diff --git a/infra/modules/providers/azure/keyvault-secret/README.md b/infra/modules/providers/azure/keyvault-secret/README.md
index 119d811..a5949bf 100644
--- a/infra/modules/providers/azure/keyvault-secret/README.md
+++ b/infra/modules/providers/azure/keyvault-secret/README.md
@@ -21,6 +21,12 @@ module "keyvault-secret" { keyvault_id = kv_id secrets = secrets } + +data "key-vault-secret-output" { + depends_on = [keyvault-secret] + name = keys(local.secrets)[0] + key_vault_id = kv_id +} ``` ## Variables Reference
@@ -34,5 +40,4 @@ The following variables are used: The following attributes are exported: -- `keyvault_secret_ids`: The id of the Key Vault secret. -- `keyvault_secret_versions`: The version of the Key Vault secret. +- `keyvault_secret_attributes`: The properties of a Key Vault secret.
diff --git a/infra/modules/providers/azure/keyvault-secret/main.tf b/infra/modules/providers/azure/keyvault-secret/main.tf
index 30d3855..e9aff22 100644
--- a/infra/modules/providers/azure/keyvault-secret/main.tf
+++ b/infra/modules/providers/azure/keyvault-secret/main.tf
@@ -8,3 +8,10 @@ resource "azurerm_key_vault_secret" "secret" {
 value = var.secrets[local.secret_names[count.index]]
 key_vault_id = var.keyvault_id
 }
+
+data "azurerm_key_vault_secret" "secrets" {
+ count = length(var.secrets)
+ depends_on = [azurerm_key_vault_secret.secret]
+ name = local.secret_names[count.index]
+ key_vault_id = var.keyvault_id
+}
\ No newline at end of file
diff --git a/infra/modules/providers/azure/keyvault-secret/output.tf b/infra/modules/providers/azure/keyvault-secret/output.tf
index 35d372a..dc8e71b 100644
--- a/infra/modules/providers/azure/keyvault-secret/output.tf
+++ b/infra/modules/providers/azure/keyvault-secret/output.tf
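Review bot: The `depends_on` on the new `azurerm_key_vault_secret` data source in the main.tf hunk makes Terraform defer the read to apply time (always on the 0.12 series, and whenever the dependency has pending changes on later versions), so every attribute derived from it — including the `id` that the app service template feeds into `docker_registry_server_password` — shows as known-after-apply at plan, which turns the intended one-time workaround into a recurring diff on the app service. The ordering can be expressed without `depends_on`, because `name = local.secret_names[count.index]` does not actually reference the resource: `name = azurerm_key_vault_secret.secret[count.index].name` creates the dependency and lets the read happen at plan time once the secret exists. I cannot see the Terraform core or provider versions pinned for this module, so verify the deferral behaviour against them before changing it.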
@@ -1,9 +1,7 @@
-output "keyvault_secret_ids" {
- description = "The id of the Keyvault secret"
- value = azurerm_key_vault_secret.secret.*.id
-}
-
-output "keyvault_secret_versions" {
- description = "The version of the keyvault secret"
- value = azurerm_key_vault_secret.secret.*.version
+output "keyvault_secret_attributes" {
+ description = "The properties of a keyvault secret"
+ /*Forced to use data block and resolve output of secrets into an array
+ as a workaround to an arm provider bug that will not allow updating app
+ service settings with a keyvault version in a more direct way.*/
+ value = [for i in range(length(azurerm_key_vault_secret.secret.*.id)) : data.azurerm_key_vault_secret.secrets[i]]
 }
diff --git a/infra/templates/az-isolated-service-single-region/app.tf b/infra/templates/az-isolated-service-single-region/app.tf
index 14b2ccf..3f553fa 100644
--- a/infra/templates/az-isolated-service-single-region/app.tf
+++ b/infra/templates/az-isolated-service-single-region/app.tf
@@ -106,8 +106,3 @@ module "acr_service_principal_password" {
 keyvault_id = module.keyvault.keyvault_id
 secrets = local.acr_password
 }
-
-# data "azurerm_key_vault_secret" "acr_password" {
-# name = "acr-service-principal-password"
-# key_vault_id = module.keyvault.keyvault_id
-# }
diff --git a/infra/templates/az-isolated-service-single-region/ase.tf b/infra/templates/az-isolated-service-single-region/ase.tf
index f9330d2..7b9509b 100644
--- a/infra/templates/az-isolated-service-single-region/ase.tf
+++ b/infra/templates/az-isolated-service-single-region/ase.tf
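Review bot: `keyvault_secret_attributes` exports the entire `data.azurerm_key_vault_secret.secrets[i]` object, and that data source carries the secret plaintext in its `value` attribute, so the module output now hands every secret value to any root output or resource argument built from it, while the only consumer in this diff reads just `[0].id`. Project the output to the non-secret fields instead, e.g. `value = [for s in data.azurerm_key_vault_secret.secrets : { id = s.id, version = s.version }]`, which also drops the `range(length(...))` indirection; if the whole object is genuinely needed, at least add `sensitive = true` to the output so the CLI does not print it. The three-line comment explains why the data block exists but not which provider issue it works around; naming the issue there would let the workaround be removed once it is fixed.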
@@ -55,14 +55,15 @@ module "app_service" { service_plan_name = module.service_plan.service_plan_name service_plan_resource_group_name = azurerm_resource_group.admin_rg.name app_insights_instrumentation_key = module.app_insights.app_insights_instrumentation_key + vault_uri = module.keyvault.keyvault_uri azure_container_registry_name = module.container_registry.container_registry_name docker_registry_server_url = module.container_registry.container_registry_login_server docker_registry_server_username = module.acr_service_principal_acrpull.service_principal_application_id - docker_registry_server_password = format("@Microsoft.KeyVault(SecretUri=%s)", "module.acr_service_principal_password.keyvault_secret_ids[0]") #data.azurerm_key_vault_secret.acr_password.id) + docker_registry_server_password = format("@Microsoft.KeyVault(SecretUri=%s)", module.acr_service_principal_password.keyvault_secret_attributes[0].id) app_service_config = { for target in var.unauthn_deployment_targets : target.app_name => { - image = "${target.image_name}:${target.image_release_tag_prefix}}" + image = "${target.image_name}:${target.image_release_tag_prefix}" } } providers = {
@@ -85,6 +86,7 @@ module "authn_app_service" {
 source = "../../modules/providers/azure/app-service"
 service_plan_name = module.service_plan.service_plan_name
 service_plan_resource_group_name = azurerm_resource_group.admin_rg.name
+ vault_uri = module.keyvault.keyvault_uri
 app_insights_instrumentation_key = module.app_insights.app_insights_instrumentation_key
 azure_container_registry_name = module.container_registry.container_registry_name
 docker_registry_server_url = module.container_registry.container_registry_login_server
diff --git a/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go b/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go
index 9e6c7f5..db44e01 100644
--- a/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go
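Review bot: The new `docker_registry_server_password` line in the first ase.tf hunk passes a `@Microsoft.KeyVault(SecretUri=…)` reference, which App Service resolves only if the app's managed identity has been granted `get` on secrets in `module.keyvault`; nothing in this hunk grants that, and an unresolved reference fails silently, leaving the literal reference string as the password setting. If the access policy lives elsewhere (the new `vault_uri` argument suggests the app-service module may handle it, but that is not visible here), a comment on this line such as `# Key Vault reference; resolved via the app identity's get-secret access policy in <FILE-PLACEHOLDER>` would save the next reader a hunt. The `[0]` index also pins this to the first key of `local.acr_password`, which holds while that map has a single entry and is worth a one-line comment. Both `module "app_service"` and `module "authn_app_service"` start and end outside their hunks.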
+++ b/infra/templates/az-isolated-service-single-region/tests/unit/unit_test.go
@@ -224,7 +224,7 @@ func TestTemplate(t *testing.T) {
 TfOptions: tfOptions,
 Workspace: workspace,
 PlanAssertions: nil,
- ExpectedResourceCount: 51,
+ ExpectedResourceCount: 60,
 ExpectedResourceAttributeValues: infratests.ResourceDescription{
 "azurerm_resource_group.app_rg": expectedAppDevResourceGroup,
 "azurerm_resource_group.admin_rg": expectedAdminResourceGroup,
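Review bot: `ExpectedResourceCount` is the only assertion this commit touches, yet the bug it fixes in ase.tf — the Key Vault reference was previously the quoted literal `"module.acr_service_principal_password.keyvault_secret_ids[0]"` inside the `format` string — would have passed this test unchanged; if `infratests.ResourceDescription` can assert on the app service's `docker_registry_server_password` (or the app-settings map it lands in), add an entry expecting the `@Microsoft.KeyVault(SecretUri=` prefix so that regression is caught. A comment on the new literal, e.g. `ExpectedResourceCount: 60, // +9 azurerm_key_vault_secret data sources from the keyvault-secret module`, would also record where the extra entries come from; I am inferring that attribution from the diff, so confirm it against the plan before writing it down. `TestTemplate` starts and ends outside the hunk.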