Microsoft.App containerApps

Bicep resource definition

The containerApps resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.App/containerApps resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.App/containerApps@2024-10-02-preview' = {
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  kind: 'string'
  location: 'string'
  managedBy: 'string'
  name: 'string'
  properties: {
    configuration: {
      activeRevisionsMode: 'string'
      dapr: {
        appId: 'string'
        appPort: int
        appProtocol: 'string'
        enableApiLogging: bool
        enabled: bool
        httpMaxRequestSize: int
        httpReadBufferSize: int
        logLevel: 'string'
      }
      identitySettings: [
        {
          identity: 'string'
          lifecycle: 'string'
        }
      ]
      ingress: {
        additionalPortMappings: [
          {
            exposedPort: int
            external: bool
            targetPort: int
          }
        ]
        allowInsecure: bool
        clientCertificateMode: 'string'
        corsPolicy: {
          allowCredentials: bool
          allowedHeaders: [
            'string'
          ]
          allowedMethods: [
            'string'
          ]
          allowedOrigins: [
            'string'
          ]
          exposeHeaders: [
            'string'
          ]
          maxAge: int
        }
        customDomains: [
          {
            bindingType: 'string'
            certificateId: 'string'
            name: 'string'
          }
        ]
        exposedPort: int
        external: bool
        ipSecurityRestrictions: [
          {
            action: 'string'
            description: 'string'
            ipAddressRange: 'string'
            name: 'string'
          }
        ]
        stickySessions: {
          affinity: 'string'
        }
        targetPort: int
        targetPortHttpScheme: 'string'
        traffic: [
          {
            label: 'string'
            latestRevision: bool
            revisionName: 'string'
            weight: int
          }
        ]
        transport: 'string'
      }
      maxInactiveRevisions: int
      registries: [
        {
          identity: 'string'
          passwordSecretRef: 'string'
          server: 'string'
          username: 'string'
        }
      ]
      revisionTransitionThreshold: int
      runtime: {
        dotnet: {
          autoConfigureDataProtection: bool
        }
        java: {
          enableMetrics: bool
          javaAgent: {
            enabled: bool
            logging: {
              loggerSettings: [
                {
                  level: 'string'
                  logger: 'string'
                }
              ]
            }
          }
        }
      }
      secrets: [
        {
          identity: 'string'
          keyVaultUrl: 'string'
          name: 'string'
          value: 'string'
        }
      ]
      service: {
        type: 'string'
      }
      targetLabel: 'string'
    }
    environmentId: 'string'
    managedEnvironmentId: 'string'
    patchingConfiguration: {
      patchingMode: 'string'
    }
    template: {
      containers: [
        {
          args: [
            'string'
          ]
          command: [
            'string'
          ]
          env: [
            {
              name: 'string'
              secretRef: 'string'
              value: 'string'
            }
          ]
          image: 'string'
          imageType: 'string'
          name: 'string'
          probes: [
            {
              failureThreshold: int
              httpGet: {
                host: 'string'
                httpHeaders: [
                  {
                    name: 'string'
                    value: 'string'
                  }
                ]
                path: 'string'
                port: int
                scheme: 'string'
              }
              initialDelaySeconds: int
              periodSeconds: int
              successThreshold: int
              tcpSocket: {
                host: 'string'
                port: int
              }
              terminationGracePeriodSeconds: int
              timeoutSeconds: int
              type: 'string'
            }
          ]
          resources: {
            cpu: int
            gpu: int
            memory: 'string'
          }
          volumeMounts: [
            {
              mountPath: 'string'
              subPath: 'string'
              volumeName: 'string'
            }
          ]
        }
      ]
      initContainers: [
        {
          args: [
            'string'
          ]
          command: [
            'string'
          ]
          env: [
            {
              name: 'string'
              secretRef: 'string'
              value: 'string'
            }
          ]
          image: 'string'
          imageType: 'string'
          name: 'string'
          resources: {
            cpu: int
            gpu: int
            memory: 'string'
          }
          volumeMounts: [
            {
              mountPath: 'string'
              subPath: 'string'
              volumeName: 'string'
            }
          ]
        }
      ]
      revisionSuffix: 'string'
      scale: {
        cooldownPeriod: int
        maxReplicas: int
        minReplicas: int
        pollingInterval: int
        rules: [
          {
            azureQueue: {
              accountName: 'string'
              auth: [
                {
                  secretRef: 'string'
                  triggerParameter: 'string'
                }
              ]
              identity: 'string'
              queueLength: int
              queueName: 'string'
            }
            custom: {
              auth: [
                {
                  secretRef: 'string'
                  triggerParameter: 'string'
                }
              ]
              identity: 'string'
              metadata: {
                {customized property}: 'string'
              }
              type: 'string'
            }
            http: {
              auth: [
                {
                  secretRef: 'string'
                  triggerParameter: 'string'
                }
              ]
              identity: 'string'
              metadata: {
                {customized property}: 'string'
              }
            }
            name: 'string'
            tcp: {
              auth: [
                {
                  secretRef: 'string'
                  triggerParameter: 'string'
                }
              ]
              identity: 'string'
              metadata: {
                {customized property}: 'string'
              }
            }
          }
        ]
      }
      serviceBinds: [
        {
          clientType: 'string'
          customizedKeys: {
            {customized property}: 'string'
          }
          name: 'string'
          serviceId: 'string'
        }
      ]
      terminationGracePeriodSeconds: int
      volumes: [
        {
          mountOptions: 'string'
          name: 'string'
          secrets: [
            {
              path: 'string'
              secretRef: 'string'
            }
          ]
          storageName: 'string'
          storageType: 'string'
        }
      ]
    }
    workloadProfileName: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

Configuration

Name Description Value
activeRevisionsMode ActiveRevisionsMode controls how active revisions are handled for the Container app:
<list><item>Single: Only one revision can be active at a time. Traffic weights cannot be used. This is the default.</item><item>Multiple: Multiple revisions can be active, including optional traffic weights and labels.</item><item>Labels: Only revisions with labels are active. Traffic weights can be applied to labels.</item></list>
'Labels'
'Multiple'
'Single'
dapr Dapr configuration for the Container App. Dapr
identitySettings Optional settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used. IdentitySettings[]
ingress Ingress configurations. Ingress
maxInactiveRevisions Optional. Max inactive revisions a Container App can have. int
registries Collection of private container registry credentials for containers used by the Container app RegistryCredentials[]
revisionTransitionThreshold Optional. The percent of the total number of replicas that must be brought up before revision transition occurs. Defaults to 100 when none is given. Value must be greater than 0 and less than or equal to 100. int

Constraints:
Min value = 1
Max value = 100
runtime App runtime configuration for the Container App. Runtime
secrets Collection of secrets used by a Container app Secret[]
service Container App to be a dev Container App Service Service
targetLabel Required in labels revisions mode. Label to apply to newly created revision. string

Container

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
probes List of probes for the container. ContainerAppProbe[]
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

ContainerAppProbe

Name Description Value
failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Maximum value is 10. int
httpGet HTTPGet specifies the http request to perform. ContainerAppProbeHttpGet
initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. Minimum value is 1. Maximum value is 60. int
periodSeconds How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value is 240. int
successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. Maximum value is 10. int
tcpSocket TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported. ContainerAppProbeTcpSocket
terminationGracePeriodSeconds Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour) int
timeoutSeconds Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 240. int
type The type of probe. 'Liveness'
'Readiness'
'Startup'

