[IaC] Create app registration for BFF app using terraform

rufer7 · rufer7 · commit 8dd25d646add · 2025-11-02T20:23:24.000+01:00
#2
diff --git a/iac/icon-192.png b/iac/icon-192.png
diff --git a/iac/main-appsrv.tf b/iac/main-appsrv.tf
@@ -26,7 +26,11 @@ resource "azurerm_linux_web_app" "appsrv" {
   }
   app_settings = merge(
     {
-      "WEBSITE_RUN_FROM_PACKAGE" = "1"
+      "WEBSITE_RUN_FROM_PACKAGE"       = "1"
+      "MicrosoftEntraID__Domain"       = data.azuread_domains.aad_domains.domains[0].domain_name
+      "MicrosoftEntraID__TenantId"     = var.tenant_id
+      "MicrosoftEntraID__ClientId"     = azuread_application.aadapp.client_id
+      "MicrosoftEntraID__ClientSecret" = azuread_application_password.aadapppwd.value
     }
   )
   lifecycle {
diff --git a/iac/main-entraid.tf b/iac/main-entraid.tf
@@ -0,0 +1,41 @@
+locals {
+  dev_redirect_uris    = ["https://localhost:5001/signin-oidc", "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"]
+  nondev_redirect_uris = var.custom_domain_name != "" ? ["https://${var.custom_domain_name}/signin-oidc", "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"] : ["https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signin-oidc"]
+}
+
+resource "azuread_application" "aadapp" {
+  display_name     = format("%s Application %s", var.resource_prefix, var.stage)
+  identifier_uris  = []
+  sign_in_audience = "AzureADMyOrg"
+  logo_image       = filebase64("icon-192.png")
+  web {
+    redirect_uris = var.stage == "dev" ? local.dev_redirect_uris : local.nondev_redirect_uris
+    logout_url    = var.custom_domain_name != "" ? "https://${var.custom_domain_name}/signout-callback-oidc" : "https://${replace(local.name_template, "<service>", "appsrv")}.azurewebsites.net/signout-callback-oidc"
+  }
+  api {
+    requested_access_token_version = 2
+  }
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000"
+    resource_access {
+      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" // User.Read
+      type = "Scope"
+    }
+  }
+}
+
+resource "time_rotating" "example" {
+  rotation_days = 7
+}
+
+resource "azuread_application_password" "aadapppwd" {
+  display_name   = "apppwd"
+  application_id = azuread_application.aadapp.id
+  rotate_when_changed = {
+    rotation = time_rotating.example.id
+  }
+}
+
+resource "azuread_service_principal" "aadapp-sp" {
+  client_id = azuread_application.aadapp.client_id
+}

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,11 @@ resource "azurerm_linux_web_app" "appsrv" {`
`26`	`26`	`}`
`27`	`27`	`app_settings = merge(`
`28`	`28`	`{`
`29`		`- "WEBSITE_RUN_FROM_PACKAGE" = "1"`
	`29`	`+ "WEBSITE_RUN_FROM_PACKAGE" = "1"`
	`30`	`+ "MicrosoftEntraID__Domain" = data.azuread_domains.aad_domains.domains[0].domain_name`
	`31`	`+ "MicrosoftEntraID__TenantId" = var.tenant_id`
	`32`	`+ "MicrosoftEntraID__ClientId" = azuread_application.aadapp.client_id`
	`33`	`+ "MicrosoftEntraID__ClientSecret" = azuread_application_password.aadapppwd.value`
`30`	`34`	`}`
`31`	`35`	`)`
`32`	`36`	`lifecycle {`