
Commit 017aa84

committed
fix: use secrets for connection string
1 parent d428917 commit 017aa84


2 files changed

+31
-6
lines changed


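--- a/.azure/deploy.sh
+++ b/.azure/deploy.sh
@@ -20,25 +20,37 @@ echo "Deploying settings-api..."
 docker image tag settings-api "$REGISTRY_NAME.azurecr.io/settings-api:$commit_sha"
 docker image push "$REGISTRY_SERVER/settings-api:$commit_sha"
 
+az containerapp secret set \
+--name "${CONTAINER_APP_NAMES[0]}" \
+--resource-group "$RESOURCE_GROUP_NAME" \
+--secrets DB_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+--output tsv
+
 az containerapp update \
 --name "${CONTAINER_APP_NAMES[0]}" \
 --resource-group "$RESOURCE_GROUP_NAME" \
 --image "$REGISTRY_SERVER/settings-api:$commit_sha" \
 --set-env-vars \
-DATABASE_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+DATABASE_CONNECTION_STRING="secretref:DB_CONNECTION_STRING" \
 --query "properties.configuration.ingress.fqdn" \
 --output tsv
 
 echo "Deploying dice-api..."
 docker image tag dice-api "$REGISTRY_NAME.azurecr.io/dice-api:$commit_sha"
 docker image push "$REGISTRY_SERVER/dice-api:$commit_sha"
 
+az containerapp secret set \
+--name "${CONTAINER_APP_NAMES[1]}" \
+--resource-group "$RESOURCE_GROUP_NAME" \
+--secrets DB_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+--output tsv
+
 az containerapp update \
 --name "${CONTAINER_APP_NAMES[1]}" \
 --resource-group "$RESOURCE_GROUP_NAME" \
 --image "$REGISTRY_SERVER/dice-api:$commit_sha" \
 --set-env-vars \
-DATABASE_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+DATABASE_CONNECTION_STRING="secretref:DB_CONNECTION_STRING" \
 --scale-rule-name http-rule \
 --scale-rule-type http \
 --scale-rule-http-concurrency 100 \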
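Review bot: Both new `az containerapp secret set` calls (new lines 23-27 and 42-46) still hand the connection string to the CLI as an argument, `--secrets DB_CONNECTION_STRING="$DATABASE_CONNECTION_STRING"`, so the value is readable in the runner's process list and in any `set -x` trace while the command runs; the top of the script is outside the hunk, so confirm tracing is off around these calls. Nothing visible here stops the following `az containerapp update` from running when `secret set` fails, so unless `set -e` is already in effect I would end each call with `--output tsv || exit 1`. As far as I know Container Apps only accepts secret names made of lowercase alphanumerics and `-`, so `DB_CONNECTION_STRING` may be rejected; `db-connection-string` together with `secretref:db-connection-string` would be the safe spelling, worth confirming against a real deployment. Revisions deployed before this commit still carry the plain-text value in their template, so the database credential should be rotated once this change is live.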

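--- a/docs/workshop.md
+++ b/docs/workshop.md
@@ -2215,25 +2215,37 @@ echo "Deploying settings-api..."
 docker image tag settings-api "$REGISTRY_NAME.azurecr.io/settings-api:$commit_sha"
 docker image push "$REGISTRY_SERVER/settings-api:$commit_sha"
 
+az containerapp secret set \
+--name "${CONTAINER_APP_NAMES[0]}" \
+--resource-group "$RESOURCE_GROUP_NAME" \
+--secrets DB_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+--output tsv
+
 az containerapp update \
 --name "${CONTAINER_APP_NAMES[0]}" \
 --resource-group "$RESOURCE_GROUP_NAME" \
 --image "$REGISTRY_SERVER/settings-api:$commit_sha" \
 --set-env-vars \
-DATABASE_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+DATABASE_CONNECTION_STRING="secretref:DB_CONNECTION_STRING" \
 --query "properties.configuration.ingress.fqdn" \
 --output tsv
 
 echo "Deploying dice-api..."
 docker image tag dice-api "$REGISTRY_NAME.azurecr.io/dice-api:$commit_sha"
 docker image push "$REGISTRY_SERVER/dice-api:$commit_sha"
 
+az containerapp secret set \
+--name "${CONTAINER_APP_NAMES[1]}" \
+--resource-group "$RESOURCE_GROUP_NAME" \
+--secrets DB_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+--output tsv
+
 az containerapp update \
 --name "${CONTAINER_APP_NAMES[1]}" \
 --resource-group "$RESOURCE_GROUP_NAME" \
 --image "$REGISTRY_SERVER/dice-api:$commit_sha" \
 --set-env-vars \
-DATABASE_CONNECTION_STRING="$DATABASE_CONNECTION_STRING" \
+DATABASE_CONNECTION_STRING="secretref:DB_CONNECTION_STRING" \
 --query "properties.configuration.ingress.fqdn" \
 --output tsv
 
@@ -2252,9 +2264,10 @@ az containerapp update \
 --output tsv
 ```
 
-We'll do the same thing for our 3 services:
+We'll do the almost same thing for our 3 services:
 1. We tag the Docker image with the current commit SHA, and push it to our registry
-2. We use the Azure CLI to update the container app with the new image, and set the environment variables for each service. For the settings and dice APIs, we set the database connection string, and for the gateway API we set the URLs of the other services.
+2. We add the database connection string in the list of secrets for the settings and dice APIs, so it's not exposed as plain text in the environment variables
+3. We use the Azure CLI to update the container app with the new image, and set the environment variables for each service. For the settings and dice APIs, we set the database connection string with a reference to the secret set earlier with `secretref:<secret_name>`, and for the gateway API we set the URLs of the other services.
 
 <div class="tip" data-title="tip">
 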
