Modeled after Microsoft ARM documentation
This example demonstrates using a managed identity with Azure App Service to access Azure KeyVault, Azure Storage, and Azure SQL Database without passwords or secrets.
The application consists of several parts:
- A SQL Server to rotate credentials
- A KeyVault that stores the credentials of the SQL Server
- A KeyVault that is only accessible to the WebApp and Function (through Managed Identity)
- An Azure Function that generates a new secret and sets it in SQL Server and Key Vault
- An Azure WebApp that shows that the secret is changing and still accessible
- An EventGrid subscription to receive SecretNearExpiry events from KeyVault and, in turn, call the Azure Function
IMPORTANT: For example purposes, new secrets are continually generated. Make sure to change the validityPeriod or destroy the stack when you are done.
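The rotation flow the components above implement, written out as an added Python example (it is not the project's own Function code). The Key Vault and SQL Server clients are constructed in-memory stand-ins for the real SDK calls the Function makes through its managed identity; the event shape follows the `Microsoft.KeyVault.SecretNearExpiry` Event Grid schema, and the vault name, login and secret name are assumed values.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Key Vault that only the Function and WebApp can reach.
@dataclass
class FakeKeyVault:
    name: str
    store: dict = field(default_factory=dict)  # secret name -> (value, expires_on)

    def set_secret(self, name, value, expires_on):
        self.store[name] = (value, expires_on)

    def get_secret(self, name):
        return self.store[name]

# Constructed stand-in for the SQL Server whose login password is rotated.
@dataclass
class FakeSqlServer:
    logins: dict = field(default_factory=dict)  # login -> current password

    def alter_login_password(self, login, new_password):
        if login not in self.logins:
            raise KeyError(f"unknown login {login}")
        self.logins[login] = new_password

ALPHABET = string.ascii_letters + string.digits + "!#$%^&*-_+="

def generate_password(length=32):
    """CSPRNG-backed password with upper, lower and digit classes present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def rotate(event, vault, sql, login, validity_period=timedelta(hours=1)):
    """Handle one Event Grid event delivered to the Function.

    Returns True when a rotation was performed. Events that are not a
    SecretNearExpiry for this vault are ignored so that an unrelated or
    replayed event cannot trigger a rotation.
    """
    if event.get("eventType") != "Microsoft.KeyVault.SecretNearExpiry":
        return False
    data = event.get("data", {})
    if data.get("VaultName") != vault.name:
        return False
    secret_name = data["ObjectName"]

    new_pw = generate_password()
    # Change SQL first: if that fails, Key Vault still holds the password that works.
    sql.alter_login_password(login, new_pw)
    # Setting a new expiry is what makes Key Vault emit the next SecretNearExpiry event.
    expires_on = datetime.now(timezone.utc) + validity_period
    vault.set_secret(secret_name, new_pw, expires_on)
    return True

def demo():
    """One full rotation round trip on the constructed stand-ins."""
    vault = FakeKeyVault(name="kv-sql-demo")          # assumed vault name
    vault.set_secret("sql-password", "Initial-Pass-1", None)
    sql = FakeSqlServer(logins={"appuser": "Initial-Pass-1"})  # assumed login
    event = {  # constructed Event Grid event
        "eventType": "Microsoft.KeyVault.SecretNearExpiry",
        "data": {"VaultName": "kv-sql-demo", "ObjectName": "sql-password",
                 "ObjectType": "Secret", "Version": "v1"},
    }
    rotated = rotate(event, vault, sql, "appuser", timedelta(minutes=30))
    # After rotation the WebApp reads the new value from Key Vault and it matches SQL.
    return rotated, sql.logins["appuser"], vault.get_secret("sql-password")[0]

if __name__ == "__main__":
    print(demo())
```

The important property for the WebApp is the last line of `demo()`: whatever the Function wrote to SQL Server is exactly what the WebApp will read back from Key Vault, so the site keeps working across rotations. The `validity_period` argument plays the role of the stack's validityPeriod setting.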
To deploy your infrastructure, follow the steps below.
- Create a new stack:

  ```bash
  $ pulumi stack init dev
  ```

- Login to Azure CLI (you will be prompted to do this during deployment if you forget this step):

  ```bash
  $ az login
  ```

- Build and publish the ASP.NET Core project:

  ```bash
  $ dotnet publish webapp
  ```

- Set the Azure region location to use:

  ```bash
  $ pulumi config set azure-native:location westus2
  ```

- Run `pulumi up` to preview and deploy changes:

  ```bash
  $ pulumi up
  ```

- Check the deployed website endpoint:

  ```bash
  $ pulumi stack output WebAppEndpoint
  https://app129968b8.azurewebsites.net/
  $ Start-Process "$(pulumi stack output WebAppEndpoint)"
  ```

- From there, feel free to experiment. Simply making edits and running `pulumi up` will incrementally update your stack.

- Once you've finished experimenting, tear down your stack's resources by destroying and removing it:

  ```bash
  $ pulumi destroy --yes
  $ pulumi stack rm --yes
  ```