Using azure appservice with role
Creating an Azure App Service with a role assignment involves several steps: provisioning the App Service itself, creating an identity for the App Service, and then assigning a role to that identity. Below is a detailed explanation and a program that demonstrates how to achieve this with Pulumi using TypeScript.
Firstly, we will use the `AppService` and `RoleAssignment` resources. The `AppService` resource creates an instance of an Azure App Service. We will then enable a Managed Service Identity (MSI) for the App Service by setting the `identity` property. This MSI will be used to give the App Service permissions to other Azure resources.

The `RoleAssignment` resource is used to grant the App Service's MSI a specific role, providing it with the necessary permissions. In this example, we're granting the `Contributor` role, but you can change this to any other role that fits your requirements.

Additionally, we will need to include other resources such as `ResourceGroup` to group our resources, and `AppServicePlan` which dictates the underlying compute resources on which our App Service will run.

The `Contributor` role allows the service to manage resources within the scope where it is assigned (the resource group in this program) but does not allow it to grant access to others. If your use case requires different permissions, you may substitute the appropriate role identifier (role definition ID or role name).

Here is your Pulumi program:
```typescript
import * as azure from "@pulumi/azure";
import * as pulumi from "@pulumi/pulumi";

// Create a resource group to contain all the App Service resources
const resourceGroup = new azure.core.ResourceGroup("myresourcegroup");

// Set up an App Service Plan
const appServicePlan = new azure.appservice.Plan("myappserviceplan", {
    resourceGroupName: resourceGroup.name,
    sku: {
        tier: "Basic",
        size: "B1",
    },
});

// Create an App Service with system-assigned managed identity
const appService = new azure.appservice.AppService("myappservice", {
    resourceGroupName: resourceGroup.name,
    appServicePlanId: appServicePlan.id,
    identity: {
        type: "SystemAssigned",
    },
});

// Grant the App Service's managed identity the "Contributor" role in the resource group
const contribRoleAssignment = new azure.authorization.RoleAssignment("contrib-role-assignment", {
    scope: resourceGroup.id,
    roleDefinitionName: "Contributor",
    principalId: appService.identity.apply(id => id.principalId),
}, { dependsOn: [appService] }); // Ensure the app service is created before trying to assign a role to its identity.

// Export the App Service URL so it can be easily accessed
export const appServiceUrl = appService.defaultSiteHostname.apply(hostname => `https://${hostname}`);
```
In this program:

- `ResourceGroup` creates a new group where all the resources will reside.
- `AppServicePlan` defines the pricing tier and capacity for the App Service. Here, we're using a basic B1 size for simplicity. Visit the AppServicePlan documentation for more details and other configurations.
- `AppService` represents the Azure App Service which hosts web applications, REST APIs, and backend services. The `identity` property configures a managed identity for this App Service, which can be used to authenticate with other Azure services that support Azure AD authentication. Check the AppService documentation for further information.
- `RoleAssignment` associates the managed identity with a role (Contributor in this case) that defines what actions the identity can perform within the specified scope. For more information on Role Assignments, explore the RoleAssignment documentation.
The `export` statement at the end of the program is used to output the resulting App Service URL once the deployment is complete. This URL can be used to access the web app deployed on the App Service.

Deploy this Pulumi program by executing `pulumi up` in the Pulumi project directory. Ensure that you have the Azure CLI installed and are logged in with `az login`, and that Pulumi is set up correctly to interact with your Azure subscription.
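Because the role and the scope together decide what the App Service's managed identity can do, it helps to review both before deploying. The following is an added example, not part of the original program or of Pulumi's own code: a plain TypeScript check that classifies a resolved scope string and flags broad built-in roles assigned above single-resource level. The `RoleAssignmentSpec` shape, the function names, the flagging policy and the sample IDs are assumptions made for illustration; in a Pulumi program the scope is an output, so the check would run on its resolved value.

```typescript
// Added example: plain TypeScript, no Pulumi or Azure SDK calls.
type ScopeLevel = "managementGroup" | "subscription" | "resourceGroup" | "resource" | "unknown";

// Hypothetical shape mirroring the RoleAssignment arguments, with scope already resolved.
interface RoleAssignmentSpec { name: string; scope: string; roleDefinitionName: string; }
interface Finding { name: string; level: ScopeLevel; reason: string; }

// Built-in roles that can change every resource (or its access control) inside their scope.
const BROAD_ROLES = new Set(["owner", "contributor", "user access administrator"]);

// Classify an ARM scope string by how much of the hierarchy it covers.
function scopeLevel(scope: string): ScopeLevel {
  const p = scope.split("/").filter(s => s.length > 0).map(s => s.toLowerCase());
  if (p.length === 4 && p[0] === "providers" && p[1] === "microsoft.management"
      && p[2] === "managementgroups") return "managementGroup";
  if (p[0] !== "subscriptions" || p.length < 2) return "unknown";
  if (p.length === 2) return "subscription";
  if (p[2] !== "resourcegroups" || p.length < 4) return "unknown";
  if (p.length === 4) return "resourceGroup";
  // Anything deeper must be /providers/{namespace}/{type}/{name}[/...]
  return p[4] === "providers" && p.length >= 8 ? "resource" : "unknown";
}

// Assumed policy: a broad role is acceptable only when scoped to a single resource.
function auditAssignments(specs: RoleAssignmentSpec[]): Finding[] {
  const findings: Finding[] = [];
  for (const s of specs) {
    const level = scopeLevel(s.scope);
    const broad = BROAD_ROLES.has(s.roleDefinitionName.trim().toLowerCase());
    if (level === "unknown") {
      findings.push({ name: s.name, level, reason: "scope is not a recognised ARM scope" });
    } else if (broad && level !== "resource") {
      findings.push({ name: s.name, level, reason: `${s.roleDefinitionName} at ${level} scope` });
    }
  }
  return findings;
}

// Constructed sample input; the subscription ID and storage account name are placeholders.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const RG = `${SUB}/resourceGroups/myresourcegroup`;
const sampleSpecs: RoleAssignmentSpec[] = [
  { name: "contrib-role-assignment", scope: RG, roleDefinitionName: "Contributor" },
  { name: "blob-reader", roleDefinitionName: "Storage Blob Data Reader",
    scope: `${RG}/providers/Microsoft.Storage/storageAccounts/examplestore` },
  { name: "owner-on-subscription", scope: SUB, roleDefinitionName: "Owner" },
];
const sampleFindings = auditAssignments(sampleSpecs);
```

On the sample input, the Contributor assignment from the program above is flagged at resource-group scope, while the data-plane role scoped to one storage account passes.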