bugfix: deployment slots sensitivity issue (#257)

* adding new example and new variable to help handle sensitive values

* running pre-commit scripts

* adding logic for empty slot app settings

* running pre-commit script

* refactor slot app settings

* fix locals

* fix typo

---------

Co-authored-by: Jared Holgate <jaredholgate@microsoft.com>

Author: donovm4

README.md

@@ -946,7 +946,6 @@ Type:
 ```hcl
 map(object({
     name                                     = optional(string)
-    app_settings                             = optional(map(string))
     builtin_logging_enabled                  = optional(bool, true)
     content_share_force_disabled             = optional(bool, false)
     client_affinity_enabled                  = optional(bool, false)
@@ -1352,15 +1351,7 @@ map(object({
           virtual_path  = optional(string)
         })), {})
         virtual_path = optional(string, "/")
-        })),
-        {
-          default = {
-            physical_path   = "site\\wwwroot"
-            preload_enabled = false
-            virtual_path    = "/"
-          }
-        }
-      )
+      })), {})
     }), {})
 
     timeouts = optional(object({
@@ -1947,6 +1938,14 @@ object({
 
 Default: `{}`
 
+### <a name="input_slot_app_settings"></a> [slot\_app\_settings](#input\_slot\_app\_settings)
+
+Description:   A map of app settings to apply to the deployment slot(s). The key MUST be the same key as the slot key, and the value is a map of app setting key-value pairs.
+
+Type: `map(map(string))`
+
+Default: `{}`
+
 ### <a name="input_slot_application_insights"></a> [slot\_application\_insights](#input\_slot\_application\_insights)
 
 Description:   Configures the Application Insights instance(s) for the deployment slot(s).

examples/deployment_slots_with_sensitive_values/.e2eignore

@@ -0,0 +1,259 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- Code generated by terraform-docs. DO NOT EDIT. -->
+# Deployment slots with sensitive values example
+
+This deploys the module utilizing app service slot capabilities with sensitive values.
+
+```hcl
+## Section to provide a random Azure region for the resource group
+# This allows us to randomize the region for the resource group.
+module "regions" {
+  source  = "Azure/regions/azurerm"
+  version = "0.8.0"
+}
+
+# This allows us to randomize the region for the resource group.
+resource "random_integer" "region_index" {
+  max = length(local.azure_regions) - 1
+  min = 0
+}
+## End of section to provide a random Azure region for the resource group
+
+# This ensures we have unique CAF compliant names for our resources.
+module "naming" {
+  source  = "Azure/naming/azurerm"
+  version = "0.4.2"
+}
+
+resource "azurerm_resource_group" "example" {
+  location = local.azure_regions[random_integer.region_index.result]
+  name     = module.naming.resource_group.name_unique
+}
+
+resource "azurerm_service_plan" "example" {
+  location            = azurerm_resource_group.example.location
+  name                = module.naming.app_service_plan.name_unique
+  os_type             = "Windows"
+  resource_group_name = azurerm_resource_group.example.name
+  sku_name            = "P1v2"
+  tags = {
+    example = "deployment-slots-sensitive"
+  }
+}
+
+# resource "azurerm_storage_account" "example" {
+#   account_replication_type = "LRS"
+#   account_tier             = "Standard"
+#   location                 = azurerm_resource_group.example.location
+#   name                     = "${module.naming.storage_account.name_unique}sens"
+#   resource_group_name      = azurerm_resource_group.example.name
+
+#   network_rules {
+#     default_action = "Allow"
+#     bypass         = ["AzureServices"]
+#   }
+#   tags = {
+#     SecurityControl = "Ignore"
+#   }
+# }
+
+# This is the module call with deployment slots containing sensitive values
+module "avm_res_web_site" {
+  source = "../.."
+
+  kind                     = "webapp"
+  location                 = azurerm_resource_group.example.location
+  name                     = module.naming.app_service.name_unique
+  os_type                  = "Windows"
+  resource_group_name      = azurerm_resource_group.example.name
+  service_plan_resource_id = azurerm_service_plan.example.id
+  # Deployment slots with SENSITIVE values
+  deployment_slots = {
+    test = {
+      name = "test"
+      site_config = {
+        always_on = true
+        application_stack = {
+          dotnet = {
+            current_stack               = "dotnet"
+            dotnet_version              = "v8.0"
+            use_custom_runtime          = false
+            use_dotnet_isolated_runtime = true
+          }
+        }
+      }
+    }
+    staging = {
+      name = "staging"
+      site_config = {
+        always_on = true
+        application_stack = {
+          dotnet = {
+            current_stack               = "dotnet"
+            dotnet_version              = "v8.0"
+            use_custom_runtime          = false
+            use_dotnet_isolated_runtime = true
+          }
+        }
+      }
+    }
+    production = {
+      name = "prod"
+      site_config = {
+        always_on = true
+        application_stack = {
+          dotnet = {
+            current_stack               = "dotnet"
