From c9e0d06789c2a4ad1f58c79636954582d48be17c Mon Sep 17 00:00:00 2001
From: Matt Wicks
Date: Tue, 21 Nov 2023 11:59:34 +1100
Subject: [PATCH] Add key vault role assignments for staging slot
---
 infra/appService.bicep | 22 +++++++++++++++++++++-
 infra/main.bicep | 11 +----------
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/infra/appService.bicep b/infra/appService.bicep
index fd578505b9..0cd4aa38a4 100644
--- a/infra/appService.bicep
+++ b/infra/appService.bicep
@@ -1,3 +1,4 @@
+param now string
 param projectName string = 'sswwebsite'
 param location string = resourceGroup().location
 param tags object
@@ -185,5 +186,24 @@ resource appServiceAcrPullRoleAssignment 'Microsoft.Authorization/roleAssignment
 }
 }
+
+module kvAppRoleAssignment 'keyVaultRoleAssignment.bicep' = {
+ name: 'KVRoleAssignment-${now}'
+ params: {
+ keyVaultName: keyVaultName
+ principalId: appService.identity.principalId
+ roleName: 'Key Vault Secrets User'
+ }
+}
+
+
+module kvSlotRoleAssignment 'keyVaultRoleAssignment.bicep' = {
+ name: 'KVRoleAssignment-${now}'
+ params: {
+ keyVaultName: keyVaultName
+ principalId: stagingSlot.identity.principalId
+ roleName: 'Key Vault Secrets User'
+ }
+}
+
 output appServiceHostName string = appService.properties.defaultHostName
-output AppPrincipalId string = appService.identity.principalId
diff --git a/infra/main.bicep b/infra/main.bicep
index cbf61f6b6e..4f2de1c8f2 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -64,6 +64,7 @@ module appInsight 'appInsight.bicep' = {
 module appService 'appService.bicep' = {
 name: 'appService-${now}'
 params: {
+ now: now
 projectName: projectName
 location: location
 tags: core
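Review bot: In the second hunk of infra/appService.bicep, `kvSlotRoleAssignment` reuses the deployment name `'KVRoleAssignment-${now}'` that `kvAppRoleAssignment` already uses in the same file and scope, so the two nested deployments collide and one of the Key Vault role assignments may be rejected or never applied. Give the slot module its own name, for example `name: 'KVSlotRoleAssignment-${now}'`. The staging slot's identity also receives 'Key Vault Secrets User'; if keyVaultRoleAssignment.bicep (not shown) assigns at vault scope, pre-release code running in the slot can read every secret the production app can, so either narrow the scope or add a comment such as `// staging slot needs secret read access so Key Vault references resolve before a swap`. Removing `output AppPrincipalId` breaks any other consumer of that output; only the main.bicep use is visibly removed in this patch.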
@@ -77,16 +78,6 @@ module appService 'appService.bicep' = {
 }
 }
-
-module kVAppRoleAssignment 'keyVaultRoleAssignment.bicep' = {
- name: 'KVRoleAssignment-${now}'
- params: {
- keyVaultName: keyVault.outputs.keyVaultName
- principalId: appService.outputs.AppPrincipalId
- roleName: 'Key Vault Secrets User'
- }
-}
-
 module kVServicePrincipalRoleAssignment 'keyVaultRoleAssignment.bicep' = {
 name: 'KVServicePrincipalRoleAssignment-${now}'
 params: {