Azure Container Apps – secrets [part 5]

Azure Container Apps – secrets, every application typically needs to reference some secrets. To achieve this, I’ll demonstrate how to load secrets into Azure Container Apps using Azure KeyVault. While it’s not currently feasible to do this solely with Terraform due to the absence of a provider for adding secrets from Key Vault, I’ll guide you through the process in this article. You may view all of the series’ about Azure Container Apps here.

Azure Container Apps – secrets – Terraform setup

Before delving into the Terraform setup, you can access all the necessary source files by downloading them from this location. If you’re unsure about how to configure Azure Container Apps with Terraform, please refer to my previous post titled “Azure Container Apps – Using Terraform to Create [Part 1].”

Now, let’s outline the components covered in this tutorial:

  1. Sample application: This demonstrates the usage of secrets within the application, and you can find the source code for it here.
  2. Terraform script: This script is used for creating Azure Key Vault and Container Apps. For Key Vault access, I utilize RBAC (Role-Based Access Control), and the script includes role assignments. Additionally, the script provides the necessary data for referencing the secret, including the secret URL, identity ID, and secret name.
  3. Azure CLI: We’ll use Azure CLI to add secrets to Azure Container Apps.

Please note that after running the Terraform script for the first time, you may encounter an error indicating that the image is not found. This is expected, and it can be resolved in subsequent steps.

Build sample application

The sample application I’ve created is essentially an API. It comes with a default endpoint that retrieves a secret value from an environment variable. You can locate the source code for this application at the provided link. To construct an image for this application, you can utilize the following command:

az acr build --registry #REGISTRY_NAME --image containerappssecret:v1 .

Don’t forget to execute this command once the Terraform script has been initially applied. Make sure to replace “#REGISTRY_NAME” with the name of your current Azure Container Registry instance. Additionally, run the provided command within the directory of the sample application.

Terraform script execution

All Terraform variables come with default values, but you have the flexibility to override them if necessary. After execution, which should take approximately 10 minutes, you may encounter an error indicating the absence of the image. Not to worry, simply follow the provided instructions to build a sample image in the above section.

Once the Terraform script successfully completes, you’ll receive output on the console containing four variables:

  • keyVaultSecretUrl: The URL for the Azure Key Vault secret, in my case, without versioning.
  • keyVaultSecretName: The name of the secret stored in Azure Key Vault.
  • keyVaultIdentity: The identity used for acquiring the secret.
  • envSecretName: The environment variable name that holds the secret value.

Ensure you preserve the aforementioned values for future use. Give special consideration to the lifecycle section. I deliberately exclude environment variables and secrets from Terraform’s purview because I do not want this aspect to be controlled or managed through Terraform.

Azure Container Apps – secrets

Azure Container Apps – secret – adding by Azure CLI

I usually prefer to consolidate all configurations within Terraform scripts. However, in this particular situation, it’s not feasible to configure Key Vault secrets directly using Terraform for Azure Container Apps. Personally, I favour using the Azure CLI over AzAPI, which isn’t my preferred choice. Therefore, to incorporate secrets into Azure Container Apps, we must follow a two-step process:

  1. Add the secret to Container Apps, making use of Azure Key Vault references and the associated identity.
  2. Create an environment variable that is linked to the recently added secret.

Regarding the first step, you should execute the following:

az containerapp secret set -n #ACA_Name -g #RESOURCE_GROUP --secrets #keyVaultSecretName=keyvaultref:#keyVaultSecretUrl ,identityref:#keyVaultIdentity

Here’s where you specify the following variables:

  • #ACA_Name: The name of the Azure Container App.
  • RESOURCE_GROUP: The name of the resource group.
  • keyVaultSecretName: The value retrieved from the Terraform execution.
  • keyVaultSecretUrl: The value obtained from the Terraform execution.
  • keyVaultIdentity: The value derived from the Terraform execution.

Once the script has finished executing, we can proceed to the second phase of the configuration:

az containerapp update -n #ACA_Name -g #RESOURCE_GROUP --set-env-vars '#envSecretName=secretref:#keyVaultSecretName'

Here’s where you define the following variables:

  • envSecretName: This represents the name of the environment variable in the demonstration application. The value derived from the Terraform execution.
  • keyVaultSecretName: This corresponds to the name of the secret that is linked from Azure Key Vault. The value derived from the Terraform execution.

Once you’ve configured these secrets, you should access the Azure Container App and observe the response as follows:

Azure Container Apps – secrets

I sincerely hope you enjoyed it, and if so, I’d appreciate a Like or Comment on my LinkedIn profile.

Here you can find all the articles from the series.

One thought on “Azure Container Apps – secrets [part 5]

Leave a Reply

Your email address will not be published. Required fields are marked *