This module is used to manage Container Apps Managed Environments.
This module is composite and includes sub modules that can be used independently for deploying sub resources. These are:
- dapr_component - creation of Dapr components.
- storage - presentation of Azure Files Storage.
Major version Zero (0.y.z) is for initial development. Anything MAY change at any time. A module SHOULD NOT be considered stable till at least it is major version one (1.0.0) or greater. Changes will always be via new versions being published and no changes will be made to existing published versions. For more details please go to https://semver.org/
The following requirements are needed by this module:
The following resources are used by this module:
- azapi_resource.this_environment (resource)
- azurerm_management_lock.this (resource)
- azurerm_monitor_diagnostic_setting.this (resource)
- azurerm_role_assignment.this (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azapi_client_config.current (data source)
- azapi_client_config.telemetry (data source)
- azapi_resource.customer_id (data source)
- modtm_module_source.telemetry (data source)
The following input variables are required:
Description: Azure region where the resource should be deployed.
Type: string
Description: The name of the Container Apps Managed Environment.
Type: string
Description: (Required) The name of the resource group in which the Container App Environment is to be created. Changing this forces a new resource to be created.
Type: string
The following input variables are optional (have default values):
Description: A map of certificates to create on the Container Apps Managed Environment. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
Each certificate can be configured in one of two ways:
Direct Certificate Upload:
certificate_password- (Optional) The password for the certificate (WriteOnly). Required when using direct certificate upload.certificate_value- (Optional) The PFX or PEM blob for the certificate (WriteOnly). Required when using direct certificate upload.
Key Vault Reference:
key_vault_url- (Optional) URL pointing to the Azure Key Vault secret that holds the certificate. Required when using Key Vault reference.key_vault_identity- (Optional) Resource ID of a managed identity to authenticate with Azure Key Vault, or 'System' to use a system-assigned identity. Required when using Key Vault reference.
timeouts block supports the following:
create- (Defaults to 30 minutes) Used when creating the certificate.delete- (Defaults to 30 minutes) Used when deleting the certificate.read- (Defaults to 5 minutes) Used when retrieving the certificate.update- (Defaults to 30 minutes) Used when updating the certificate.
Examples:
Direct certificate upload:
certificates = {
"my-cert" = {
certificate_password = "password123"
certificate_value = file("./cert.pfx")
}
}
Key Vault reference with system-assigned identity:
certificates = {
"my-kv-cert" = {
key_vault_url = "https://myvault.vault.azure.net/secrets/mycert"
key_vault_identity = "System"
}
}
Key Vault reference with user-assigned identity:
certificates = {
"my-kv-cert" = {
key_vault_url = "https://myvault.vault.azure.net/secrets/mycert"
key_vault_identity = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity"
}
}
Type:
map(object({
# Direct certificate upload
certificate_password = optional(string)
certificate_value = optional(string)
# Key Vault reference
key_vault_url = optional(string)
key_vault_identity = optional(string) # or "System"
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
}))Default: {}
Description: Resource ID of a managed identity to authenticate with Azure Key Vault for the custom domain certificate, or 'System' to use a system-assigned identity.
This is used when configuring a custom domain for the entire environment (not individual certificates).
Must be used in conjunction with custom_domain_certificate_key_vault_url.
Type: string
Default: null
Description: URL pointing to the Azure Key Vault secret that holds the certificate for the custom domain.
This is used when configuring a custom domain for the entire environment (not individual certificates).
Must be used in conjunction with custom_domain_certificate_key_vault_identity.
Type: string
Default: null
Description: Certificate password for custom domain.
Type: string
Default: null
Description: PFX or PEM blob for the custom domain certificate (WriteOnly).
This is an alternative to using custom_domain_certificate_key_vault_url for direct certificate upload.
If using Key Vault reference, leave this as null and use custom_domain_certificate_key_vault_url instead.
Type: string
Default: null
Description: DNS suffix for custom domain.
Type: string
Default: null
Description: Application Insights connection string used by Dapr to export Service to Service communication telemetry.
