Azure Container Apps Environment
Container Apps environment with workload profiles, Dapr, KEDA scale rules, ACR pull identity and custom domain.
Verification
Static-verified. Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- No applicable security policies for this provider
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
azure-container-apps
Container Apps environment with workload profiles, Dapr, KEDA scale rules,
ACR pull identity and custom domain. Works with Terraform and OpenTofu
(>= 1.6), AzureRM provider >= 4.0, < 5.0.
Secure defaults:
- One shared user-assigned pull identity for all apps — image pulls via RBAC (`AcrPull`), zero registry passwords in app secrets
- Ingress refuses insecure connections (`allow_insecure_connections = false`)
- Internal-only ingress unless an app explicitly sets `external_enabled = true`
- Environment logs wired to Log Analytics (created if not supplied)
- Optional VNet integration with internal load balancer and zone redundancy
Usage
```hcl
module "container_apps" {
  source              = "./azure-container-apps"
  name                = "prod-cae"
  location            = "westeurope"
  resource_group_name = "rg-prod-apps"
  acr_id              = module.acr.id

  container_apps = {
    api = {
      containers = [{
        name   = "api"
        image  = "myorgprodacr.azurecr.io/api:1.4.2"
        cpu    = 0.5
        memory = "1Gi"
      }]
      ingress = {
        external_enabled = true
        target_port      = 8080
      }
      http_scale_rules = [{ name = "http-burst", concurrent_requests = "50" }]
      max_replicas     = 20
    }
  }

  tags = { Environment = "prod" }
}
```
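An added example (not part of the module or its documentation): a Python check over `terraform show -json` output that flags apps breaking the secure defaults listed above, with externally exposed apps such as `api` passed in as an explicit allowlist. It assumes the apps are planned as `azurerm_container_app` resources; the resource addresses and the sample plan are constructed.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>`.
# Resource addresses are hypothetical; nested blocks appear as lists.
API = 'module.container_apps.azurerm_container_app.this["api"]'
LEGACY = "azurerm_container_app.legacy"
SAMPLE_PLAN = {"resource_changes": [
    {"address": API, "type": "azurerm_container_app", "change": {"after": {
        "ingress": [{"external_enabled": True, "target_port": 8080,
                     "allow_insecure_connections": False}],
        # The pull identity ID is usually unknown until apply, so it is absent.
        "registry": [{"server": "myorgprodacr.azurecr.io"}]}}},
    {"address": LEGACY, "type": "azurerm_container_app", "change": {"after": {
        "ingress": [{"external_enabled": True, "target_port": 80,
                     "allow_insecure_connections": True}],
        "registry": [{"server": "myorgprodacr.azurecr.io", "username": "svc",
                      "password_secret_name": "acr-password"}]}}},
    {"address": "azurerm_container_app.old", "type": "azurerm_container_app",
     "change": {"after": None}},  # destroy: nothing to audit
]}


def audit_plan(plan, approved_external=frozenset()):
    """Return sorted (address, finding) pairs for apps that break the defaults."""
    findings = set()
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_container_app":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        addr = rc["address"]
        for ing in after.get("ingress") or []:
            if ing.get("allow_insecure_connections"):
                findings.add((addr, "insecure-ingress"))
            if ing.get("external_enabled") and addr not in approved_external:
                findings.add((addr, "external-ingress-not-approved"))
        for reg in after.get("registry") or []:
            # A password secret means the pull bypasses the AcrPull identity.
            if reg.get("password_secret_name"):
                findings.add((addr, "registry-password-pull"))
    return sorted(findings)


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = audit_plan(plan, approved_external={API})
    for addr, finding in results:
        print(f"{finding}: {addr}")
    sys.exit(1 if results else 0)
```

Pass the path of a file produced by `terraform show -json` as the first argument; the script exits non-zero when any finding is reported, so it can gate a pipeline.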
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name | string | — | Environment name; prefix for supporting resources (required) |
| location | string | — | Azure region (required) |
| resource_group_name | string | — | Existing resource group (required) |
| log_analytics_workspace_id | string | null | BYO workspace; one is created if null |
| log_retention_in_days | number | 30 | Retention for the created workspace |
| infrastructure_subnet_id | string | null | Subnet for VNet integration |
| internal_load_balancer_enabled | bool | false | VNet-only ingress (needs subnet) |
| zone_redundancy_enabled | bool | false | Zone spread (needs subnet) |
| infrastructure_resource_group_name | string | null | Managed infra RG name (profiles only) |
| mutual_tls_enabled | bool | false | mTLS between apps |
| workload_profiles | list(object) | [] | Consumption/D-series/E-series profiles |
| acr_id | string | null | Registry to wire identity-based pulls from |
| dapr_components | map(object) | {} | Environment Dapr components |
| container_apps | map(object) | {} | Apps: containers, ingress, secrets, scale rules, dapr, custom_domain |
| tags | map(string) | {} | Tags applied to all resources |
Outputs
environment_id, default_domain, static_ip_address, app_ids,
app_fqdns, custom_domain_verification_ids, pull_identity_id,
pull_identity_principal_id, pull_identity_client_id,
log_analytics_workspace_id.
Requirements
- Terraform or OpenTofu `>= 1.6`
- `hashicorp/azurerm` `>= 4.0, < 5.0`
Notes for integrators:
- Custom domains: create the `asuid.<hostname>` TXT record using `custom_domain_verification_ids` plus a CNAME to the app FQDN before applying the domain. For Azure managed certificates leave `certificate_id` null; bind the managed cert once issued.
- KEDA: `http_scale_rules.concurrent_requests` is a string by provider schema. Use `custom_scale_rules` for any other scaler (`custom_rule_type` + `metadata`, e.g. `azure-servicebus`).
- Newer platform features (e.g. GPU workload profiles the provider lags on) may require `azapi` — out of scope here by design.
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).