Skip to content

[DTOSS-10700] Allows secrets to be stored within the container app and container app job #224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mrlockstar merged 2 commits into from
Sep 2, 2025
Merged

[DTOSS-10700] Allows secrets to be stored within the container app and container app job #224

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3e7edb8
Allow secrets to be stored in container app jobs
mrlockstar Sep 2, 2025
c252bfc
Allow secrets to be stored in container app and change ingress to all…
mrlockstar Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions infrastructure/modules/container-app-job/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,14 @@ resource "azurerm_container_app_job" "this" {
}
}

dynamic "secret" {
for_each = var.secret_variables
content {
name = replace(lower(secret.key), "_", "-")
value = secret.value
}
}

# Define the container template for the job.
template {

Expand All @@ -92,6 +100,7 @@ resource "azurerm_container_app_job" "this" {
value = env.value
}
}

dynamic "env" {
for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
content {
Expand All @@ -102,6 +111,16 @@ resource "azurerm_container_app_job" "this" {
secret_name = lower(env.value.name)
}
}

dynamic "env" {
for_each = var.secret_variables
content {
# Env vars are uppercase and underscore separated
name = upper(replace(env.key, "-", "_"))
# app container secrets are lowercase and hyphen separated
secret_name = replace(lower(env.key), "_", "-")
}
}
}
}

Expand Down
6 changes: 6 additions & 0 deletions infrastructure/modules/container-app-job/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,12 @@ variable "environment_variables" {
default = {}
}

variable "secret_variables" {
description = "Secret environment variables to pass to the container app."
type = map(string)
default = {}
}

variable "job_parallelism" {
description = "The number of replicas that can run in parallel."
type = number
Expand Down
35 changes: 34 additions & 1 deletion infrastructure/modules/container-app/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,14 @@ resource "azurerm_container_app" "main" {
}
}

dynamic "secret" {
for_each = var.secret_variables
content {
name = replace(lower(secret.key), "_", "-")
value = secret.value
}
}

template {
container {
name = var.name
Expand All @@ -76,6 +84,15 @@ resource "azurerm_container_app" "main" {
}
}

dynamic "env" {
for_each = var.secret_variables
content {
# Env vars are uppercase and underscore separated
name = upper(replace(env.key, "-", "_"))
secret_name = replace(lower(env.key), "_", "-")
}
}

dynamic "env" {
for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : []
content {
Expand Down Expand Up @@ -104,8 +121,24 @@ resource "azurerm_container_app" "main" {

content {
external_enabled = true
target_port = var.http_port
target_port = var.port
allow_insecure_connections = false
traffic_weight {
percentage = 100
latest_revision = true
}
}
}

dynamic "ingress" {
for_each = var.is_tcp_app ? [1] : []

content {
external_enabled = true
target_port = var.port
exposed_port = var.port
allow_insecure_connections = false
transport = "tcp"
traffic_weight {
percentage = 100
latest_revision = true
Expand Down
4 changes: 4 additions & 0 deletions infrastructure/modules/container-app/output.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,7 @@ output "url" {
description = "URL of the container app. Only available if is_web_app is true."
value = var.is_web_app ? "https://${azurerm_container_app.main.ingress[0].fqdn}" : ""
}

output "container_app_fqdn" {
value = azurerm_container_app.main.latest_revision_fqdn
}
18 changes: 15 additions & 3 deletions infrastructure/modules/container-app/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,13 @@ variable "docker_image" {
}

variable "environment_variables" {
description = "Environment variables to pass to the container app. Only non-secret variables. Secrets must be stored in key vault 'app_key_vault_id'"
description = "Environment variables to pass to the container app. Only non-secret variables. Secrets can be stored in key vault 'app_key_vault_id'"
type = map(string)
default = {}
}

variable "secret_variables" {
description = "Secret environment variables to pass to the container app."
type = map(string)
default = {}
}
Expand All @@ -69,8 +75,14 @@ variable "is_web_app" {
default = false
}

variable "http_port" {
description = "HTTP port for the web app. Default is 8080."
variable "is_tcp_app" {
description = "Is this a TCP app? If true, ingress is enabled."
type = bool
default = false
}

variable "port" {
description = "Port for the ingress. Default is 8080."
type = number
default = 8080
}
Expand Down
Loading