Redis authentication managed identity #213
Conversation
…dentity client id
…or Azure Cache for Redis
| @@ -26,6 +26,8 @@ resource "azurerm_redis_cache" "cache" { | |||
|
|
|||
| # https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#default-redis-server-configuration | |||
There was a problem hiding this comment.
nit: no need for en-us; if you remove that, it will automatically redirect to the right locale for the user
| @@ -92,6 +106,13 @@ module "dev_application" { | |||
| frontdoor_profile_uuid = module.dev_frontdoor[0].resource_guid | |||
| public_network_access_enabled = true | |||
|
|
|||
| identity = { | |||
| type = "SystemAssigned, UserAssigned" | |||
There was a problem hiding this comment.
does this create both a systemassigned and userassigned? do you need both?
There was a problem hiding this comment.
Yes, this will create both. We need both as Redis is the first use case that uses user assigned managed identity. Key Vault still uses the System Assigned managed identity. We have an item in the backlog to transition to user assigned managed identity.
infra/terraform/cache.tf
Outdated
| count = var.environment == "prod" ? 1 : 0 | ||
| name = "secondarycurrentuser" | ||
| redis_cache_id = module.secondary_cache[0].cache_id | ||
| access_policy_name = "Data Owner" |
There was a problem hiding this comment.
I found Data Contributor was sufficent and least privilege
| count = var.environment == "prod" ? 1 : 0 | ||
| name = "secondaryappuser" | ||
| redis_cache_id = module.secondary_cache[0].cache_id | ||
| access_policy_name = "Data Contributor" |
There was a problem hiding this comment.
I found Data Contributor was sufficient and least privilege
| object_id_alias = azurerm_user_assigned_identity.secondary_app_service_identity[0].principal_id | ||
|
|
||
| depends_on = [ | ||
| azurerm_redis_cache_access_policy_assignment.secondary_current_user |
There was a problem hiding this comment.
maybe leave a comment as an fyi that access policy assignments must be done serially, hence why you're depending on it
There was a problem hiding this comment.
It looks like this was fixed - hashicorp/terraform-provider-azurerm#26085. I'm going to get rid of this dependency.
infra/terraform/cache.tf
Outdated
| count = var.environment == "dev" ? 1 : 0 | ||
| name = "devcurrentuser" | ||
| redis_cache_id = module.dev-cache[0].cache_id | ||
| access_policy_name = "Data Owner" |
| @@ -123,6 +125,11 @@ | |||
| <artifactId>spring-boot-starter-aop</artifactId> | |||
| </dependency> | |||
|
|
|||
| <dependency> | |||
There was a problem hiding this comment.
Why is this dependency necessary?
There was a problem hiding this comment.
Enable support for managed identity authentication for Azure Cache for Redis.