fix/make container apps a single instance resource as per AVM

Author: kewalaka

README.md

@@ -49,7 +49,9 @@ The following providers are used by this module:
 The following resources are used by this module:
 
 - [azapi_resource.container_app](https://registry.terraform.io/providers/Azure/azapi/1.9.0/docs/resources/resource) (resource)
+- [azurerm_management_lock.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) (resource)
 - [azurerm_resource_group_template_deployment.telemetry](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment) (resource)
+- [azurerm_role_assignment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) (resource)
 - [random_id.telem](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) (resource)
 - [azurerm_resource_group.rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) (data source)
 
@@ -71,7 +73,7 @@ Description: Specifies the container apps in the managed environment.
 Type:
 
 ```hcl
-list(object({
+object({
     name          = string
     revision_mode = optional(string, "Single")
 
@@ -255,7 +257,7 @@ list(object({
         storageType = string
       })))
     })
-  }))
+  })
 ```
 
 ### <a name="input_name"></a> [name](#input\_name)
@@ -292,6 +294,42 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_lock"></a> [lock](#input\_lock)
+
+Description: The lock level to apply to the Container App. Default is `None`. Possible values are `None`, `CanNotDelete`, and `ReadOnly`.
+
+Type:
+
+```hcl
+object({
+    name = optional(string, null)
+    kind = optional(string, "None")
+
+  })
+```
+
+Default: `{}`
+
+### <a name="input_role_assignments"></a> [role\_assignments](#input\_role\_assignments)
+
+Description: required AVM interfaces
+
+Type:
+
+```hcl
+map(object({
+    role_definition_id_or_name             = string
+    principal_id                           = string
+    description                            = optional(string, null)
+    skip_service_principal_aad_check       = optional(bool, true)
+    condition                              = optional(string, null)
+    condition_version                      = optional(string, "2.0")
+    delegated_managed_identity_resource_id = optional(string)
+  }))
+```
+
+Default: `{}`
+
 ### <a name="input_tags"></a> [tags](#input\_tags)
 
 Description: Custom tags to apply to the resource.

examples/default/README.md

@@ -56,7 +56,7 @@ module "container_app" {
   container_app_environment_resource_id = azurerm_container_app_environment.this.id
 
