection string.
connection_strings = {
  example = {
    name = "example"
    type = "example"
    value = "example"
  }
}
Type:
map(object({
  name = optional(string)
  type = optional(string)
  value = optional(string)
}))
Default: {}
content_share_force_disabled
Description: Should content share be force disabled for the Function App?
Type: bool
Default: false
custom_domains
Description: A map of custom domains to assign to the Function App.
- slot_as_target - (Optional) Will this custom domain configuration be used for an App Service slot? Defaults to false.
- app_service_slot_key - (Optional) The key of the App Service Slot to use as the target for the custom domain.
- app_service_plan_resource_id - (Optional) The resource ID of the App Service Plan to use for the custom domain.
- key_vault_secret_id - (Optional) The ID of the Key Vault Secret to use for the custom domain.
- create_certificate - (Optional) Should a certificate be created for the custom domain? Defaults to false.
- create_txt_records - (Optional) Should TXT records be created for the custom domain? Defaults to false.
- create_cname_records - (Optional) Should CNAME records be created for the custom domain? Defaults to false.
custom_domains = {
# Allows for the configuration of custom domains for the Function App
# If not already set, the module allows for the creation of TXT and CNAME records
custom_domain_1 = {
zone_resource_group_name = "<zone_resource_group_name>"
create_txt_records = true
txt_name = "asuid.<module.naming.function_app.name_unique>"
txt_zone_name = "<zone_name>"
txt_records = {
record = {
value = "" # Leave empty as module will reference Function App ID after Function App creation
}
}
create_cname_records = true
cname_name = "<module.naming.function_app.name_unique>"
cname_zone_name = "<zone_name>"
cname_record = "<module.naming.function_app.name_unique>-custom-domain.azurewebsites.net"
create_certificate = true
certificate_name = "<module.naming.function_app.name_unique>-<data.azurerm_key_vault_secret.stored_certificate.name>"
certificate_location = azurerm_resource_group.example.location
pfx_blob = data.azurerm_key_vault_secret.stored_certificate.value
app_service_name = "<module.naming.function_app.name_unique>-custom-domain"
hostname = "<module.naming.function_app.name_unique>.<root_domain>"
resource_group_name = azurerm_resource_group.example.name
ssl_state = "SniEnabled"
thumbprint_key = "custom_domain_1" # Currently the key of the custom domain
}
}
Type:
map(object({
slot_as_target = optional(bool, false)
app_service_slot_key = optional(string)
create_certificate = optional(bool, false)
certificate_name = optional(string)
certificate_location = optional(string)
pfx_blob = optional(string)
pfx_password = optional(string)
hostname = optional(string)
app_service_name = optional(string)
app_service_plan_resource_id = optional(string)
key_vault_secret_id = optional(string)
key_vault_id = optional(string)
zone_resource_group_name = optional(string)
resource_group_name = optional(string)
ssl_state = optional(string)
inherit_tags = optional(bool, true)
tags = optional(map(any), {})
thumbprint_key = optional(string)
thumbprint_value = optional(string)
ttl = optional(number, 300)
validation_type = optional(string, "cname-delegation")
create_cname_records = optional(bool, false)
cname_name = optional(string)
cname_zone_name = optional(string)
cname_record = optional(string)
cname_target_resource_id = optional(string)
create_txt_records = optional(bool, false)
txt_name = optional(string)
txt_zone_name = optional(string)
txt_records = optional(map(object({ value = string })))
}))
Default: {}
daily_memory_time_quota
Description: (Optional) The amount of memory in gigabyte-seconds that your application is allowed to consume per day. Setting this value only affects Function Apps under the consumption plan. Defaults to 0.
Type: number
Default: 0
deployment_slots
Description: > NOTE: If you plan to use the attribute reference of an external Application Insights instance for application_insights_connection_string and application_insights_key, you will likely need to remove the sensitivity level. For example, using the nonsensitive function.
- storage_shares_to_mount - A map of storage shares to mount to the Function App deployment slot.
  - name - The name of the share.
  - access_key has been DEPRECATED and should not be used. Instead variable slots_storage_shares_to_mount_sensitive_values should be used.
  - account_name - The name of the Storage Account.
  - share_name - The name of the share in the Storage Account.
  - mount_path - The path where the share will be mounted in the Function App.
  - type - The type of mount, defaults to "AzureFiles".
Type:
map(object({
name = optional(string)
app_settings = optional(map(string))
builtin_logging_enabled = optional(bool, true)
content_share_force_disabled = optional(bool, false)
client_affinity_enabled = optional(bool, false)
client_certificate_enabled = optional(bool, false)
client_certificate_exclusion_paths = optional(string, null)
client_certificate_mode = optional(string, "Required")
daily_memory_time_quota = optional(number, 0)
enabled = optional(bool, true)
functions_extension_version = optional(string, "~4")
ftp_publish_basic_authentication_enabled = optional(bool, true)
https_only = optional(bool, false)
key_vault_reference_identity_id = optional(string, null)
# managed_identities = optional(object({
# system_assigned = optional(bool, false)
# user_assigned_resource_ids = optional(set(string), [])
# }), {})
public_network_access_enabled = optional(bool, true)
service_plan_id = optional(string, null)
tags = optional(map(string))
virtual_network_subnet_id = optional(string, null)
webdeploy_publish_basic_authentication_enabled = optional(bool, true)
zip_deploy_file = optional(string, null)
auth_settings = optional(map(object({
additional_login_parameters = optional(list(string))
allowed_external_redirect_urls = optional(list(string))
default_provider = optional(string)
enabled = optional(bool, false)
issuer = optional(string)
runtime_version = optional(string)
token_refresh_extension_hours = optional(number, 72)
token_store_enabled = optional(bool, false)
unauthenticated_client_action = optional(string)
active_directory = optional(map(object({
client_id = optional(string)
allowed_audiences = optional(list(string))
client_secret = optional(string)
client_secret_setting_name = optional(string)
})))
facebook = optional(map(object({
app_id = optional(string)
app_secret = optional(string)
app_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
github = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
google = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
microsoft = optional(map(object({
client_id = optional(string)
client_secret = optional(string)
client_secret_setting_name = optional(string)
oauth_scopes = optional(list(string))
})))
twitter = optional(map(object({
consumer_key = optional(string)
consumer_secret = optional(string)
consumer_secret_setting_name = optional(string)
})))
})), {})
auth_settings_v2 = optional(map(object({
auth_enabled = optional(bool, false)
config_file_path = optional(string)
default_provider = optional(string)
excluded_paths = optional(list(string))
forward_proxy_convention = optional(string, "NoProxy")
forward_proxy_custom_host_header_name = optional(string)
forward_proxy_custom_scheme_header_name = optional(string)
http_route_api_prefix = optional(string, "/.auth")
require_authentication = optional(bool, false)
require_https = optional(bool, true)
runtime_version = optional(string, "~1")
unauthenticated_action = optional(string, "RedirectToLoginPage")
active_directory_v2 = optional(map(object({
allowed_applications = optional(list(string))
allowed_audiences = optional(list(string))
allowed_groups = optional(list(string))
allowed_identities = optional(list(string))
client_id = optional(string)
client_secret_certificate_thumbprint = optional(string)
client_secret_setting_name = optional(string)
jwt_allowed_client_applications = optional(list(string))
jwt_allowed_groups = optional(list(string))
login_parameters = optional(map(any))
tenant_auth_endpoint = optional(string)
www_authentication_disabled = optional(bool, false)
})), {})
apple_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
azure_static_web_app_v2 = optional(map(object({
client_id = optional(string)
})), {})
custom_oidc_v2 = optional(map(object({
authorisation_endpoint = optional(string)
certification_uri = optional(string)
client_credential_method = optional(string)
client_id = optional(string)
client_secret_setting_name = optional(string)
issuer_endpoint = optional(string)
name = optional(string)
name_claim_type = optional(string)
openid_configuration_endpoint = optional(string)
scopes = optional(list(string))
token_endpoint = optional(string)
})), {})
facebook_v2 = optional(map(object({
app_id = optional(string)
app_secret_setting_name = optional(string)
graph_api_version = optional(string)
login_scopes = optional(list(string))
})), {})
github_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
login_scopes = optional(list(string))
})), {})
google_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
login = map(object({
allowed_external_redirect_urls = optional(list(string))
cookie_expiration_convention = optional(string, "FixedTime")
cookie_expiration_time = optional(string, "00:00:00")
logout_endpoint = optional(string)
nonce_expiration_time = optional(string, "00:05:00")
preserve_url_fragments_for_logins = optional(bool, false)
token_refresh_extension_time = optional(number, 72)
token_store_enabled = optional(bool, false)
token_store_path = optional(string)
token_store_sas_setting_name = optional(string)
validate_nonce = optional(bool, true)
}))
microsoft_v2 = optional(map(object({
client_id = optional(string)
client_secret_setting_name = optional(string)
allowed_audiences = optional(list(string))
login_scopes = optional(list(string))
})), {})
twitter_v2 = optional(map(object({
consumer_key = optional(string)
consumer_secret_setting_name = optional(string)
})), {})
})), {})
auto_heal_setting = optional(map(object({
action = optional(object({
action_type = string
custom_action = optional(object({
executable = string
parameters = optional(string)
}))
minimum_process_execution_time = optional(string, "00:00:00")
}))
trigger = optional(object({
private_memory_kb = optional(number)
requests = optional(map(object({
count = number
interval = string
})), {})
slow_request = optional(map(object({
count = number
interval = string
time_taken = string
path = optional(string)
})), {})
slow_request_with_path = optional(map(object({
count = number
interval = string
time_taken = string
path = optional(string)
})), {})
status_code = optional(map(object({
count = number
interval = string
status_code_range = string
path = optional(string)
sub_status = optional(number)
win32_status_code = optional(number)
})), {})
}))
})), {})
backup = optional(map(object({
enabled = optional(bool, true)
name = optional(string)
storage_account_url = optional(string)
schedule = optional(map(object({
frequency_interval = optional(number)
frequency_unit = optional(string)
keep_at_least_one_backup = optional(bool)
retention_period_days = optional(number)
start_time = optional(string)
})))
})), {})
connection_strings = optional(map(object({
name = optional(string)
type = optional(string)
value = optional(string)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
logs = optional(map(object({
application_logs = optional(map(object({
azure_blob_storage = optional(object({
level = optional(string, "Off")
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system_level = optional(string, "Off")
})), {})
detailed_error_messages = optional(bool, false)
failed_request_tracing = optional(bool, false)
http_logs = optional(map(object({
azure_blob_storage_http = optional(object({
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system = optional(object({
retention_in_days = optional(number, 0)
retention_in_mb = number
}))
})), {})
})), {})
private_endpoints = optional(map(object({
name = optional(string, null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
tags = optional(map(string), null)
subnet_resource_id = string
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(set(string), [])
application_security_group_associations = optional(map(string), {})
private_service_connection_name = optional(string, null)
network_interface_name = optional(string, null)
location = optional(string, null)
resource_group_name = optional(string, null)
ip_configurations = optional(map(object({
name = string
private_ip_address = string
})), {})
})), {})
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
storage_shares_to_mount = optional(map(object({
# access_key = optional(string, null)
account_name = string
mount_path = string
name = string
share_name = string
type = optional(string, "AzureFiles")
})), {})
site_config = optional(object({
always_on = optional(bool, true)
api_definition_url = optional(string)
api_management_api_id = optional(string)
app_command_line = optional(string)
auto_heal_enabled = optional(bool)
app_scale_limit = optional(number)
application_insights_connection_string = optional(string)
application_insights_key = optional(string)
slot_application_insights_object_key = optional(string)
container_registry_managed_identity_client_id = optional(string)
container_registry_use_managed_identity = optional(bool)
default_documents = optional(list(string))
elastic_instance_minimum = optional(number)
ftps_state = optional(string, "FtpsOnly")
health_check_eviction_time_in_min = optional(number)
health_check_path = optional(string)
http2_enabled = optional(bool, false)
ip_restriction_default_action = optional(string, "Allow")
load_balancing_mode = optional(string, "LeastRequests")
local_mysql_enabled = optional(bool, false)
managed_pipeline_mode = optional(string, "Integrated")
minimum_tls_version = optional(string, "1.3")
pre_warmed_instance_count = optional(number)
remote_debugging_enabled = optional(bool, false)
remote_debugging_version = optional(string)
runtime_scale_monitoring_enabled = optional(bool)
scm_ip_restriction_default_action = optional(string, "Allow")
scm_minimum_tls_version = optional(string, "1.2")
scm_use_main_ip_restriction = optional(bool, false)
use_32_bit_worker = optional(bool, false)
vnet_route_all_enabled = optional(bool, false)
websockets_enabled = optional(bool, false)
worker_count = optional(number)
app_service_logs = optional(map(object({
disk_quota_mb = optional(number, 35)
retention_period_days = optional(number)
})), {})
application_stack = optional(map(object({
dotnet_core_version = optional(string)
dotnet_version = optional(string)
java_version = optional(string)
node_version = optional(string)
powershell_core_version = optional(string)
python_version = optional(string)
go_version = optional(string)
ruby_version = optional(string)
java_server = optional(string)
java_server_version = optional(string)
php_version = optional(string)
use_custom_runtime = optional(bool)
use_dotnet_isolated_runtime = optional(bool)
docker = optional(list(object({
image_name = string
image_tag = string
registry_password = optional(string)
registry_url = string
registry_username = optional(string)
})))
current_stack = optional(string)
docker_image_name = optional(string)
docker_registry_url = optional(string)
docker_registry_username = optional(string)
docker_registry_password = optional(string)
docker_container_name = optional(string)
docker_container_tag = optional(string)
java_embedded_server_enabled = optional(bool)
tomcat_version = optional(bool)
})), {})
cors = optional(map(object({
allowed_origins = optional(list(string))
support_credentials = optional(bool, false)
})), {})
ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {})
scm_ip_restriction = optional(map(object({
action = optional(string, "Allow")
ip_address = optional(string)
name = optional(string)
priority = optional(number, 65000)
service_tag = optional(string)
virtual_network_subnet_id = optional(string)
headers = optional(map(object({
x_azure_fdid = optional(list(string))
x_fd_health_probe = optional(list(string), ["1"])
x_forwarded_for = optional(list(string))
x_forwarded_host = optional(list(string))
})), {})
})), {})
virtual_application = optional(map(object({
physical_path = optional(string, "site\\wwwroot")
preload_enabled = optional(bool, false)
virtual_directory = optional(map(object({
physical_path = optional(string)
virtual_path = optional(string)
})), {})
virtual_path = optional(string, "/")
})),
{
default = {
physical_path = "site\\wwwroot"
preload_enabled = false
virtual_path = "/"
}
}
)
}), {})
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}), null)
}))
Default: {}
deployment_slots_inherit_lock
Description: Whether to inherit the lock from the parent resource for the deployment slots. Defaults to true.
Type: bool
Default: true
diagnostic_settings
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
- log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].
- log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].
- metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].
- log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated. Will resolve to null as Function App / web App does not support Destination Table.
- workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
- storage_account_resource_id - (Optional) The resource ID of the Storage Account to send logs and metrics to.
- event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
- event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
- marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))
Default: {}
enable_application_insights
Description: Should Application Insights be enabled for the Function App?
Type: bool
Default: true
enable_telemetry
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: false
enabled
Description: Is the Function App enabled? Defaults to true.
Type: bool
Default: true
fc1_runtime_name
Description: The Runtime of the Linux Function App. Possible values are node, dotnet-isolated, powershell, python, java.
Type: string
Default: null
fc1_runtime_version
Description: The Runtime version of the Linux Function App. The supported values are different depending on the runtime chosen with runtime_name:
- dotnet-isolated supported values are: 8.0, 9.0
- node supported values are: 20
- python supported values are: 3.10, 3.11
- java supported values are: 11, 17
- powershell supported values are: 7.4
Type: string
Default: null
ftp_publish_basic_authentication_enabled
Description: Should basic authentication be enabled for FTP publish?
Type: bool
Default: true
function_app_uses_fc1
Description: Should this Function App run on a Flex Consumption Plan?
Type: bool
Default: false
functions_extension_version
Description: The version of the Azure Functions runtime to use. Defaults to ~4.
Type: string
Default: "~4"
https_only
Description: Should the Function App only be accessible over HTTPS?
Type: bool
Default: false
instance_memory_in_mb
Description: The amount of memory to allocate for the instance(s).
Type: number
Default: 2048
key_vault_reference_identity_id
Description: The identity ID to use for Key Vault references.
Type: string
Default: null
lock
Description: The lock level to apply. Possible values for kind are None, CanNotDelete, and ReadOnly.
Type:
object({
kind = string
name = optional(string, null)
})
Default: null
logic_app_runtime_version
Description: The runtime version associated with the Logic App. Defaults to ~4 (Logic App)
Type: string
Default: "~4"
logs
Description: A map of logs to create on the Function App.
Type:
map(object({
application_logs = optional(map(object({
azure_blob_storage = optional(object({
level = optional(string, "Off")
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system_level = optional(string, "Off")
})), {})
detailed_error_messages = optional(bool, false)
failed_request_tracing = optional(bool, false)
http_logs = optional(map(object({
azure_blob_storage_http = optional(object({
retention_in_days = optional(number, 0)
sas_url = string
}))
file_system = optional(object({
retention_in_days = optional(number, 0)
retention_in_mb = number
}))
})), {})
}))
Default: {}
managed_identities
Description: Managed identities to be created for the resource.
Type:
object({
system_assigned = optional(bool, false)
user_assigned_resource_ids = optional(set(string), [])
})
Default: {}
maximum_instance_count
Description: The number of workers this function app can scale out to.
Type: number
Default: null
private_endpoints
Description: A map of private endpoints to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- name - (Optional) The name of the private endpoint. One will be generated if not set.
- role_assignments - (Optional) A map of role assignments to create on the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time. See var.role_assignments for more information.
  - principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating private endpoints if the principal creating the assignment is constrained by RBAC rules that filter on the PrincipalType attribute.
- lock - (Optional) The lock level to apply to the private endpoint. Default is None. Possible values are None, CanNotDelete, and ReadOnly.
- tags - (Optional) A mapping of tags to assign to the private endpoint.
- subnet_resource_id - The resource ID of the subnet to deploy the private endpoint in.
- private_dns_zone_group_name - (Optional) The name of the private DNS zone group. One will be generated if not set.
- private_dns_zone_resource_ids - (Optional) A set of resource IDs of private DNS zones to associate with the private endpoint. If not set, no zone groups will be created and the private endpoint will not be associated with any private DNS zones. DNS records must be managed external to this module.
- application_security_group_resource_ids - (Optional) A map of resource IDs of application security groups to associate with the private endpoint. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- private_service_connection_name - (Optional) The name of the private service connection. One will be generated if not set.
- network_interface_name - (Optional) The name of the network interface. One will be generated if not set.
- location - (Optional) The Azure location where the resources will be deployed. Defaults to the location of the resource group.
- resource_group_name - (Optional) The resource group where the resources will be deployed. Defaults to the resource group of this resource.
- ip_configurations - (Optional) A map of IP configurations to create on the private endpoint. If not specified the platform will create one. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
  - name - The name of the IP configuration.
  - private_ip_address - The private IP address of the IP configuration.
Type:
map(object({
name = optional(string, null)
role_assignments = optional(map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
})), {})
lock = optional(object({
kind = string
name = optional(string, null)
}), null)
tags = optional(map(string), null)
subnet_resource_id = string
private_dns_zone_group_name = optional(string, "default")
private_dns_zone_resource_ids = optional(set(string), [])
application_security_group_associations = optional(map(string), {})
private_service_connection_name = optional(string, null)
network_interface_name = optional(string, null)
location = optional(string, null)
resource_group_name = optional(string, null)
ip_configurations = optional(map(object({
name = string
private_ip_address = string
})), {})
}))
Default: {}
private_endpoints_inherit_lock
Description: Should the private endpoints inherit the lock from the parent resource? Defaults to true.
Type: bool
Default: true
private_endpoints_manage_dns_zone_group
Description: Whether to manage private DNS zone groups with this module. If set to false, you must manage private DNS zone groups externally, e.g. using Azure Policy.
Type: bool
Default: true
public_network_access_enabled
Description: Should the Function App be accessible from the public network? Defaults to true.
Type: bool
Default: true
role_assignments
Description: A map of role assignments to create on this resource. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
- principal_id - The ID of the principal to assign the role to.
- description - The description of the role assignment.
- skip_service_principal_aad_check - If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
- condition - The condition which will be used to scope the role assignment.
- condition_version - The version of the condition syntax. Valid values are 2.0.
- delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
- principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filter on the PrincipalType attribute.
Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))
Default: {}
scm_publish_basic_authentication_enabled
Description: Should basic authentication be enabled for SCM publish?
Type: bool
Default: true
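Several of the inputs documented above default to the permissive setting (https_only = false, both basic-authentication publish toggles true, public_network_access_enabled = true), and each deployment_slots entry declares its own copies of those defaults, so they have to be set per slot as well. The module call below is an added example, not part of the module's README: the registry source address, the map keys and every value in angle brackets are assumptions, and the module's required inputs, which this section does not list, still have to be supplied.

```hcl
# Added example: overrides for the permissive defaults listed on this page.
# Assumptions: registry source address, map keys, <placeholder> values.
module "function_app" {
  source  = "Azure/avm-res-web-site/azurerm" # assumed registry address
  version = "0.18.0"

  # Required inputs are documented outside this section; add them here.

  # Transport: default is false.
  https_only = true

  # Publishing credentials: both default to true. With these off,
  # deployments must authenticate without the publish-profile password.
  ftp_publish_basic_authentication_enabled = false
  scm_publish_basic_authentication_enabled = false

  # Network exposure: default is true. Reach the app through a private
  # endpoint instead of the public front end.
  public_network_access_enabled = false
  private_endpoints = {
    primary = {
      subnet_resource_id            = "<private-endpoint-subnet-resource-id>"
      private_dns_zone_resource_ids = ["<privatelink-dns-zone-resource-id>"]
    }
  }

  site_config = {
    ftps_state               = "Disabled" # default is "FtpsOnly"
    minimum_tls_version      = "1.3"      # module default, pinned explicitly
    scm_minimum_tls_version  = "1.2"      # highest value the page lists for SCM
    remote_debugging_enabled = false
  }

  # Guard against accidental deletion; private endpoints and slots inherit
  # the lock while the *_inherit_lock inputs stay at their default of true.
  lock = {
    kind = "CanNotDelete"
  }

  # Ship platform logs and metrics to a workspace for detection and review.
  diagnostic_settings = {
    to_workspace = {
      name                  = "diag-function-app"
      workspace_resource_id = "<log-analytics-workspace-resource-id>"
    }
  }

  # The slot object type has its own defaults for the same toggles.
  deployment_slots = {
    staging = {
      name                                           = "staging"
      https_only                                     = true
      ftp_publish_basic_authentication_enabled       = false
      webdeploy_publish_basic_authentication_enabled = false
      public_network_access_enabled                  = false

      private_endpoints = {
        staging = {
          subnet_resource_id            = "<private-endpoint-subnet-resource-id>"
          private_dns_zone_resource_ids = ["<privatelink-dns-zone-resource-id>"]
        }
      }

      site_config = {
        ftps_state               = "Disabled"
        remote_debugging_enabled = false
      }
    }
  }
}
```

Running terraform plan against an existing deployment shows which of these toggles would change, which is a quick way to see where an app still relies on the defaults.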
site_config
Description: An object that configures the Function App's site_config block.
- always_on - (Optional) If this Linux Web App is Always On enabled. Defaults to true.
- auto_swap_slot_name - (Optional) The name of the slot to swap with. (Logic App)
- api_definition_url - (Optional) The URL of the API definition that describes this Linux Function App.
- api_management_api_id - (Optional) The ID of the API Management API for this Linux Function App.
- app_command_line - (Optional) The App command line to launch.
- app_scale_limit - (Optional) The number of workers this function app can scale out to. Only applicable to apps on the Consumption and Premium plan.
- application_insights_connection_string - (Optional) The Connection String for linking the Linux Function App to Application Insights.
- application_insights_key - (Optional) The Instrumentation Key for connecting the Linux Function App to Application Insights.
- container_registry_managed_identity_client_id - (Optional) The Client ID of the Managed Service Identity to use for connections to the Azure Container Registry.
- container_registry_use_managed_identity - (Optional) Should connections for Azure Container Registry use Managed Identity.
- default_documents - (Optional) Specifies a list of Default Documents for the Linux Web App.
- dotnet_framework_version - (Optional) The version of the .NET Framework to use. Possible values are v4.0 (including .NET Core 2.1 and 3.1), v5.0, v6.0 and v8.0. Defaults to v4.0.
- elastic_instance_minimum - (Optional) The number of minimum instances for this Linux Function App. Only affects apps on Elastic Premium plans.
- ftps_state - (Optional) State of FTP / FTPS service for this function app. Possible values include: AllAllowed, FtpsOnly and Disabled. Defaults to FtpsOnly.
- health_check_eviction_time_in_min - (Optional) The amount of time in minutes that a node can be unhealthy before being removed from the load balancer. Possible values are between 2 and 10. Only valid in conjunction with health_check_path.
- health_check_path - (Optional) The path to be checked for this function app health.
- http2_enabled - (Optional) Specifies if the HTTP2 protocol should be enabled. Defaults to false.
- load_balancing_mode - (Optional) The Site load balancing mode. Possible values include: WeightedRoundRobin, LeastRequests, LeastResponseTime, WeightedTotalTraffic, RequestHash, PerSiteRoundRobin. Defaults to LeastRequests if omitted.
- linux_fx_version - (Optional) Linux App Framework and version for the App Service, e.g. DOCKER|(golang:latest). Setting this value will also set the kind of application deployed to functionapp,linux,container,workflowapp. You must set os_type to Linux when this property is set.
- managed_pipeline_mode - (Optional) Managed pipeline mode. Possible values include: Integrated, Classic. Defaults to Integrated.
- minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests. Possible values include: 1.0, 1.1, 1.2, and 1.3. Defaults to 1.3.
- pre_warmed_instance_count - (Optional) The number of pre-warmed instances for this function app. Only affects apps on an Elastic Premium plan.
- remote_debugging_enabled - (Optional) Should Remote Debugging be enabled. Defaults to false.
- remote_debugging_version - (Optional) The Remote Debugging Version. Possible values include VS2017, VS2019, and VS2022.
- runtime_scale_monitoring_enabled - (Optional) Should Scale Monitoring of the Functions Runtime be enabled?
- scm_minimum_tls_version - (Optional) Configures the minimum version of TLS required for SSL requests to the SCM site. Possible values include: 1.0, 1.1, and 1.2. Defaults to 1.2.
- scm_use_main_ip_restriction - (Optional) Should the Linux Function App ip_restriction configuration be used for the SCM also.
- scm_type - (Optional) The type of SCM to use. Possible values include: None, LocalGit, GitHub, BitbucketGit, BitBucketHg, CodePlexHg, CodePlexGit, Dropbox, Tfs, VSO, VSTSRM, ExternalGit, ExternalHg and OneDrive. Defaults to None.
- use_32_bit_worker - (Optional) Should the Linux Web App use a 32-bit worker process. Defaults to false.
- vnet_route_all_enabled - (Optional) Should all outbound traffic have NAT Gateways, Network Security Groups and User Defined Routes applied? Defaults to false.
- websockets_enabled - (Optional) Should Web Sockets be enabled. Defaults to false.
- worker_count - (Optional) The number of Workers for this Linux Function App.
app_service_logs block supports the following:
- disk_quota_mb - (Optional) The amount of disk space to use for logs. Valid values are between 25 and 100. Defaults to 35.
- retention_period_days - (Optional) The retention period for logs in days. Valid values are between 0 and 99999. (never delete).
application_stack block supports the following:
- dotnet_core_version - (Optional) The version of .NET Core to use. Possible values include v4.0.
- dotnet_version - (Optional) The version of .NET to use. Possible values include 3.1, 6.0, 7.0 and 8.0.
- java_version - (Optional) The Version of Java to use. Supported versions include 8, 11 & 17.
- node_version - (Optional) The version of Node to run. Possible values include 12, 14, 16 and 18.
- powershell_core_version - (Optional) The version of PowerShell Core to run. Possible values are 7, and 7.2.
- python_version - (Optional) The version of Python to run. Possible values are 3.12, 3.11, 3.10, 3.9, 3.8 and 3.7.
- go_version - (Optional) The version of Go to use. Possible values are 1.18, and 1.19.
- ruby_version - (Optional) The version of Ruby to use. Possible values are 2.6, and 2.7.
- java_server - (Optional) The Java server type. Possible values are JAVA, TOMCAT, and JBOSSEAP.
- java_server_version - (Optional) The version of the Java server to use.
- php_version - (Optional) The version of PHP to use. Possible values are 7.4, 8.0, 8.1, and 8.2.
- use_custom_runtime - (Optional) Should the Linux Function App use a custom runtime?
- use_dotnet_isolated_runtime - (Optional) Should the DotNet process use an isolated runtime. Defaults to false.
docker block supports the following:
- image_name - (Required) The name of the Docker image to use.
- image_tag - (Required) The image tag of the image to use.
- registry_password - (Optional) The password for the account to use to connect to the registry.
- registry_url - (Required) The URL of the docker registry.
- registry_username - (Optional) The username to use for connections to the registry.
cors block supports the following:
- allowed_origins - (Optional) Specifies a list of origins that should be allowed to make cross-origin calls.
- support_credentials - (Optional) Are credentials allowed in CORS requests? Defaults to false.
ip_restriction block supports the following:
- action - (Optional) The action to take. Possible values are Allow or Deny. Defaults to Allow.
- ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
- name - (Optional) The name which should be used for this ip_restriction.
- priority - (Optional) The priority value of this ip_restriction. Defaults to 65000.
- service_tag - (Optional) The Service Tag used for this IP Restriction.
- virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.
headers block supports the following:
- x_azure_fdid - (Optional) Specifies a list of Azure Front Door IDs.
- x_fd_health_probe - (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is 1.
- x_forwarded_for - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.
- x_forwarded_host - (Optional) Specifies a list of Hosts for which matching should be applied.
scm_ip_restriction block supports the following:
- action - (Optional) The action to take. Possible values are Allow or Deny. Defaults to Allow.
- ip_address - (Optional) The CIDR notation of the IP or IP Range to match. For example: 10.0.0.0/24 or 192.168.10.1/32
- name - (Optional) The name which should be used for this ip_restriction.
- priority - (Optional) The priority value of this ip_restriction. Defaults to 65000.
- service_tag - (Optional) The Service Tag used for this IP Restriction.
- virtual_network_subnet_id - (Optional) The Virtual Network Subnet ID used for this IP Restriction.
headers block supports the following:
- x_azure_fdid - (Optional) Specifies a list of Azure Front Door IDs.
- x_fd_health_probe - (Optional) Specifies if a Front Door Health Probe should be expected. The only possible value is 1.
- x_forwarded_for - (Optional) Specifies a list of addresses for which matching should be applied. Omitting this value means allow any.
- x_forwarded_host - (Optional) Specifies a list of Hosts for which matching should be applied.
Type:
object({
  always_on = optional(bool, true)
  linux_fx_version = optional(string)
  api_definition_url = optional(string)
  api_management_api_id = optional(string)
  app_command_line = optional(string)
  # auto_heal_enabled = optional(bool)
  dotnet_framework_version = optional(string, "v4.0")
  auto_swap_slot_name = optional(string)
  app_scale_limit = optional(number)
  application_insights_connection_string = optional(string)
  application_insights_key = optional(string)
  container_registry_managed_identity_client_id = optional(string)
  container_registry_use_managed_identity = optional(bool)
  default_documents = optional(list(string))
  elastic_instance_minimum = optional(number)
  ftps_state = optional(string, "FtpsOnly")
  health_check_eviction_time_in_min = optional(number)
  health_check_path = optional(string)
  http2_enabled = optional(bool, false)
  ip_restriction_default_action = optional(string, "Allow")
  load_balancing_mode = optional(string, "LeastRequests")
  local_mysql_enabled = optional(bool, false)
  managed_pipeline_mode = optional(string, "Integrated")
  minimum_tls_version = optional(string, "1.3")
  pre_warmed_instance_count = optional(number)
  remote_debugging_enabled = optional(bool, false)
  remote_debugging_version = optional(string)
  runtime_scale_monitoring_enabled = optional(bool)
  scm_type = optional(string, "None")
  scm_ip_restriction_default_action = optional(string, "Allow")
  scm_minimum_tls_version = optional(string, "1.2")
  scm_use_main_ip_restriction = optional(bool, false)
  use_32_bit_worker = optional(bool, false)
  vnet_route_all_enabled = optional(bool, false)
  websockets_enabled = optional(bool, false)
  worker_count = optional(number)
  app_service_logs = optional(map(object({
    disk_quota_mb = optional(number, 35)
    retention_period_days = optional(number)
  })), {})
  application_stack = optional(map(object({
    dotnet_core_version = optional(string)
    dotnet_version = optional(string)
    java_version = optional(string)
    node_version = optional(string)
    powershell_core_version = optional(string)
    python_version = optional(string)
    go_version = optional(string)
    ruby_version = optional(string)
    java_server = optional(string)
    java_server_version = optional(string)
    php_version = optional(string)
    use_custom_runtime = optional(bool)
    use_dotnet_isolated_runtime = optional(bool)
    docker = optional(list(object({
      image_name = string
      image_tag = string
      registry_password = optional(string)
      registry_url = string
      registry_username = optional(string)
    })))
    current_stack = optional(string)
    docker_image_name = optional(string)
    docker_registry_url = optional(string)
    docker_registry_username = optional(string)
    docker_registry_password = optional(string)
    docker_container_name = optional(string)
    docker_container_tag = optional(string)
    java_embedded_server_enabled = optional(bool)
    tomcat_version = optional(bool)
  })), {})
  cors = optional(map(object({
    allowed_origins = optional(list(string))
    support_credentials = optional(bool, false)
  })), {})
  ip_restriction = optional(map(object({
    action = optional(string, "Allow")
    ip_address = optional(string)
    name = optional(string)
    priority = optional(number, 65000)
    service_tag = optional(string)
    virtual_network_subnet_id = optional(string)
    headers = optional(map(object({
      x_azure_fdid = optional(list(string))
      x_fd_health_probe = optional(list(string), ["1"])
      x_forwarded_for = optional(list(string))
      x_forwarded_host = optional(list(string))
    })), {})
  })), {})
  scm_ip_restriction = optional(map(object({
    action = optional(string, "Allow")
    ip_address = optional(string)
    name = optional(string)
    priority = optional(number, 65000)
    service_tag = optional(string)
    virtual_network_subnet_id = optional(string)
    headers = optional(map(object({
      x_azure_fdid = optional(list(string))
      x_fd_health_probe = optional(list(string), ["1"])
      x_forwarded_for = optional(list(string))
      x_forwarded_host = optional(list(string))
    })), {})
  })), {})
  virtual_application = optional(map(object({
    physical_path = optional(string, "site\\wwwroot")
    preload_enabled = optional(bool, false)
    virtual_directory = optional(map(object({
      physical_path = optional(string)
      virtual_path = optional(string)
    })), {})
    virtual_path = optional(string, "/")
    })),
    {
      # Removing default, as provider issue needing workaround has been resolved.
      # https://github.com/hashicorp/terraform-provider-azurerm/issues/16326
      # default = {
      # physical_path = "site\\wwwroot"
      # preload_enabled = false
      # virtual_path = "/"
      # }
  })
})
Default: {}
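A tightened counterpart to the defaults in the type above, as an added example that is not taken from the module's own examples. It assumes the object documented here is passed as the module's site_config input; the map keys, rule names, address range, origin and Front Door ID are constructed placeholders.

```hcl
# Added example: an argument placed inside the module block for this package.
# Assumption: the object documented above is the module's site_config input.
site_config = {
  # Transport. The type above already defaults to FtpsOnly / TLS 1.3 / SCM TLS 1.2;
  # "Disabled" goes one step further and removes FTP as a deployment path.
  ftps_state              = "Disabled"
  minimum_tls_version     = "1.3"
  scm_minimum_tls_version = "1.2" # highest value in the documented list for the SCM site

  # Already false by default; stated explicitly so a later change shows up in review.
  remote_debugging_enabled = false

  # Both default actions are "Allow" in the type above, so a request that
  # matches no rule is still admitted. Switch both to "Deny" and list what is allowed.
  ip_restriction_default_action     = "Deny"
  scm_ip_restriction_default_action = "Deny"

  ip_restriction = {
    front_door = { # map key is arbitrary
      name        = "allow-front-door"
      action      = "Allow"
      priority    = 100
      service_tag = "AzureFrontDoor.Backend"
      headers = {
        fd = { # map key is arbitrary
          # The service tag covers every Front Door profile; the header pins
          # the rule to one. Placeholder value, replace with your profile's ID.
          x_azure_fdid = ["<front-door-id-placeholder>"]
          # x_fd_health_probe is left at its default of ["1"] from the type above.
        }
      }
    }
  }

  # The SCM (deployment) site gets its own allow-list instead of
  # inheriting the public-facing one (scm_use_main_ip_restriction stays false).
  scm_ip_restriction = {
    build_agents = { # map key is arbitrary
      name       = "allow-build-subnet"
      action     = "Allow"
      priority   = 100
      ip_address = "10.0.0.0/24" # constructed range
    }
  }

  cors = {
    api = { # map key is arbitrary
      allowed_origins     = ["https://app.example.com"] # constructed origin
      support_credentials = false
    }
  }
}
```

The release notes for 0.18.0 point to the module's examples/ip_restriction for the maintainers' own headers configuration.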
slot_application_insights
Description: Configures the Application Insights instance(s) for the deployment slot(s).
Type:
map(object({
  application_type = optional(string, "web")
  inherit_tags = optional(bool, false)
  location = optional(string)
  name = optional(string)
  resource_group_name = optional(string)
  tags = optional(map(any), null)
  workspace_resource_id = optional(string)
  daily_data_cap_in_gb = optional(number)
  daily_data_cap_notifications_disabled = optional(bool)
  retention_in_days = optional(number, 90)
  sampling_percentage = optional(number, 100)
  disable_ip_masking = optional(bool, false)
  local_authentication_disabled = optional(bool, false)
  internet_ingestion_enabled = optional(bool, true)
  internet_query_enabled = optional(bool, true)
  force_customer_storage_for_profiler = optional(bool, false)
}))
Default: {}
slots_storage_shares_to_mount_sensitive_values
Description: A map of sensitive values (Storage Access Key) for the Storage Account SMB file shares to mount to the Function App.
The key is the supplied input to var.storage_shares_to_mount.
The value is the secret value (storage access key).
Type: map(string)
Default: {}
sticky_settings
Description: A map of sticky settings to assign to the Function App.
- app_setting_names - (Optional) A list of app setting names to make sticky.
- connection_string_names - (Optional) A list of connection string names to make sticky.
sticky_settings = {
  sticky1 = {
    app_setting_names = ["example1", "example2"]
    connection_string_names = ["example1", "example2"]
  }
}
Type:
map(object({
  app_setting_names = optional(list(string))
  connection_string_names = optional(list(string))
}))
Default: {}
storage_account_access_key
Description: The access key of the Storage Account to deploy the Function App in. Conflicts with storage_uses_managed_identity (non-flex consumption function app configurations).
This will resolve to storage_access_key for flex consumption function apps. Must be specified if storage_authentication_type is set to StorageAccountConnectionString. Conflicts with storage_user_assigned_identity_id.
Type: string
Default: null
storage_account_name
Description: The name of the Storage Account to deploy the Function App in.
Type: string
Default: null
storage_account_share_name
Description: (Logic App)
Type: string
Default: null
storage_authentication_type
Description: The authentication type which will be used to access the backend storage account for the Function App.
Possible values are StorageAccountConnectionString, SystemAssignedIdentity, and UserAssignedIdentity.
Type: string
Default: null
storage_container_endpoint
Description: The backend storage container endpoint which will be used by this Function App.
Type: string
Default: null
storage_container_type
Description: The storage container type used for the Function App. The current supported type is blobContainer.
Type: string
Default: null
storage_key_vault_secret_id
Description: The ID of the secret in the key vault to use for the Storage Account access key.
Type: string
Default: null
storage_shares_to_mount
Description: A map of objects that represent Storage Account FILE SHARES to mount to the Function App.
This functionality is only available for Linux Function Apps, via documentation
The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- access_key - (Optional) The access key of the Storage Account.
- account_name - (Optional) The name of the Storage Account.
- name - (Optional) The name of the Storage Account to mount.
- share_name - (Optional) The name of the share to mount.
- type - (Optional) The type of Storage Account. Currently, only a type of AzureFiles is supported. Defaults to AzureFiles.
- mount_path - (Optional) The path to mount the Storage Account to.
storage_shares_to_mount = {
  storacc1 = {
    access_key = "00000000-0000-0000-0000-000000000000"
    account_name = "example"
    name = "example"
    share_name = "example"
    type = "AzureFiles"
    mount_path = "/mnt/example"
  }
}
Type:
map(object({
  access_key = string
  account_name = string
  mount_path = string
  name = string
  share_name = string
  type = optional(string, "AzureFiles")
}))
Default: {}
storage_user_assigned_identity_id
Description: The ID of the User Assigned Managed Identity to use for the Storage Account. Conflicts with storage_account_access_key.
Type: string
Default: null
storage_uses_managed_identity
Description: Should the Storage Account use a Managed Identity? Conflicts with storage_account_access_key.
Type: bool
Default: false
tags
Description: The map of tags to be applied to the resource
Type: map(string)
Default: null
timeouts
Description:
- create - (Defaults to 30 minutes) Used when creating the Linux Function App.
- delete - (Defaults to 30 minutes) Used when deleting the Linux Function App.
- read - (Defaults to 5 minutes) Used when retrieving the Linux Function App.
- update - (Defaults to 30 minutes) Used when updating the Linux Function App.
Type:
object({
  create = optional(string)
  delete = optional(string)
  read = optional(string)
  update = optional(string)
})
Default: null
use_extension_bundle
Description: Should the extension bundle be used? (Logic App)
Type: bool
Default: true
virtual_network_backup_restore_enabled
Description: Should backup and restore operations over the linked virtual network be enabled? Defaults to false.
Type: bool
Default: false
virtual_network_subnet_id
Description: The ID of the subnet to deploy the Function App in.
Type: string
Default: null
vnet_content_share_enabled
Description: Should the traffic for the content share be routed over the virtual network? Defaults to false.
Type: bool
Default: false
vnet_image_pull_enabled
Description: Should the traffic for the image pull be routed over the virtual network? Defaults to false.
Type: bool
Default: false
webdeploy_publish_basic_authentication_enabled
Description: Should basic authentication be enabled for web deploy?
Type: bool
Default: true
zip_deploy_file
Description: The path to the zip file to deploy to the Function App.
Type: string
Default: null
Outputs
The following outputs are exported:
application_insights
Description: The application insights resource.
deployment_slot_locks
Description: The locks of the deployment slots.
function_app_active_slot
Description: The active slot.
function_app_deployment_slots
Description: The deployment slots.
identity_principal_id
Description: The object principal id of the resource.
kind
Description: The kind of app service.
location
Description: The location of the resource.
name
Description: The name of the resource.
os_type
Description: The operating system type of the resource.
private_endpoint_locks
Description: The locks of the deployment slots.
resource
Description: This is the full output for the resource.
resource_id
Description: This is the full output for the resource.
resource_lock
Description: The locks of the resources.
resource_private_endpoints
Description: A map of private endpoints. The map key is the supplied input to var.private_endpoints. The map value is the entire azurerm_private_endpoint resource.
resource_uri
Description: The default hostname of the resource.
system_assigned_mi_principal_id
Description: value
system_assigned_mi_principal_id_slots
Description: Map or value of system-assigned managed identity principal IDs for resources slots (only for webapp & functionapp)
thumbprints
Description: The thumbprint of the certificate.
web_app_active_slot
Description: The active slot.
web_app_deployment_slots
Description: The deployment slots.
Modules
No modules.
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Release History
Version 0.18.0 - 2025-07-25
Breaking Change(s)
- potential breaking change regarding diagnostics setting to use category for log_categories
- potential breaking change regarding removing setting virtual_application by default, as provider issue needing workaround has been resolved (see here), addressing Issue #211
Feature(s)
- vnet_image_pull_enabled functionality available (addresses #210)
Update(s)
- removed client_secret_setting_name as its value will be decided automatically based on the result of applying the configuration. Attempting to set this argument resulted in errors with custom_oidc_v2 blocks as mentioned in Issue #206
- added auth_settings_v2 in examples/web_app
- updated examples/ip_restriction to show proper configuration of headers, addressing #215
What's Changed
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-web-site/pull/205
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-web-site/pull/208
- update: diagnostic settings to use category <-- category_group by @donovm4 in https://github.com/Azure/terraform-azurerm-avm-res-web-site/pull/213
- bugfix: removing client_secret_setting_name from root module by @donovm4 in https://github.com/Azure/terraform-azurerm-avm-res-web-site/pull/214
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-web-site/compare/v0.17.2...v0.18.0
Version 0.17.2 - 2025-06-16
Breaking Change(s)
NONE
Feature(s)
- new variable storage_user_assigned_identity_id for flex consumption scenarios with user assigned identities
Update(s)
- revised required_version to accept ">= 1.9, < 2.0"
- updated the following logic
storage_access_key = var.storage_authentication_type == "StorageAccountConnectionString" ? var.storage_account_access_key : null
storage_user_assigned_identity_id = var.storage_authentication_type == "UserAssignedIdentity" ? var.storage_user_assigned_identity_id : null
Version 0.17.1 - 2025-06-10
Breaking Change(s)
NONE
Feature(s)
- virtual_network_backup_restore_enabled for function apps
- scm_publish_basic_authentication_enabled functionality (from 0.17.0)
- ftp_publish_basic_authentication_enabled functionality (from 0.17.0)
Update(s)
- vnet_image_pull_enabled through azurerm instead of azapi
Version 0.17.0 - 2025-06-06
Breaking Change(s)
- Deprecation of access_key in deployment_slots. Please refer to slots_storage_shares_to_mount_sensitive_values. (addresses #196)
Feature(s)
- New variable vnet_image_pull_enabled allowing for vnet image pulling. (addresses #197)
Update(s)
- cookie_expiration_time now defaults to 08:00:00.
- Updated logic for system_assigned_mi_principal_id_slots.
Version 0.16.4 - 2025-04-17
Breaking Change(s)
None
Feature(s)
None
Update(s)
- fixing bug in 0.16.3 where module attempted to iterate over local null value for deployment_slots keys
Contributors
Version 0.16.3 - 2025-04-16
Breaking Change(s)
None
Feature(s)
- further addressing bug for private ip configurations (#173)
- implements logic for more accurate and non-breaking functionality for app service logs, specifically when application_logs/file_system_level is set to Off (#187)
Update(s)
None
Contributors
- @dave92082
Version 0.16.2 - 2025-04-10
Breaking Change(s)
None
Feature(s)
- incorporating logic for logicapp private endpoint and role assignment functionality addressing #189
Update(s)
None
Contributors
None
Version 0.16.1 - 2025-04-09
Breaking Change(s)
None
Feature(s)
None
Update(s)
- bug fix for slot private endpoints / private ip
Contributors
None
Version 0.16.0 - 2025-04-02
Breaking Change(s)
- bug fixes addressing the following issues:
- #177
- #179
- #181
- #183
Feature(s)
- logic app standard functionality
Update(s)
- updated auto_heal_enabled example
- avm updates
Contributors
- @dave92082
Version 0.15.2 - 2025-03-25
Breaking Change(s)
None
Feature(s)
None
Update(s)
- adding custom_container example (addresses #169)
- avm updates
Contributors
None
Version 0.15.1 - 2025-03-06
Breaking Change(s)
None
Feature(s)
None
Update(s)
- adding zip_deploy_file example (addresses #123)
Contributors
None
Version 0.15.0 - 2025-03-04
Breaking Change(s)
- azurerm required version increased to 4.21.1 for azurerm_function_app_flex_consumption
Feature(s)
- support for FC1/azurerm_function_app_flex_consumption (addresses #159)
Update(s)
None
Contributors
None
Version 0.14.2 - 2025-01-29
Breaking Change(s)
None
Feature(s)
None
Update(s)
- bugfix where additional_login_parameters was set to accept a list of string where provider expects a map of string (addresses Issue #157)
variable "auth_settings" {
type = map(object({
additional_login_parameters = optional(list(string)) ------> additional_login_parameters = optional(map(string))
.
.
.
- bugfix to address issue where if app_service_name is not explicitly set, module references name that will cause error (addresses Issue #156)
Before:
app_service_name = coalesce(each.value.app_service_name, "${var.name}-asp")
After:
app_service_name = coalesce(each.value.app_service_name, var.name, "${var.name}-asp")
NOTE: Will likely remove "${var.name}-asp" in the future.
- bugfix to properly add tags for slot private endpoints
Before:
tags = var.all_child_resources_inherit_tags ? merge(var.tags, each.value.pe_value.tags) : each.value.tags
After:
tags = var.all_child_resources_inherit_tags ? merge(var.tags, each.value.pe_value.tags) : each.value.pe_value.tags
Contributors
- @niekvanraaij (PR #155)
Version 0.14.1 - 2025-01-13
Breaking Change(s)
None
Feature(s)
- added new output system_assigned_mi_principal_id_slots for slots' principal id
Update(s)
None
Version 0.14.0 - 2024-12-19
BE AWARE - this version may introduce breaking changes to your existing configuration(s)
Breaking Change(s)
- introducing feature that allows for different application insights for slots via Issue #145, involving changes to logic regarding the application insights for deployment slots
CODE:
Function App Slots
application_insights_connection_string = var.enable_application_insights ? (each.value.site_config.slot_application_insights_object_key != null ? coalesce(each.value.site_config.application_insights_connection_string, azurerm_application_insights.slot[each.value.site_config.slot_application_insights_object_key].connection_string, azurerm_application_insights.this[0].connection_string) : coalesce(each.value.site_config.application_insights_connection_string, azurerm_application_insights.this[0].connection_string)) : null
application_insights_key = var.enable_application_insights ? (each.value.site_config.slot_application_insights_object_key != null ? coalesce(each.value.site_config.application_insights_key, azurerm_application_insights.slot[each.value.site_config.slot_application_insights_object_key].instrumentation_key, azurerm_application_insights.this[0].instrumentation_key) : coalesce(each.value.site_config.application_insights_key, azurerm_application_insights.this[0].instrumentation_key)) : null
Web App Slots
app_settings = var.enable_application_insights ? merge({ "APPLICATIONINSIGHTS_CONNECTION_STRING" = (each.value.site_config.slot_application_insights_object_key != null ? coalesce(each.value.site_config.application_insights_connection_string, azurerm_application_insights.slot[each.value.site_config.slot_application_insights_object_key].connection_string, azurerm_application_insights.this[0].connection_string) : coalesce(each.value.site_config.application_insights_connection_string, azurerm_application_insights.this[0].connection_string)) }, { "APPINSIGHTS_INSTRUMENTATIONKEY" = (each.value.site_config.slot_application_insights_object_key != null ? coalesce(each.value.site_config.application_insights_key, azurerm_application_insights.slot[each.value.site_config.slot_application_insights_object_key].instrumentation_key, azurerm_application_insights.this[0].instrumentation_key) : coalesce(each.value.site_config.application_insights_key, azurerm_application_insights.this[0].instrumentation_key)) }, each.value.app_settings) : each.value.app_settings
Feature(s)
- new slot_application_insights object variable
- new slot_application_insights_object_key variable
Update(s)
- addressed bug where dotnet_core_version was missing from application_stack (Issue #146)
- added the following to documentation of deployment_slots variable:
If you plan to use the attribute reference of an external Application Insights instance for application_insights_connection_string and application_insights_key, you will likely need to remove the sensitivity level. For example, using the nonsensitive function.
- updated example/deploy_slots_with_interfaces to show different application insights instance deployment model.
Version 0.13.0 - 2024-11-22
Breaking Change(s)
- module supports azurerm 4.8.x and later versions
- always_on defaults to true
- ftps_state defaults to "FtpsOnly"
- minimum_tls_version defaults to "1.3"
Feature(s)
None
Update(s)
- examples uses regions 0.8.x and later versions
- removed main.service_plan.tf and main.storage_account.tf
- removed comments from variables.tf
Version 0.12.1 - 2024-11-12
Breaking Change(s)
None
Feature(s)
- addressing bug where slot.site_config was missing virtual_application block via Issue #140
Update(s)
- .github/workflows upgrades
Version 0.12.0 - 2024-11-07
Breaking Change(s)
PLEASE READ! Includes VERY IMPORTANT Breaking Changes
- v0.12.0 will no longer support azurerm 3.x but will now support azurerm 4.x
Feature(s)
- azurerm 4.x support addressing Issue #122
- enabling tls 1.3 support through azurerm 4.8 support (Issue #136)
Update(s)
- bug fixes to unmanaged private endpoints with deployment slots as highlighted in PR #129
- arguments removed as no longer supported by azurerm 4.x
  - docker_container_name (as part of application_stack)
  - docker_container_tag (as part of application_stack)
  - path (as part of slow_request. Please use slow_request_with_path if needed.)
  - auto_heal_enabled
- login map made optional by module (still required by provider for auth_settings_v2) so that a default login map can be automatically set for auth_settings_v2 addressing Issue #130
Version 0.11.0 - 2024-10-23
Breaking Change(s)
PLEASE READ! Includes VERY IMPORTANT Breaking Changes
- module no longer supports the creation and management of App Service Plan
  - removed the following variables:
    - create_service_plan
    - new_service_plan
  - removed related outputs:
    - service_plan
    - service_plan_id
    - service_plan_name
  Users will need to reference an app service plan using service_plan_resource_id, thus making it a required input.
- module no longer supports the creation and management of Storage Account for Function App
  - removed the following variables:
    - function_app_create_storage_account
    - function_app_storage_account
    - function_app_storage_account_access_key
    - function_app_storage_account_inherit_lock
    - function_app_storage_account_name
    - function_app_storage_uses_managed_identity
  - removed related outputs:
    - storage_account
    - storage_account_lock
  Users can still supply an existing storage account using storage_account_access_key (or storage_uses_managed_identity) and storage_account_name.
- Terraform minimum required version raised to 1.9
Feature(s)
None
Update(s)
- fix: addressing Issue #120 where azurerm_windows_function_app site config was missing ip_restriction_default_action and scm_ip_restriction_default_action
- improvements to variable documentation
Version 0.10.0 - 2024-09-09
Breaking Change(s)
- migration to version 0.1.0 of avm-res-web-serverfarm from azurerm_service_plan
- removed certain outputs regarding service_plan
Feature(s)
- added additional support for avm-res-storage-storageaccount inputs
- added additional support for new_service_plan variable
Update(s)
- module now uses version 0.2.4 of avm-res-storage-storageaccount
- x_fd_health_probe to properly work when using ip_restriction/scm_ip_restriction and Azure Front Door
- module is now configured to zone redundant by default
  - worker_count defaults to 3
  - zone_balancing_enabled defaults to true
  - sku_name defaults to P1v2
Version 0.9.1 - 2024-08-19
Breaking Change(s)
None
Feature(s)
None
Update(s)
- updates for github policies and workflows
- removed providers from yml templates and markdown documentation
- removed examples for:
  - linux_function_app
  - linux_web_app
  - windows_function_app
  - windows_web_app
- created examples for:
  - function_app
  - web_app
Version 0.9.0 - 2024-07-30
Breaking Change(s)
- changes to key references of dynamic blocks application_logs and http_logs for logs via Issue #106
Feature(s)
None
Update(s)
- corrected azure_blob_storage block to reference azure_blob_storage_http instead of azure_blob_storage for http_logs
- added examples/logs
Version 0.8.1 - 2024-07-25
Breaking Change(s)
None
Feature(s)
- azurerm_app_service_slot_custom_hostname_binding now supports azurerm_[windows|linux]_web_app_slot
Previous Logic:
app_service_slot_id = var.os_type == "Windows" ? azurerm_windows_function_app_slot.this[each.value.app_service_slot_key].id : azurerm_linux_function_app_slot.this[each.value.app_service_slot_key].id
Current Logic:
app_service_slot_id = var.kind == "functionapp" ? (var.os_type == "Windows" ? azurerm_windows_function_app_slot.this[each.value.app_service_slot_key].id : azurerm_linux_function_app_slot.this[each.value.app_service_slot_key].id) : (var.os_type == "Windows" ? azurerm_windows_web_app_slot.this[each.value.app_service_slot_key].id : azurerm_linux_web_app_slot.this[each.value.app_service_slot_key].id)
- thumbprint can now reference existing thumbprint value with thumbprint_value
Previous Logic:
thumbprint = azurerm_app_service_certificate.this[each.value.thumbprint_key].thumbprint
Current Logic:
thumbprint = each.value.thumbprint_key != null ? azurerm_app_service_certificate.this[each.value.thumbprint_key].thumbprint : each.value.thumbprint_value
Update(s)
- thumbprints as new output
- cleaning examples/custom_domain/main.tf file
Version 0.8.0 - 2024-07-24
Breaking Change(s)
- new mapping for azurerm_app_service_custom_hostname_binding will likely affect any configurations with existing custom domains managed by terraform
Feature(s)
- functionality for custom domains for deployment slots using azurerm_app_service_slot_custom_hostname_binding resource via Issue #101.
  - uses slot_as_target in custom_domains as toggle to differentiate between azurerm_app_service_custom_hostname_binding and azurerm_app_service_slot_custom_hostname_binding
- azurerm_app_service_certificate to accept key_vault_id argument via Issue #102
Update(s)
- additional outputs added for:
  - function_app_active_slot
  - function_app_deployment_slots
  - kind
  - os_type
Version 0.7.3 - 2024-07-17
Breaking Change(s):
None
Feature(s):
- new telemetry
  - transition to use of modtm provider (view here)
  - removed locals.telemetry.tf
  - removed locals.telemetry.tf.json
Update(s):
- added examples/storage_uses_managed_identity
- fixed logic for storage_uses_managed_identity for azurerm_(windows | linux)_function_app via Issue #96
Previous:
storage_uses_managed_identity = var.function_app_storage_uses_managed_identity == true && var.function_app_storage_account_access_key == null && var.function_app_storage_account == null ? var.function_app_storage_uses_managed_identity : null
Current:
storage_uses_managed_identity = var.function_app_storage_uses_managed_identity == true && var.function_app_storage_account_access_key == null ? var.function_app_storage_uses_managed_identity : null
- updated logic for azurerm_linux_function_app and azurerm_linux_function_app_slot to account for created storage account's access key
storage_account_access_key = var.function_app_storage_account_access_key != null && var.function_app_storage_uses_managed_identity != true && var.function_app_create_storage_account != true ? var.function_app_storage_account_access_key : var.function_app_storage_account_access_key == null && var.function_app_storage_uses_managed_identity != true && var.function_app_create_storage_account ? module.avm_res_storage_storageaccount[0].resource.primary_access_key : null
Version 0.7.2 - 2024-07-03
Breaking Change(s)
None
Feature(s)
- lock functionality for function_app_storage_account
- lock functionality for deployment_slots
- deployment_slots_inherit_lock defaults to true
- function_app_storage_account_inherit_lock defaults to true
Update(s)
- output for the following:
  - deployment_slot_locks
  - private_endpoint_locks
  - resource_lock
  - storage_account_lock
Version 0.7.1 - 2024-06-25
Breaking Change(s)
None
Feature(s)
- output for system_assigned_mi_principal_id via RMFR7
- private_endpoints functionality with deployment_slots via Issue #88
- role_assignments functionality with deployment_slots
- lock functionality with function_app_storage_account
Update(s)
- added examples/deployment_slot
- added examples/deployment_slot_with_interfaces
- added examples/ip_restriction via Issue #85
Version 0.7.0 - 2024-06-21
Breaking Change(s)
- terraform required version set to ~>1.6
- variable client_certificate_mode now defaults to Required to match azurerm resource provider (previously Optional)
Features
- Deployment Slots via #64
- outputs for web_app_deployment_slots and web_app_active_slot
- outputs for identity_principal_id via #84
Update(s)
- added validation for auto_heal_enabled
  - only set auto_heal_enabled to true if configuring auto_heal_setting block
validation {
condition = var.site_config.auto_heal_enabled != null && var.site_config.auto_heal_enabled != true ? contains([true, null], var.site_config.auto_heal_enabled) : true
error_message = "The value of `auto_heal_enabled` can only be set to `true` or `null`."
}
Only set auto_heal_setting if auto_heal_enabled is set to true or configuration will result in provider issue
- added examples/auto_heal_enabled via #77
- added examples/slot
- module call for avm_res_storage_storageaccount uses enable_telemetry as toggle
- configured conditional output for managed and unmanaged private dns zone groups regarding azurerm_private_endpoints (output)
var.private_endpoints_manage_dns_zone_group ? azurerm_private_endpoint.this : azurerm_private_endpoint.this_unmanaged_dns_zone_groups
Version 0.6.3 - 2024-06-12
- addressing module/provider issue where if auto_heal_enabled was set to true or false, user was still expected to populate auto_heal_setting via Issue #77
  - terraform provider requires user to specify auto_heal_setting if auto_heal_enabled is not set to null in configuration.
  - added conditional that if auto_heal_enabled is not set to true, resolves to null to avoid provider error.
- bug fixes regarding functionality for dynamic action in auto_heal_setting
bug:
action_type = auto_heal_setting.value.action_type
minimum_process_execution_time = auto_heal_setting.value.minimum_process_execution_time
solution:
action_type = auto_heal_setting.value.action.action_type
minimum_process_execution_time = auto_heal_setting.value.action.minimum_process_execution_time
Version 0.6.2 - 2024-06-05
- addressing fix for backup where argument incorrectly referenced as retention_period_in_days instead of retention_in_days
Version 0.6.1 - 2024-06-04
- fixes logic for ftps_state affecting ftp_publish_basic_authentication_enabled and webdeploy_publish_basic_authentication_enabled for azurerm_windows_function_app, azurerm_linux_web_app, and azurerm_windows_web_app
- adds logic for storage_account_name concerning linux function app
storage_account_name = var.function_app_create_storage_account ? module.avm_res_storage_storageaccount[0].name : var.function_app_storage_account_name
- added example\basic_auth for basic authentication
Version 0.6.0 - 2024-06-03
- Module to reference v0.1.2 of avm_res_storage_storageaccount module (source) via Issue #67
  - added optional argument for location for function_app_storage_account variable
  - location will resolve to the location of the function app if not supplied in function_app_storage_account object
- addressed logic for webdeploy_publish_basic_authentication_enabled that only allowed for configuration if ftps_state was set to "AllAllowed" via Issue #71
Initial condition:
webdeploy_publish_basic_authentication_enabled = var.site_config.ftps_state == "AllAllowed" ? var.webdeploy_publish_basic_authentication_enabled : false
Current condition:
webdeploy_publish_basic_authentication_enabled = var.site_config.ftps_state == "Disabled" ? false : var.webdeploy_publish_basic_authentication_enabled
- addressing bug where dynamic custom_oidc_v2 blocks reference authorisation_endpoint but custom_oidc_v2 object had authorization_endpoint instead via Issue #66
- addressing bug where optional arguments within auth_settings_v2 were resolving to null instead of empty maps / objects, which caused errors via Issue #69
  - active_directory_v2
  - apple_v2
  - azure_static_web_app_v2
  - custom_oidc_v2
  - facebook_v2
  - github_v2
  - google_v2
  - twitter_v2
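The 0.6.0 change to webdeploy_publish_basic_authentication_enabled can be checked across every input combination. The following is an added example, not part of the module: a provider-free Terraform configuration that evaluates the initial and current conditions quoted above for each ftps_state value (AllAllowed, FtpsOnly, Disabled) and lists the combinations whose result differs. The local and output names are illustrative.

```hcl
# Added illustration: no providers or resources, only expression evaluation.
# Run `terraform init && terraform apply` in an empty directory to see the output.
terraform {
  required_version = ">= 1.0"
}

locals {
  # ftps_state values accepted by the azurerm site_config block.
  ftps_states = ["AllAllowed", "FtpsOnly", "Disabled"]

  # Possible values of var.webdeploy_publish_basic_authentication_enabled.
  requested = [true, false]

  cases = flatten([
    for state in local.ftps_states : [
      for req in local.requested : {
        ftps_state = state
        requested  = req
        # Initial condition (before 0.6.0), as quoted in the changelog.
        initial = state == "AllAllowed" ? req : false
        # Current condition (0.6.0), as quoted in the changelog.
        current = state == "Disabled" ? false : req
      }
    ]
  ])

  # Inputs for which the effective setting changes on upgrade.
  changed_on_upgrade = [for c in local.cases : c if c.initial != c.current]
}

output "changed_on_upgrade" {
  description = "ftps_state / requested pairs whose effective WebDeploy basic-auth value differs between the two conditions"
  value       = local.changed_on_upgrade
}
```

Only ftps_state = "FtpsOnly" with the variable set to true differs: the initial condition forced false, while the current one passes true through. Configurations in that state begin allowing WebDeploy basic authentication after the upgrade unless the variable is set to false.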
Version 0.5.0 - 2024-05-16
- virtual_application default supported in site_config for azurerm_windows_web_app:
  - This is to address the following issues:
    - Issue #52
    - Provider Issue where always_on is toggled off but provider attempts to add default virtual_application on plan/apply after initial apply.
- headers to type map(object) instead of object
  - Addresses Issue #53
- removal of logic for "APPLICATIONINSIGHTS_CONNECTION_STRING" and "APPINSIGHTS_INSTRUMENTATIONKEY" in app_settings for azurerm_(windows|linux)_function_app
  - Addresses Issue #55 / Issue #56
  - use arguments application_insights_connection_string and application_insights_key in site_config variable as provider will set "APPLICATIONINSIGHTS_CONNECTION_STRING" and "APPINSIGHTS_INSTRUMENTATIONKEY" keys in app_settings accordingly
Version 0.4.0 - 2024-05-06
- fixing bug where module references to undeclared resource:
  - ip_restriction dynamic block that wrongly references scm_ip_restriction instead of ip_restriction
- addresses additional feature capabilities for new_service_plan:
  - maximum_elastic_worker_count
  - per_site_scaling_enabled
  - worker_count
  - zone_balancing_enabled
Version 0.3.0 - 2024-04-18
- APRL recommendation:
  - Application Insights enabled by default (via enable_application_insights)
- Linting fixes for interfaces:
  - managed_identities:
    - nullable set to false
  - private_endpoints:
    - removed inherit_lock argument
    - removed inherit_tags argument
    - nullable set to false
  - lock:
    - kind is required argument
    - default set to null instead of {}
    - removed None as valid values for kind
  - role_assignments:
    - nullable set to false
  - tags:
    - type set to map(string) instead of map(any)
    - default set to null instead of {}
- Deprecated variables/arguments:
  - inherit_lock argument in private_endpoints
  - inherit_tags argument in private_endpoints
- New variables:
  - all_child_resources_inherit_tags
  - all_child_resources_inherit_lock
  - private_endpoints_inherit_lock
  - private_endpoints_manage_dns_zone_group
Version 0.2.1 - 2024-04-02
Additional outputs:
- application_insights
- service_plan
- storage_account
Version 0.2.0 - 2024-03-27
- feat: functionality to deploy web apps
  - kind variable to determine functionapp or webapp
- feat: functionality to create new storage account within module
- feat: functionality to create new service plan within module
- feat: functionality to reference app service environment
Version 0.1.2 - 2024-03-12
- doc fixes
- update locals.version.tf.json
- update examples to reference 0.1.2
Version 0.1.1 - 2024-03-12
- doc fixes
- feat: custom domain
- feat: application insights
{
"workingFolder": "packages",
"packages": [
// packages defined earlier
{
"name": "avm-terraform/web-site",
"version": "0.18.0"
}
]
}
This package has no dependencies
Stats
Selected version: 0.18.0
Downloads this version: 0
Downloads all versions: 0
Latest version: 0.18.0
Latest update: 29-07-2025