Dynamic App Setting + App Config Support

app_config.tf

@@ -0,0 +1,15 @@
+module app_config {
+  source   = "./modules/databases/app_config"
+  for_each = local.database.app_config
+  name     = each.value.name
+
+  location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
+  resource_group_name = module.resource_groups[each.value.resource_group_key].name
+  global_settings     = local.global_settings
+  settings            = each.value
+}
+
+output app_config {
+  value     = module.app_config
+  sensitive = true
+}

app_services.tf

@@ -4,21 +4,22 @@ module "app_services" {
 
   for_each = local.webapp.app_services
 
-  name                = each.value.name
-  client_config       = local.client_config
-  resource_group_name = module.resource_groups[each.value.resource_group_key].name
-  location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
-  app_service_plan_id = try(each.value.lz_key, null) == null ? local.combined_objects_app_service_plans[local.client_config.landingzone_key][each.value.app_service_plan_key].id : local.combined_objects_app_service_plans[each.value.lz_key][each.value.app_service_plan_key].id
-  settings            = each.value.settings
-  identity            = try(each.value.identity, null)
-  connection_strings  = try(each.value.connection_strings, {})
-  app_settings        = try(each.value.app_settings, null)
-  slots               = try(each.value.slots, {})
-  global_settings     = local.global_settings
-  managed_identities  = local.combined_objects_managed_identities
-  base_tags           = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
-  application_insight = try(each.value.application_insight_key, null) == null ? null : module.azurerm_application_insights[each.value.application_insight_key]
-  tags                = try(each.value.tags, null)
+  name                 = each.value.name
+  client_config        = local.client_config
+  resource_group_name  = module.resource_groups[each.value.resource_group_key].name
+  location             = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
+  app_service_plan_id  = try(each.value.lz_key, null) == null ? local.combined_objects_app_service_plans[local.client_config.landingzone_key][each.value.app_service_plan_key].id : local.combined_objects_app_service_plans[each.value.lz_key][each.value.app_service_plan_key].id
+  settings             = each.value.settings
+  identity             = try(each.value.identity, null)
+  connection_strings   = try(each.value.connection_strings, {})
+  app_settings         = try(each.value.app_settings, null)
+  slots                = try(each.value.slots, {})
+  global_settings      = local.global_settings
+  dynamic_app_settings = try(each.value.dynamic_app_settings, {})
+  combined_objects     = local.dynamic_app_settings_combined_objects
+  base_tags            = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
+  application_insight  = try(each.value.application_insight_key, null) == null ? null : module.azurerm_application_insights[each.value.application_insight_key]
+  tags                 = try(each.value.tags, null)
 }
 
 output "app_services" {

cosmos_db.tf

@@ -1,5 +1,5 @@
-module cosmos_db {
-  source   = "./modules/databases/cosmos_db"
+module cosmos_dbs {
+  source   = "./modules/databases/cosmos_dbs"
   for_each = local.database.cosmos_dbs
 
   location            = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
@@ -9,7 +9,7 @@ module cosmos_db {
   base_tags           = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
 }
 
-output cosmos_db_id {
-  value     = module.cosmos_db
-
+output cosmos_dbs {
+  value     = module.cosmos_dbs
+  sensitive = true
 }

function_app.tf

@@ -6,7 +6,8 @@ module "function_apps" {
 
   name                        = each.value.name
   client_config               = local.client_config
-  managed_identities          = local.combined_objects_managed_identities
+  dynamic_app_settings        = try(each.value.dynamic_app_settings, {})
+  combined_objects            = local.dynamic_app_settings_combined_objects
   resource_group_name         = module.resource_groups[each.value.resource_group_key].name
   location                    = lookup(each.value, "region", null) == null ? module.resource_groups[each.value.resource_group_key].location : local.global_settings.regions[each.value.region]
   app_service_plan_id         = try(each.value.lz_key, null) == null ? local.combined_objects_app_service_plans[local.client_config.landingzone_key][each.value.app_service_plan_key].id : local.combined_objects_app_service_plans[each.value.lz_key][each.value.app_service_plan_key].id

