
I’m using Terraform to create the infrastructure for an Azure Container Apps based project.

I have set up Azure Key Vault and AppConfiguration with a combination of config items that reference Key Vault values, and some that are manually defined (non-sensitive).

I am trying to create an Azure Container App instance whose secrets reference the values used by AppConfiguration, but have so far been unable to find a way to do this – using the app_configuration_keys data source gives me the items but the values are just url representations, and when I try to populate the container app secrets with this, those same urls are used.

Does anyone know if it’s possible to do this? Previously, I was using Key Vault without AppConfiguration and was able to populate the secrets by passing in a reference to the key vault items in my CDKTF but I am now looking to add more environments which will have different sources of config, so AppConfiguration seems a better fit.

Any advice appreciated.

Thanks

2 Answers


  1. I am trying to create an Azure Container App instance whose secrets reference the values used by AppConfiguration

    From Use App Configuration references for App Service and Azure Functions:

    An App Configuration reference is of the form:

    @Microsoft.AppConfiguration({referenceString})

    For example:

    @Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey; Label=myKeysLabel)

    Or, as an alternative, without any Label:

    @Microsoft.AppConfiguration(Endpoint=https://myAppConfigStore.azconfig.io; Key=myAppConfigKey)
  2. Terraform doesn’t expand KeyVault connection strings like App Service does. There is specific code which initialises on startup of an App Service, which makes the Graph API calls to retrieve the secrets referenced inside the {} braces.

    TF knows nothing about this. But it can retrieve the secrets from KeyVault if you extract the necessary parts from the KV URI.

    You are already extracting the app configuration keys, so you can adapt the below example to suit your requirements.

    locals {
      # Key Vault secret URIs have the form
      # https://<vault>.vault.azure.net/secrets/<name>[/<version>]
      secret_uri = "https://mykeyvault.vault.azure.net/secrets/mysecret/1234567890abcdef1234567890abcdef"
      parts      = split("/", local.secret_uri)
      # split("/") gives ["https:", "", "mykeyvault.vault.azure.net", "secrets", "mysecret", "<version>"],
      # so the secret name is element 4; the last element is the version, not the name.
      secret_name    = local.parts[4]
      secret_version = try(local.parts[5], null) # null when the URI carries no version
    }

    data "azurerm_key_vault_secret" "example" {
      name         = local.secret_name
      version      = local.secret_version # null selects the latest version
      key_vault_id = azurerm_key_vault.example.id
    }

    output "secret_value" {
      value     = data.azurerm_key_vault_secret.example.value
      sensitive = true # the secret value is sensitive; Terraform refuses to output it otherwise
    }

    You’ll need to change secret_uri = to pass in the value from app_configuration_keys output.

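Taking the answer above one step further, the following is an added example (not code from the answer or from any Azure project) that resolves every Key Vault reference stored in App Configuration and wires each one into a Container App secret. It assumes the resources azurerm_app_configuration.example, azurerm_key_vault.example and azurerm_container_app_environment.example already exist, that the data source exposes `vault_key_reference` and `type` on each item, and that the azurerm_key_vault_secret data source accepts an optional `version`; check these against the installed provider version.

```hcl
# Added example, not code from the answer. Assumes azurerm_app_configuration.example,
# azurerm_key_vault.example and azurerm_container_app_environment.example exist.
data "azurerm_app_configuration_keys" "all" {
  configuration_store_id = azurerm_app_configuration.example.id
}
locals {
  # Items of type "vault" are Key Vault references; vault_key_reference holds the
  # URI https://<vault>.vault.azure.net/secrets/<name>[/<version>]. split("/")
  # gives ["https:", "", "<vault>", "secrets", "<name>", "<version>"]: the name
  # is element 4; the last element is the version, not the name.
  vault_refs = {
    for item in data.azurerm_app_configuration_keys.all.items :
    item.key => {
      name    = split("/", item.vault_key_reference)[4]
      version = try(split("/", item.vault_key_reference)[5], null)
      # Container App secret names allow only lowercase letters, digits and '-'.
      secret_name = lower(replace(item.key, "/[^A-Za-z0-9-]/", "-"))
    } if item.type == "vault"
  }
}
# As in the answer, but for every referenced secret. Caveat: each value is then
# stored in plaintext in Terraform state, so protect the state backend accordingly.
data "azurerm_key_vault_secret" "from_appconfig" {
  for_each     = local.vault_refs
  name         = each.value.name
  version      = each.value.version # null selects the current version
  key_vault_id = azurerm_key_vault.example.id
}
resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  resource_group_name          = azurerm_key_vault.example.resource_group_name
  revision_mode                = "Single"
  dynamic "secret" {
    for_each = local.vault_refs
    content {
      name  = secret.value.secret_name
      value = data.azurerm_key_vault_secret.from_appconfig[secret.key].value
    }
  }
  template {
    container {
      name   = "app"
      image  = "mcr.microsoft.com/k8se/quickstart:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
  }
}
```

Plain "kv" items from the same data source can be passed straight into `env` blocks, since they are non-sensitive. If the provider version in use supports `key_vault_secret_id` and `identity` in the `secret` block, referencing the vault secret directly through a managed identity keeps the value out of Terraform state entirely.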