This Terraform module creates an Azure Function App with its App Service Plan, a consumption plan by default. A Storage Account and an Application Insights are required and are created if not provided. This module allows to deploy a application from a local or remote ZIP file that will be stored on the associated storage account.
You can create an Azure Function without plan by using the submodule modules/functionapp.
Azure Functions v3 are now supported by this module and is the default one.
Based on a current limitation, you cannot mix Windows and Linux apps in the same resource group.
Limitations documentation: docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-intro#limitations
| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | >= 3.0 | |
| >= 6.x.x | 1.x | >= 3.0 | |
| >= 5.x.x | 0.15.x | >= 2.0 | |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
| >= 3.x.x | 0.12.x | >= 2.0 | |
| >= 2.x.x | 0.12.x | < 2.0 | |
| < 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
### Windows
module "function_app_windows" {
source = "claranet/function-app/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.name
name_prefix = "hello"
os_type = "Windows"
application_settings = {
"tracker_id" = "AJKGDFJKHFDS"
"backend_api_url" = "https://backend.domain.tld/api"
}
storage_account_identity_type = "SystemAssigned"
# application_insights_log_analytics_workspace_id = module.logs.log_analytics_workspace_id
logs_destinations_ids = [
# module.logs.logs_storage_account_id,
# module.logs.log_analytics_workspace_id
]
extra_tags = {
foo = "bar"
}
}
### Linux
module "function_app_linux" {
source = "claranet/function-app/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
stack = var.stack
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.name
name_prefix = "hello"
os_type = "Linux"
function_app_version = 4
site_config = {
application_stack = {
python_version = "3.9"
}
}
application_settings = {
"tracker_id" = "AJKGDFJKHFDS"
"backend_api_url" = "https://backend.domain.tld/api"
}
storage_account_identity_type = "SystemAssigned"
# application_insights_log_analytics_workspace_id = module.logs.log_analytics_workspace_id
logs_destinations_ids = [
# module.logs.logs_storage_account_id,
# module.logs.log_analytics_workspace_id
]
extra_tags = {
foo = "bar"
}
}No providers.
| Name | Source | Version |
|---|---|---|
| linux_function | ./modules/linux-function | n/a |
| service_plan | claranet/app-service-plan/azurerm | ~> 8.0.0 |
| windows_function | ./modules/windows-function | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_ips | IPs restriction for Function in CIDR format. See documentation. | list(string) |
[] |
no |
| allowed_service_tags | Service Tags restriction for Function App. See documentation. | list(string) |
[] |
no |
| allowed_subnet_ids | Subnets restriction for Function App. See documentation. | list(string) |
[] |
no |
| app_service_environment_id | ID of the App Service Environment to create this Service Plan in. Requires an Isolated SKU. Use one of I1, I2, I3 for azurerm_app_service_environment, or I1v2, I2v2, I3v2 for azurerm_app_service_environment_v3. | string |
null |
no |
| application_insights_custom_name | Custom name for application insights deployed with function app. | string |
"" |
no |
| application_insights_daily_data_cap | Daily data volume cap (in GB) for Application Insights. | number |
null |
no |
| application_insights_daily_data_cap_notifications_disabled | Whether disable email notifications when data volume cap is met. | bool |
null |
no |
| application_insights_enabled | Whether Application Insights should be deployed. | bool |
true |
no |
| application_insights_extra_tags | Extra tags to add to Application Insights. | map(string) |
{} |
no |
| application_insights_force_customer_storage_for_profiler | Whether to enforce users to create their own Storage Account for profiling in Application Insights. | bool |
false |
no |
| application_insights_id | ID of the existing Application Insights to use instead of deploying a new one. | string |
null |
no |
| application_insights_internet_ingestion_enabled | Whether ingestion support from Application Insights component over the Public Internet is enabled. | bool |
true |
no |
| application_insights_internet_query_enabled | Whether querying support from Application Insights component over the Public Internet is enabled. | bool |
true |
no |
| application_insights_ip_masking_disabled | Whether IP masking in logs is disabled. | bool |
false |
no |
| application_insights_local_authentication_disabled | Whether Non-Azure AD based authentication is disabled. | bool |
false |
no |
| application_insights_log_analytics_workspace_id | ID of the Log Analytics Workspace to be used with Application Insights. | string |
null |
no |
| application_insights_name_prefix | Application Insights name prefix. | string |
"" |
no |
| application_insights_retention | Retention period (in days) for logs. | number |
90 |
no |
| application_insights_sampling_percentage | Percentage of data produced by the monitored application sampled for Application Insights telemetry. | number |
null |
no |
| application_insights_type | Application Insights type if need to be generated. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights#application_type | string |
