move IaC to broker repo (#403)

* move IaC to broker repo * remove example files * Fix bug * Container app job name can be max 32 characters long * Also can get too long * Remove dead code * Consistent file name * Fix migration bicep * Fixes after testing * Shorter name * Need to expose name from bicep for use in pipeline * Use environment for azure cli * Use app version env variable to find container job instead of name * Fix * Select first in array * Fix * There seems to be a delay after Postgres password has been updated during a bicep deployment before said password can be used. Therefore uses existing broker password if possible. * Fix * Failed to use keyvault in same deployment that creates it * Generate password without characters that become troublesome in an url. Easier to change generation than do html encode/decode in bicep * We do not use source keys because we use Github secrets as our configuration source * Added logic for initial deploy * This works * Required parameter is required * Fixed pwd generator to not use chars not supported by postgres (and also compatible with jdbc url) * activate action on push to main * merge --------- Co-authored-by: Hammerbeck <[email protected]> Co-authored-by: Roar Mjelde <[email protected]> Co-authored-by: Roar Mjelde <[email protected]>
Altinn · Apr 29, 2024 · e9a0cf0 · e9a0cf0
1 parent e454460
commit e9a0cf0
Show file tree

Hide file tree

Showing 40 changed files with 2,037 additions and 54 deletions.
diff --git a/.azure/applications/api/main.bicep b/.azure/applications/api/main.bicep
@@ -0,0 +1,104 @@
+targetScope = 'resourceGroup'
+
+@minLength(3)
+param imageTag string
+@minLength(3)
+param environment string
+@minLength(3)
+param location string
+@minLength(3)
+param platform_base_url string
+@minLength(3)
+param maskinporten_environment string
+@secure()
+@minLength(3)
+param sourceKeyVaultName string
+@secure()
+param keyVaultUrl string
+
+@secure()
+param client_id string
+
+@secure()
+param tenant_id string
+@secure()
+param namePrefix string
+
+var baseImageUrl = 'ghcr.io/altinn/altinn-broker'
+var containerAppName = '${namePrefix}-app'
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-app-identity'
+  location: location
+}
+
+module keyVaultReaderAccessPolicyUserIdentity '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'kvreader-${namePrefix}-app'
+  params: {
+    keyvaultName: sourceKeyVaultName
+    tenantId: userAssignedIdentity.properties.tenantId
+    principalIds: [userAssignedIdentity.properties.principalId]
+  }
+}
+
+module databaseAccess '../../modules/postgreSql/AddAdministrationAccess.bicep' = {
+  name: 'databaseAccess'
+  dependsOn: [
+    keyVaultReaderAccessPolicyUserIdentity // Timing issue
+  ]
+  params: {
+    tenantId: userAssignedIdentity.properties.tenantId
+    principalId: userAssignedIdentity.properties.principalId
+    appName: userAssignedIdentity.name
+    namePrefix: namePrefix
+  }
+}
+
+resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: sourceKeyVaultName
+}
+
+module containerApp '../../modules/containerApp/main.bicep' = {
+  name: containerAppName
+  dependsOn: [keyVaultReaderAccessPolicyUserIdentity, databaseAccess]
+  params: {
+    namePrefix: namePrefix
+    image: '${baseImageUrl}:${imageTag}'
+    location: location
+    environment: environment
+    client_id: client_id
+    tenant_id: tenant_id
+    subscription_id: subscription().subscriptionId
+    principal_id: userAssignedIdentity.id
+    platform_base_url: platform_base_url
+    keyVaultUrl: keyVaultUrl
+    maskinporten_environment: maskinporten_environment
+    malwarescan_event_grid_topic_name: eventgrid_topic.name
+    userIdentityTenantId: userAssignedIdentity.properties.tenantId
+    userIdentityClientId: userAssignedIdentity.properties.clientId
+    userIdentityPrincipalId: userAssignedIdentity.properties.principalId
+    containerAppEnvId: keyvault.getSecret('container-app-env-id')
+  }
+}
+
+resource eventgrid_topic 'Microsoft.EventGrid/topics@2022-06-15' = {
+  name: '${namePrefix}-malware-scan-event-topic'
+  location: location
+}
+
+resource eventgrid_event_subscription 'Microsoft.EventGrid/topics/eventSubscriptions@2022-06-15' = {
+  name: '${namePrefix}-malware-scan-event-subscription'
+  parent: eventgrid_topic
+  dependsOn: [containerApp]
+  properties: {
+    destination: {
+      endpointType: 'WebHook'
+      properties: {
+        endpointUrl: 'https://${containerApp.outputs.app.properties.configuration.ingress.fqdn}/broker/api/v1/webhooks/malwarescanresults'