Type: string
Default: null
Description: - component_type - (Required) The Dapr Component Type. For example state.azure.blobstorage. Changing this forces a new resource to be created.
ignore_errors- (Optional) Should the Dapr sidecar to continue initialisation if the component fails to load. Defaults tofalseinit_timeout- (Optional) The timeout for component initialisation as aISO8601formatted string. e.g.5s,2h,1m. Defaults to5s.secret_store_component- (Optional) Name of a Dapr component to retrieve component secrets from.scopes- (Optional) A list of scopes to which this component applies.version- (Required) The version of the component.
metadata block supports the following:
name- (Required) The name of the Metadata configuration item.secret_name- (Optional) The name of a secret specified in thesecretsblock that contains the value for this metadata configuration item.value- (Optional) The value for this metadata configuration item.
secret block supports the following:
name- (Required) The Secret name.value- (Required) The value for this secret.
timeouts block supports the following:
create- (Defaults to 30 minutes) Used when creating the Container App Environment Dapr Component.delete- (Defaults to 30 minutes) Used when deleting the Container App Environment Dapr Component.read- (Defaults to 5 minutes) Used when retrieving the Container App Environment Dapr Component.update- (Defaults to 30 minutes) Used when updating the Container App Environment Dapr Component.
Type:
map(object({
component_type = string
ignore_errors = optional(bool, true)
init_timeout = optional(string)
secret_store_component = optional(string)
scopes = optional(list(string))
version = string
metadata = optional(list(object({
name = string
secret_name = optional(string)
value = optional(string)
})))
secret = optional(set(object({
name = string
value = string
})))
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
}))
}))Default: {}
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
name- (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.log_categories- (Optional) A set of log categories to send to the log analytics workspace. Defaults to[].log_groups- (Optional) A set of log groups to send to the log analytics workspace. Defaults to["allLogs"].metric_categories- (Optional) A set of metric categories to send to the log analytics workspace. Defaults to["AllMetrics"].log_analytics_destination_type- (Optional) The destination type for the diagnostic setting. Possible values areDedicatedandAzureDiagnostics. Defaults toDedicated.workspace_resource_id- (Optional) The resource ID of the log analytics workspace to send logs and metrics to.storage_account_resource_id- (Optional) The resource ID of the storage account to send logs and metrics to.event_hub_authorization_rule_resource_id- (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.event_hub_name- (Optional) The name of the event hub. If none is specified, the default event hub will be selected.marketplace_partner_resource_id- (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic LogsLogs.
Type:
map(object({
name = optional(string, null)
log_categories = optional(set(string), [])
log_groups = optional(set(string), ["allLogs"])
metric_categories = optional(set(string), ["AllMetrics"])
log_analytics_destination_type = optional(string, "Dedicated")
workspace_resource_id = optional(string, null)
storage_account_resource_id = optional(string, null)
event_hub_authorization_rule_resource_id = optional(string, null)
event_hub_name = optional(string, null)
marketplace_partner_resource_id = optional(string, null)
}))Default: {}
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
Description: Name of the platform-managed resource group created for the Managed Environment to host infrastructure resources.
If a subnet ID is provided, this resource group will be created in the same subscription as the subnet.
If not specified, then one will be generated automatically, in the form ME_<app_managed_environment_name>_<resource_group>_<location>.
Type: string
Default: null
Description: The existing Subnet to use for the Container Apps Control Plane. NOTE: The Subnet must have a /21 or larger address space.
Type: string
Default: null
Description: Should the Container Environment operate in Internal Load Balancing Mode? Defaults to false. Note: can only be set to true if infrastructure_subnet_id is specified.
Type: bool
Default: false
Description: Controls the Resource Lock configuration for this resource. The following properties can be specified:
kind- (Required) The type of lock. Possible values are\"CanNotDelete\"and\"ReadOnly\".name- (Optional) The name of the lock. If not specified, a name will be generated based on thekindvalue. Changing this forces the creation of a new resource.
Type:
object({
kind = string
name = optional(string, null)
})Default: null
Description: The resource ID of the Log Analytics Workspace to link this Container Apps Managed Environment to.
This is the suggested mechanism to link a Log Analytics Workspace to a Container Apps Managed Environment, as it
avoids having to pass the primary shared key directly.
This requires at least Microsoft.OperationalInsights/workspaces/sharedkeys/read over the Log Analytics Workspace resource,
as the key is fetched by the module (i.e. this mirrors the behaviour of the AzureRM provider).
An alternative mechanism is to supply log_analytics_workspace_primary_shared_key directly.
Type:
object({
resource_id = string
})Default: null
Description: The Customer ID for the Log Analytics Workspace to link this Container Apps Managed Environment to.
If specifying this, you must also specify log_analytics_workspace_primary_shared_key.
This scenario is useful where you do not have permissions to directly look up the shared key.
The preferred mechanism is to specify the log_analytics_workspace.resource_id, in which case this variable can be left as null.
Type: string
Default: null
Description: Destination for Log Analytics (options: 'log-analytics', 'azure-monitor', 'none').
Type: string
Default: "log-analytics"
Description: Optional direct mechanism to supply the primary shared key for Log Analytics.
The alternative method is to use the log_analytics_workspace.resource_id, and the module will make a POST request to
fetch the key, in which case this variable can be left as null.
