feat: move from gha to azure functions for apim key rotation #123

Merged
mishraomp merged 11 commits into main from feat/apim-key-rotation-azure-functions
Mar 1, 2026
@mishraomp (Collaborator) commented Feb 28, 2026

AI Hub Infra Changes

Summary: 13 to add, 0 to change, 0 to destroy (across 2 stack(s))

Terraform will perform the following actions:

  # module.container_app_environment[0].azurerm_container_app_environment.main will be created
  + resource "azurerm_container_app_environment" "main" {
      + custom_domain_verification_id      = (known after apply)
      + default_domain                     = (known after apply)
      + docker_bridge_cidr                 = (known after apply)
      + id                                 = (known after apply)
      + infrastructure_resource_group_name = "ME-ai-services-hub-test"
      + infrastructure_subnet_id           = (known after apply)
      + internal_load_balancer_enabled     = true
      + location                           = "canadacentral"
      + log_analytics_workspace_id         = "/subscriptions/****/resourceGroups/ai-services-hub-test/providers/Microsoft.OperationalInsights/workspaces/ai-services-hub-test-foundry-law"
      + logs_destination                   = (known after apply)
      + mutual_tls_enabled                 = true
      + name                               = "ai-services-hub-test-cae"
      + platform_reserved_cidr             = (known after apply)
      + platform_reserved_dns_ip_address   = (known after apply)
      + public_network_access              = (known after apply)
      + resource_group_name                = "ai-services-hub-test"
      + static_ip_address                  = (known after apply)
      + tags                               = {
          + "app_env"     = "test"
          + "environment" = "test"
          + "repo_name"   = "ai-hub-tracking"
        }
      + zone_redundancy_enabled            = false

      + workload_profile {
          + name                  = "Consumption"
          + workload_profile_type = "Consumption"
        }
    }

  # module.container_app_environment[0].azurerm_monitor_diagnostic_setting.cae[0] will be created
  + resource "azurerm_monitor_diagnostic_setting" "cae" {
      + id                             = (known after apply)
      + log_analytics_destination_type = (known after apply)
      + log_analytics_workspace_id     = "/subscriptions/****/resourceGroups/ai-services-hub-test/providers/Microsoft.OperationalInsights/workspaces/ai-services-hub-test-foundry-law"
      + name                           = "ai-services-hub-test-cae-diagnostics"
      + target_resource_id             = (known after apply)

      + enabled_log {
          + category       = "ContainerAppConsoleLogs"
            # (1 unchanged attribute hidden)
        }
      + enabled_log {
          + category       = "ContainerAppSystemLogs"
            # (1 unchanged attribute hidden)
        }

      + enabled_metric {
          + category = "AllMetrics"
        }

      + metric (known after apply)
    }

  # module.network.azapi_resource.aca_subnet[0] will be created
  + resource "azapi_resource" "aca_subnet" {
      + body                      = {
          + properties = {
              + addressPrefix        = "10.46.82.64/27"
              + delegations          = [
                  + {
                      + name       = "Microsoft.App.environments"
                      + properties = {
                          + serviceName = "Microsoft.App/environments"
                        }
                    },
                ]
              + networkSecurityGroup = {
                  + id = (known after apply)
                }
            }
        }
      + id                        = (known after apply)
      + ignore_casing             = false
      + ignore_missing_property   = true
      + ignore_null_property      = false
      + location                  = (known after apply)
      + locks                     = [
          + "/subscriptions/****/resourceGroups/da4cf6-test-networking/providers/Microsoft.Network/virtualNetworks/da4cf6-test-vwan-spoke",
        ]
      + name                      = "aca-subnet"
      + output                    = (known after apply)
      + parent_id                 = "/subscriptions/****/resourceGroups/da4cf6-test-networking/providers/Microsoft.Network/virtualNetworks/da4cf6-test-vwan-spoke"
      + response_export_values    = [
          + "*",
        ]
      + schema_validation_enabled = true
      + sensitive_body            = (write-only attribute)
      + tags                      = (known after apply)
      + type                      = "Microsoft.Network/virtualNetworks/subnets@2023-04-01"
    }

  # module.network.azurerm_network_security_group.aca[0] will be created
  + resource "azurerm_network_security_group" "aca" {
      + id                  = (known after apply)
      + location            = "canadacentral"
      + name                = "ai-services-hub-test-aca-nsg"
      + resource_group_name = "da4cf6-test-networking"
      + security_rule       = [
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureActiveDirectory"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowAadOutbound"
              + priority                                   = 120
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureContainerRegistry"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowAcrOutbound"
              + priority                                   = 100
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "AzureMonitor"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "443"
              + destination_port_ranges                    = []
              + direction                                  = "Outbound"
              + name                                       = "AllowMonitorOutbound"
              + priority                                   = 110
              + protocol                                   = "Tcp"
              + source_address_prefix                      = "VirtualNetwork"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "VirtualNetwork"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "*"
              + destination_port_ranges                    = []
              + direction                                  = "Inbound"
              + name                                       = "AllowVnetInbound-10-46-136-0-24"
              + priority                                   = 200
              + protocol                                   = "*"
              + source_address_prefix                      = "10.46.136.0/24"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
          + {
              + access                                     = "Allow"
              + destination_address_prefix                 = "VirtualNetwork"
              + destination_address_prefixes               = []
              + destination_application_security_group_ids = []
              + destination_port_range                     = "*"
              + destination_port_ranges                    = []
              + direction                                  = "Inbound"
              + name                                       = "AllowVnetInbound-10-46-82-0-24"
              + priority                                   = 201
              + protocol                                   = "*"
              + source_address_prefix                      = "10.46.82.0/24"
              + source_address_prefixes                    = []
              + source_application_security_group_ids      = []
              + source_port_range                          = "*"
              + source_port_ranges                         = []
                # (1 unchanged attribute hidden)
            },
        ]
      + tags                = {
          + "app_env"     = "test"
          + "environment" = "test"
          + "repo_name"   = "ai-hub-tracking"
        }
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + aca_subnet_id                            = (known after apply)
  + container_app_environment_id             = (known after apply)
  + container_app_environment_name           = "ai-services-hub-test-cae"

Warning: Argument is deprecated

  with module.hub_key_vault.azurerm_key_vault.this,
  on .terraform/modules/hub_key_vault/main.tf line 7, in resource "azurerm_key_vault" "this":
   7:   enable_rbac_authorization       = !var.legacy_access_policies_enabled

This property has been renamed to `rbac_authorization_enabled` and will be
removed in v5.0 of the provider

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Updated by CI — plan against test environment (run #227) at 2026-03-01 00:36:16 UTC.

@mishraomp mishraomp changed the title feat!: apim key rotation azure functions feat(infra)!: move from gha to azure functions for apim key rotation Feb 28, 2026
@mishraomp mishraomp changed the title feat(infra)!: move from gha to azure functions for apim key rotation feat(infra): move from gha to azure functions for apim key rotation Feb 28, 2026
@mishraomp mishraomp changed the title feat(infra): move from gha to azure functions for apim key rotation feat: move from gha to azure functions for apim key rotation Feb 28, 2026
@mishraomp mishraomp changed the title feat: move from gha to azure functions for apim key rotation feat: move from gha to azure functions for apim key rotation Feb 28, 2026
@mishraomp mishraomp merged commit 5c3c2a3 into main Mar 1, 2026
12 checks passed
@mishraomp mishraomp deleted the feat/apim-key-rotation-azure-functions branch March 1, 2026 00:49
@mishraomp mishraomp self-assigned this Mar 4, 2026