azure azure-web-app-service azure-storage azure-keyvault azure-bicep

Is there a way to mount Azure File Share on Web App via Key Vault Reference using Bicep?


Here is the module I am currently using:

// Parameters for the module
param appName string // Name of the existing Web App
param storageAccountName string // Name of the existing Storage Account

// Non-editable variables
var shareName = 'shared'
var mountPath = '/mounts/shared'

// Reference to the existing Web App
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}

// Reference to the existing storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
  name: storageAccountName
}

resource storageSetting 'Microsoft.Web/sites/config@2021-01-15' = {
  name: 'azurestorageaccounts'
  parent: webApp
  properties: {
    '${shareName}': {
      type: 'AzureFiles'
      shareName: shareName
      mountPath: mountPath
      accountName: storageAccount.name
      accessKey: storageAccount.listKeys().keys[0].value
    }
  }
}

However, I'd like to use a Key Vault reference, like how it can be done manually in the Azure portal.

Is this possible?


Solution

  • Assuming that the connection string is already stored in key vault and that your app service has secret read permission over the key vault.

    1. You need a new app setting (Key Vault reference) pointing to the connection string in your key vault.
    resource webApp 'Microsoft.Web/sites@2023-12-01' = {
      name: appName
      ...
      properties: {
        ...
        siteConfig: {
           appSettings: [
              {
                name: 'StorageconnectionString'
                value: '@Microsoft.KeyVault(VaultName=<key vault name>;SecretName=<name of the connectionstring secret>)'
              }
              ...
           ]
        }
      }
    }
    
    2. Then reference the app setting when creating the file share.
    resource storageSetting 'Microsoft.Web/sites/config@2021-01-15' = {
      name: 'azurestorageaccounts'
      parent: webApp
      properties: {
        '${shareName}': {
          type: 'AzureFiles'
          shareName: shareName
          mountPath: mountPath
          accountName: storageAccount.name
          accessKey: '@AppSettingRef(StorageconnectionString)'
        }
      }
    }
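
The two steps above as one module, together with the read permission the answer assumes is already in place. This is an added example, not code from the question or the answer. It assumes an RBAC-enabled vault in the same resource group, a system-assigned identity on the web app, and a secret that holds the storage account access key (the value the question's module passes as `accessKey`); `keyVaultName`, `secretName` and `settingName` are hypothetical names.

```bicep
param appName string
param storageAccountName string
param keyVaultName string // assumed: existing vault using Azure RBAC, same resource group
param secretName string // assumed: existing secret holding the storage account access key
var shareName = 'shared'
var mountPath = '/mounts/shared'
var settingName = 'StorageAccessKey' // assumed app setting name
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6' // built-in Key Vault Secrets User

resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appName
}
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Least privilege: the app's system-assigned identity may read secret values, nothing else.
resource secretReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyVault
  name: guid(keyVault.id, webApp.id, secretsUserRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Deploying config/appsettings replaces the whole collection, so merge with the current settings.
resource appSettings 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: webApp
  name: 'appsettings'
  properties: union(list('${webApp.id}/config/appsettings', '2023-12-01').properties, {
    '${settingName}': '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=${secretName})'
  })
}
// The mount stores only an indirection to the app setting, never the key itself.
resource storageSetting 'Microsoft.Web/sites/config@2023-12-01' = {
  parent: webApp
  name: 'azurestorageaccounts'
  dependsOn: [appSettings, secretReader]
  properties: {
    '${shareName}': {
      type: 'AzureFiles'
      shareName: shareName
      mountPath: mountPath
      accountName: storageAccountName
      accessKey: '@AppSettingRef(${settingName})'
    }
  }
}
```

If the vault uses access policies instead of Azure RBAC, the role assignment does not apply and the identity needs a `get` secret permission in the vault's access policy instead.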