Terraform Overlay module for SCCA Compliant Azure App Service to use with the Azure NoOps Accelerator

dsetlock/terraform-azurerm-overlays-app-service

 
 

Azure App Service Web (Linux or Windows) Overlay Terraform Module

Changelog MIT License TF Registry

This Terraform module creates an Azure Service Plan using our dedicated Terraform module and creates an Azure App Service Web (Linux or Windows) associated with an Application Insights component. It also enables a private endpoint. This module can be used with an SCCA compliant network.

SCCA Compliance

This module can be SCCA compliant and can be used in an SCCA compliant network. Enable private endpoints and SCCA compliant network rules to make it SCCA compliant.

For more information, please read the SCCA documentation.

Contributing

If you want to contribute to this repository, feel free to contribute to our Terraform module.

More details are available in the CONTRIBUTING.md file.

Resources Used

Overlay Module Usage

# Azurerm Provider configuration
provider "azurerm" {
  features {}
}

module "mod_app_service" {
  source  = "azurenoops/overlays-app-service/azurerm"
  version = "x.x.x"

  # By default, this module creates a resource group. To use an existing
  # resource group instead, set `create_app_service_resource_group = false`
  # and provide the name of the existing group. The location of the group
  # will remain the same if you use the existing resource group.
  create_app_service_resource_group = true
  location                          = module.mod_azure_region_lookup.location_cli
  environment                       = "public"
  deploy_environment                = "dev"
  org_name                          = "anoa"
  workload_name                     = "kv"

  # This is to enable the features of the key vault
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # This controls public access to the key vault. Since we are using a private endpoint, we disable it.
  public_network_access_enabled = false

  # Creating a private endpoint requires a VNet name.
  # By default this will create a `privatelink.azurecr.io` DNS zone if created in the commercial cloud.
  # To use an existing subnet, specify `existing_subnet_id` with a valid subnet ID.
  # To use an existing private DNS zone, specify `existing_private_dns_zone` with a valid zone name.
  # Private endpoints don't work if `existing_subnet_id` is not used to create redis inside a specified VNet.
  enable_private_endpoint = false
  # existing_subnet_id      = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-anoa-dev-kv/providers/Microsoft.Network/virtualNetworks/vnet-anoa-dev-kv/subnets/snet-anoa-dev-kv"
  # virtual_network_name    = "vnet-anoa-dev-kv"
  # existing_private_dns_zone     = "demo.example.com"

  # Current user should be here to be able to create keys and secrets
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]
  
  # This is to enable resource locks for the key vault. 
  enable_resource_locks = false

  # Tags for Azure Resources
  add_tags = {
    example = "basic deployment of key vault"
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| azurenoopsutils | ~> 1.0.4 |
| azurerm | ~> 3.22 |

Providers

| Name | Version |
|------|---------|
| azurenoopsutils | ~> 1.0.4 |
| azurerm | ~> 3.22 |

Modules

| Name | Source | Version |
|------|--------|---------|
| mod_azure_region_lookup | azurenoops/overlays-azregions-lookup/azurerm | ~> 1.0.0 |
| mod_key_vault | azurenoops/overlays-key-vault/azurerm | ~> 1.0.0 |
| mod_scaffold_rg | azurenoops/overlays-resource-group/azurerm | ~> 1.0.1 |
| overlays-storage-account | azurenoops/overlays-storage-account/azurerm | ~> 0.1.0 |

Resources

| Name | Type |
|------|------|
| azurerm_application_insights.app_service_app_insights | resource |
| azurerm_key_vault_access_policy.app_access_policy | resource |
| azurerm_linux_function_app.func | resource |
| azurerm_linux_function_app_slot.example | resource |
| azurerm_management_lock.resource_group_level_lock | resource |
| azurerm_service_plan.asp | resource |
| azurerm_user_assigned_identity.app_identity | resource |
| azurerm_windows_function_app.func | resource |
| azurerm_windows_function_app_slot.slot | resource |
| azurerm_windows_web_app.appService | resource |
| azurerm_windows_web_app_slot.slot | resource |
| azurenoopsutils_resource_name.azurerm_app_service | data source |
| azurerm_app_service_environment_v3.ase | data source |
| azurerm_client_config.current | data source |
| azurerm_key_vault.app_key_vault | data source |
| azurerm_resource_group.rg | data source |
| azurerm_service_plan.asp | data source |
| azurerm_storage_account.sa | data source |
| azurerm_subnet.pe_subnet | data source |
| azurerm_user_assigned_identity.app_identity | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| add_tags | Map of custom tags. | map(string) | {} | no |
| app_service_environment | The name of the app service environment to deploy to (Optional) | string | null | no |
| app_service_name | The name of the app service to be deployed. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| app_service_plan_os_type | The kind of the app service plan to deploy to (Optional) | string | "Windows" | no |
| app_service_plan_sku_name | Specifies the SKU for the plan | string | null | no |
| app_service_resource_type | The resource type of the app service plan to deploy to (Optional) | string | "App" | no |
| app_storage_account_name | Name of an existing storage account to use with the app | string | null | no |
| application_stack | Specifies the application stack for the app service | string | null | no |
| create_app_keyvault | Controls if the keyvault should be created. Default is true. | bool | true | no |
| create_app_service_plan | Controls if the app service plan should be created. If set to false, the app service plan name must be provided. Default is true. | bool | true | no |
| create_app_storage_account | Controls if the storage account should be created. Default is true. | bool | true | no |
| create_resource_group | Controls if the resource group should be created. If set to false, the resource group name must be provided. Default is false. | bool | false | no |
| custom_resource_group_name | The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| deploy_environment | Name of the workload's environment | string | n/a | yes |
| deployment_slot_count | Specifies the number of deployment slots for the app service | number | 0 | no |
| dotnet_core_version | Specifies the dotnet core version for the app service | string | null | no |
| dotnet_version | Specifies the dotnet version for the app service | string | null | no |
| enable_application_insights | Controls if the application insights should be created. Default is true. | bool | true | no |
| enable_resource_locks | (Optional) Enable resource locks, default is false. If true, resource locks will be created for the resource group and the storage account. | bool | false | no |
| environment | The Terraform backend environment e.g. public or usgovernment | string | n/a | yes |
| existing_app_service_plan_name | Name of the existing app service plan to use | string | null | no |
| existing_resource_group_name | The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| health_check_path | Specifies the health check path for the app service | string | null | no |
| java_version | Specifies the java version for the app service | string | null | no |
| location | Azure region in which instance will be hosted | string | n/a | yes |
| lock_level | (Optional) If locks are enabled, specifies the level to be used for this lock. | string | "CanNotDelete" | no |
| log_analytics_workspace_id | The name of the log analytics workspace to deploy application insights to (Optional) | string | null | no |
| name_prefix | Optional prefix for the generated name | string | "" | no |
| name_suffix | Optional suffix for the generated name | string | "" | no |
| org_name | Name of the organization | string | n/a | yes |
| private_endpoint_subnet_name | The name of the private endpoint subnet to deploy KeyVault to (Optional) | string | null | no |
| use_32_bit_worker | Use 32 bit worker for the app service | bool | false | no |
| use_location_short_name | Use short location name for resources naming (i.e. eastus -> eus). Default is true. If set to false, the full cli location name will be used. If custom naming is set, this variable will be ignored. | bool | true | no |
| use_naming | Use the Azure NoOps naming provider to generate default resource name. storage_account_custom_name overrides this if set. Legacy default name is used if this is set to false. | bool | true | no |
| virtual_network_name | The name of the virtual network to deploy KeyVault to (Optional) | string | null | no |
| workload_name | Name of the workload_name | string | n/a | yes |
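
The usage block earlier on this page passes arguments (for example `enabled_for_deployment`, `public_network_access_enabled` and `admin_objects_ids`) that are not listed in the Inputs table above. As an added example, not taken from the module's repository, here is a module call that uses only the documented inputs and turns on the resource lock. Every value is a constructed placeholder; the SKU, .NET version, health check path and network names are assumptions.

```hcl
# Added example, not from the module's repository. Argument names come from
# the Inputs table on this page; all values are constructed placeholders.
provider "azurerm" {
  features {}
}

module "mod_app_service" {
  source  = "azurenoops/overlays-app-service/azurerm"
  version = "x.x.x" # placeholder, as in the page's own usage block

  # Required inputs
  location           = "eastus"
  environment        = "public"
  deploy_environment = "dev"
  org_name           = "anoa"
  workload_name      = "web"

  # Create a dedicated resource group (the documented default is false)
  create_resource_group = true

  # Service plan and app
  create_app_service_plan   = true
  app_service_plan_os_type  = "Windows"
  app_service_resource_type = "App"
  app_service_plan_sku_name = "P1v2"     # assumed SKU
  dotnet_version            = "v6.0"     # assumed value format
  use_32_bit_worker         = false
  health_check_path         = "/healthz" # assumed application path

  # Supporting resources the module can create alongside the app
  create_app_keyvault         = true
  create_app_storage_account  = true
  enable_application_insights = true

  # Existing network that hosts the private endpoint subnet (assumed names)
  virtual_network_name         = "vnet-anoa-dev-web"
  private_endpoint_subnet_name = "snet-anoa-dev-web-pe"

  # Protect the deployment against accidental deletion
  enable_resource_locks = true
  lock_level            = "CanNotDelete"

  add_tags = {
    example = "app service with private endpoint subnet and resource lock"
  }
}
```

Run `terraform validate` against the module version you pin: it reports any argument the module does not declare, which is the quickest way to confirm this list against the code.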

Outputs

No outputs.
