Merge branch 'feat/automatic-release-notes' of https://github.com/Alt…

…inn/altinn-broker into feat/automatic-release-notes
Altinn · May 23, 2024 · 8e5e2ad · 8e5e2ad
2 parents 04e66f5 + 2d37853
commit 8e5e2ad
Show file tree

Hide file tree

Showing 28 changed files with 128 additions and 178 deletions.
diff --git a/.azure/applications/api/main.bicep b/.azure/applications/api/main.bicep
@@ -1,4 +1,4 @@
-targetScope = 'resourceGroup'
+targetScope = 'subscription'
 
 @minLength(3)
 param imageTag string
@@ -15,90 +15,81 @@ param maskinporten_environment string
 param sourceKeyVaultName string
 @secure()
 param keyVaultUrl string
-
-@secure()
-param client_id string
-
-@secure()
-param tenant_id string
 @secure()
 param namePrefix string
 
-var baseImageUrl = 'ghcr.io/altinn/altinn-broker'
+var image = 'ghcr.io/altinn/altinn-broker:${imageTag}'
 var containerAppName = '${namePrefix}-app'
 
-resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${namePrefix}-app-identity'
+var resourceGroupName = '${namePrefix}-rg'
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
+  name: resourceGroupName
   location: location
 }
 
+module appIdentity '../../modules/identity/create.bicep' = {
+  name: 'appIdentity'
+  scope: resourceGroup
+  params: {
+    namePrefix: namePrefix
+    location: location
+  }
+}
+
+module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
+  name: 'appDeployToAzureAccess'
+  params: {
+    userAssignedIdentityPrincipalId: appIdentity.outputs.principalId
+  }
+}
+
 module keyVaultReaderAccessPolicyUserIdentity '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'kvreader-${namePrefix}-app'
+  scope: resourceGroup
   params: {
     keyvaultName: sourceKeyVaultName
-    tenantId: userAssignedIdentity.properties.tenantId
-    principalIds: [userAssignedIdentity.properties.principalId]
+    tenantId: appIdentity.outputs.tenantId
+    principalIds: [appIdentity.outputs.principalId]
   }
 }
 
 module databaseAccess '../../modules/postgreSql/AddAdministrationAccess.bicep' = {
   name: 'databaseAccess'
+  scope: resourceGroup
   dependsOn: [
     keyVaultReaderAccessPolicyUserIdentity // Timing issue
   ]
   params: {
-    tenantId: userAssignedIdentity.properties.tenantId
-    principalId: userAssignedIdentity.properties.principalId
-    appName: userAssignedIdentity.name
+    tenantId: appIdentity.outputs.tenantId
+    principalId: appIdentity.outputs.principalId
+    appName: appIdentity.name
     namePrefix: namePrefix
   }
 }
 
 resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: sourceKeyVaultName
+  scope: resourceGroup
 }
 
 module containerApp '../../modules/containerApp/main.bicep' = {
   name: containerAppName
+  scope: resourceGroup
   dependsOn: [keyVaultReaderAccessPolicyUserIdentity, databaseAccess]
   params: {
     namePrefix: namePrefix
-    image: '${baseImageUrl}:${imageTag}'
+    image: image
     location: location
     environment: environment
-    client_id: client_id
-    tenant_id: tenant_id
     subscription_id: subscription().subscriptionId
-    principal_id: userAssignedIdentity.id
+    principal_id: appIdentity.outputs.id
     platform_base_url: platform_base_url
     keyVaultUrl: keyVaultUrl
     maskinporten_environment: maskinporten_environment
-    malwarescan_event_grid_topic_name: eventgrid_topic.name
-    userIdentityTenantId: userAssignedIdentity.properties.tenantId
-    userIdentityClientId: userAssignedIdentity.properties.clientId
-    userIdentityPrincipalId: userAssignedIdentity.properties.principalId
+    userIdentityClientId: appIdentity.outputs.clientId
     containerAppEnvId: keyvault.getSecret('container-app-env-id')
   }
 }
 
