
[DTOSS-12822] - Add managed identity for Azure Relay send access#1384

Merged
josielsouzanordcloud merged 1 commit into main from DTOSS-12822-managed-identity-azure-relay
Apr 28, 2026

Conversation

@josielsouzanordcloud
Contributor

Description

This PR creates a user-assigned managed identity with the Azure Relay Sender RBAC role at relay namespace level to replace the existing SAS key approach, eliminating the need for secret rotation and following the principle of least privilege.

Changes:

  • Creates a relay-send managed identity scoped per environment
  • Assigns the Azure Relay Sender RBAC role at the namespace level, allowing send access to all hybrid connections
  • Exposes AZURE_RELAY_CLIENT_ID on the Container App, following the same convention as AZURE_DB_CLIENT_ID
  • Updates core.bicep to permit the Terraform managed identity to assign the Azure Relay Sender role (GUID 26baccc8-eea7-41f1-98f4-1762cc7f685d) - the Bicep bootstrap must be redeployed manually before applying Terraform

Jira link

DTOSS-12822

Review notes

Review checklist

  • Check database queries are correctly scoped to current_provider
  • If this changes the gateway API (/api/v1/), confirm whether it is a breaking change — if so, a new major version (/api/v2/) is required (see ADR-006)
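The resources the description outlines, sketched in Terraform as an added illustration (this is not the repository's own code): the resource group, namespace, Container App environment, region and image names are placeholders, and the Container App is reduced to the fields needed to show the identity binding and the environment variable.

```hcl
# Added illustration, not the repository's code. Resource group, namespace,
# Container App environment, region and image names are placeholders.
variable "environment" { type = string } # e.g. "dev"
variable "resource_group_name" { type = string }
variable "container_app_environment_id" { type = string }

# Resolve the existing Relay namespace; its ID is the RBAC scope.
data "azurerm_relay_namespace" "relay" {
  name                = "relay-${var.environment}" # placeholder
  resource_group_name = var.resource_group_name
}
# One send identity per environment; no SAS key, so nothing to rotate.
resource "azurerm_user_assigned_identity" "relay_send" {
  name                = "mi-relay-send-${var.environment}"
  location            = "uksouth" # placeholder
  resource_group_name = var.resource_group_name
}
# Least privilege: Azure Relay Sender (built-in role 26baccc8-eea7-41f1-98f4-1762cc7f685d)
# at namespace scope grants Send on every hybrid connection and nothing else.
# The identity running Terraform must itself be allowed to assign this role.
resource "azurerm_role_assignment" "relay_send" {
  scope                = data.azurerm_relay_namespace.relay.id
  role_definition_name = "Azure Relay Sender"
  principal_id         = azurerm_user_assigned_identity.relay_send.principal_id
}

# Bind the identity to the Container App and publish its client ID so the app
# can request Relay tokens as that identity (same pattern as AZURE_DB_CLIENT_ID).
resource "azurerm_container_app" "webapp" {
  name                         = "ca-webapp-${var.environment}"
  resource_group_name          = var.resource_group_name
  container_app_environment_id = var.container_app_environment_id
  revision_mode                = "Single"
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.relay_send.id]
  }
  template {
    container {
      name   = "webapp"
      image  = "example.azurecr.io/webapp:latest" # placeholder
      cpu    = 0.5
      memory = "1Gi"
      env {
        name  = "AZURE_RELAY_CLIENT_ID"
        value = azurerm_user_assigned_identity.relay_send.client_id
      }
    }
  }
}
```

Because the role assignment is scoped to the namespace rather than to a single hybrid connection, any new hybrid connection added to that namespace is sendable by this identity without a further assignment; the identity still cannot Listen or read keys.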

@github-actions

github-actions Bot commented Apr 28, 2026

The review app at this URL has been deleted:
https://pr-1384.manage-breast-screening.non-live.screening.nhs.uk

  - Add azurerm_relay_namespace data source to resolve namespace ID for RBAC scope
  - Create relay-send managed identity and assign Azure Relay Sender role at namespace level
  - Assign managed identity to webapp and expose AZURE_RELAY_CLIENT_ID env var
  - Update core.bicep RBAC condition to permit assignment of Azure Relay Sender role
@josielsouzanordcloud josielsouzanordcloud force-pushed the DTOSS-12822-managed-identity-azure-relay branch from 9c261bb to f645d8c, April 28, 2026 15:36
@sonarqubecloud
Contributor

@steventux steventux left a comment

🖥️ ↔️ 🖥️

@josielsouzanordcloud josielsouzanordcloud merged commit 02d167b into main Apr 28, 2026
13 checks passed
@josielsouzanordcloud josielsouzanordcloud deleted the DTOSS-12822-managed-identity-azure-relay branch April 28, 2026 16:21