Merge branch 'main' into chore/harden-e2e-tests

Altinn · Oct 17, 2024 · 6f32e89 · 6f32e89
2 parents 298db03 + 0072488
commit 6f32e89
Show file tree

Hide file tree

Showing 32 changed files with 779 additions and 87 deletions.
diff --git a/.azure/applications/graphql/main.bicep b/.azure/applications/graphql/main.bicep
@@ -1,5 +1,7 @@
 targetScope = 'resourceGroup'
 
+import { Scale } from '../../modules/containerApp/main.bicep'
+
 @description('The tag of the image to be used')
 @minLength(3)
 param imageTag string
@@ -106,6 +108,34 @@ var probes = [
   }
 ]
 
+@description('The scaling configuration for the container app')
+param scale Scale = {
+  minReplicas: 2
+  maxReplicas: 10
+  rules: [
+    {
+      name: 'cpu'
+      custom: {
+        type: 'cpu'
+        metadata: {
+          type: 'Utilization'
+          value: '70'
+        }
+      }
+    }
+    {
+      name: 'memory'
+      custom: {
+        type: 'memory'
+        metadata: {
+          type: 'Utilization'
+          value: '70'
+        }
+      }
+    }
+  ]
+}
+
 resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: environmentKeyVaultName
 }
@@ -126,6 +156,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     revisionSuffix: revisionSuffix
     probes: probes
     port: port
+    scale: scale
   }
 }
 

diff --git a/.azure/applications/graphql/yt01.bicepparam b/.azure/applications/graphql/yt01.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param apimIp = '51.13.85.197'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep
@@ -0,0 +1,177 @@
+targetScope = 'resourceGroup'
+
+@description('The tag of the image to be used')
+@minLength(3)
+param imageTag string
+
+@description('The environment for the deployment')
+@minLength(3)
+param environment string
+
+@description('The location where the resources will be deployed')
+@minLength(3)
+param location string
+
+@description('The suffix for the revision of the container app')
+@minLength(3)
+param revisionSuffix string
+
+@description('CPU and memory resources for the container app')
+param resources object?
+
+@description('The name of the container app environment')
+@minLength(3)
+param containerAppEnvironmentName string
+
+@description('The name of the Service Bus namespace')
+@minLength(3)
+param serviceBusNamespaceName string
+
+@description('The connection string for Application Insights')
+@minLength(3)
+@secure()
+param appInsightConnectionString string
+
+@description('The name of the App Configuration store')
+@minLength(5)
+param appConfigurationName string
+
+@description('The name of the Key Vault for the environment')
+@minLength(3)
+param environmentKeyVaultName string
+
+var namePrefix = 'dp-be-${environment}'
+var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
+var tags = {
+  Environment: environment
+  Product: 'Dialogporten'
+}
+
+resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigurationName
+}
+
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
+  name: containerAppEnvironmentName
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-service-identity'
+  location: location
+  tags: tags
+}
+
+var containerAppEnvVars = [
+  {
+    name: 'ASPNETCORE_ENVIRONMENT'
+    value: environment
+  }
+  {
+    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+    value: appInsightConnectionString
+  }
+  {
+    name: 'AZURE_APPCONFIG_URI'
+    value: appConfiguration.properties.endpoint
+  }
+  {
+    name: 'ASPNETCORE_URLS'
+    value: 'http://+:8080'
+  }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
+]
+
+resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: environmentKeyVaultName
+}
+
+var serviceName = 'service'
+
+var containerAppName = '${namePrefix}-${serviceName}'
+
+var port = 8080
+
+var probes = [
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Liveness'
+    httpGet: {
+      path: '/health/liveness'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Readiness'
+    httpGet: {
+      path: '/health/readiness'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Startup'
+    httpGet: {
+      path: '/health/startup'
+      port: port
+    }
+  }
+]
+
+module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'keyVaultReaderAccessPolicy-${containerAppName}'
+  params: {
+    keyvaultName: environmentKeyVaultResource.name
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
+  name: 'appConfigReaderAccessPolicy-${containerAppName}'
+  params: {
+    appConfigurationName: appConfigurationName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module serviceBusOwnerAccessPolicy '../../modules/serviceBus/addDataOwnerRoles.bicep' = {
+  name: 'serviceBusOwnerAccessPolicy-${containerAppName}'
+  params: {
+    serviceBusNamespaceName: serviceBusNamespaceName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module containerApp '../../modules/containerApp/main.bicep' = {
+  name: containerAppName
+  params: {
+    name: containerAppName
+    // todo: make this dynamic based on service name. Using webapi for now.
+    // image: '${baseImageUrl}${serviceName}:${imageTag}'
+    image: '${baseImageUrl}webapi:${imageTag}'
+    location: location
+    envVariables: containerAppEnvVars
+    containerAppEnvId: containerAppEnvironment.id
+    tags: tags
+    resources: resources
+    probes: probes
+    port: port
+    revisionSuffix: revisionSuffix
+    userAssignedIdentityId: managedIdentity.id
+    // TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided
+  }
+  dependsOn: [
+    keyVaultReaderAccessPolicy
+    appConfigReaderAccessPolicy
+    serviceBusOwnerAccessPolicy
+  ]
+}
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName
diff --git a/.azure/applications/service/prod.bicepparam b/.azure/applications/service/prod.bicepparam
@@ -0,0 +1,12 @@
+using './main.bicep'
+
+param environment = 'prod'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/service/staging.bicepparam b/.azure/applications/service/staging.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'staging'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/service/test.bicepparam b/.azure/applications/service/test.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/service/yt01.bicepparam b/.azure/applications/service/yt01.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/sync-subject-resource-mappings-job/yt01.bicepparam b/.azure/applications/sync-subject-resource-mappings-job/yt01.bicepparam
@@ -0,0 +1,11 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param jobSchedule = '*/5 * * * *' // Runs every 5 minutes
+
+//secrets
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
diff --git a/.azure/applications/web-api-eu/main.bicep b/.azure/applications/web-api-eu/main.bicep
@@ -1,5 +1,7 @@
 targetScope = 'resourceGroup'
 
+import { Scale } from '../../modules/containerApp/main.bicep'
+
 @description('The tag of the image to be used')
 @minLength(3)
 param imageTag string
@@ -77,6 +79,34 @@ var containerAppEnvVars = [
   }
 ]
 
+@description('The scaling configuration for the container app')
+param scale Scale = {
+  minReplicas: 2
+  maxReplicas: 10
+  rules: [
+    {
+      name: 'cpu'
+      custom: {
+        type: 'cpu'
+        metadata: {
+          type: 'Utilization'
+          value: '70'
+        }
+      }
+    }
+    {
+      name: 'memory'
+      custom: {
+        type: 'memory'
+        metadata: {
+          type: 'Utilization'
+          value: '70'
+        }
+      }
+    }
+  ]
+}
+
 resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: environmentKeyVaultName
 }
@@ -128,6 +158,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     resources: resources
     probes: probes
     revisionSuffix: revisionSuffix
+    scale: scale
   }
 }
 

diff --git a/.azure/applications/web-api-eu/yt01.bicepparam b/.azure/applications/web-api-eu/yt01.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param apimIp = '51.13.85.197'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
diff --git a/.azure/applications/web-api-migration-job/yt01.bicepparam b/.azure/applications/web-api-migration-job/yt01.bicepparam
@@ -0,0 +1,9 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+
+//secrets
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
diff --git a/.azure/applications/web-api-so/yt01.bicepparam b/.azure/applications/web-api-so/yt01.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'yt01'
+param location = 'norwayeast'
+param apimIp = '51.13.85.197'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')