App Config enhancements

.github/workflows/standalone-scenarios.json

@@ -2,6 +2,7 @@
   "config_files": [
     "app_config/100-simple",
     "app_config/101-private-link",
+    "app_config/102-dynamic-settings",
     "app_insights/100-all-attributes",
     "app_insights/100-simple",
     "app_insights/102-workspace-based-central-logs",

app_config.tf

@@ -6,9 +6,12 @@ module "app_config" {
   client_config       = local.client_config
   combined_objects    = local.dynamic_app_config_combined_objects
   global_settings     = local.global_settings
+  managed_identities  = local.combined_objects_managed_identities
+  keyvaults           = local.combined_objects_keyvaults
   settings            = each.value
   vnets               = local.combined_objects_networking
   private_dns         = local.combined_objects_private_dns
+  resource_groups     = local.combined_objects_resource_groups
   base_tags           = local.global_settings.inherit_tags
   resource_group      = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]
   resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null
@@ -17,4 +20,4 @@ module "app_config" {
 
 output "app_config" {
   value = module.app_config
-}
+}

examples/app_config/102-dynamic-settings/configuration.tfvars

@@ -0,0 +1,112 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "westus"
+  }
+}
+
+provider_azurerm_features_template_deployment = {
+  delete_nested_items_during_deletion = true
+}
+
+resource_groups = {
+  rg1 = {
+    name   = "rg1"
+    region = "region1"
+  }
+}
+
+managed_identities = {
+  appconf1 = {
+    name               = "appconf1"
+    resource_group_key = "rg1"
+  }
+}
+
+keyvaults = {
+  kv1 = {
+    name               = "bbaee456fe3e"
+    resource_group_key = "rg1"
+    sku_name           = "standard"
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+  }
+}
+
+keyvault_access_policies = {
+  kv1 = {
+    appconf1 = {
+      managed_identity_key = "appconf1"
+      secret_permissions   = ["Get"]
+    }
+  }
+}
+
+dynamic_keyvault_secrets = {
+  kv1 = {
+    admin-username = {
+      secret_name = "admin-username"
+      value       = "administrator"
+    }
+    admin-password = {
+      secret_name = "admin-password"
+      value       = "dynamic"
+      config = {
+        length           = 25
+        special          = true
+        override_special = "_!@"
+      }
+    }
+  }
+}
+
+app_config = {
+  appconf1 = {
+    name               = "56bddacc03bd"
+    resource_group_key = "rg1"
+    location           = "region1"
+    tags = {
+      project = "sales"
+    }
+
+    identity = {
+      type                 = "UserAssigned"
+      managed_identity_key = "appconf1"
+    }
+
+    # the "App Configuration Data Owner" role must be set before trying to create any key
+    # settings = {
+    #   admin-password = {
+    #     key = "admin-password"
+    #     vault_key = {
+    #       keyvault = {
+    #         key = "kv1"
+    #       }
+    #       secret_name = "admin-password"
+    #     }
+    #     label = "credential"
+    #   }
+    # }
+  }
+}
+
+role_mapping = {
+  built_in_role_mapping = {
+    app_config = {
+      appconf1 = {
+        # this role is needed to be able to create config key inside the App Config
+        "App Configuration Data Owner" = {
+          logged_in = {
+            keys = [
+              "app",
+              "user"
+            ]
+          }
+        }
+      }
+    }
+  }
+}

modules/databases/app_config/app_config.tf

@@ -24,7 +24,8 @@ resource "azurerm_app_configuration" "config" {
     for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
 
     content {
-      type = var.settings.identity.type
+      type         = var.settings.identity.type
+      identity_ids = lower(var.settings.identity.type) == "userassigned" ? can(var.settings.identity.user_assigned_identity_id) ? [var.settings.identity.user_assigned_identity_id] : [var.managed_identities[try(var.settings.identity.lz_key, var.client_config.landingzone_key)][var.settings.identity.managed_identity_key].id] : null
     }
   }
 }

modules/databases/app_config/dynamic_settings.tf

@@ -3,9 +3,10 @@ module "compute_instance" {
   depends_on = [azurerm_app_configuration.config]
 
   resource_group_name = local.resource_group_name
-  key_names           = keys(local.config_settings)
-  key_values          = values(local.config_settings)
-  config_name         = azurecaf_name.app_config.result
+  config_settings     = local.config_settings
+  keyvaults           = var.keyvaults
+  app_config_id       = azurerm_app_configuration.config.id
   tags                = local.tags
   global_settings     = var.global_settings
-}
+  client_config       = var.client_config
+}

