Allow secrets to be stored in container app and change ingress to allow tcp ports

Author: mrlockstar

infrastructure/modules/container-app/main.tf

@@ -61,6 +61,14 @@ resource "azurerm_container_app" "main" {
     }
   }
 
+  dynamic "secret" {
+    for_each = var.secret_variables
+    content {
+      name  = replace(lower(secret.key), "_", "-")
+      value = secret.value
+    }
+  }
+
   template {
     container {
       name   = var.name
@@ -76,6 +84,15 @@ resource "azurerm_container_app" "main" {
         }
       }
 
+      dynamic "env" {
+        for_each = var.secret_variables
+        content {
+          # Env vars are uppercase and underscore separated
+          name        = upper(replace(env.key, "-", "_"))
+          secret_name = replace(lower(env.key), "_", "-")
+        }
+      }
+
       dynamic "env" {
         for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
         content {
@@ -104,8 +121,24 @@ resource "azurerm_container_app" "main" {
 
     content {
       external_enabled           = true
-      target_port                = var.http_port
+      target_port                = var.port
+      allow_insecure_connections = false
+      traffic_weight {
+        percentage      = 100
+        latest_revision = true
+      }
+    }
+  }
+
+  dynamic "ingress" {
+    for_each = var.is_tcp_app ? [1] : []
+
+    content {
+      external_enabled           = true
+      target_port                = var.port
+      exposed_port               = var.port
       allow_insecure_connections = false
+      transport                  = "tcp"
       traffic_weight {
         percentage      = 100
         latest_revision = true

infrastructure/modules/container-app/output.tf

@@ -7,3 +7,7 @@ output "url" {
   description = "URL of the container app. Only available if is_web_app is true."
   value       = var.is_web_app ? "https://${azurerm_container_app.main.ingress[0].fqdn}" : ""
 }
+
+output "container_app_fqdn" {
+  value = azurerm_container_app.main.latest_revision_fqdn
+}

infrastructure/modules/container-app/variables.tf

@@ -52,7 +52,13 @@ variable "docker_image" {
 }
 
 variable "environment_variables" {
-  description = "Environment variables to pass to the container app. Only non-secret variables. Secrets must be stored in key vault 'app_key_vault_id'"
+  description = "Environment variables to pass to the container app. Only non-secret variables. Secrets can be stored in key vault 'app_key_vault_id'"
+  type        = map(string)
+  default     = {}
+}
+
+variable "secret_variables" {
+  description = "Secret environment variables to pass to the container app."
   type        = map(string)
   default     = {}
 }
@@ -69,8 +75,14 @@ variable "is_web_app" {
   default     = false
 }
 
-variable "http_port" {
-  description = "HTTP port for the web app. Default is 8080."
+variable "is_tcp_app" {
+  description = "Is this a TCP app? If true, ingress is enabled."
+  type        = bool
+  default     = false
+}
+
+variable "port" {
+  description = "Port for the ingress. Default is 8080."
   type        = number
   default     = 8080
 }