[Security] Move App Insights Secrets to Key Vault References #23

@emmanuelknafo

Description

Summary

Move Application Insights instrumentation key and connection string from plain text App Settings to Key Vault references for improved secret management.

Secrets Addressed

  • SEC-003: App Insights Instrumentation Key (Medium Risk)
  • SEC-004: App Insights Connection String (Medium Risk)

Current State

  • App Insights keys stored directly in App Service app settings
  • Keys visible in Azure Portal and deployment logs
  • No rotation capability

Acceptance Criteria

  • App Insights instrumentation key stored in Key Vault
  • App Insights connection string stored in Key Vault
  • App Service app settings use Key Vault reference syntax
  • App Service has Key Vault Secrets User role for new secrets
  • Deployment verified and telemetry confirmed working

Implementation Reference

  1. Add secrets to Key Vault:

```bicep
// Store the App Insights instrumentation key as a Key Vault secret.
resource appInsightsInstrumentationKeySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: keyVault
  name: 'AppInsightsInstrumentationKey'
  properties: {
    value: appInsights.properties.InstrumentationKey
  }
}

// Store the App Insights connection string as a Key Vault secret.
resource appInsightsConnectionStringSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: keyVault
  name: 'AppInsightsConnectionString'
  properties: {
    value: appInsights.properties.ConnectionString
  }
}
```

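  2. Update App Service app settings to use Key Vault references:

```bicep
// App settings hold only a reference; the platform resolves the secret value
// from the vault using the App Service identity.
// VaultName is interpolated from the keyVault resource symbol.
appSettings: [
  {
    name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
    value: '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=AppInsightsInstrumentationKey)'
  }
  {
    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
    value: '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=AppInsightsConnectionString)'
  }
  {
    name: 'KeyVaultUri'
    value: keyVault.properties.vaultUri
  }
]
```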

Priority

P2 - High - Implement within 30 days
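
For the acceptance criterion on the Key Vault Secrets User role, one way to grant the App Service identity read access to only the two new secrets. This is an added example, not part of the original issue; `appService` is an assumed symbol for the site resource with a system-assigned identity, and the vault is assumed to use Azure RBAC authorization rather than access policies.

```bicep
// Added example; not code from the original issue.
// Assumptions: `appService` is the Microsoft.Web/sites resource declared with
// identity: { type: 'SystemAssigned' }, and `keyVault` has
// enableRbacAuthorization: true.

// Built-in role "Key Vault Secrets User" (read secret contents only).
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

// Scope each assignment to the individual secret instead of the whole vault,
// so the app identity can read the two App Insights secrets and nothing else.
resource instrumentationKeySecretReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: appInsightsInstrumentationKeySecret
  // Deterministic name so redeployments update the same assignment.
  name: guid(appInsightsInstrumentationKeySecret.id, appService.id, keyVaultSecretsUserRoleId)
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: appService.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource connectionStringSecretReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: appInsightsConnectionStringSecret
  name: guid(appInsightsConnectionStringSecret.id, appService.id, keyVaultSecretsUserRoleId)
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: appService.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```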