Type: string
Default: null
Description: A map of managed certificates to create on the Container Apps Managed Environment. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
Managed certificates are auto-provisioned and auto-renewed by Azure.
subject_name- (Required) The subject name (domain name) for the certificate.domain_control_validation- (Optional) The domain control validation method. Possible values: 'CNAME', 'HTTP', 'TXT'. Defaults to 'HTTP'.
timeouts block supports the following:
create- (Defaults to 30 minutes) Used when creating the managed certificate.delete- (Defaults to 30 minutes) Used when deleting the managed certificate.read- (Defaults to 5 minutes) Used when retrieving the managed certificate.update- (Defaults to 30 minutes) Used when updating the managed certificate.
Example:
managed_certificates = {
"my-domain-cert" = {
subject_name = "example.com"
domain_control_validation = "HTTP"
}
}
Type:
map(object({
subject_name = string
domain_control_validation = optional(string, "HTTP")
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
}))
}))Default: {}
Description: Controls the Managed Identity configuration on this resource. The following properties can be specified:
system_assigned- (Optional) Specifies if the System Assigned Managed Identity should be enabled.user_assigned_resource_ids- (Optional) Specifies a list of User Assigned Managed Identity resource IDs to be assigned to this resource.
Type:
object({
system_assigned = optional(bool, false)
user_assigned_resource_ids = optional(set(string), [])
})Default: {}
Description: The parent resource ID for this resource. When provided, takes precedence over resource_group_name.
Type: string
Default: null
Description: Enable mutual TLS (mTLS) authentication for peer-to-peer communication between Container Apps within the environment.
When enabled, Container Apps within the environment will use mTLS to mutually authenticate each other. Azure Container Apps
automatically manages the certificates required for this authentication.
This is different from peer_traffic_encryption_enabled:
peer_authentication_enabled(this variable) - Enables mutual TLS authentication (both parties verify each other's identity)peer_traffic_encryption_enabled- Enables traffic encryption only (encrypts the channel but doesn't enforce mutual authentication)
Note: Applications within a Container Apps environment are automatically authenticated when peer-to-peer encryption is enabled.
However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in
peer-to-peer encryption. For client-to-app mTLS (client certificate authentication), configure at the individual container app level.
Defaults to false.
Type: bool
Default: false
Description: Enable peer-to-peer traffic encryption within the Container Apps environment.
When enabled, all network traffic between apps within the environment is encrypted using private certificates managed by Azure.
This is different from peer_authentication_enabled (mTLS):
peer_authentication_enabled- Enables mutual TLS authentication (who you are)peer_traffic_encryption_enabled- Enables traffic encryption (secure channel)
Both can be enabled independently or together.
Note: Enabling peer-to-peer encryption may increase response latency and reduce maximum throughput in high-load scenarios.
Defaults to false.
Type: bool
Default: false
Description: THIS IS A VARIABLE USED FOR A PREVIEW SERVICE/FEATURE, MICROSOFT MAY NOT PROVIDE SUPPORT FOR THIS, PLEASE CHECK THE PRODUCT DOCS FOR CLARIFICATION.
Controls whether the Container Apps environment accepts traffic from public networks.
When set to false, the environment can only be accessed through private endpoints or virtual network integration.
This is useful for creating fully private environments that are not accessible from the internet.
Prerequisites for disabling public access:
- The environment must have virtual network integration configured (
infrastructure_subnet_idmust be set) - Private endpoints can be configured after disabling public access for secure connectivity
Note: This feature requires API version 2024-10-02-preview or later. This module uses API version 2025-02-02-preview.
Important: If internal_load_balancer_enabled is true, Azure does not allow public network access to be Enabled.
In that case this module will force publicNetworkAccess to Disabled.
Defaults to true (public access enabled).
See: https://learn.microsoft.com/en-us/azure/container-apps/networking#public-network-access
Type: bool
Default: true
Description: A map of role assignments to create on the container app environment. The map key is deliberately arbitrary to avoid issues where map keys maybe unknown at plan time.
role_definition_id_or_name- The ID or name of the role definition to assign to the principal.principal_id- The ID of the principal to assign the role to.description- (Optional) The description of the role assignment.skip_service_principal_aad_check- (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.condition- (Optional) The condition which will be used to scope the role assignment.condition_version- (Optional) The version of the condition syntax. Leave asnullif you are not using a condition, if you are then valid values are '2.0'.delegated_managed_identity_resource_id- (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.principal_type- (Optional) The type of theprincipal_id. Possible values areUser,GroupandServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Note: only set
skip_service_principal_aad_checkto true if you are assigning a role to a service principal.