locals.combined_objects.tf

@@ -1,6 +1,7 @@
 locals {
   # CAF landing zones can retrieve remote objects from a different landing zone and the
   # combined_objects will merge it with the local objects
+  combined_objects_app_config                 = merge(tomap({ (local.client_config.landingzone_key) = module.app_config }), try(var.remote_objects.app_config, {}))
   combined_objects_aks_clusters               = merge(tomap({ (local.client_config.landingzone_key) = module.aks_clusters }), try(var.remote_objects.aks_clusters, {}))
   combined_objects_app_service_environments   = merge(tomap({ (local.client_config.landingzone_key) = module.app_service_environments }), try(var.remote_objects.app_service_environments, {}))
   combined_objects_app_service_plans          = merge(tomap({ (local.client_config.landingzone_key) = module.app_service_plans }), try(var.remote_objects.app_service_plans, {}))
@@ -14,6 +15,7 @@ locals {
   combined_objects_event_hub_namespaces       = merge(tomap({ (local.client_config.landingzone_key) = module.event_hub_namespaces }), try(var.remote_objects.event_hub_namespaces, {}))
   combined_objects_front_door_waf_policies    = merge(tomap({ (local.client_config.landingzone_key) = module.front_door_waf_policies }), try(var.remote_objects.front_door_waf_policies, {}))
   combined_objects_keyvaults                  = merge(tomap({ (local.client_config.landingzone_key) = module.keyvaults }), try(var.remote_objects.keyvaults, {}))
+  combined_objects_machine_learning           = merge(tomap({ (local.client_config.landingzone_key) = module.machine_learning_workspaces }), try(var.remote_objects.machine_learning_workspaces, {}))
   combined_objects_managed_identities         = merge(tomap({ (local.client_config.landingzone_key) = module.managed_identities }), try(var.remote_objects.managed_identities, {}))
   combined_objects_mssql_databases            = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_databases }), try(var.remote_objects.mssql_databases, {}))
   combined_objects_mssql_elastic_pools        = merge(tomap({ (local.client_config.landingzone_key) = module.mssql_elastic_pools }), try(var.remote_objects.mssql_elastic_pools, {}))

locals.tf

@@ -2,6 +2,13 @@ locals {
 
   prefix = lookup(var.global_settings, "prefix", null) == null ? random_string.prefix.result : var.global_settings.prefix
 
+  dynamic_app_settings_combined_objects = {
+      app_config                  = local.combined_objects_app_config
+      keyvaults                   = local.combined_objects_keyvaults
+      machine_learning_workspaces = local.combined_objects_machine_learning
+      managed_identities          = local.combined_objects_managed_identities
+  }
+
   global_settings = {
     prefix             = local.prefix
     prefix_with_hyphen = local.prefix == "" ? "" : "${local.prefix}-"
@@ -63,6 +70,7 @@ locals {
 
   database = {
     azurerm_redis_caches              = try(var.database.azurerm_redis_caches, {})
+    app_config                        = try(var.database.app_config, {})
     cosmos_dbs                        = try(var.database.cosmos_dbs, {})
     databricks_workspaces             = try(var.database.databricks_workspaces, {})
     machine_learning_workspaces       = try(var.database.machine_learning_workspaces, {})

modules/analytics/machine_learning/output.tf

@@ -8,4 +8,8 @@ output identity {
   description = "An identity block exports the following: - principal_id: The (Client) ID of the Service Principal, -tenant_id: The ID of the Tenant the Service Principal is assigned in."
   value       = azurerm_machine_learning_workspace.ws.identity
 
