Support for EasyAuth / Authentication Block in azurerm_container_app resource #22213
Comments
This would be a great feature, any chance of moving this up the priority list?

Bumped into this issue and pretty disappointed as I have all my infra nicely terraformed. However I managed to go around it using a provisioner within the azurerm_container_app definition like this: provisioner "local-exec" { In my case I needed nothing but allowing anon access, and this worked brilliantly.

I put together a solution using the

```hcl
# https://learn.microsoft.com/en-us/rest/api/containerapps/container-apps-auth-configs/create-or-update
resource "azapi_resource_action" "my_app_auth" {
  type        = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  resource_id = "${azurerm_container_app.my_app.id}/authConfigs/current"
  method      = "PUT"
  body = jsonencode({
    location = azurerm_resource_group.ev_rg.location
    properties = {
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          registration = {
            clientId                = azuread_application_registration.my_app.client_id
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azurerm_subscription.current.tenant_id}/v2.0"
          }
          validation = {
            defaultAuthorizationPolicy = {
              allowedApplications = [
                azuread_application_registration.my_app.client_id,
              ]
            }
          }
        }
      }
      platform = {
        enabled = true
      }
    }
  })
}
```

Note you likely want:

Resource for APIs

```hcl
# See: https://learn.microsoft.com/en-us/rest/api/containerapps/container-apps-auth-configs/create-or-update
resource "azapi_resource_action" "my_app_auth" {
  depends_on  = [azurerm_container_app.my_app]
  type        = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  resource_id = "${azurerm_container_app.my_app.id}/authConfigs/current"
  method      = "PUT"
  body = jsonencode({
    location = azurerm_container_app.my_app.location
    properties = {
      globalValidation = {
        unauthenticatedClientAction = "Return401"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            clientId                = azuread_application.my_app.client_id
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azuread_client_config.current.tenant_id}/v2.0"
          }
          validation = {
            allowedAudiences = [tolist(azuread_application.app.identifier_uris)[0]]
            defaultAuthorizationPolicy = {
              allowedApplications = [
                azuread_application.my_app.client_id,
              ]
            }
          }
        }
      }
      platform = {
        enabled = true
      }
    }
  })
}
```
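
The two workaround bodies above differ mainly in `unauthenticatedClientAction` and `allowedAudiences`. As an added example (not code from the thread or from the provider), this Python check lints an authConfigs `properties` object of that shape before it is applied; the function names, finding texts and sample values are constructed for illustration.

```python
# Added example, not code from the thread. Lints the `properties` object of a
# Microsoft.App/containerApps/authConfigs body; all names here are constructed.

def lint_auth_config(props, is_api=False):
    """Return a list of findings for an authConfigs `properties` dict."""
    findings = []
    if props.get("platform", {}).get("enabled") is not True:
        findings.append("platform.enabled is not true")
    action = props.get("globalValidation", {}).get("unauthenticatedClientAction")
    if action is None:
        findings.append("unauthenticatedClientAction is not set explicitly")
    elif action == "AllowAnonymous":
        findings.append("AllowAnonymous: unauthenticated requests reach the app")
    elif is_api and action == "RedirectToLoginPage":
        findings.append("RedirectToLoginPage on an API: callers get a login redirect")
    # Only the azureActiveDirectory provider is inspected in this example.
    aad = props.get("identityProviders", {}).get("azureActiveDirectory")
    if aad is None:
        findings.append("no azureActiveDirectory provider configured")
        return findings
    if aad.get("enabled") is False:
        findings.append("azureActiveDirectory.enabled is false")
    validation = aad.get("validation", {})
    if is_api and not validation.get("allowedAudiences"):
        findings.append("allowedAudiences is empty")
    policy = validation.get("defaultAuthorizationPolicy", {})
    if not policy.get("allowedApplications"):
        findings.append("allowedApplications is empty: callers are not restricted")
    return findings

def sample_body(action, audiences=None,
                apps=("00000000-0000-0000-0000-000000000001",)):
    """Build a constructed sample body; the GUID is a placeholder."""
    validation = {"defaultAuthorizationPolicy": {"allowedApplications": list(apps)}}
    if audiences:
        validation["allowedAudiences"] = audiences
    return {
        "platform": {"enabled": True},
        "globalValidation": {"unauthenticatedClientAction": action},
        "identityProviders": {"azureActiveDirectory": {"validation": validation}},
    }

WEB_BODY = sample_body("RedirectToLoginPage")             # shaped like the first body
API_BODY = sample_body("Return401", ["api://example"])    # shaped like the API body
ANON_BODY = sample_body("AllowAnonymous", apps=())        # anonymous access allowed

if __name__ == "__main__":
    for name, body, api in [("web", WEB_BODY, False), ("api", API_BODY, True),
                            ("web-as-api", WEB_BODY, True), ("anon", ANON_BODY, False)]:
        print(name, lint_auth_config(body, is_api=api) or "ok")
```
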
Is there an existing issue for this?
Community Note
Description
As Azure Container Apps become more frequently deployed, the capability of Easy Auth or Authentication settings as a configurable block similar to that of azurerm_linux_web_app is highly desirable. Enabling the end to end container app to be managed by the AzureRM provider instead of cobbling together AzAPI or AzCLI workflows in addition to the resource definition.
New or Affected Resource(s)/Data Source(s)
azurerm_container_app
Potential Terraform Configuration
References
Microsoft Documentation (Learn) Reference:
https://learn.microsoft.com/en-us/azure/container-apps/authentication-azure-active-directory
Linux Web App Auth Settings for Reference:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#auth_settings_v2