azure.azcollection.azure_rm_webapp module – Manage Web App instances

Note

This module is part of the azure.azcollection collection (version 3.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_rm_webapp.

New in azure.azcollection 0.1.2

Synopsis

  • Create, update and delete instance of Web App.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.7

  • The host that executes this module must have the azure.azcollection collection installed via galaxy

  • All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection

  • Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

Parameters

Parameter

Comments

ad_user

string

Active Directory username. Use when authenticating with an Active Directory user rather than service principal.

adfs_authority_url

string

added in azure.azcollection 0.0.1

Azure AD authority url. Use when authenticating with Username/password, and has your own ADFS authority.

always_on

boolean

Keeps the app loaded even when there’s no traffic.

Choices:

  • false

  • true

api_profile

string

added in azure.azcollection 0.0.1

Selects an API profile to use when communicating with Azure services. Default value of latest is appropriate for public clouds; future values will allow use with Azure Stack.

Default: "latest"

app_settings

dictionary

Configure web app application settings. Suboptions are in key value pair format.

app_state

string

Start/Stop/Restart the web app.

Choices:

  • "started" ← (default)

  • "stopped"

  • "restarted"

append_tags

boolean

Use to control if tags field is canonical or just appends to existing tags.

When canonical, any tags not found in the tags parameter will be removed from the object’s metadata.

Choices:

  • false

  • true ← (default)

auth_source

string

added in azure.azcollection 0.0.1

Controls the source of the credentials to use for authentication.

Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable.

When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli.

When set to env, the credentials will be read from the environment variables

When set to credential_file, it will read the profile from ~/.azure/credentials.

When set to cli, the credentials will be sources from the Azure CLI profile. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if more than one is present otherwise the default az cli subscription is used.

When set to msi, the host machine must be an azure resource with an enabled MSI extension. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if the resource is granted access to more than one subscription, otherwise the first subscription is chosen.

The msi was added in Ansible 2.6.

Choices:

  • "auto" ← (default)

  • "cli"

  • "credential_file"

  • "env"

  • "msi"

cert_validation_mode

string

added in azure.azcollection 0.0.1

Controls the certificate validation behavior for Azure endpoints. By default, all modules will validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing ignore. Can also be set via credential file profile or the AZURE_CERT_VALIDATION environment variable.

Choices:

  • "ignore"

  • "validate"

client_affinity_enabled

boolean

Whether or not to send session affinity cookies, which route client requests in the same session to the same instance.

Choices:

  • false

  • true ← (default)

client_id

string

Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi).

Can also be set via the AZURE_CLIENT_ID environment variable.

cloud_environment

string

added in azure.azcollection 0.0.1

For cloud environments other than the US public cloud, the environment name (as defined by Azure Python SDK, eg, AzureChinaCloud, AzureUSGovernment), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or the AZURE_CLOUD_ENVIRONMENT environment variable.

Default: "AzureCloud"

container_settings

dictionary

Web app container settings.

name

string / required

Name of the container, for example imagename:tag.

To create a multi-container app, the name should be ‘COMPOSE|’ or ‘KUBE|’ followed by base64 encoded configuration.

registry_server_password

string

The container registry server password.

registry_server_url

string

Container registry server URL, for example mydockerregistry.io.

registry_server_user

string

The container registry server user name.

deployment_source

dictionary

Deployment source for git.

branch

string

The branch name of the repository.

url

string

Repository url of deployment source.

disable_instance_discovery

boolean

added in azure.azcollection 2.3.0

Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.

Set via credential file profile or the AZURE_DISABLE_INSTANCE_DISCOVERY environment variable.

Choices:

  • false ← (default)

  • true

frameworks

list / elements=dictionary

Set of run time framework settings. Each setting is a dictionary.

See https://docs.microsoft.com/en-us/azure/app-service/app-service-web-overview for more info.

name

string / required

Name of the framework.

Supported framework list for Windows web app and Linux web app is different.

Windows web apps support java, net_framework, php, python, and node from June 2018.

Windows web apps support multiple framework at the same time.

