My goal is to have a template that lets me deploy an infrastructure for a client that runs a web application with a database.
I have defined resources for my web app:
- app service (w/ a plan)
- postgresql db
- key vault
- key vault secret
The problem, though, is that I have created a cycle: app service -> secret -> vault (and the vault's access policy refers back to the app service). I'd like to know how to avoid this while still defining everything in, and deploying everything from, a single template. Here are the relevant snippets:
// Tenant of the subscription being deployed to; reused for the vault and its access policy.
var tenantId = subscription().tenantId
// Key Vault that holds the client's DB password. Most settings are elided in
// the question; the two shown are the security-relevant ones.
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'vault-${clientId}'
  location: location
  properties: {
    /* .. */
    // Lets Resource Manager read secrets from this vault during a deployment.
    // Only needed when the template itself pulls secret values at deploy time
    // (e.g. getSecret()); a runtime Key Vault reference from the app does not need it.
    enabledForTemplateDeployment: true
    tenantId: tenantId
    // Grants the web app's system-assigned identity access to the vault.
    // NOTE(review): this is the vault -> appService edge of the cycle
    // (appService -> dbPasswordSecret -> vault -> appService). It can be moved
    // to a separate 'Microsoft.KeyVault/vaults/accessPolicies' child resource
    // (name 'add') if the vault should not reference appService at all.
    // Keep 'permissions' to the minimum the app needs (secrets: get for a
    // Key Vault reference).
    accessPolicies: [
      {
        tenantId: tenantId
        objectId: appService.identity.principalId
        permissions: { /* */ }
      }
    ]
  }
}
// DB password. @secure() keeps the value out of deployment logs and history.
// newGuid() is only allowed as a parameter default and produces a fresh value
// on every deployment that does not pass dbPassword explicitly, i.e. the
// password (and therefore the secret) changes on each redeploy unless the
// value is supplied.
// NOTE(review): a GUID is unique, but it is not documented as being generated
// for secrecy - confirm it meets the password-strength requirement you need.
@secure()
param dbPassword string = newGuid()
// The DB password stored as a secret in the vault; 'parent: vault' is the
// dbPasswordSecret -> vault edge of the dependency graph.
// NOTE(review): 'value' is write-only for this resource type - the service does
// not return it on read - so reference(dbPasswordSecret) cannot be used to pull
// the secret value into another resource at deployment time. Use a runtime
// Key Vault reference (properties.secretUri) from the consumer instead.
resource dbPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = {
  parent: vault
  name: 'db-password-${clientId}'
  properties: {
    value: dbPassword
  }
}
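// Web app with a system-assigned managed identity.
// The app settings are moved out of siteConfig into the child 'config'
// resource below, so this resource no longer references dbPasswordSecret.
// That removes the appService -> dbPasswordSecret edge and breaks the cycle
// (appService -> dbPasswordSecret -> vault -> appService).
resource appService 'Microsoft.Web/sites@2022-09-01' = {
  /* .. name, location, serverFarmId etc. as in the full template .. */
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    siteConfig: {
      /* .. everything except appSettings .. */
    }
  }
}

// App settings as a separate child resource. It depends on appService and
// dbPasswordSecret, and nothing depends on it, so the graph stays acyclic.
// DB_PASSWORD is a Key Vault *reference*: App Service resolves it at runtime
// with the site's managed identity (the vault's access policy must grant that
// identity 'get' on secrets). The secret value itself never passes through the
// template, its outputs or the deployment history.
// reference(dbPasswordSecret).secretValue could not have worked in any case:
// the secret's value is not returned when the resource is read.
resource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {
  parent: appService
  name: 'appsettings'
  properties: {
    DB_PASSWORD: '@Microsoft.KeyVault(SecretUri=${dbPasswordSecret.properties.secretUri})'
  }
}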