Add example for azure function app using key vault reference (#114)

add examples for function app using key vault reference
This commit is contained in:
Xiaxin 2022-11-16 14:54:13 +08:00 committed by GitHub
parent e32966e242
commit 96afa1f2cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 268 additions and 0 deletions


@ -0,0 +1,11 @@
formatter: "markdown table"
content: |-
{{ .Resources }}
{{ .Inputs }}
{{ .Providers }}
{{ .Requirements }}
output:
file: readme.html.markdown
mode: inject


@ -0,0 +1,71 @@
/*
THIS FILE IS GENERATED BY TFMOD-SCAFFOLD, PLEASE DO NOT MODIFY IT.
IF YOU WANT TO USE A CUSTOMIZED CONFIGURATION, PLEASE CREATE YOUR OWN AND
SET THIS FILE'S PATH TO $TFLINT_CONFIG ENVVIRONMENT VARIABLE.
*/
plugin "azurerm" {
enabled = true
version = "0.18.0"
source = "github.com/terraform-linters/tflint-ruleset-azurerm"
}
rule "terraform_comment_syntax" {
enabled = true
}
rule "terraform_deprecated_index" {
enabled = true
}
rule "terraform_deprecated_interpolation" {
enabled = true
}
rule "terraform_documented_outputs" {
enabled = true
}
rule "terraform_documented_variables" {
enabled = true
}
rule "terraform_module_pinned_source" {
enabled = true
}
rule "terraform_module_version" {
enabled = true
}
rule "terraform_naming_convention" {
enabled = true
}
rule "terraform_required_providers" {
enabled = true
}
rule "terraform_required_version" {
enabled = true
}
rule "terraform_standard_module_structure" {
enabled = false
}
rule "terraform_typed_variables" {
enabled = true
}
rule "terraform_unused_declarations" {
enabled = true
}
rule "terraform_unused_required_providers" {
enabled = true
}
rule "terraform_workspace_remote" {
enabled = true
}


@ -0,0 +1,112 @@
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "default" {
name = "${var.name_prefix}-rg"
location = var.location
}
resource "azurerm_user_assigned_identity" "default" {
name = "${var.name_prefix}-uai"
resource_group_name = azurerm_resource_group.default.name
location = azurerm_resource_group.default.location
}
resource "azurerm_storage_account" "default" {
name = "${var.name_prefix}sa"
resource_group_name = azurerm_resource_group.default.name
location = azurerm_resource_group.default.location
account_tier = "Standard"
account_replication_type = "LRS"
}
resource "azurerm_service_plan" "default" {
name = "${var.name_prefix}-sp"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
os_type = "Windows"
sku_name = "Y1"
}
resource "azurerm_key_vault" "default" {
name = "${var.name_prefix}-kv"
location = azurerm_resource_group.default.location
resource_group_name = azurerm_resource_group.default.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
soft_delete_retention_days = 7
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Get",
]
secret_permissions = [
"Get",
"Delete",
"List",
"Purge",
"Recover",
"Set",
]
}
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.default.principal_id
secret_permissions = [
"Get",
"List",
]
}
tags = {
environment = "tfTest"
}
}
resource "azurerm_key_vault_secret" "default" {
name = "${var.name_prefix}-kvs"
value = azurerm_storage_account.default.primary_connection_string
key_vault_id = azurerm_key_vault.default.id
}
/* when using key vault reference in functions app, please follow below instructions:
1. when using event-driven scaling plans such as consumption and premium plan, WEBSITE_CONTENTSHARE key should be set in app_setting block. You don't need to explicitly specify it as Azure will generate a unique file share for you, unless:
1) You are using a secure storage account in a virtual network. In this case, you must set the WEBSITE_CONTENTSHARE value to a predefined share and set a unique share name for the main function app and the app for each deployment slot.
2) You can using key vault reference for setting WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. This setting has additional validation check to ensure that the app can be properly started, check will fail as the secret itself cannot be resolved while processing the incoming request.
3) Please don't make WEBSITE_CONTENTSHARE a slot setting.
To avoid the failure of the azure file check mentioned above, you can skip the validation by setting WEBSITE_SKIP_CONTENTSHARE_VALIDATION to "1". This will bypass all checks, and the content share will not be created for you. You should ensure it is created in advance.
2. please make sure to set storage_key_vault_secret_id property to configure the app to use this identity for Key Vault reference operations.
*/
resource "azurerm_windows_function_app" "default" {
name = "${var.name_prefix}-wfa"
resource_group_name = azurerm_resource_group.default.name
location = azurerm_resource_group.default.location
service_plan_id = azurerm_service_plan.default.id
storage_key_vault_secret_id = azurerm_key_vault_secret.default.id
key_vault_reference_identity_id = azurerm_user_assigned_identity.default.id
app_settings = {
WEBSITE_SKIP_CONTENTSHARE_VALIDATION = 1
}
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.default.id]
}
site_config {
application_stack {
node_version = "~14"
}
}
}
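Review bot: The function app at the end of the hunk sets `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` but creates no content share and sets no `WEBSITE_CONTENTSHARE`, even though the comment block directly above it says that skipping validation means the share is not created for you and must exist in advance; on the `Y1` plan used here this looks like it contradicts the example's own guidance. I would add an `azurerm_storage_share` on the example storage account and point `WEBSITE_CONTENTSHARE` at it (share names must be lowercase, so this depends on `name_prefix`), and quote the flag as `"1"` to match the comment, since `app_settings` is a map of strings anyway. Separately, the first `access_policy` grants the deploying principal `Delete` and `Purge` on a vault with no `purge_protection_enabled` while the secret it stores is the storage account's primary connection string; that is acceptable for a disposable example, but I would say so in the header comment, e.g. `# Example only: no purge protection and 7-day retention so the vault can be torn down; harden before reuse.`
```hcl
resource "azurerm_storage_share" "content" {
  name                 = "${var.name_prefix}-content"
  storage_account_name = azurerm_storage_account.default.name
  quota                = 50
}
# … unchanged: azurerm_windows_function_app.default header and identity/site_config …
  app_settings = {
    WEBSITE_SKIP_CONTENTSHARE_VALIDATION = "1"
    WEBSITE_CONTENTSHARE                 = azurerm_storage_share.content.name
  }
```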


@ -0,0 +1,18 @@
terraform {
required_version = ">=1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.8"
}
}
}
provider "azurerm" {
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = true
}
}
}
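Review bot: The `key_vault` features block is undocumented, and `purge_soft_delete_on_destroy = true` means `terraform destroy` permanently removes the vault together with the stored storage-account connection string rather than leaving it recoverable for the soft-delete window. That is presumably intended for a throwaway example, but anyone copying this provider block into a real deployment loses the recovery safety net, so I would state it at the top of the block: `# Example only: purges the vault on destroy so repeated runs do not collide with soft-deleted vaults; drop this for anything you need to recover.`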


@ -0,0 +1,46 @@
# Azure Windows/ Linux Function App using key vault reference
This template deploys an Azure Function App running using key vault reference
<!-- Run the following commands on your Windows machine to update document -->
<!-- docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest terraform-docs markdown table --output-file readme.html.markdown --output-mode inject ./ -->
<!-- docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest markdown-table-formatter readme.html.markdown -->
<!-- Run the following command to lint Terraform code with tflint -->
<!-- docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest tflint --config=.tflint.hcl -->
<!-- Run the following command to lint Terraform code with Checkov -->
<!-- docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest checkov --skip-framework dockerfile --quiet -d ./ -->
<!-- -->
<!-- BEGIN_TF_DOCS -->
## Resources
| Name | Type |
|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| [azurerm_key_vault.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
| [azurerm_key_vault_secret.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_resource_group.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_service_plan.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
| [azurerm_storage_account.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource |
| [azurerm_user_assigned_identity.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
| [azurerm_windows_function_app.default](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_function_app) | resource |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|-----------------------------------------------------------------------|---------------------------------------|----------|---------------|:--------:|
| <a name="input_location"></a> [location](#input\_location) | Location to deploy the resource group | `string` | `"West US 2"` | no |
| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix of the resource name | `string` | n/a | yes |
## Providers
| Name | Version |
|---------------------------------------------------------------|---------|
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | ~>3.8 |
## Requirements
| Name | Version |
|---------------------------------------------------------------------------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>3.8 |
<!-- END_TF_DOCS -->
## Example
To see how to run this example, see [Create an Azure Function App using Terraform](https://docs.microsoft.com/azure/developer/terraform/create-azure-windows-linux-function-app-using-key-vault-reference).


@ -0,0 +1,10 @@
variable "name_prefix" {
type = string
description = "Prefix of the resource name"
}
variable "location" {
type = string
description = "Location to deploy the resource group"
default = "West US 2"
}
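Review bot: `name_prefix` has no `validation` block, yet the main configuration derives `"${var.name_prefix}sa"` for the storage account, which Azure only accepts as 3–24 lowercase letters and digits, and `"${var.name_prefix}-kv"` for the key vault, which must start with a letter; an uppercase or hyphenated prefix therefore fails only at apply time with a provider error. I would add a validation that rejects such values up front (the exact regex below is a starting point and should be checked against the longest derived name, since the function app and plan names also use the prefix).
```hcl
variable "name_prefix" {
  type        = string
  description = "Prefix of the resource name"
  validation {
    condition     = can(regex("^[a-z][a-z0-9]{0,21}$", var.name_prefix))
    error_message = "name_prefix must be lowercase alphanumeric, start with a letter, and be at most 22 characters so the derived resource names are valid."
  }
}
```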