Linux web apps support java, ruby, php, python, dotnetcore, and node from June 2018.

Linux web apps support only one framework.

Java framework is mutually exclusive with others.

Choices:

  • "java"

  • "net_framework"

  • "php"

  • "python"

  • "ruby"

  • "dotnetcore"

  • "node"

settings

dictionary

List of settings of the framework.

java_container

string / required

Name of Java container.

Supported only when frameworks=java. Sample values Tomcat, JavaSE, RedHat.

java_container_version

string / required

Version of Java container.

Supported only when frameworks=java.

Sample values for Tomcat, 8.5, 9.0, 10.0, 10.1.

version

string / required

Version of the framework. For Linux web app supported value, see https://aka.ms/linux-stacks for more info.

net_framework supported value sample, v4.8 for .NET 4.8 and v3.5 for .NET 3.5.

php supported value sample, 8.1, 8.2.

python supported value sample, 3.8, 3.9, 3.10, 3.11, 3.12.

node supported value sample, 18, 20.

dotnetcore supported value sample, 8, 7, 6.

ruby supported value sample, 2.3.

java supported value sample, 21, 17, 11 and 8.

ftps_state

string

The state of the FTP/FTPS service.

Choices:

  • "AllAllowed"

  • "FtpsOnly"

  • "Disabled"

http20_enabled

boolean

Configures a web site to allow clients to connect over HTTP 2.0.

Choices:

  • false

  • true

https_only

boolean

Configures web site to accept only https requests.

Choices:

  • false

  • true

identity

dictionary

Identity for the Object

type

string

Type of the managed identity

Choices:

  • "SystemAssigned"

  • "UserAssigned"

  • "SystemAssigned, UserAssigned"

  • "None" ← (default)

user_assigned_identities

dictionary

User Assigned Managed Identities and its options

Default: {}

append

boolean

If the list of identities has to be appended to current identities (true) or if it has to replace current identities (false)

Choices:

  • false

  • true ← (default)

id

list / elements=string

List of the user assigned identities IDs associated to the Object

Default: []

location

string

Resource location. If not set, location from the resource group will be used as default.

log_mode

string

Parent argument.

log_path

string

Parent argument.

min_tls_version

string

The minimum TLS encryption version required for the app.

Choices:

  • "1.0"

  • "1.1"

  • "1.2"

name

string / required

Unique name of the app to create or update. To create or update a deployment slot, use the {slot} parameter.

password

string

Active Directory user password. Use when authenticating with an Active Directory user rather than service principal.

plan

any

App service plan. Required for creation.

Can be name of existing app service plan in same resource group as web app.

Can be the resource ID of an existing app service plan. For example /subscriptions/<subs_id>/resourceGroups/<resource_group>/providers/Microsoft.Web/serverFarms/<plan_name>.

Can be a dict containing five parameters, defined below.

name, name of app service plan.

resource_group, resource group of the app service plan.

sku, SKU of app service plan, allowed values listed on https://azure.microsoft.com/en-us/pricing/details/app-service/linux/.

is_linux, whether or not the app service plan is Linux. defaults to False.

number_of_workers, number of workers for app service plan.

profile

string

Security profile found in ~/.azure/credentials file.

purge_app_settings

boolean

Purge any existing application settings. Replace web app application settings with app_settings.

Choices:

  • false ← (default)

  • true

resource_group

string / required

Name of the resource group to which the resource belongs.

scm_type

string

Repository type of deployment source, for example LocalGit, GitHub.

List of supported values maintained at https://docs.microsoft.com/en-us/rest/api/appservice/webapps/createorupdate#scmtype.

secret

string

Azure client secret. Use when authenticating with a Service Principal.

site_auth_settings

dictionary

Configuration settings for the Azure App Service Authentication / Authorization feature.

aad_claims_authorization

string

Gets a JSON string containing the Azure AD Acl settings.

additional_login_params

string

Login parameters to send to the OpenID Connect authorization endpoint when a user logs in.

