Enabled KV RBAC. Added dependencies between resources. Fixed lack of identitfy for the app.

Fixed to restrictive ignore.
2025-08-15 15:53:06 +02:00 · 2025-08-15 15:52:06 +02:00
2 changed files with 36 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 # Terraform
 **/.terraform
-**/*.tfplan
+**/*tfplan
 **/*.tfstate*
 **/*.tfvars
 **/!*auto.tfvars
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -4,6 +4,11 @@ terraform {
      source  = "hashicorp/azurerm"
      version = ">= 4.0.0"
    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = ">= 3.0.0"
+    }
  }

  backend "local" {
@@ -19,6 +24,10 @@ provider "azurerm" {

 data "azurerm_client_config" "current" {}

+data "azuread_user" "az_lab_admin" {
+  user_principal_name = "az-lab-admin@lab.koszewscy.waw.pl"
+}
+
 locals {
  kv_secret_name = "azure-client-secret"
 }
@@ -42,6 +51,7 @@ resource "azurerm_key_vault" "kv" {
  resource_group_name       = azurerm_resource_group.rg.name
  sku_name                  = "standard"
  tenant_id                 = data.azurerm_client_config.current.tenant_id
+  enable_rbac_authorization = true
 }

 resource "azurerm_role_assignment" "app_assignment" {
@@ -50,10 +60,18 @@ resource "azurerm_role_assignment" "app_assignment" {
  role_definition_name = "Key Vault Secrets User"
 }

+resource "azurerm_role_assignment" "az_lab_admin_assignment" {
+  scope                = azurerm_key_vault.kv.id
+  principal_id         = data.azuread_user.az_lab_admin.object_id
+  role_definition_name = "Key Vault Secrets Officer"
+}
+
 resource "azurerm_key_vault_secret" "azure_client_secret" {
  key_vault_id = azurerm_key_vault.kv.id
  name         = local.kv_secret_name
  value        = var.azure_client_secret
+
+  depends_on = [azurerm_role_assignment.az_lab_admin_assignment]
 }

 resource "azurerm_container_app_environment" "env" {
@@ -94,7 +112,7 @@ resource "azurerm_container_app" "app" {

      env {
        name        = "AZURE_CLIENT_SECRET"
-        secret_name = "azure_client_secret"
+        secret_name = local.kv_secret_name
      }

      env {
@@ -102,13 +120,8 @@ resource "azurerm_container_app" "app" {
        value = var.subscription_id
      }
    }
-
-    min_replicas = 1
-    max_replicas = 1
  }

-  workload_profile_name = "Consumption"
-
  ingress {
    target_port      = 8501
    external_enabled = true
@@ -119,10 +132,21 @@ resource "azurerm_container_app" "app" {
    }
  }

+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.uai.id]
+  }
+
  registry {
    server   = "skdomlab.azurecr.io"
    identity = azurerm_user_assigned_identity.uai.id
  }
+
+  depends_on = [
+    azurerm_key_vault.kv,
+    azurerm_key_vault_secret.azure_client_secret,
+    azurerm_role_assignment.app_assignment
+  ]
 }

 resource "azurerm_user_assigned_identity" "uai" {
Author	SHA1	Message	Date
Slawek Koszewski	a75743e4e0	Enabled KV RBAC. Added dependencies between resources. Fixed lack of identitfy for the app.	2025-08-15 15:53:06 +02:00
Slawek Koszewski	319410fbcc	Fixed to restrictive ignore.	2025-08-15 15:52:06 +02:00