feat: Container-App - Removed workaround for secrets (#4426)

## Description Replaced workaround of `secureList` with UDT ## Pipeline Reference  | Pipeline | | -------- | | [![avm.res.app.container-app](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app.container-app.yml/badge.svg?branch=users%2Falsehr%2FdeprecateSecureListContainerApp&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.app.container-app.yml) | ## Type of Change  - [x] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
Azure · Feb 11, 2025 · 20a2949 · 20a2949
1 parent c891d23
commit 20a2949
Show file tree

Hide file tree

Showing 9 changed files with 168 additions and 129 deletions.
diff --git a/avm/res/app/container-app/README.md b/avm/res/app/container-app/README.md
@@ -59,8 +59,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     ]
     environmentResourceId: '<environmentResourceId>'
     name: 'acamin001'
-    // Non-required parameters
-    location: '<location>'
   }
 }
 ```
@@ -95,10 +93,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     },
     "name": {
       "value": "acamin001"
-    },
-    // Non-required parameters
-    "location": {
-      "value": "<location>"
     }
   }
 }
@@ -127,8 +121,6 @@ param containers = [
 ]
 param environmentResourceId = '<environmentResourceId>'
 param name = 'acamin001'
-// Non-required parameters
-param location = '<location>'
 ```
 
 </details>
@@ -162,7 +154,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     name: 'acapriv001'
     // Non-required parameters
     disableIngress: true
-    location: '<location>'
   }
 }
 ```
@@ -201,9 +192,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     // Non-required parameters
     "disableIngress": {
       "value": true
-    },
-    "location": {
-      "value": "<location>"
     }
   }
 }
@@ -234,7 +222,6 @@ param environmentResourceId = '<environmentResourceId>'
 param name = 'acapriv001'
 // Non-required parameters
 param disableIngress = true
-param location = '<location>'
 ```
 
 </details>
@@ -335,19 +322,17 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
         ]
       }
     }
-    secrets: {
-      secureList: [
-        {
-          name: 'containerappstoredsecret'
-          value: '<value>'
-        }
-        {
-          identity: '<identity>'
-          keyVaultUrl: '<keyVaultUrl>'
-          name: 'keyvaultstoredsecret'
-        }
-      ]
-    }
+    secrets: [
+      {
+        name: 'containerappstoredsecret'
+        value: '<value>'
+      }
+      {
+        identity: '<identity>'
+        keyVaultUrl: '<keyVaultUrl>'
+        name: 'keyvaultstoredsecret'
+      }
+    ]
     tags: {
       Env: 'test'
       'hidden-title': 'This is visible in the resource name'
@@ -467,19 +452,17 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
       }
     },
     "secrets": {
-      "value": {
-        "secureList": [
-          {
-            "name": "containerappstoredsecret",
-            "value": "<value>"
-          },
-          {
-            "identity": "<identity>",
-            "keyVaultUrl": "<keyVaultUrl>",
-            "name": "keyvaultstoredsecret"
-          }
-        ]
-      }
+      "value": [
+        {
+          "name": "containerappstoredsecret",
+          "value": "<value>"
+        },
+        {
+          "identity": "<identity>",
+          "keyVaultUrl": "<keyVaultUrl>",
+          "name": "keyvaultstoredsecret"
+        }
+      ]
     },
     "tags": {
       "value": {
@@ -583,19 +566,17 @@ param runtime = {
     ]
   }
 }
-param secrets = {
-  secureList: [
-    {
-      name: 'containerappstoredsecret'
-      value: '<value>'
-    }
-    {
-      identity: '<identity>'
-      keyVaultUrl: '<keyVaultUrl>'
-      name: 'keyvaultstoredsecret'
-    }
-  ]
-}
+param secrets = [
+  {
+    name: 'containerappstoredsecret'
+    value: '<value>'
+  }
+  {
+    identity: '<identity>'
+    keyVaultUrl: '<keyVaultUrl>'
+    name: 'keyvaultstoredsecret'
+  }
+]
 param tags = {
   Env: 'test'
   'hidden-title': 'This is visible in the resource name'
@@ -643,7 +624,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     ingressExternal: false
     ingressTargetPort: 80
     ingressTransport: 'tcp'
-    location: '<location>'
   }
 }
 ```
@@ -700,9 +680,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     },
     "ingressTransport": {
       "value": "tcp"
-    },
-    "location": {
-      "value": "<location>"
     }
   }
 }
@@ -743,7 +720,6 @@ param ingressAllowInsecure = false
 param ingressExternal = false
 param ingressTargetPort = 80
 param ingressTransport = 'tcp'
-param location = '<location>'
 ```
 
