cleanup

Altinn · Oct 16, 2024 · 34afe72 · 34afe72
2 parents 1a93bda + 462f908
commit 34afe72
Show file tree

Hide file tree

Showing 15 changed files with 273 additions and 6 deletions.
diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep
@@ -0,0 +1,175 @@
+targetScope = 'resourceGroup'
+
+@description('The tag of the image to be used')
+@minLength(3)
+param imageTag string
+
+@description('The environment for the deployment')
+@minLength(3)
+param environment string
+
+@description('The location where the resources will be deployed')
+@minLength(3)
+param location string
+
+@description('The suffix for the revision of the container app')
+@minLength(3)
+param revisionSuffix string
+
+@description('CPU and memory resources for the container app')
+param resources object?
+
+@description('The name of the container app environment')
+@minLength(3)
+param containerAppEnvironmentName string
+
+@description('The name of the Service Bus namespace')
+@minLength(3)
+param serviceBusNamespaceName string
+
+@description('The connection string for Application Insights')
+@minLength(3)
+@secure()
+param appInsightConnectionString string
+
+@description('The name of the App Configuration store')
+@minLength(5)
+param appConfigurationName string
+
+@description('The name of the Key Vault for the environment')
+@minLength(3)
+param environmentKeyVaultName string
+
+var namePrefix = 'dp-be-${environment}'
+var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
+var tags = {
+  Environment: environment
+  Product: 'Dialogporten'
+}
+
+resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigurationName
+}
+
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
+  name: containerAppEnvironmentName
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-service-identity'
+  location: location
+  tags: tags
+}
+
+var containerAppEnvVars = [
+  {
+    name: 'ASPNETCORE_ENVIRONMENT'
+    value: environment
+  }
+  {
+    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+    value: appInsightConnectionString
+  }
+  {
+    name: 'AZURE_APPCONFIG_URI'
+    value: appConfiguration.properties.endpoint
+  }
+  {
+    name: 'ASPNETCORE_URLS'
+    value: 'http://+:8080'
+  }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
+]
+
+resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: environmentKeyVaultName
+}
+
+var serviceName = 'service'
+
+var containerAppName = '${namePrefix}-${serviceName}'
+
+var port = 8080
+
+var probes = [
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Liveness'
+    httpGet: {
+      path: '/healthz'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Readiness'
+    httpGet: {
+      path: '/healthz'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Startup'
+    httpGet: {
+      path: '/healthz'
+      port: port
+    }
+  }
+]
+
+module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'keyVaultReaderAccessPolicy-${containerAppName}'
+  params: {
+    keyvaultName: environmentKeyVaultResource.name
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
+  name: 'appConfigReaderAccessPolicy-${containerAppName}'
+  params: {
+    appConfigurationName: appConfigurationName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module serviceBusOwnerAccessPolicy '../../modules/serviceBus/addDataOwnerRoles.bicep' = {
+  name: 'serviceBusOwnerAccessPolicy-${containerAppName}'
+  params: {
+    serviceBusNamespaceName: serviceBusNamespaceName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module containerApp '../../modules/containerApp/main.bicep' = {
+  name: containerAppName
+  params: {
+    name: containerAppName
+    image: '${baseImageUrl}${serviceName}:${imageTag}'
+    location: location
+    envVariables: containerAppEnvVars
+    containerAppEnvId: containerAppEnvironment.id
+    tags: tags
+    resources: resources
+    probes: probes
+    port: port
+    revisionSuffix: revisionSuffix
+    userAssignedIdentityId: managedIdentity.id
+    // TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided
+  }
+  dependsOn: [
+    keyVaultReaderAccessPolicy
+    appConfigReaderAccessPolicy
+    serviceBusOwnerAccessPolicy
+  ]
+}
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName
diff --git a/.azure/applications/service/prod.bicepparam b/.azure/applications/service/prod.bicepparam
@@ -0,0 +1,12 @@
+using './main.bicep'
+
+param environment = 'prod'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/service/staging.bicepparam b/.azure/applications/service/staging.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'staging'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/service/test.bicepparam b/.azure/applications/service/test.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
@@ -37,6 +37,10 @@ param scale object = {
   maxReplicas: 1 // temp disable scaling by default for outbox scheduling
 }
 
+// TODO: Refactor to make userAssignedIdentityId a required parameter once all container apps use user-assigned identities
+@description('The ID of the user-assigned managed identity (optional)')
+param userAssignedIdentityId string = ''
+
 // Container app revision name does not allow '.' character
 var cleanedRevisionSuffix = replace(revisionSuffix, '.', '-')
 