+            dotnet_version              = "v8.0"
+            use_custom_runtime          = false
+            use_dotnet_isolated_runtime = true
+          }
+        }
+      }
+    }
+  }
+  enable_telemetry = var.enable_telemetry
+  site_config = {
+    application_stack = {
+      dotnet = {
+        current_stack               = "dotnet"
+        dotnet_version              = "v8.0"
+        use_custom_runtime          = false
+        use_dotnet_isolated_runtime = true
+      }
+    }
+  }
+  slot_app_settings = {
+    staging = {
+      "ASPNETCORE_ENVIRONMENT"     = "Staging"
+      "DATABASE_CONNECTION_STRING" = var.staging_database_connection_string
+      "THIRD_PARTY_API_KEY"        = var.staging_api_key
+      "LOG_LEVEL"                  = "Debug"
+      "FEATURE_FLAG_NEW_UI"        = "true"
+    }
+    production = {
+      "ASPNETCORE_ENVIRONMENT"     = "Production"
+      "DATABASE_CONNECTION_STRING" = var.production_database_connection_string
+      "THIRD_PARTY_API_KEY"        = var.production_api_key
+      "STORAGE_CONNECTION_STRING"  = var.production_storage_key
+      "LOG_LEVEL"                  = "Warning"
+      "FEATURE_FLAG_NEW_UI"        = "false"
+    }
+  }
+  tags = {
+    example         = "deployment-slots-with-sensitive-values"
+    environment     = "demo"
+    SecurityControl = "Ignore"
+  }
+}
+```
+
+<!-- markdownlint-disable MD033 -->
+## Requirements
+
+The following requirements are needed by this module:
+
+- <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) (~> 1.9)
+
+- <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) (~> 4.0)
+
+- <a name="requirement_random"></a> [random](#requirement\_random) (>= 3.5.0, < 4.0.0)
+
+## Resources
+
+The following resources are used by this module:
+
+- [azurerm_resource_group.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) (resource)
+- [azurerm_service_plan.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) (resource)
+- [random_integer.region_index](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) (resource)
+
+<!-- markdownlint-disable MD013 -->
+## Required Inputs
+
+No required inputs.
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### <a name="input_enable_telemetry"></a> [enable\_telemetry](#input\_enable\_telemetry)
+
+Description: This variable controls whether or not telemetry is enabled for the module.  
+For more information see <https://aka.ms/avm/telemetryinfo>.  
+If it is set to false, then no telemetry will be collected.
+
+Type: `bool`
+
+Default: `true`
+
+### <a name="input_production_api_key"></a> [production\_api\_key](#input\_production\_api\_key)
+
+Description: API key for third-party service in production (marked as sensitive)
+
+Type: `string`
+
+Default: `"production-api-key-def456uvw012"`
+
+### <a name="input_production_database_connection_string"></a> [production\_database\_connection\_string](#input\_production\_database\_connection\_string)
+
+Description: Database connection string for the production environment (marked as sensitive)
+
+Type: `string`
+
+Default: `"Server=tcp:prod-db.database.windows.net,1433;Database=mydb;User ID=admin;Password=Pr0duct10nP@ssw0rd!;Encrypt=true;"`
+
+### <a name="input_production_storage_key"></a> [production\_storage\_key](#input\_production\_storage\_key)
+
+Description: Storage account key for production (marked as sensitive)
+
+Type: `string`
+
+Default: `"DefaultEndpointsProtocol=https;AccountName=prodstg;AccountKey=FAKE_STORAGE_KEY_EXAMPLE_DO_NOT_USE_IN_PRODUCTION==;EndpointSuffix=core.windows.net"`
+
+### <a name="input_staging_api_key"></a> [staging\_api\_key](#input\_staging\_api\_key)
+
+Description: API key for third-party service in staging (marked as sensitive)
+
+Type: `string`
+
+Default: `"staging-api-key-abc123xyz789"`
+
+### <a name="input_staging_database_connection_string"></a> [staging\_database\_connection\_string](#input\_staging\_database\_connection\_string)
+
+Description: Database connection string for the staging environment (marked as sensitive)
+
+Type: `string`
+
+Default: `"Server=tcp:staging-db.database.windows.net,1433;Database=mydb;User ID=admin;Password=StagingP@ssw0rd!;Encrypt=true;"`
+
+## Outputs
+
+No outputs.
+
+## Modules
+
+The following Modules are called:
+
+### <a name="module_avm_res_web_site"></a> [avm\_res\_web\_site](#module\_avm\_res\_web\_site)
+
+Source: ../..
+
+Version:
+
+### <a name="module_naming"></a> [naming](#module\_naming)
+
+Source: Azure/naming/azurerm
+
+Version: 0.4.2
+
+### <a name="module_regions"></a> [regions](#module\_regions)
+
+Source: Azure/regions/azurerm
+
+Version: 0.8.0
+
+<!-- markdownlint-disable-next-line MD041 -->
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
+<!-- END_TF_DOCS -->

examples/deployment_slots_with_sensitive_values/README.md

@@ -0,0 +1,4 @@
+<!-- markdownlint-disable-next-line MD041 -->
+## Data Collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

examples/deployment_slots_with_sensitive_values/_footer.md

@@ -0,0 +1,3 @@
+# Deployment slots with sensitive values example
+
+This deploys the module utilizing app service slot capabilities with sensitive values.

examples/deployment_slots_with_sensitive_values/_header.md

@@ -0,0 +1,5 @@
+locals {
+  azure_regions = [
+    "eastus"
+  ]
+}