feat(pipeline): Fix pipeline to use key vault instead of app setting …

…config and add key vault info to apps in terraform

.github/actions/database-migration/action.yml

@@ -20,7 +20,13 @@ inputs:
   az_firewall_rule_name:
     required: true
     type: string
-
+  general_key_vault:
+    required: true
+    type: string
+  keyvault_prefix:
+    required: true
+    type: string
+
 runs:
   using: composite
 
@@ -39,8 +45,11 @@ runs:
         az_firewall_rule_name: ${{ inputs.az_firewall_rule_name }}
 
     - name: Apply Database Migration
-      shell: bash
-      run: dotnet ef database update -c ${{ inputs.db_context }} --project ${{ inputs.data_project_path }} --startup-project ${{ inputs.startup_project_path }}
+      shell: pwsh
+      run:  |-
+        dotnet user-secrets set "AppConfiguration:KeyVaultIdentifier" "${{ inputs.general_key_vault }}" --project ${{ inputs.startup_project_path }}
+        dotnet user-secrets set "AppConfiguration:KeyVaultPrefix" "${{ inputs.keyvault_prefix }}" --project ${{ inputs.startup_project_path }}
+        dotnet ef database update -c ${{ inputs.db_context }} --project ${{ inputs.data_project_path }} --startup-project ${{ inputs.startup_project_path }}
 
     - name: Remove Azure Firewall Rule
       if: always()

.github/workflows/deploy-function.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-22.04
     environment: ${{ inputs.environment }}
     env:
-      KEYVAULT: ${{ vars.AZURE_RESOURCE_PREFIX }}-kv-fh-general
+      KEYVAULT: ${{ vars.AZURE_RESOURCE_PREFIX }}-kv-fh-admin
       APP_NAME: ${{ vars.AZURE_RESOURCE_PREFIX }}-${{ inputs.azure_app_name }}
       RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_PREFIX }}-familyhubs
     steps:
@@ -44,18 +44,16 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: App Settings Variable Substitution
-        id: substitution
-        uses: ./.github/actions/variable-substitution
-        with:
-          keyvault_name: ${{ env.KEYVAULT }}
-          keyvault_prefix: ${{ inputs.keyvault_prefix }}
-          files: "./out/appsettings.json"
-          configure: 'Functions'
+      - name: Fetch Publish Profile
+        id: fetch_profile
+        shell: pwsh
+        run: |-
+          $PublishProfile = az keyvault secret show --name ${{ inputs.keyvault_prefix }}-AZURE-WEBAPP-PUBLISH-PROFILE --vault-name ${{ env.KEYVAULT }} --query value --output tsv
+          Write-Output "publish_profile=$PublishProfile" >> $env:GITHUB_OUTPUT
 
       - name: Deploy Artifact to Azure
         uses: azure/functions-action@v1
         with:
           app-name: ${{ env.APP_NAME }}
-          publish-profile: ${{ steps.substitution.outputs.publish_profile }}
+          publish-profile: ${{ steps.fetch_profile.outputs.publish_profile }}
           package: ./out

.github/workflows/deploy-service.yml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-22.04
     environment: ${{ inputs.environment }}
     env:
-      KEYVAULT: ${{ vars.AZURE_RESOURCE_PREFIX }}-kv-fh-general
+      KEYVAULT: ${{ vars.AZURE_RESOURCE_PREFIX }}-kv-fh-admin
       APP_NAME: ${{ vars.AZURE_RESOURCE_PREFIX }}-${{ inputs.azure_app_name }}
       RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_PREFIX }}-familyhubs
       SQL_SERVER: ${{ vars.AZURE_RESOURCE_PREFIX }}-as-fh-sql-server
@@ -67,18 +67,6 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      # We replace two appsettings.json files for our deployments..
-      #   1. In the checked out repository, because the DB migration step reads the connection string from it
-      #   2. In the downloaded artifact, because this is deployed to Azure
-      - name: App Settings Variable Substitution
-        id: substitution
-        uses: ./.github/actions/variable-substitution
-        with:
-          keyvault_name: ${{ env.KEYVAULT }}
-          keyvault_prefix: ${{ inputs.keyvault_prefix }}
-          files: "${{ github.workspace }}/src/${{ inputs.project_type }}/${{ inputs.artifact_name }}/src/${{ inputs.project_name }}/appsettings.json, ./out/appsettings.json"
-          configure: 'Applications'
-
       - name: Apply Database Migration
         if: ${{ inputs.data_project_name != '' && inputs.database_context != ''}}
         uses: ./.github/actions/database-migration
@@ -89,10 +77,19 @@ jobs:
           azure_resource_group: ${{ env.RESOURCE_GROUP }}
           azure_sql_server_resource_name: ${{ env.SQL_SERVER }}
           az_firewall_rule_name: ${{ inputs.artifact_name }}
-
+          general_key_vault: ${{ env.KEYVAULT }}
+          keyvault_prefix: ${{ inputs.keyvault_prefix }}
+
+      - name: Fetch Publish Profile
+        id: fetch_profile
+        shell: pwsh
+        run: |-
+          $PublishProfile = az keyvault secret show --name ${{ inputs.keyvault_prefix }}-AZURE-WEBAPP-PUBLISH-PROFILE --vault-name ${{ env.KEYVAULT }} --query value --output tsv
+          Write-Output "publish_profile=$PublishProfile" >> $env:GITHUB_OUTPUT
+            
       - name: Deploy Artifact to Azure
         uses: azure/webapps-deploy@v3
         with:
           app-name: ${{ env.APP_NAME }}
-          publish-profile: ${{ steps.substitution.outputs.publish_profile }}
+          publish-profile: ${{ steps.fetch_profile.outputs.publish_profile }}
           package: ./out

