From cd8107d0a36513a33dc75a42943f8a3ae44e60d8 Mon Sep 17 00:00:00 2001
From: Andreas Isnes <andreas.isnes@gmail.com>
Date: Tue, 8 Oct 2024 14:39:06 +0200
Subject: [PATCH] add initial deploy for bootstrap api

---
 infra/deploy/auth/variables.tf                |  8 ++++
 infra/modules/application_gateway/main.tf     |  2 +-
 infra/modules/container_app_api/main.tf       | 39 ++++++++-----------
 infra/modules/container_app_api/variables.tf  | 25 +++++++++++-
 .../Altinn.Authorization.DeployApi/Dockerfile | 12 ++++++
 .../deploy/at21.tfvars                        |  2 +
 .../deploy/at22.tfvars                        |  2 +
 .../deploy/at23.tfvars                        |  2 +
 .../deploy/at24.tfvars                        |  2 +
 .../deploy/main.tf                            | 37 ++++++++++++++++++
 .../deploy/prod.tfvars                        |  2 +
 .../deploy/tt02.tfvars                        |  2 +
 .../deploy/variables.tf                       | 28 +++++++++++++
 .../metadata.json                             |  3 ++
 .../Altinn.Authorization.DeployApi/Program.cs |  2 +-
 15 files changed, 142 insertions(+), 26 deletions(-)
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/Dockerfile
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
 create mode 100644 src/apps/Altinn.Authorization.DeployApi/metadata.json

diff --git a/infra/deploy/auth/variables.tf b/infra/deploy/auth/variables.tf
index c33d36d9..3888d585 100644
--- a/infra/deploy/auth/variables.tf
+++ b/infra/deploy/auth/variables.tf
@@ -95,12 +95,20 @@ variable "services" {
     {
       domain   = "api" # Must be present
       path     = "accesspackages"
+      domain   = "api"
+      path     = "/accesspackages"
       hostname = "accesspackages"
     },
     {
       domain   = "frontend" # Must be present
+      domain   = "frontend"
       path     = "/"
       hostname = "index"
+    },
+    {
+      domain   = "api"
+      path     = "/bootstrapper"
+      hostname = "bootstrapper"
     }
   ]
 
diff --git a/infra/modules/application_gateway/main.tf b/infra/modules/application_gateway/main.tf
index 05150420..373605c0 100644
--- a/infra/modules/application_gateway/main.tf
+++ b/infra/modules/application_gateway/main.tf
@@ -155,7 +155,7 @@ resource "azurerm_application_gateway" "appgw" {
           name                       = "path_rule_container_app_${path_rule.value.domain}_${path_rule.value.hostname}"
           backend_address_pool_name  = "backend_address_pool_container_app_${path_rule.value.domain}_${path_rule.value.hostname}"
           backend_http_settings_name = "backend_http_settings_container_app_${path_rule.value.domain}_${path_rule.value.hostname}"
-          paths                      = path_rule.value.path == "/" ? ["/*"] : ["/${path_rule.value.path}/*", "/${path_rule.value.path}"]
+          paths                      = path_rule.value.path == "/" ? ["/*"] : ["${path_rule.value.path}/*", path_rule.value.path]
         }
 
         for_each = { for service in var.services : service.hostname => service if url_path_map.key == service.domain }
diff --git a/infra/modules/container_app_api/main.tf b/infra/modules/container_app_api/main.tf
index b153bfa8..256a202d 100644
--- a/infra/modules/container_app_api/main.tf
+++ b/infra/modules/container_app_api/main.tf
@@ -62,38 +62,29 @@ resource "azurerm_role_assignment" "rbac" {
   principal_id         = azurerm_user_assigned_identity.app.principal_id
   role_definition_name = each.value.role_definition_name
   scope                = each.value.scope
+
   for_each = { for arm in [
     {
       id                   = "service_bus_mass_transit"
       scope                = data.azurerm_servicebus_namespace.sb.id
       role_definition_name = "Azure Service Bus Mass Transit"
-      should_assign        = var.can_use_service_bus
+      should_assign        = var.can_use_auth_service_bus
     },
     {
       id                   = "app_configuration"
       scope                = data.azurerm_app_configuration.appconf.id
       role_definition_name = "App Configuration Data Reader"
-      should_assign        = true
+      should_assign        = var.can_use_auth_app_configuration
     },
     {
       id                   = "key_vault"
       scope                = data.azurerm_key_vault.kv.id
       role_definition_name = "Key Vault Secrets User"
-      should_assign        = true
+      should_assign        = var.can_use_auth_key_vault
     }
   ] : arm.id => arm if try(arm.should_assign, false) }
 }
 