-resource eventgrid_topic 'Microsoft.EventGrid/topics@2022-06-15' = {
-  name: '${namePrefix}-malware-scan-event-topic'
-  location: location
-}
-
-resource eventgrid_event_subscription 'Microsoft.EventGrid/topics/eventSubscriptions@2022-06-15' = {
-  name: '${namePrefix}-malware-scan-event-subscription'
-  parent: eventgrid_topic
-  dependsOn: [containerApp]
-  properties: {
-    destination: {
-      endpointType: 'WebHook'
-      properties: {
-        endpointUrl: 'https://${containerApp.outputs.app.properties.configuration.ingress.fqdn}/broker/api/v1/webhooks/malwarescanresults'
-      }
-    }
-  }
-}
-
 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName
diff --git a/.azure/applications/api/params.bicepparam b/.azure/applications/api/params.bicepparam
@@ -3,11 +3,9 @@ using './main.bicep'
 param namePrefix = readEnvironmentVariable('NAME_PREFIX')
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
-param platform_base_url = 'https://platform.tt02.altinn.no/'
+param platform_base_url = readEnvironmentVariable('PLATFORM_BASE_URL')
 param maskinporten_environment = 'ver2'
 param environment = readEnvironmentVariable('ENVIRONMENT')
 // secrets
 param sourceKeyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
 param keyVaultUrl = readEnvironmentVariable('KEY_VAULT_URL')
-param client_id = readEnvironmentVariable('CLIENT_ID')
-param tenant_id = readEnvironmentVariable('TENANT_ID')
diff --git a/.azure/applications/migration/main.bicep b/.azure/applications/migration/main.bicep
@@ -70,11 +70,11 @@ var volumeMounts = [
   }
 ]
 
-resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
   name: containerAppEnvName
 }
 
-module containerAppJob '../../modules/containerAppJob/main.bicep' = {
+module containerAppJob '../../modules/migrationJob/main.bicep' = {
   name: containerAppJobName
   dependsOn: [
     addKeyvaultRead

diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
@@ -8,11 +8,7 @@ param sourceKeyVaultName string
 @secure()
 param tenantId string
 @secure()
-param azureClientId string
-@secure()
 param test_client_id string
-@secure()
-param deploySecret string
 param environment string
 @secure()
 param namePrefix string
@@ -37,18 +33,6 @@ param postgresSku PostgresSku
 var resourceGroupName = '${namePrefix}-rg'
 
 var secrets = [
-  {
-    name: 'deploy-id'
-    value: azureClientId
-  }
-  {
-    name: 'deploy-secret'
-    value: deploySecret
-  }
-  {
-    name: 'deploy-tenant-id'
-    value: tenantId
-  }
   {
     name: 'maskinporten-client-id'
     value: maskinportenClientId
@@ -64,7 +48,7 @@ var secrets = [
 ]
 
 // Create resource groups
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = {
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
   name: '${namePrefix}-rg'
   location: location
 }
@@ -78,7 +62,6 @@ module environmentKeyVault '../modules/keyvault/create.bicep' = {
     sku: keyVaultSku
     tenant_id: tenantId
     environment: environment
-    azureClientId: azureClientId
     test_client_id: test_client_id
   }
 }

diff --git a/.azure/infrastructure/params.bicepparam b/.azure/infrastructure/params.bicepparam
@@ -7,11 +7,9 @@ param environment = readEnvironmentVariable('ENVIRONMENT')
 // secrets
 param brokerPgAdminPassword = readEnvironmentVariable('BROKER_PG_ADMIN_PASSWORD')
 param tenantId = readEnvironmentVariable('TENANT_ID')
-param azureClientId = readEnvironmentVariable('CLIENT_ID')
 param test_client_id = readEnvironmentVariable('TEST_CLIENT_ID')
 param sourceKeyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
 param migrationsStorageAccountName = readEnvironmentVariable('MIGRATION_STORAGE_ACCOUNT_NAME')
-param deploySecret = readEnvironmentVariable('CLIENT_SECRET')
 param maskinportenJwk = readEnvironmentVariable('MASKINPORTEN_JWK')
 param maskinportenClientId = readEnvironmentVariable('MASKINPORTEN_CLIENT_ID')
 param platformSubscriptionKey = readEnvironmentVariable('PLATFORM_SUBSCRIPTION_KEY')

diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
@@ -9,22 +9,12 @@ param maskinporten_environment string
 @secure()
 param subscription_id string
 @secure()
-param client_id string
-@secure()
-param tenant_id string
-@secure()
 param principal_id string
 @secure()
 param keyVaultUrl string
 @secure()
-param malwarescan_event_grid_topic_name string
-@secure()
-param userIdentityTenantId string
-@secure()
 param userIdentityClientId string
 @secure()
-param userIdentityPrincipalId string
-@secure()
 param containerAppEnvId string
 
