diff --git a/.gitignore b/.gitignore
index 6f9d4af..2c4c1ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@
 .terraform.lock.hcl
 .acr-pat
 azure.env
+*.tfvars
+!*auto.tfvars
diff --git a/main.tf b/main.tf
index 381d201..7021506 100644
--- a/main.tf
+++ b/main.tf
@@ -22,6 +22,24 @@ variable "subscription_id" {
   type        = string
 }
 
+variable "azure_client_id" {
+  description = "The Azure Client ID for authentication."
+  type        = string
+
+}
+
+variable "azure_tenant_id" {
+  description = "The Azure Tenant ID for authentication."
+  type        = string
+
+}
+
+variable "azure_client_secret" {
+  description = "The Azure Client Secret for authentication."
+  type        = string
+  sensitive   = true
+}
+
 variable "project_name" {
   description = "The name used to construct Azure resource names."
   type        = string
@@ -46,10 +64,16 @@ resource "azurerm_container_app_environment" "env" {
   location                   = azurerm_resource_group.rg.location
   log_analytics_workspace_id = azurerm_log_analytics_workspace.logaws.id
 
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.uai.id]
+  }
+
   workload_profile {
+    maximum_count         = 1
+    minimum_count         = 1
     name                  = "Consumption"
     workload_profile_type = "Consumption"
-    maximum_count         = 1
   }
 }
 
@@ -61,12 +85,53 @@ resource "azurerm_container_app" "app" {
 
   template {
     container {
-      name   = "${var.project_name}-container"
+      name   = "azure-image-chooser"
       image  = "skdomlab.azurecr.io/azure-image-chooser:latest"
       cpu    = "0.25"
       memory = "0.5Gi"
+
+      env {
+        name  = "AZURE_CLIENT_ID"
+        value = var.azure_client_id
+      }
+
+      env {
+        name  = "AZURE_TENANT_ID"
+        value = var.azure_tenant_id
+      }
+
+      env {
+        name  = "AZURE_CLIENT_SECRET"
+        value = var.azure_client_secret
+      }
+
+      env {
+        name  = "AZURE_SUBSCRIPTION_ID"
+        value = var.subscription_id
+      }
+    }
+
+    min_replicas = 1
+    max_replicas = 1
+  }
+
+  workload_profile_name = "Consumption"
+
+  ingress {
+    target_port      = 8501
+    external_enabled = true
+
+    traffic_weight {
+      latest_revision = true
+      percentage      = 100
     }
   }
+
+  registry {
+    server   = "skdomlab.azurecr.io"
+    identity = azurerm_user_assigned_identity.uai.id
+  }
+
   identity {
     type         = "UserAssigned"
     identity_ids = [azurerm_user_assigned_identity.uai.id]