"web" |
no |
| application_settings | Function App application settings. | map(string) |
{} |
no |
| application_settings_drift_ignore | Ignore drift from settings manually set. | bool |
true |
no |
| application_zip_package_path | Local or remote path of a zip package to deploy on the Function App. | string |
null |
no |
| auth_settings_v2 | Authentication settings V2. See documentation. | any |
{} |
no |
| builtin_logging_enabled | Whether built-in logging is enabled. | bool |
true |
no |
| client_certificate_enabled | Whether the Function App uses client certificates. | bool |
null |
no |
| client_certificate_mode | The mode of the Function App's client certificates requirement for incoming requests. Possible values are Required, Optional, and OptionalInteractiveUser. |
string |
null |
no |
| client_name | Client name/account used in naming. | string |
n/a | yes |
| default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
| diagnostic_settings_custom_name | Custom name of the diagnostics settings, name will be default if not set. |
string |
"default" |
no |
| environment | Project environment. | string |
n/a | yes |
| extra_tags | Extra tags to add. | map(string) |
{} |
no |
| function_app_custom_name | Custom name for function app. | string |
"" |
no |
| function_app_extra_tags | Extra tags to add to Function App. | map(string) |
{} |
no |
| function_app_name_prefix | Function App name prefix. | string |
"" |
no |
| function_app_version | Version of the function app runtime to use. | number |
3 |
no |
| https_only | Whether HTTPS traffic only is enabled. | bool |
true |
no |
| identity_ids | User Assigned Identities IDs to add to Function App. Mandatory if type is UserAssigned. |
list(string) |
null |
no |
| identity_type | Add a Managed Identity (MSI) to the function app. Possible values are SystemAssigned, UserAssigned and SystemAssigned, UserAssigned which assigns both a system managed identity as well as the specified user assigned identities. |
string |
"SystemAssigned" |
no |
| ip_restriction_headers | IPs restriction headers for Function. See documentation. | map(list(string)) |
null |
no |
| location | Azure location for Function App and related resources. | string |
n/a | yes |
| location_short | Short string for Azure location. | string |
n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
| logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character. |
list(string) |
n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
| maximum_elastic_worker_count | Maximum number of workers to use in an Elastic SKU Plan. Cannot be set unless using an Elastic SKU. | number |
null |
no |
| name_prefix | Optional prefix for the generated name. | string |
"" |
no |
| name_suffix | Optional suffix for the generated name. | string |
"" |
no |
| os_type | OS type for the Functions to be hosted in the Service Plan. Possible values include Windows, Linux, and WindowsContainer. |
string |
n/a | yes |
| per_site_scaling_enabled | Should per site scaling be enabled on the Service Plan. | bool |
false |
no |
| rbac_storage_blob_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the Storage Blob Data * different roles to if Blob containers are created. |
object({ |
{} |
no |
| rbac_storage_contributor_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the Storage Account Contributor role to. |
list(string) |
[] |
no |
| rbac_storage_file_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the Storage File Data * different roles to if File Shares are created. |
object({ |
{} |
no |
| rbac_storage_queue_contributor_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the Storage Queue Data * role to. |
object({ |
{} |
no |
| rbac_storage_table_role_principal_ids | The principal IDs of the users, groups, and service principals to assign the Storage Table Data * role to. |
object({ |
{} |
no |
| resource_group_name | Resource group name. | string |
n/a | yes |
| scm_allowed_ips | SCM IPs restriction for Function App. See documentation. | list(string) |
[] |
no |
| scm_allowed_service_tags | SCM Service Tags restriction for Function App. See documentation. | list(string) |
[] |
no |
| scm_allowed_subnet_ids | SCM subnets restriction for Function App. See documentation. | list(string) |
[] |
no |
| scm_ip_restriction_headers | IPs restriction headers for Function App. See documentation. | map(list(string)) |
null |
no |
| service_plan_custom_name | Name of the App Service Plan, generated if not set. | string |
"" |
no |
| service_plan_extra_tags | Extra tags to add to Service Plan. | map(string) |
{} |
no |
| site_config | Site config for Function App. See documentation. IP restriction attribute is not managed in this block. | any |
{} |
no |
| sku_name | The SKU for the Service Plan. Possible values include B1, B2, B3, D1, F1, I1, I2, I3, I1v2, I2v2, I3v2, P1v2, P2v2, P3v2, P1v3, P2v3, P3v3, P1mv3, P2mv3, P3mv3, P4mv3, P5mv3, S1, S2, S3, SHARED, EP1, EP2, EP3, WS1, WS2, WS3, and Y1. | string |
"Y1" |
no |
| stack | Project stack name. | string |
n/a | yes |
| staging_slot_custom_application_settings | Override staging slot with custom application settings. | map(string) |
null |
no |