@@ -56,12 +60,19 @@ var ingress = {
   ipSecurityRestrictions: ipSecurityRestrictions
 }
 
+var identityConfig = empty(userAssignedIdentityId) ? {
+  type: 'SystemAssigned'
+} : {
+  type: 'UserAssigned'
+  userAssignedIdentities: {
+    '${userAssignedIdentityId}': {}
+  }
+}
+
 resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: name
   location: location
-  identity: {
-    type: 'SystemAssigned'
-  }
+  identity: identityConfig
   properties: {
     configuration: {
       ingress: ingress
@@ -84,6 +95,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   tags: tags
 }
 
-output identityPrincipalId string = containerApp.identity.principalId
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(userAssignedIdentityId)) {
+  name: last(split(userAssignedIdentityId, '/'))
+}
+
+output identityPrincipalId string = empty(userAssignedIdentityId) ? containerApp.identity.principalId : managedIdentity.properties.principalId
 output name string = containerApp.name
 output revisionName string = containerApp.properties.latestRevisionName
diff --git a/.azure/modules/serviceBus/addDataOwnerRoles.bicep b/.azure/modules/serviceBus/addDataOwnerRoles.bicep
@@ -0,0 +1,27 @@
+@description('The name of the Service Bus namespace')
+param serviceBusNamespaceName string
+
+@description('Array of principal IDs to assign the Azure Service Bus Data Owner role to')
+param principalIds array
+
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2023-01-01-preview' existing = {
+  name: serviceBusNamespaceName
+}
+
+@description('This is the built-in Azure Service Bus Data Owner role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-owner')
+resource serviceBusDataOwnerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: '090c5cfd-751d-490a-894a-3ce6f1109419'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for principalId in principalIds: {
+    scope: serviceBusNamespace
+    name: guid(serviceBusNamespace.id, principalId, serviceBusDataOwnerRoleDefinition.id)
+    properties: {
+      roleDefinitionId: serviceBusDataOwnerRoleDefinition.id
+      principalId: principalId
+      principalType: 'ServicePrincipal'
+    }
+  }
+]
diff --git a/.azure/modules/serviceBus/main.bicep b/.azure/modules/serviceBus/main.bicep
@@ -32,7 +32,7 @@ param sku Sku
 var serviceBusNameMaxLength = 50
 var serviceBusName = uniqueResourceName('${namePrefix}-service-bus', serviceBusNameMaxLength)
 
-resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2023-01-01-preview' = {
   name: serviceBusName
   location: location
   sku: sku

diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
@@ -101,6 +101,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-prod.yml b/.github/workflows/ci-cd-prod.yml
@@ -73,6 +73,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: prod
       region: norwayeast
@@ -96,6 +97,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: prod
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request-release-please.yml b/.github/workflows/ci-cd-pull-request-release-please.yml
@@ -58,6 +58,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
@@ -82,6 +82,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
@@ -65,6 +65,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/dispatch-apps.yml b/.github/workflows/dispatch-apps.yml
@@ -54,6 +54,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: ${{ inputs.environment }}
       region: norwayeast

diff --git a/.github/workflows/workflow-deploy-apps.yml b/.github/workflows/workflow-deploy-apps.yml
@@ -20,6 +20,8 @@ on:
         required: true
       AZURE_APP_CONFIGURATION_NAME:
         required: true
+      AZURE_SERVICE_BUS_NAMESPACE_NAME:
+        required: true
 
     inputs:
       region:
@@ -145,6 +147,7 @@ jobs:
           - name: web-api-eu
           - name: web-api-so
           - name: graphql
+          - name: service
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write
@@ -174,6 +177,7 @@ jobs:
           AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
           AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
           AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+          AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
         with:
           scope: resourcegroup
           template: ./.azure/applications/${{ matrix.name }}/main.bicep
@@ -198,6 +202,7 @@ jobs:
           AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
           AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
           AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+          AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
         with:
           scope: resourcegroup
           template: ./.azure/applications/${{ matrix.name }}/main.bicep

diff --git a/README.md b/README.md
@@ -347,7 +347,7 @@ Ensure you have followed the steps in [Deploying a new infrastructure environmen
 
 Use the following steps:
 
-- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME`
+- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME`, `AZURE_SERVICE_BUS_NAMESPACE_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME`
 
 - Add new parameter files for the environment in all applications `.azure/applications/*/<env>.bicepparam`