Refactor Key Vault role assignment and add UAMI

tjsullivan1 · web-flow · commit 015f0306d105 · 2025-12-31T14:05:31.000-06:00
Updated Key Vault role assignment to use user assigned identity and added a user assigned managed identity resource for the backend container app.
diff --git a/infra/terraform/_aca-mcp.tf b/infra/terraform/_aca-mcp.tf
@@ -2,20 +2,27 @@
 resource "azurerm_role_assignment" "kv_secrets_camcp" {
   scope                = azurerm_key_vault.main.id
   role_definition_name = "Key Vault Secrets User"
-  principal_id         = azurerm_container_app.mcp.identity[0].principal_id
+  principal_id         = azurerm_user_assigned_identity.mcp.principal_id
+}
+
+# User Assigned Managed Identity for Backend Container App
+resource "azurerm_user_assigned_identity" "mcp" {
+  name                = "uami-mcp-${var.iteration}"
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
 }
 
 resource "azurerm_container_app" "mcp" {
   name                         = "ca-mcp-${var.iteration}"
   container_app_environment_id = azurerm_container_app_environment.cae.id
   resource_group_name          = azurerm_resource_group.rg.name
   revision_mode                = "Single"
-
+  
   identity {
-    type = "SystemAssigned"
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.mcp.id]
   }
 
-
   ingress {
     target_port      = 8000
     external_enabled = true