-data "azurerm_postgresql_flexible_server" "server" {
-  name                = "psqlsrvaltinn${local.infrastructure_suffix}"
-  resource_group_name = local.infrastructure_resource_group_name
-}
-
-data "azurerm_user_assigned_identity" "postgres_admin" {
-  name                = "mipsqlsrvadmin${local.infrastructure_suffix}"
-  resource_group_name = local.infrastructure_resource_group_name
-}
-
 resource "azurerm_container_app" "app" {
   name = "ca${local.suffix}"
 
@@ -104,10 +95,10 @@ resource "azurerm_container_app" "app" {
 
   identity {
     type = "UserAssigned"
-    identity_ids = [
-      azurerm_user_assigned_identity.app.id,
-      data.azurerm_user_assigned_identity.postgres_admin.id
-    ]
+    identity_ids = concat(
+      var.user_assigned_identities,
+      [azurerm_user_assigned_identity.app.id],
+    )
   }
 
   ingress {
@@ -127,10 +118,6 @@ resource "azurerm_container_app" "app" {
     max_replicas = var.max_replicas
 
     container {
-      env {
-        name  = "EntraId__Identities__PostgresAdmin__ClientId"
-        value = data.azurerm_user_assigned_identity.postgres_admin.client_id
-      }
       env {
         name  = "EntraId__Identities__Service__ClientId"
         value = azurerm_user_assigned_identity.app.client_id
@@ -140,6 +127,15 @@ resource "azurerm_container_app" "app" {
         value = data.azurerm_app_configuration.appconf.endpoint
       }
 
+      dynamic "env" {
+        content {
+          name  = env.key
+          value = env.value
+        }
+
+        for_each = var.variables
+      }
+
       name  = var.name
       image = var.image
 
@@ -164,4 +160,3 @@ resource "azurerm_container_app_custom_domain" "domain" {
   certificate_binding_type = "Disabled"
   container_app_id         = azurerm_container_app.app.id
 }
-
diff --git a/infra/modules/container_app_api/variables.tf b/infra/modules/container_app_api/variables.tf
index b43d752d..d4f756f5 100644
--- a/infra/modules/container_app_api/variables.tf
+++ b/infra/modules/container_app_api/variables.tf
@@ -14,6 +14,17 @@ variable "location" {
   description = "Specifies the Azure region where the resources will be provisioned (e.g., 'norwayeast')."
 }
 
+variable "variables" {
+  type    = map(string)
+  default = {}
+}
+
+variable "user_assigned_identities" {
+  type        = list(string)
+  default     = []
+  description = "List of principal IDs"
+}
+
 variable "environment" {
   type = string
 }
@@ -31,9 +42,19 @@ variable "registry" {
   default = "ghcr.io"
 }
 
-variable "can_use_service_bus" {
+variable "can_use_auth_service_bus" {
+  type    = bool
+  default = false
+}
+
+variable "can_use_auth_key_vault" {
+  type    = bool
+  default = false
+}
+
+variable "can_use_auth_app_configuration" {
   type    = bool
-  default = true
+  default = false
 }
 