ContainerAppProbeHttpGet

Name Description Value
host Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. string
httpHeaders Custom headers to set in the request. HTTP allows repeated headers. ContainerAppProbeHttpGetHttpHeadersItem[]
path Path to access on the HTTP server. string
port Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)
scheme Scheme to use for connecting to the host. Defaults to HTTP. 'HTTP'
'HTTPS'

ContainerAppProbeHttpGetHttpHeadersItem

Name Description Value
name The header field name string (required)
value The header field value string (required)

ContainerAppProbeTcpSocket

Name Description Value
host Optional: Host name to connect to, defaults to the pod IP. string
port Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)

ContainerAppProperties

Name Description Value
configuration Non versioned Container App configuration properties. Configuration
environmentId Resource ID of environment. string
managedEnvironmentId Deprecated. Resource ID of the Container App's environment. string
patchingConfiguration Container App auto patch configuration. ContainerAppPropertiesPatchingConfiguration
template Container App versioned application definition. Template
workloadProfileName Workload profile name to pin for container app execution. string

ContainerAppPropertiesPatchingConfiguration

Name Description Value
patchingMode Patching mode for the container app. Null or default in this field will be interpreted as Automatic by RP. Automatic mode will automatically apply available patches. Manual mode will require the user to manually apply patches. Disabled mode will stop patch detection and auto patching. 'Automatic'
'Disabled'
'Manual'

ContainerResources

Name Description Value
cpu Required CPU in cores, e.g. 0.5 int
gpu Required GPU in cores for GPU based app, e.g. 1.0 int
memory Required memory, e.g. "250Mb" string

CorsPolicy

Name Description Value
allowCredentials Specifies whether the resource allows credentials bool
allowedHeaders Specifies the content for the access-control-allow-headers header string[]
allowedMethods Specifies the content for the access-control-allow-methods header string[]
allowedOrigins Specifies the content for the access-control-allow-origins header string[] (required)
exposeHeaders Specifies the content for the access-control-expose-headers header string[]
maxAge Specifies the content for the access-control-max-age header int

CustomDomain

Name Description Value
bindingType Custom Domain binding type. 'Auto'
'Disabled'
'SniEnabled'
certificateId Resource Id of the Certificate to be bound to this hostname. Must exist in the Managed Environment. string
name Hostname. string (required)

CustomScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe custom scale rule. CustomScaleRuleMetadata
type Type of the custom scale rule
eg: azure-servicebus, redis etc.
string

CustomScaleRuleMetadata

Name Description Value

Dapr

Name Description Value
appId Dapr application identifier string
appPort Tells Dapr which port your application is listening on int
appProtocol Tells Dapr which protocol your application is using. Valid options are http and grpc. Default is http 'grpc'
'http'
enableApiLogging Enables API logging for the Dapr sidecar bool
enabled Boolean indicating if the Dapr side car is enabled bool
httpMaxRequestSize Increasing max size of request body http and grpc servers parameter in MB to handle uploading of big files. Default is 4 MB. int
httpReadBufferSize Dapr max size of http header read buffer in KB to handle when sending multi-KB headers. Default is 65KB. int
logLevel Sets the log level for the Dapr sidecar. Allowed values are debug, info, warn, error. Default is info. 'debug'
'error'
'info'
'warn'

EnvironmentVar

Name Description Value
name Environment variable name. string
secretRef Name of the Container App secret from which to pull the environment variable value. string
value Non-secret environment variable value. string

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'CustomLocation'

HttpScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe http scale rule. HttpScaleRuleMetadata

HttpScaleRuleMetadata

Name Description Value

IdentitySettings

Name Description Value
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string (required)
lifecycle Use to select the lifecycle stages of a Container App during which the Managed Identity should be available. 'All'
'Init'
'Main'
'None'

Ingress

Name Description Value
additionalPortMappings Settings to expose additional ports on container app IngressPortMapping[]
allowInsecure Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections bool
clientCertificateMode Client certificate mode for mTLS authentication. Ignore indicates server drops client certificate on forwarding. Accept indicates server forwards client certificate but does not require a client certificate. Require indicates server requires a client certificate. 'accept'
'ignore'
'require'
corsPolicy CORS policy for container app CorsPolicy
customDomains custom domain bindings for Container Apps' hostnames. CustomDomain[]
exposedPort Exposed Port in containers for TCP traffic from ingress int
external Bool indicating if app exposes an external http endpoint bool
ipSecurityRestrictions Rules to restrict incoming IP address. IpSecurityRestrictionRule[]
stickySessions Sticky Sessions for Single Revision Mode IngressStickySessions
targetPort Target Port in containers for traffic from ingress int
targetPortHttpScheme Whether an http app listens on http or https 'http'
'https'
traffic Traffic weights for app's revisions TrafficWeight[]
transport Ingress transport protocol 'auto'
'http'
'http2'
'tcp'

IngressPortMapping

Name Description Value
exposedPort Specifies the exposed port for the target port. If not specified, it defaults to target port int
external Specifies whether the app port is accessible outside of the environment bool (required)
targetPort Specifies the port user's container listens on int (required)

IngressStickySessions

Name Description Value
affinity Sticky Session Affinity 'none'
'sticky'

InitContainer

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

IpSecurityRestrictionRule

Name Description Value
action Allow or Deny rules to determine for incoming IP. Note: Rules can only consist of ALL Allow or ALL Deny 'Allow'
'Deny' (required)
description Describe the IP restriction rule that is being sent to the container-app. This is an optional field. string
ipAddressRange CIDR notation to match incoming IP address string (required)
name Name for the IP restriction rule. string (required)

LoggerSetting

Name Description Value
level The specified logger's log level. 'debug'
'error'
'info'
'off'
'trace'
'warn' (required)
logger Logger name. string (required)

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.App/containerApps

Name Description Value
extendedLocation The complex type of the extended location. ExtendedLocation
identity managed identities for the Container App to interact with other Azure services without maintaining any secrets or credentials in code. ManagedServiceIdentity
kind Metadata used to render different experiences for resources of the same type; e.g. WorkflowApp is a kind of Microsoft.App/ContainerApps type. If supported, the resource provider must validate and persist this value. 'workflowapp'
location The geo-location where the resource lives string (required)
managedBy The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource. string
name The resource name string (required)
properties ContainerApp resource specific properties ContainerAppProperties
tags Resource tags Dictionary of tag names and values. See Tags in templates

QueueScaleRule

Name Description Value
accountName Storage account name. required if using managed identity to authenticate string
auth Authentication secrets for the queue scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
queueLength Queue length. int
queueName Queue name. string

RegistryCredentials

Name Description Value
identity A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use 'system' string
passwordSecretRef The name of the Secret that contains the registry login password string
server Container Registry Server string
username Container Registry Username string

Runtime

Name Description Value
dotnet .NET app configuration RuntimeDotnet
java Java app configuration RuntimeJava

RuntimeDotnet

Name Description Value
autoConfigureDataProtection Auto configure the ASP.NET Core Data Protection feature bool