 var probes = [
@@ -44,11 +34,8 @@ var containerAppEnvVars = [
   { name: 'AzureResourceManagerOptions__SubscriptionId', value: subscription_id }
   { name: 'AzureResourceManagerOptions__Location', value: 'norwayeast' }
   { name: 'AzureResourceManagerOptions__Environment', value: environment }
-  { name: 'AzureResourceManagerOptions__ClientId', value: client_id }
-  { name: 'AzureResourceManagerOptions__TenantId', value: tenant_id }
-  { name: 'AzureResourceManagerOptions__ClientSecret', secretRef: 'deploy-client-secret' }
   { name: 'AzureResourceManagerOptions__ApplicationResourceGroupName', value: '${namePrefix}-rg' }
-  { name: 'AzureResourceManagerOptions__MalwareScanEventGridTopicName', value: malwarescan_event_grid_topic_name }
+  { name: 'AzureResourceManagerOptions__MalwareScanEventGridTopicName', value: eventgrid_topic.name }
   { name: 'AZURE_CLIENT_ID', value: userIdentityClientId }
   {
     name: 'AltinnOptions__OpenIdWellKnown'
@@ -64,7 +51,7 @@ var containerAppEnvVars = [
   }
   { name: 'MaskinportenSettings__EncodedJwk', secretRef: 'maskinporten-jwk' }
 ]
-resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
+resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: '${namePrefix}-app'
   location: location
   identity: {
@@ -81,11 +68,6 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
         transport: 'Auto'
       }
       secrets: [
-        {
-          identity: principal_id
-          keyVaultUrl: '${keyVaultUrl}/secrets/deploy-secret'
-          name: 'deploy-client-secret'
-        }
         {
           identity: principal_id
           keyVaultUrl: '${keyVaultUrl}/secrets/platform-subscription-key'
@@ -168,6 +150,25 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
   }
 }
 
+resource eventgrid_topic 'Microsoft.EventGrid/topics@2022-06-15' = {
+  name: '${namePrefix}-malware-scan-event-topic'
+  location: location
+}
+
+resource eventgrid_event_subscription 'Microsoft.EventGrid/topics/eventSubscriptions@2022-06-15' = {
+  name: '${namePrefix}-malware-scan-event-subscription'
+  parent: eventgrid_topic
+  properties: {
+    destination: {
+      endpointType: 'WebHook'
+      properties: {
+        endpointUrl: 'https://${containerApp.properties.configuration.ingress.fqdn}/broker/api/v1/webhooks/malwarescanresults'
+      }
+    }
+  }
+}
+
 output name string = containerApp.name
 output revisionName string = containerApp.properties.latestRevisionName
 output app object = containerApp
+output eventGridTopicName string = eventgrid_topic.name
diff --git a/.azure/modules/containerAppEnvironment/main.bicep b/.azure/modules/containerAppEnvironment/main.bicep
@@ -27,7 +27,7 @@ resource application_insights 'Microsoft.Insights/components@2020-02-02' = {
     WorkspaceResourceId: log_analytics_workspace.id
   }
 }
-resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2023-11-02-preview' = {
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' = {
   name: '${namePrefix}-env'
   location: location
   properties: {
@@ -57,7 +57,7 @@ resource application_insights_action 'Microsoft.Insights/actionGroups@2023-01-01
       ]
     }
   }
-resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-03-15-preview' =
+resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-12-01' =
   if (emailReceiver != null && emailReceiver != '') {
     name: '${namePrefix}-500-exception-occured'
     location: location
@@ -94,11 +94,11 @@ resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-
     }
   }
 
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {
   name: migrationsStorageAccountName
 }
 
-resource containerAppEnvironmentStorage 'Microsoft.App/managedEnvironments/storages@2023-11-02-preview' = {
+resource containerAppEnvironmentStorage 'Microsoft.App/managedEnvironments/storages@2024-03-01' = {
   name: 'migrations'
   parent: containerAppEnvironment
   properties: {

diff --git a/.azure/modules/identity/addContributorAccess.bicep b/.azure/modules/identity/addContributorAccess.bicep
@@ -0,0 +1,13 @@
+targetScope = 'subscription'
+
+param userAssignedIdentityPrincipalId string
+
+var roleDefinitionResourceId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, userAssignedIdentityPrincipalId, roleDefinitionResourceId)
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionResourceId)
+    principalId: userAssignedIdentityPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}
diff --git a/.azure/modules/identity/create.bicep b/.azure/modules/identity/create.bicep
@@ -0,0 +1,13 @@
+@secure()
+param namePrefix string
+param location string
+
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-app-identity'
+  location: location
+}
+output id string = userAssignedIdentity.id
+output clientId string = userAssignedIdentity.properties.clientId
+output principalId string = userAssignedIdentity.properties.principalId
+output tenantId string = userAssignedIdentity.properties.tenantId