Governance Policies Azure Web Container Apps - Azure/az-prototype GitHub Wiki
Governance policies for Container Apps
Domain: azure-web
| Name | Description |
|---|---|
| Container App with Key Vault references | Use Key Vault references for secrets instead of environment variables |
| Container App with health probes | Always configure liveness and readiness probes for reliability |
| Anti-pattern | Instead |
|---|---|
| Do not store secrets in environment variables or app settings | Declare each secret in the app's secrets array as a Key Vault reference (keyVaultUrl plus the managed identity that reads it) and expose it to the container through secretRef, never as a plain value |
| Do not use admin credentials for container registry | Leave the ACR admin user disabled; set the registry entry's identity to the managed identity and grant that identity AcrPull on the registry |
| Do not deploy Container Apps without VNet integration | Deploy into a managed environment with vnetConfiguration.infrastructureSubnetId set (and internal: true when the apps should not be reachable from the public internet) |
| Check | Severity | Description |
|---|---|---|
| AZ-CA-001 | Required | Create Container Apps Environment with VNet integration and Log Analytics |
| AZ-CA-002 | Required | Create Container App with user-assigned managed identity, health probes, and Key Vault secret references |
| AZ-CA-003 | Recommended | Use consumption plan for dev/test, dedicated for production |
| AZ-CA-004 | Recommended | Set min replicas to 0 for non-critical services in dev |
| AZ-CA-005 | Recommended | Enable Container Apps system logs and console logs via environment logging |
Create Container Apps Environment with VNet integration and Log Analytics
Severity: Required
Rationale: Network isolation is mandatory so that apps reach private back ends over the VNet and can be fronted by internal ingress rather than public endpoints; log routing is configured once per environment, so setting a Log Analytics destination there gives every app in it centralized console and system logs
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.App/managedEnvironments
Create Container App with user-assigned managed identity, health probes, and Key Vault secret references
Severity: Required
Rationale: A user-assigned identity exists before the app does, so AcrPull and Key Vault role assignments can be granted in the same deployment and one identity can be shared by several apps; liveness and readiness probes keep unhealthy replicas out of rotation; Key Vault references keep plaintext secrets out of templates, Terraform state and deployment history. The identity still needs read access on the vault (Key Vault Secrets User with RBAC, or a get-secrets access policy), or the app's revision fails to provision
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.App/containerApps
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Authorization/roleAssignments | AcrPull | AcrPull role assignment (role definition ID 7f951dda-4ed3-4680-a7ca-43fe172d538d) granting the managed identity permission to pull container images from ACR. Without it the Container App cannot start: the pull is rejected as unauthorized and the new revision fails to provision, with the error surfacing in the revision's provisioning status and the environment's system logs rather than in the app's own console logs. Assign the role on the registry before creating the app; a fresh role assignment can take a short time to propagate. |
Use consumption plan for dev/test, dedicated for production
Severity: Recommended
Rationale: Cost optimization without sacrificing production reliability
Agents: cloud-architect, cost-analyst
- Microsoft.App/containerApps
Set min replicas to 0 for non-critical services in dev
Severity: Recommended
Rationale: Avoids unnecessary spend during idle periods
Agents: terraform-agent, bicep-agent, cost-analyst
- Microsoft.App/containerApps
Enable Container Apps system logs and console logs via environment logging
Severity: Recommended
Rationale: Console logs (container stdout/stderr) and system logs (revision provisioning, image pull and probe events) are only retained if the environment's appLogsConfiguration names a destination such as Log Analytics; with no destination they are visible only in the live log stream and are lost for incident investigation
Agents: cloud-architect, terraform-agent, bicep-agent, monitoring-agent
- Microsoft.App/managedEnvironments
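A small checker that evaluates a compiled ARM template (the JSON that Bicep produces) against AZ-CA-001, AZ-CA-002 (including the secret, registry-credential and AcrPull points from the anti-pattern table) and AZ-CA-005, written as an added example for this page rather than taken from the az-prototype repo or its agents. The property names are those of the Microsoft.App/managedEnvironments and Microsoft.App/containerApps resources; the two embedded templates are constructed samples, the subscription and identity IDs in them are placeholders, and the regex used to decide which environment variable names are secret-bearing is an assumption of this example.

```python
"""Check a compiled ARM template against the Container Apps governance checks above."""
import re
from dataclasses import dataclass

ACR_PULL_ROLE_ID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"  # AcrPull built-in role, as in the table above
# Assumption of this example: env var names matching this pattern are treated as secret-bearing.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|CONNECTIONSTRING|APIKEY|_KEY$)", re.I)


@dataclass(frozen=True)
class Finding:
    check: str      # AZ-CA-00x
    severity: str   # Required / Recommended, as on this page
    resource: str   # resource name from the template
    message: str


def _get(d, *path, default=None):
    """Walk nested dicts; return default when any key on the path is absent."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def check_environment(res) -> list[Finding]:
    name, props, out = res.get("name", "?"), res.get("properties", {}), []
    if not _get(props, "vnetConfiguration", "infrastructureSubnetId"):
        out.append(Finding("AZ-CA-001", "Required", name, "not VNet-integrated: vnetConfiguration.infrastructureSubnetId missing"))
    dest = _get(props, "appLogsConfiguration", "destination")
    if dest != "log-analytics":
        out.append(Finding("AZ-CA-001", "Required", name, f"appLogsConfiguration.destination is {dest!r}, expected 'log-analytics'"))
    if dest in (None, "none"):
        out.append(Finding("AZ-CA-005", "Recommended", name, "no log destination: console and system logs are not retained"))
    return out


def check_container_app(res, has_acr_pull: bool) -> list[Finding]:
    name, out = res.get("name", "?"), []
    ident = res.get("identity", {}).get("type", "None")
    if "UserAssigned" not in ident:
        out.append(Finding("AZ-CA-002", "Required", name, f"identity.type is {ident!r}, expected UserAssigned"))
    cfg = _get(res, "properties", "configuration", default={})
    for reg in cfg.get("registries", []):
        if reg.get("username") or reg.get("passwordSecretRef"):
            out.append(Finding("AZ-CA-002", "Required", name, f"registry {reg.get('server')} uses admin credentials"))
        elif reg.get("identity") and not has_acr_pull:
            out.append(Finding("AZ-CA-002", "Required", name, f"registry {reg.get('server')} uses an identity with no AcrPull role assignment"))
    for sec in cfg.get("secrets", []):
        if not (sec.get("keyVaultUrl") and sec.get("identity")):
            out.append(Finding("AZ-CA-002", "Required", name, f"secret {sec.get('name')!r} is an inline value, not a Key Vault reference"))
    for c in _get(res, "properties", "template", "containers", default=[]):
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env.get("name", "")):
                out.append(Finding("AZ-CA-002", "Required", name, f"container {c.get('name')}: env var {env['name']} carries a secret as a plain value"))
        probe_types = {p.get("type") for p in c.get("probes", [])}
        for needed in ("Liveness", "Readiness"):
            if needed not in probe_types:
                out.append(Finding("AZ-CA-002", "Required", name, f"container {c.get('name')}: no {needed} probe"))
    return out


def check_template(template: dict) -> list[Finding]:
    """Return every finding for the environments and apps in one template."""
    resources = template.get("resources", [])
    has_acr_pull = any(
        r.get("type") == "Microsoft.Authorization/roleAssignments"
        and str(_get(r, "properties", "roleDefinitionId", default="")).lower().endswith(ACR_PULL_ROLE_ID)
        for r in resources)
    findings = []
    for r in resources:
        if r.get("type") == "Microsoft.App/managedEnvironments":
            findings += check_environment(r)
        elif r.get("type") == "Microsoft.App/containerApps":
            findings += check_container_app(r, has_acr_pull)
    return findings


# Constructed sample: every anti-pattern from this page in one template.
BAD_TEMPLATE = {"resources": [
    {"type": "Microsoft.App/managedEnvironments", "name": "cae-dev",
     "properties": {"appLogsConfiguration": {"destination": "none"}}},
    {"type": "Microsoft.App/containerApps", "name": "api", "identity": {"type": "SystemAssigned"},
     "properties": {"configuration": {
         "registries": [{"server": "acr.azurecr.io", "username": "acr", "passwordSecretRef": "acr-pw"}],
         "secrets": [{"name": "acr-pw", "value": "hunter2"}]},
      "template": {"containers": [{"name": "api", "image": "acr.azurecr.io/api:1",
                                   "env": [{"name": "DB_PASSWORD", "value": "p@ss"}]}]}}}]}

# Constructed sample of the compliant shape; IDs are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers"
UAMI = f"{SUB}/Microsoft.ManagedIdentity/userAssignedIdentities/id-api"
GOOD_TEMPLATE = {"resources": [
    {"type": "Microsoft.App/managedEnvironments", "name": "cae-prod",
     "properties": {"vnetConfiguration": {"infrastructureSubnetId": f"{SUB}/Microsoft.Network/virtualNetworks/vnet/subnets/snet-cae", "internal": True},
                    "appLogsConfiguration": {"destination": "log-analytics"}}},
    {"type": "Microsoft.Authorization/roleAssignments", "name": "acrpull-id-api",
     "properties": {"roleDefinitionId": f"/providers/Microsoft.Authorization/roleDefinitions/{ACR_PULL_ROLE_ID}",
                    "principalId": "[reference('id-api').principalId]", "principalType": "ServicePrincipal"}},
    {"type": "Microsoft.App/containerApps", "name": "api",
     "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI: {}}},
     "properties": {"configuration": {
         "registries": [{"server": "acr.azurecr.io", "identity": UAMI}],
         "secrets": [{"name": "db-password", "keyVaultUrl": "https://kv-api.vault.azure.net/secrets/db-password", "identity": UAMI}]},
      "template": {"containers": [{"name": "api", "image": "acr.azurecr.io/api:1",
                                   "env": [{"name": "DB_PASSWORD", "secretRef": "db-password"}],
                                   "probes": [{"type": "Liveness", "httpGet": {"path": "/healthz", "port": 8080}},
                                              {"type": "Readiness", "httpGet": {"path": "/ready", "port": 8080}}]}],
                   "scale": {"minReplicas": 0, "maxReplicas": 3}}}}]}

if __name__ == "__main__":
    for f in check_template(BAD_TEMPLATE):
        print(f"{f.check} [{f.severity}] {f.resource}: {f.message}")
    print("compliant template findings:", check_template(GOOD_TEMPLATE))
```

Run it against `az bicep build` output (or an exported template) to get one line per violation; the non-compliant sample above yields nine findings, three of them on the environment and six on the app, while the compliant sample yields none. AZ-CA-003 and AZ-CA-004 are not encoded because they depend on whether the environment is dev or production, which the template alone does not say.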