RuntimeJava

Name Description Value
enableMetrics Enable jmx core metrics for the java app bool
javaAgent Diagnostic capabilities achieved by java agent RuntimeJavaAgent

RuntimeJavaAgent

Name Description Value
enabled Enable java agent injection for the java app. bool
logging Capabilities on the java logging scenario. RuntimeJavaAgentLogging

RuntimeJavaAgentLogging

Name Description Value
loggerSettings Settings of the logger for the java app. LoggerSetting[]

Scale

Name Description Value
cooldownPeriod Optional. KEDA Cooldown Period. Defaults to 300 seconds if not set. int
maxReplicas Optional. Maximum number of container replicas. Defaults to 10 if not set. int
minReplicas Optional. Minimum number of container replicas. int
pollingInterval Optional. KEDA Polling Interval. Defaults to 30 seconds if not set. int
rules Scaling rules. ScaleRule[]

ScaleRule

Name Description Value
azureQueue Azure Queue based scaling. QueueScaleRule
custom Custom scale rule. CustomScaleRule
http HTTP requests based scaling. HttpScaleRule
name Scale Rule Name string
tcp Tcp requests based scaling. TcpScaleRule

ScaleRuleAuth

Name Description Value
secretRef Name of the secret from which to pull the auth params. string
triggerParameter Trigger Parameter that uses the secret string

Secret

Name Description Value
identity Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity. string
keyVaultUrl Azure Key Vault URL pointing to the secret referenced by the container app. string
name Secret Name. string
value Secret Value. string

Constraints:
Sensitive value. Pass in as a secure parameter.

SecretVolumeItem

Name Description Value
path Path to project secret to. If no path is provided, path defaults to name of secret listed in secretRef. string
secretRef Name of the Container App secret from which to pull the secret value. string

Service

Name Description Value
type Dev ContainerApp service type string (required)

ServiceBind

Name Description Value
clientType Type of the client to be used to connect to the service string
customizedKeys Customized keys for customizing injected values to the app ServiceBindCustomizedKeys
name Name of the service bind string
serviceId Resource id of the target service string

ServiceBindCustomizedKeys

Name Description Value

TcpScaleRule

Name Description Value
auth Authentication secrets for the tcp scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe tcp scale rule. TcpScaleRuleMetadata

TcpScaleRuleMetadata

Name Description Value

Template

Name Description Value
containers List of container definitions for the Container App. Container[]
initContainers List of specialized containers that run before app containers. InitContainer[]
revisionSuffix User friendly suffix that is appended to the revision name string
scale Scaling properties for the Container App. Scale
serviceBinds List of container app services bound to the app ServiceBind[]
terminationGracePeriodSeconds Optional duration in seconds the Container App Instance needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. int
volumes List of volume definitions for the Container App. Volume[]

TrackedResourceTags

Name Description Value

TrafficWeight

Name Description Value
label Associates a traffic label with a revision string
latestRevision Indicates that the traffic weight belongs to a latest stable revision bool
revisionName Name of a revision string
weight Traffic weight assigned to a revision int

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value

Volume

Name Description Value
mountOptions Mount options used while mounting the Azure file share or NFS Azure file share. Must be a comma-separated string. string
name Volume name. string
secrets List of secrets to be added in volume. If no secrets are provided, all secrets in collection will be added to volume. SecretVolumeItem[]
storageName Name of storage resource. No need to provide for EmptyDir and Secret. string
storageType Storage type for the volume. If not provided, use EmptyDir. 'AzureFile'
'EmptyDir'
'NfsAzureFile'
'Secret'
'Smb'

VolumeMount

Name Description Value
mountPath Path within the container at which the volume should be mounted.Must not contain ':'. string
subPath Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). string
volumeName This must match the Name of a Volume. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Creates a Container App and Environment with Registry Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs.
Creates a Container App with a defined HTTP scaling rule Create a Container App Environment with a basic Container App that scales based on HTTP traffic.
Creates a Container App within a Container App Environment Create a Container App Environment with a basic Container App. It also deploys a Log Analytics Workspace to store logs.
Creates a Dapr microservices app using Container Apps Create a Dapr microservices app using Container Apps.
Creates a Dapr pub-sub servicebus app using Container Apps Create a Dapr pub-sub servicebus app using Container Apps.
Creates a two Container App with a Container App Environment Create a two Container App Environment with a basic Container App. It also deploys a Log Analytics Workspace to store logs.
Creates an external Container App environment with a VNET Creates an external Container App environment with a VNET.
Creates an internal Container App environment with a VNET Creates an internal Container App environment with a VNET.

ARM template resource definition

The containerApps resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.App/containerApps resource, add the following JSON to your template.

