Is there a way to restart a WebApp after assigning...
# azure
s
Is there a way to restart a WebApp after assigning a RoleAssignment (https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/roleassignment/)? We run into the following problem:
1. Create KeyVault and a secret;
2. Create WebApp;
3. Give "Key Vault Secrets User" to WebApp on the KeyVault;
4. WebApp crashes because it starts without having the permission yet.
Is there a way to solve this?
f
could you paste the code you use to create the resources?
this code worked fine:
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

// Assumes `resourceGroup`, `appServicePlan`, `storageAccount`, `blob`,
// `vault` and `tenantId` were declared earlier in the program.

// Store the (time-limited) read URL of the deployment package as a Key Vault secret
const secret = new azure.keyvault.Secret("deployment-zip", {
    keyVaultId: vault.id,
    value: azure.storage.signedBlobReadUrl(blob, storageAccount),
});
const secretUri = pulumi.interpolate`${vault.vaultUri}secrets/${secret.name}/${secret.version}`;

// The application hosted in App Service
const app = new azure.appservice.AppService("app", {
    resourceGroupName: resourceGroup.name,
    appServicePlanId: appServicePlan.id,

    // A system-assigned managed service identity to be used for authentication and authorization to the SQL Database and the Blob Storage
    identity: {
        type: "SystemAssigned",
    },

    appSettings: {
        // Website is deployed from a URL read from the Key Vault (Key Vault reference syntax)
        "WEBSITE_RUN_FROM_ZIP": pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secretUri})`,

        ...
    },

    ...
});

// During preview the identity does not exist yet, so fall back to a placeholder GUID
const principalId = app.identity.apply(id => id.principalId || "11111111-1111-1111-1111-111111111111");

// Grant App Service access to KV secrets (vault access-policy model, not RBAC)
const policy = new azure.keyvault.AccessPolicy("app-policy", {
    keyVaultId: vault.id,
    tenantId: tenantId,
    objectId: principalId,
    secretPermissions: ["get"],
});
s
Thanks Alex. So our application gets some secrets directly from the KeyVault. Something like:
import * as azure from "@pulumi/azure";

// Assumes `rg`, `plan` and `vault` were declared earlier in the program.

// The application reads its secrets from the vault at runtime using its managed identity
const app = new azure.appservice.AppService("app", {
    resourceGroupName: rg.name,
    appServicePlanId: plan.id,
    identity: {
        type: "SystemAssigned",
    },
    appSettings: {
        "vault": vault.id,
        ...
    },
    ...
});

// RBAC role assignment on the vault for the app's identity (scope and principal elided in the original)
new azure.authorization.Assignment("asg", {
    roleDefinitionName: "Key Vault Secrets User",
    ...
});
The permissions are correct, but the app may start (does it happen always?) before the azure.authorization.Assignment is created, meaning that the app won't be able to read from the KeyVault. So it is only a timing issue. Something like a restart mechanism on some AppServices would fix the problem, which is actually what we do on the pipeline after the pulumi up, but it is of course not ideal.
f
OK, you are using RBAC for that.
It seems to me like the chicken-and-egg problem due to the usage of a SystemAssigned identity.
Maybe you can try using a UserAssigned identity, which you can create before the app, and do the assignment also before the app creation.
s
Yes, the chicken/egg problem. It is not really a cyclic dependency in the sense that we can declare the infrastructure properly, and the end result is correct. But along the way there are some inconsistencies. That might work yes. We will have a look. Thank you