Merge pull request #9 from Azure-Samples/secure-secrets

Make sure all secrets are secure
Azure-Samples · Mar 25, 2024 · 2a6cbb5 · 2a6cbb5
2 parents f799342 + 105148f
commit 2a6cbb5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 17 deletions.
diff --git a/infra/core/host/container-app.bicep b/infra/core/host/container-app.bicep
@@ -3,7 +3,9 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param containerEnvId string
-param secrets array = []
+@secure()
+param secrets object
+
 param env array = []
 param imageName string
 param targetPort int = 80
@@ -23,7 +25,10 @@ resource containerApp 'Microsoft.App/containerapps@2022-03-01' = {
         external: true
         targetPort: targetPort
       }
-      secrets: secrets
+      secrets: [for secret in items(secrets): {
+        name: secret.key
+        value: secret.value
+      }]
     }
     template: {
       containers: [

diff --git a/infra/main.bicep b/infra/main.bicep
@@ -150,7 +150,7 @@ module containerApp 'core/host/container-app.bicep' = {
       }
       {
         name: 'AUTH_AZURE_AD_CLIENT_SECRET'
-        value: authClientSecret
+        secretRef: 'authclientsecret'
       }
       {
         name: 'AUTH_AZURE_AD_TENANT_ID'
@@ -161,20 +161,12 @@ module containerApp 'core/host/container-app.bicep' = {
         value: useAuthentication ? 'true' : 'false'
       }
     ]
-    secrets: [
-      {
-        name: 'databasepassword'
-        value: databasePassword
-      }
-      {
-        name: 'nextauthsecret'
-        value: nextAuthSecret
-      }
-      {
-        name: 'salt'
-        value: salt
-      }
-    ]
+    secrets: {
+      'databasepassword': databasePassword
+      'nextauthsecret': nextAuthSecret
+      'salt': salt
+      'authclientsecret': authClientSecret
+    }
   }
 }