{
  "type": "Microsoft.App/containerApps",
  "apiVersion": "2024-10-02-preview",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "kind": "string",
  "location": "string",
  "managedBy": "string",
  "properties": {
    "configuration": {
      "activeRevisionsMode": "string",
      "dapr": {
        "appId": "string",
        "appPort": "int",
        "appProtocol": "string",
        "enableApiLogging": "bool",
        "enabled": "bool",
        "httpMaxRequestSize": "int",
        "httpReadBufferSize": "int",
        "logLevel": "string"
      },
      "identitySettings": [
        {
          "identity": "string",
          "lifecycle": "string"
        }
      ],
      "ingress": {
        "additionalPortMappings": [
          {
            "exposedPort": "int",
            "external": "bool",
            "targetPort": "int"
          }
        ],
        "allowInsecure": "bool",
        "clientCertificateMode": "string",
        "corsPolicy": {
          "allowCredentials": "bool",
          "allowedHeaders": [ "string" ],
          "allowedMethods": [ "string" ],
          "allowedOrigins": [ "string" ],
          "exposeHeaders": [ "string" ],
          "maxAge": "int"
        },
        "customDomains": [
          {
            "bindingType": "string",
            "certificateId": "string",
            "name": "string"
          }
        ],
        "exposedPort": "int",
        "external": "bool",
        "ipSecurityRestrictions": [
          {
            "action": "string",
            "description": "string",
            "ipAddressRange": "string",
            "name": "string"
          }
        ],
        "stickySessions": {
          "affinity": "string"
        },
        "targetPort": "int",
        "targetPortHttpScheme": "string",
        "traffic": [
          {
            "label": "string",
            "latestRevision": "bool",
            "revisionName": "string",
            "weight": "int"
          }
        ],
        "transport": "string"
      },
      "maxInactiveRevisions": "int",
      "registries": [
        {
          "identity": "string",
          "passwordSecretRef": "string",
          "server": "string",
          "username": "string"
        }
      ],
      "revisionTransitionThreshold": "int",
      "runtime": {
        "dotnet": {
          "autoConfigureDataProtection": "bool"
        },
        "java": {
          "enableMetrics": "bool",
          "javaAgent": {
            "enabled": "bool",
            "logging": {
              "loggerSettings": [
                {
                  "level": "string",
                  "logger": "string"
                }
              ]
            }
          }
        }
      },
      "secrets": [
        {
          "identity": "string",
          "keyVaultUrl": "string",
          "name": "string",
          "value": "string"
        }
      ],
      "service": {
        "type": "string"
      },
      "targetLabel": "string"
    },
    "environmentId": "string",
    "managedEnvironmentId": "string",
    "patchingConfiguration": {
      "patchingMode": "string"
    },
    "template": {
      "containers": [
        {
          "args": [ "string" ],
          "command": [ "string" ],
          "env": [
            {
              "name": "string",
              "secretRef": "string",
              "value": "string"
            }
          ],
          "image": "string",
          "imageType": "string",
          "name": "string",
          "probes": [
            {
              "failureThreshold": "int",
              "httpGet": {
                "host": "string",
                "httpHeaders": [
                  {
                    "name": "string",
                    "value": "string"
                  }
                ],
                "path": "string",
                "port": "int",
                "scheme": "string"
              },
              "initialDelaySeconds": "int",
              "periodSeconds": "int",
              "successThreshold": "int",
              "tcpSocket": {
                "host": "string",
                "port": "int"
              },
              "terminationGracePeriodSeconds": "int",
              "timeoutSeconds": "int",
              "type": "string"
            }
          ],
          "resources": {
            "cpu": "int",
            "gpu": "int",
            "memory": "string"
          },
          "volumeMounts": [
            {
              "mountPath": "string",
              "subPath": "string",
              "volumeName": "string"
            }
          ]
        }
      ],
      "initContainers": [
        {
          "args": [ "string" ],
          "command": [ "string" ],
          "env": [
            {
              "name": "string",
              "secretRef": "string",
              "value": "string"
            }
          ],
          "image": "string",
          "imageType": "string",
          "name": "string",
          "resources": {
            "cpu": "int",
            "gpu": "int",
            "memory": "string"
          },
          "volumeMounts": [
            {
              "mountPath": "string",
              "subPath": "string",
              "volumeName": "string"
            }
          ]
        }
      ],
      "revisionSuffix": "string",
      "scale": {
        "cooldownPeriod": "int",
        "maxReplicas": "int",
        "minReplicas": "int",
        "pollingInterval": "int",
        "rules": [
          {
            "azureQueue": {
              "accountName": "string",
              "auth": [
                {
                  "secretRef": "string",
                  "triggerParameter": "string"
                }
              ],
              "identity": "string",
              "queueLength": "int",
              "queueName": "string"
            },
            "custom": {
              "auth": [
                {
                  "secretRef": "string",
                  "triggerParameter": "string"
                }
              ],
              "identity": "string",
              "metadata": {
                "{customized property}": "string"
              },
              "type": "string"
            },
            "http": {
              "auth": [
                {
                  "secretRef": "string",
                  "triggerParameter": "string"
                }
              ],
              "identity": "string",
              "metadata": {
                "{customized property}": "string"
              }
            },
            "name": "string",
            "tcp": {
              "auth": [
                {
                  "secretRef": "string",
                  "triggerParameter": "string"
                }
              ],
              "identity": "string",
              "metadata": {
                "{customized property}": "string"
              }
            }
          }
        ]
      },
      "serviceBinds": [
        {
          "clientType": "string",
          "customizedKeys": {
            "{customized property}": "string"
          },
          "name": "string",
          "serviceId": "string"
        }
      ],
      "terminationGracePeriodSeconds": "int",
      "volumes": [
        {
          "mountOptions": "string",
          "name": "string",
          "secrets": [
            {
              "path": "string",
              "secretRef": "string"
            }
          ],
          "storageName": "string",
          "storageType": "string"
        }
      ]
    },
    "workloadProfileName": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

Configuration

Name Description Value
activeRevisionsMode ActiveRevisionsMode controls how active revisions are handled for the Container app:
<list><item>Single: Only one revision can be active at a time. Traffic weights cannot be used. This is the default.</item><item>Multiple: Multiple revisions can be active, including optional traffic weights and labels.</item><item>Labels: Only revisions with labels are active. Traffic weights can be applied to labels.</item></list>
'Labels'
'Multiple'
'Single'
dapr Dapr configuration for the Container App. Dapr
identitySettings Optional settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used. IdentitySettings[]
ingress Ingress configurations. Ingress
maxInactiveRevisions Optional. Max inactive revisions a Container App can have. int
registries Collection of private container registry credentials for containers used by the Container app RegistryCredentials[]
revisionTransitionThreshold Optional. The percent of the total number of replicas that must be brought up before revision transition occurs. Defaults to 100 when none is given. Value must be greater than 0 and less than or equal to 100. int

Constraints:
Min value = 1
Max value = 100
runtime App runtime configuration for the Container App. Runtime
secrets Collection of secrets used by a Container app Secret[]
service Container App to be a dev Container App Service Service
targetLabel Required in labels revisions mode. Label to apply to newly created revision. string

Container

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
probes List of probes for the container. ContainerAppProbe[]
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

ContainerAppProbe

Name Description Value
failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Maximum value is 10. int
httpGet HTTPGet specifies the http request to perform. ContainerAppProbeHttpGet
initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. Minimum value is 1. Maximum value is 60. int
periodSeconds How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value is 240. int
successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. Maximum value is 10. int
tcpSocket TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported. ContainerAppProbeTcpSocket
terminationGracePeriodSeconds Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour) int
timeoutSeconds Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 240. int
type The type of probe. 'Liveness'
'Readiness'
'Startup'

ContainerAppProbeHttpGet

Name Description Value
host Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. string
httpHeaders Custom headers to set in the request. HTTP allows repeated headers. ContainerAppProbeHttpGetHttpHeadersItem[]
path Path to access on the HTTP server. string
port Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)
scheme Scheme to use for connecting to the host. Defaults to HTTP. 'HTTP'
'HTTPS'

ContainerAppProbeHttpGetHttpHeadersItem

Name Description Value
name The header field name string (required)
value The header field value string (required)

ContainerAppProbeTcpSocket

Name Description Value
host Optional: Host name to connect to, defaults to the pod IP. string
port Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)

ContainerAppProperties

Name Description Value
configuration Non versioned Container App configuration properties. Configuration
environmentId Resource ID of environment. string
managedEnvironmentId Deprecated. Resource ID of the Container App's environment. string
patchingConfiguration Container App auto patch configuration. ContainerAppPropertiesPatchingConfiguration
template Container App versioned application definition. Template
workloadProfileName Workload profile name to pin for container app execution. string

ContainerAppPropertiesPatchingConfiguration

Name Description Value
patchingMode Patching mode for the container app. Null or default in this field will be interpreted as Automatic by RP. Automatic mode will automatically apply available patches. Manual mode will require the user to manually apply patches. Disabled mode will stop patch detection and auto patching. 'Automatic'
'Disabled'
'Manual'

ContainerResources

Name Description Value
cpu Required CPU in cores, e.g. 0.5 int
gpu Required GPU in cores for GPU based app, e.g. 1.0 int
memory Required memory, e.g. "250Mb" string

CorsPolicy

Name Description Value
allowCredentials Specifies whether the resource allows credentials bool
allowedHeaders Specifies the content for the access-control-allow-headers header string[]
allowedMethods Specifies the content for the access-control-allow-methods header string[]
allowedOrigins Specifies the content for the access-control-allow-origins header string[] (required)
exposeHeaders Specifies the content for the access-control-expose-headers header string[]
maxAge Specifies the content for the access-control-max-age header int

