update doc

Krusty93 · Krusty93 · commit 27eb6bd234f3 · 2025-11-24T18:24:25.000+01:00
diff --git a/apps/website/docs/azure/app-configuration/azure-app-configuration.md b/apps/website/docs/azure/app-configuration/azure-app-configuration.md
@@ -12,72 +12,28 @@ exploiting the hot reload capabilities.
 
 ## Configuring the resource via Terraform
 
-As the resource is quite simple to configure, you can use `azurerm` resource to
-deploy an instance of the service. Below is an example showing how to configure
-an instance with private connectivity and allowing authentication only via Entra
-ID.
+The resource can be provisioned using the module
+[`azure_app_configuration`](https://registry.terraform.io/modules/pagopa-dx/azure-app-configuration/azurerm/latest),
+which deploys an instance with private conenctivity and allowing authentication
+only via Entra ID.
 
 ```hcl
 
-resource "azurerm_app_configuration" "example" {
-  name = provider::azuredx::resource_name(merge(
-    var.naming_config,
-    {
-      name          = "demo",
-      resource_type = "app_configuration",
-    })
-  )
-  resource_group_name = local.resource_group_name
-  location            = local.environment.location
-
-  identity {
-    type = "SystemAssigned"
-  }
-
-  sku                                  = "standard" # others are free and premium
-  data_plane_proxy_authentication_mode = "Pass-through"
-  local_auth_enabled                   = false
+module "appcs" {
+  source  = "pagopa-dx/azure-app-configuration/azurerm"
+  version = "~> 0.0"
 
-  public_network_access    = "Disabled"
-  purge_protection_enabled = true
-
-  tags = local.tags
-}
+  environment         = local.environment
+  resource_group_name = var.resource_group_name
 
-data "azurerm_private_dns_zone" "appconfig" {
-  name                = "privatelink.azconfig.io"
-  resource_group_name = var.private_dns_zone_resource_group_name
-}
+  subnet_pep_id = data.azurerm_subnet.pep.id
 
-resource "azurerm_private_endpoint" "app_config" {
-  name                = provider::azuredx::resource_name(merge(
-    var.naming_config,
-    {
-      name          = "demo",
-      resource_type = "app_configuration_private_endpoint",
-    })
-  )
-  location            = local.environment.location
-  resource_group_name = local.resource_group_name
-  subnet_id           = var.subnet_pep_id
-
-  private_service_connection {
-    name                           = provider::azuredx::resource_name(merge(
-    var.naming_config,
-    {
-      name          = "demo",
-      resource_type = "app_configuration_private_endpoint",
-    })
-  )
-    private_connection_resource_id = azurerm_app_configuration.example.id
-    is_manual_connection           = false
-    subresource_names              = ["configurationStores"]
+  virtual_network = {
+    name                = local.virtual_network.name
+    resource_group_name = local.virtual_network.resource_group_name
   }
 
-  private_dns_zone_group {
-    name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.appconfig.id]
-  }
+  private_dns_zone_resource_group_name = data.azurerm_resource_group.network.name
 
   tags = local.tags
 }
@@ -86,7 +42,7 @@ module "roles" {
   source  = "pagopa-dx/azure-role-assignments/azurerm"
   version = "~> 1.3"
 
-  principal_id    = module.test_app.app_service.app_service.principal_id
+  principal_id    = module.test_app.app_service.app_service.principal_id # example application which needs to access App Configuration
   subscription_id = data.azurerm_subscription.current.subscription_id
 
   app_config = [
@@ -122,28 +78,27 @@ provider "azurerm" {
 If your application has sensitive application settings (secrets), the
 AppConfiguration instance should be configured to retrieve those secrets from
 Azure Key Vault, to make them available to the application. The authentication
-via identities between AppConfiguration and KeyVault is managed via Terraform:
+via identities between AppConfiguration and KeyVault is managed by the module
+[`azure_app_configuration`](https://registry.terraform.io/modules/pagopa-dx/azure-app-configuration/azurerm/latest),
+which optionally accepts a KeyVault reference:
 
 ```hcl
 
-module "roles" {
-  source  = "pagopa-dx/azure-role-assignments/azurerm"
-  version = "~> 1.3"
 
-  principal_id    = azurerm_app_configuration.example.identity[0].principal_id
-  subscription_id = data.azurerm_subscription.current.subscription_id
+module "appcs_with_kv" {
+  source  = "pagopa-dx/azure-app-configuration/azurerm"
+  version = "~> 0.0"
 
-  app_config = [
-    {
-      name                = azurerm_app_configuration.example.name
-      resource_group_name = azurerm_app_configuration.example.resource_group_name
-      has_rbac_support    = true # or false if KeyVault is using Access Policies
-      description         = "Complete access to app configuration control plane and data"
-      roles               = {
-        secrets           = "Reader" # Allow AppConfiguration to read secrets from KeyVault
-      }
-    }
-  ]
+  ...
+
+  key_vault = {
+    subscription_id     = data.azurerm_subscription.current.subscription_id
+    name                = azurerm_key_vault.kv.name
+    resource_group_name = azurerm_key_vault.kv.resource_group_name
+    has_rbac_support    = true # or false if KeyVault uses Access Policies
+  }
+
+  tags = local.tags
 }
 
 ```
