Merge pull request azure-javaee#3 from rujche/rujche/java-analyzer

Use managed-identity instead of username and password
haoozhang · Sep 29, 2024 · 85ec20b · 85ec20b
2 parents 103a005 + 708681a
commit 85ec20b
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 44 deletions.
diff --git a/cli/azd/resources/scaffold/templates/db-mysql.bicept b/cli/azd/resources/scaffold/templates/db-mysql.bicept
@@ -4,6 +4,7 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param keyVaultName string
+param identityName string
 
 param databaseUser string = 'mysqladmin'
 param databaseName string = '{{.DatabaseName}}'
@@ -12,14 +13,25 @@ param databasePassword string
 
 param allowAllIPsFirewall bool = false
 
-resource mysqlServer'Microsoft.DBforMySQL/flexibleServers@2023-06-30' = {
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: identityName
+  location: location
+}
+
+resource mysqlServer 'Microsoft.DBforMySQL/flexibleServers@2023-06-30' = {
   location: location
   tags: tags
   name: serverName
   sku: {
     name: 'Standard_B1ms'
     tier: 'Burstable'
   }
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${userAssignedIdentity.id}': {}
+    }
+  }
   properties: {
     version: '8.0.21'
     administratorLogin: databaseUser
@@ -67,8 +79,6 @@ resource dbPasswordKey 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
   }
 }
 
-output databaseHost string = mysqlServer.properties.fullyQualifiedDomainName
-output databaseName string = databaseName
-output databaseUser string = databaseUser
-output databaseConnectionKey string = 'databasePassword'
+output databaseId string = database.id
+output identityName string = userAssignedIdentity.name
 {{ end}}
diff --git a/cli/azd/resources/scaffold/templates/host-containerapp.bicept b/cli/azd/resources/scaffold/templates/host-containerapp.bicept
@@ -19,11 +19,8 @@ param postgresDatabaseName string
 param postgresDatabasePassword string
 {{- end}}
 {{- if .DbMySql}}
-param mysqlDatabaseHost string
-param mysqlDatabaseUser string
-param mysqlDatabaseName string
-@secure()
-param mysqlDatabasePassword string
+param mysqlDatabaseId string
+param mysqlIdentityName string
 {{- end}}
 {{- if .DbRedis}}
 param redisName string
@@ -153,12 +150,6 @@ resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
           value: postgresDatabasePassword
         }
         {{- end}}
-        {{- if .DbMySql}}
-        {
-          name: 'mysql-db-pass'
-          value: mysqlDatabasePassword
-        }
-        {{- end}}
       ],
       map(secrets, secret => {
         name: secret.secretRef
@@ -203,28 +194,6 @@ resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
               value: '5432'
             }
             {{- end}}
-            {{- if .DbMySql}}
-            {
-              name: 'MYSQL_HOST'
-              value: mysqlDatabaseHost
-            }
-            {
-              name: 'MYSQL_USERNAME'
-              value: mysqlDatabaseUser
-            }
-            {
-              name: 'MYSQL_DATABASE'
-              value: mysqlDatabaseName
-            }
-            {
-              name: 'MYSQL_PASSWORD'
-              secretRef: 'mysql-db-pass'
-            }
-            {
-              name: 'MYSQL_PORT'
-              value: '3306'
-            }
-            {{- end}}
             {{- if .Frontend}}
             {{- range $i, $e := .Frontend.Backends}}
             {
@@ -266,6 +235,44 @@ resource app 'Microsoft.App/containerApps@2023-05-02-preview' = {
     }
   }
 }
+{{- if .DbMySql}}
+
+resource linkerCreatorIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: 'linkerCreatorIdentity'
+  location: location
+}
+
+resource linkerCreatorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: resourceGroup()
+  name: guid(subscription().id, resourceGroup().id, linkerCreatorIdentity.id, 'linkerCreatorRole')
+  properties: {
+    roleDefinitionId:  subscriptionResourceId(
+      'Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+    principalType: 'ServicePrincipal'
+    principalId: linkerCreatorIdentity.properties.principalId
+  }
+}
+
+resource appLinkToMySql 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  dependsOn: [ linkerCreatorRole ]
+  name: 'appLinkToMySql'
+  location: location
+  kind: 'AzureCLI'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${linkerCreatorIdentity.id}': {}
+    }
+  }
+  properties: {
+    azCliVersion: '2.63.0'
+    timeout: 'PT10M'
+    scriptContent: 'apk update; apk add g++; apk add unixodbc-dev; az extension add --name containerapp; az extension add --name serviceconnector-passwordless --upgrade; az containerapp connection create mysql-flexible --connection appLinkToMySql --source-id ${app.id} --target-id ${mysqlDatabaseId} --client-type springBoot --user-identity client-id=${identity.properties.clientId} subs-id=${subscription().subscriptionId} user-object-id=${linkerCreatorIdentity.properties.principalId} mysql-identity-id=${mysqlIdentityName} -c main --yes; az tag create --resource-id ${app.id} --tags azd-service-name={{.Name}} '
+    cleanupPreference: 'OnSuccess'
+    retentionInterval: 'P1D'
+  }
+}
+{{- end}}
 
 output defaultDomain string = containerAppsEnvironment.properties.defaultDomain
 output name string = app.name

diff --git a/cli/azd/resources/scaffold/templates/main.bicept b/cli/azd/resources/scaffold/templates/main.bicept
@@ -111,8 +111,8 @@ module cosmosDb './app/db-cosmos-mongo.bicep' = {
   scope: rg
 }
 {{- end}}
-
 {{- if .DbPostgres}}
+
 module postgresDb './app/db-postgres.bicep' = {
   name: 'postgresDb'
   params: {
@@ -126,20 +126,22 @@ module postgresDb './app/db-postgres.bicep' = {
   scope: rg
 }
 {{- end}}
-
 {{- if .DbMySql}}
+
 module mysqlDb './app/db-mysql.bicep' = {
   name: 'mysqlDb'
   params: {
     serverName: '${abbrs.dBforMySQLServers}${resourceToken}'
     location: location
     tags: tags
+    identityName: '${abbrs.managedIdentityUserAssignedIdentities}mysql-${resourceToken}'
     databasePassword: databasePassword
     keyVaultName: keyVault.outputs.name
     allowAllIPsFirewall: true
   }
   scope: rg
 }
+
 {{- end}}
 
 {{- range .Services}}
@@ -168,10 +170,8 @@ module {{bicepName .Name}} './app/{{.Name}}.bicep' = {
     postgresDatabasePassword: vault.getSecret(postgresDb.outputs.databaseConnectionKey)
     {{- end}}
     {{- if .DbMySql}}
-    mysqlDatabaseName: mysqlDb.outputs.databaseName
-    mysqlDatabaseHost: mysqlDb.outputs.databaseHost
-    mysqlDatabaseUser: mysqlDb.outputs.databaseUser
-    mysqlDatabasePassword: vault.getSecret(mysqlDb.outputs.databaseConnectionKey)
+    mysqlDatabaseId: mysqlDb.outputs.databaseId
+    mysqlIdentityName: mysqlDb.outputs.identityName
     {{- end}}
     {{- if (and .Frontend .Frontend.Backends)}}
     apiUrls: [