CustomDomain

Name Description Value
bindingType Custom Domain binding type. 'Auto'
'Disabled'
'SniEnabled'
certificateId Resource Id of the Certificate to be bound to this hostname. Must exist in the Managed Environment. string
name Hostname. string (required)

CustomScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe custom scale rule. CustomScaleRuleMetadata
type Type of the custom scale rule
eg: azure-servicebus, redis etc.
string

CustomScaleRuleMetadata

Name Description Value

Dapr

Name Description Value
appId Dapr application identifier string
appPort Tells Dapr which port your application is listening on int
appProtocol Tells Dapr which protocol your application is using. Valid options are http and grpc. Default is http 'grpc'
'http'
enableApiLogging Enables API logging for the Dapr sidecar bool
enabled Boolean indicating if the Dapr side car is enabled bool
httpMaxRequestSize Increasing max size of request body http and grpc servers parameter in MB to handle uploading of big files. Default is 4 MB. int
httpReadBufferSize Dapr max size of http header read buffer in KB to handle when sending multi-KB headers. Default is 65KB. int
logLevel Sets the log level for the Dapr sidecar. Allowed values are debug, info, warn, error. Default is info. 'debug'
'error'
'info'
'warn'

EnvironmentVar

Name Description Value
name Environment variable name. string
secretRef Name of the Container App secret from which to pull the environment variable value. string
value Non-secret environment variable value. string

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'CustomLocation'

HttpScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe http scale rule. HttpScaleRuleMetadata

HttpScaleRuleMetadata

Name Description Value

IdentitySettings

Name Description Value
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string (required)
lifecycle Use to select the lifecycle stages of a Container App during which the Managed Identity should be available. 'All'
'Init'
'Main'
'None'

Ingress

Name Description Value
additionalPortMappings Settings to expose additional ports on container app IngressPortMapping[]
allowInsecure Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections bool
clientCertificateMode Client certificate mode for mTLS authentication. Ignore indicates server drops client certificate on forwarding. Accept indicates server forwards client certificate but does not require a client certificate. Require indicates server requires a client certificate. 'accept'
'ignore'
'require'
corsPolicy CORS policy for container app CorsPolicy
customDomains custom domain bindings for Container Apps' hostnames. CustomDomain[]
exposedPort Exposed Port in containers for TCP traffic from ingress int
external Bool indicating if app exposes an external http endpoint bool
ipSecurityRestrictions Rules to restrict incoming IP address. IpSecurityRestrictionRule[]
stickySessions Sticky Sessions for Single Revision Mode IngressStickySessions
targetPort Target Port in containers for traffic from ingress int
targetPortHttpScheme Whether an http app listens on http or https 'http'
'https'
traffic Traffic weights for app's revisions TrafficWeight[]
transport Ingress transport protocol 'auto'
'http'
'http2'
'tcp'

IngressPortMapping

Name Description Value
exposedPort Specifies the exposed port for the target port. If not specified, it defaults to target port int
external Specifies whether the app port is accessible outside of the environment bool (required)
targetPort Specifies the port user's container listens on int (required)

IngressStickySessions

Name Description Value
affinity Sticky Session Affinity 'none'
'sticky'

InitContainer

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

IpSecurityRestrictionRule

Name Description Value
action Allow or Deny rules to determine for incoming IP. Note: Rules can only consist of ALL Allow or ALL Deny 'Allow'
'Deny' (required)
description Describe the IP restriction rule that is being sent to the container-app. This is an optional field. string
ipAddressRange CIDR notation to match incoming IP address string (required)
name Name for the IP restriction rule. string (required)

LoggerSetting

Name Description Value
level The specified logger's log level. 'debug'
'error'
'info'
'off'
'trace'
'warn' (required)
logger Logger name. string (required)

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.App/containerApps

Name Description Value
apiVersion The api version '2024-10-02-preview'
extendedLocation The complex type of the extended location. ExtendedLocation
identity managed identities for the Container App to interact with other Azure services without maintaining any secrets or credentials in code. ManagedServiceIdentity
kind Metadata used to render different experiences for resources of the same type; e.g. WorkflowApp is a kind of Microsoft.App/ContainerApps type. If supported, the resource provider must validate and persist this value. 'workflowapp'
location The geo-location where the resource lives string (required)
managedBy The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource. string
name The resource name string (required)
properties ContainerApp resource specific properties ContainerAppProperties
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.App/containerApps'

QueueScaleRule

Name Description Value
accountName Storage account name. required if using managed identity to authenticate string
auth Authentication secrets for the queue scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
queueLength Queue length. int
queueName Queue name. string

RegistryCredentials

Name Description Value
identity A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use 'system' string
passwordSecretRef The name of the Secret that contains the registry login password string
server Container Registry Server string
username Container Registry Username string

Runtime

Name Description Value
dotnet .NET app configuration RuntimeDotnet
java Java app configuration RuntimeJava

RuntimeDotnet

Name Description Value
autoConfigureDataProtection Auto configure the ASP.NET Core Data Protection feature bool

RuntimeJava

Name Description Value
enableMetrics Enable jmx core metrics for the java app bool
javaAgent Diagnostic capabilities achieved by java agent RuntimeJavaAgent

RuntimeJavaAgent

Name Description Value
enabled Enable java agent injection for the java app. bool
logging Capabilities on the java logging scenario. RuntimeJavaAgentLogging

RuntimeJavaAgentLogging

Name Description Value
loggerSettings Settings of the logger for the java app. LoggerSetting[]

Scale

Name Description Value
cooldownPeriod Optional. KEDA Cooldown Period. Defaults to 300 seconds if not set. int
maxReplicas Optional. Maximum number of container replicas. Defaults to 10 if not set. int
minReplicas Optional. Minimum number of container replicas. int
pollingInterval Optional. KEDA Polling Interval. Defaults to 30 seconds if not set. int
rules Scaling rules. ScaleRule[]

ScaleRule

Name Description Value
azureQueue Azure Queue based scaling. QueueScaleRule
custom Custom scale rule. CustomScaleRule
http HTTP requests based scaling. HttpScaleRule
name Scale Rule Name string
tcp Tcp requests based scaling. TcpScaleRule

ScaleRuleAuth

Name Description Value
secretRef Name of the secret from which to pull the auth params. string
triggerParameter Trigger Parameter that uses the secret string

Secret

Name Description Value
identity Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity. string
keyVaultUrl Azure Key Vault URL pointing to the secret referenced by the container app. string
name Secret Name. string
value Secret Value. string

Constraints:
Sensitive value. Pass in as a secure parameter.

