Deploy an Azure container app to a Container app environment. Integrates with the container-app-environment module.
For the list of inputs, outputs, resources... check the terraform module documentation.
Create the common container app environment:

```hcl
module "container-app-environment" {
  source                     = "../../../dtos-devops-templates/infrastructure/modules/container-app-environment"
  name                       = "manage-breast-screening-${var.environment}"
  resource_group_name        = azurerm_resource_group.this.name
  log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id
  vnet_integration_subnet_id = module.container_app_subnet.id
}
```

Create a webapp for a container listening on port 8000. The webapp will be available on the internal URL `https://<name>.<container app environment default domain>`:

```hcl
module "webapp" {
  source                       = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
  name                         = "manage-breast-screening-web-${var.environment}"
  container_app_environment_id = module.container-app-environment.id
  resource_group_name          = azurerm_resource_group.this.name
  docker_image                 = var.docker_image
  environment_variables = {
    "ALLOWED_HOSTS" = "manage-breast-screening-web-${var.environment}.${module.container-app-environment.default_domain}"
  }
  is_web_app = true
  http_port  = 8000
}
```

Create a background worker (no ingress):

```hcl
module "worker" {
  source                       = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
  name                         = "manage-breast-screening-worker-${var.environment}"
  container_app_environment_id = module.container-app-environment.id
  resource_group_name          = azurerm_resource_group.this.name
  docker_image                 = var.docker_image_worker
}
```

The container app can be mapped to Azure Key Vaults for secret management:
- App Key Vault:
  - All secrets from the app key vault are fetched and mapped to secret environment variables if `fetch_secrets_from_app_key_vault = true` and `app_key_vault_id` is provided.
  - Secret names in Key Vault must use hyphens (e.g., `SECRET-KEY`). These are mapped to environment variables with underscores (e.g., `SECRET_KEY`).
  - Secrets are updated when Terraform runs, or automatically within 30 minutes.
- Infra Key Vault:
  - When authentication is enabled (`enable_entra_id_authentication = true`), secrets are fetched from the infra key vault using the list in `infra_secret_names` (default: `aad-client-id`, `aad-client-secret`, `aad-client-audiences`).
  - You can override `infra_secret_names` to fetch additional or custom secrets as needed.
  - The infra key vault must exist and be populated with the required secrets before enabling authentication.

Warning: The module cannot read from the app key vault if it doesn't exist yet. Recommended workflow:

- Create the key vault(s) using the key-vault module.
- Deploy the container app with `fetch_secrets_from_app_key_vault = false` (the default).
- Manually add the required secrets to the key vault(s).
- Set `fetch_secrets_from_app_key_vault = true`, then re-run Terraform to populate the app with secret environment variables and enable authentication.
Example (app secrets):

```hcl
module "worker" {
  source = "../../../modules/dtos-devops-templates/infrastructure/modules/container-app"
  ...
  app_key_vault_id                 = module.app-key-vault.key_vault_id
  fetch_secrets_from_app_key_vault = true
}
```

Example (infra secrets for authentication):

```hcl
module "container-app" {
  ...
  enable_entra_id_authentication = true
  infra_key_vault_name           = "my-infra-kv"
  infra_key_vault_rg             = "my-infra-rg"
  infra_secret_names             = ["aad-client-id", "aad-client-secret", "aad-client-audiences"] # can be customized
}
```

Note: If your infra key vault is in a different subscription, configure the `azurerm.hub` provider in your root module and pass it to this module.
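Before switching `fetch_secrets_from_app_key_vault` or `enable_entra_id_authentication` to `true`, it is worth confirming that the vault really holds what the module will look for, since a missing secret only surfaces at the next Terraform run. The shell pre-flight check below is an added example and is not part of the dtos-devops-templates module or of the client repositories. It takes the secret names present in a vault (normally the output of `az keyvault secret list`), reports any required infra secret that is missing, rejects names Key Vault would not accept (underscores, for instance), and prints the environment variable name each secret is mapped to under the hyphen-to-underscore rule described above. The function names and the sample vault contents are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Key Vault workflow (added example, not module code).
# Usage with a real vault (the az CLI call is the only part that needs Azure):
#   existing=$(az keyvault secret list --vault-name my-infra-kv --query "[].name" -o tsv | tr '\n' ' ')
#   preflight "aad-client-id aad-client-secret aad-client-audiences" "$existing"
set -eu

# Key Vault name -> environment variable name, as the module does it:
# hyphens become underscores (SECRET-KEY -> SECRET_KEY).
kv_to_env_name() {
  printf '%s\n' "$1" | tr '-' '_'
}

# 0 if the name is one Key Vault accepts (letters, digits, hyphens, 1-127 chars);
# 1 for anything else, including names with underscores or an empty name.
valid_kv_secret_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 127 ]
}

# missing_secrets "<required names>" "<existing names>" (space separated lists)
# prints each required name absent from the existing list, one per line.
missing_secrets() {
  local required=$1 existing=$2 name
  for name in $required; do
    case " $existing " in
      *" $name "*) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# preflight "<required names>" "<existing names>"
# Exits 0 only when every required secret is present and every name in the
# vault is valid; prints the env var each secret becomes, errors go to stderr.
preflight() {
  local required=$1 existing=$2 rc=0 name missing
  missing=$(missing_secrets "$required" "$existing")
  if [ -n "$missing" ]; then
    printf 'missing from vault: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
    rc=1
  fi
  for name in $existing; do
    if valid_kv_secret_name "$name"; then
      printf '%-28s -> %s\n' "$name" "$(kv_to_env_name "$name")"
    else
      printf 'invalid Key Vault secret name: %s\n' "$name" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: the module's default infra_secret_names against a vault
# that is missing aad-client-audiences and has one app secret misnamed.
REQUIRED_INFRA="aad-client-id aad-client-secret aad-client-audiences"
SAMPLE_VAULT="aad-client-id aad-client-secret SECRET-KEY DATABASE_URL"

preflight "$REQUIRED_INFRA" "$SAMPLE_VAULT" \
  || echo "pre-flight failed: fix the vault before re-running terraform" >&2
```

Run the check in the deployment pipeline between step 3 and step 4 of the workflow above; a non-zero exit stops the apply that would otherwise flip the flags against an incomplete vault.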
To enable Azure AD authentication:

- Set `enable_entra_id_authentication = true`.
- Provide the infra key vault details (`infra_key_vault_name`, `infra_key_vault_rg`).
- Ensure the infra key vault contains the required secrets listed in `infra_secret_names` (default: `aad-client-id`, `aad-client-secret`, `aad-client-audiences`).
- You may customize `infra_secret_names` to fetch additional secrets if needed.

Example:

```hcl
module "container-app" {
  ...
  enable_entra_id_authentication = true
  infra_key_vault_name           = "my-infra-kv"
  infra_key_vault_rg             = "my-infra-rg"
  infra_secret_names             = ["aad-client-id", "aad-client-secret", "aad-client-audiences"]
}
```

You can exclude specific paths from authentication using the `auth_excluded_paths` variable. These paths will respond without requiring authentication, which is useful for health checks or version endpoints. Keep the list to endpoints that return nothing sensitive, as anything listed here is reachable without a token.

Example:

```hcl
module "container-app" {
  ...
  enable_entra_id_authentication = true
  auth_excluded_paths            = ["/healthcheck", "/sha"]
}
```

By default, no paths are excluded (`auth_excluded_paths = []`).
To enable container app alerting:

- Set `enable_alerting = true`.

Example:

```hcl
module "container-app" {
  ...
  enable_alerting                 = true
  action_group_id                 = <action_group_id>
  alert_memory_threshold          = 80 # already defaults to this
  alert_cpu_threshold             = 80 # already defaults to this
  replica_restart_alert_threshold = 1  # already defaults to this
}
```
To enable container probes on webapps:

- Set `probe_path = "/healthcheck"` (by convention).
- Ensure the application accepts requests from `127.0.0.1` and `localhost` so the probe running inside the container can access the health endpoint (for the webapp example above, this means adding them to `ALLOWED_HOSTS` alongside the environment default domain).
Previously the AzureRM provider version in the Templates container-app module was pinned to a specific version, such as `version = "4.34.0"`.
To make it easier to manage the provider version used in the client repositories, the module no longer pins a specific provider version.
It now allows the previously pinned `4.34.0` or newer, with the exact version chosen by the client repository.
The new version definition is `version = ">= 4.34.0"`.
More on provider version constraints in Terraform modules can be found here.