DTOSS-12822: add managed identity for Azure Relay send access

josielsouzanordcloud · josielsouzanordcloud · commit 927fb79c3df8 · 2026-04-28T15:08:34.000+01:00
- Add azurerm_relay_namespace data source to resolve namespace ID for RBAC scope                                                                                                        - Create relay-send managed identity and assign Azure Relay Sender role at namespace level
  - Assign managed identity to webapp and expose AZURE_RELAY_CLIENT_ID env var                                                                                                            - Update core.bicep RBAC condition to permit assignment of Azure Relay Sender role
diff --git a/infrastructure/modules/container-apps/data.tf b/infrastructure/modules/container-apps/data.tf
@@ -26,3 +26,9 @@ data "azurerm_private_dns_zone" "storage-account-queue" {
   name                = "privatelink.queue.core.windows.net"
   resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
 }
+
+data "azurerm_relay_namespace" "relay" {
+  count               = var.relay_namespace_name != null ? 1 : 0
+  name                = var.relay_namespace_name
+  resource_group_name = var.resource_group_name_infra
+}
diff --git a/infrastructure/modules/container-apps/main.tf b/infrastructure/modules/container-apps/main.tf
@@ -34,13 +34,17 @@ module "webapp" {
   enable_entra_id_authentication   = var.enable_entra_id_authentication
   app_key_vault_id                 = var.app_key_vault_id
   docker_image                     = var.docker_image
-  user_assigned_identity_ids       = var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  user_assigned_identity_ids = flatten([
+    var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id],
+    var.relay_namespace_name != null ? [module.relay_send_identity[0].id] : []
+  ])
   environment_variables = merge(
     local.common_env,
     {
       ALLOWED_HOSTS = "${var.app_short_name}-web-${var.environment}.${var.default_domain},localhost,127.0.0.1"
     },
-    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env,
+    var.relay_namespace_name != null ? { AZURE_RELAY_CLIENT_ID = module.relay_send_identity[0].client_id } : {}
   )
   secret_variables = merge(
     { APPLICATIONINSIGHTS_CONNECTION_STRING = var.app_insights_connection_string },
diff --git a/infrastructure/modules/container-apps/relay.tf b/infrastructure/modules/container-apps/relay.tf
@@ -13,3 +13,20 @@ module "relay_hybrid_connection" {
     }
   }
 }
+
+module "relay_send_identity" {
+  count               = var.relay_namespace_name != null ? 1 : 0
+  source              = "../dtos-devops-templates/infrastructure/modules/managed-identity"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  uai_name            = "mi-${var.app_short_name}-${var.environment}-relay-send"
+}
+
+module "relay_send_role_assignment" {
+  count                = var.relay_namespace_name != null ? 1 : 0
+  source               = "../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+  principal_id         = module.relay_send_identity[0].principal_id
+  role_definition_name = "Azure Relay Sender"
+  scope                = data.azurerm_relay_namespace.relay[0].id
+  depends_on           = [module.relay_send_identity]
+}
diff --git a/infrastructure/terraform/resource_group_init/core.bicep b/infrastructure/terraform/resource_group_init/core.bicep
@@ -17,6 +17,7 @@ var roleID = {
   rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
   storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
   storageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
+  azureRelaySender: '26baccc8-eea7-41f1-98f4-1762cc7f685d'
 }
 
 // Define role assignments for managed identity
@@ -36,7 +37,7 @@ var miRoleAssignments = [
     roleId: roleID.rbacAdmin
     description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'
     // Optional properties - only rbacAdmin has a condition
-    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
+    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
     conditionVersion: '2.0'
   }
 ]
@@ -58,7 +59,7 @@ var groupRoleAssignments = [
     roleId: roleID.rbacAdmin
     description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets Officer, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'
     // Optional properties - only rbacAdmin has a condition
-    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
+    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
     conditionVersion: '2.0'
   }
 ]

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ var roleID = {`
`17`	`17`	`rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'`
`18`	`18`	`storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'`
`19`	`19`	`storageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'`
	`20`	`+ azureRelaySender: '26baccc8-eea7-41f1-98f4-1762cc7f685d'`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`// Define role assignments for managed identity`
`@@ -36,7 +37,7 @@ var miRoleAssignments = [`
`36`	`37`	`roleId: roleID.rbacAdmin`
`37`	`38`	`description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'`
`38`	`39`	`// Optional properties - only rbacAdmin has a condition`
`39`		- condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
	`40`	+ condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
`40`	`41`	`conditionVersion: '2.0'`
`41`	`42`	`}`
`42`	`43`	`]`
`@@ -58,7 +59,7 @@ var groupRoleAssignments = [`
`58`	`59`	`roleId: roleID.rbacAdmin`
`59`	`60`	`description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets Officer, Storage Blob Data Contributor, and Storage Queue Data Contributor roles.'`
`60`	`61`	`// Optional properties - only rbacAdmin has a condition`
`61`		- condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}}))'
	`62`	+ condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
`62`	`63`	`conditionVersion: '2.0'`
`63`	`64`	`}`
`64`	`65`	`]`