 </details>
@@ -795,11 +771,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     // Non-required parameters
     ingressAllowInsecure: false
     ingressExternal: false
-    location: '<location>'
-    lock: {
-      kind: 'CanNotDelete'
-      name: 'myCustomLockName'
-    }
     managedIdentities: {
       userAssignedResourceIds: [
         '<managedIdentityResourceId>'
@@ -868,15 +839,6 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
     "ingressExternal": {
       "value": false
     },
-    "location": {
-      "value": "<location>"
-    },
-    "lock": {
-      "value": {
-        "kind": "CanNotDelete",
-        "name": "myCustomLockName"
-      }
-    },
     "managedIdentities": {
       "value": {
         "userAssignedResourceIds": [
@@ -937,11 +899,6 @@ param name = 'acawaf001'
 // Non-required parameters
 param ingressAllowInsecure = false
 param ingressExternal = false
-param location = '<location>'
-param lock = {
-  kind: 'CanNotDelete'
-  name: 'myCustomLockName'
-}
 param managedIdentities = {
   userAssignedResourceIds: [
     '<managedIdentityResourceId>'
@@ -997,7 +954,7 @@ param tags = {
 | [`scaleMaxReplicas`](#parameter-scalemaxreplicas) | int | Maximum number of container replicas. Defaults to 10 if not set. |
 | [`scaleMinReplicas`](#parameter-scaleminreplicas) | int | Minimum number of container replicas. Defaults to 3 if not set. |
 | [`scaleRules`](#parameter-scalerules) | array | Scaling rules. |
-| [`secrets`](#parameter-secrets) | secureObject | The secrets of the Container App. |
+| [`secrets`](#parameter-secrets) | array | The secrets of the Container App. |
 | [`service`](#parameter-service) | object | Dev ContainerApp service type. |
 | [`serviceBinds`](#parameter-servicebinds) | array | List of container app services bound to the app. |
 | [`stickySessionsAffinity`](#parameter-stickysessionsaffinity) | string | Bool indicating if the Container App should enable session affinity. |
@@ -1970,8 +1927,49 @@ Scaling rules.
 The secrets of the Container App.
 
 - Required: No
-- Type: secureObject
-- Default: `{}`
+- Type: array
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`keyVaultUrl`](#parameter-secretskeyvaulturl) | string | Azure Key Vault URL pointing to the secret referenced by the Container App Job. Required if `value` is null. |
+| [`value`](#parameter-secretsvalue) | securestring | The secret value, if not fetched from Key Vault. Required if `keyVaultUrl` is not null. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`identity`](#parameter-secretsidentity) | string | Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity. |
+| [`name`](#parameter-secretsname) | string | The name of the secret. |
+
+### Parameter: `secrets.keyVaultUrl`
+
+Azure Key Vault URL pointing to the secret referenced by the Container App Job. Required if `value` is null.
+
+- Required: No
+- Type: string
+
+### Parameter: `secrets.value`
+
+The secret value, if not fetched from Key Vault. Required if `keyVaultUrl` is not null.
+
+- Required: No
+- Type: securestring
+
+### Parameter: `secrets.identity`
+
+Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity.
+
+- Required: No
+- Type: string
+
+### Parameter: `secrets.name`
+
+The name of the secret.
+
+- Required: No
+- Type: string
 
 ### Parameter: `service`
 

diff --git a/avm/res/app/container-app/main.bicep b/avm/res/app/container-app/main.bicep
@@ -135,8 +135,7 @@ param containers containerType[]
 param initContainersTemplate array = []
 
 @description('Optional. The secrets of the Container App.')
-@secure()
-param secrets object = {}
+param secrets secretType[]?
 
 @description('Optional. User friendly suffix that is appended to the revision name.')
 param revisionSuffix string = ''
@@ -147,8 +146,6 @@ param volumes array = []
 @description('Optional. Workload profile name to pin for container app execution.')
 param workloadProfileName string = ''
 
-var secretList = !empty(secrets) ? secrets.secureList : []
-
 var formattedUserAssignedIdentities = reduce(
   map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
   {},
@@ -261,20 +258,24 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
       service: (includeAddOns && !empty(service)) ? service : null
       maxInactiveRevisions: maxInactiveRevisions
       registries: !empty(registries) ? registries : null
-      secrets: secretList
+      secrets: secrets
       runtime: {
-        dotnet: !empty(runtime.?dotnet) ? {
-          autoConfigureDataProtection: runtime.?dotnet.autoConfigureDataProtection
-        } : null
-        java: !empty(runtime.?java) ? {
-          enableMetrics: runtime.?java.enableMetrics
-          javaAgent: {
-            enabled: runtime.?java.enableJavaAgent
-            logging: {
-              loggerSettings: runtime.?java.?loggerSettings
+        dotnet: !empty(runtime.?dotnet)
+          ? {
+              autoConfigureDataProtection: runtime.?dotnet.autoConfigureDataProtection
             }
-          }
-        } : null
+          : null
+        java: !empty(runtime.?java)
+          ? {
+              enableMetrics: runtime.?java.enableMetrics
+              javaAgent: {
+                enabled: runtime.?java.enableJavaAgent
+                logging: {
+                  loggerSettings: runtime.?java.?loggerSettings
+                }
+              }
+            }
+          : null
       }
     }
     template: {
@@ -544,3 +545,20 @@ type runtimeType = {
     }[]?
   }?
 }?
+
+@export()
+@description('The type for a secret.')
+type secretType = {
+  @description('Optional. Resource ID of a managed identity to authenticate with Azure Key Vault, or System to use a system-assigned identity.')
+  identity: string?
+
+  @description('Conditional. Azure Key Vault URL pointing to the secret referenced by the Container App Job. Required if `value` is null.')
+  keyVaultUrl: string?
+
+  @description('Optional. The name of the secret.')
+  name: string?
+
+  @description('Conditional. The secret value, if not fetched from Key Vault. Required if `keyVaultUrl` is not null.')
+  @secure()
+  value: string?
+}