Each parameter must be in the form “key=value”.

allowed_audiences

list / elements=string

Allowed audience values to consider when validating JWTs issued by Azure Active Directory.

allowed_external_redirect_urls

list / elements=string

External URLs that can be redirected to as part of logging in or logging out of the app.

Note that the query string part of the URL is ignored.

auth_file_path

string

The path of the config file containing auth settings.

If the path is relative, base will the site’s root directory.

client_id

string

The Client ID of this relying party application, known as the client_id.

client_secret

string

The Client Secret of this relying party application (in Azure Active Directory, this is also referred to as the Key).

client_secret_certificate_thumbprint

string

An alternative to the client secret, that is the thumbprint of a certificate used for signing purposes.

This property acts as a replacement for the Client Secret. It is also optional.

client_secret_setting_name

string

The app setting name that contains the client secret of the relying party application.

config_version

string

The ConfigVersion of the Authentication / Authorization feature in use for the current app.

The setting in this value can control the behavior of the control plane for Authentication / Authorization.

default_provider

string

The default authentication provider to use when multiple providers are configured.

Choices:

  • "AzureActiveDirectory"

  • "Facebook"

  • "Google"

  • "MicrosoftAccount"

  • "Twitter"

  • "Github"

enabled

boolean

Whether enable or disable the Authentication / Authorization feature for the current app.

Choices:

  • false

  • true

facebook_app_id

string

The App ID of the Facebook app used for login.

facebook_app_secret

string

The App Secret of the Facebook app used for Facebook Login.

facebook_app_secret_setting_name

string

The app setting name that contains the app secret used for Facebook Login.

facebook_o_auth_scopes

list / elements=string

The OAuth 2.0 scopes that will be requested as part of Facebook for Facebook Login.

git_hub_client_id

string

The Client Id of the GitHub app used for login.

git_hub_client_secret

string

The Client Secret of the GitHub app used for Github Login.

git_hub_client_secret_setting_name

string

The app setting name that contains the client secret of the Github app used for GitHub Login.

git_hub_o_auth_scopes

list / elements=string

The OAuth 2.0 scopes that will be requested as part of GitHub Login authentication.

This setting is optional.

google_client_id

string

The OpenID Connect Client ID for the Google web application.

google_client_secret

string

The client secret associated with the Google web application.

google_client_secret_setting_name

string

The app setting name that contains the client secret associated with the Google web application.

google_o_auth_scopes

list / elements=string

The OAuth 2.0 scopes that will be requested as part of Google Sign-In authentication.

This setting is optional. If not specified, “openid”, “profile”, and “email” are used as default scopes.

is_auth_from_file

string

If is_auth_from_file=true, the auth config settings should be read from a file.

Choices:

  • "true"

  • "false"

issuer

string

The OpenID Connect Issuer URI that represents the entity which issues access tokens for this application.

kind

string

Kind of resource.

microsoft_account_client_id

string

The OAuth 2.0 client ID that was created for the app used for authentication.

This setting is required for enabling Microsoft Account authentication.

microsoft_account_client_secret

string

The OAuth 2.0 client secret that was created for the app used for authentication.

microsoft_account_client_secret_setting_name

string

The app setting name containing the OAuth 2.0 client secret that was created for the app used for authentication.

microsoft_account_o_auth_scopes

list / elements=string

The OAuth 2.0 scopes that will be requested as part of Microsoft Account authentication.

runtime_version

string

The RuntimeVersion of the Authentication / Authorization feature in use for the current app.

token_refresh_extension_hours

float

The number of hours after session token expiration that a session token can be used to call the token refresh API.

token_store_enabled

boolean

Whether to use App Service Token Store.

Choices:

  • false

  • true

twitter_consumer_key

string

The OAuth 1.0a consumer key of the Twitter application used for sign-in.

twitter_consumer_secret

string

The OAuth 1.0a consumer secret of the Twitter application used for sign-in.

This setting is required for enabling Twitter Sign-In.

twitter_consumer_secret_setting_name

string

The app setting name that contains the OAuth 1.0a consumer secret of the Twitter application used for sign-in.

unauthenticated_client_action

string

The action to take when an unauthenticated client attempts to access the app.

