From ce684ceb91ebe13d5776308efaebf24e43231c97 Mon Sep 17 00:00:00 2001
From: Christian Fosli
Date: Sun, 28 Jan 2024 21:46:06 +0100
Subject: [PATCH] chore(terraform): ignore changes to dbconnstr secret for api
---
 terraform/api.tf | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/terraform/api.tf b/terraform/api.tf
index 6df2f62..6b938fb 100644
--- a/terraform/api.tf
+++ b/terraform/api.tf
@@ -57,13 +57,21 @@ resource "azurerm_container_app" "highscoreApi" {
 # because it is currently (July, 2023) not supported by azurerm terraform provider
 }
+ identity {
+ type = "SystemAssigned"
+ # Manaul step: Grant this Identity permissions to access the key vault
+ }
+
 secret {
 name = "db-connstr"
 value = azurerm_key_vault_secret.mongoConnectionString.value
+ # Issue: Doesn't auto-update and if it does then the secret ends up in tf state
+ # Solution: Update to be a key vault reference in azure portal, ignore changes here.
+ # See upstream issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/21739
 }
 lifecycle {
- ignore_changes = [template[0].container[0].image, ingress[0]]
+ ignore_changes = [template[0].container[0].image, ingress[0], secret[0]]
 }
 tags = local.common_tags
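Review bot: The `secret` block still sets `value = azurerm_key_vault_secret.mongoConnectionString.value`, so on first create, or on any replacement of the container app, Terraform reads the connection string and writes it into the app and into state. Adding `secret[0]` to `ignore_changes` only suppresses later drift; it does not keep the value out of state. Both the Key Vault reference and the access grant for the new `SystemAssigned` identity are manual portal steps, and a replaced app would presumably get a new principal, so a rebuild falls back to the inline value with no vault access until someone repeats them. Consider codifying the grant against `azurerm_container_app.highscoreApi.identity[0].principal_id`. If the provider version in use supports it, also replace `value` with `key_vault_secret_id` plus `identity = "System"`, so the ignore rule can be dropped. The resource body starts and ends outside the hunk, so the pinned provider version and any existing access policy are not visible here.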