This Overlay Terraform module creates an Azure App Configuration, with optional Key Vault-backed encryption, for use in an SCCA-compliant Management Network. The module also supports key and feature flag management.

This module is built for both the public and US Government clouds. The `environment` variable defaults to `public` for the Azure public cloud. When using this module with Azure Government Cloud, set the `environment` variable to `usgovernment`. You will also need to set the azurerm provider's `environment` to the proper cloud so that the correct Azure Government Cloud endpoints are used, and set the `location` variable to a valid Azure Government Cloud location.
Example usage for Azure Government Cloud:

```hcl
provider "azurerm" {
  environment = "usgovernment"
}

module "overlays-app-configuration" {
  source      = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version     = "x.x.x"
  location    = "usgovvirginia"
  environment = "usgovernment"
  ...
}
```
Terraform requires the following resource providers to be available:
- Microsoft.Network
- Microsoft.Storage
- Microsoft.Compute
- Microsoft.KeyVault
- Microsoft.Authorization
- Microsoft.Resources
- Microsoft.OperationalInsights
- Microsoft.GuestConfiguration
- Microsoft.Insights
- Microsoft.Advisor
- Microsoft.Security
- Microsoft.OperationsManagement
- Microsoft.AAD
- Microsoft.AlertsManagement
- Microsoft.AnalysisServices
- Microsoft.Automation
- Microsoft.Subscription
- Microsoft.Support
- Microsoft.PolicyInsights
- Microsoft.SecurityInsights
- Microsoft.Monitor
- Microsoft.Management
- Microsoft.ManagedServices
- Microsoft.ManagedIdentity
- Microsoft.Billing
- Microsoft.Consumption
Please note that some of these resource providers may not be available in Azure Government Cloud. Check the Azure Government Cloud documentation for more information.

This module can be SCCA-compliant and can be used in an SCCA-compliant network. Enable private endpoints and SCCA-compliant network rules to make it SCCA-compliant.

For more information, please read the SCCA documentation.
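The following is an added example, not code from the module's own documentation, showing what a hardened deployment looks like when the inputs documented for this module are combined: standard SKU with purge protection and soft delete, public network access turned off, access keys disabled in favour of Entra ID identities, and customer-managed key encryption from an existing Key Vault. The module does not create the private endpoint itself, so the example declares an `azurerm_private_endpoint` wired to the module's `id` output. The `<subnet_id>`, `<key_vault_id>`, `<object_id>`, `<resource_group_name>` and `<private_dns_zone_id>` values are placeholders you must supply, and the resource names are constructed for the example.

```hcl
# Added example (not part of the module's own docs): a hardened module call
# for an SCCA-style deployment, plus a private endpoint built from the
# module's `id` output. Angle-bracket values are placeholders.

provider "azurerm" {
  features {}
}

module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "prod"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"

  # Standard SKU is required for purge protection and soft delete retention.
  sku                        = "standard"
  enable_purge_protection    = true
  soft_delete_retention_days = 7

  # Close the public data plane; clients reach the store only through the
  # private endpoint declared below.
  public_network_access_enabled = false

  # Disable the access keys so callers must authenticate with Entra ID
  # identities and the App Configuration Data Owner/Reader roles.
  local_auth_enabled = false

  # Customer-managed key encryption via an existing Key Vault.
  existing_key_vault_id                  = "<key_vault_id>"
  existing_key_vault_principal_object_id = "<object_id>"
}

# The module does not create a private endpoint, so it is declared here.
# "configurationStores" is the Private Link sub-resource for App Configuration;
# the matching private DNS zone is privatelink.azconfig.io.
resource "azurerm_private_endpoint" "app_config" {
  name                = "pe-app-config-prod-eus-001"
  location            = "eastus"
  resource_group_name = "<resource_group_name>"
  subnet_id           = "<subnet_id>"

  private_service_connection {
    name                           = "psc-app-config-prod-eus-001"
    private_connection_resource_id = module.overlays-app-configuration.id
    subresource_names              = ["configurationStores"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = ["<private_dns_zone_id>"]
  }
}
```

With `public_network_access_enabled = false`, any client outside the subnet's reach (including the machine running `terraform apply` if it later tries to manage keys through the data plane) must resolve the store's endpoint through the private DNS zone; confirm that resolution before cutting over, since the data plane stops answering on the public address.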
If you want to contribute to this repository, feel free to contribute to our Terraform module.
More details are available in the CONTRIBUTING.md file.
- Azure App Configuration
- Azure App Configuration Key
- Azure App Configuration Feature Flag
- Azure Key Vault
- Private Link service/Endpoint network policies on Subnet
```hcl
# Azurerm provider configuration
provider "azurerm" {
  features {}
}

module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "dev"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"
}
```

To enable purge protection for the App Configuration, set the `enable_purge_protection` variable to `true`. It defaults to `false`. This field only works for the standard SKU.
```hcl
module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "dev"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"

  # Sku
  sku = "standard"

  # Purge Protection Configuration
  enable_purge_protection = true
}
```

To configure soft delete retention for the App Configuration, set the `soft_delete_retention_days` variable to the number of days that items should be retained once soft-deleted. This value can be between 1 and 7 days and defaults to 7. This field only works for the standard SKU.
```hcl
module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "dev"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"

  # Sku
  sku = "standard"

  # Soft Delete Configuration (1-7 days; defaults to 7)
  soft_delete_retention_days = 5
}
```

To use a user assigned identity with the App Configuration module, set the `identity_type` variable to `UserAssigned` and set the `existing_principal_ids` variable to the user assigned identity IDs. The user assigned identity must be in the same region and subscription as the App Configuration.
```hcl
module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "dev"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"

  # User Assigned Identity Configuration
  identity_type          = "UserAssigned"
  existing_principal_ids = ["<user_assigned_identity_ids>"]
}
```

To use encryption with the App Configuration module, set the `existing_key_vault_id` and `existing_key_vault_principal_object_id` variables to an existing Key Vault for the App Configuration to use.

Note: The `existing_key_vault_id` and `existing_key_vault_principal_object_id` variables are required when using an existing key vault. The existing key vault must be in the same region and subscription as the App Configuration.
```hcl
module "overlays-app-configuration" {
  source  = "POps-Rox/tf-az-overlays-app-configuration/azurerm"
  version = "x.x.x"

  create_app_config_resource_group = true
  location           = "eastus"
  deploy_environment = "dev"
  org_name           = "anoa"
  environment        = "public"
  workload_name      = "app-config"

  # Key Vault Configuration
  existing_key_vault_id                  = "<key_vault_id>"
  existing_key_vault_principal_object_id = "<object_id>"
}
```

Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name `Environment` and the value `Production` to all the resources in production.

For recommendations on how to implement a tagging strategy, see the Resource naming and tagging decision guide.

Important: Tag names are case-insensitive for operations. A tag with a given name, regardless of casing, is updated or retrieved. However, the resource provider might keep the casing you provide for the tag name, and you will see that casing in cost reports. Tag values are case-sensitive.
An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these recommended naming conventions, a public IP resource for a production SharePoint workload is named like this: pip-sharepoint-prod-westus-001.
| Name | Version |
|---|---|
| terraform | >= 1.9 |
| popsrox-utils | ~> 1.0.4 |
| azurerm | ~> 3.116 |
| Name | Version |
|---|---|
| popsrox-utils | ~> 1.0.4 |
| azurerm | ~> 3.116 |
| Name | Source | Version |
|---|---|---|
| mod_azregions | POps-Rox/overlays-azregions-lookup/azurerm | ~> 1.0.0 |
| mod_scaffold_rg | POps-Rox/overlays-resource-group/azurerm | ~> 1.0.1 |
| Name | Type |
|---|---|
| azurerm_app_configuration.app_configuration | resource |
| azurerm_app_configuration_feature.feature | resource |
| azurerm_app_configuration_key.test | resource |
| azurerm_role_assignment.appconf_dataowner | resource |
| popsrox_resource_name.example_custom_name | data source |
| azurerm_client_config.current | data source |
| azurerm_resource_group.rg | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_tags | Map of custom tags. | map(string) | {} | no |
| app_configuration_features | A map of App Configuration features. | map(object({ | null | no |
| app_configuration_keys | A map of keys to create in the App Configuration. | map(object({ | null | no |
| create_app_config_resource_group | Controls whether the resource group should be created. If set to false, the resource group name must be provided. Default is false. | bool | false | no |
| custom_app_configuration_name | The name of the custom app configuration to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| custom_resource_group_name | The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| deploy_environment | Name of the workload's environment. | string | n/a | yes |
| enable_purge_protection | Whether purge protection is enabled. This field only works for the standard SKU. Defaults to false. | bool | false | no |
| environment | The Terraform backend environment, e.g. public or usgovernment. | string | n/a | yes |
| existing_key_vault_id | The ID of an existing Key Vault to use for App Configuration. | string | null | no |
| existing_key_vault_principal_object_id | The principal object ID of an existing Key Vault to use for App Configuration. | string | null | no |
| existing_principal_id | The principal ID of an existing service principal to use for the App Configuration Data Owner role assignment. If not provided, the current service principal will be used. | string | null | no |
| existing_principal_ids | A list of existing principal IDs to use for App Configuration. | list(string) | null | no |
| existing_resource_group_name | The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
| identity_type | App Configuration identity type. Possible values are null, UserAssigned and SystemAssigned. | string | "SystemAssigned" | no |
| local_auth_enabled | Whether local authentication methods are enabled. Defaults to false. | bool | false | no |
| location | Azure region in which the instance will be hosted. | string | n/a | yes |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| org_name | Name of the organization. | string | n/a | yes |
| public_network_access_enabled | Whether public network access is enabled. Defaults to true. | bool | true | no |
| replica_location | The location of the replica. Defaults to East US. Must be a valid Azure location. | string | "East US" | no |
| replica_name | The name of the replica. | string | "secondary" | no |
| sku | The SKU name of the App Configuration. Possible values are free and standard. Defaults to standard. | string | "standard" | no |
| soft_delete_retention_days | The number of days that items should be retained once soft-deleted. This field only works for the standard SKU. This value can be between 1 and 7 days. Defaults to 7. Changing this forces a new resource to be created. | number | 7 | no |
| use_location_short_name | Use the short location name for resource naming (e.g. eastus -> eus). Default is true. If set to false, the full CLI location name will be used. If custom naming is set, this variable will be ignored. | bool | true | no |
| use_naming | Use the Azure NoOps naming provider to generate the default resource name. storage_account_custom_name overrides this if set. The legacy default name is used if this is set to false. | bool | true | no |
| workload_name | Name of the workload. | string | n/a | yes |
| Name | Description |
|---|---|
| app_configuration | App Configuration output object |
| endpoint | App Configuration Endpoint URL |
| id | App Configuration ID |
| identity_principal_id | App Configuration system identity principal ID |
| name | App Configuration name |
| primary_read_key | App Configuration primary read key |
| primary_write_key | App Configuration primary write key |
| secondary_read_key | App Configuration secondary read key |
| secondary_write_key | App Configuration secondary write key |