Reputation: 143
How to enable app-service-authentication and logging into a blob via ARM-Template?
How to enable app-service-authentication and logging into a blob via ARM-Template?
hello everybody, i have a question i want to activate the app-service-authentication for anonymous requests and also the logging of everything that could happen in the website into a blob of a storageaccount via the resource template. what should i add to the template-json-file to do that?
thanks for every help
Edit:
I found out something. with this snippet it work but that are not the correct settings
"properties": {
"name": "<#= website.Name #>",
"siteConfig": {
"alwaysOn": true,
"siteAuthEnabled": true,
"siteAuthSettings": null,
"httpLoggingEnabled": true,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": true
},
now it looks like so:
but that is how it should be looking for:
Upvotes: 10
Views: 5400
Answers (3)
Reputation: 18465
According to your scenario, I have deployed my ARM template to enable Application Logging and Web server logging against Blob Storage, enable App Service Authentication and allow Anonymous requests for my Web App. Here are some detailed steps, you could refer to them.
1.Create Azure Resource Group project and add the Web App template;
2.Add "MONITORING > Diagnostic logs" configuration as follows:
3.Add "SETTINGS > Authentication/Authorization" configuration as follows:
4.Deploy the Web App and check it on Azure Portal:
Here is my website.json, you could refer to it.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "F1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and capacity. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
}
},
"variables": {
"webSiteName": "[concat('webSite', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[variables('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"name": "logs",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteLogs"
},
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "Off"
},
"azureTableStorage": {
"level": "Off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "Error",
"sasUrl": "https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": false
},
"azureBlobStorage": {
"sasUrl":"https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null,
"enabled": true
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"name": "authsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteAuthSettings"
},
"properties": {
"enabled": true,
"httpApiPrefixPath": null,
"unauthenticatedClientAction": 1,
"tokenStoreEnabled": true,
"allowedExternalRedirectUrls": null,
"defaultProvider": 0,
"clientId": null,
"clientSecret": null,
"issuer": null,
"allowedAudiences": null,
"additionalLoginParams": null,
"isAadAutoProvisioned": false,
"googleClientId": null,
"googleClientSecret": null,
"googleOAuthScopes": null,
"facebookAppId": null,
"facebookAppSecret": null,
"facebookOAuthScopes": [
""
],
"twitterConsumerKey": null,
"twitterConsumerSecret": null,
"microsoftAccountClientId": null,
"microsoftAccountClientSecret": null,
"microsoftAccountOAuthScopes": [
""
]
}
}
]
}
]
}
Additionally, you could retrieve the configurations from resources.azure.com. Here is the screenshot for you to have a better understanding of the ARM template:
Upvotes: 7
Reputation: 3315
Log all the things
You could enable Diagnostics Logging (https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log) for your App Service and add it to your App Service Website by following this guide https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-enable-diagnostic-logs-using-template
For a general logging solution that helps you keep track of (almost) everything that happens in an App Service web site you could use Application Insights (AI). You can add Application Insights to your ARM template by following this article https://learn.microsoft.com/en-us/azure/application-insights/app-insights-powershell#create-an-azure-resource-manager-template. This will help you setup AI for your web and define any specific tracking and telemetry you want to log.
Basically this is what you need to add to your ARM template in order to add AI to an App Service:
"resources": [
{
"apiVersion": "2014-08-01",
"location": "[parameters('appLocation')]",
"name": "[parameters('appName')]",
"type": "microsoft.insights/components",
"properties": {
"Application_Type": "[parameters('applicationType')]",
"ApplicationId": "[parameters('appName')]",
"Name": "[parameters('appName')]",
"Flow_Type": "Redfield",
"Request_Source": "IbizaAIExtension"
}
},
{
"name": "[variables('billingplan')]",
"type": "microsoft.insights/components/CurrentBillingFeatures",
"location": "[parameters('appLocation')]",
"apiVersion": "2015-05-01",
"dependsOn": [
"[resourceId('microsoft.insights/components', parameters('appName'))]"
],
"properties": {
"CurrentBillingFeatures": "[variables('pricePlan')]",
"DataVolumeCap": {
"Cap": "[parameters('dailyQuota')]",
"WarningThreshold": "[parameters('warningThreshold')]",
"ResetTime": "[parameters('dailyQuotaResetTime')]"
}
}
},
"__comment":"web test, alert, and any other resources go here"
]
Of course, you need to provide values for all the parameters and variables based on the price plan and quotas you want to set.
You could then setup Continuous Export (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-export-telemetry) from AI to export all logged telemetry to a separate Azure Storage blob for long term retention of your logged data. Unfortunatelly you cannot setup Continuous Export from the ARM template, but it will likely be available soon: https://visualstudio.uservoice.com/forums/357324-application-insights/suggestions/13718607-enable-programatic-configuration-of-continuous-exp
Authenticate all the things
Setting up Authentication in your App Service you can specify the authentication options as properties for your WebSite resource. I suggest you start by configuring the desired authentication model using the portal or PowerShell first and then extract the template from the resulting deployment https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template as the actual properties and values to set are not well documented.
Creating an ARM template from the portal
You can do all the changes to your website, setup diagnostics directly in the portal and then extract a template that reflects what is currently deployed in that Resource Group.
Just go to your Resource Group and select Automation script, this will extract the template definition. It may not be the prettiest template or best structured, but it will contain your deployment (unless it shows a warning for some resources).
Upvotes: 0
Reputation: 704
WebApp logging and authentication can be enabled via following resources in your template
{
"apiVersion": "2015-08-01",
"name": "logs",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "off"
},
"azureTableStorage": {
"level": "off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "off",
"sasUrl": null,
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": true
},
"azureBlobStorage": {
"sasUrl": null,
"retentionInDays": null,
"enabled": false
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"apiVersion": "2015-08-01",
"name": "authsettings",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"enabled": false,
"isAadAutoProvisioned": false
}
}
If you are not sure, what values should be in template. Do following:
- Provision Web App through the portal
- Enable necessary settings
- Go to https://resources.azure.com/ and check how template is configured for your Web App
- Make changes in your template json file
Upvotes: 2
Related Questions
- Azure Blob Storage Container Stored Access Policy with ARM
- Azure: Assign Roles via ARM Template to storage container
- how to create blob container inside Storage Account using ARM templates
- Configuration Authentication with Azure AD for Azure App Service with ARM template
- Azure Storage blob container assign RBAC using ARM
- Getting a SAS token for blob storage container doing an ARM deployment with Linked Templates
- Can't implement azure web app service access to azure storage container (blob) using MSI
- Create Azure blob/fileshare container through ARM template
- Set Storage Account key using an Arm Template
- Easy Authentication and Authorization in Azure Function App using ARM template