hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Container apps - Mounting volumes from secret is broken #25448

Open jamesla opened 7 months ago

jamesla commented 7 months ago

Is there an existing issue for this?

Community Note

Terraform Version

1.7.5

AzureRM Provider Version

3.9.7

Affected Resource(s)/Data Source(s)

azurerm_container_app

Terraform Configuration Files

Secret based mounted volumes are in a semi working state:

In order for secrets to be mounted properly at a correct path there is an additional bit of config related to the way the volume is defined.

Microsoft example below (note the secretRef block in their implementation):

  ...
  template:
    containers:
    - image: repo/testcontainerApp0:v1
      name: testcontainerApp0
      probes:
      - type: Liveness
        httpGet:
          path: "/health"
          port: 8080
          httpHeaders:
          - name: Custom-Header
            value: Awesome
        initialDelaySeconds: 3
        periodSeconds: 3
      volumeMounts:
      - mountPath: "/myempty"
        volumeName: myempty
      - mountPath: "/myfiles"
        volumeName: azure-files-volume
      - mountPath: "/mysecrets"
        volumeName: mysecrets
    volumes:
    - name: myempty
      storageType: EmptyDir
    - name: azure-files-volume
      storageType: AzureFile
      storageName: myazurefiles
    - name: mysecrets
      storageType: Secret
      secrets:
      - secretRef: mysecret
        path: mysecret.txt
      ...

Currently the azurerm provider does not support the secretRef block and incorrectly uses the name of the secret as the file that is being mounted.

The following example will work and will mount a file at /etc/hello with the contents of "test".

resource "azurerm_container_app" "app" {
  name                         = "prom-hcl-test"
  container_app_environment_id = azurerm_container_app_environment.app_env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  secret {
    name  = "hello"
    value = "test"
  }

  template {
    container {
      name   = "prometheus-hcl"
      image  = "prom/prometheus"
      cpu    = 0.25
      memory = "0.5Gi"

      volume_mounts {
        name = "hello"
        path = "/etc"
      }
    }

    volume {
      name         = "hello"
      storage_type = "Secret"
    }
  }
}

However, given that files generally use file extensions, the following will not work because a '.' is not valid in an Azure secret resource name.

resource "azurerm_container_app" "app" {
  name                         = "prom-hcl-test"
  container_app_environment_id = azurerm_container_app_environment.app_env.id
  resource_group_name          = azurerm_resource_group.rg.name
  revision_mode                = "Single"

  secret {
    name  = "hello.yaml"
    value = "test"
  }

  template {
    container {
      name   = "prometheus-hcl"
      image  = "prom/prometheus"
      cpu    = 0.25
      memory = "0.5Gi"

      volume_mounts {
        name = "hello.yaml"
        path = "/etc"
      }
    }

    volume {
      name         = "hello.yaml"
      storage_type = "Secret"
    }
  }
}

Debug Output/Panic Output

Error: "secret.0.name" must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character

Expected Behaviour

Should be able to mount volumes from secrets with file extensions.

Additional options should be added to the volume to match Azure's implementation, i.e.:

volume {
  name         = "hello" 
  storage_type = "Secret"

  storage_ref {
    name = "hello"
    path = "/etc/hello.yaml"
  }
}

Actual Behaviour

No response

Steps to Reproduce

see above

Important Factoids

No response

References

No response
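To make the difference between the two volume shapes concrete, here is an added Python model (not code from the issue, the provider, or Microsoft) of how a Container App `volumes` entry of `storageType: Secret` turns into files inside the container. It follows the `secretRef`/`path` shape from the Microsoft YAML above, where `path` is relative to the mount point, and models the provider's current shape (no `secrets` list) as producing a file named after the volume, which in the issue's example is also the secret name. The dict keys mirror the YAML; the container name, secret names and mount paths are constructed sample values, and the checks on `secretRef` and `path` are assumptions about what a sensible validator would enforce, not documented API rules.

```python
import posixpath


def build_secret_volume(volume_name, files, declared_secrets):
    """Return a volumes[] entry in the secretRef/path shape from the YAML above.

    files: mapping of file path (relative to the mount point) -> secret name.
    The secret name stays free of file-extension characters; the extension
    lives in `path` instead, which is the point of the secretRef block.
    """
    entries = []
    for rel_path, secret_name in files.items():
        if secret_name not in declared_secrets:
            raise ValueError(f"secretRef {secret_name!r} is not a declared secret")
        norm = posixpath.normpath(rel_path)
        # Assumed check: the file must stay inside the mounted directory.
        if rel_path.startswith("/") or norm.startswith("..") or norm == ".":
            raise ValueError(f"path {rel_path!r} must be relative and stay inside the mount")
        entries.append({"secretRef": secret_name, "path": norm})
    return {"name": volume_name, "storageType": "Secret", "secrets": entries}


def resolve_mounted_files(template):
    """Return {container name: sorted file paths} produced by Secret volumes.

    `template` mirrors the `template:` section of the YAML above:
    {"containers": [{"name", "volumeMounts": [{"mountPath", "volumeName"}]}],
     "volumes": [{"name", "storageType", "secrets"?}]}
    """
    volumes = {v["name"]: v for v in template.get("volumes", [])}
    result = {}
    for container in template["containers"]:
        paths = []
        for mount in container.get("volumeMounts", []):
            vol = volumes.get(mount["volumeName"])
            if vol is None:
                raise ValueError(f"volumeMounts refers to unknown volume {mount['volumeName']!r}")
            if vol["storageType"] != "Secret":
                continue  # EmptyDir / AzureFile contents are not known statically
            if vol.get("secrets"):
                # secretRef shape: each entry lands at mountPath/path
                for entry in vol["secrets"]:
                    paths.append(posixpath.join(mount["mountPath"], entry["path"]))
            else:
                # No secrets list (the provider's current shape): modelled as a
                # file named after the volume, which in the issue's example is
                # the secret name itself. Assumption for this example.
                paths.append(posixpath.join(mount["mountPath"], vol["name"]))
        result[container["name"]] = sorted(paths)
    return result


def example_template():
    """Constructed template combining both shapes side by side."""
    declared = {"hello", "mysecret"}
    return {
        "containers": [{
            "name": "app",
            "volumeMounts": [
                {"mountPath": "/mysecrets", "volumeName": "mysecrets"},
                {"mountPath": "/etc", "volumeName": "hello"},
            ],
        }],
        "volumes": [
            build_secret_volume("mysecrets", {"mysecret.txt": "mysecret"}, declared),
            {"name": "hello", "storageType": "Secret"},  # provider's current shape
        ],
    }


if __name__ == "__main__":
    for name, files in resolve_mounted_files(example_template()).items():
        print(name, files)
```

Running it shows the contrast the issue describes: the `secretRef` volume yields `/mysecrets/mysecret.txt` from a secret simply called `mysecret`, while the volume without a `secrets` list yields `/etc/hello`, so a file extension can only be obtained by putting it in the secret name.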

NicholasMcGrath commented 6 months ago

bump

beparmentier commented 3 months ago

Hello,

It's actually an Azure API restriction.

I've got the same issue using the Azure portal.

[screenshot attachment]