+}
+
+output rbac_id {
+  value = azurerm_machine_learning_workspace.ws.identity[0].principal_id
 }

modules/analytics/machine_learning/workspace.tf

@@ -18,7 +18,7 @@ resource "azurerm_machine_learning_workspace" "ws" {
   key_vault_id            = var.keyvault_id
   storage_account_id      = var.storage_account_id
   tags                    = try(local.tags, null)
-  sku_name                = try(var.settings.sku_name, "basic")
+  sku_name                = try(var.settings.sku_name, "Basic")
 
   identity {
     #Hardcoded as the only supported value is SystemAssigned as per azurerm 2.40

modules/databases/app_config/app_config.tf

@@ -0,0 +1,27 @@
+## App Configuration
+
+resource "azurecaf_name" "app_config" {
+  name          = var.name
+  resource_type = "azurerm_app_configuration"
+  prefixes      = [var.global_settings.prefix]
+  random_length = var.global_settings.random_length
+  clean_input   = true
+  passthrough   = var.global_settings.passthrough
+  use_slug      = var.global_settings.use_slug
+}
+
+# Create config data store resource
+resource "azurerm_app_configuration" "config" {
+  name                = azurecaf_name.app_config.result
+  resource_group_name = var.resource_group_name
+  sku                 = try(var.settings.sku_name, "standard")
+  location            = var.location
+
+  dynamic "identity" {
+    for_each = lookup(var.settings, "identity", {}) == {} ? [] : [1]
+
+    content {
+      type = var.settings.identity.type
+    }
+  }
+}

modules/databases/app_config/output.tf

@@ -0,0 +1,14 @@
+output id {
+  value       = azurerm_app_configuration.config.id
+  description = "The ID of the App Config."
+}
+
+output endpoint {
+  value       = azurerm_app_configuration.config.endpoint
+  description = "The URL of the App Configuration."
+}
+
+output identity {
+  value       = azurerm_app_configuration.config.identity
+  description = "The managed service identity object."
+}

modules/databases/app_config/variables.tf

@@ -0,0 +1,16 @@
+variable settings {}
+variable global_settings {
+  description = "Global settings object (see module README.md)"
+}
+variable resource_group_name {
+  description = "(Required) The name of the resource group where to create the resource."
+  type        = string
+}
+variable location {
+  description = "(Required) Specifies the supported Azure location where to create the resource. Changing this forces a new resource to be created."
+  type        = string
+}
+
+variable name {
+  description = "(Required) Name of the App Config"
+}

modules/databases/cosmos_dbs/output.tf

@@ -0,0 +1,9 @@
+output cosmos_account {
+  value     = azurerm_cosmosdb_account.cosmos_account.id
+  sensitive = true
+}
+
+output connection_string {
+  value     = azurerm_cosmosdb_account.cosmos_account.connection_strings[0]
+  sensitive = true
+}

modules/databases/cosmos_dbs/table/main.tf

@@ -0,0 +1,14 @@
+locals {
+  module_tag = {
+    "module" = basename(abspath(path.module))
+  }
+  #tags = merge(local.module_tag, try(var.settings.tags, null), var.base_tags)
+}
+
+terraform {
+  required_providers {
+    azurecaf = {
+      source = "aztfmod/azurecaf"
+    }
+  }
+}

modules/webapps/appservice/locals.dynamic_app_settings.tf

@@ -0,0 +1,27 @@
+locals {
+  # Expected Variable: dynamic_app_settings = {
+  #                      "KEYVAULT_URL" = {
+  #                         keyvaults = {
+  #                           my_common_vault = {
+  #                             lz_key = "common_services_lz"
+  #                             attribute_key = "vault_uri"
+  #                           }
+  #                         }
+  #                      }
+  #                     }
+  dynamic_settings_to_process = {
+    for setting in
+    flatten(
+      [                                                            
+        for setting_name, resources in var.dynamic_app_settings : [
+          for resource_type_key, resource in resources : [ 
+            for object_id_key, object_attributes in resource : {
+                key   = setting_name
+                value = try(var.combined_objects[resource_type_key][object_attributes.lz_key][object_id_key][object_attributes.attribute_key], var.combined_objects[resource_type_key][var.client_config.landingzone_key][object_id_key][object_attributes.attribute_key])
+            }
+          ]
+        ]
+      ]
+    ) : setting.key => setting.value
+  }
+}

modules/webapps/appservice/main.tf

@@ -15,7 +15,7 @@ locals {
 
   arm_filename = "${path.module}/arm_site_config.json"
 