Choices:

  • "RedirectToLoginPage"

  • "AllowAnonymous"

startup_file

string

The web’s startup file.

Used only for Linux web apps.

state

string

State of the Web App.

Use present to create or update a Web App and absent to delete it.

Choices:

  • "absent"

  • "present" ← (default)

subscription_id

string

Your Azure subscription Id.

tags

dictionary

Dictionary of string:string pairs to assign as metadata to the object.

Metadata tags on the object will be updated with any provided values.

To remove tags set append_tags option to false.

Currently, Azure DNS zones and Traffic Manager services also don’t allow the use of spaces in the tag.

Azure Front Door doesn’t support the use of

Azure Automation and Azure CDN only support 15 tags on resources.

tenant

string

Azure tenant ID. Use when authenticating with a Service Principal.

thumbprint

string

added in azure.azcollection 1.14.0

The thumbprint of the private key specified in x509_certificate_path.

Use when authenticating with a Service Principal.

Required if x509_certificate_path is defined.

x509_certificate_path

path

added in azure.azcollection 1.14.0

Path to the X509 certificate used to create the service principal in PEM format.

The certificate must be appended to the private key.

Use when authenticating with a Service Principal.

Notes

Note

  • For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login.

  • Authentication is also possible using a service principal or Active Directory user.

  • To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

  • To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

  • Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

See Also

See also

Sign in with Azure CLI

How to authenticate using the az login command.

Examples

- name: Create a windows web app with non-exist app service plan
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWinWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
      is_linux: false
      sku: S1

- name: Create a docker web app with some app settings, with docker image
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myDockerWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
      is_linux: true
      sku: S1
      number_of_workers: 2
    app_settings:
      testkey: testvalue
      testkey2: testvalue2
    container_settings:
      name: ansible/ansible:ubuntu1404

- name: Create a docker web app with private acr registry
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myDockerWebapp
    plan: myAppServicePlan
    app_settings:
      testkey: testvalue
    container_settings:
      name: ansible/ubuntu1404
      registry_server_url: myregistry.io
      registry_server_user: user
      registry_server_password: "{{ password }}"

- name: Create a multi-container web app
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myMultiContainerWebapp
    plan: myAppServicePlan
    app_settings:
      testkey: testvalue
    container_settings:
      name: "COMPOSE|{{ lookup('file', 'docker-compose.yml') | b64encode }}"

- name: Create a linux web app with Node 6.6 framework
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myLinuxWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
    app_settings:
      testkey: testvalue
    frameworks:
      - name: "node"
        version: "18"

- name: Create a windows web app with node, php
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWinWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
    app_settings:
      testkey: testvalue
    frameworks:
      - name: "node"
        version: 18
      - name: "php"
        version: 8.2

- name: Create a stage deployment slot for an existing web app
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWebapp/slots/stage
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
    app_settings:
      testkey:testvalue

- name: Create a linux web app with java framework
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myLinuxWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
    app_settings:
      testkey: testvalue
    frameworks:
      - name: "java"
        version: "8"
        settings:
          java_container: "Tomcat"
          java_container_version: "8.5"

- name: Create a windows web app with site_auth_settings
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myWindowWebapp
    site_auth_settings:
      client_id: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      default_provider: 'MicrosoftAccount'
      runtime_version: '-2'
      token_refresh_extension_hours: 120
      unauthenticated_client_action: 'RedirectToLoginPage'
      client_secret: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
      token_store_enabled: false
      enabled: true
      is_auth_from_file: false
    plan:
      resource_group: myResourceGroup
      name: myLinuxwebapp
      is_linux: false
      sku: S1

- name: Create a linux web app with python framework
  azure_rm_webapp:
    resource_group: myResourceGroup
    name: myLinuxWebapp
    plan:
      resource_group: myAppServicePlan_rg
      name: myAppServicePlan
    app_settings:
      testkey: testvalue
    frameworks:
      - name: "python"
        version: "3.10"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

id

string

ID of current web app.

Returned: always

Sample: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/myWebApp"

Authors

  • Yunge Zhu (@yungezz)