Hey Y'all!

Type 1: IaC-Managed Secrets

Management: Automatically generated and managed by Infrastructure as Code (Terraform).

Consumption: For AKS, the Key Vault secrets are mapping to keys in a single Kubernetes secret via the Secrets Store CSI Driver. The app can then map the keys to either environment variables or file mounts in its own IaC.

Examples in this app:

• session-key: *$UgWxeUdLhR5&XViLm#tRz8as:_jdpE (generated by Terraform random_password)
• encryption-key: demo-shared-encryption-key-value (created by app adapter)

Type 2: IaC-Managed Config

Management: Values known to Infrastructure as Code because IaC creates or references the underlying resources.

Consumption: Passed as variables from IaC to application runtime configuration (environment variables).

Examples in this app:

• Environment Resource Group: rg-main-env-staging-base-infra
• Environment Location: eastus

Type 3: Externally-Managed Secrets

Management: IaC creates the secret itself in Key Vault but only initializes it with a placeholder value; administrators must then manually update the secreet with the actual values.

Consumption: For AKS, the Key Vault secrets are mapping to keys in a single Kubernetes secret via the Secrets Store CSI Driver. The app can then map the keys to either environment variables or file mounts in its own IaC.

Examples in this app:

• api-key: PLACEHOLDER-VALUE-CHANGE-ME (manually set by ops team)
• database-password: PLACEHOLDER-VALUE-CHANGE-ME (manually set by ops team)

Type 4: Externally-Managed Config

Management: Developers manage app-specific YAML files in the gw-system-live repository.

Consumption: IaC reads the YAML file and injects content into application runtime configuration (Kubernetes ConfigMap).

Example in this app: Configuration loaded from /config/config.yaml:

ui_settings:
  background_color: green
  greeting_message: Hey Y'all!
external_urls:
  link_url: https://www.microsoft.com

Try the configured external link: https://www.microsoft.com