claranet / terraform-azurerm-function-app

Terraform module for Azure Function App
Apache License 2.0

Azure Function App


This Terraform module creates an Azure Function App with its App Service Plan, a consumption plan by default. A Storage Account and an Application Insights instance are required and are created if not provided. This module can deploy an application from a local or remote ZIP file, which is stored on the associated Storage Account.

You can create an Azure Function without a plan by using the submodule modules/functionapp.

Azure Functions v3 is now supported by this module and is the default version.

Limitations

Based on a current limitation, you cannot mix Windows and Linux apps in the same resource group.

Limitations documentation: docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-intro#limitations

Global versioning rule for Claranet Azure modules

Module version | Terraform version | OpenTofu version | AzureRM version
>= 8.x.x | Unverified | 1.8.x | >= 4.0
>= 7.x.x | 1.3.x | | >= 3.0
>= 6.x.x | 1.x | | >= 3.0
>= 5.x.x | 0.15.x | | >= 2.0
>= 4.x.x | 0.13.x / 0.14.x | | >= 2.0
>= 3.x.x | 0.12.x | | >= 2.0
>= 2.x.x | 0.12.x | | < 2.0
< 2.x.x | 0.11.x | | < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. Instead, we recommend using OpenTofu.

module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
}

### Windows
module "function_app_windows" {
  source  = "claranet/function-app/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  name_prefix = "hello"

  os_type = "Windows"

  function_app_application_settings = {
    "tracker_id"      = "AJKGDFJKHFDS"
    "backend_api_url" = "https://backend.domain.tld/api"
  }

  storage_account_identity_type = "SystemAssigned"

  application_insights_log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id
  ]

  extra_tags = {
    foo = "bar"
  }
}

### Linux
module "function_app_linux" {
  source  = "claranet/function-app/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  name_prefix = "hello"

  os_type              = "Linux"
  function_app_version = 4
  function_app_site_config = {
    application_stack = {
      python_version = "3.9"
    }
  }

  function_app_application_settings = {
    "tracker_id"      = "AJKGDFJKHFDS"
    "backend_api_url" = "https://backend.domain.tld/api"
  }

  storage_account_identity_type = "SystemAssigned"

  application_insights_log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

No providers.

Modules

Name Source Version
linux_function ./modules/linux-function n/a
service_plan claranet/app-service-plan/azurerm ~> 7.1.0
windows_function ./modules/windows-function n/a

Resources

No resources.

Inputs

Name Description Type Default Required
app_service_environment_id ID of the App Service Environment to create this Service Plan in. Requires an Isolated SKU. Use one of I1, I2, I3 for azurerm_app_service_environment, or I1v2, I2v2, I3v2 for azurerm_app_service_environment_v3. string null no
application_insights_custom_name Custom name for application insights deployed with function app. string "" no
application_insights_daily_data_cap Daily data volume cap (in GB) for Application Insights. number null no
application_insights_daily_data_cap_notifications_disabled Whether to disable email notifications when data volume cap is met. bool null no
application_insights_enabled Whether Application Insights should be deployed. bool true no
application_insights_extra_tags Extra tags to add to Application Insights. map(string) {} no
application_insights_force_customer_storage_for_profiler Whether to enforce users to create their own Storage Account for profiling in Application Insights. bool false no
application_insights_id ID of the existing Application Insights to use instead of deploying a new one. string null no
application_insights_internet_ingestion_enabled Whether ingestion support from Application Insights component over the Public Internet is enabled. bool true no
application_insights_internet_query_enabled Whether querying support from Application Insights component over the Public Internet is enabled. bool true no
application_insights_ip_masking_disabled Whether IP masking in logs is disabled. bool false no
application_insights_local_authentication_disabled Whether Non-Azure AD based authentication is disabled. bool false no
application_insights_log_analytics_workspace_id ID of the Log Analytics Workspace to be used with Application Insights. string null no
application_insights_name_prefix Application Insights name prefix. string "" no
application_insights_retention Retention period (in days) for logs. number 90 no
application_insights_sampling_percentage Percentage of data produced by the monitored application sampled for Application Insights telemetry. number null no
application_insights_type Application Insights type if it needs to be generated. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights#application_type string "web" no
application_zip_package_path Local or remote path of a zip package to deploy on the Function App. string null no
authorized_ips IPs restriction for Function in CIDR format. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ip_restriction list(string) [] no
authorized_service_tags Service Tags restriction for Function App. See documentation https://www.terraform.io/docs/providers/azurerm/r/function_app.html#ip_restriction list(string) [] no
authorized_subnet_ids Subnets restriction for Function App. See documentation https://www.terraform.io/docs/providers/azurerm/r/function_app.html#ip_restriction list(string) [] no
builtin_logging_enabled Whether built-in logging is enabled. bool true no
client_certificate_enabled Whether the Function App uses client certificates. bool null no
client_certificate_mode The mode of the Function App's client certificates requirement for incoming requests. Possible values are Required, Optional, and OptionalInteractiveUser. string null no
client_name Client name/account used in naming. string n/a yes
custom_diagnostic_settings_name Custom name of the diagnostics settings, name will be 'default' if not set. string "default" no
default_tags_enabled Option to enable or disable default tags. bool true no
environment Project environment. string n/a yes
extra_tags Extra tags to add. map(string) {} no
function_app_application_settings Function App application settings. map(string) {} no
function_app_application_settings_drift_ignore Ignore drift from settings manually set. bool true no
function_app_auth_settings_v2 Authentication settings V2. See https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_function_app#auth_settings_v2 any {} no
function_app_custom_name Custom name for function app. string "" no
function_app_extra_tags Extra tags to add to Function App. map(string) {} no
function_app_name_prefix Function App name prefix. string "" no
function_app_site_config Site config for Function App. See documentation https://www.terraform.io/docs/providers/azurerm/r/app_service.html#site_config. IP restriction attribute is not managed in this block. any {} no
function_app_sticky_settings Lists of connection strings and app settings to prevent from swapping between slots. object({ app_setting_names = optional(list(string)), connection_string_names = optional(list(string)) }) null no
function_app_version Version of the function app runtime to use. number 3 no
function_app_vnet_integration_subnet_id ID of the subnet to associate with the Function App (Virtual Network integration). string null no
https_only Whether HTTPS traffic only is enabled. bool true no
identity_ids User Assigned Identities IDs to add to Function App. Mandatory if type is UserAssigned. list(string) null no
identity_type Add an Identity (MSI) to the function app. Possible values are SystemAssigned or UserAssigned. string "SystemAssigned" no
ip_restriction_headers IPs restriction headers for Function. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#headers map(list(string)) null no
location Azure location for Function App and related resources. string n/a yes
location_short Short string for Azure location. string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as destination, you must provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character. list(string) n/a yes
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
maximum_elastic_worker_count Maximum number of workers to use in an Elastic SKU Plan. Cannot be set unless using an Elastic SKU. number null no
name_prefix Optional prefix for the generated name. string "" no
name_suffix Optional suffix for the generated name. string "" no
os_type OS type for the Functions to be hosted in the Service Plan. Possible values include Windows, Linux, and WindowsContainer. string n/a yes
per_site_scaling_enabled Should per site scaling be enabled on the Service Plan. bool false no
resource_group_name Resource group name. string n/a yes
scm_authorized_ips SCM IPs restriction for Function App. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#scm_ip_restriction list(string) [] no
scm_authorized_service_tags SCM Service Tags restriction for Function App. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#scm_ip_restriction list(string) [] no
scm_authorized_subnet_ids SCM subnets restriction for Function App. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#scm_ip_restriction list(string) [] no
scm_ip_restriction_headers IPs restriction headers for Function App. See documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#scm_ip_restriction map(list(string)) null no
service_plan_custom_name Name of the App Service Plan, generated if not set. string "" no
service_plan_extra_tags Extra tags to add to Service Plan. map(string) {} no
sku_name The SKU for the Service Plan. Possible values include B1, B2, B3, D1, F1, I1, I2, I3, I1v2, I2v2, I3v2, P1v2, P2v2, P3v2, P1v3, P2v3, P3v3, P1mv3, P2mv3, P3mv3, P4mv3, P5mv3, S1, S2, S3, SHARED, EP1, EP2, EP3, WS1, WS2, WS3, and Y1. string "Y1" no
stack Project stack name. string n/a yes
staging_slot_custom_application_settings Override staging slot with custom application settings. map(string) null no
staging_slot_custom_name Custom name of the Function App slot. string null no
staging_slot_enabled Create a staging slot alongside the Function App for blue/green deployment purposes. bool false no
storage_account_authorized_ips IPs restrictions for Function Storage Account in CIDR format. list(string) [] no
storage_account_custom_name Custom name of the Storage account to attach to function. string null no
storage_account_enable_advanced_threat_protection Whether advanced threat protection is enabled. See documentation: https://docs.microsoft.com/en-us/azure/storage/common/storage-advanced-threat-protection?tabs=azure-portal bool false no
storage_account_enable_https_traffic_only Whether HTTPS traffic only is enabled for Storage Account. bool true no
storage_account_extra_tags Extra tags to add to Storage Account. map(string) {} no
storage_account_id ID of the existing Storage Account to use. string null no
storage_account_identity_ids Specifies a list of User Assigned Managed Identity IDs to be assigned to the Storage Account. list(string) null no
storage_account_identity_type Type of Managed Service Identity that should be configured on the Storage Account. string null no
storage_account_kind Storage Account Kind. string "StorageV2" no
storage_account_min_tls_version Storage Account minimal TLS version. string "TLS1_2" no
storage_account_name_prefix Storage Account name prefix. string "" no
storage_account_network_bypass Whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. list(string) ["Logging", "Metrics", "AzureServices"] no
storage_account_network_rules_enabled Whether to enable Storage Account network default rules for functions. bool true no
storage_uses_managed_identity Whether the Function App uses Managed Identity to access the Storage Account. Caution: this disables the storage keys on the Storage Account if created within the module. bool false no
use_caf_naming Use the Azure CAF naming provider to generate default resource name. custom_name overrides this if set. Legacy default name is used if this is set to false. bool true no
use_existing_storage_account Whether existing Storage Account should be used instead of creating a new one. bool false no
worker_count Number of Workers (instances) to be allocated. number null no
zone_balancing_enabled Should the Service Plan balance across Availability Zones in the region. Defaults to false because the default SKU Y1 for the App Service Plan cannot use this feature. bool false no
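
A hardened variant of the Linux usage example, using only inputs from the table above. This is an added example, not part of the module's README: the module label function_app_hardened and the 203.0.113.0/24 ranges (a documentation range) are constructed placeholders, and it reuses the azure_region, rg and logs modules from the Usage section.

```hcl
# Added example (not from the module's README); CIDRs are constructed
# documentation ranges and must be replaced with real source ranges.
module "function_app_hardened" {
  source  = "claranet/function-app/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  os_type              = "Linux"
  function_app_version = 4
  function_app_site_config = {
    application_stack = {
      python_version = "3.9"
    }
  }

  # Transport settings: these are already the documented defaults, pinned
  # here so that a change to any of them shows up in code review.
  https_only                                = true
  storage_account_enable_https_traffic_only = true
  storage_account_min_tls_version           = "TLS1_2"

  # Inbound access: both lists default to [] in the Inputs table.
  # The SCM (deployment) endpoint takes its own, narrower list.
  authorized_ips     = ["203.0.113.0/24"]
  scm_authorized_ips = ["203.0.113.16/28"]

  # Storage Account backing the Function App.
  storage_account_network_rules_enabled             = true # default
  storage_account_authorized_ips                    = ["203.0.113.0/24"]
  storage_account_enable_advanced_threat_protection = true # default is false

  # Managed identity on the Function App (documented default, pinned).
  identity_type = "SystemAssigned"

  # Do not ignore drift on app settings changed outside of this code
  # (the documented default is true, i.e. such drift is ignored).
  function_app_application_settings_drift_ignore = false

  application_insights_log_analytics_workspace_id = module.logs.log_analytics_workspace_id

  # Diagnostic logs go to both destinations created by the logs module.
  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id
  ]
}
```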

Outputs

Name Description
application_insights_app_id App ID of the associated Application Insights
application_insights_application_type Application Type of the associated Application Insights
application_insights_id ID of the associated Application Insights
application_insights_instrumentation_key Instrumentation key of the associated Application Insights
application_insights_name Name of the associated Application Insights
function_app_connection_string Connection string of the created Function App
function_app_default_hostname Default hostname of the created Function App
function_app_id ID of the created Function App
function_app_identity Identity block output of the Function App
function_app_name Name of the created Function App
function_app_outbound_ip_addresses Outbound IP addresses of the created Function App
function_app_possible_outbound_ip_addresses All possible outbound IP addresses of the created Function App
function_app_slot_default_hostname Default hostname of the Function App slot
function_app_slot_identity Identity block output of the Function App slot
function_app_slot_name Name of the Function App slot
linux_function_app Linux Function App output object if Linux is chosen. Please refer to ./modules/linux-function/README.md
os_type The OS type for the Functions to be hosted in this plan.
service_plan_id ID of the created Service Plan
service_plan_name Name of the created Service Plan
storage_account_id ID of the associated Storage Account, empty if connection string provided
storage_account_name Name of the associated Storage Account, empty if connection string provided
storage_account_network_rules Network rules of the associated Storage Account
storage_account_primary_access_key Primary connection string of the associated Storage Account, empty if connection string provided
storage_account_primary_connection_string Primary connection string of the associated Storage Account, empty if connection string provided
storage_account_secondary_access_key Secondary connection string of the associated Storage Account, empty if connection string provided
storage_account_secondary_connection_string Secondary connection string of the associated Storage Account, empty if connection string provided
windows_function_app Windows Function App output object if Windows is chosen. Please refer to ./modules/windows-function/README.md

Related documentation

Microsoft Azure Functions documentation: github.com/Azure/Azure-Functions#documentation-1