POps-Rox/tf-az-overlays-containerinstance

Azure Container Instance Overlay Terraform Module

This Overlay Terraform module deploys and manages an Azure Container Instance Group. This module can be used in an SCCA-compliant network.

Using Azure Clouds

This module is built for both the public and US Government clouds, and the environment variable defaults to public for Azure Cloud. When using this module with the Azure Government Cloud, you must set the environment variable to usgovernment. You must also set the azurerm provider's environment to the same cloud, which ensures that the correct Azure Government Cloud endpoints are used, and set the location variable to a valid Azure Government Cloud location.

Example Usage for Azure Government Cloud:

provider "azurerm" {
  environment = "usgovernment"
}

module "mod_ampls" {
  source  = "POps-Rox/tf-az-overlays-container-instance/azurerm"
  version = "x.x.x"
  
  location = "usgovvirginia"
  environment = "usgovernment"
  ...
}

SCCA Compliance

This module can be made SCCA compliant and can be used in an SCCA-compliant network. To make it SCCA compliant, enable private endpoints and SCCA-compliant network rules.

For more information, please read the SCCA documentation.

Contributing

If you want to contribute to this repository, feel free to contribute to our Terraform module.

More details are available in the CONTRIBUTING.md file.

License

This Terraform module is open-sourced software licensed under the MIT License.

Resources Supported

Module Usage

# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

module "mod_ampls" {
  source  = "POps-Rox/tf-az-overlays-container-instance/azurerm"
  version = "x.x.x"

  depends_on = [azurerm_virtual_network.example-vnet, azurerm_subnet.example-snet, azurerm_log_analytics_workspace.example-log]

  # Resource Group, location, VNet and Subnet details
  create_resource_group = true
  location              = var.location
  deploy_environment    = var.deploy_environment
  environment           = var.environment
  org_name              = var.org_name
  workload_name         = var.workload_name

  # Container Instance details
  restart_policy = "OnFailure"

  # Container Group details
  containers_config = [
    {
      name   = "aci-example"
      image  = "mcr.microsoft.com/azuredocs/aci-helloworld:latest"
      cpu    = 1
      memory = 2

      ports = [{
        port     = 80
        protocol = "TCP"
      }]
    }
  ]
  
  # Tags
  add_tags = {} # Tags to be applied to all resources
}

Requirements

Name Version
terraform >= 1.3
azurenoopsutils ~> 1.0.4
azurerm ~> 3.22

Providers

Name Version
azurenoopsutils ~> 1.0.4
azurerm ~> 3.22

Modules

Name Source Version
mod_azure_region_lookup azurenoops/overlays-azregions-lookup/azurerm ~> 1.0.0
mod_scaffold_rg azurenoops/overlays-resource-group/azurerm ~> 1.0.1

Resources

Name Type
azurerm_container_group.aci resource
azurenoopsutils_resource_name.aci data source
azurerm_client_config.current data source
azurerm_resource_group.rgrp data source

Inputs

Name Description Type Default Required
add_tags Map of custom tags. map(string) {} no
containers_config Containers configurations.
list(object({
name = string

image = string
cpu = number
memory = number

environment_variables = optional(map(string))
secure_environment_variables = optional(map(string))
commands = optional(list(string))

ports = list(object({
port = number
protocol = string
}))

volume = optional(list(object({
name = string
mount_path = string
read_only = optional(bool)
empty_dir = optional(bool)
storage_account_name = optional(string)
storage_account_key = optional(string)
share_name = optional(string)
secret = optional(map(any))
})), [])

readiness_probe = optional(object({
exec = optional(list(string))
http_get = optional(object({
path = optional(string)
port = optional(number)
scheme = optional(string)
http_headers = optional(map(string))
}))
initial_delay_seconds = optional(number)
period_seconds = optional(number)
failure_threshold = optional(number)
success_threshold = optional(number)
timeout_seconds = optional(number)
}))

liveness_probe = optional(object({
exec = optional(list(string))
http_get = optional(object({
path = optional(string)
port = optional(number)
scheme = optional(string)
http_headers = optional(map(string))
}))
initial_delay_seconds = optional(number)
period_seconds = optional(number)
failure_threshold = optional(number)
success_threshold = optional(number)
timeout_seconds = optional(number)
}))

}))
n/a yes
create_private_endpoint_subnet Controls if the subnet should be created. If set to false, the subnet name must be provided. Default is false. bool false no
create_resource_group Controls if the resource group should be created. If set to false, the resource group name must be provided. Default is false. bool false no
custom_azure_container_instance_name The name of the custom Azure Container Instance to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. string null no
custom_resource_group_name The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. string null no
default_tags_enabled Option to enable or disable default tags. bool true no
deploy_environment Name of the workload's environment string n/a yes
dns_config DNS configuration to apply to containers.
object({
nameservers = list(string)
search_domains = optional(list(string))
options = optional(list(string))
})
null no
dns_name_label ACI Custom DNS name label used when container is public. string null no
dns_name_label_reuse_policy The value representing the security enum. Noreuse, ResourceGroupReuse, SubscriptionReuse, TenantReuse or Unsecure. Defaults to Unsecure. string "Unsecure" no
enable_private_endpoint Manages a Private Endpoint to Azure Container Registry. Default is false. bool false no
enable_resource_locks (Optional) Enable resource locks, default is false. If true, resource locks will be created for the resource group and the storage account. bool false no
environment The Terraform backend environment e.g. public or usgovernment string n/a yes
existing_private_dns_zone Name of the existing private DNS zone any null no
existing_private_subnet_name Name of the existing subnet for the private endpoint any null no
existing_resource_group_name The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. string null no
identity Map with identity block information.
object({
type = optional(string, "SystemAssigned")
identity_ids = optional(list(string))
})
{} no
init_containers initContainer configuration.
list(object({
name = string
image = string
environment_variables = optional(map(string), {})
secure_environment_variables = optional(map(string), {})
commands = optional(list(string), [])
volume = optional(list(object({
name = string
mount_path = string
read_only = optional(bool)
empty_dir = optional(bool)
storage_account_name = optional(string)
storage_account_key = optional(string)
share_name = optional(string)
secret = optional(map(any))
})), [])
security = optional(object({
privilege_enabled = bool
}), null)
}))
[] no
location Azure region in which instance will be hosted string n/a yes
lock_level (Optional) If locks are enabled, specifies the level to be used for this lock. string "CanNotDelete" no
log_analytics_workspace_id The workspace (customer) ID of the Log Analytics workspace to send diagnostics to. string null no
log_analytics_workspace_key The shared key of the Log Analytics workspace to send diagnostics to. string null no
name_prefix Optional prefix for the generated name string "" no
name_suffix Optional suffix for the generated name string "" no
org_name Name of the organization string n/a yes
os_type The OS for the container group. Allowed values are Linux and Windows. Changing this forces a new resource to be created. string "Linux" no
private_subnet_address_prefix The name of the subnet for private endpoints any null no
registry_credential A registry_credential object as documented below. Changing this forces a new resource to be created.
list(object({
server = string
username = optional(string)
password = optional(string) # TODO: mark as sensitive (hashicorp/terraform#32414)
user_assigned_identity_id = optional(string)
}))
[] no
restart_policy Restart policy for the container group. Allowed values are Always, Never, OnFailure. Changing this forces a new resource to be created. string "Always" no
subnet_ids Subnet IDs of the private network profile of the container.
Mandatory when VNet integration is enabled.
list(string) null no
use_location_short_name Use short location name for resource naming (e.g. eastus -> eus). Default is true. If set to false, the full CLI location name will be used. If custom naming is set, this variable will be ignored. bool true no
use_naming Use the Azure NoOps naming provider to generate default resource name. storage_account_custom_name override this if set. Legacy default name is used if this is set to false. bool false no
virtual_network_name Name of the virtual network for the private endpoint any null no
vnet_integration_enabled Allow to enable Vnet integration. bool false no
workload_name Name of the workload_name string n/a yes
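
A private, least-exposure call to the module, built only from the inputs documented above. This is an added example, not code from the module's repository: the module label, the three variables declared here, the registry and the image name are hypothetical placeholders, and var.location, var.org_name and the other naming variables are assumed to be declared as in Module Usage.

```hcl
# Added example. Input names are from the Inputs table; everything marked
# "assumed" or "placeholder" is hypothetical and must be replaced.
variable "api_token" {
  type      = string
  sensitive = true # redacted in plan/apply output (still stored in state)
}
variable "aci_subnet_id" {
  type = string # assumed: existing subnet delegated to container groups
}
variable "pull_identity_id" {
  type = string # assumed: user-assigned identity allowed to pull images
}

module "mod_aci_private" {
  source  = "POps-Rox/tf-az-overlays-container-instance/azurerm"
  version = "x.x.x"

  create_resource_group = true
  location              = var.location
  deploy_environment    = var.deploy_environment
  environment           = var.environment
  org_name              = var.org_name
  workload_name         = var.workload_name

  # Private IP only. dns_name_label stays unset, so the "Unsecure" default of
  # dns_name_label_reuse_policy never applies. For a public group, set the
  # policy to one of the other documented values (e.g. "TenantReuse").
  vnet_integration_enabled = true
  subnet_ids               = [var.aci_subnet_id]

  # Pull with a managed identity rather than a registry password, which the
  # Inputs table notes is not yet marked sensitive.
  identity = {
    type         = "UserAssigned"
    identity_ids = [var.pull_identity_id]
  }
  registry_credential = [{
    server                    = "example.azurecr.io" # placeholder registry
    user_assigned_identity_id = var.pull_identity_id
  }]

  enable_resource_locks = true # lock_level defaults to "CanNotDelete"

  containers_config = [{
    name   = "app"
    image  = "example.azurecr.io/app:1.0.0" # placeholder; pin a version, not :latest
    cpu    = 1
    memory = 2
    ports  = [{ port = 443, protocol = "TCP" }]
    # Secrets go here, not in environment_variables.
    secure_environment_variables = { API_TOKEN = var.api_token }
  }]
}
```

The same care applies to log_analytics_workspace_key and storage_account_key: supply them from sensitive variables or a secret store, and treat the Terraform state as secret material.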

Outputs

Name Description
aci_fqdn The FQDN of the container group derived from dns_name_label.
aci_id Azure container instance group ID
aci_identity_principal_id ACI identity principal ID.
aci_ip_address The IP address allocated to the container instance group.
