From a309044bd40d9a56c453496aab9122b8f6c67adb Mon Sep 17 00:00:00 2001 
From: Are Almaas Date: Wed, 16 Oct 2024 12:24:32 +0200 Subject: [PATCH 1/5] feat(service): deploy application in container apps (#1303) ## Description - Added Service in all environments in container app. Using webapi for now until Service is ready - Added a user-assigned identity instead of the managed identity created by the container app, to avoid potential race conditions. This should be required eventually for all container apps. Making it optional for now. ## Related Issue(s) - #1301 ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable) ## Summary by CodeRabbit - **New Features** - Introduced a new infrastructure configuration for deploying a container application in Azure. - Added support for multiple environments (production, staging, test) with dynamic parameter management. - Enhanced identity management for the container app, allowing for user-assigned identities. - **Bug Fixes** - Improved health probe configurations for better application monitoring. - **Documentation** - Updated workflow to include deployment capabilities for the new service component. 
--- .azure/applications/service/main.bicep | 161 ++++++++++++++++++ .azure/applications/service/prod.bicepparam | 12 ++ .../applications/service/staging.bicepparam | 12 ++ .azure/applications/service/test.bicepparam | 12 ++ .azure/modules/containerApp/main.bicep | 23 ++- .github/workflows/workflow-deploy-apps.yml | 1 + 6 files changed, 217 insertions(+), 4 deletions(-) create mode 100644 .azure/applications/service/main.bicep create mode 100644 .azure/applications/service/prod.bicepparam create mode 100644 .azure/applications/service/staging.bicepparam create mode 100644 .azure/applications/service/test.bicepparam diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep new file mode 100644 index 000000000..d037ce8fe --- /dev/null +++ b/.azure/applications/service/main.bicep 
@@ -0,0 +1,161 @@ +targetScope = 'resourceGroup' + +@description('The tag of the image to be used') +@minLength(3) +param imageTag string + +@description('The environment for the deployment') +@minLength(3) +param environment string + +@description('The location where the resources will be deployed') +@minLength(3) +param location string + +@description('The suffix for the revision of the container app') +@minLength(3) +param revisionSuffix string + +@description('CPU and memory resources for the container app') +param resources object? + +@description('The name of the container app environment') +@minLength(3) +@secure() +param containerAppEnvironmentName string + +@description('The connection string for Application Insights') +@minLength(3) +@secure() +param appInsightConnectionString string + +@description('The name of the App Configuration store') +@minLength(5) +param appConfigurationName string + +@description('The name of the Key Vault for the environment') +@minLength(3) +param environmentKeyVaultName string + +var namePrefix = 'dp-be-${environment}' +var baseImageUrl = 'ghcr.io/digdir/dialogporten-' +var tags = { + Environment: environment + Product: 'Dialogporten' +} + +resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { + name: appConfigurationName +} + +resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = { + name: containerAppEnvironmentName +} + +var containerAppEnvVars = [ + { + name: 'ASPNETCORE_ENVIRONMENT' + value: environment + } + { + name: 'APPLICATIONINSIGHTS_CONNECTION_STRING' + value: appInsightConnectionString + } + { + name: 'AZURE_APPCONFIG_URI' + value: appConfiguration.properties.endpoint + } + { + name: 'ASPNETCORE_URLS' + value: 'http://+:8080' + } +] + +resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { + name: environmentKeyVaultName +} + +var serviceName = 'service' + +var containerAppName = 
'${namePrefix}-${serviceName}' + +var port = 8080 + +var probes = [ + { + periodSeconds: 5 + initialDelaySeconds: 2 + type: 'Liveness' + httpGet: { + path: '/health/liveness' + port: port + } + } + { + periodSeconds: 5 + initialDelaySeconds: 2 + type: 'Readiness' + httpGet: { + path: '/health/readiness' + port: port + } + } + { + periodSeconds: 5 + initialDelaySeconds: 2 + type: 'Startup' + httpGet: { + path: '/health/startup' + port: port + } + } +] + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: '${namePrefix}-service-identity' + location: location + tags: tags +} + +module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = { + name: 'keyVaultReaderAccessPolicy-${containerAppName}' + params: { + keyvaultName: environmentKeyVaultResource.name + principalIds: [managedIdentity.properties.principalId] + } +} + +module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = { + name: 'appConfigReaderAccessPolicy-${containerAppName}' + params: { + appConfigurationName: appConfigurationName + principalIds: [managedIdentity.properties.principalId] + } +} + +module containerApp '../../modules/containerApp/main.bicep' = { + name: containerAppName + params: { + name: containerAppName + // todo: make this dynamic based on service name. Using webapi for now. 
+ // image: '${baseImageUrl}${serviceName}:${imageTag}' + image: '${baseImageUrl}webapi:${imageTag}' + location: location + envVariables: containerAppEnvVars + containerAppEnvId: containerAppEnvironment.id + tags: tags + resources: resources + probes: probes + port: port + revisionSuffix: revisionSuffix + userAssignedIdentityId: managedIdentity.id + // TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided + } + dependsOn: [ + keyVaultReaderAccessPolicy + appConfigReaderAccessPolicy + ] +} + +output name string = containerApp.outputs.name +output revisionName string = containerApp.outputs.revisionName diff --git a/.azure/applications/service/prod.bicepparam b/.azure/applications/service/prod.bicepparam new file mode 100644 index 000000000..7abc5dfbb --- /dev/null +++ b/.azure/applications/service/prod.bicepparam @@ -0,0 +1,12 @@ +using './main.bicep' + +param environment = 'prod' +param location = 'norwayeast' +param imageTag = readEnvironmentVariable('IMAGE_TAG') +param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') + +// secrets +param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/applications/service/staging.bicepparam b/.azure/applications/service/staging.bicepparam new file mode 100644 index 000000000..8f45eca13 --- /dev/null +++ b/.azure/applications/service/staging.bicepparam 
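Review bot: `appInsightConnectionString` is declared `@secure()` but is then copied into the `containerAppEnvVars` variable as a plain `value` and handed to the containerApp module through `envVariables`, so the protection the decorator gives ends at this file. If the module's `envVariables` parameter is an ordinary array (it is not visible in this hunk), the connection string would be stored readable in the nested deployment's parameters and in the container app's environment definition. Consider registering it as a container app secret and referencing it from the env entry with `secretRef: 'appinsights-connection-string'` instead of `value:` (secret name constructed here for illustration), which needs the module to accept a secrets list. If the value is not treated as sensitive, drop `@secure()` so the template does not suggest a guarantee it does not provide.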
@@ -0,0 +1,12 @@ +using './main.bicep' + +param environment = 'staging' +param location = 'norwayeast' +param imageTag = readEnvironmentVariable('IMAGE_TAG') +param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') + +// secrets +param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/applications/service/test.bicepparam b/.azure/applications/service/test.bicepparam new file mode 100644 index 000000000..b3f5fed67 --- /dev/null +++ b/.azure/applications/service/test.bicepparam @@ -0,0 +1,12 @@ +using './main.bicep' + +param environment = 'test' +param location = 'norwayeast' +param imageTag = readEnvironmentVariable('IMAGE_TAG') +param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') + +// secrets +param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep index 7eb404bef..503a56da9 100644 --- a/.azure/modules/containerApp/main.bicep +++ b/.azure/modules/containerApp/main.bicep 
@@ -31,6 +31,10 @@ param revisionSuffix string @description('The probes for the container app') param probes array = [] +// TODO: Refactor to make userAssignedIdentityId a required parameter once all container apps use user-assigned identities +@description('The ID of the user-assigned managed identity (optional)') +param userAssignedIdentityId string = '' + // Container app revision name does not allow '.' character var cleanedRevisionSuffix = replace(revisionSuffix, '.', '-') @@ -50,12 +54,19 @@ var ingress = { ipSecurityRestrictions: ipSecurityRestrictions } +var identityConfig = empty(userAssignedIdentityId) ? { + type: 'SystemAssigned' +} : { + type: 'UserAssigned' + userAssignedIdentities: { + '${userAssignedIdentityId}': {} + } +} + resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { name: name location: location - identity: { - type: 'SystemAssigned' - } + identity: identityConfig properties: { configuration: { ingress: ingress @@ -81,6 +92,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = { tags: tags } -output identityPrincipalId string = containerApp.identity.principalId +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(userAssignedIdentityId)) { + name: last(split(userAssignedIdentityId, '/')) +} + +output identityPrincipalId string = empty(userAssignedIdentityId) ? containerApp.identity.principalId : managedIdentity.properties.principalId output name string = containerApp.name output revisionName string = containerApp.properties.latestRevisionName diff --git a/.github/workflows/workflow-deploy-apps.yml b/.github/workflows/workflow-deploy-apps.yml index 79a87e76f..4caf110ff 100644 --- a/.github/workflows/workflow-deploy-apps.yml +++ b/.github/workflows/workflow-deploy-apps.yml @@ -145,6 +145,7 @@ jobs: - name: web-api-eu - name: web-api-so - name: graphql + - name: service environment: ${{ inputs.environment }} permissions: id-token: write 
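Review bot: The `existing` lookup for `managedIdentity` keeps only the last segment of `userAssignedIdentityId`, so the subscription and resource group in the ID are discarded and the identity is resolved by name in the module's own deployment scope. For an identity created in another resource group, `identityPrincipalId` would either fail to resolve or return the principal of a different identity that happens to share the name, and any role assignment built from that output would go to the wrong principal. Scope the lookup from the ID, e.g. `scope: resourceGroup(split(userAssignedIdentityId, '/')[2], split(userAssignedIdentityId, '/')[4])`, or have the caller pass the principal ID as its own parameter. The current caller in `.azure/applications/service/main.bicep` creates the identity in the same resource group, so this only bites on reuse.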
From b1e6a1495e6ca9cd25a6a8cf060f39456db95c30 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Wed, 16 Oct 2024 13:03:58 +0200 Subject: [PATCH 2/5] fix(service): ensure default credentials work (#1306) ## Description - Add AZURE_CLIENT_ID because it is needed when using user assigned identities: https://github.com/microsoft/azure-container-apps/issues/442 ## Related Issue(s) - #{issue number} ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable) ## Summary by CodeRabbit - **New Features** - Introduced a managed identity for secure access to Azure resources. - Updated environment variable configuration to include `AZURE_CLIENT_ID` for enhanced security. - **Improvements** - Restructured managed identity usage for better resource management and permissions. --- .azure/applications/service/main.bicep | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep index d037ce8fe..1925e1033 100644 --- a/.azure/applications/service/main.bicep +++ b/.azure/applications/service/main.bicep @@ -52,6 +52,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' name: containerAppEnvironmentName } +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: '${namePrefix}-service-identity' + location: location + tags: tags +} + var containerAppEnvVars = [ { name: 'ASPNETCORE_ENVIRONMENT' 
@@ -69,6 +75,10 @@ var containerAppEnvVars = [ name: 'ASPNETCORE_URLS' value: 'http://+:8080' } + { + name: 'AZURE_CLIENT_ID' + value: managedIdentity.properties.clientId + } ] resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { @@ -111,12 +121,6 @@ var probes = [ } ] -resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { - name: '${namePrefix}-service-identity' - location: location - tags: tags -} - module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = { name: 'keyVaultReaderAccessPolicy-${containerAppName}' params: { From 7bf41775fa2e1c343972df75d3e4138647fa5742 Mon Sep 17 00:00:00 2001 
From: Are Almaas Date: Wed, 16 Oct 2024 13:40:07 +0200 Subject: [PATCH 3/5] feat(service): add permissions for service-bus (#1305) ## Description ## Related Issue(s) - #1302 ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable) ## Summary by CodeRabbit - **New Features** - Introduced support for Azure Service Bus integration, including new parameters for configuration. - Added functionality to manage Azure Service Bus role assignments dynamically. - **Bug Fixes** - Updated security handling for the container app environment name. - **Documentation** - Enhanced README with detailed instructions for local development, deployment processes, and database management. - **Chores** - Enhanced CI/CD workflow with new secret variables and input parameters for improved deployment control. --- .azure/applications/service/main.bicep | 14 +++++++++- .azure/applications/service/prod.bicepparam | 6 ++--- .../applications/service/staging.bicepparam | 7 ++--- .azure/applications/service/test.bicepparam | 7 ++--- .../serviceBus/addDataOwnerRoles.bicep | 27 +++++++++++++++++++ .github/workflows/ci-cd-main.yml | 1 + .github/workflows/ci-cd-prod.yml | 2 ++ .../ci-cd-pull-request-release-please.yml | 1 + .github/workflows/ci-cd-pull-request.yml | 1 + .github/workflows/ci-cd-staging.yml | 1 + .github/workflows/dispatch-apps.yml | 1 + .github/workflows/workflow-deploy-apps.yml | 4 +++ README.md | 2 +- 13 files changed, 63 insertions(+), 11 deletions(-) create mode 100644 .azure/modules/serviceBus/addDataOwnerRoles.bicep 
diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep index 1925e1033..1d170855f 100644 --- a/.azure/applications/service/main.bicep +++ b/.azure/applications/service/main.bicep @@ -21,9 +21,12 @@ param resources object? @description('The name of the container app environment') @minLength(3) -@secure() param containerAppEnvironmentName string +@description('The name of the Service Bus namespace') +@minLength(3) +param serviceBusNamespaceName string + @description('The connection string for Application Insights') @minLength(3) @secure() @@ -137,6 +140,14 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole } } +module serviceBusOwnerAccessPolicy '../../modules/serviceBus/addDataOwnerRoles.bicep' = { + name: 'serviceBusOwnerAccessPolicy-${containerAppName}' + params: { + serviceBusNamespaceName: serviceBusNamespaceName + principalIds: [managedIdentity.properties.principalId] + } +} + module containerApp '../../modules/containerApp/main.bicep' = { name: containerAppName params: { @@ -158,6 +169,7 @@ module containerApp '../../modules/containerApp/main.bicep' = { dependsOn: [ keyVaultReaderAccessPolicy appConfigReaderAccessPolicy + serviceBusOwnerAccessPolicy ] } diff --git a/.azure/applications/service/prod.bicepparam b/.azure/applications/service/prod.bicepparam index 7abc5dfbb..b35e25d76 100644 --- a/.azure/applications/service/prod.bicepparam +++ b/.azure/applications/service/prod.bicepparam 
@@ -4,9 +4,9 @@ param environment = 'prod' param location = 'norwayeast' param imageTag = readEnvironmentVariable('IMAGE_TAG') param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') - -// secrets param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME') +// secrets param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') -param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/applications/service/staging.bicepparam b/.azure/applications/service/staging.bicepparam index 8f45eca13..f1c8a3305 100644 --- a/.azure/applications/service/staging.bicepparam +++ b/.azure/applications/service/staging.bicepparam @@ -4,9 +4,10 @@ param environment = 'staging' param location = 'norwayeast' param imageTag = readEnvironmentVariable('IMAGE_TAG') param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') - -// secrets param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME') + +// secrets param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') -param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/applications/service/test.bicepparam b/.azure/applications/service/test.bicepparam index b3f5fed67..87c700860 100644 --- a/.azure/applications/service/test.bicepparam 
+++ b/.azure/applications/service/test.bicepparam @@ -4,9 +4,10 @@ param environment = 'test' param location = 'norwayeast' param imageTag = readEnvironmentVariable('IMAGE_TAG') param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') - -// secrets param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') +param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') +param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME') + +// secrets param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') -param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') diff --git a/.azure/modules/serviceBus/addDataOwnerRoles.bicep b/.azure/modules/serviceBus/addDataOwnerRoles.bicep new file mode 100644 index 000000000..fe263062a --- /dev/null +++ b/.azure/modules/serviceBus/addDataOwnerRoles.bicep 
@@ -0,0 +1,27 @@ +@description('The name of the Service Bus namespace') +param serviceBusNamespaceName string + +@description('Array of principal IDs to assign the Azure Service Bus Data Owner role to') +param principalIds array + +resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { + name: serviceBusNamespaceName +} + +@description('This is the built-in Azure Service Bus Data Owner role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-owner') +resource serviceBusDataOwnerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = { + scope: subscription() + name: '090c5cfd-751d-490a-894a-3ce6f1109419' +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ + for principalId in principalIds: { + scope: serviceBusNamespace + name: guid(serviceBusNamespace.id, principalId, serviceBusDataOwnerRoleDefinition.id) + properties: { + roleDefinitionId: serviceBusDataOwnerRoleDefinition.id + principalId: principalId + principalType: 'ServicePrincipal' + } + } +] diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml index 8918519ae..350c80019 100644 --- a/.github/workflows/ci-cd-main.yml +++ b/.github/workflows/ci-cd-main.yml @@ -101,6 +101,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: test region: norwayeast diff --git a/.github/workflows/ci-cd-prod.yml b/.github/workflows/ci-cd-prod.yml index 9189675f2..37fefee08 100644 --- a/.github/workflows/ci-cd-prod.yml +++ b/.github/workflows/ci-cd-prod.yml 
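Review bot: Azure Service Bus Data Owner, assigned here at namespace scope, allows managing queues, topics and subscriptions as well as sending and receiving on every entity in the namespace, which is more than a message consumer or producer usually needs. `.azure/applications/service/main.bicep` grants it to the service's user-assigned identity through `serviceBusOwnerAccessPolicy`, so a compromise of that container reaches the whole namespace. If the service does not have to create its own topology at runtime, assign the built-in Azure Service Bus Data Sender and/or Data Receiver roles instead; if it does, record that next to the role definition, e.g. `// Data Owner is needed because the service creates its queues/topics at startup`. `principalIds` could also be typed as `string[]` rather than `array`.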
@@ -73,6 +73,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: prod region: norwayeast @@ -96,6 +97,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: prod region: norwayeast diff --git a/.github/workflows/ci-cd-pull-request-release-please.yml b/.github/workflows/ci-cd-pull-request-release-please.yml index 8f559d143..f6a73c4ce 100644 --- a/.github/workflows/ci-cd-pull-request-release-please.yml +++ b/.github/workflows/ci-cd-pull-request-release-please.yml @@ -58,6 +58,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: staging region: norwayeast diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml index 523f85e78..85909d889 100644 --- a/.github/workflows/ci-cd-pull-request.yml +++ b/.github/workflows/ci-cd-pull-request.yml 
@@ -82,6 +82,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: test region: norwayeast diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml index c1a818358..9ae57c024 100644 --- a/.github/workflows/ci-cd-staging.yml +++ b/.github/workflows/ci-cd-staging.yml @@ -65,6 +65,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: staging region: norwayeast diff --git a/.github/workflows/dispatch-apps.yml b/.github/workflows/dispatch-apps.yml index cadcfc066..a23fe7999 100644 --- a/.github/workflows/dispatch-apps.yml +++ b/.github/workflows/dispatch-apps.yml @@ -54,6 +54,7 @@ jobs: AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: environment: ${{ inputs.environment }} region: norwayeast diff --git a/.github/workflows/workflow-deploy-apps.yml b/.github/workflows/workflow-deploy-apps.yml index 4caf110ff..0fc5048cf 100644 --- a/.github/workflows/workflow-deploy-apps.yml +++ b/.github/workflows/workflow-deploy-apps.yml 
@@ -20,6 +20,8 @@ on: required: true AZURE_APP_CONFIGURATION_NAME: required: true + AZURE_SERVICE_BUS_NAMESPACE_NAME: + required: true inputs: region: @@ -175,6 +177,7 @@ jobs: AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: scope: resourcegroup template: ./.azure/applications/${{ matrix.name }}/main.bicep @@ -199,6 +202,7 @@ jobs: AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }} AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }} AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }} + AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }} with: scope: resourcegroup template: ./.azure/applications/${{ matrix.name }}/main.bicep diff --git a/README.md b/README.md index 09f6fdc17..9744e5000 100644 --- a/README.md +++ b/README.md 
@@ -347,7 +347,7 @@ Ensure you have followed the steps in [Deploying a new infrastructure environmen Use the following steps: -- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME` +- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME`, `AZURE_SERVICE_BUS_NAMESPACE_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME` - Add new parameter files for the environment in all applications `.azure/applications/*/.bicepparam` From f620f06ddce528e1174f9a7c0aac3485c5d5ab3d Mon Sep 17 00:00:00 2001 
From: Are Almaas Date: Wed, 16 Oct 2024 13:52:55 +0200 Subject: [PATCH 4/5] chore(servicebus): upgrade version (#1307) ## Description Update to use the new version of servicebus namespace ## Related Issue(s) - #{issue number} ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable) --- .azure/modules/serviceBus/addDataOwnerRoles.bicep | 2 +- .azure/modules/serviceBus/main.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.azure/modules/serviceBus/addDataOwnerRoles.bicep b/.azure/modules/serviceBus/addDataOwnerRoles.bicep index fe263062a..aa0dd5b1a 100644 --- a/.azure/modules/serviceBus/addDataOwnerRoles.bicep +++ b/.azure/modules/serviceBus/addDataOwnerRoles.bicep @@ -4,7 +4,7 @@ param serviceBusNamespaceName string @description('Array of principal IDs to assign the Azure Service Bus Data Owner role to') param principalIds array -resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = { +resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2023-01-01-preview' existing = { name: serviceBusNamespaceName } diff --git a/.azure/modules/serviceBus/main.bicep b/.azure/modules/serviceBus/main.bicep index dca532ff6..74607b134 100644 --- a/.azure/modules/serviceBus/main.bicep +++ b/.azure/modules/serviceBus/main.bicep 
@@ -32,7 +32,7 @@ param sku Sku var serviceBusNameMaxLength = 50 var serviceBusName = uniqueResourceName('${namePrefix}-service-bus', serviceBusNameMaxLength) -resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { +resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2023-01-01-preview' = { name: serviceBusName location: location sku: sku From 462f9080529491775c5763fca6074168ee2d1fdc Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Wed, 16 Oct 2024 14:01:11 +0200 Subject: [PATCH 5/5] chore(service): use correct docker image (#1308) ## Description Using the healthz endpoint before the proper service is deployed ## Related Issue(s) - #1301 ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable) --- .azure/applications/service/main.bicep | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep index 1d170855f..5fb8a62dd 100644 --- a/.azure/applications/service/main.bicep +++ b/.azure/applications/service/main.bicep @@ -100,7 +100,7 @@ var probes = [ initialDelaySeconds: 2 type: 'Liveness' httpGet: { - path: '/health/liveness' + path: '/healthz' port: port } } @@ -109,7 +109,7 @@ var probes = [ initialDelaySeconds: 2 type: 'Readiness' httpGet: { - path: '/health/readiness' + path: '/healthz' port: port } } @@ -118,7 +118,7 @@ var probes = [ initialDelaySeconds: 2 type: 'Startup' httpGet: { - path: '/health/startup' + path: '/healthz' port: port } } 
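Review bot: Liveness, readiness and startup now all probe the same `/healthz` path, so the platform can no longer tell a running process apart from one that is ready to take traffic; a dependency-aware readiness check, if the image has one, is bypassed. The commit description says this is temporary until the proper service is deployed, but nothing in the file records that. Add a marker above `var probes`, e.g. `// TODO: restore /health/liveness, /health/readiness and /health/startup once the service image exposes them`, so the shortcut does not become permanent. The `probes` array starts and ends outside these hunks.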
@@ -152,9 +152,7 @@ module containerApp '../../modules/containerApp/main.bicep' = { name: containerAppName params: { name: containerAppName - // todo: make this dynamic based on service name. Using webapi for now. - // image: '${baseImageUrl}${serviceName}:${imageTag}' - image: '${baseImageUrl}webapi:${imageTag}' + image: '${baseImageUrl}${serviceName}:${imageTag}' location: location envVariables: containerAppEnvVars containerAppEnvId: containerAppEnvironment.id