Manages an Azure App Configuration.
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_app_configuration" "appconf" {
name = "appConf1"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
}
provider "azurerm" {
features {
app_configuration {
purge_soft_delete_on_destroy = true
recover_soft_deleted = true
}
}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_user_assigned_identity" "example" {
name = "example-identity"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "example" {
name = "exampleKVt123"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
soft_delete_retention_days = 7
purge_protection_enabled = true
}
resource "azurerm_key_vault_access_policy" "server" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.example.principal_id
key_permissions = ["Get", "UnwrapKey", "WrapKey"]
secret_permissions = ["Get"]
}
resource "azurerm_key_vault_access_policy" "client" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
secret_permissions = ["Get"]
}
resource "azurerm_key_vault_key" "example" {
name = "exampleKVkey"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey"
]
depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.server,
]
}
resource "azurerm_app_configuration" "example" {
name = "appConf2"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
sku = "standard"
local_auth_enabled = true
public_network_access = "Enabled"
purge_protection_enabled = false
soft_delete_retention_days = 1
identity {
type = "UserAssigned"
identity_ids = [
azurerm_user_assigned_identity.example.id,
]
}
encryption {
key_vault_key_identifier = azurerm_key_vault_key.example.id
identity_client_id = azurerm_user_assigned_identity.example.client_id
}
replica {
name = "replica1"
location = "West US"
}
tags = {
environment = "development"
}
depends_on = [
azurerm_key_vault_access_policy.client,
azurerm_key_vault_access_policy.server,
]
}
The following arguments are supported:
name
- (Required) Specifies the name of the App Configuration. Changing this forces a new resource to be created.
resource_group_name
- (Required) The name of the resource group in which to create the App Configuration. Changing this forces a new resource to be created.
location
- (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
identity
- (Optional) An identity
block as defined below.
encryption
- (Optional) An encryption
block as defined below.
local_auth_enabled
- (Optional) Whether local authentication methods is enabled. Defaults to true
.
public_network_access
- (Optional) The Public Network Access setting of the App Configuration. Possible values are Enabled
and Disabled
.
purge_protection_enabled
- (Optional) Whether Purge Protection is enabled. This field only works for standard
sku. Defaults to false
.replica
- (Optional) One or more replica
blocks as defined below.
sku
- (Optional) The SKU name of the App Configuration. Possible values are free
and standard
. Defaults to free
.
soft_delete_retention_days
- (Optional) The number of days that items should be retained for once soft-deleted. This field only works for standard
sku. This value can be between 1
and 7
days. Defaults to 7
. Changing this forces a new resource to be created.
tags
- (Optional) A mapping of tags to assign to the resource.An encryption
block supports the following:
key_vault_key_identifier
- (Optional) Specifies the URI of the key vault key used to encrypt data.
identity_client_id
- (Optional) Specifies the client id of the identity which will be used to access key vault.
An identity
block supports the following:
type
- (Required) Specifies the type of Managed Service Identity that should be configured on this App Configuration. Possible values are SystemAssigned
, UserAssigned
, SystemAssigned, UserAssigned
(to enable both).
identity_ids
- (Optional) A list of User Assigned Managed Identity IDs to be assigned to this App Configuration.
A replica
block supports the following:
location
- (Required) Specifies the supported Azure location where the replica exists.
name
- (Required) Specifies the name of the replica.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The App Configuration ID.
endpoint
- The URL of the App Configuration.
primary_read_key
- A primary_read_key
block as defined below containing the primary read access key.
primary_write_key
- A primary_write_key
block as defined below containing the primary write access key.
secondary_read_key
- A secondary_read_key
block as defined below containing the secondary read access key.
secondary_write_key
- A secondary_write_key
block as defined below containing the secondary write access key.
identity
- An identity
block as defined below.
An identity
block exports the following:
principal_id
- The Principal ID associated with this Managed Service Identity.
tenant_id
- The Tenant ID associated with this Managed Service Identity.
A replica
block exports the following:
id
- The ID of the App Configuration Replica.
endpoint
- The URL of the App Configuration Replica.
A primary_read_key
block exports the following:
connection_string
- The Connection String for this Access Key - comprising of the Endpoint, ID and Secret.
id
- The ID of the Access Key.
secret
- The Secret of the Access Key.
A primary_write_key
block exports the following:
connection_string
- The Connection String for this Access Key - comprising of the Endpoint, ID and Secret.
id
- The ID of the Access Key.
secret
- The Secret of the Access Key.
A secondary_read_key
block exports the following:
connection_string
- The Connection String for this Access Key - comprising of the Endpoint, ID and Secret.
id
- The ID of the Access Key.
secret
- The Secret of the Access Key.
A secondary_write_key
block exports the following:
connection_string
- The Connection String for this Access Key - comprising of the Endpoint, ID and Secret.
id
- The ID of the Access Key.
secret
- The Secret of the Access Key.
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 60 minutes) Used when creating the App Configuration.update
- (Defaults to 60 minutes) Used when updating the App Configuration.read
- (Defaults to 5 minutes) Used when retrieving the App Configuration.delete
- (Defaults to 60 minutes) Used when deleting the App Configuration.App Configurations can be imported using the resource id
, e.g.
terraform import azurerm_app_configuration.appconf /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.AppConfiguration/configurationStores/appConf1