fix: resolve KV reference timing bug on backend appSettings #196
Open
bradystroud wants to merge 1 commit into main
Conversation
Symptom: every call to OpenAI returned 401, with App Insights showing the literal string '@Microsoft.KeyVault(SecretUri=...)' being sent as the API key. Same root cause behind the Postgres KeyNotFoundException on the connection string.

Cause: backendAppService had appSettings inlined in its body, so ARM created the App Service (and tried to resolve the KV references) before keyVaultAccessPolicy granted the identity 'get' on secrets. The App Service caches that initial failure as the literal reference string; no amount of subsequent restarts re-evaluates without an appSettings write.

Fix: split the appSettings into a separate Microsoft.Web/sites/config 'appsettings' child resource that explicitly dependsOn keyVaultAccessPolicy. The compiled ARM template now orders: KV -> secrets -> App Service -> access policy -> appSettings. While we're here, also drop the misleading 'accessPolicies: []' on the parent KV (the policy is owned by the keyVaultAccessPolicy resource) and bump backendAppService API version to 2024-04-01.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Symptom
Every `/v1/embeddings` call from staging returned 401. App Insights showed the literal string `@Microsoft.KeyVault(SecretUri=...)` being sent as the API key — Azure was passing the unresolved KV reference straight through. The Postgres connection string was failing the same way (`Couldn't set @microsoft.keyvault(secreturi` from `Npgsql.NpgsqlConnectionStringBuilder`).
Root cause
`backendAppService` had its `appSettings` inlined in the resource body. Inferred deploy order:
The App Service caches the initial KV-reference resolution failure as the literal string and won't re-resolve without an `appSettings` write. Restarts don't help.
This explains why the access policy looked correct in the portal but resolution still failed.
Fix
Split `appSettings` into a separate `Microsoft.Web/sites/config` child resource that explicitly `dependsOn` `keyVaultAccessPolicy`. Compiled ARM dependsOn graph now correctly orders:
```
KV -> secrets -> App Service -> access policy -> appSettings
```
Also:
Test plan
🤖 Generated with Claude Code
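The ordering problem the PR describes can be checked mechanically on the compiled ARM template before it is deployed. The script below is an added example, not code from this PR or the project's template: it walks each resource's `dependsOn` graph and flags any resource that carries `@Microsoft.KeyVault(` app settings without transitively depending on the access-policy resource. The two templates it checks are constructed to reproduce the 'before' (settings inlined in the site body) and 'after' (separate `sites/config` child) shapes; resource names such as `kv-backend` and `backendAppService/appsettings` are hypothetical, and `dependsOn` entries are matched by plain name here, whereas a real compiled template uses `resourceId()` expressions that would need to be normalised first.

```python
"""Check a compiled ARM template for the Key Vault reference timing bug.

Added example, not code from the PR or the project. Both templates below
are constructed: dependsOn holds plain resource names (real compiled
templates use resourceId() expressions) and the names are hypothetical.
"""
import re

# ARM resolves an app setting from Key Vault when its value starts with this token.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.IGNORECASE)

# Constructed 'before' shape: appSettings inlined in the site body, so the
# site (and its KV references) is created before the access policy exists.
BEFORE = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-backend"},
    {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv-backend/openai-api-key",
     "dependsOn": ["kv-backend"]},
    {"type": "Microsoft.Web/sites", "name": "backendAppService",
     "dependsOn": ["kv-backend/openai-api-key"],
     "properties": {"siteConfig": {"appSettings": [
         {"name": "OPENAI_API_KEY",
          "value": "@Microsoft.KeyVault(SecretUri=https://kv-backend.vault.azure.net/secrets/openai-api-key)"}]}}},
    {"type": "Microsoft.KeyVault/vaults/accessPolicies", "name": "kv-backend/add",
     "dependsOn": ["kv-backend", "backendAppService"]},
]}

# Constructed 'after' shape: the settings live in a sites/config child that
# dependsOn the access policy, so ARM writes them only once 'get' is granted.
AFTER = {"resources": [
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-backend"},
    {"type": "Microsoft.KeyVault/vaults/secrets", "name": "kv-backend/openai-api-key",
     "dependsOn": ["kv-backend"]},
    {"type": "Microsoft.Web/sites", "name": "backendAppService",
     "identity": {"type": "SystemAssigned"}},
    {"type": "Microsoft.KeyVault/vaults/accessPolicies", "name": "kv-backend/add",
     "dependsOn": ["kv-backend", "backendAppService"]},
    {"type": "Microsoft.Web/sites/config", "name": "backendAppService/appsettings",
     "dependsOn": ["backendAppService", "kv-backend/add", "kv-backend/openai-api-key"],
     "properties": {"OPENAI_API_KEY":
         "@Microsoft.KeyVault(SecretUri=https://kv-backend.vault.azure.net/secrets/openai-api-key)"}},
]}


def kv_ref_settings(resource):
    """Names of app settings on this resource whose value is a KV reference."""
    props = resource.get("properties", {})
    if resource["type"] == "Microsoft.Web/sites":
        settings = props.get("siteConfig", {}).get("appSettings", [])
        pairs = [(s["name"], s["value"]) for s in settings]
    elif resource["type"] == "Microsoft.Web/sites/config":
        pairs = [(k, v) for k, v in props.items() if isinstance(v, str)]
    else:
        return []
    return [name for name, value in pairs if KV_REF.match(value)]


def build_graph(template):
    """Map each resource name to the set of names it dependsOn."""
    return {r["name"]: set(r.get("dependsOn", [])) for r in template["resources"]}


def transitive_deps(graph, name):
    """Every resource that must exist before `name` is created."""
    seen, stack = set(), list(graph.get(name, ()))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, ()))
    return seen


def check_template(template, access_policy):
    """Return (resource name, [settings]) for KV references written before the policy."""
    graph = build_graph(template)
    findings = []
    for resource in template["resources"]:
        refs = kv_ref_settings(resource)
        if refs and access_policy not in transitive_deps(graph, resource["name"]):
            findings.append((resource["name"], refs))
    return findings


def deploy_order(template):
    """Kahn's algorithm over dependsOn; sorted tie-break keeps the result deterministic."""
    remaining = build_graph(template)
    order = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if deps <= set(order))
        if not ready:
            raise ValueError("dependsOn cycle")
        order.extend(ready)
        for n in ready:
            del remaining[n]
    return order


if __name__ == "__main__":
    for label, template in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", " -> ".join(deploy_order(template)))
        print(label, "findings:", check_template(template, "kv-backend/add"))
```

Note why the inline shape cannot simply be patched with another `dependsOn`: the access policy needs the site's managed identity, so it already depends on the site, and making the site depend on the policy in turn would produce a cycle (`deploy_order` raises on one). Moving the settings into a child resource is what breaks that cycle, which is the same reasoning the PR gives for the split.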