swift-hamburger-98290
01/31/2022, 9:07 AM
RoleAssignment (https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/roleassignment/)? We run into the following problem:
1. Create KeyVault and a secret;
2. Create WebApp;
3. Give Key Vault Secrets User
to WebApp on the KeyVault;
4. WebApp crashes because it starts without having the permission yet.
Is there a way to solve this?

fresh-pilot-59899
01/31/2022, 1:13 PM
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const secret = new azure.keyvault.Secret("deployment-zip", {
keyVaultId: vault.id,
value: azure.storage.signedBlobReadUrl(blob, storageAccount),
});
const secretUri = pulumi.interpolate`${vault.vaultUri}secrets/${secret.name}/${secret.version}`;
// The application hosted in App Service
const app = new azure.appservice.AppService("app", {
resourceGroupName: resourceGroup.name,
appServicePlanId: appServicePlan.id,
// A system-assigned managed service identity to be used for authentication and authorization to the SQL Database and the Blob Storage
identity: {
type: "SystemAssigned",
},
appSettings: {
// Website is deployed from a URL read from the Key Vault
"WEBSITE_RUN_FROM_ZIP": pulumi.interpolate`@Microsoft.KeyVault(SecretUri=${secretUri})`,
...
},
...
});
// The identity's principalId is only known after the app is created; during preview it may be
// undefined, so fall back to a placeholder GUID so the access policy below can still be previewed
const principalId = app.identity.apply(id => id.principalId || "11111111-1111-1111-1111-111111111111");
// Grant App Service access to KV secrets
const policy = new azure.keyvault.AccessPolicy("app-policy", {
keyVaultId: vault.id,
tenantId: tenantId, // tenant of the deploying identity, e.g. from azure.core.getClientConfig()
objectId: principalId,
secretPermissions: ["get"],
});
swift-hamburger-98290
01/31/2022, 1:57 PM
new azure.appservice.AppService("app", {
resourceGroupName: rg.name,
appServicePlanId: plan.id,
identity: {
type: "SystemAssigned",
},
appSettings: {
"vault": vault.id,
...
},
...
});
new azure.authorization.Assignment("asg", {
roleDefinitionName: "Key Vault Secrets User",
...
});
The permissions are correct, but the app may start (does it always happen?) before the azure.authorization.Assignment is created, meaning that the app won't be able to read from the KeyVault. So it is only a timing issue. Something like a restart mechanism on some AppServices would fix the problem, which is actually what we do on the pipeline after the pulumi up, but it is of course not ideal.

fresh-pilot-59899
01/31/2022, 2:22 PM

swift-hamburger-98290
01/31/2022, 3:41 PM