-  app_settings = merge(try(var.app_settings, {}), var.application_insight == null ? {} :
+  app_settings = merge(try(var.app_settings, {}), try(local.dynamic_settings_to_process, {}), var.application_insight == null ? {} :
     {
       "APPINSIGHTS_INSTRUMENTATIONKEY"             = var.application_insight.instrumentation_key,
       "APPLICATIONINSIGHTS_CONNECTION_STRING"      = var.application_insight.connection_string,

modules/webapps/appservice/managed_identities.tf

@@ -1,14 +1,14 @@
 locals {
   managed_local_identities = flatten([
     for managed_identity_key in try(var.identity.managed_identity_keys, []) : [
-      var.managed_identities[var.client_config.landingzone_key][managed_identity_key].id
+      var.combined_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id
     ]
   ])
 
   managed_remote_identities = flatten([
     for keyvault_key, value in try(var.identity.remote, []) : [
       for managed_identity_key in value.managed_identity_keys : [
-        var.managed_identities[keyvault_key][managed_identity_key].id
+        var.combined_objects.managed_identities[keyvault_key][managed_identity_key].id
       ]
     ]
   ])

modules/webapps/appservice/variables.tf

@@ -31,6 +31,10 @@ variable app_settings {
   default = null
 }
 
+variable dynamic_app_settings {
+  default = {}
+}
+
 variable slots {
   default = {}
 }
@@ -52,6 +56,6 @@ variable base_tags {
   type        = map
 }
 
-variable managed_identities {
+variable combined_objects {
   default = {}
 }

modules/webapps/function_app/locals.dynamic_app_settings.tf

@@ -0,0 +1,27 @@
+locals {
+  # Expected Variable: dynamic_app_settings = {
+  #                      "KEYVAULT_URL" = {
+  #                         keyvaults = {
+  #                           my_common_vault = {
+  #                             lz_key = "common_services_lz"
+  #                             attribute_key = "vault_uri"
+  #                           }
+  #                         }
+  #                      }
+  #                     }
+  dynamic_settings_to_process = {
+    for setting in
+    flatten(
+      [                                                            
+        for setting_name, resources in var.dynamic_app_settings : [
+          for resource_type_key, resource in resources : [ 
+            for object_id_key, object_attributes in resource : {
+                key   = setting_name
+                value = try(var.combined_objects[resource_type_key][object_attributes.lz_key][object_id_key][object_attributes.attribute_key], var.combined_objects[resource_type_key][var.client_config.landingzone_key][object_id_key][object_attributes.attribute_key])
+            }
+          ]
+        ]
+      ]
+    ) : setting.key => setting.value
+  }
+}

modules/webapps/function_app/main.tf

@@ -15,7 +15,7 @@ locals {
 
   arm_filename = "${path.module}/arm_site_config.json"
 
-  app_settings = merge(try(var.app_settings, {}), var.application_insight == null ? {} :
+  app_settings = merge(try(var.app_settings, {}), try(local.dynamic_settings_to_process, {}), var.application_insight == null ? {} :
     {
       "APPINSIGHTS_INSTRUMENTATIONKEY"             = var.application_insight.instrumentation_key,
       "APPLICATIONINSIGHTS_CONNECTION_STRING"      = var.application_insight.connection_string,

modules/webapps/function_app/managed_identities.tf

@@ -1,14 +1,14 @@
 locals {
   managed_local_identities = flatten([
     for managed_identity_key in try(var.identity.managed_identity_keys, []) : [
-      var.managed_identities[var.client_config.landingzone_key][managed_identity_key].id
+      var.combined_objects.managed_identities[var.client_config.landingzone_key][managed_identity_key].id
     ]
   ])
 
   managed_remote_identities = flatten([
     for keyvault_key, value in try(var.identity.remote, []) : [
       for managed_identity_key in value.managed_identity_keys : [
-        var.managed_identities[keyvault_key][managed_identity_key].id
+        var.combined_objects.managed_identities[keyvault_key][managed_identity_key].id
       ]
     ]
   ])

modules/webapps/function_app/variables.tf

@@ -52,8 +52,12 @@ variable application_insight {
 
 variable base_tags {}
 
-variable managed_identities {
+variable combined_objects {
   default = {}
 }
 
 variable client_config {}
+
+variable dynamic_app_settings {
+  default = {}
+}