SecretVolumeItem

Name Description Value
path Path to project secret to. If no path is provided, path defaults to name of secret listed in secretRef. string
secretRef Name of the Container App secret from which to pull the secret value. string

Service

Name Description Value
type Dev ContainerApp service type string (required)

ServiceBind

Name Description Value
clientType Type of the client to be used to connect to the service string
customizedKeys Customized keys for customizing injected values to the app ServiceBindCustomizedKeys
name Name of the service bind string
serviceId Resource id of the target service string

ServiceBindCustomizedKeys

Name Description Value

TcpScaleRule

Name Description Value
auth Authentication secrets for the tcp scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe tcp scale rule. TcpScaleRuleMetadata

TcpScaleRuleMetadata

Name Description Value

Template

Name Description Value
containers List of container definitions for the Container App. Container[]
initContainers List of specialized containers that run before app containers. InitContainer[]
revisionSuffix User friendly suffix that is appended to the revision name string
scale Scaling properties for the Container App. Scale
serviceBinds List of container app services bound to the app ServiceBind[]
terminationGracePeriodSeconds Optional duration in seconds the Container App Instance needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. int
volumes List of volume definitions for the Container App. Volume[]

TrackedResourceTags

Name Description Value

TrafficWeight

Name Description Value
label Associates a traffic label with a revision string
latestRevision Indicates that the traffic weight belongs to a latest stable revision bool
revisionName Name of a revision string
weight Traffic weight assigned to a revision int

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value

Volume

Name Description Value
mountOptions Mount options used while mounting the Azure file share or NFS Azure file share. Must be a comma-separated string. string
name Volume name. string
secrets List of secrets to be added in volume. If no secrets are provided, all secrets in collection will be added to volume. SecretVolumeItem[]
storageName Name of storage resource. No need to provide for EmptyDir and Secret. string
storageType Storage type for the volume. If not provided, use EmptyDir. 'AzureFile'
'EmptyDir'
'NfsAzureFile'
'Secret'
'Smb'

VolumeMount

Name Description Value
mountPath Path within the container at which the volume should be mounted.Must not contain ':'. string
subPath Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). string
volumeName This must match the Name of a Volume. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Creates a Container App and Environment with Registry

Deploy to Azure
Create a Container App Environment with a basic Container App from an Azure Container Registry. It also deploys a Log Analytics Workspace to store logs.
Creates a Container App with a defined HTTP scaling rule

Deploy to Azure
Create a Container App Environment with a basic Container App that scales based on HTTP traffic.
Creates a Container App within a Container App Environment

Deploy to Azure
Create a Container App Environment with a basic Container App. It also deploys a Log Analytics Workspace to store logs.
Creates a Dapr microservices app using Container Apps

Deploy to Azure
Create a Dapr microservices app using Container Apps.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
Creates a two Container App with a Container App Environment

Deploy to Azure
Create a two Container App Environment with a basic Container App. It also deploys a Log Analytics Workspace to store logs.
Creates an external Container App environment with a VNET

Deploy to Azure
Creates an external Container App environment with a VNET.
Creates an internal Container App environment with a VNET

Deploy to Azure
Creates an internal Container App environment with a VNET.

Terraform (AzAPI provider) resource definition

The containerApps resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.App/containerApps resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.App/containerApps@2024-10-02-preview"
  name = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  kind = "string"
  location = "string"
  managedBy = "string"
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    extendedLocation = {
      name = "string"
      type = "string"
    }
    properties = {
      configuration = {
        activeRevisionsMode = "string"
        dapr = {
          appId = "string"
          appPort = int
          appProtocol = "string"
          enableApiLogging = bool
          enabled = bool
          httpMaxRequestSize = int
          httpReadBufferSize = int
          logLevel = "string"
        }
        identitySettings = [
          {
            identity = "string"
            lifecycle = "string"
          }
        ]
        ingress = {
          additionalPortMappings = [
            {
              exposedPort = int
              external = bool
              targetPort = int
            }
          ]
          allowInsecure = bool
          clientCertificateMode = "string"
          corsPolicy = {
            allowCredentials = bool
            allowedHeaders = [
              "string"
            ]
            allowedMethods = [
              "string"
            ]
            allowedOrigins = [
              "string"
            ]
            exposeHeaders = [
              "string"
            ]
            maxAge = int
          }
          customDomains = [
            {
              bindingType = "string"
              certificateId = "string"
              name = "string"
            }
          ]
          exposedPort = int
          external = bool
          ipSecurityRestrictions = [
            {
              action = "string"
              description = "string"
              ipAddressRange = "string"
              name = "string"
            }
          ]
          stickySessions = {
            affinity = "string"
          }
          targetPort = int
          targetPortHttpScheme = "string"
          traffic = [
            {
              label = "string"
              latestRevision = bool
              revisionName = "string"
              weight = int
            }
          ]
          transport = "string"
        }
        maxInactiveRevisions = int
        registries = [
          {
            identity = "string"
            passwordSecretRef = "string"
            server = "string"
            username = "string"
          }
        ]
        revisionTransitionThreshold = int
        runtime = {
          dotnet = {
            autoConfigureDataProtection = bool
          }
          java = {
            enableMetrics = bool
            javaAgent = {
              enabled = bool
              logging = {
                loggerSettings = [
                  {
                    level = "string"
                    logger = "string"
                  }
                ]
              }
            }
          }
        }
        secrets = [
          {
            identity = "string"
            keyVaultUrl = "string"
            name = "string"
            value = "string"
          }
        ]
        service = {
          type = "string"
        }
        targetLabel = "string"
      }
      environmentId = "string"
      managedEnvironmentId = "string"
      patchingConfiguration = {
        patchingMode = "string"
      }
      template = {
        containers = [
          {
            args = [
              "string"
            ]
            command = [
              "string"
            ]
            env = [
              {
                name = "string"
                secretRef = "string"
                value = "string"
              }
            ]
            image = "string"
            imageType = "string"
            name = "string"
            probes = [
              {
                failureThreshold = int
                httpGet = {
                  host = "string"
                  httpHeaders = [
                    {
                      name = "string"
                      value = "string"
                    }
                  ]
                  path = "string"
                  port = int
                  scheme = "string"
                }
                initialDelaySeconds = int
                periodSeconds = int
                successThreshold = int
                tcpSocket = {
                  host = "string"
                  port = int
                }
                terminationGracePeriodSeconds = int
                timeoutSeconds = int
                type = "string"
              }
            ]
            resources = {
              cpu = int
              gpu = int
              memory = "string"
            }
            volumeMounts = [
              {
                mountPath = "string"
                subPath = "string"
                volumeName = "string"
              }
            ]
          }
        ]
        initContainers = [
          {
            args = [
              "string"
            ]
            command = [
              "string"
            ]
            env = [
              {
                name = "string"
                secretRef = "string"
                value = "string"
              }
            ]
            image = "string"
            imageType = "string"
            name = "string"
            resources = {
              cpu = int
              gpu = int
              memory = "string"
            }
            volumeMounts = [
              {
                mountPath = "string"
                subPath = "string"
                volumeName = "string"
              }
            ]
          }
        ]
        revisionSuffix = "string"
        scale = {
          cooldownPeriod = int
          maxReplicas = int
          minReplicas = int
          pollingInterval = int
          rules = [
            {
              azureQueue = {
                accountName = "string"
                auth = [
                  {
                    secretRef = "string"
                    triggerParameter = "string"
                  }
                ]
                identity = "string"
                queueLength = int
                queueName = "string"
              }
              custom = {
                auth = [
                  {
                    secretRef = "string"
                    triggerParameter = "string"
                  }
                ]
                identity = "string"
                metadata = {
                  {customized property} = "string"
                }
                type = "string"
              }
              http = {
                auth = [
                  {
                    secretRef = "string"
                    triggerParameter = "string"
                  }
                ]
                identity = "string"
                metadata = {
                  {customized property} = "string"
                }
              }
              name = "string"
              tcp = {
                auth = [
                  {
                    secretRef = "string"
                    triggerParameter = "string"
                  }
                ]
                identity = "string"
                metadata = {
                  {customized property} = "string"
                }
              }
            }
          ]
        }
        serviceBinds = [
          {
            clientType = "string"
            customizedKeys = {
              {customized property} = "string"
            }
            name = "string"
            serviceId = "string"
          }
        ]
        terminationGracePeriodSeconds = int
        volumes = [
          {
            mountOptions = "string"
            name = "string"
            secrets = [
              {
                path = "string"
                secretRef = "string"
              }
            ]
            storageName = "string"
            storageType = "string"
          }
        ]
      }
      workloadProfileName = "string"
    }
  })
}

