Add secrets and env

Expecho · Dec 11, 2024 · 9651d96 · 9651d96
1 parent 5bc9004
commit 9651d96
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/bicep/deploy.bicep b/bicep/deploy.bicep
@@ -3,17 +3,17 @@ param location string = resourceGroup().location
 param workloadProfileType string = 'consumption'
 param workloadProfileName string = 'Consumption'
 
-param cappName string = 'policyinitativebuilder'
+param cappName string = 'policyinitiativebuilder'
 param cappConsumptionCpu string = '0.5'
 param cappConsumptionMemory string = '1'
 param cappImageName string = 'containerregistryexpecho.azurecr.io/policyinitiativebuilder:latest'
 param cappImageServer string = 'containerregistryexpecho.azurecr.io'
 
-param vnnetName string = 'vnet-policyinitativebuilder'
-param subnetName string = 'subnet-policyinitativebuilder'
+param vnnetName string = 'vnet-policyinitiativebuilder'
+param subnetName string = 'subnet-policyinitiativebuilder'
 
-param appInsightsName string = 'policyinitativebuilder-insights'
-param laWorkspaceName string = 'policyinitativebuilderlogwsexpecho'
+param appInsightsName string = 'policyinitiativebuilder-insights'
+param laWorkspaceName string = 'policyinitiativebuilderlogwsexpecho'
 
 resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
   name: vnnetName
@@ -88,6 +88,7 @@ resource laWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' ={
   }
 }
 
+var keyVaultSecretUrl = 'https://keyvaultexpecho${environment().suffixes.keyvaultDns}/secrets/policyinitiativebuilder-clientsecret/91919b737b6545fda6c32f9bb256eb25'
 resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: cappName
   location: location
@@ -99,6 +100,13 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   }
   properties: {
     configuration: {
+      secrets: [
+        {
+          name: 'clientsecret'
+          keyVaultUrl: keyVaultSecretUrl
+          identity: uai.id
+        }
+      ]
       activeRevisionsMode: 'single'
       ingress: {
         allowInsecure: false
@@ -122,6 +130,16 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
             cpu: json('${cappConsumptionCpu}')
             memory: '${cappConsumptionMemory}Gi'
           }
+          env: [
+            {
+              name: 'AzureMonitor__ConnectionString'
+              value: appInsights.properties.ConnectionString
+            }
+            {
+              name: 'AzureAd__ClientSecret'
+              secretRef: 'clientsecret' 
+            }
+          ]
         }
       ]
       scale: {

diff --git a/bicep/roleassignment.bicep b/bicep/roleassignment.bicep
@@ -2,8 +2,9 @@ param userAssignedIdentityId string
 param userAssignedIdentityName string
 
 var acrPullRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+var keyVaultSecretUserRoleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
 
-resource myAcrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' ={
+resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' ={
   scope: resourceGroup()
   name: guid(resourceGroup().id, userAssignedIdentityName, acrPullRoleDefinitionId)
   properties:{
@@ -13,3 +14,13 @@ resource myAcrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-0
     principalType: 'ServicePrincipal'
   }
 }
+
+resource keyVaultSecretUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: resourceGroup()
+  name: guid(resourceGroup().id, userAssignedIdentityName, keyVaultSecretUserRoleDefinitionId)
+  properties: {
+    roleDefinitionId: keyVaultSecretUserRoleDefinitionId
+    principalId: userAssignedIdentityId
+    principalType: 'ServicePrincipal'
+  }
+}