ci: refactor deployment of infrastructure and add PR validation

.azure/.test.bicepparam

@@ -0,0 +1,12 @@
+using 'main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+param keyVaultSourceKeys = json(readEnvironmentVariable('KEYVAULT_SOURCE_KEYS', '[]'))
+param gitSha = readEnvironmentVariable('GIT_SHA', '')
+
+param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD', '')
+param apiManagementDigDirEmail = readEnvironmentVariable('APIM_DIGDIR_EMAIL', '')
+param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEYVAULT_SUBSCRIPTION_ID', '')
+param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEYVAULT_RESOURCE_GROUP', '')
+param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEYVAULT_NAME', '')

.azure/apim/addBackends.bicep

@@ -1,4 +1,4 @@
-param apiManagementName string 
+param apiManagementName string
 param containerAppEnvName string
 param webApiSoName string
 param webApiEuName string
@@ -19,7 +19,7 @@ resource webApiEu 'Microsoft.App/containerApps@2023-05-01' existing = {
   name: webApiEuName
 }
 
-var managementBaseUrl = 'https://management.azure.com'
+var managementBaseUrl = environment().resourceManager
 
 var webApiSoFqdn = 'https://${webApiSoName}.${containerAppEnv.properties.defaultDomain}'
 resource serviceownerBackend 'Microsoft.ApiManagement/service/backends@2022-08-01' = {
@@ -65,14 +65,14 @@ resource apimPolicy 'Microsoft.ApiManagement/service/policies@2023-03-01-preview
       <inbound>
         <choose>
     <when condition="@(context.Request.Url.Path != null &amp;&amp; Regex.IsMatch(context.Request.Url.Path, @&quot;^api/[^/]+/enduser/&quot;) || context.Request.Url.Path.StartsWith(&quot;swagger&quot;))">
-    ''', 
-    '<set-backend-service backend-id="${enduserBackend.name}" />',
-    '''
+    ''',
+      '<set-backend-service backend-id="${enduserBackend.name}" />',
+      '''
           </when>
           <when condition="@(context.Request.Url.Path != null &amp;&amp; Regex.IsMatch(context.Request.Url.Path, @&quot;^api/[^/]+/serviceowner/&quot;))">
-    ''', 
-    '<set-backend-service backend-id="${serviceownerBackend.name}" />', 
-    '''
+    ''',
+      '<set-backend-service backend-id="${serviceownerBackend.name}" />',
+      '''
           </when>
           <otherwise>
             <return-response>
@@ -111,7 +111,7 @@ resource defaultApi 'Microsoft.ApiManagement/service/apis@2023-03-01-preview' =
     path: ''
   }
 
-  resource operations 'operations' = [for operation in ['DELETE', 'GET', 'POST', 'PUT', 'PATCH', 'OPTIONS', 'HEAD', 'TRACE'] : {
+  resource operations 'operations' = [for operation in [ 'DELETE', 'GET', 'POST', 'PUT', 'PATCH', 'OPTIONS', 'HEAD', 'TRACE' ]: {
     name: toLower(operation)
     properties: {
       displayName: operation

.azure/apim/create.bicep

@@ -13,6 +13,19 @@ resource apim 'Microsoft.ApiManagement/service@2023-03-01-preview' = {
     publisherEmail: publisherEmail
     publisherName: 'Digitaliseringsdirektoratet'
     developerPortalStatus: 'Disabled'
+    legacyPortalStatus: 'Enabled'
+    publicNetworkAccess: 'Enabled'
+    natGatewayState: 'Disabled'
+    customProperties: {
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'False'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'False'
+    }
   }
 }
 

.azure/applicationInsights/create.bicep

@@ -4,6 +4,15 @@ param location string
 resource appInsightsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
     name: '${namePrefix}-insightsWorkspace'
     location: location
+    properties: {
+        retentionInDays: 30
+        sku: {
+            name: 'PerGB2018'
+        }
+        workspaceCapping: {
+            dailyQuotaGb: -1
+        }
+    }
 }
 
 resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
@@ -13,6 +22,8 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
     properties: {
         Application_Type: 'web'
         WorkspaceResourceId: appInsightsWorkspace.id
+        Flow_Type: 'Bluefield'
+        Request_Source: 'rest'
     }
 }
 

.azure/functionApp/slackNotifier.bicep

@@ -71,7 +71,7 @@ module updateAppSettings 'appSettings.bicep' = {
 }
 
 var defaultFunctionKey = listkeys('${functionApp.id}/host/default', '2023-01-01').functionKeys.default
-
+var forwardAlertToSlackTriggerUrl = 'https://${functionApp.properties.defaultHostName}/api/forwardalerttoslack?code=${defaultFunctionKey}'
 resource notifyDevTeam 'Microsoft.Insights/actionGroups@2023-01-01' = {
     name: '${namePrefix}-notify-devteam-ag'
     location: 'Global'
@@ -83,7 +83,7 @@ resource notifyDevTeam 'Microsoft.Insights/actionGroups@2023-01-01' = {
                 name: functionApp.properties.defaultHostName
                 functionName: 'ForwardAlertToSlack'
                 functionAppResourceId: functionApp.id
-                httpTriggerUrl: 'https://${functionApp.properties.defaultHostName}/api/forwardalerttoslack?code=${defaultFunctionKey}'
+                httpTriggerUrl: forwardAlertToSlackTriggerUrl
                 useCommonAlertSchema: true
             }
         ]
@@ -94,6 +94,7 @@ resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-
     name: '${namePrefix}-exception-occured-sqr'
     location: location
     properties: {
+        enabled: true
         severity: 1
         evaluationFrequency: 'PT5M'
         windowSize: 'PT5M'

