pulumi-azure
AppService AppSettings circular dependency
I have the following stack to setup an App Service to retrieve secrets from a Key Vault using managed identity:
```csharp
using Pulumi;
using Pulumi.Azure.AppService;
using Pulumi.Azure.AppService.Inputs;
using Pulumi.Azure.Core;
using Pulumi.Azure.KeyVault;
using Pulumi.Azure.KeyVault.Inputs;

class MyStack : Stack
{
    public MyStack()
    {
        // Tenant and object id of the principal running Pulumi
        var clientConfig = Output.Create(GetClientConfig.InvokeAsync());
        var tenantId = clientConfig.Apply(x => x.TenantId);
        var pulumiObjectId = clientConfig.Apply(x => x.ObjectId);

        var resourceGroup = new ResourceGroup("my-resource-group");

        // Key Vault with a policy that lets the deploying principal manage secrets
        var keyVault = new KeyVault("my-keyvault", new KeyVaultArgs
        {
            ResourceGroupName = resourceGroup.Name,
            EnabledForDiskEncryption = true,
            SoftDeleteEnabled = true,
            SkuName = "standard",
            TenantId = tenantId,
            AccessPolicies = new InputList<KeyVaultAccessPolicyArgs>
            {
                new KeyVaultAccessPolicyArgs
                {
                    ObjectId = pulumiObjectId,
                    TenantId = tenantId,
                    SecretPermissions = new[] { "list", "set", "delete", "get" }
                }
            }
        });

        var appServicePlan = new Plan("my-plan", new PlanArgs
        {
            Kind = "Linux",
            ResourceGroupName = resourceGroup.Name,
            Reserved = true,
            Sku = new PlanSkuArgs
            {
                Tier = "Basic",
                Size = "B1"
            }
        });

        var secret = new Secret("superSecret", new SecretArgs
        {
            Name = "superSecret",
            KeyVaultId = keyVault.Id,
            Value = "shush"
        });

        var appService = new AppService("web-app", new AppServiceArgs
        {
            ResourceGroupName = resourceGroup.Name,
            Identity = new AppServiceIdentityArgs
            {
                Type = "SystemAssigned"
            },
            AppServicePlanId = appServicePlan.Id,
            AppSettings =
            {
                // special syntax to get secret from key vault using system assigned identity
                { "superSecret", Output.Format($"@Microsoft.KeyVault(SecretUri={secret.Id})") }
            }
        });

        // Work around a preview issue https://github.com/pulumi/pulumi-azure/issues/192
        var appServicePrincipalId = appService.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

        // access policy to give web app access to key vault secrets
        var policy = new AccessPolicy("policy", new AccessPolicyArgs
        {
            KeyVaultId = keyVault.Id,
            ObjectId = appServicePrincipalId,
            TenantId = tenantId,
            SecretPermissions = new[] { "list", "get" }
        });
    }
}
```
It is similar to what is described in this pulumi blog.
Now, I encounter a problem when the resources are first created. The app service is created with an app setting that references a key vault secret, before the creation of the key vault access policy. Azure tries to read the secret when the app service starts, which results in `Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault`. It only seems to go away after re-creating the app settings key or waiting many hours.
I can only create the access policy after the app service because it needs the principal id of the system assigned identity.
Can I define the app settings / config of the app service as a separate resource in Pulumi to break the circular dependency? Is there another approach?
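One way to get the ordering right while staying with the resources used above, written here as an added example (it is not code from the issue author or from the pulumi-azure project): gate the Key Vault reference on a stack configuration flag, so that the first `pulumi up` creates the site, its system-assigned identity and the read-only access policy without any reference, and a second `pulumi up` with the flag set only updates the app setting once the policy already exists. The config key `enableKeyVaultReferences`, the resource names and the `Create` helper signature are assumptions; `GetBoolean` on `Pulumi.Config` is part of the Pulumi .NET SDK.

```csharp
using Pulumi;
using Pulumi.Azure.AppService;
using Pulumi.Azure.AppService.Inputs;
using Pulumi.Azure.Core;
using Pulumi.Azure.KeyVault;

static class TwoPhaseWebApp
{
    // Assumed config key. Phase 1 (unset/false): site, identity and access policy
    // exist, but no Key Vault reference is set, so the site never starts with a
    // reference it is not yet allowed to resolve. Phase 2: after
    // `pulumi config set enableKeyVaultReferences true`, only the app setting changes.
    public static bool KeyVaultReferencesEnabled() =>
        new Config().GetBoolean("enableKeyVaultReferences") ?? false;

    // Assumed helper: the resource group, plan, vault and secret are the ones created
    // elsewhere in the stack (as in the issue's code); tenantId comes from GetClientConfig.
    public static AppService Create(
        ResourceGroup resourceGroup,
        Plan plan,
        KeyVault keyVault,
        Secret secret,
        Output<string> tenantId)
    {
        var appSettings = new InputMap<string>();
        if (KeyVaultReferencesEnabled())
        {
            // Same reference syntax as in the issue, added only in phase 2.
            appSettings.Add("superSecret",
                Output.Format($"@Microsoft.KeyVault(SecretUri={secret.Id})"));
        }

        var appService = new AppService("web-app", new AppServiceArgs
        {
            ResourceGroupName = resourceGroup.Name,
            AppServicePlanId = plan.Id,
            Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" },
            AppSettings = appSettings,
        });

        // The policy's ObjectId depends on an output of appService, so Pulumi always
        // creates the policy after the site. "get" is all a Key Vault reference needs;
        // "list" is left out to keep the site's identity at least privilege.
        var policy = new AccessPolicy("web-app-policy", new AccessPolicyArgs
        {
            KeyVaultId = keyVault.Id,
            TenantId = tenantId,
            ObjectId = appService.Identity.Apply(id => id.PrincipalId),
            SecretPermissions = new[] { "get" },
        });

        return appService;
    }
}
```

Because `app_settings` is updated in place rather than forcing a replacement, the second run changes only the setting and leaves the identity and policy untouched, which is what makes the reference resolvable on the site's next start.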