Fixes secrets handling in app settings for ACR access (#278)

* isolate the test env from others * no dbl-quotes when expansion needed? also more settings to populate * keep the Cobalt defaults for the example vars * implement workaround for keyvault versioning in app settings * Update unit tests with expected count * Removed extra character from unauth of ase.tf
2019-09-12 10:44:07 -05:00 · 2019-09-12 10:44:07 -05:00 · e6868360c8
--- a/infra/modules/providers/azure/keyvault-secret/README.md
+++ b/infra/modules/providers/azure/keyvault-secret/README.md
@ -21,6 +21,12 @@ module "keyvault-secret" {
  keyvault_id          = kv_id
  secrets              = secrets
 }
+
+data "key-vault-secret-output" {
+  depends_on   = [keyvault-secret]
+  name         = keys(local.secrets)[0]
+  key_vault_id = kv_id
+}
 ```

 ## Variables Reference
@ -34,5 +40,4 @@ The following variables are used:

 The following attributes are exported:

- `keyvault_secret_ids`: The id of the Key Vault secret.
- `keyvault_secret_versions`: The version of the Key Vault secret.
+- `keyvault_secret_attributes`: The properties of a Key Vault secret.
--- a/infra/modules/providers/azure/keyvault-secret/main.tf
+++ b/infra/modules/providers/azure/keyvault-secret/main.tf
@ -8,3 +8,10 @@ resource "azurerm_key_vault_secret" "secret" {
  value        = var.secrets[local.secret_names[count.index]]
  key_vault_id = var.keyvault_id
 }
+
+data "azurerm_key_vault_secret" "secrets" {
+  count        = length(var.secrets)
+  depends_on   = [azurerm_key_vault_secret.secret]
+  name         = local.secret_names[count.index]
+  key_vault_id = var.keyvault_id
+}
--- a/infra/modules/providers/azure/keyvault-secret/output.tf
+++ b/infra/modules/providers/azure/keyvault-secret/output.tf
@ -1,9 +1,7 @@
-output "keyvault_secret_ids" {
-  description = "The id of the Keyvault secret"
-  value       = azurerm_key_vault_secret.secret.*.id
-}
-
-output "keyvault_secret_versions" {
-  description = "The version of the keyvault secret"
-  value       = azurerm_key_vault_secret.secret.*.version
+output "keyvault_secret_attributes" {
+  description = "The properties of a keyvault secret"
+  /*Forced to use data block and resolve output of secrets into an array 
+  as a workaround to an arm provider bug that will not allow updating app
+  service settings with a keyvault version in a more direct way.*/
+  value = [for i in range(length(azurerm_key_vault_secret.secret.*.id)) : data.azurerm_key_vault_secret.secrets[i]]
 }
--- a/infra/templates/az-isolated-service-single-region/app.tf
+++ b/infra/templates/az-isolated-service-single-region/app.tf
@ -106,8 +106,3 @@ module "acr_service_principal_password" {
  keyvault_id = module.keyvault.keyvault_id
  secrets     = local.acr_password
 }
-
-# data "azurerm_key_vault_secret" "acr_password" {
-#   name         = "acr-service-principal-password"
-#   key_vault_id = module.keyvault.keyvault_id
-# }
--- a/infra/templates/az-isolated-service-single-region/ase.tf
+++ b/infra/templates/az-isolated-service-single-region/ase.tf
@ -55,14 +55,15 @@ module "app_service" {
  service_plan_name                = module.service_plan.service_plan_name
  service_plan_resource_group_name = azurerm_resource_group.admin_rg.name
  app_insights_instrumentation_key = module.app_insights.app_insights_instrumentation_key
+  vault_uri                        = module.keyvault.keyvault_uri
  azure_container_registry_name    = module.container_registry.container_registry_name
  docker_registry_server_url       = module.container_registry.container_registry_login_server
  docker_registry_server_username  = module.acr_service_principal_acrpull.service_principal_application_id
-  docker_registry_server_password  = format("@Microsoft.KeyVault(SecretUri=%s)", "module.acr_service_principal_password.keyvault_secret_ids[0]") #data.azurerm_key_vault_secret.acr_password.id)
+  docker_registry_server_password  = format("@Microsoft.KeyVault(SecretUri=%s)", module.acr_service_principal_password.keyvault_secret_attributes[0].id)
  app_service_config = {
    for target in var.unauthn_deployment_targets :
    target.app_name => {
-      image = "${target.image_name}:${target.image_release_tag_prefix}}"
+      image = "${target.image_name}:${target.image_release_tag_prefix}"
    }
  }
  providers = {
@ -85,6 +86,7 @@ module "authn_app_service" {
  source                           = "../../modules/providers/azure/app-service"
  service_plan_name                = module.service_plan.service_plan_name
  service_plan_resource_group_name = azurerm_resource_group.admin_rg.name
+  vault_uri                        = module.keyvault.keyvault_uri
  app_insights_instrumentation_key = module.app_insights.app_insights_instrumentation_key
  azure_container_registry_name    = module.container_registry.container_registry_name
  docker_registry_server_url       = module.container_registry.container_registry_login_server
--- a/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go
+++ b/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go
@ -224,7 +224,7 @@ func TestTemplate(t *testing.T) {
 		TfOptions:             tfOptions,
 		Workspace:             workspace,
 		PlanAssertions:        nil,
-		ExpectedResourceCount: 51,
+		ExpectedResourceCount: 60,
 		ExpectedResourceAttributeValues: infratests.ResourceDescription{
 			"azurerm_resource_group.app_rg":   expectedAppDevResourceGroup,
 			"azurerm_resource_group.admin_rg": expectedAdminResourceGroup,