add kv to terraform sample of aci sample app

Author: DrisDary

samples/aci-blob-storage/python/terraform/deploy.sh

@@ -128,6 +128,7 @@ fi
 # Get the output values
 RESOURCE_GROUP_NAME=$(terraform output -raw resource_group_name)
 STORAGE_ACCOUNT_NAME=$(terraform output -raw storage_account_name)
+KEY_VAULT_NAME=$(terraform output -raw key_vault_name)
 ACR_NAME=$(terraform output -raw acr_name)
 ACI_GROUP_NAME=$(terraform output -raw aci_group_name)
 FQDN=$(terraform output -raw fqdn)
@@ -138,6 +139,7 @@ echo "Deployment Complete!"
 echo "============================================================"
 echo "Resource Group:    $RESOURCE_GROUP_NAME"
 echo "Storage Account:   $STORAGE_ACCOUNT_NAME"
+echo "Key Vault:         $KEY_VAULT_NAME"
 echo "ACR:               $ACR_NAME"
 echo "ACI Container:     $ACI_GROUP_NAME"
 echo "FQDN:              $FQDN"

samples/aci-blob-storage/python/terraform/main.tf

@@ -2,10 +2,14 @@
 locals {
   resource_group_name  = "${var.prefix}-aci-rg"
   storage_account_name = "${var.prefix}acistorage${var.suffix}"
+  key_vault_name       = "${var.prefix}acikv${var.suffix}"
   acr_name             = "${var.prefix}aciacr${var.suffix}"
   aci_group_name       = "${var.prefix}-aci-planner-${var.suffix}"
 }
 
+# Get the current client configuration (for tenant_id)
+data "azurerm_client_config" "current" {}
+
 # Create a resource group
 resource "azurerm_resource_group" "example" {
   name     = local.resource_group_name
@@ -37,6 +41,30 @@ resource "azurerm_storage_container" "example" {
   container_access_type = "private"
 }
 
+# Create Key Vault
+resource "azurerm_key_vault" "example" {
+  name                       = local.key_vault_name
+  resource_group_name        = azurerm_resource_group.example.name
+  location                   = azurerm_resource_group.example.location
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "standard"
+  enable_rbac_authorization  = true
+  tags                       = var.tags
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}
+
+# Store the storage connection string in Key Vault
+resource "azurerm_key_vault_secret" "storage_conn" {
+  name         = "storage-conn"
+  value        = "DefaultEndpointsProtocol=http;AccountName=${azurerm_storage_account.example.name};AccountKey=${azurerm_storage_account.example.primary_access_key};BlobEndpoint=${azurerm_storage_account.example.primary_blob_endpoint}"
+  key_vault_id = azurerm_key_vault.example.id
+}
+
 # Reference the pre-created ACR (created by deploy.sh before terraform apply)
 data "azurerm_container_registry" "example" {
   name                = local.acr_name
@@ -76,7 +104,7 @@ resource "azurerm_container_group" "example" {
     }
 
     secure_environment_variables = {
-      AZURE_STORAGE_CONNECTION_STRING = "DefaultEndpointsProtocol=http;AccountName=${azurerm_storage_account.example.name};AccountKey=${azurerm_storage_account.example.primary_access_key};BlobEndpoint=${azurerm_storage_account.example.primary_blob_endpoint}"
+      AZURE_STORAGE_CONNECTION_STRING = azurerm_key_vault_secret.storage_conn.value
     }
   }
 

samples/aci-blob-storage/python/terraform/outputs.tf

@@ -6,6 +6,10 @@ output "storage_account_name" {
   value = azurerm_storage_account.example.name
 }
 
+output "key_vault_name" {
+  value = azurerm_key_vault.example.name
+}
+
 output "acr_name" {
   value = data.azurerm_container_registry.example.name
 }