
Conversation

@Krusty93 (Contributor)

Depends on #1105

Resolves CES-1469

@changeset-bot

changeset-bot bot commented Nov 24, 2025

🦋 Changeset detected

Latest commit: bde111b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:
- azure_app_configuration (Patch)


private_dns_zone_resource_group_name = data.azurerm_resource_group.network.name

key_vault = {
has_rbac_support = true
Contributor:

question: what's this for? Can we link related docs?

Contributor Author:

It refers to the role assignment module. It says whether the indicated keyvault uses access policies or RBAC as its access model.
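The access-model flag the reply describes, shown as an added example rather than code from the project's own module: a role-assignment module that branches on `has_rbac_support`, granting data-plane access through an Azure role when the vault uses RBAC and through an access policy otherwise. The variable shape, the resource names and the `principal_id` input are assumptions; the Azure behaviour it relies on is that access policies are ignored once a vault's permission model is RBAC, so writing one to an RBAC vault grants nothing.

```hcl
# Added example (not the project's module): branch on the key vault's access
# model. Variable shape, resource names and inputs are assumptions.

variable "key_vault" {
  type = object({
    name                = string
    resource_group_name = string
    has_rbac_support    = bool # true: RBAC permission model, false: access policies
  })
}

variable "principal_id" {
  type        = string
  description = "Object ID of the identity that must read secrets (assumed input)"
}

data "azurerm_key_vault" "this" {
  name                = var.key_vault.name
  resource_group_name = var.key_vault.resource_group_name
}

# RBAC model: data-plane access is a built-in Azure role scoped to the vault.
# Least privilege: Secrets User can read secret values but not manage them.
resource "azurerm_role_assignment" "secrets_reader" {
  count                = var.key_vault.has_rbac_support ? 1 : 0
  scope                = data.azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.principal_id
}

# Access-policy model: the grant lives on the vault itself and would be
# ignored on an RBAC-enabled vault, which is why the module needs the flag.
resource "azurerm_key_vault_access_policy" "secrets_reader" {
  count        = var.key_vault.has_rbac_support ? 0 : 1
  key_vault_id = data.azurerm_key_vault.this.id
  tenant_id    = data.azurerm_key_vault.this.tenant_id
  object_id    = var.principal_id

  secret_permissions = ["Get", "List"]
}
```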

@github-actions (Contributor)

Tip

✅ All Terraform module locks are up to date

No module changes detected - everything is in sync!

📋 Pre-commit Output Log
[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Lock Terraform Registry modules......................................................Passed
Terraform Providers Lock (on staged .terraform.lock.hcl files).......................Passed
- hook id: terraform_providers_lock_staged
- duration: 0.02s

No .terraform.lock.hcl files to process.

Terraform fmt........................................................................Passed
terraform_docs on modules............................................................Passed
terraform_docs on resources..........................................................Passed
Terraform validate with tflint.......................................................Passed
Terraform validate...................................................................Failed
- hook id: terraform_validate
- files were modified by this hook

Command 'terraform init' successfully done: infra/modules/azure_core_infra
Command 'terraform init' successfully done: infra/modules/azure_app_configuration/tests/setup
Command 'terraform init' successfully done: infra/modules/azure_app_configuration
Command 'terraform init' successfully done: infra/core/dev
Command 'terraform init' successfully done: infra/modules/azure_cosmos_account/tests/setup
Command 'terraform init' successfully done: infra/resources/dev

Terraform validate with trivy........................................................Failed
- hook id: terraform_trivy
- exit code: 1

2025-11-26T10:25:28Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:28Z	INFO	[misconfig] Need to update the checks bundle
2025-11-26T10:25:28Z	INFO	[misconfig] Downloading the checks bundle...

2025-11-26T10:25:30Z	INFO	[terraform scanner] Scanning root module	file_path="examples/keyvault_integration"
2025-11-26T10:25:30Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="examples/keyvault_integration/mut.tf:6-30" err="unexpected status code for versions endpoint: 404"
2025-11-26T10:25:30Z	INFO	[terraform scanner] Scanning root module	file_path="examples/network_access"
2025-11-26T10:25:32Z	INFO	[terraform scanner] Scanning root module	file_path="tests/setup"
2025-11-26T10:25:32Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment, tags, test_kind"
2025-11-26T10:25:32Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-content-type-for-secret" range="examples/network_access/fixtures.tf:127-135"
2025-11-26T10:25:32Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-no-purge" range="examples/network_access/fixtures.tf:114"
2025-11-26T10:25:32Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-ensure-secret-expiry" range="examples/network_access/fixtures.tf:127-135"
2025-11-26T10:25:32Z	INFO	Detected config files	num=5

Report Summary

┌─────────────────────────────────────┬────────────┬───────────────────┐
│               Target                │    Type    │ Misconfigurations │
├─────────────────────────────────────┼────────────┼───────────────────┤
│ examples/keyvault_integration       │ terraform  │         0         │
├─────────────────────────────────────┼────────────┼───────────────────┤
│ examples/network_access             │ terraform  │         0         │
├─────────────────────────────────────┼────────────┼───────────────────┤
│ examples/network_access/fixtures.tf │ terraform  │         0         │
├─────────────────────────────────────┼────────────┼───────────────────┤
│ tests/apps/all_scenarios/Dockerfile │ dockerfile │         2         │
├─────────────────────────────────────┼────────────┼───────────────────┤
│ tests/setup                         │ terraform  │         0         │
└─────────────────────────────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tests/apps/all_scenarios/Dockerfile (dockerfile)

Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────


2025-11-26T10:25:32Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-11-26T10:25:33Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	module="root" loc="mut.tf:6-30" err="unexpected status code for versions endpoint: 404"
2025-11-26T10:25:33Z	INFO	Detected config files	num=1

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘

2025-11-26T10:25:33Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:34Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-11-26T10:25:34Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-content-type-for-secret" range="fixtures.tf:127-135"
2025-11-26T10:25:34Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-no-purge" range="fixtures.tf:114"
2025-11-26T10:25:34Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-ensure-secret-expiry" range="fixtures.tf:127-135"
2025-11-26T10:25:34Z	INFO	Detected config files	num=2

Report Summary

┌─────────────┬───────────┬───────────────────┐
│   Target    │   Type    │ Misconfigurations │
├─────────────┼───────────┼───────────────────┤
│ .           │ terraform │         0         │
├─────────────┼───────────┼───────────────────┤
│ fixtures.tf │ terraform │         0         │
└─────────────┴───────────┴───────────────────┘

2025-11-26T10:25:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:35Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-11-26T10:25:35Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment, tags, test_kind"
2025-11-26T10:25:35Z	INFO	Detected config files	num=1

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘

2025-11-26T10:25:35Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:36Z	INFO	[terraform scanner] Scanning root module	file_path="example/complete"
2025-11-26T10:25:36Z	INFO	[terraform scanner] Scanning root module	file_path="example/develop"
2025-11-26T10:25:36Z	INFO	[terraform scanner] Scanning root module	file_path="tests/setup"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-specify-network-acl" range="_modules/key_vault/kv.tf:23"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-ensure-secret-expiry" range="_modules/application_insights/appi.tf:21-27"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-no-purge" range="_modules/key_vault/kv.tf:17"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-specify-network-acl" range="_modules/key_vault/kv.tf:23"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-ensure-secret-expiry" range="_modules/application_insights/appi.tf:21-27"
2025-11-26T10:25:36Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-no-purge" range="_modules/key_vault/kv.tf:17"
2025-11-26T10:25:36Z	INFO	Detected config files	num=5

Report Summary

┌───────────────────────────────────────┬───────────┬───────────────────┐
│                Target                 │   Type    │ Misconfigurations │
├───────────────────────────────────────┼───────────┼───────────────────┤
│ _modules/application_insights/appi.tf │ terraform │         0         │
├───────────────────────────────────────┼───────────┼───────────────────┤
│ _modules/key_vault/kv.tf              │ terraform │         0         │
├───────────────────────────────────────┼───────────┼───────────────────┤
│ example/complete                      │ terraform │         0         │
├───────────────────────────────────────┼───────────┼───────────────────┤
│ example/develop                       │ terraform │         0         │
├───────────────────────────────────────┼───────────┼───────────────────┤
│ tests/setup                           │ terraform │         0         │
└───────────────────────────────────────┴───────────┴───────────────────┘

2025-11-26T10:25:36Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:37Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-11-26T10:25:37Z	WARN	[terraform parser] Variable values were not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment, tags, test_kind"
2025-11-26T10:25:37Z	INFO	[terraform executor] Ignore finding	rule="azure-keyvault-specify-network-acl" range="main.tf:71-82"
2025-11-26T10:25:37Z	INFO	Detected config files	num=2

Report Summary

┌─────────┬───────────┬───────────────────┐
│ Target  │   Type    │ Misconfigurations │
├─────────┼───────────┼───────────────────┤
│ .       │ terraform │         0         │
├─────────┼───────────┼───────────────────┤
│ main.tf │ terraform │         0         │
└─────────┴───────────┴───────────────────┘

2025-11-26T10:25:37Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-26T10:25:38Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-11-26T10:25:38Z	INFO	Detected config files	num=1

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘



All changes made by hooks:
diff --git a/infra/core/dev/.terraform.lock.hcl b/infra/core/dev/.terraform.lock.hcl
index f01e4f00..df3d283c 100644
--- a/infra/core/dev/.terraform.lock.hcl
+++ b/infra/core/dev/.terraform.lock.hcl
@@ -6,6 +6,7 @@ provider "registry.terraform.io/hashicorp/aws" {
   constraints = ">= 5.0.0, < 7.0.0"
   hashes = [
     "h1:PTgxp+nMDBd6EFHAIH6ceFfvwa2blqkCwXglZn6Dqa8=",
+    "h1:zfVzyJmwHhNP+YtLuroU36LTjuZTv2pBUpEJgtnX4HA=",
     "zh:3995ca97e6c2c1ed9e231c453287585d3dc1ca2a304683ac0b269b3448fda7c0",
     "zh:4f69f70d2edeb0dde9c693b7cd7e8e21c781b2fac7062bed5300092dbadb71e1",
     "zh:5c76042fdf3df56a1f581bc477e5d6fc3e099d4d6544fe725b3747e9990726bd",
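Review bot: the only change in this hunk is a second `h1:` hash for hashicorp/aws, which means the hook regenerated the lock on a platform whose package hash was not yet recorded (`h1:` lines are computed for the platforms the lock was generated on, while the `zh:` lines already cover the registry's zip archives). Confirm this is intentional and record every platform the module is used on explicitly, e.g. `terraform providers lock -platform=linux_amd64 -platform=darwin_arm64`, so that `terraform init` verifies the provider against a committed hash on every machine instead of relying on a hash the hook adds at check time.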
@@ -52,6 +53,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
   constraints = "~> 4.0, ~> 4.42"
   hashes = [
     "h1:AeE+jsY9HfzMrTLjQZZ8IWtI/XxqBxbd3BRDSbGU2oM=",
+    "h1:uYLSLApU3bG/q6nxNb2N5FV0YddZxsg6Jlq27hDmPOA=",
     "zh:0adda2cfb2ae9ec394943164cbd5ab1f1fac89a0125ad3966a97363b06b1bd11",
     "zh:23dcc71a1586c2b8644476ccd3b4d4d22aa651d6ceb03d32f801bb7ecb09c84f",
     "zh:4573833c692a87df167e3adf71c4291879e1a5d2e430ba5255509d3510c7a2f5",
@@ -116,6 +118,7 @@ provider "registry.terraform.io/integrations/github" {
   version     = "6.8.3"
   constraints = "~> 6.0"
   hashes = [
+    "h1:LnpUTEWVHV5GToNxS239VLFPXWw2Hhe21/GuUTKhR9o=",
     "h1:aJDtXRORhhNljqxf8V8zE2PGXs0clB1NO9zR2Kduf2E=",
     "zh:0795635834c762371aae1748f68d17db778918f48a630c69e673e0339edc0869",
     "zh:191649a4ca68b8c5235712247b9ae05b16123e912c8e0f875267df68fda64452",
@@ -140,6 +143,7 @@ provider "registry.terraform.io/pagopa-dx/aws" {
   constraints = "~> 0.0"
   hashes = [
     "h1:+POvtAfsFJ1KMk2I7YALqeEB7mcEgxfsXebifCD4JRg=",
+    "h1:uNDum2DZ9sDjSFj4b9oCMs7ROacCfoqjyxSK2wkAOV0=",
     "zh:165475f513aa06774b701c3609848573782bc5f76014f1dd715281d8c39f53f5",
     "zh:27ee4cd71f382da04b762733d9d84d008385bc476c6f81adcc7ea8ded44df261",
     "zh:375d0304a3ec7107cb884b2a2921e8035ccf414c65c1a77fb84d6b4dd5f1ab96",
@@ -163,6 +167,7 @@ provider "registry.terraform.io/pagopa-dx/azure" {
   constraints = "~> 0.0, ~> 0.8"
   hashes = [
     "h1:Wv3/ER3Hf3+ruRPKODygPU3JrUyxvEfzJU+IWKkMJBU=",
+    "h1:Z/gH7Mx5+gtcYTdlGZoM9S3aVP81p/0fX35UrEr2uyI=",
     "zh:160a97068350ccd0aa27b5b5925cec84aecf8fac9bf1a8e854a77f6cf10dffad",
     "zh:4525c58b6facb1f20d5b2bc7a0514b161d196341d59b308d0215cadd93e867b2",
     "zh:4a242618292bd8b0a6db174e5d70d92bfbebc4552bd05c87552e1c619c7aac2b",
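Review bot: this hunk completes a set of five identical one-line additions, one per provider in infra/core/dev/.terraform.lock.hcl, and the validate hook above reports "files were modified by this hook", so the committed lock file does not yet contain these hashes. Either commit the regenerated lock file or run the lock hook for the target platform before pushing; otherwise every run of the hook keeps failing on a diff it produces itself, and the lock file CI actually verifies against is not the one in the PR.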

Generated on Wed Nov 26 10:25:39 UTC 2025

@dpulls

dpulls bot commented Dec 3, 2025

🎉 All dependencies have been resolved!

2 participants