The azure-native:appconfiguration:ConfigurationStore resource, part of the Pulumi Azure Native provider, provisions an Azure App Configuration store that serves as a centralized repository for application settings and feature flags. This guide focuses on three capabilities: store creation with SKU selection, Azure AD authentication enforcement, and data plane proxy configuration.
Configuration stores require an Azure resource group and subscription. The examples are intentionally small. Combine them with your own encryption keys, managed identities, and network access controls.
Create a configuration store with standard SKU
Most deployments start by provisioning a store in a specific region with the Standard SKU for centralized configuration management.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Minimal Standard-tier store. Everything not set here keeps its default:
// local (access-key) authentication stays enabled (disableLocalAuth = false)
// and purge protection stays off (enablePurgeProtection = false). No network
// restriction is configured either; add those controls before storing real settings.
const storeSku = { name: "Standard" };
const storeTags = { myTag: "myTagValue" };

const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
    resourceGroupName: "myResourceGroup",
    configStoreName: "contoso",
    location: "westus",
    sku: storeSku,
    tags: storeTags,
});
import pulumi
import pulumi_azure_native as azure_native
# Minimal Standard-tier store. Everything not set here keeps its default:
# local (access-key) authentication stays enabled (disable_local_auth=False)
# and purge protection stays off. No network restriction is configured either;
# add those controls before storing real settings.
store_sku = {"name": "Standard"}
store_tags = {"myTag": "myTagValue"}

configuration_store = azure_native.appconfiguration.ConfigurationStore(
    "configurationStore",
    resource_group_name="myResourceGroup",
    config_store_name="contoso",
    location="westus",
    sku=store_sku,
    tags=store_tags,
)
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a minimal Standard-tier App Configuration store.
//
// Everything not set here keeps its default: local (access-key) authentication
// stays enabled and purge protection stays off. No network restriction is
// configured either; add those controls before storing real settings.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		storeArgs := &appconfiguration.ConfigurationStoreArgs{
			ResourceGroupName: pulumi.String("myResourceGroup"),
			ConfigStoreName:   pulumi.String("contoso"),
			Location:          pulumi.String("westus"),
			Sku: &appconfiguration.SkuArgs{
				Name: pulumi.String("Standard"),
			},
			Tags: pulumi.StringMap{
				"myTag": pulumi.String("myTagValue"),
			},
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", storeArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Minimal Standard-tier store. Everything not set here keeps its default:
// local (access-key) authentication stays enabled (DisableLocalAuth = false)
// and purge protection stays off. No network restriction is configured either;
// add those controls before storing real settings.
return await Deployment.RunAsync(() =>
{
    var standardSku = new AzureNative.AppConfiguration.Inputs.SkuArgs
    {
        Name = "Standard",
    };

    var storeArgs = new AzureNative.AppConfiguration.ConfigurationStoreArgs
    {
        ResourceGroupName = "myResourceGroup",
        ConfigStoreName = "contoso",
        Location = "westus",
        Sku = standardSku,
        Tags =
        {
            { "myTag", "myTagValue" },
        },
    };

    var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", storeArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a minimal Standard-tier App Configuration store.
 *
 * <p>Everything not set here keeps its default: local (access-key) authentication
 * stays enabled and purge protection stays off. No network restriction is
 * configured either; add those controls before storing real settings.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the store; Pulumi registers the resource as a side effect of construction. */
    public static void stack(Context ctx) {
        final var standardSku = SkuArgs.builder()
            .name("Standard")
            .build();

        final var storeArgs = ConfigurationStoreArgs.builder()
            .resourceGroupName("myResourceGroup")
            .configStoreName("contoso")
            .location("westus")
            .sku(standardSku)
            .tags(Map.of("myTag", "myTagValue"))
            .build();

        var configurationStore = new ConfigurationStore("configurationStore", storeArgs);
    }
}
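# Minimal Standard-tier store. Everything not set here keeps its default:
# local (access-key) authentication stays enabled (disableLocalAuth: false)
# and purge protection stays off. No network restriction is configured either;
# add those controls before storing real settings.
resources:
  configurationStore:
    type: azure-native:appconfiguration:ConfigurationStore
    properties:
      configStoreName: contoso
      location: westus
      resourceGroupName: myResourceGroup
      sku:
        name: Standard
      tags:
        myTag: myTagValue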
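The configStoreName sets a unique identifier within your resource group. The location determines the Azure region where the store is deployed. The sku property with name set to “Standard” provisions the baseline feature set. Tags provide metadata for organization and cost tracking. Everything not set here keeps its default, so local authentication remains enabled and purge protection remains disabled; the next section and the omitted properties listed at the end of this guide cover tightening access.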
Enforce Azure AD authentication only
Security-conscious teams disable local authentication to ensure all access goes through Azure Active Directory.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// disableLocalAuth: true turns off access-key (local) authentication, so every
// data plane request must present an Azure AD (Microsoft Entra ID) token.
// Assign callers a data plane role (for example App Configuration Data Reader)
// before enabling this, or clients that still use connection strings will fail.
const storeSku = { name: "Standard" };

const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
    resourceGroupName: "myResourceGroup",
    configStoreName: "contoso",
    location: "westus",
    sku: storeSku,
    disableLocalAuth: true,
});
import pulumi
import pulumi_azure_native as azure_native
# disable_local_auth=True turns off access-key (local) authentication, so every
# data plane request must present an Azure AD (Microsoft Entra ID) token.
# Assign callers a data plane role (for example App Configuration Data Reader)
# before enabling this, or clients that still use connection strings will fail.
store_sku = {"name": "Standard"}

configuration_store = azure_native.appconfiguration.ConfigurationStore(
    "configurationStore",
    resource_group_name="myResourceGroup",
    config_store_name="contoso",
    location="westus",
    sku=store_sku,
    disable_local_auth=True,
)
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a store that accepts Azure AD (Microsoft Entra ID) tokens only.
//
// DisableLocalAuth turns off access-key (local) authentication. Assign callers a
// data plane role (for example App Configuration Data Reader) before enabling
// this, or clients that still use connection strings will fail.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		storeArgs := &appconfiguration.ConfigurationStoreArgs{
			ResourceGroupName: pulumi.String("myResourceGroup"),
			ConfigStoreName:   pulumi.String("contoso"),
			Location:          pulumi.String("westus"),
			Sku: &appconfiguration.SkuArgs{
				Name: pulumi.String("Standard"),
			},
			DisableLocalAuth: pulumi.Bool(true),
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", storeArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// DisableLocalAuth = true turns off access-key (local) authentication, so every
// data plane request must present an Azure AD (Microsoft Entra ID) token.
// Assign callers a data plane role (for example App Configuration Data Reader)
// before enabling this, or clients that still use connection strings will fail.
return await Deployment.RunAsync(() =>
{
    var standardSku = new AzureNative.AppConfiguration.Inputs.SkuArgs
    {
        Name = "Standard",
    };

    var storeArgs = new AzureNative.AppConfiguration.ConfigurationStoreArgs
    {
        ResourceGroupName = "myResourceGroup",
        ConfigStoreName = "contoso",
        Location = "westus",
        Sku = standardSku,
        DisableLocalAuth = true,
    };

    var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", storeArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a store accepting Azure AD (Microsoft Entra ID) tokens only.
 *
 * <p>disableLocalAuth(true) turns off access-key (local) authentication. Assign callers
 * a data plane role (for example App Configuration Data Reader) before enabling this,
 * or clients that still use connection strings will fail.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the store; Pulumi registers the resource as a side effect of construction. */
    public static void stack(Context ctx) {
        final var standardSku = SkuArgs.builder()
            .name("Standard")
            .build();

        final var storeArgs = ConfigurationStoreArgs.builder()
            .resourceGroupName("myResourceGroup")
            .configStoreName("contoso")
            .location("westus")
            .sku(standardSku)
            .disableLocalAuth(true)
            .build();

        var configurationStore = new ConfigurationStore("configurationStore", storeArgs);
    }
}
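# disableLocalAuth: true turns off access-key (local) authentication, so every
# data plane request must present an Azure AD (Microsoft Entra ID) token.
# Assign callers a data plane role (for example App Configuration Data Reader)
# before enabling this, or clients that still use connection strings will fail.
resources:
  configurationStore:
    type: azure-native:appconfiguration:ConfigurationStore
    properties:
      configStoreName: contoso
      disableLocalAuth: true
      location: westus
      resourceGroupName: myResourceGroup
      sku:
        name: Standard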
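Setting disableLocalAuth to true blocks all authentication methods except Azure AD (now Microsoft Entra ID), providing centralized identity management and audit trails. Access keys and connection strings stop working, so applications must use Azure AD credentials or managed identities, each with a data plane role assigned on the store, to access it.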
Configure data plane proxy for ARM integration
Organizations using private endpoints configure data plane proxy settings to control how Azure Resource Manager routes traffic.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Pass-through: ARM forwards the caller's identity to App Configuration instead
// of using the store's access keys, so callers need data plane role assignments
// as well as ARM permissions.
// privateLinkDelegation Enabled lets ARM private link traffic reach the store's
// data plane. It does not close public network access by itself;
// publicNetworkAccess and private endpoints are configured separately.
const armProxy = {
    authenticationMode: azure_native.appconfiguration.AuthenticationMode.Pass_through,
    privateLinkDelegation: azure_native.appconfiguration.PrivateLinkDelegation.Enabled,
};
const storeSku = { name: "Standard" };

const configurationStore = new azure_native.appconfiguration.ConfigurationStore("configurationStore", {
    resourceGroupName: "myResourceGroup",
    configStoreName: "contoso",
    location: "westus",
    sku: storeSku,
    dataPlaneProxy: armProxy,
});
import pulumi
import pulumi_azure_native as azure_native
# Pass-through: ARM forwards the caller's identity to App Configuration instead
# of using the store's access keys, so callers need data plane role assignments
# as well as ARM permissions.
# private_link_delegation ENABLED lets ARM private link traffic reach the store's
# data plane. It does not close public network access by itself;
# public network access and private endpoints are configured separately.
arm_proxy = {
    "authentication_mode": azure_native.appconfiguration.AuthenticationMode.PASS_THROUGH,
    "private_link_delegation": azure_native.appconfiguration.PrivateLinkDelegation.ENABLED,
}
store_sku = {"name": "Standard"}

configuration_store = azure_native.appconfiguration.ConfigurationStore(
    "configurationStore",
    resource_group_name="myResourceGroup",
    config_store_name="contoso",
    location="westus",
    sku=store_sku,
    data_plane_proxy=arm_proxy,
)
package main
import (
appconfiguration "github.com/pulumi/pulumi-azure-native-sdk/appconfiguration/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main provisions a store with data plane proxy settings for Azure Resource Manager.
//
// Pass-through: ARM forwards the caller's identity to App Configuration instead
// of using the store's access keys, so callers need data plane role assignments
// as well as ARM permissions. PrivateLinkDelegation Enabled lets ARM private link
// traffic reach the store's data plane; it does not close public network access
// by itself, which is configured separately.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		armProxy := &appconfiguration.DataPlaneProxyPropertiesArgs{
			AuthenticationMode:    pulumi.String(appconfiguration.AuthenticationMode_Pass_Through),
			PrivateLinkDelegation: pulumi.String(appconfiguration.PrivateLinkDelegationEnabled),
		}

		storeArgs := &appconfiguration.ConfigurationStoreArgs{
			ResourceGroupName: pulumi.String("myResourceGroup"),
			ConfigStoreName:   pulumi.String("contoso"),
			Location:          pulumi.String("westus"),
			Sku: &appconfiguration.SkuArgs{
				Name: pulumi.String("Standard"),
			},
			DataPlaneProxy: armProxy,
		}

		// The resource handle is not used afterwards; only the error matters.
		_, err := appconfiguration.NewConfigurationStore(ctx, "configurationStore", storeArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Pass-through: ARM forwards the caller's identity to App Configuration instead
// of using the store's access keys, so callers need data plane role assignments
// as well as ARM permissions.
// PrivateLinkDelegation Enabled lets ARM private link traffic reach the store's
// data plane. It does not close public network access by itself;
// public network access and private endpoints are configured separately.
return await Deployment.RunAsync(() =>
{
    var armProxy = new AzureNative.AppConfiguration.Inputs.DataPlaneProxyPropertiesArgs
    {
        AuthenticationMode = AzureNative.AppConfiguration.AuthenticationMode.Pass_through,
        PrivateLinkDelegation = AzureNative.AppConfiguration.PrivateLinkDelegation.Enabled,
    };

    var standardSku = new AzureNative.AppConfiguration.Inputs.SkuArgs
    {
        Name = "Standard",
    };

    var storeArgs = new AzureNative.AppConfiguration.ConfigurationStoreArgs
    {
        ResourceGroupName = "myResourceGroup",
        ConfigStoreName = "contoso",
        Location = "westus",
        Sku = standardSku,
        DataPlaneProxy = armProxy,
    };

    var configurationStore = new AzureNative.AppConfiguration.ConfigurationStore("configurationStore", storeArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.appconfiguration.ConfigurationStore;
import com.pulumi.azurenative.appconfiguration.ConfigurationStoreArgs;
import com.pulumi.azurenative.appconfiguration.inputs.DataPlaneProxyPropertiesArgs;
import com.pulumi.azurenative.appconfiguration.inputs.SkuArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that provisions a store with data plane proxy settings for
 * Azure Resource Manager (ARM).
 *
 * <p>"Pass-through" makes ARM forward the caller's identity to App Configuration
 * instead of using the store's access keys, so callers need data plane role
 * assignments as well as ARM permissions. privateLinkDelegation "Enabled" lets
 * ARM private link traffic reach the store's data plane; it does not close public
 * network access by itself, which is configured separately.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the store; Pulumi registers the resource as a side effect of construction. */
    public static void stack(Context ctx) {
        final var armProxy = DataPlaneProxyPropertiesArgs.builder()
            .authenticationMode("Pass-through")
            .privateLinkDelegation("Enabled")
            .build();

        final var standardSku = SkuArgs.builder()
            .name("Standard")
            .build();

        final var storeArgs = ConfigurationStoreArgs.builder()
            .resourceGroupName("myResourceGroup")
            .configStoreName("contoso")
            .location("westus")
            .sku(standardSku)
            .dataPlaneProxy(armProxy)
            .build();

        var configurationStore = new ConfigurationStore("configurationStore", storeArgs);
    }
}
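# Pass-through: ARM forwards the caller's identity to App Configuration instead
# of using the store's access keys, so callers need data plane role assignments
# as well as ARM permissions.
# privateLinkDelegation Enabled lets ARM private link traffic reach the store's
# data plane. It does not close public network access by itself;
# publicNetworkAccess and private endpoints are configured separately.
resources:
  configurationStore:
    type: azure-native:appconfiguration:ConfigurationStore
    properties:
      configStoreName: contoso
      dataPlaneProxy:
        authenticationMode: Pass-through
        privateLinkDelegation: Enabled
      location: westus
      resourceGroupName: myResourceGroup
      sku:
        name: Standard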
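The dataPlaneProxy property controls how Azure Resource Manager (ARM) reaches the store's data plane. Setting authenticationMode to “Pass-through” forwards the caller's identity to the backend service, so the caller needs data plane permissions on the store in addition to ARM permissions. The privateLinkDelegation property set to “Enabled” allows ARM to delegate private link connections to the configuration store; it does not restrict public network access on its own, which is controlled separately through publicNetworkAccess.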
Beyond these examples
These snippets focus on specific configuration store features: store provisioning and SKU selection, authentication controls, and data plane proxy configuration. They’re intentionally minimal rather than full configuration management solutions.
The examples require pre-existing infrastructure such as an Azure resource group and subscription. They focus on store configuration rather than provisioning the surrounding infrastructure.
To keep things focused, common store patterns are omitted, including:
- Customer-managed encryption keys (encryption property)
- Managed identity configuration (identity property)
- Public network access controls (publicNetworkAccess)
- Soft delete retention settings (softDeleteRetentionInDays)
- Private endpoint connections
These omissions are intentional: the goal is to illustrate how each store feature is wired, not provide drop-in configuration modules. See the App Configuration ConfigurationStore resource reference for all available configuration options.
Frequently Asked Questions
Lifecycle & Immutability
The location, configStoreName, createMode, and resourceGroupName properties are immutable and will force resource replacement if modified.
To import an existing store, use the pulumi import command with the resource type, name, and Azure resource ID: pulumi import azure-native:appconfiguration:ConfigurationStore contoso /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AppConfiguration/configurationStores/{configStoreName}
Authentication & Security
Set disableLocalAuth to true when creating the configuration store. This disables all authentication methods other than Azure AD.
Use the dataPlaneProxy property with authenticationMode (e.g., Pass-through) and privateLinkDelegation (e.g., Enabled) to configure data plane proxy for Azure Resource Manager.
Configuration & Defaults
Specify configStoreName, location, resourceGroupName, and sku (with name set to a value like Standard). You can optionally add tags for resource organization.
By default, disableLocalAuth is false (local auth enabled), enablePurgeProtection is false (purge protection disabled), and softDeleteRetentionInDays is 7 days.
To target a specific API version, run pulumi package add azure-native appconfiguration [ApiVersion].