
Commit 3c9863b

[PR-20] setup cosmosdb connection string access in rest api (#29)
* add cosmosdb connection string as env variable in rest api from key vault * reference as env variable * todo comment * fix biceps * give arm access to kv * deny access by default as best practice * also add list * enabledForTemplateDeployment true * remove manual set access * todo later * rename cosmos secret string
1 parent c80b19c commit 3c9863b


5 files changed

+49
-29
lines changed


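--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -64,7 +64,6 @@ jobs:
 
 parameters: |
 {
-"environment": "Development",
 "envFriendlyName": "dev",
 "restApiContainerImage": "${{ env.REST_API_IMAGE_NAME }}:${{ env.IMAGE_TAG }}",
 "registryServer": "${{ secrets.AZURE_REGISTRY_LOGIN_SERVER }}",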

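--- a/deploy/azure/bicep/main.bicep
+++ b/deploy/azure/bicep/main.bicep
@@ -1,4 +1,3 @@
-param environment string
 param envFriendlyName string
 param restApiContainerImage string
 param registryServer string
@@ -13,7 +12,7 @@ param objectId string
 
 var serviceName = 'chat-service'
 
-module monitor './modules/shared/monitor.bicep' = {
+module monitorModule './modules/shared/monitor.bicep' = {
 name: 'monitor'
 params: {
 serviceName: serviceName
@@ -22,32 +21,17 @@ module monitor './modules/shared/monitor.bicep' = {
 }
 }
 
-module containerAppEnvironment './modules/shared/container-app-environment.bicep' = {
+module containerAppEnvironmentModule './modules/shared/container-app-environment.bicep' = {
 name: 'container-app-environment'
 params: {
 serviceName: serviceName
 envFriendlyName: envFriendlyName
 location: location
-logAnalyticsWorkspaceName: monitor.outputs.logAnalyticsWorkspaceName
+logAnalyticsWorkspaceName: monitorModule.outputs.logAnalyticsWorkspaceName
 }
 }
 
-module restApi './modules/apis-rest.bicep' = {
-name: 'rest-api'
-params: {
-location: location
-serviceName: serviceName
-managedEnvironmentId: containerAppEnvironment.outputs.managedEnvironmentId
-containerImage: restApiContainerImage
-registryServer: registryServer
-registryUsername: username
-registryPassword: password
-environment: environment
-envFriendlyName: envFriendlyName
-}
-}
-
-module cosmosDb './modules/shared/cosmosdb.bicep' = {
+module cosmosDbModule './modules/shared/cosmosdb.bicep' = {
 name: 'cosmos-db'
 params: {
 envFriendlyName: envFriendlyName
@@ -56,7 +40,7 @@ module cosmosDb './modules/shared/cosmosdb.bicep' = {
 }
 }
 
-module keyVault './modules/shared/key-vault.bicep' = {
+module keyVaultModule './modules/shared/key-vault.bicep' = {
 name: 'key-vault'
 params: {
 serviceName: serviceName
@@ -66,11 +50,27 @@ module keyVault './modules/shared/key-vault.bicep' = {
 }
 }
 
-module keyVaultSecrets './modules/shared/key-vault-secrets.bicep' = {
+module keyVaultSecretsModule './modules/shared/key-vault-secrets.bicep' = {
 name: 'key-vault-secrets'
 params: {
-keyVaultName: keyVault.outputs.name
-cosmosAccountName: cosmosDb.outputs.accountName
+keyVaultName: keyVaultModule.outputs.name
+cosmosAccountName: cosmosDbModule.outputs.accountName
+}
+}
+
+module restApiModule './modules/container-app-rest-api.bicep' = {
+name: 'rest-api'
+params: {
+location: location
+serviceName: serviceName
+managedEnvironmentId: containerAppEnvironmentModule.outputs.managedEnvironmentId
+containerImage: restApiContainerImage
+registryServer: registryServer
+registryUsername: username
+registryPassword: password
+envFriendlyName: envFriendlyName
+cosmosDbConnectionStringName: keyVaultSecretsModule.outputs.cosmosDbConnectionStringName
+cosmosAccountName: cosmosDbModule.outputs.accountName
 }
 }
 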
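--- a/deploy/azure/bicep/modules/apis-rest.bicep
+++ b/deploy/azure/bicep/modules/container-app-rest-api.bicep
@@ -1,19 +1,28 @@
 param location string
 param managedEnvironmentId string
 param serviceName string
-param environment string
 param envFriendlyName string
 
 param containerImage string
 param registryServer string
 param registryUsername string
+param cosmosAccountName string
+param cosmosDbConnectionStringName string
 
 @secure()
 param registryPassword string
 
 var containerAppName = '${serviceName}-rest-api-${envFriendlyName}'
 var containerRegistryPasswordName = 'container-registry-password'
 
+//todo - later, reference from Key Vault
+resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' existing = {
+name: cosmosAccountName
+}
+
+var cosmosDbConnectionString = 'AccountEndpoint=${cosmosAccount.properties.documentEndpoint};AccountKey=${cosmosAccount.listKeys().primaryMasterKey};'
+
+//todo - Reference secrets from Key Vault for added benefits like rotation
 resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
 name: containerAppName
 location: location
@@ -29,6 +38,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
 name: containerRegistryPasswordName
 value: registryPassword
 }
+{
+name: cosmosDbConnectionStringName
+value: cosmosDbConnectionString
+}
 ]
 registries: [
 {
@@ -43,6 +56,12 @@ resource containerApp 'Microsoft.App/containerApps@2024-10-02-preview' = {
 {
 image: containerImage
 name: containerAppName
+env: [
+{
+name: cosmosDbConnectionStringName
+secretRef: cosmosDbConnectionStringName
+}
+]
 }
 ]
 }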
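Review bot: The new `cosmosDbConnectionString` variable (new-side line 23) embeds `cosmosAccount.listKeys().primaryMasterKey`, the account's full read-write admin key, into a Container App secret by value, so the same key is now materialized twice (here and in the Key Vault secret written by key-vault-secrets.bicep, whose hunk header shows the identical expression) and the two TODOs acknowledge that the vault is bypassed. Rotating the Cosmos key then requires a redeploy, and any principal with list-secrets rights on the container app can read the admin key directly. Recommend giving the container app a managed identity, granting it secret-get on the vault, and declaring the secret as a reference rather than a value, e.g. `{ name: cosmosDbConnectionStringName, keyVaultUrl: <secret URI output from key-vault-secrets.bicep>, identity: 'system' }`, which also removes the need for the `cosmosAccountName` parameter added here and passed from main.bicep. If the API only reads, `primaryReadonlyMasterKey` from the same `listKeys()` result, or Entra ID data-plane RBAC on the Cosmos account for that identity, would keep the admin key out of application configuration altogether. The `containerApp` resource body continues outside these hunks.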

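--- a/deploy/azure/bicep/modules/shared/key-vault-secrets.bicep
+++ b/deploy/azure/bicep/modules/shared/key-vault-secrets.bicep
@@ -13,8 +13,10 @@ var cosmosDbConnectionString = 'AccountEndpoint=${cosmosAccount.properties.docum
 
 resource cosmosDbConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
 parent: keyVault
-name: 'cosmosDbConnectionString'
+name: 'cosmos-db-connection-string'
 properties: {
 value: cosmosDbConnectionString
 }
 }
+
+output cosmosDbConnectionStringName string = cosmosDbConnectionStringSecret.name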
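Review bot: Renaming the secret from `cosmosDbConnectionString` to `cosmos-db-connection-string` (new-side line 16) creates a new secret but does not remove the old one: incremental deployments leave the previous `cosmosDbConnectionString` entry in the vault, still holding a live master key, until it is deleted and, with soft-delete enabled, purged. A one-off cleanup step noted in the PR description would avoid an orphaned copy of the key. The added output exposes only the secret name; if the plan in the container-app TODOs is to reference the secret from the vault, the container app will need the URI, so consider also emitting `output cosmosDbConnectionStringSecretUri string = cosmosDbConnectionStringSecret.properties.secretUri`.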

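--- a/deploy/azure/bicep/modules/shared/key-vault.bicep
+++ b/deploy/azure/bicep/modules/shared/key-vault.bicep
@@ -12,7 +12,7 @@ param enabledForDeployment bool = false
 param enabledForDiskEncryption bool = false
 
 @description('Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault.')
-param enabledForTemplateDeployment bool = false
+param enabledForTemplateDeployment bool = true
 
 @description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet.')
 param tenantId string = subscription().tenantId
@@ -63,7 +63,7 @@ resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
 family: 'A'
 }
 networkAcls: {
-defaultAction: 'Allow'
+defaultAction: 'Deny'
 bypass: 'AzureServices'
 }
 }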
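Review bot: Switching `defaultAction` to `'Deny'` (new-side line 66) with no `ipRules` or `virtualNetworkRules` visible in this hunk means only the `'AzureServices'` trusted-service set can reach the vault; the ARM deployment that writes the secret is covered, but operators using the portal or CLI, and, as far as I know, the Container App runtime once the TODOs move to Key Vault references, will be refused unless their networks are explicitly allowed, so please confirm that is intended and note the required allow-list in a comment on `networkAcls`. In the first hunk, changing the module default of `enabledForTemplateDeployment` to `true` widens the setting for every consumer of this shared module; keeping the default `false` and passing `enabledForTemplateDeployment: true` from main.bicep for this one vault keeps the module least-privilege by default. The `kv` resource definition starts outside the hunk.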
