
I'm using the azure nextgen provider. Given a key vault vault with a stored secret secret1.

  • How can I add the web app to the key vault's access policies?
  • How can I read the secret (get the url including version) and set it to a web app's setting?
  • What needs to be done first?

I haven't found any function in the pulumi documentation for these scenarios.

Script including missing parts:

import * as pulumi from "@pulumi/pulumi";
import * as random from "@pulumi/random";
import * as resources from "@pulumi/azure-nextgen/resources/latest";
import * as web from "@pulumi/azure-nextgen/web/latest";

const config = new pulumi.Config();
const location = config.require("location");

const resourceGroup = new resources.ResourceGroup("rootResourceGroup", {
    resourceGroupName: "resources",
    location,
});

const suffix = new random.RandomString("suffix", {
    length: 6,
    special: false,
    upper: false,
});

const appServicePlan = new web.AppServicePlan("appserviceplan", {
    name: "my-appservice-plan",
    resourceGroupName: resourceGroup.name,
    location,
    kind: "Linux",
    reserved: true,
    sku: {
        name: "B1",
        tier: "Basic",
    },
});


const vault = ???; // Get the vault by name
const secret1Identifier = vault.???; // fetch the secret by name

const webApp = new web.WebApp("web-app", {
    name: pulumi.interpolate`webapp${suffix.result}`,
    resourceGroupName: resourceGroup.name,
    location,
    serverFarmId: appServicePlan.id,
    identity: {
        type: "SystemAssigned",
    },
    siteConfig: {
        appSettings: [
            {
                name: "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
                value: "false",
            },
            {
                name: "SECRET1",
                value: pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secret1Identifier})`
            }
        ],
        alwaysOn: true,
    },
});

const principalId = webApp.identity.apply(id => id?.principalId);

vault.??? // Set access policy for web apps principal id
Sven-Michael Stübe
  • I would have expected that the SDK allows you to create the KeyVault access policy allowing the web app to read secrets separately from the KeyVault itself, allowing you to perform the setup in this order: 1) Create the KeyVault 2) Create the Secret 3) Create the web app, adding the secret into the app setting 4) Create the KeyVault Access Policy -- Steps 2) and 4) are unclear to me, given the current state of the nextgen Azure provider - I don't find the required classes, which were available in the "old" SDK. – Schweder Nov 11 '20 at 12:22

1 Answer


The correct order is:

  1. Secret
  2. Web App with the secret
  3. Access Policy

KeyVault has an odd API model that is only partially exposed via Azure Resource Manager. At the moment, Azure NextGen doesn't have support for secrets, keys, certificates, or access policies. This is tracked in this issue.

Meanwhile, you can use the "old" Azure provider to add missing objects. The two providers can be used from the same program. This example is close to what you are trying to achieve order-wise.

Mikhail Shilkov
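As an added example, not code from the question or the answer: a plain TypeScript helper that builds the `@Microsoft.KeyVault(SecretUri=...)` app-setting value used in the question from a secret identifier (versioned or versionless) and reports whether the reference is pinned to one version. It assumes the public-cloud identifier shape `https://<vault>.vault.azure.net/secrets/<name>[/<version>]`; the vault and secret names in the comments are constructed sample values.

```typescript
// Added example: helpers for the App Service "Key Vault reference" setting value.
// Assumes the public-cloud identifier format; sovereign clouds use a different
// host suffix and would need the regex adjusted.

interface SecretRef {
    vault: string;    // vault name, e.g. "myvault" (constructed sample)
    name: string;     // secret name, e.g. "secret1"
    version?: string; // 32 hex characters; absent for a versionless identifier
}

const SECRET_ID =
    /^https:\/\/([a-z0-9-]+)\.vault\.azure\.net\/secrets\/([A-Za-z0-9-]+)(?:\/([0-9a-f]{32}))?\/?$/i;

// Parse a secret identifier as returned for a stored secret; reject anything else
// so a typo never ends up as a silently broken app setting.
function parseSecretId(id: string): SecretRef {
    const m = SECRET_ID.exec(id.trim());
    if (!m) {
        throw new Error(`not a Key Vault secret identifier: ${id}`);
    }
    const [, vault, name, version] = m;
    return version ? { vault, name, version } : { vault, name };
}

// Build the setting value. App Service resolves it with the web app's managed identity,
// so the vault access policy for that identity (step 3 in the answer) must exist before
// the app reads the setting.
function keyVaultReference(id: string): string {
    const ref = parseSecretId(id);
    const base = `https://${ref.vault}.vault.azure.net/secrets/${ref.name}`;
    const uri = ref.version ? `${base}/${ref.version}` : base;
    return `@Microsoft.KeyVault(SecretUri=${uri})`;
}

// A versioned reference is pinned: rotating the secret in the vault does not change
// what the app reads until the setting is updated. A versionless reference follows
// the current version, which is usually what you want for rotation.
function isPinned(id: string): boolean {
    return parseSecretId(id).version !== undefined;
}
```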