+      }
+    }
+  }
+}
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName
diff --git a/.azure/applications/api/params.bicepparam b/.azure/applications/api/params.bicepparam
@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param namePrefix = readEnvironmentVariable('NAME_PREFIX')
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param platform_base_url = 'https://platform.tt02.altinn.no/'
+param maskinporten_environment = 'ver2'
+param environment = readEnvironmentVariable('ENVIRONMENT')
+// secrets
+param sourceKeyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
+param keyVaultUrl = readEnvironmentVariable('KEY_VAULT_URL')
+param client_id = readEnvironmentVariable('CLIENT_ID')
+param tenant_id = readEnvironmentVariable('TENANT_ID')
diff --git a/.azure/applications/migration/main.bicep b/.azure/applications/migration/main.bicep
@@ -0,0 +1,96 @@
+param namePrefix string
+param location string
+param appVersion string
+
+@secure()
+param keyVaultUrl string
+
+@secure()
+param keyVaultName string
+
+var containerAppJobName = '${namePrefix}-migration'
+var containerAppEnvName = '${namePrefix}-env'
+var migrationConnectionStringName = 'broker-migration-connection-string'
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-migration-identity'
+  location: location
+}
+
+module addKeyvaultRead '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'kvreader-${namePrefix}-migration'
+  params: {
+    keyvaultName: keyVaultName
+    tenantId: userAssignedIdentity.properties.tenantId
+    principalIds: [userAssignedIdentity.properties.principalId]
+  }
+}
+
+var secrets = [
+  {
+    name: migrationConnectionStringName
+    keyVaultUrl: '${keyVaultUrl}/secrets/${migrationConnectionStringName}'
+    identity: userAssignedIdentity.id
+  }
+]
+
+var containerAppEnvVars = [
+  {
+    name: 'FLYWAY_URL'
+    secretRef: migrationConnectionStringName
+  }
+  {
+    name: 'FLYWAY_CONNECT_RETRIES'
+    value: '3'
+  }
+  {
+    name: 'FLYWAY_VALIDATE_MIGRATION_NAMING'
+    value: 'true'
+  }
+  {
+    name: 'APP_VERSION'
+    value: appVersion
+  }
+]
+
+var volumes = [
+  {
+    name: 'migrations'
+    storageName: 'migrations'
+    storageType: 'AzureFile'
+    mountOptions: 'cache=none'
+  }
+]
+
+var volumeMounts = [
+  {
+    volumeName: 'migrations'
+    mountPath: '/flyway/sql'
+    subPath: ''
+  }
+]
+
+resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
+  name: containerAppEnvName
+}
+
+module containerAppJob '../../modules/containerAppJob/main.bicep' = {
+  name: containerAppJobName
+  dependsOn: [
+    addKeyvaultRead
+  ]
+  params: {
+    name: containerAppJobName
+    location: location
+    containerAppEnvId: containerAppEnv.id
+    environmentVariables: containerAppEnvVars
+    secrets: secrets
+    command: ['/bin/bash', '-c', 'flyway migrate;']
+    image: 'flyway/flyway:latest'
+    volumes: volumes
+    volumeMounts: volumeMounts
+    principalId: userAssignedIdentity.id
+  }
+}
+
+output name string = containerAppJob.name
diff --git a/.azure/applications/migration/params.bicepparam b/.azure/applications/migration/params.bicepparam
@@ -0,0 +1,7 @@
+using './main.bicep'
+
+param location = 'norwayeast'
+param keyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
+param keyVaultUrl = readEnvironmentVariable('KEY_VAULT_URL')
+param namePrefix = readEnvironmentVariable('NAME_PREFIX')
+param appVersion = readEnvironmentVariable('APP_VERSION')
diff --git a/.azure/bicepconfig.json b/.azure/bicepconfig.json
@@ -0,0 +1,32 @@
+{
+    // See https://aka.ms/bicep/config for more information on Bicep configuration options
+    // Press CTRL+SPACE/CMD+SPACE at any location to see Intellisense suggestions
+    "analyzers": {
+        "core": {
+            "rules": {
+                "no-unused-params": {
+                    "level": "warning"
+                },
+                "no-unused-vars": {
+                    "level": "warning"
+                },
+                "no-hardcoded-env-urls": {
+                    "level": "warning"
+                },
+                "secure-secrets-in-params": {
+                    "level": "warning"
+                },
+                "no-unnecessary-dependson": {
+                    "level": "warning"
+                },
+                "outputs-should-not-contain-secrets": {
+                    "level": "warning"
+                }
+            }
+        }
+    },
+    "experimentalFeaturesEnabled": {
+        "compileTimeImports": true,
+        "userDefinedFunctions": false
+    }
+}