koszewscy/azure-image-chooser
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enabled KV RBAC. Added dependencies between resources. Fixed lack of identitfy for the app.

Browse Source
This commit is contained in:
Sławek Koszewski
2025-08-15 15:53:06 +02:00
parent 319410fbcc
commit a75743e4e0
1 changed files with 35 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
terraform/main.tf
View File

@@ -4,6 +4,11 @@ terraform {
source = "hashicorp/azurerm" source = "hashicorp/azurerm"
version = ">= 4.0.0" version = ">= 4.0.0"
} }
azuread = {
source = "hashicorp/azuread"
version = ">= 3.0.0"
}
} }
backend "local" { backend "local" {
@@ -19,6 +24,10 @@ provider "azurerm" {
data "azurerm_client_config" "current" {} data "azurerm_client_config" "current" {}
data "azuread_user" "az_lab_admin" {
user_principal_name = "az-lab-admin@lab.koszewscy.waw.pl"
}
locals { locals {
kv_secret_name = "azure-client-secret" kv_secret_name = "azure-client-secret"
} }
@@ -37,11 +46,12 @@ resource "azurerm_log_analytics_workspace" "logaws" {
} }
resource "azurerm_key_vault" "kv" { resource "azurerm_key_vault" "kv" {
name = "${var.project_name}-kv" name = "${var.project_name}-kv"
location = azurerm_resource_group.rg.location location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name resource_group_name = azurerm_resource_group.rg.name
sku_name = "standard" sku_name = "standard"
tenant_id = data.azurerm_client_config.current.tenant_id tenant_id = data.azurerm_client_config.current.tenant_id
enable_rbac_authorization = true
} }
resource "azurerm_role_assignment" "app_assignment" { resource "azurerm_role_assignment" "app_assignment" {
@@ -50,10 +60,18 @@ resource "azurerm_role_assignment" "app_assignment" {
role_definition_name = "Key Vault Secrets User" role_definition_name = "Key Vault Secrets User"
} }
resource "azurerm_role_assignment" "az_lab_admin_assignment" {
scope = azurerm_key_vault.kv.id
principal_id = data.azuread_user.az_lab_admin.object_id
role_definition_name = "Key Vault Secrets Officer"
}
resource "azurerm_key_vault_secret" "azure_client_secret" { resource "azurerm_key_vault_secret" "azure_client_secret" {
key_vault_id = azurerm_key_vault.kv.id key_vault_id = azurerm_key_vault.kv.id
name = local.kv_secret_name name = local.kv_secret_name
value = var.azure_client_secret value = var.azure_client_secret
depends_on = [azurerm_role_assignment.az_lab_admin_assignment]
} }
resource "azurerm_container_app_environment" "env" { resource "azurerm_container_app_environment" "env" {
@@ -94,7 +112,7 @@ resource "azurerm_container_app" "app" {
env { env {
name = "AZURE_CLIENT_SECRET" name = "AZURE_CLIENT_SECRET"
secret_name = "azure_client_secret" secret_name = local.kv_secret_name
} }
env { env {
@@ -102,13 +120,8 @@ resource "azurerm_container_app" "app" {
value = var.subscription_id value = var.subscription_id
} }
} }
min_replicas = 1
max_replicas = 1
} }
workload_profile_name = "Consumption"
ingress { ingress {
target_port = 8501 target_port = 8501
external_enabled = true external_enabled = true
@@ -119,10 +132,21 @@ resource "azurerm_container_app" "app" {
} }
} }
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.uai.id]
}
registry { registry {
server = "skdomlab.azurecr.io" server = "skdomlab.azurecr.io"
identity = azurerm_user_assigned_identity.uai.id identity = azurerm_user_assigned_identity.uai.id
} }
depends_on = [
azurerm_key_vault.kv,
azurerm_key_vault_secret.azure_client_secret,
azurerm_role_assignment.app_assignment
]
} }
resource "azurerm_user_assigned_identity" "uai" { resource "azurerm_user_assigned_identity" "uai" {