Type:
map(object({
role_definition_id_or_name = string
principal_id = string
description = optional(string, null)
skip_service_principal_aad_check = optional(bool, false)
condition = optional(string, null)
condition_version = optional(string, null)
delegated_managed_identity_resource_id = optional(string, null)
principal_type = optional(string, null)
}))Default: {}
Description: - access_key - (Required) The Storage Account Access Key.
access_mode- (Required) The access mode to connect this storage to the Container App. Possible values includeReadOnlyandReadWrite. Changing this forces a new resource to be created.account_name- (Required) The Azure Storage Account in which the Share to be used is located. Changing this forces a new resource to be created.share_name- (Required) The name of the Azure Storage Share to use. Changing this forces a new resource to be created.
timeouts block supports the following:
create- (Defaults to 30 minutes) Used when creating the Container App Environment Storage.delete- (Defaults to 30 minutes) Used when deleting the Container App Environment Storage.read- (Defaults to 5 minutes) Used when retrieving the Container App Environment Storage.update- (Defaults to 30 minutes) Used when updating the Container App Environment Storage.
Type:
map(object({
access_key = string
access_mode = string
account_name = string
share_name = string
timeouts = optional(object({
create = optional(string)
delete = optional(string)
read = optional(string)
}))
}))Default: {}
Description: (Optional) A mapping of tags to assign to the resource.
Type: map(string)
Default: null
Description: - create - (Defaults to 30 minutes) Used when creating the Container App Environment.
delete- (Defaults to 30 minutes) Used when deleting the Container App Environment.read- (Defaults to 5 minutes) Used when retrieving the Container App Environment.update- (Defaults to 30 minutes) Used when updating the Container App Environment.
Type:
object({
create = optional(string)
delete = optional(string)
read = optional(string)
update = optional(string)
})Default: null
Description:
This lists the workload profiles that will be configured for the Managed Environment.
This is in addition to the default Consumption Plan workload profile.
maximum_count- (Optional) The maximum number of instances of workload profile that can be deployed in the Container App Environment. Required for Dedicated profile types.minimum_count- (Optional) The minimum number of instances of workload profile that can be deployed in the Container App Environment. Required for Dedicated profile types.name- (Required) The name of the workload profile.workload_profile_type- (Required) Workload profile type for the workloads to run on. Possible values includeD4,D8,D16,D32,E4,E8,E16andE32.
Examples:
# this creates a Consumption workload profile:
workload_profile = [{
name = "Consumption"
workload_profile_type = "Consumption"
}]
# this creates a Dedicated workload profile, in this scenario a consumption profile is automatically created by the Container Apps service (or can be specified).
workload_profile = [{
name = "Dedicated"
workload_profile_type = "D4"
maximum_count = 3
minimum_count = 1
}]
# workload profiles can also be not specified, in which case a Consumption Only plan is created, without workload profiles.Type:
set(object({
maximum_count = optional(number)
minimum_count = optional(number)
name = string
workload_profile_type = string
}))Default: []
Description: (Optional) Should the Container App Environment be created with Zone Redundancy enabled? Defaults to false. Changing this forces a new resource to be created.
Type: bool
Default: true
The following outputs are exported:
Description: A map of certificates connected to this environment. The map key is the supplied input to var.certificates. The map value is the azurerm-formatted version of the entire certificate resource.
Description: The custom domain verification ID of the Container Apps Managed Environment.
Description: A map of dapr components connected to this environment. The map key is the supplied input to var.dapr_components. The map value is the azurerm-formatted version of the entire dapr_components resource.
Description: The default domain of the Container Apps Managed Environment.
Description: The Docker bridge CIDR of the Container Apps Managed Environment.
Description: The ID of the container app management environment resource.
Description: The infrastructure resource group of the Container Apps Managed Environment.
Description: A map of managed certificates connected to this environment. The map key is the supplied input to var.managed_certificates. The map value is the azurerm-formatted version of the entire managed certificate resource.
Description: The managed identities assigned to the Container Apps Managed Environment.
Description: The name of the resource
Description: The platform reserved CIDR of the Container Apps Managed Environment.
Description: The platform reserved DNS IP address of the Container Apps Managed Environment.
Description: The ID of the container app management environment resource.
Description: The static IP address of the Container Apps Managed Environment.
Description: A map of storage shares connected to this environment. The map key is the supplied input to var.storages. The map value is the azurerm-formatted version of the entire storage shares resource.
The following Modules are called:
Source: ./modules/certificate
Version:
Source: ./modules/dapr_component
Version:
Source: ./modules/managed_certificate
Version:
Source: ./modules/storage
Version:
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.