Add support for excluding paths from Entra ID authentication (#270)

josielsouzanordcloud · web-flow · commit 1cf69af05158 · 2026-01-28T10:53:23.000Z
Allow container apps to specify paths (e.g., /healthcheck, /sha) that
  bypass authentication via the new auth_excluded_paths variable.
  Updated tfdocs
diff --git a/infrastructure/modules/container-app/README.md b/infrastructure/modules/container-app/README.md
@@ -106,6 +106,21 @@ module "container-app" {
 }
 ```
 
+### Excluding paths from authentication
+
+You can exclude specific paths from authentication using the `auth_excluded_paths` variable. These paths will respond without requiring authentication, which is useful for health checks or version endpoints.
+
+Example:
+```hcl
+module "container-app" {
+  ...
+  enable_entra_id_authentication = true
+  auth_excluded_paths            = ["/healthcheck", "/sha"]
+}
+```
+
+By default, no paths are excluded (`auth_excluded_paths = []`).
+
 ## Alerts
 
 To enable container app alerting:
diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf
@@ -192,6 +192,7 @@ resource "azapi_resource" "auth" {
       }
       globalValidation = {
         unauthenticatedClientAction = var.unauthenticated_action
+        excludedPaths               = var.auth_excluded_paths
       }
       identityProviders = {
         azureActiveDirectory = {
diff --git a/infrastructure/modules/container-app/tfdocs.md b/infrastructure/modules/container-app/tfdocs.md
@@ -88,6 +88,14 @@ Type: `string`
 
 Default: `null`
 
+### <a name="input_auth_excluded_paths"></a> [auth\_excluded\_paths](#input\_auth\_excluded\_paths)
+
+Description: List of paths to exclude from authentication (e.g., ["/healthcheck", "/sha"]). These paths will respond without requiring authentication.
+
+Type: `list(string)`
+
+Default: `[]`
+
 ### <a name="input_enable_alerting"></a> [enable\_alerting](#input\_enable\_alerting)
 
 Description: Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server.
diff --git a/infrastructure/modules/container-app/variables.tf b/infrastructure/modules/container-app/variables.tf
@@ -128,6 +128,12 @@ variable "unauthenticated_action" {
   }
 }
 
+variable "auth_excluded_paths" {
+  description = "List of paths to exclude from authentication (e.g., [\"/healthcheck\", \"/sha\"]). These paths will respond without requiring authentication."
+  type        = list(string)
+  default     = []
+}
+
 # Always fetch the AAD client secret from Key Vault
 variable "infra_key_vault_name" {
   description = "Name of Key Vault to retrieve the AAD client secrets"

Original file line number	Diff line number	Diff line change
`@@ -192,6 +192,7 @@ resource "azapi_resource" "auth" {`
`192`	`192`	`}`
`193`	`193`	`globalValidation = {`
`194`	`194`	`unauthenticatedClientAction = var.unauthenticated_action`
	`195`	`+ excludedPaths = var.auth_excluded_paths`
`195`	`196`	`}`
`196`	`197`	`identityProviders = {`
`197`	`198`	`azureActiveDirectory = {`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,12 @@ variable "unauthenticated_action" {`
`128`	`128`	`}`
`129`	`129`	`}`
`130`	`130`
	`131`	`+variable "auth_excluded_paths" {`
	`132`	`+ description = "List of paths to exclude from authentication (e.g., [\"/healthcheck\", \"/sha\"]). These paths will respond without requiring authentication."`
	`133`	`+ type = list(string)`
	`134`	`+ default = []`
	`135`	`+}`
	`136`	`+`
`131`	`137`	`# Always fetch the AAD client secret from Key Vault`
`132`	`138`	`variable "infra_key_vault_name" {`
`133`	`139`	`description = "Name of Key Vault to retrieve the AAD client secrets"`