fix(infra): ensure correct permissions to key vault from jobs #2324

arealmaas · 2025-05-22T10:46:52Z

Description

We create user-assigned identity for the jobs. There is some weird behaviour for the container app jobs now relating to secrets. This might be the underlying issue..

Related Issue(s)

#N/A

Verification

Your code builds clean without any errors or warnings
Manual testing done (required)
Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

coderabbitai · 2025-05-22T10:46:58Z

📝 Walkthrough

Walkthrough

The changes update Bicep templates to use a user-assigned managed identity for accessing Key Vault secrets instead of a system-assigned identity. Additionally, the type constraint for the identity property in the container app job module is generalized from a fixed value to a string, allowing greater flexibility in specifying identity references.

Changes

File(s)	Change Summary
.azure/applications/sync-resource-policy-information-job/main.bicep .azure/applications/sync-subject-resource-mappings-job/main.bicep .azure/applications/web-api-migration-job/main.bicep	Updated the `identity` property for Key Vault secrets from `'System'` to reference `managedIdentity.id`, switching from system-assigned to user-assigned managed identity.
.azure/modules/containerAppJob/main.bicep	Changed the `identity` property type in the `secrets` parameter from the literal `'System'` to `string`, removing the restriction to only the system-assigned identity.

Suggested reviewers

elsand
oskogstad

Note

⚡️ AI Code Reviews for VS Code, Cursor, Windsurf

CodeRabbit now has a plugin for VS Code, Cursor and Windsurf. This brings AI code reviews directly in the code editor. Each commit is reviewed immediately, finding bugs before the PR is raised. Seamless context handoff to your AI code agent ensures that you can easily incorporate review feedback.
Learn more here.

Note

⚡️ Faster reviews with caching

CodeRabbit now supports caching for code and dependencies, helping speed up reviews. This means quicker feedback, reduced wait times, and a smoother review experience overall. Cached data is encrypted and stored securely. This feature will be automatically enabled for all accounts on May 30th. To opt out, configure Review - Disable Cache at either the organization or repository level. If you prefer to disable all data retention across your organization, simply turn off the Data Retention setting under your Organization Settings.
Enjoy the performance boost—your workflow just got faster.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

.azure/modules/containerAppJob/main.bicep (1)
16-17: Clarify the secrets parameter description.
Consider updating the parameter description to mention that identity should be the resource ID of a user-assigned managed identity:
- @description('The secrets to be used in the job')
+ @description('The secrets to be used in the job, including a name, keyVaultUrl, and the resource ID of the identity to use for accessing Key Vault')

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 837c4a3 and 9ff3ada.

📒 Files selected for processing (4)

.azure/applications/sync-resource-policy-information-job/main.bicep (1 hunks)
.azure/applications/sync-subject-resource-mappings-job/main.bicep (1 hunks)
.azure/applications/web-api-migration-job/main.bicep (1 hunks)
.azure/modules/containerAppJob/main.bicep (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)

GitHub Check: Dry run deploy infrastructure / Deploy to test
GitHub Check: build / build-and-test

🔇 Additional comments (6)

.azure/modules/containerAppJob/main.bicep (1)

16-17: Generalize identity parameter type to support user-assigned identities.
The change from a fixed 'System' literal to a string type correctly enables support for user-assigned managed identities.

.azure/applications/web-api-migration-job/main.bicep (1)

67-67: Use user-assigned managed identity for Key Vault access.
Switching identity from the fixed 'System' to managedIdentity.id aligns with the module's generalized identity parameter and enables container app jobs to leverage a user-assigned managed identity.

.azure/applications/sync-subject-resource-mappings-job/main.bicep (2)

92-92: Leverage user-assigned managed identity for DB secret access.
Updating identity to managedIdentity.id ensures the job uses the designated user-assigned identity for Key Vault retrieval.

97-97: Use user-assigned identity for Redis secret retrieval.
Switching identity to managedIdentity.id aligns with the module signature and grants the appropriate identity for accessing the Redis secret.

.azure/applications/sync-resource-policy-information-job/main.bicep (2)

92-92: Configure user-assigned identity for DB secret.
Changing identity to reference managedIdentity.id enables the job to use the user-assigned identity for Key Vault access.

97-97: Apply user-assigned managed identity for Redis secret.
Switching from a static 'System' literal to managedIdentity.id ensures the job uses the correct user-assigned identity for secret retrieval.

fix(infra): ensure correct permissions to key vault from jobs

9ff3ada

arealmaas requested review from a team as code owners May 22, 2025 10:46

knuhau approved these changes May 22, 2025

View reviewed changes

coderabbitai bot reviewed May 22, 2025

View reviewed changes

arealmaas merged commit f52f972 into main May 22, 2025
26 checks passed

arealmaas deleted the fix/infra-use-the-managed-identity-for-the-secrets branch May 22, 2025 10:51

dialogporten-bot mentioned this pull request May 22, 2025

chore(main): release 1.66.0 #2282

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(infra): ensure correct permissions to key vault from jobs #2324

fix(infra): ensure correct permissions to key vault from jobs #2324

Uh oh!

Uh oh!

Walkthrough

Changes

Suggested reviewers

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

Documentation and Community

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fix(infra): ensure correct permissions to key vault from jobs #2324

fix(infra): ensure correct permissions to key vault from jobs #2324

Uh oh!

Conversation

Description

Related Issue(s)

Verification

Documentation

Uh oh!

Uh oh!

Walkthrough

Changes

Suggested reviewers

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

Documentation and Community

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!