We have discussed "Store Azure Service Bus Connection String as a Secret in Azure Key Vault with Bicep IaC" previously. Setting such a secret in the Azure App Configuration service as a key vault reference lets applications access the Azure Service Bus connection string via the App Configuration service. The same approach applies to setting up a reference to any secret in Azure Key Vault as a key vault reference in Azure App Configuration, via Bicep as Infrastructure as Code (IaC). Let's look at the steps required.

First, we have to output the key vault reference URL of the secret, with its version, as shown below. Refer to "Store Azure Service Bus Connection String as a Secret in Azure Key Vault with Bicep IaC" for how to get the Service Bus ID and API version used in the code below.

param keyvaultName string
param tenantId string = subscription().tenantId
param keyvaultSKUName string
param keyvaultSKUFamily string
param location string = resourceGroup().location
param servicebusId string
param servicebusApiVersion string

resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: keyvaultName
  location: location
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    tenantId: tenantId
    accessPolicies: []
    sku: {
      name: keyvaultSKUName //'standard'
      family: keyvaultSKUFamily //'A'
    }
  }
}

var serviceBusEndpoint = '${servicebusId}/AuthorizationRules/RootManageSharedAccessKey'

resource ServiceBusConnectionString 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  parent: keyVault
  name: 'ServiceBusConnectionString'
  properties: {
    value: listKeys(serviceBusEndpoint, servicebusApiVersion).primaryConnectionString
  }
}

output serviceBusConnectionSecretUrl string = ServiceBusConnectionString.properties.secretUriWithVersion

We can pass the output parameter from the keyvault module to the app config module. You can learn how to pass output parameters from one module to another in Bicep in the post "Passing Output Parameters from Bicep Modules". Note that here we have set the key vault as a dependency of the app config service.

module appconfig 'appconfig.bicep' = {
  scope: rg
  name: 'appconfig'
  params: {
    appconfigName: appconfigName
    appconfigSKUName: appconfigSKUName
    envName: envName
    location: rgLocation
    serviceBusConnectionSecretUrl: keyvault.outputs.serviceBusConnectionSecretUrl
  }
  dependsOn: [
    keyvault
  ]
}

Then, in the appconfig module, we can set up a key vault reference using the code below. The name of the App Configuration key is set with a label: $ denotes the label part of the name, so the content of the envName variable is set as the label of the key created in the Azure App Configuration service.

  name: 'ServiceBus:ConnectionString$${envName}'

The content type must be set to 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8' for key vault reference keys in the App Configuration service.

The value of the key is built from the output of the key vault module, which refers to the URL of the Service Bus connection string secret, with version, in Azure Key Vault. App Configuration stores a key vault reference as a JSON object with a uri property, so the URL is wrapped in that form.

  value: '{"uri":"${serviceBusConnectionSecretUrl}"}'

The full appconfig module:

param appconfigName string
param appconfigSKUName string
param envName string
param location string = resourceGroup().location
param serviceBusConnectionSecretUrl string

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    disableLocalAuth: false
    encryption: {}
  }
}

resource ServiceBusConnectionString 'Microsoft.AppConfiguration/configurationStores/keyValues@2021-10-01-preview' = {
  parent: appconfig
  // 'key$label': the part after $ becomes the label of the key
  name: 'ServiceBus:ConnectionString$${envName}'
  properties: {
    // A key vault reference value is a JSON object with a 'uri' property, not a bare URL
    value: '{"uri":"${serviceBusConnectionSecretUrl}"}'
    contentType: 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8'
  }
}

Once deployed, the App Configuration service will contain a key vault reference key that refers to the Service Bus connection string secret in Azure Key Vault, with the label set to the environment name.
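
A check for the key vault reference entry described above, as an added example that is not part of the original post: it splits the 'key$label' resource name, verifies the content type, and parses the JSON value into secret name and version. The function name, the sample vault name, version and label, and the public-cloud host suffix check are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

KV_REF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"


def check_keyvault_reference(resource_name, value, content_type):
    """Return (key, label, secret_name, version, problems) for one key-value."""
    problems = []
    # The keyValues resource name is 'key$label'; split on the first '$'.
    key, _, label = resource_name.partition("$")
    if content_type.replace(" ", "").lower() != KV_REF_CONTENT_TYPE:
        problems.append("content type is not the Key Vault reference type")
    secret_name = version = None
    try:
        uri = json.loads(value)["uri"]
        if not isinstance(uri, str):
            raise TypeError("uri must be a string")
    except (ValueError, KeyError, TypeError):
        problems.append('value is not a JSON object with a "uri" property')
        return key, label or None, secret_name, version, problems
    parsed = urlparse(uri)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme != "https":
        problems.append("secret URI is not https")
    # Assumption: public Azure cloud; sovereign clouds use other suffixes.
    if not (parsed.hostname or "").endswith(".vault.azure.net"):
        problems.append("host is not a *.vault.azure.net endpoint")
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        problems.append("path is not /secrets/<name>[/<version>]")
    else:
        secret_name = parts[1]
        version = parts[2] if len(parts) == 3 else None  # None = latest version
    return key, label or None, secret_name, version, problems


# Constructed samples: vault name, version and label are made up.
_URL = "https://example-kv.vault.azure.net/secrets/ServiceBusConnectionString/0123456789abcdef0123456789abcdef"
SAMPLES = [
    ("ServiceBus:ConnectionString$dev", json.dumps({"uri": _URL}), KV_REF_CONTENT_TYPE),
    ("ServiceBus:ConnectionString$dev", _URL, KV_REF_CONTENT_TYPE),  # bare URL, no JSON
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_keyvault_reference(*sample))
```

A returned version means the reference is pinned to that secret version, which is what secretUriWithVersion produces.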