modules/databases/app_config/output.tf

@@ -16,4 +16,24 @@ output "identity" {
 output "rbac_id" {
   value       = try(azurerm_app_configuration.config.identity[0].principal_id, null)
   description = "The rbac_id of the App Config for role assignments."
-}
+}
+
+output "primary_read_key_connection_string" {
+  value       = try(azurerm_app_configuration.config.primary_read_key[0].connection_string, null)
+  description = "The Connection String for the primary read access key - comprising of the Endpoint, ID and Secret."
+}
+
+output "primary_write_key_connection_string" {
+  value       = try(azurerm_app_configuration.config.primary_write_key[0].connection_string, null)
+  description = "The Connection String for the primary write access key - comprising of the Endpoint, ID and Secret."
+}
+
+output "secondary_read_key_connection_string" {
+  value       = try(azurerm_app_configuration.config.secondary_read_key[0].connection_string, null)
+  description = "The Connection String for the secondary read access key - comprising of the Endpoint, ID and Secret."
+}
+
+output "secondary_write_key_connection_string" {
+  value       = try(azurerm_app_configuration.config.secondary_write_key[0].connection_string, null)
+  description = "The Connection String for the secondary write access key - comprising of the Endpoint, ID and Secret."
+}

modules/databases/app_config/private_endpoints.tf

@@ -8,8 +8,8 @@ module "private_endpoint" {
 
   resource_id         = azurerm_app_configuration.config.id
   name                = each.value.name
-  location            = local.location
-  resource_group_name = local.resource_group_name
+  location            = try(var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].location, local.location)
+  resource_group_name = try(var.resource_groups[try(each.value.resource_group.lz_key, var.client_config.landingzone_key)][try(each.value.resource_group.key, each.value.resource_group_key)].name, local.resource_group_name)
   subnet_id           = can(each.value.subnet_id) ? each.value.subnet_id : var.vnets[try(each.value.lz_key, var.client_config.landingzone_key)][each.value.vnet_key].subnets[each.value.subnet_key].id
   settings            = each.value
   global_settings     = var.global_settings

modules/databases/app_config/settings/app_config_setting.tf

@@ -1,28 +1,21 @@
-resource "azurecaf_name" "settings" {
-  name          = format("app-config-%s", var.config_name)
-  resource_type = "azurerm_template_deployment"
-  prefixes      = var.global_settings.prefixes
-  random_length = var.global_settings.random_length
-  clean_input   = true
-  passthrough   = var.global_settings.passthrough
-  use_slug      = var.global_settings.use_slug
+locals {
+  app_config_id = join("/", concat(
+    [""],
+    slice(split("/", var.app_config_id), 1, 4),
+    [lower(split("/", var.app_config_id)[4])],
+    slice(split("/", var.app_config_id), 5, 8),
+    [lower(split("/", var.app_config_id)[8])]
+  ))
 }
 
-# create app config settings
-resource "azurerm_resource_group_template_deployment" "settings" {
-  name                = "settings"
-  resource_group_name = var.resource_group_name
+resource "azurerm_app_configuration_key" "config" {
+  for_each = var.config_settings
 
-  template_content = file(local.arm_filename)
-
-  parameters_content = jsonencode(local.parameters_content)
-
-  deployment_mode = "Incremental"
-
-  timeouts {
-    create = "1h"
-    update = "1h"
-    delete = "1h"
-    read   = "5m"
-  }
-}
+  configuration_store_id = local.app_config_id
+  key                    = each.value.key
+  label                  = try(each.value.label, null)
+  # if value is a keyvault reference, set the correct type, set value to null and set vault_key_reference
+  type                = try(each.value.vault_key, null) == null ? "kv" : "vault"
+  value               = try(each.value.vault_key, null) == null ? each.value.value : null
+  vault_key_reference = try(each.value.vault_key, null) == null ? null : "${var.keyvaults[try(each.value.vault_key.keyvault.lz_key, var.client_config.landingzone_key)][each.value.vault_key.keyvault.key].vault_uri}secrets/${each.value.vault_key.secret_name}"
+}

modules/databases/app_config/settings/variables.tf

@@ -12,17 +12,11 @@ variable "tags" {
   type        = map(any)
 }
 
-variable "key_values" {
-  type        = list(string)
-  description = "App Config Setting Values List"
-}
-
-variable "key_names" {
-  type        = list(string)
-  description = "App Config Setting Key Names"
+variable "app_config_id" {
+  type        = string
+  description = "App Config Resource Id"
 }
 
-variable "config_name" {
-  type        = string
-  description = "App Config Resource Name"
-}
+variable "client_config" {}
+variable "config_settings" {}
+variable "keyvaults" {}

modules/databases/app_config/variables.tf

@@ -28,9 +28,10 @@ variable "combined_objects" {
 }
 
 variable "client_config" {}
-variable "vnets" {
-  default = {}
-}
+variable "managed_identities" {}
+variable "keyvaults" {}
+variable "vnets" {}
+variable "resource_groups" {}
 variable "private_dns" {
   default = {}
-}
+}