Support for EasyAuth / Authenticaton Block in azurerm_container_app resource

[Lachlan-White]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

As Azure Container Apps become more frequently deployed the capability of Easy Auth or Authentication settings as a configurable block similar to that azurerm_linux_web_app is highly desirable.

Enabling the end to end container app to be managed by the AzureRM provider instead of cobbling together AzAPI or AzCLI workflows in addition to the resource definiton.

New or Affected Resource(s)/Data Source(s)

azurerm_container_app

Potential Terraform Configuration

resource "azurerm_container_app" "example" {
  name                         = "example-app"
  container_app_environment_id = azurerm_container_app_environment.example.id
  resource_group_name          = azurerm_resource_group.example.name
  revision_mode                = "Single"

  template {
    container {
      name   = "examplecontainerapp"
      image  = "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest"
      cpu    = 0.25
      memory = "0.5Gi"
    }
    auth_settings {
      enabled = true
      require_authentication = true
      unauthenticated_action = "Return403"
      default_provider = "azureactivedirectory"
        microsoft {
            client_id = "xxx-xxx-xxx-xxx"
            client_secret_name_setting = "microsoft-identity-provider-secret"
            supported_account_types = "currenttenant"
        }
    }
  }
}

References

Microsoft Documentation (Learn) Reference:
https://learn.microsoft.com/en-us/azure/container-apps/authentication-azure-active-directory

Linux Web App Auth Settings for Reference:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#auth_settings_v2

[fredlemieux]

This would be a great feature, any chance of moving this up the priority list?

[cfarrugia]

Bumped into this issue and pretty disappointed as I have all my infra nicely terraformed. However I managed to go around it using a provisioner within the azurerm_container_app definition like this:

provisioner "local-exec" {
command = "az containerapp auth update --name aca-feed-export-api-${var.name_of_app_resrouce} --resource-group ${var.rgname} --unauthenticated-client-action AllowAnonymous"

In my case i needed nothing but allowing anon access, and this worked brilliantly.

[dhduvall]

I put together a solution using the azapi provider, if it's useful to anyone else.

# https://learn.microsoft.com/en-us/rest/api/containerapps/container-apps-auth-configs/create-or-update
resource "azapi_resource_action" "my_app_auth" {
  type        = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  resource_id = "${azurerm_container_app.my_app.id}/authConfigs/current"
  method      = "PUT"

  body = jsonencode({
    location = azurerm_resource_group.ev_rg.location
    properties = {
      globalValidation = {
        redirectToProvider          = "azureactivedirectory"
        unauthenticatedClientAction = "RedirectToLoginPage"
      }
      identityProviders = {
        azureActiveDirectory = {
          registration = {
            clientId                = azuread_application_registration.my_app.client_id
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azurerm_subscription.current.tenant_id}/v2.0"
          }
          validation = {
            defaultAuthorizationPolicy = {
              allowedApplications = [
                azuread_application_registration.my_app.client_id,
              ]
            }
          }
        }
      }
      platform = {
        enabled = true
      }
    }
  })

[EpicWink]

Note you likely want: depends_on = [azurerm_container_app.my_app]

---

Resource for APIs (click to expand)

# See: https://learn.microsoft.com/en-us/rest/api/containerapps/container-apps-auth-configs/create-or-update
resource "azapi_resource_action" "my_app_auth" {
  depends_on = [azurerm_container_app.my_app]

  type        = "Microsoft.App/containerApps/authConfigs@2024-03-01"
  resource_id = "${azurerm_container_app.my_app.id}/authConfigs/current"
  method      = "PUT"

  body = jsonencode({
    location = azurerm_container_app.my_app.location
    properties = {
      globalValidation = {
        unauthenticatedClientAction = "Return401"
      }
      identityProviders = {
        azureActiveDirectory = {
          enabled = true
          registration = {
            clientId                = azuread_application.my_app.client_id
            clientSecretSettingName = "microsoft-provider-authentication-secret"
            openIdIssuer            = "https://sts.windows.net/${data.azuread_client_config.current.tenant_id}/v2.0"
          }
          validation = {
            allowedAudiences = [tolist(azuread_application.app.identifier_uris)[0]]
            defaultAuthorizationPolicy = {
              allowedApplications = [
                azuread_application.my_app.client_id,
              ]
            }
          }
        }
      }
      platform = {
        enabled = true
      }
    }
  })
}