README.md

Terraform Deployment

This directory contains Terraform modules and a deployment script for provisioning Azure services in LocalStack for Azure. For further details about the sample application, refer to the Azure Web App with Custom Docker Image.

Prerequisites

Before deploying this solution, ensure you have the following tools installed:

• LocalStack for Azure: Local Azure cloud emulator for development and testing
• Visual Studio Code: Code editor installed on one of the supported platforms
• Terraform: Infrastructure as Code tool for provisioning Azure resources
• Docker: Container runtime required for LocalStack and building the custom image
• Azure CLI: Azure command-line interface
• Azlocal CLI: LocalStack Azure CLI wrapper
• Python: Python runtime (version 3.12 or above)
• jq: JSON processor for scripting and parsing command outputs

Installing azlocal CLI

The deploy.sh Bash script uses the azlocal CLI instead of the standard Azure CLI to work with LocalStack. Install it using:

pip install azlocal

For more information, see Get started with the az tool on LocalStack.

Architecture Overview

The Terraform modules create the following Azure resources:

1. Azure Resource Group: A logical container scoping all resources in this sample.
2. Azure Virtual Network: Hosts two subnets:
   • app-subnet: Dedicated to regional VNet integration with the Web App.
   • pe-subnet: Used for hosting Azure Private Endpoints.
3. Azure Private DNS Zone: Handles DNS resolution for the Azure Container Registry Private Endpoint within the virtual network.
4. Azure Private Endpoint: Secures network access to the Azure Container Registry via a private IP within the VNet.
5. Azure NAT Gateway: Provides deterministic outbound connectivity for the Web App. Included for completeness; the sample app does not call any external services.
6. Azure Network Security Group: Enforces inbound and outbound traffic rules across the virtual network's subnets.
7. Azure Log Analytics Workspace: Centralizes diagnostic logs and metrics from all resources in the solution.
8. Azure Container Registry: A fully-managed container registry service based on the open-source Docker platform used to hold the container image used by the web app.
9. User-Assigned Managed Identity: Created and associated with the Web App.
10. Azure App Service Plan: The underlying compute tier that hosts the web application.
11. Azure Web App: Runs the Python Flask application from the custom container image stored in the Azure Container Registry.

Note
The Terraform azurerm_linux_web_app resource does not support using a managed identity for container image pull from Azure Container Registry. The Terraform deployment uses ACR admin username and password instead of a managed identity.

Provisioning Scripts

You can use the deploy.sh script to automate the deployment of all Azure resources in a single step, streamlining setup and reducing manual configuration. The script executes the following steps:

• Cleans up any previous Terraform state and plan files to ensure a fresh deployment.
• Initializes the Terraform working directory and downloads required plugins.
• Creates and validates a Terraform execution plan for the Azure infrastructure.
• Applies the Terraform plan to provision all necessary Azure resources.
• Uses a local-exec provisioner on a null_resource to build and push the container image to the Azure Container Registry locally before deploying the Web App.
• Deploys the Web App configured to pull the container image using ACR admin credentials.

Configuration

When using LocalStack for Azure, configure the metadata_host and subscription_id settings in the Azure Provider for Terraform to ensure proper connectivity:

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }

  # Set the hostname of the Azure Metadata Service (for example management.azure.com)
  # used to obtain the Cloud Environment when using LocalStack's Azure emulator.
  # This allows the provider to correctly identify the environment and avoid making calls to the real Azure endpoints.
  metadata_host = "localhost.localstack.cloud:4566"

  # Set the subscription ID to a dummy value when using LocalStack's Azure emulator.
  subscription_id = "00000000-0000-0000-0000-000000000000"
}

Deployment

You can set up the Azure emulator by utilizing the LocalStack for Azure Docker image. Before starting, ensure you have a valid LOCALSTACK_AUTH_TOKEN to access the Azure emulator. Refer to the Auth Token guide to obtain your Auth Token and specify it in the LOCALSTACK_AUTH_TOKEN environment variable. The Azure Docker image is available on the LocalStack Docker Hub. To pull the Azure Docker image, execute the following command:

docker pull localstack/localstack-azure-alpha

Start the LocalStack Azure emulator using the localstack CLI, execute the following command:

# Set the authentication token
export LOCALSTACK_AUTH_TOKEN=<your_auth_token>

# Start the LocalStack Azure emulator
IMAGE_NAME=localstack/localstack-azure-alpha localstack start -d
localstack wait -t 60

# Route all Azure CLI calls to the LocalStack Azure emulator
azlocal start-interception

Navigate to the terraform folder:

cd samples/web-app-custom-image/python/terraform

Make the script executable:

chmod +x deploy.sh

Run the deployment script:

./deploy.sh

Validation

Once the deployment completes, run the validate.sh script to confirm that all resources were provisioned and configured as expected:

#!/bin/bash
set -euo pipefail

PREFIX='local'
SUFFIX='test'
RESOURCE_GROUP_NAME="${PREFIX}-rg"
ACR_NAME="${PREFIX}acr${SUFFIX}"
MANAGED_IDENTITY_NAME="${PREFIX}-identity-${SUFFIX}"
APP_SERVICE_PLAN_NAME="${PREFIX}-app-service-plan-${SUFFIX}"
WEB_APP_NAME="${PREFIX}-webapp-${SUFFIX}"
VIRTUAL_NETWORK_NAME="${PREFIX}-vnet-${SUFFIX}"
PRIVATE_DNS_ZONE_NAME="privatelink.azurecr.io"
PRIVATE_ENDPOINT_NAME="${PREFIX}-acr-pe-${SUFFIX}"
WEB_APP_SUBNET_NSG_NAME="${PREFIX}-webapp-subnet-nsg-${SUFFIX}"
PE_SUBNET_NSG_NAME="${PREFIX}-pe-subnet-nsg-${SUFFIX}"
NAT_GATEWAY_NAME="${PREFIX}-nat-gateway-${SUFFIX}"
PIP_PREFIX_NAME="${PREFIX}-nat-gateway-pip-prefix-${SUFFIX}"
LOG_ANALYTICS_NAME="${PREFIX}-log-analytics-${SUFFIX}"

# Check resource group
echo -e "[$RESOURCE_GROUP_NAME] resource group:\n"
az group show \
	--name "$RESOURCE_GROUP_NAME" \
	--output table

# Check managed identity
echo -e "[$MANAGED_IDENTITY_NAME] managed identity:\n"
az identity show \
	--name "$MANAGED_IDENTITY_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check App Service Plan
echo -e "\n[$APP_SERVICE_PLAN_NAME] App Service Plan:\n"
az appservice plan show \
	--name "$APP_SERVICE_PLAN_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check Azure Container Registry
echo -e "\n[$ACR_NAME] Azure Container Registry:\n"
az acr show \
	--name "$ACR_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check Azure Web App
echo -e "\n[$WEB_APP_NAME] Web App:\n"
az webapp show \
	--name "$WEB_APP_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query "{name:name, state:state, defaultHostName:defaultHostName, kind:kind}" \
	--output table

# Check App Settings
echo -e "\n[$WEB_APP_NAME] app settings:\n"
az webapp config appsettings list \
	--name "$WEB_APP_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query "[?name=='IMAGE_NAME' || name=='APP_NAME' || name=='WEBSITES_PORT']" \
	--output table

# Check Virtual Network
echo -e "\n[$VIRTUAL_NETWORK_NAME] virtual network:\n"
az network vnet show \
	--name "$VIRTUAL_NETWORK_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Private DNS Zone
echo -e "\n[$PRIVATE_DNS_ZONE_NAME] private dns zone:\n"
az network private-dns zone show \
	--name "$PRIVATE_DNS_ZONE_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query '{Name:name,ResourceGroup:resourceGroup,RecordSets:recordSets,VirtualNetworkLinks:virtualNetworkLinks}' \
	--output table \
	--only-show-errors

# Check Private Endpoint
echo -e "\n[$PRIVATE_ENDPOINT_NAME] private endpoint:\n"
az network private-endpoint show \
	--name "$PRIVATE_ENDPOINT_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Web App Subnet NSG
echo -e "\n[$WEB_APP_SUBNET_NSG_NAME] network security group:\n"
az network nsg show \
	--name "$WEB_APP_SUBNET_NSG_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Private Endpoint Subnet NSG
echo -e "\n[$PE_SUBNET_NSG_NAME] network security group:\n"
az network nsg show \
	--name "$PE_SUBNET_NSG_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check NAT Gateway
echo -e "\n[$NAT_GATEWAY_NAME] nat gateway:\n"
az network nat gateway show \
	--name "$NAT_GATEWAY_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Public IP Prefix
echo -e "\n[$PIP_PREFIX_NAME] public ip prefix:\n"
az network public-ip prefix show \
	--name "$PIP_PREFIX_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Log Analytics Workspace
echo -e "\n[$LOG_ANALYTICS_NAME] log analytics workspace:\n"
az monitor log-analytics workspace show \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--workspace-name "$LOG_ANALYTICS_NAME" \
	--query '{Name:name,Location:location,ResourceGroup:resourceGroup}' \
	--output table \
	--only-show-errors

echo -e "\nResources in [$RESOURCE_GROUP_NAME]:\n"
az resource list \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

Cleanup

To destroy all created resources:

# Delete resource group and all contained resources
az group delete --name local-rg --yes --no-wait

# Verify deletion
az group list --output table

This will remove all Azure resources created by the Terraform deployment.

Related Documentation

• Terraform Azure Provider Documentation
• Terraform local-exec Provisioner
• LocalStack for Azure Documentation