.github/workflows/run-acceptance-tests.yml

@@ -32,6 +32,7 @@ jobs:
       RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_PREFIX }}-familyhubs
       API_APP_NAME: ${{ vars.AZURE_RESOURCE_PREFIX }}-${{ inputs.app_name }}
       APP_FIREWALL_NAME: acceptance-tests
+      PROJECT_PATH: ${{ github.workspace }}/src/${{ inputs.project_type }}/${{ inputs.project_name }}/acceptance-tests/${{ inputs.test_project_name }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -59,18 +60,12 @@ jobs:
         run: |-
           az webapp config access-restriction add -g ${{ env.RESOURCE_GROUP }} -n ${{ env.API_APP_NAME }} --rule-name ${{ env.APP_FIREWALL_NAME }} --action Allow --ip-address ${{ steps.runner-ip.outputs.ip_address }} --priority 50
 
-      - name: Test Settings Variable Substitution
-        id: substitution
-        uses: ./.github/actions/variable-substitution
-        with:
-          keyvault_name: ${{ env.KEYVAULT }}
-          keyvault_prefix: ${{ inputs.keyvault_prefix }}
-          files: '${{ github.workspace }}/src/${{ inputs.project_type }}/${{ inputs.project_name }}/acceptance-tests/${{ inputs.test_project_name }}/appsettings.json'
-          configure: 'Tests'
-
       - name: Run Acceptance Tests
-        shell: bash
-        run: dotnet test "${{ github.workspace }}/src/${{ inputs.project_type }}/${{ inputs.project_name }}/acceptance-tests/${{ inputs.test_project_name }}/${{ inputs.test_project_name }}.csproj" --logger "html;logfilename=testResults.html"
+        shell: pwsh
+        run: |-
+          dotnet user-secrets set "AppConfiguration:KeyVaultIdentifier" "${{ inputs.general_key_vault }}" --project ${{ env.PROJECT_PATH }}
+          dotnet user-secrets set "AppConfiguration:KeyVaultPrefix" "${{ inputs.keyvault_prefix }}" --project ${{ env.PROJECT_PATH }}
+          dotnet test "${{ env.PROJECT_PATH }}/${{ inputs.test_project_name }}.csproj" --logger "html;logfilename=testResults.html"
         
       - name: Remove IP Address from App Firewall
         if: always()

terraform/modules/fhinfrastructurestack/fh-report-api-app.tf

@@ -7,6 +7,8 @@ resource "azurerm_windows_web_app" "fh_report_api" {
     XDT_MicrosoftApplicationInsights_Mode       = "Recommended"
     ASPNETCORE_ENVIRONMENT                      = "${var.asp_netcore_environment}"
     WEBSITE_RUN_FROM_PACKAGE                    = "1"
+    "AppConfiguration:KeyVaultIdentifier"       = "${var.prefix}-kv-fh-admin"
+    "AppConfiguration:KeyVaultPrefix"           = "REPORT_API"
   }
   name                                          = "${var.prefix}-as-fh-report-api"
   resource_group_name                           = local.resource_group_name