Allow secrets to be stored in container app jobs

Author: mrlockstar

infrastructure/modules/container-app-job/main.tf

@@ -71,6 +71,14 @@ resource "azurerm_container_app_job" "this" {
     }
   }
 
+  dynamic "secret" {
+    for_each = var.secret_variables
+    content {
+      name  = replace(lower(secret.key), "_", "-")
+      value = secret.value
+    }
+  }
+
   # Define the container template for the job.
   template {
 
@@ -92,6 +100,7 @@ resource "azurerm_container_app_job" "this" {
           value = env.value
         }
       }
+
       dynamic "env" {
         for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
         content {
@@ -102,6 +111,16 @@ resource "azurerm_container_app_job" "this" {
           secret_name = lower(env.value.name)
         }
       }
+
+      dynamic "env" {
+        for_each = var.secret_variables
+        content {
+          # Env vars are uppercase and underscore separated
+          name = upper(replace(env.key, "-", "_"))
+          # app container secrets are lowercase and hyphen separated
+          secret_name = replace(lower(env.key), "_", "-")
+        }
+      }
     }
   }
 

infrastructure/modules/container-app-job/variables.tf

@@ -76,6 +76,12 @@ variable "environment_variables" {
   default     = {}
 }
 
+variable "secret_variables" {
+  description = "Secret environment variables to pass to the container app."
+  type        = map(string)
+  default     = {}
+}
+
 variable "job_parallelism" {
   description = "The number of replicas that can run in parallel."
   type        = number