Commit b7df08e

Browse files
committed
Add sample secret deployment
1 parent 5701687 commit b7df08e

8 files changed

+39
-2
lines changed


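--- a/.github/workflows/_terraformApplyTemplate.yml
+++ b/.github/workflows/_terraformApplyTemplate.yml
@@ -29,6 +29,9 @@ on:
 SUBSCRIPTION_ID:
 required: true
 description: "Specifies the client id."
+MY_SAMPLE_SECRET:
+required: true
+description: "Specifies a sample secret."
 
 permissions:
 id-token: write
@@ -79,4 +82,4 @@ jobs:
 - name: Terraform Apply
 working-directory: ${{ inputs.working_directory }}
 run: |
-terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false
+terraform apply -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -auto-approve -input=false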
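Review bot: The new `run:` line splices `${{ secrets.MY_SAMPLE_SECRET }}` directly into the shell command, so a secret value containing a single quote terminates the quoted argument and the remainder is interpreted by the shell, and the value is also visible in the runner's process argument list for the lifetime of the `terraform` process. Passing it through the environment avoids both: add `env:` to the step with `TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}` and keep the original `terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false`, since Terraform reads `TF_VAR_*` automatically. The same pattern is in the `terraform plan` step of `_terraformPlanTemplate.yml` and should get the same treatment. The job definition begins outside this hunk.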

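--- a/.github/workflows/_terraformPlanTemplate.yml
+++ b/.github/workflows/_terraformPlanTemplate.yml
@@ -29,6 +29,9 @@ on:
 SUBSCRIPTION_ID:
 required: true
 description: "Specifies the client id."
+MY_SAMPLE_SECRET:
+required: true
+description: "Specifies a sample secret."
 
 permissions:
 id-token: write
@@ -89,7 +92,7 @@ jobs:
 id: terraform_plan
 working-directory: ${{ inputs.working_directory }}
 run: |
-terraform plan -var-file vars.${{ inputs.environment }}.tfvars -input=false
+terraform plan -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -input=false
 
 # Add Pull Request Comment
 - name: Add Pull Request Comment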

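--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -35,6 +35,7 @@ jobs:
 CLIENT_ID: ${{ secrets.CLIENT_ID }}
 CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
 SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
+MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
 
 terraform_apply_dev:
 uses: ./.github/workflows/_terraformApplyTemplate.yml
@@ -50,3 +51,4 @@ jobs:
 CLIENT_ID: ${{ secrets.CLIENT_ID }}
 CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
 SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
+MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}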

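--- a/code/function/fastapp/core/config.py
+++ b/code/function/fastapp/core/config.py
@@ -14,6 +14,7 @@ class Settings(BaseSettings):
 APPLICATIONINSIGHTS_CONNECTION_STRING: str = Field(
 default="", env="APPLICATIONINSIGHTS_CONNECTION_STRING"
 )
+MY_SECRET_CONFIG: str = Field(default="", env="MY_SECRET_CONFIG")
 
 
 settings = Settings()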
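Review bot: `MY_SECRET_CONFIG` defaults to `""`, so the app starts normally when the setting is absent, and nothing here checks that the App Service Key Vault reference wired up in `function.tf` actually resolved — when resolution fails the platform leaves the reference string itself as the setting value (worth confirming against the platform docs), which this field would silently accept as the secret. Making the field required, `MY_SECRET_CONFIG: str = Field(..., env="MY_SECRET_CONFIG")`, fails fast on a missing value, and a validator rejecting values that start with `@Microsoft.KeyVault(` would catch the unresolved case. Since the value is a secret, declaring it as pydantic's `SecretStr` rather than `str` keeps it out of `repr()` and log output of the settings object. The `Settings` class starts outside this hunk.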

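--- a/code/infra/function.tf
+++ b/code/infra/function.tf
@@ -122,6 +122,10 @@ resource "azapi_resource" "function" {
 {
 name = "AzureWebJobsStorage__accountName"
 value = azurerm_storage_account.storage.name
+},
+{
+name = "MY_SECRET_CONFIG"
+value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})"
 }
 ]
 azureStorageAccounts = {}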
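Review bot: The reference uses `azurerm_key_vault_secret.key_vault_secret_sample.id`, which is the versioned secret identifier, so after a rotation in Key Vault the Function keeps reading the old version until Terraform is re-applied; using `versionless_id` on the same resource lets the reference follow the current version. The hunk does not show the Function's managed identity being granted secret read access on the vault, and because `keyvault.tf` places the vault behind a private endpoint, resolution from the app presumably depends on its outbound traffic reaching that endpoint — both are outside this hunk and worth confirming. A one-line comment above the entry, `# Key Vault reference; resolved by App Service with the function's managed identity at startup`, would help the next reader understand why the value is not the secret itself. The `azapi_resource` block continues outside the hunk.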

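--- a/code/infra/keyvault.tf
+++ b/code/infra/keyvault.tf
@@ -22,6 +22,19 @@ resource "azurerm_key_vault" "key_vault" {
 tenant_id = data.azurerm_client_config.current.tenant_id
 }
 
+resource "azurerm_key_vault_secret" "key_vault_secret_sample" {
+name = "MySampleSecret"
+key_vault_id = azurerm_key_vault.key_vault.id
+
+content_type = "text/plain"
+value = var.my_secret
+
+depends_on = [
+azurerm_role_assignment.current_role_assignment_key_vault,
+azurerm_private_endpoint.key_vault_private_endpoint
+]
+}
+
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
 resource_id = azurerm_key_vault.key_vault.id
 }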
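Review bot: The new `azurerm_key_vault_secret` sets no `expiration_date`, so the secret never expires, which Key Vault governance policies commonly flag; if the value is meant to be rotated, set `expiration_date` next to `content_type` so stale versions surface. Be aware that `value = var.my_secret` also lands in the Terraform state, so the state backend's access controls are effectively part of this secret's protection. The `depends_on` on the role assignment and the private endpoint looks deliberate — writing the secret needs the data-plane role and, presumably, a reachable endpoint — and a short comment saying so, `# write requires the data-plane role and the private endpoint to exist first`, would keep a future cleanup from dropping it.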

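--- a/code/infra/variables.tf
+++ b/code/infra/variables.tf
@@ -83,6 +83,16 @@ variable "function_health_path" {
 }
 }
 
+variable "my_secret" {
+description = "Specifies a random secret value used in teh Logic App."
+type = string
+sensitive = true
+validation {
+condition = length(var.my_secret) >= 2
+error_message = "Please specify a valid resource ID."
+}
+}
+
 variable "private_dns_zone_id_blob" {
 description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azue Policy."
 type = string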
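Review bot: The validation's `error_message = "Please specify a valid resource ID."` is a copy-paste leftover from the neighbouring variables and will mislead whoever trips the `length(var.my_secret) >= 2` check; `error_message = "Please specify a secret value of at least 2 characters."` matches the condition. The description also has a typo (`teh`) and refers to a Logic App, whereas the rest of the commit wires the value into a Function App — worth aligning. Note that `vars.dev.tfvars` sets `my_secret = ""`, which this validation rejects; it only passes in CI because the workflow's `-var` on the command line is processed after `-var-file` and overrides it, so a comment on the tfvars line saying the real value is injected from the workflow would prevent a confusing local `terraform plan` failure.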

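--- a/code/infra/vars.dev.tfvars
+++ b/code/infra/vars.dev.tfvars
@@ -4,6 +4,7 @@ prefix = "myfunc"
 tags = {}
 function_python_version = "3.10"
 function_health_path = "/v1/health/heartbeat"
+my_secret = ""
 vnet_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001"
 nsg_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001"
 route_table_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001"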
