Tags: azure, terraform, azure-keyvault, azure-container-apps, azure-app-configuration

Is it possible to populate the secrets of an Azure Container App with values from AppConfiguration?


I'm using Terraform to create the infrastructure for an Azure Container Apps based project.

I have set up Azure Key Vault and AppConfiguration with a combination of config items that reference Key Vault values, and some that are manually defined (non-sensitive).

I am trying to create an Azure Container App instance whose secrets reference the values used by AppConfiguration, but have so far been unable to find a way to do this. Using the app_configuration_keys data source gives me the items, but the values are just URL representations, and when I try to populate the container app secrets with these, those same URLs are used.

Does anyone know if it's possible to do this? Previously, I was using Key Vault without AppConfiguration and was able to populate the secrets by passing in a reference to the key vault items in my CDKTF but I am now looking to add more environments which will have different sources of config, so AppConfiguration seems a better fit.

Any advice appreciated.

Thanks


Solution

  • Terraform doesn't expand KeyVault connection strings like App Service does. There is specific code which initialises on startup of an App Service, which makes the Graph API calls to retrieve the secrets referenced inside the {} braces.

    TF knows nothing about this. But it can retrieve the secrets from KeyVault if you extract the necessary parts from the KV URI.

    You are already extracting the app configuration keys, so you can adapt the below example to suit your requirements.

    locals {
      secret_uri = "https://mykeyvault.vault.azure.net/secrets/mysecret/1234567890abcdef1234567890abcdef"
      # split() on "/" yields ["https:", "", "mykeyvault.vault.azure.net", "secrets", "mysecret", "<version>"],
      # so the secret name is element 4 and the last element is the version.
      parts      = split("/", local.secret_uri)
    }
    
    data "azurerm_key_vault_secret" "example" {
      name         = local.parts[4]                       # the secret name, not the trailing version
      version      = local.parts[length(local.parts) - 1] # pin to the version named in the URI
      key_vault_id = azurerm_key_vault.example.id
    }
    
    output "secret_value" {
      value     = data.azurerm_key_vault_secret.example.value
      sensitive = true # the data source value is sensitive; a plain output is rejected by Terraform
    }
    

    You'll need to change secret_uri = to pass in the value from app_configuration_keys output.
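The following is an added example, written by the editor and not code from the question or the answer above. It goes beyond the answer by walking the whole chain: reading the items for one environment label from App Configuration, resolving the Key Vault references with the name/version parsed out of each URI, checking that every reference really points at the expected vault, and wiring the results into an `azurerm_container_app` as secrets and environment variables. The resource names (`azurerm_resource_group.main`, `azurerm_app_configuration.main`, `azurerm_key_vault.main`, `azurerm_container_app_environment.main`), the `myapp:` key prefix, the `dev` label and the container image are assumptions; it assumes azurerm provider 3.x and Terraform 1.3 or later (for `startswith` and `postcondition`).

```hcl
# Added example (editor's, not the poster's or answerer's code).
# Assumed to exist elsewhere in the configuration (hypothetical names):
#   azurerm_resource_group.main, azurerm_app_configuration.main,
#   azurerm_key_vault.main, azurerm_container_app_environment.main

# 1. Read every item for one environment (label) from App Configuration.
data "azurerm_app_configuration_keys" "app" {
  configuration_store_id = azurerm_app_configuration.main.id
  label                  = "dev" # hypothetical label, one per environment
}

locals {
  # Only the items for this application (hypothetical "myapp:" key prefix).
  items = [for i in data.azurerm_app_configuration_keys.app.items : i if startswith(i.key, "myapp:")]

  # Key Vault references come back with type = "vault" and the secret URI in
  # vault_key_reference; ordinary items come back with type = "kv" and a value.
  vault_items = { for i in local.items : i.key => i if i.type == "vault" }
  plain_items = { for i in local.items : i.key => i.value if i.type == "kv" }

  # A secret URI is https://<vault>.vault.azure.net/secrets/<name>[/<version>].
  # split("/") gives ["https:", "", "<vault>.vault.azure.net", "secrets", "<name>", "<version>"],
  # so the name is element 4 and the optional version is element 5 (null when absent = latest).
  uri_parts      = { for k, i in local.vault_items : k => split("/", trimsuffix(i.vault_key_reference, "/")) }
  secret_name    = { for k, p in local.uri_parts : k => p[4] }
  secret_version = { for k, p in local.uri_parts : k => try(p[5], null) }

  # Container App secret names must be lowercase alphanumeric, "-" or ".";
  # App Configuration keys such as "myapp:db-password" are not, so map them.
  ca_secret_name = { for k in keys(local.vault_items) : k => lower(replace(k, "/[^A-Za-z0-9.-]/", "-")) }

  # Environment variable names derived from the keys: "myapp:db-password" -> "MYAPP_DB_PASSWORD".
  env_name = { for i in local.items : i.key => upper(replace(i.key, "/[^A-Za-z0-9]/", "_")) }
}

# 2. Resolve each Key Vault reference to its value at plan time.
data "azurerm_key_vault_secret" "from_appconfig" {
  for_each     = local.vault_items
  name         = local.secret_name[each.key]
  version      = local.secret_version[each.key]
  key_vault_id = azurerm_key_vault.main.id

  lifecycle {
    # Refuse references that point anywhere but the vault we trust: anyone who
    # can write to the App Configuration store must not be able to redirect a
    # lookup to a vault of their choosing. vault_uri ends in "/", so the host
    # comparison cannot be bypassed with a look-alike domain.
    postcondition {
      condition     = startswith(each.value.vault_key_reference, azurerm_key_vault.main.vault_uri)
      error_message = "App Configuration key ${each.key} references a Key Vault other than ${azurerm_key_vault.main.vault_uri}"
    }
  }
}

# 3. Load the resolved values into the Container App as secrets and wire up the env vars.
resource "azurerm_container_app" "app" {
  name                         = "myapp"
  container_app_environment_id = azurerm_container_app_environment.main.id
  resource_group_name          = azurerm_resource_group.main.name
  revision_mode                = "Single"

  dynamic "secret" {
    for_each = data.azurerm_key_vault_secret.from_appconfig
    content {
      name  = local.ca_secret_name[secret.key]
      value = secret.value.value
    }
  }

  template {
    container {
      name   = "app"
      image  = "myregistry.azurecr.io/myapp:1.0.0" # hypothetical image
      cpu    = 0.25
      memory = "0.5Gi"

      # Non-sensitive items become plain environment variables.
      dynamic "env" {
        for_each = local.plain_items
        content {
          name  = local.env_name[env.key]
          value = env.value
        }
      }

      # Sensitive items reference the Container App secret by name instead.
      dynamic "env" {
        for_each = local.vault_items
        content {
          name        = local.env_name[env.key]
          secret_name = local.ca_secret_name[env.key]
        }
      }
    }
  }
}
```

Two caveats a practitioner should weigh. First, as with the answer's data source lookup, the plaintext secret values end up in the Terraform state file, so the state backend has to be treated as secret storage (encrypted at rest, access restricted). Second, if the azurerm provider version in use supports it, the `secret` block of `azurerm_container_app` can instead carry `key_vault_secret_id` together with a managed `identity`; Container Apps then pulls the secret from Key Vault at runtime, the value never passes through Terraform, and the `vault_key_reference` parsed above can be passed straight through as that id.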