Property values

Configuration

Name Description Value
activeRevisionsMode ActiveRevisionsMode controls how active revisions are handled for the Container app:
<list><item>Single: Only one revision can be active at a time. Traffic weights cannot be used. This is the default.</item><item>Multiple: Multiple revisions can be active, including optional traffic weights and labels.</item><item>Labels: Only revisions with labels are active. Traffic weights can be applied to labels.</item></list>
'Labels'
'Multiple'
'Single'
dapr Dapr configuration for the Container App. Dapr
identitySettings Optional settings for Managed Identities that are assigned to the Container App. If a Managed Identity is not specified here, default settings will be used. IdentitySettings[]
ingress Ingress configurations. Ingress
maxInactiveRevisions Optional. Max inactive revisions a Container App can have. int
registries Collection of private container registry credentials for containers used by the Container app RegistryCredentials[]
revisionTransitionThreshold Optional. The percent of the total number of replicas that must be brought up before revision transition occurs. Defaults to 100 when none is given. Value must be greater than 0 and less than or equal to 100. int

Constraints:
Min value = 1
Max value = 100
runtime App runtime configuration for the Container App. Runtime
secrets Collection of secrets used by a Container app Secret[]
service Container App to be a dev Container App Service Service
targetLabel Required in labels revisions mode. Label to apply to newly created revision. string

Container

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
probes List of probes for the container. ContainerAppProbe[]
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

ContainerAppProbe

Name Description Value
failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. Maximum value is 10. int
httpGet HTTPGet specifies the http request to perform. ContainerAppProbeHttpGet
initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. Minimum value is 1. Maximum value is 60. int
periodSeconds How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. Maximum value is 240. int
successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. Maximum value is 10. int
tcpSocket TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported. ContainerAppProbeTcpSocket
terminationGracePeriodSeconds Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate. Maximum value is 3600 seconds (1 hour) int
timeoutSeconds Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. Maximum value is 240. int
type The type of probe. 'Liveness'
'Readiness'
'Startup'

ContainerAppProbeHttpGet

Name Description Value
host Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. string
httpHeaders Custom headers to set in the request. HTTP allows repeated headers. ContainerAppProbeHttpGetHttpHeadersItem[]
path Path to access on the HTTP server. string
port Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)
scheme Scheme to use for connecting to the host. Defaults to HTTP. 'HTTP'
'HTTPS'

ContainerAppProbeHttpGetHttpHeadersItem

Name Description Value
name The header field name string (required)
value The header field value string (required)

ContainerAppProbeTcpSocket

Name Description Value
host Optional: Host name to connect to, defaults to the pod IP. string
port Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. int (required)

ContainerAppProperties

Name Description Value
configuration Non versioned Container App configuration properties. Configuration
environmentId Resource ID of environment. string
managedEnvironmentId Deprecated. Resource ID of the Container App's environment. string
patchingConfiguration Container App auto patch configuration. ContainerAppPropertiesPatchingConfiguration
template Container App versioned application definition. Template
workloadProfileName Workload profile name to pin for container app execution. string

ContainerAppPropertiesPatchingConfiguration

Name Description Value
patchingMode Patching mode for the container app. Null or default in this field will be interpreted as Automatic by RP. Automatic mode will automatically apply available patches. Manual mode will require the user to manually apply patches. Disabled mode will stop patch detection and auto patching. 'Automatic'
'Disabled'
'Manual'

ContainerResources

Name Description Value
cpu Required CPU in cores, e.g. 0.5 int
gpu Required GPU in cores for GPU based app, e.g. 1.0 int
memory Required memory, e.g. "250Mb" string

CorsPolicy

Name Description Value
allowCredentials Specifies whether the resource allows credentials bool
allowedHeaders Specifies the content for the access-control-allow-headers header string[]
allowedMethods Specifies the content for the access-control-allow-methods header string[]
allowedOrigins Specifies the content for the access-control-allow-origins header string[] (required)
exposeHeaders Specifies the content for the access-control-expose-headers header string[]
maxAge Specifies the content for the access-control-max-age header int

CustomDomain

Name Description Value
bindingType Custom Domain binding type. 'Auto'
'Disabled'
'SniEnabled'
certificateId Resource Id of the Certificate to be bound to this hostname. Must exist in the Managed Environment. string
name Hostname. string (required)

CustomScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe custom scale rule. CustomScaleRuleMetadata
type Type of the custom scale rule
eg: azure-servicebus, redis etc.
string

CustomScaleRuleMetadata

Name Description Value

Dapr

Name Description Value
appId Dapr application identifier string
appPort Tells Dapr which port your application is listening on int
appProtocol Tells Dapr which protocol your application is using. Valid options are http and grpc. Default is http 'grpc'
'http'
enableApiLogging Enables API logging for the Dapr sidecar bool
enabled Boolean indicating if the Dapr side car is enabled bool
httpMaxRequestSize Increasing max size of request body http and grpc servers parameter in MB to handle uploading of big files. Default is 4 MB. int
httpReadBufferSize Dapr max size of http header read buffer in KB to handle when sending multi-KB headers. Default is 65KB. int
logLevel Sets the log level for the Dapr sidecar. Allowed values are debug, info, warn, error. Default is info. 'debug'
'error'
'info'
'warn'

EnvironmentVar

Name Description Value
name Environment variable name. string
secretRef Name of the Container App secret from which to pull the environment variable value. string
value Non-secret environment variable value. string

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'CustomLocation'

HttpScaleRule

Name Description Value
auth Authentication secrets for the custom scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe http scale rule. HttpScaleRuleMetadata

HttpScaleRuleMetadata

Name Description Value

IdentitySettings

Name Description Value
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string (required)
lifecycle Use to select the lifecycle stages of a Container App during which the Managed Identity should be available. 'All'
'Init'
'Main'
'None'

Ingress

Name Description Value
additionalPortMappings Settings to expose additional ports on container app IngressPortMapping[]
allowInsecure Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections bool
clientCertificateMode Client certificate mode for mTLS authentication. Ignore indicates server drops client certificate on forwarding. Accept indicates server forwards client certificate but does not require a client certificate. Require indicates server requires a client certificate. 'accept'
'ignore'
'require'
corsPolicy CORS policy for container app CorsPolicy
customDomains custom domain bindings for Container Apps' hostnames. CustomDomain[]
exposedPort Exposed Port in containers for TCP traffic from ingress int
external Bool indicating if app exposes an external http endpoint bool
ipSecurityRestrictions Rules to restrict incoming IP address. IpSecurityRestrictionRule[]
stickySessions Sticky Sessions for Single Revision Mode IngressStickySessions
targetPort Target Port in containers for traffic from ingress int
targetPortHttpScheme Whether an http app listens on http or https 'http'
'https'
traffic Traffic weights for app's revisions TrafficWeight[]
transport Ingress transport protocol 'auto'
'http'
'http2'
'tcp'