| staging_slot_custom_name | Custom name of the Function App slot. | string |
null |
no |
| staging_slot_enabled | Create a staging slot alongside the Function App for blue/green deployment purposes. | bool |
false |
no |
| sticky_settings | Lists of connection strings and app settings to prevent from swapping between slots. | object({ |
null |
no |
| storage_account_advanced_threat_protection_enabled | Whether advanced threat protection is enabled. See documentation: https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection?tabs=azure-portal | bool |
false |
no |
| storage_account_allowed_ips | IPs restrictions for Function Storage Account in CIDR format. | list(string) |
[] |
no |
| storage_account_custom_name | Custom name of the Storage account to attach to function. | string |
null |
no |
| storage_account_extra_tags | Extra tags to add to Storage Account. | map(string) |
{} |
no |
| storage_account_https_traffic_only_enabled | Whether HTTPS traffic only is enabled for Storage Account. | bool |
true |
no |
| storage_account_id | ID of the existing Storage Account to use. | string |
null |
no |
| storage_account_identity_ids | Specifies a list of User Assigned Managed Identity IDs to be assigned to the Storage Account. | list(string) |
null |
no |
| storage_account_identity_type | Type of Managed Service Identity that should be configured on the Storage Account. | string |
null |
no |
| storage_account_kind | Storage Account Kind. | string |
"StorageV2" |
no |
| storage_account_min_tls_version | Storage Account minimal TLS version. | string |
"TLS1_2" |
no |
| storage_account_name_prefix | Storage Account name prefix. | string |
"" |
no |
| storage_account_network_bypass | Whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. |
list(string) |
[ |
no |
| storage_account_network_rules_enabled | Whether to enable Storage Account network default rules for functions. | bool |
true |
no |
| storage_uses_managed_identity | Whether the Function App use Managed Identity to access the Storage Account. Caution This disable the storage keys on the Storage Account if created within the module. | bool |
false |
no |
| use_existing_storage_account | Whether existing Storage Account should be used instead of creating a new one. | bool |
false |
no |
| vnet_integration_subnet_id | ID of the subnet to associate with the Function App (Virtual Network integration). | string |
null |
no |
| worker_count | Number of Workers (instances) to be allocated. | number |
null |
no |
| zone_balancing_enabled | Should the Service Plan balance across Availability Zones in the region. Defaults to false because the default SKU Y1 for the App Service Plan cannot use this feature. |
bool |
false |
no |
| Name | Description |
|---|---|
| application_insights_app_id | App ID of the associated Application Insights. |
| application_insights_application_type | Application Type of the associated Application Insights. |
| application_insights_id | ID of the associated Application Insights. |
| application_insights_instrumentation_key | Instrumentation key of the associated Application Insights. |
| application_insights_name | Name of the associated Application Insights. |
| connection_string | Connection string of the created Function App. |
| default_hostname | Default hostname of the created Function App. |
| id | ID of the created Function App. |
| identity_principal_id | Identity principal ID output of the Function App. |
| linux_function_app | Linux Function App output object if Linux is chosen. Please refer to ./modules/linux-function/README.md |
| module_service_plan | Service Plan module object. |
| name | Name of the created Function App. |
| os_type | The OS type for the Functions to be hosted in this plan. |
| outbound_ip_addresses | Outbound IP adresses of the created Function App. |
| possible_outbound_ip_addresses | All possible outbound IP adresses of the created Function App. |
| resource_application_insights | Application Insights resource object. |
| service_plan_id | ID of the created Service Plan. |
| service_plan_name | Name of the created Service Plan. |
| slot_default_hostname | Default hostname of the Function App slot. |
| slot_identity | Identity block output of the Function App slot. |
| slot_name | Name of the Function App slot. |
| storage_account_id | Storage Account ID, empty if connection string provided. |
| storage_account_name | Storage Account name, empty if connection string provided. |
| storage_account_network_rules | Storage Account associated network rules. |
| storage_account_primary_access_key | Storage Account primary access key, empty if connection string provided. |
| storage_account_primary_connection_string | Storage Account primary connection string, empty if connection string provided. |
| storage_account_secondary_access_key | Storage Account secondary access key, empty if connection string provided. |
| storage_account_secondary_connection_string | Storage Account secondary connection string, empty if connection string provided. |
| windows_function_app | Windows Function App output object if Windows is chosen. Please refer to ./modules/windows-function/README.md |
Microsoft Azure Functions documentation: github.com/Azure/Azure-Functions#documentation-1