
I am trying to eliminate the use of connection strings in my Azure infrastructure, which is created using Terraform. I am planning to assign specific RBAC roles to resources like web apps, function apps, etc. so that they can connect to Key Vault, storage accounts, Cosmos DB, etc. How do I do the same for Application Insights? If I grant Application Insights Component Contributor to the managed identity of the app service, how do I point it to the Application Insights instance it should connect to? Is using APPINSIGHTS_INSTRUMENTATIONKEY or the connection string mandatory here? Or can I pass azurerm_application_insights.example.app_id somewhere?

Thanks in advance.

2 Answers


  1. You can get the System Managed Identity a few different ways. For your use case, when the Web App is deployed, the principal ID will be returned as output.

    If this isn’t suitable, you can get it with PowerShell or Azure CLI.

    CLI:

    az webapp identity show \
        --resource-group MyResourceGroup \
        --name MyAppService \
        --query principalId \
        --output tsv


    However, to send logs and telemetry data to App Insights, the instrumentation key must be provided in the connection string. The best workaround for this would be to use Azure KeyVault.

    Bearing in mind that this adds a bit of complexity and more security considerations to the solution, and the fact that the instrumentation key isn’t as sensitive as – for example – a database connection string, you may want to reevaluate whether this is really necessary. If you do want to go down this route, read on.

    1. Create your KeyVault
    2. Add a secret to KeyVault with the instrumentation key value
    3. Create an access policy
    4. Grant the system managed principal of your app the GET permission on secrets
    5. In the app config’s App Insights connection string, reference the KeyvaultSecret like this:

    APPLICATIONINSIGHTS_CONNECTION_STRING=@Microsoft.KeyVault(SecretUri=https://MyKeyVault.vault.azure.net/secrets/InstrumentationKey/...

    When the App Service runtime sees this in the config, it automatically fetches the secret from KeyVault using the identity of the app.

  2. The right way of securely ingesting data into Application Insights consists of a few steps:

    1. Disable local authentication for Application Insights resource (https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net#disable-local-authentication)
    2. Use the connection string; it contains the ingestion endpoint and the instrumentation key. With local auth disabled, the instrumentation key becomes just a resource identifier and not a secret. Knowing it alone is not enough to ingest data.
    3. Configure and enable Microsoft Entra ID-based authentication (https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=net#disable-local-authentication). This includes a few sub-steps:
      • Create an identity (for instance, System Managed Identity)
      • Give it Monitoring Metrics Publisher role to target Application Insights resource
      • Ensure that your app uses this identity (above link has examples for various languages)
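The three steps in this answer, wired up in Terraform with the azurerm provider, as an added example that is not code from the answer or from the asker's infrastructure. It assumes existing variables var.location, var.resource_group_name and var.service_plan_id; all resource names are placeholders.

```hcl
# Added example, not code from the answers above. Assumes existing
# variables var.location, var.resource_group_name and var.service_plan_id.
resource "azurerm_log_analytics_workspace" "example" {
  name                = "law-example"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
}

resource "azurerm_application_insights" "example" {
  name                = "appi-example"
  location            = var.location
  resource_group_name = var.resource_group_name
  workspace_id        = azurerm_log_analytics_workspace.example.id
  application_type    = "web"

  # Step 1: refuse ingestion that authenticates with the instrumentation key alone.
  local_authentication_disabled = true
}

resource "azurerm_linux_web_app" "example" {
  name                = "app-example"
  location            = var.location
  resource_group_name = var.resource_group_name
  service_plan_id     = var.service_plan_id

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    # Step 2: the connection string still carries the ingestion endpoint;
    # with local auth disabled it is an identifier, not a credential.
    "APPLICATIONINSIGHTS_CONNECTION_STRING" = azurerm_application_insights.example.connection_string
  }
}

# Step 3: the app's system-assigned identity may publish telemetry
# to this Application Insights resource only (scope = the resource id).
resource "azurerm_role_assignment" "telemetry_publisher" {
  scope                = azurerm_application_insights.example.id
  role_definition_name = "Monitoring Metrics Publisher"
  principal_id         = azurerm_linux_web_app.example.identity[0].principal_id
}
```

Terraform only provisions the resource, the identity and the role assignment; the application's Application Insights SDK must still be configured to authenticate with that managed identity (the per-language setup in the linked Microsoft documentation), otherwise ingestion is rejected once local auth is off.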