IngressPortMapping

Name Description Value
exposedPort Specifies the exposed port for the target port. If not specified, it defaults to target port int
external Specifies whether the app port is accessible outside of the environment bool (required)
targetPort Specifies the port user's container listens on int (required)

IngressStickySessions

Name Description Value
affinity Sticky Session Affinity 'none'
'sticky'

InitContainer

Name Description Value
args Container start command arguments. string[]
command Container start command. string[]
env Container environment variables. EnvironmentVar[]
image Container image tag. string
imageType The type of the image. Set to CloudBuild to let the system manages the image, where user will not be able to update image through image field. Set to ContainerImage for user provided image. 'CloudBuild'
'ContainerImage'
name Custom container name. string
resources Container resource requirements. ContainerResources
volumeMounts Container volume mounts. VolumeMount[]

IpSecurityRestrictionRule

Name Description Value
action Allow or Deny rules to determine for incoming IP. Note: Rules can only consist of ALL Allow or ALL Deny 'Allow'
'Deny' (required)
description Describe the IP restriction rule that is being sent to the container-app. This is an optional field. string
ipAddressRange CIDR notation to match incoming IP address string (required)
name Name for the IP restriction rule. string (required)

LoggerSetting

Name Description Value
level The specified logger's log level. 'debug'
'error'
'info'
'off'
'trace'
'warn' (required)
logger Logger name. string (required)

ManagedServiceIdentity

Name Description Value
type Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). 'None'
'SystemAssigned'
'SystemAssigned,UserAssigned'
'UserAssigned' (required)
userAssignedIdentities The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. UserAssignedIdentities

Microsoft.App/containerApps

Name Description Value
extendedLocation The complex type of the extended location. ExtendedLocation
identity managed identities for the Container App to interact with other Azure services without maintaining any secrets or credentials in code. ManagedServiceIdentity
kind Metadata used to render different experiences for resources of the same type; e.g. WorkflowApp is a kind of Microsoft.App/ContainerApps type. If supported, the resource provider must validate and persist this value. 'workflowapp'
location The geo-location where the resource lives string (required)
managedBy The fully qualified resource ID of the resource that manages this resource. Indicates if this resource is managed by another Azure resource. If this is present, complete mode deployment will not delete the resource if it is removed from the template since it is managed by another resource. string
name The resource name string (required)
properties ContainerApp resource specific properties ContainerAppProperties
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.App/containerApps@2024-10-02-preview"

QueueScaleRule

Name Description Value
accountName Storage account name. required if using managed identity to authenticate string
auth Authentication secrets for the queue scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
queueLength Queue length. int
queueName Queue name. string

RegistryCredentials

Name Description Value
identity A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use 'system' string
passwordSecretRef The name of the Secret that contains the registry login password string
server Container Registry Server string
username Container Registry Username string

Runtime

Name Description Value
dotnet .NET app configuration RuntimeDotnet
java Java app configuration RuntimeJava

RuntimeDotnet

Name Description Value
autoConfigureDataProtection Auto configure the ASP.NET Core Data Protection feature bool

RuntimeJava

Name Description Value
enableMetrics Enable jmx core metrics for the java app bool
javaAgent Diagnostic capabilities achieved by java agent RuntimeJavaAgent

RuntimeJavaAgent

Name Description Value
enabled Enable java agent injection for the java app. bool
logging Capabilities on the java logging scenario. RuntimeJavaAgentLogging

RuntimeJavaAgentLogging

Name Description Value
loggerSettings Settings of the logger for the java app. LoggerSetting[]

Scale

Name Description Value
cooldownPeriod Optional. KEDA Cooldown Period. Defaults to 300 seconds if not set. int
maxReplicas Optional. Maximum number of container replicas. Defaults to 10 if not set. int
minReplicas Optional. Minimum number of container replicas. int
pollingInterval Optional. KEDA Polling Interval. Defaults to 30 seconds if not set. int
rules Scaling rules. ScaleRule[]

ScaleRule

Name Description Value
azureQueue Azure Queue based scaling. QueueScaleRule
custom Custom scale rule. CustomScaleRule
http HTTP requests based scaling. HttpScaleRule
name Scale Rule Name string
tcp Tcp requests based scaling. TcpScaleRule

ScaleRuleAuth

Name Description Value
secretRef Name of the secret from which to pull the auth params. string
triggerParameter Trigger Parameter that uses the secret string

Secret

Name Description Value
identity Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity. string
keyVaultUrl Azure Key Vault URL pointing to the secret referenced by the container app. string
name Secret Name. string
value Secret Value. string

Constraints:
Sensitive value. Pass in as a secure parameter.

SecretVolumeItem

Name Description Value
path Path to project secret to. If no path is provided, path defaults to name of secret listed in secretRef. string
secretRef Name of the Container App secret from which to pull the secret value. string

Service

Name Description Value
type Dev ContainerApp service type string (required)

ServiceBind

Name Description Value
clientType Type of the client to be used to connect to the service string
customizedKeys Customized keys for customizing injected values to the app ServiceBindCustomizedKeys
name Name of the service bind string
serviceId Resource id of the target service string

ServiceBindCustomizedKeys

Name Description Value

TcpScaleRule

Name Description Value
auth Authentication secrets for the tcp scale rule. ScaleRuleAuth[]
identity The resource ID of a user-assigned managed identity that is assigned to the Container App, or 'system' for system-assigned identity. string
metadata Metadata properties to describe tcp scale rule. TcpScaleRuleMetadata

TcpScaleRuleMetadata

Name Description Value

Template

Name Description Value
containers List of container definitions for the Container App. Container[]
initContainers List of specialized containers that run before app containers. InitContainer[]
revisionSuffix User friendly suffix that is appended to the revision name string
scale Scaling properties for the Container App. Scale
serviceBinds List of container app services bound to the app ServiceBind[]
terminationGracePeriodSeconds Optional duration in seconds the Container App Instance needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. int
volumes List of volume definitions for the Container App. Volume[]

TrackedResourceTags

Name Description Value

TrafficWeight

Name Description Value
label Associates a traffic label with a revision string
latestRevision Indicates that the traffic weight belongs to a latest stable revision bool
revisionName Name of a revision string
weight Traffic weight assigned to a revision int

UserAssignedIdentities

Name Description Value

UserAssignedIdentity

Name Description Value

Volume

Name Description Value
mountOptions Mount options used while mounting the Azure file share or NFS Azure file share. Must be a comma-separated string. string
name Volume name. string
secrets List of secrets to be added in volume. If no secrets are provided, all secrets in collection will be added to volume. SecretVolumeItem[]
storageName Name of storage resource. No need to provide for EmptyDir and Secret. string
storageType Storage type for the volume. If not provided, use EmptyDir. 'AzureFile'
'EmptyDir'
'NfsAzureFile'
'Secret'
'Smb'

VolumeMount

Name Description Value
mountPath Path within the container at which the volume should be mounted.Must not contain ':'. string
subPath Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). string
volumeName This must match the Name of a Volume. string