Installation
Requirements
- Terraform >= 1.3.0
- Azure Provider (azurerm) >= 4.31.0
- Azure subscription with appropriate permissions
- Log Analytics Workspace for Container App Environment
The integration is designed to be run once per Azure subscription. The Upwind platform uses the subscription to group Azure Container App resources.
Installation
To deploy Upwind components on Azure Container Apps the recommended approach is to utilize the Terraform module that we maintain. The module deploys the Upwind Cluster Manager with the tracer embedded, along with supporting infrastructure.
- Log in to the Upwind Management Console.
- Select the + (plus) symbol at the top of the screen and select Connect Azure Container App.
- Enter the subscription ID where your Container Apps are deployed.
- Under Sensor credentials, click Generate to create a new client ID and client secret. Provide a name and click Generate. If you already have Sensor credentials, you may skip this step and select existing credentials from the list.
```hcl
provider "azurerm" {
  features {}
  subscription_id = "{SUBSCRIPTION_ID}"
}

module "upwind_integration_azure_container_app" {
  source                         = "https://get.upwind.io/terraform/modules/azure-onboarding/azure-container-app-latest.tar.gz"
  resource_group_name            = "{RESOURCE_GROUP_NAME}"
  container_app_environment_name = "{CONTAINER_APP_ENVIRONMENT_NAME}"
  upwind_client_id               = "{UPWIND_CLIENT_ID}"
  upwind_client_secret           = "{UPWIND_CLIENT_SECRET}"
}
```
Installation with VNet Integration (Optional)
To optionally deploy the cluster manager into an existing VNet, add the infrastructure_subnet_id parameter with your subnet ID. The subnet must have a minimum /23 CIDR range and be delegated to Microsoft.App/environments.
For App Service workloads to send traces to the cluster manager, you may also need:
- internal_load_balancer_enabled - Removes the public endpoint so the cluster manager is only accessible within the VNet
- create_private_dns_zone - Creates a private DNS zone linked to the VNet so App Services can resolve the cluster manager's internal hostname
Container App Environment VNet integration must be configured at creation time. An existing environment cannot be moved into a VNet.
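The VNet options above combined into one configuration, as an added example rather than Upwind's own code. The subnet lookup values ({SUBNET_NAME}, {VNET_NAME}, {VNET_RESOURCE_GROUP_NAME}) and the variable declarations are assumptions; the credentials are passed as sensitive variables instead of literals, and the postcondition assumes the subnet's first address prefix is IPv4.

```hcl
provider "azurerm" {
  features {}
  subscription_id = "{SUBSCRIPTION_ID}"
}

# Supply these via TF_VAR_upwind_client_id / TF_VAR_upwind_client_secret
# or a secrets-backed variable source, not a committed .tfvars file.
variable "upwind_client_id" {
  type      = string
  sensitive = true
}

variable "upwind_client_secret" {
  type      = string
  sensitive = true
}

# Existing subnet, looked up by name (placeholder values, not from the page).
data "azurerm_subnet" "upwind" {
  name                 = "{SUBNET_NAME}"
  virtual_network_name = "{VNET_NAME}"
  resource_group_name  = "{VNET_RESOURCE_GROUP_NAME}"

  lifecycle {
    # Fail the plan early if the subnet is smaller than the required /23.
    postcondition {
      condition     = tonumber(split("/", self.address_prefixes[0])[1]) <= 23
      error_message = "The subnet must have at least a /23 CIDR range."
    }
  }
}

module "upwind_integration_azure_container_app" {
  source = "https://get.upwind.io/terraform/modules/azure-onboarding/azure-container-app-latest.tar.gz"

  resource_group_name            = "{RESOURCE_GROUP_NAME}"
  container_app_environment_name = "{CONTAINER_APP_ENVIRONMENT_NAME}"
  upwind_client_id               = var.upwind_client_id
  upwind_client_secret           = var.upwind_client_secret

  infrastructure_subnet_id       = data.azurerm_subnet.upwind.id
  internal_load_balancer_enabled = true # no public endpoint
  create_private_dns_zone        = true # App Services resolve the internal hostname
}
```

Setting sensitive = true only redacts the values from plan and apply output; they are still written to the Terraform state, so the state backend needs the same access controls as the secret itself.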
What Gets Deployed
The module creates the following resources:
- Resource Group (optional): Container for all Upwind resources
- Key Vault: Stores Upwind credentials securely
- Container App Environment: Managed environment with a dedicated workload profile (D4)
- Cluster Manager Container App:
  - Runs the Upwind cluster agent with the tracer embedded
  - Configured with 4 CPU and 8GB memory
  - Exposes an HTTP2 ingress endpoint for receiving traces from application containers
  - Auto-scales between 1-3 replicas based on demand
The cluster manager is deployed with the Upwind tracer embedded in the container, allowing it to trace its own operations while also serving as the collection endpoint for traces from your application containers.
Configuration
Input Variables
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| resource_group_name | The name of the resource group | string | n/a | ✅ |
| container_app_environment_name | Name of an existing Container App Environment to deploy into | string | n/a | ✅ |
| upwind_client_id | Upwind Client ID | string | n/a | ✅ |
| upwind_client_secret | Upwind Client Secret | string | n/a | ✅ |
| name | The name of the application. Used as a prefix for resource names | string | "upwind-cluster-manager" | ❌ |
| location | The Azure location where resources will be created. If not provided, derived from the Container App Environment | string | null | ❌ |
| create | Determines whether resources will be created | bool | true | ❌ |
| tags | A map of tags to add to all resources | map(string) | {} | ❌ |
| create_resource_group | Whether to create a resource group for the application | bool | false | ❌ |
| resource_group_id | The ID of an existing resource group, if create_resource_group is false | string | null | ❌ |
| current_identity_object_id | The object ID of the current identity executing terraform, used for Key Vault access policies | string | null | ❌ |
| create_secret | Whether to create a secret for Upwind credentials. If false, key_vault_id must be provided | bool | true | ❌ |
| key_vault_id | The ID of an existing Key Vault to use for storing secrets | string | null | ❌ |
| upwind_auth_endpoint | Authentication endpoint for Upwind platform | string | "https://oauth.upwind.io/oauth/token" | ❌ |
| upwind_api_host | API host for Upwind platform | string | "https://agent.upwind.io" | ❌ |
| registry_url | Docker registry URL for Upwind images | string | "registry.upwind.io" | ❌ |
| registry_username | Username for the Docker registry. If not provided, credentials are obtained automatically | string | null | ❌ |
| registry_password | Password for the Docker registry. If not provided, credentials are obtained automatically | string | null | ❌ |
| container_app_port | The port that the container application listens on | number | 8082 | ❌ |
| create_cluster_manager | Whether to create the Upwind Cluster Manager | bool | true | ❌ |
| image_cluster_manager | Cluster manager image configuration | object({ registry = string, repository = string, tag = string }) | See module defaults | ❌ |
| cluster_manager_extra_env | Additional environment variables for cluster manager | map(string) | {} | ❌ |
| cluster_manager_external_ingress | Whether to enable external ingress for the cluster manager | bool | false | ❌ |
| infrastructure_subnet_id | Subnet ID for VNet integration. Subnet must have /23 CIDR and be delegated to Microsoft.App/environments | string | null | ❌ |
| internal_load_balancer_enabled | Enable internal load balancer (no public endpoint). Requires infrastructure_subnet_id | bool | false | ❌ |
| create_private_dns_zone | Create private DNS zone for App Service connectivity. Requires infrastructure_subnet_id | bool | false | ❌ |
| log_analytics_workspace_id | Log Analytics workspace ID for monitoring | string | null | ❌ |
| enable_diagnostic_settings | Enable diagnostic settings | bool | true | ❌ |
| create_acr_cache | Create an Azure Container Registry with pull-through cache for ECR public images | bool | true | ❌ |
| acr_name | Name for the Azure Container Registry. Must be globally unique, 5-50 characters, alphanumeric only | string | null | ❌ |
| acr_id | The ID of an existing Azure Container Registry to use. Set create_acr_cache = false when using this | string | null | ❌ |
| existing_acr_login_server | The login server URL of an existing ACR. Required when acr_id is provided | string | null | ❌ |
| existing_acr_pull_identity_id | The ID of an existing managed identity with AcrPull role. Required when acr_id is provided | string | null | ❌ |
Outputs
| Name | Description |
|---|---|
| cluster_manager_fqdn | The FQDN of the cluster manager container app |
| cluster_manager_url | The full URL of the cluster manager |
| key_vault_id | The ID of the Key Vault used for secrets |