 variable "max_replicas" {
diff --git a/src/apps/Altinn.Authorization.DeployApi/Dockerfile b/src/apps/Altinn.Authorization.DeployApi/Dockerfile
new file mode 100644
index 00000000..3dfa71b4
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/Dockerfile
@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
+WORKDIR /app
+WORKDIR /src
+COPY src/ .
+WORKDIR /src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi
+RUN dotnet publish -c Release -o /app
+
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS final
+WORKDIR /app
+COPY --from=build /app .
+
+ENTRYPOINT ["dotnet", "Altinn.Authorization.DeployApi.dll"]
\ No newline at end of file
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
new file mode 100644
index 00000000..d5145c80
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
@@ -0,0 +1,2 @@
+environment = "at21"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
new file mode 100644
index 00000000..1e79c5af
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
@@ -0,0 +1,2 @@
+environment = "at22"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
new file mode 100644
index 00000000..11a96a9b
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
@@ -0,0 +1,2 @@
+environment = "at23"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
new file mode 100644
index 00000000..47e2cab0
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
@@ -0,0 +1,2 @@
+environment = "at24"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf b/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
new file mode 100644
index 00000000..c6cb89af
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
@@ -0,0 +1,37 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "4.1.0"
+    }
+  }
+
+  backend "azurerm" {
+    use_azuread_auth = true
+  }
+}
+provider "azurerm" {
+  use_oidc = true
+  features {}
+}
+
+locals {
+  infrastructure_suffix              = "${var.infrastructure_name}${var.instance}${var.environment}"
+  infrastructure_resource_group_name = "rg${local.infrastructure_suffix}"
+}
+
+data "azurerm_user_assigned_identity" "application_admin" {
+  name                = "miappadmin${local.infrastructure_suffix}"
+  resource_group_name = local.infrastructure_resource_group_name
+}
+
+module "app" {
+  source = "../../../../infra/modules/container_app_api"
+
+  user_assigned_identities = [data.azurerm_user_assigned_identity.application_admin.principal_id]
+
+  instance    = var.instance
+  environment = var.environment
+  name        = "bootstrapper"
+  image       = var.image
+}
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
new file mode 100644
index 00000000..720f7cd0
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
@@ -0,0 +1,2 @@
+environment = "prod"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
new file mode 100644
index 00000000..4de76f52
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
@@ -0,0 +1,2 @@
+environment = "tt02"
+instance    = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf b/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
new file mode 100644
index 00000000..88aa0a95
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
@@ -0,0 +1,28 @@
+variable "environment" {
+  type        = string
+  description = <<EOT
+Specifies the target environment where the infrastructure will be deployed. 
+It supports specific environment values, including 'at21', 'at22', 'at23', 'at24', 'at25', 'yt01', 'tt02', and 'prod'. 
+This variable is used to differentiate between various deployment environments, such as testing (at/yt), staging (tt02), or (prod).
+  EOT
+  validation {
+    condition     = contains(["at21", "at22", "at23", "at24", "at25", "yt01", "tt02", "prod"], var.environment)
+    error_message = "The environment must be one of the following: at21, at22, at23, at24, at25, yt01, tt02, prod."
+  }
+}
+
+variable "instance" {
+  type        = string
+  description = "A string to represent the specific instance of the deployment, used for resource naming. Used distinguishing between different deployments of the same infrastructure."
+  default     = "001"
+}
+
+variable "image" {
+  type        = string
+  description = "Image of the resource that should be deployed"
+}
+
+variable "infrastructure_name" {
+  type    = string
+  default = "auth"
+}
diff --git a/src/apps/Altinn.Authorization.DeployApi/metadata.json b/src/apps/Altinn.Authorization.DeployApi/metadata.json
new file mode 100644
index 00000000..d7e67936
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/metadata.json
@@ -0,0 +1,3 @@
+{
+    "image_name": "altinn-authorization-bootstrapper"
+}
\ No newline at end of file
diff --git a/src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi/Program.cs b/src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi/Program.cs
index c67413ff..6bcbf4c7 100644
--- a/src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi/Program.cs
+++ b/src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi/Program.cs
@@ -31,6 +31,6 @@
 
 var app = builder.Build();
 
-app.MapPost("/api/v1/database/bootstrap", (BootstrapDatabasePipeline pipeline, HttpContext context) => pipeline.Run(context));
+app.MapPost("bootstrapper/api/v1/databases", (BootstrapDatabasePipeline pipeline, HttpContext context) => pipeline.Run(context));
 
 app.Run();