   workload_profile_name = "Consumption"
-  container_apps = [{
+  container_apps = {
     name = "helloworld"
     configuration = {
       ingress = {
@@ -77,8 +77,7 @@ module "container_app" {
         maxReplicas = 1
       }
     }
-    }
-  ]
+  }
 }
 ```
 

examples/default/main.tf

@@ -50,7 +50,7 @@ module "container_app" {
   container_app_environment_resource_id = azurerm_container_app_environment.this.id
 
   workload_profile_name = "Consumption"
-  container_apps = [{
+  container_apps = {
     name = "helloworld"
     configuration = {
       ingress = {
@@ -71,6 +71,5 @@ module "container_app" {
         maxReplicas = 1
       }
     }
-    }
-  ]
+  }
 }

locals.tf

@@ -1,3 +1,4 @@
 locals {
-  location = var.location != null ? var.location : data.azurerm_resource_group.rg.location
+  location                           = var.location != null ? var.location : data.azurerm_resource_group.rg.location
+  role_definition_resource_substring = "/providers/Microsoft.Authorization/roleDefinitions"
 }

main.tf

@@ -3,7 +3,6 @@ data "azurerm_resource_group" "rg" {
 }
 
 resource "azapi_resource" "container_app" {
-  for_each                  = { for app in var.container_apps : app.name => app }
   type                      = "Microsoft.App/containerApps@2023-05-01"
   schema_validation_enabled = false
   name                      = var.name
@@ -18,38 +17,38 @@ resource "azapi_resource" "container_app" {
   body = jsonencode({
     properties = {
       configuration = {
-        activeRevisionsMode  = try(each.value.revision_mode, "Single")
-        dapr                 = try(each.value.dapr, null)
-        ingress              = try(each.value.ingress, null)
-        maxInactiveRevisions = try(each.value.maxInactiveRevisions, null)
-        registries           = try(each.value.registries, null)
-        secrets              = try(each.value.secrets, null)
-        service              = try(each.value.service, null)
+        activeRevisionsMode  = try(var.container_apps.revision_mode, "Single")
+        dapr                 = try(var.container_apps.dapr, null)
+        ingress              = try(var.container_apps.ingress, null)
+        maxInactiveRevisions = try(var.container_apps.maxInactiveRevisions, null)
+        registries           = try(var.container_apps.registries, null)
+        secrets              = try(var.container_apps.secrets, null)
+        service              = try(var.container_apps.service, null)
       }
       environmentId       = var.container_app_environment_resource_id
-      template            = each.value.template
+      template            = var.container_apps.template
       workloadProfileName = var.workload_profile_name
     }
   })
 
   response_export_values = ["identity"]
 }
 
-# resource "azurerm_management_lock" "this" {
-#   count      = var.lock.kind != "None" ? 1 : 0
-#   name       = coalesce(var.lock.name, "lock-${var.name}")
-#   scope      = azapi_resource.container_app.id
-#   lock_level = var.lock.kind
-# }
+resource "azurerm_management_lock" "this" {
+  count      = var.lock.kind != "None" ? 1 : 0
+  name       = coalesce(var.lock.name, "lock-${var.name}")
+  scope      = azapi_resource.container_app.id
+  lock_level = var.lock.kind
+}
 
-# resource "azurerm_role_assignment" "this" {
-#   for_each                               = var.role_assignments
-#   scope                                  = azapi_resource.container_app.id
-#   role_definition_id                     = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null
-#   role_definition_name                   = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name
-#   principal_id                           = each.value.principal_id
-#   condition                              = each.value.condition
-#   condition_version                      = each.value.condition_version
-#   skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
-#   delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
-# }
+resource "azurerm_role_assignment" "this" {
+  for_each                               = var.role_assignments
+  scope                                  = azapi_resource.container_app.id
+  role_definition_id                     = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null
+  role_definition_name                   = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name
+  principal_id                           = each.value.principal_id
+  condition                              = each.value.condition
+  condition_version                      = each.value.condition_version
+  skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
+  delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
+}

variables.containerapps.tf

@@ -34,7 +34,7 @@ variable "workload_profile_name" {
 
 variable "container_apps" {
   description = "Specifies the container apps in the managed environment."
-  type = list(object({
+  type = object({
     name          = string
     revision_mode = optional(string, "Single")
 
@@ -218,5 +218,5 @@ variable "container_apps" {
         storageType = string
       })))
     })
-  }))
+  })
 }

variables.tf

@@ -16,54 +16,31 @@ variable "resource_group_name" {
 
 
 //required AVM interfaces
+variable "role_assignments" {
+  type = map(object({
+    role_definition_id_or_name             = string
+    principal_id                           = string
+    description                            = optional(string, null)
+    skip_service_principal_aad_check       = optional(bool, true)
+    condition                              = optional(string, null)
+    condition_version                      = optional(string, "2.0")
+    delegated_managed_identity_resource_id = optional(string)
+  }))
+  default = {}
+}
 
-# variable "diagnostic_settings" {
-#   type = map(object({
-#     name                                     = optional(string, null)
-#     log_categories_and_groups                = optional(set(string), ["allLogs"])
-#     metric_categories                        = optional(set(string), ["AllMetrics"])
-#     log_analytics_destination_type           = optional(string, "Dedicated")
-#     workspace_resource_id                    = optional(string, null)
-#     storage_account_resource_id              = optional(string, null)
-#     event_hub_authorization_rule_resource_id = optional(string, null)
-#     event_hub_name                           = optional(string, null)
-#     marketplace_partner_resource_id          = optional(string, null)
-#   }))
-#   default  = {}
-#   nullable = false
-
-#   validation {
-#     condition     = alltrue([for _, v in var.diagnostic_settings : contains(["Dedicated", "AzureDiagnostics"], v.log_analytics_destination_type)])
-#     error_message = "Log analytics destination type must be one of: 'Dedicated', 'AzureDiagnostics'."
-#   }
-# }
-
-
-# variable "role_assignments" {
-#   type = map(object({
-#     role_definition_id_or_name             = string
-#     principal_id                           = string
-#     description                            = optional(string, null)
-#     skip_service_principal_aad_check       = optional(bool, true)
-#     condition                              = optional(string, null)
-#     condition_version                      = optional(string, "2.0")
-#     delegated_managed_identity_resource_id = optional(string)
-#   }))
-#   default = {}
-# }
-
-# variable "lock" {
-#   type = object({
-#     name = optional(string, null)
-#     kind = optional(string, "None")
+variable "lock" {
+  type = object({
+    name = optional(string, null)
+    kind = optional(string, "None")
 
 
-#   })
-#   description = "The lock level to apply to the Container App. Default is `None`. Possible values are `None`, `CanNotDelete`, and `ReadOnly`."
-#   default     = {}
-#   nullable    = false
-#   validation {
-#     condition     = contains(["CanNotDelete", "ReadOnly", "None"], var.lock.kind)
-#     error_message = "The lock level must be one of: 'None', 'CanNotDelete', or 'ReadOnly'."
-#   }
-# }
+  })
+  description = "The lock level to apply to the Container App. Default is `None`. Possible values are `None`, `CanNotDelete`, and `ReadOnly`."
+  default     = {}
+  nullable    = false
+  validation {
+    condition     = contains(["CanNotDelete", "ReadOnly", "None"], var.lock.kind)
+    error_message = "The lock level must be one of: 'None', 'CanNotDelete', or 'ReadOnly'."
+  }
+}