.azure/main.bicep

@@ -2,11 +2,27 @@ targetScope = 'subscription'
 @minLength(3)
 param environment string
 param location string
-param keyVault object
+param keyVaultSourceKeys array
 param gitSha string
 
 @secure()
-param secrets object
+param dialogportenPgAdminPassword string
+@secure()
+param apiManagementDigDirEmail string
+@secure()
+param sourceKeyVaultSubscriptionId string
+@secure()
+param sourceKeyVaultResourceGroup string
+@secure()
+param sourceKeyVaultName string
+
+var secrets = {
+    dialogportenPgAdminPassword: dialogportenPgAdminPassword
+    apiManagementDigDirEmail: apiManagementDigDirEmail
+    sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
+    sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
+    sourceKeyVaultName: sourceKeyVaultName
+}
 
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
@@ -82,15 +98,15 @@ module postgresql 'postgreSql/create.bicep' = {
         keyVaultName: keyVaultModule.outputs.name
         srcKeyVault: srcKeyVault
         srcSecretName: 'dialogportenPgAdminPassword${environment}'
-        administratorLoginPassword: contains(keyVault.source.keys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
+        administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
     }
 }
 
 module copyEnvironmentSecrets 'keyvault/copySecrets.bicep' = {
     scope: resourceGroup
     name: 'copyEnvironmentSecrets'
     params: {
-        srcKeyVaultKeys: keyVault.source.keys
+        srcKeyVaultKeys: keyVaultSourceKeys
         srcKeyVaultName: secrets.sourceKeyVaultName
         srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
         srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
@@ -102,7 +118,7 @@ module copyEnvironmentSecrets 'keyvault/copySecrets.bicep' = {
 module copyCrossEnvironmentSecrets 'keyvault/copySecrets.bicep' = {
     scope: resourceGroup
     name: 'copyCrossEnvironmentSecrets'
-    params: { srcKeyVaultKeys: keyVault.source.keys
+    params: { srcKeyVaultKeys: keyVaultSourceKeys
         srcKeyVaultName: secrets.sourceKeyVaultName
         srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
         srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId

.azure/postgreSql/create.bicep

@@ -26,44 +26,55 @@ var databaseName = 'dialogporten'
 //}
 
 module saveAdmPassword '../keyvault/upsertSecret.bicep' = {
-	name: 'Save_${srcSecretName}'
-	scope: resourceGroup(srcKeyVault.subscriptionId, srcKeyVault.resourceGroupName)
-	params: {
-		destKeyVaultName: srcKeyVault.name
-		secretName: srcSecretName
-		secretValue: administratorLoginPassword
-	}
+    name: 'Save_${srcSecretName}'
+    scope: resourceGroup(srcKeyVault.subscriptionId, srcKeyVault.resourceGroupName)
+    params: {
+        destKeyVaultName: srcKeyVault.name
+        secretName: srcSecretName
+        secretValue: administratorLoginPassword
+    }
 }
 
 resource postgres 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
-	name: '${namePrefix}-postgres'
-	location: location
-	properties: {
-		version: '15'
-		administratorLogin: administratorLogin
-		administratorLoginPassword: administratorLoginPassword
-		storage: { storageSizeGB: 32 }
-	}
-	sku: {
-		name: 'Standard_B1ms'
-		tier: 'Burstable'
-	}
-	resource database 'databases' = {
-		name: databaseName
-	}
-	resource allowAzureAccess 'firewallRules' = {
-		name: 'AllowAccessFromAzure'
-		properties: {
-			startIpAddress: '0.0.0.0'
-			endIpAddress: '0.0.0.0'
-		}
-	}
-	//resource configurations 'configurations' = [for config in items(postgresqlConfiguration): {
-	//	name: config.key
-	//	properties: {
- //           value: config.value
- //       }
-	//}]
+    name: '${namePrefix}-postgres'
+    location: location
+    properties: {
+        version: '15'
+        administratorLogin: administratorLogin
+        administratorLoginPassword: administratorLoginPassword
+        storage: { storageSizeGB: 32 }
+        authConfig: {
+            activeDirectoryAuth: 'Disabled'
+        }
+        dataEncryption: {
+            type: 'SystemManaged'
+        }
+        replicationRole: 'Primary'
+    }
+    sku: {
+        name: 'Standard_B1ms'
+        tier: 'Burstable'
+    }
+    resource database 'databases' = {
+        name: databaseName
+        properties: {
+            charset: 'UTF8'
+            collation: 'en_US.utf8'
+        }
+    }
+    resource allowAzureAccess 'firewallRules' = {
+        name: 'AllowAccessFromAzure'
+        properties: {
+            startIpAddress: '0.0.0.0'
+            endIpAddress: '0.0.0.0'
+        }
+    }
+    //resource configurations 'configurations' = [for config in items(postgresqlConfiguration): {
+    //	name: config.key
+    //	properties: {
+    //           value: config.value
+    //       }
+    //}]
 }
 
 module adoConnectionString '../keyvault/upsertSecret.bicep' = {