From cd8107d0a36513a33dc75a42943f8a3ae44e60d8 Mon Sep 17 00:00:00 2001
From: Andreas Isnes
Date: Tue, 8 Oct 2024 14:39:06 +0200
Subject: [PATCH 1/2] add initial deploy for bootstrap api
---
infra/deploy/auth/variables.tf | 8 ++++
infra/modules/application_gateway/main.tf | 2 +-
infra/modules/container_app_api/main.tf | 39 ++++++++++-----
infra/modules/container_app_api/variables.tf | 25 +++++++++++-
.../Altinn.Authorization.DeployApi/Dockerfile | 12 ++++++
.../deploy/at21.tfvars | 2 +
.../deploy/at22.tfvars | 2 +
.../deploy/at23.tfvars | 2 +
.../deploy/at24.tfvars | 2 +
.../deploy/main.tf | 37 ++++++++++++++++
.../deploy/prod.tfvars | 2 +
.../deploy/tt02.tfvars | 2 +
.../deploy/variables.tf | 28 +++++++++++++
.../metadata.json | 3 ++
.../Altinn.Authorization.DeployApi/Program.cs | 2 +-
15 files changed, 142 insertions(+), 26 deletions(-)
create mode 100644 src/apps/Altinn.Authorization.DeployApi/Dockerfile
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
create mode 100644 src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
create mode 100644 src/apps/Altinn.Authorization.DeployApi/metadata.json
diff --git a/infra/deploy/auth/variables.tf b/infra/deploy/auth/variables.tf
index c33d36d9..3888d585 100644
--- a/infra/deploy/auth/variables.tf
+++ b/infra/deploy/auth/variables.tf
@@ -95,12 +95,20 @@ variable "services" { { domain = "api" # Must be present path = "accesspackages" + domain = "api" + path = "/accesspackages" hostname = "accesspackages" }, { domain = "frontend" # Must be present + domain = "frontend" path = "/" hostname = "index" + }, + { + domain = "api" + path = "/bootstrapper" + hostname = "bootstrapper" } ] diff --git a/infra/modules/application_gateway/main.tf b/infra/modules/application_gateway/main.tf index 05150420..373605c0 100644 --- a/infra/modules/application_gateway/main.tf +++ b/infra/modules/application_gateway/main.tf @@ -155,7 +155,7 @@ resource "azurerm_application_gateway" "appgw" { name = "path_rule_container_app_${path_rule.value.domain}_${path_rule.value.hostname}" backend_address_pool_name = "backend_address_pool_container_app_${path_rule.value.domain}_${path_rule.value.hostname}" backend_http_settings_name = "backend_http_settings_container_app_${path_rule.value.domain}_${path_rule.value.hostname}" - paths = path_rule.value.path == "/" ? ["/*"] : ["/${path_rule.value.path}/*", "/${path_rule.value.path}"] + paths = path_rule.value.path == "/" ? ["/*"] : ["${path_rule.value.path}/*", path_rule.value.path] } for_each = { for service in var.services : service.hostname => service if url_path_map.key == service.domain } diff --git a/infra/modules/container_app_api/main.tf b/infra/modules/container_app_api/main.tf index b153bfa8..256a202d 100644 --- a/infra/modules/container_app_api/main.tf +++ b/infra/modules/container_app_api/main.tf 
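Review bot: The new path rule `["${path_rule.value.path}/*", path_rule.value.path]` now relies on every `services` entry carrying a leading slash, which the infra/deploy/auth/variables.tf hunk adds for `/accesspackages` and `/bootstrapper` but nothing enforces; an entry such as `path = "accesspackages"` would produce the pattern `accesspackages/*`, which Application Gateway rejects because path-map patterns must start with `/`. I would add a `validation` block to `variable "services"` in infra/deploy/auth/variables.tf so the mistake surfaces at plan time instead of at apply. `startswith` needs Terraform 1.3 or later; on older versions `can(regex("^/", s.path))` expresses the same check. The `variable "services"` block's type and default lie outside the hunk.
```hcl
variable "services" {
  # … unchanged: type and default …

  validation {
    condition     = alltrue([for s in var.services : startswith(s.path, "/")])
    error_message = "Every services[*].path must start with '/'; the application gateway module uses it verbatim in its path rules."
  }
}
```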
@@ -62,38 +62,29 @@ resource "azurerm_role_assignment" "rbac" { principal_id = azurerm_user_assigned_identity.app.principal_id role_definition_name = each.value.role_definition_name scope = each.value.scope + for_each = { for arm in [ { id = "service_bus_mass_transit" scope = data.azurerm_servicebus_namespace.sb.id role_definition_name = "Azure Service Bus Mass Transit" - should_assign = var.can_use_service_bus + should_assign = var.can_use_auth_service_bus }, { id = "app_configuration" scope = data.azurerm_app_configuration.appconf.id role_definition_name = "App Configuration Data Reader" - should_assign = true + should_assign = var.can_use_auth_app_configuration }, { id = "key_vault" scope = data.azurerm_key_vault.kv.id role_definition_name = "Key Vault Secrets User" - should_assign = true + should_assign = var.can_use_auth_key_vault } ] : arm.id => arm if try(arm.should_assign, false) } } -data "azurerm_postgresql_flexible_server" "server" { - name = "psqlsrvaltinn${local.infrastructure_suffix}" - resource_group_name = local.infrastructure_resource_group_name -} - -data "azurerm_user_assigned_identity" "postgres_admin" { - name = "mipsqlsrvadmin${local.infrastructure_suffix}" - resource_group_name = local.infrastructure_resource_group_name -} - resource "azurerm_container_app" "app" { name = "ca${local.suffix}" @@ -104,10 +95,10 @@ resource "azurerm_container_app" "app" { identity { type = "UserAssigned" - identity_ids = [ - azurerm_user_assigned_identity.app.id, - data.azurerm_user_assigned_identity.postgres_admin.id - ] + identity_ids = concat( + var.user_assigned_identities, + [azurerm_user_assigned_identity.app.id], + ) } ingress { 
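Review bot: `identity_ids = concat(var.user_assigned_identities, [azurerm_user_assigned_identity.app.id])` expects Azure resource IDs of user-assigned identities (the removed code passed `data.azurerm_user_assigned_identity.postgres_admin.id`), but the new caller in src/apps/Altinn.Authorization.DeployApi/deploy/main.tf passes `data.azurerm_user_assigned_identity.application_admin.principal_id`, a GUID, and the variable in infra/modules/container_app_api/variables.tf is documented as "List of principal IDs". Apply would be expected to fail on the malformed identity id, and if the provider were to accept it the bootstrapper would run without the application-admin identity it was meant to receive. Change the caller to `user_assigned_identities = [data.azurerm_user_assigned_identity.application_admin.id]` and the variable's description to `description = "Resource IDs of additional user-assigned identities to attach to the container app (the module's own identity is always included)."`. The `identity` block sits inside `resource "azurerm_container_app" "app"`, whose body continues outside the hunk.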
@@ -127,10 +118,6 @@ resource "azurerm_container_app" "app" { max_replicas = var.max_replicas container { - env { - name = "EntraId__Identities__PostgresAdmin__ClientId" - value = data.azurerm_user_assigned_identity.postgres_admin.client_id - } env { name = "EntraId__Identities__Service__ClientId" value = azurerm_user_assigned_identity.app.client_id @@ -140,6 +127,15 @@ resource "azurerm_container_app" "app" { value = data.azurerm_app_configuration.appconf.endpoint } + dynamic "env" { + content { + name = env.key + value = env.value + } + + for_each = var.variables + } + name = var.name image = var.image @@ -164,4 +160,3 @@ resource "azurerm_container_app_custom_domain" "domain" { certificate_binding_type = "Disabled" container_app_id = azurerm_container_app.app.id } - diff --git a/infra/modules/container_app_api/variables.tf b/infra/modules/container_app_api/variables.tf index b43d752d..d4f756f5 100644 --- a/infra/modules/container_app_api/variables.tf +++ b/infra/modules/container_app_api/variables.tf @@ -14,6 +14,17 @@ variable "location" { description = "Specifies the Azure region where the resources will be provisioned (e.g., 'norwayeast')." } +variable "variables" { + type = map(string) + default = {} +} + +variable "user_assigned_identities" { + type = list(string) + default = [] + description = "List of principal IDs" +} + variable "environment" { type = string } @@ -31,9 +42,19 @@ variable "registry" { default = "ghcr.io" } -variable "can_use_service_bus" { +variable "can_use_auth_service_bus" { + type = bool + default = false +} + +variable "can_use_auth_key_vault" { + type = bool + default = false +} + +variable "can_use_auth_app_configuration" { type = bool - default = true + default = false } variable "max_replicas" { diff --git a/src/apps/Altinn.Authorization.DeployApi/Dockerfile b/src/apps/Altinn.Authorization.DeployApi/Dockerfile new file mode 100644 index 00000000..3dfa71b4 --- /dev/null +++ b/src/apps/Altinn.Authorization.DeployApi/Dockerfile 
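Review bot: `variable "variables"` in infra/modules/container_app_api/variables.tf has no description, and because the new `dynamic "env"` block renders each entry as `value = env.value`, anything put in this map becomes a plaintext environment variable that is stored in Terraform state and shown on the container app, so the description should state that secrets do not belong in it (Container Apps env entries can reference a `secret_name` instead). I would add `description = "Extra non-secret environment variables for the container, name => value. Values are rendered as plain env values; wire secrets through the container app secret mechanism instead."`. The three `can_use_auth_*` variables in the second variables.tf hunk are also undocumented; one line each naming the role granted, e.g. `description = "Grant the app identity 'Key Vault Secrets User' on the shared auth key vault."` for `can_use_auth_key_vault` and the analogous `App Configuration Data Reader` and `Azure Service Bus Mass Transit` roles for the other two, would make the least-privilege default of `false` self-explanatory.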
@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
+WORKDIR /app
+WORKDIR /src
+COPY src/ .
+WORKDIR /src/apps/Altinn.Authorization.DeployApi/src/Altinn.Authorization.DeployApi
+RUN dotnet publish -c Release -o /app
+
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS final
+WORKDIR /app
+COPY --from=build /app .
+
+ENTRYPOINT ["dotnet", "Altinn.Authorization.DeployApi.dll"]
\ No newline at end of file
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
new file mode 100644
index 00000000..d5145c80
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at21.tfvars
@@ -0,0 +1,2 @@
+environment = "at21"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
new file mode 100644
index 00000000..1e79c5af
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at22.tfvars
@@ -0,0 +1,2 @@
+environment = "at22"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
new file mode 100644
index 00000000..11a96a9b
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at23.tfvars
@@ -0,0 +1,2 @@
+environment = "at23"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
new file mode 100644
index 00000000..47e2cab0
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/at24.tfvars
@@ -0,0 +1,2 @@
+environment = "at24"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf b/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
new file mode 100644
index 00000000..c6cb89af
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/main.tf
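Review bot: The final stage runs as root, because `FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine AS final` never switches user; the .NET 8 images ship a non-root `app` user, so adding `USER app` after `COPY --from=build /app .` drops privileges at no cost (the app then has to listen on a non-privileged port, which is the image's default). The first `WORKDIR /app` in the build stage is immediately overridden by `WORKDIR /src` and can be deleted. `COPY src/ .` also pulls every app under src/ into the build stage, so a .dockerignore kept next to this file is worth having to keep unrelated trees and local build artifacts out of the context.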
@@ -0,0 +1,37 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "4.1.0"
+ }
+ }
+
+ backend "azurerm" {
+ use_azuread_auth = true
+ }
+}
+provider "azurerm" {
+ use_oidc = true
+ features {}
+}
+
+locals {
+ infrastructure_suffix = "${var.infrastructure_name}${var.instance}${var.environment}"
+ infrastructure_resource_group_name = "rg${local.infrastructure_suffix}"
+}
+
+data "azurerm_user_assigned_identity" "application_admin" {
+ name = "miappadmin${local.infrastructure_suffix}"
+ resource_group_name = local.infrastructure_resource_group_name
+}
+
+module "app" {
+ source = "../../../../infra/modules/container_app_api"
+
+ user_assigned_identities = [data.azurerm_user_assigned_identity.application_admin.principal_id]
+
+ instance = var.instance
+ environment = var.environment
+ name = "bootstrapper"
+ image = var.image
+}
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
new file mode 100644
index 00000000..720f7cd0
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/prod.tfvars
@@ -0,0 +1,2 @@
+environment = "prod"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars b/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
new file mode 100644
index 00000000..4de76f52
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/tt02.tfvars
@@ -0,0 +1,2 @@
+environment = "tt02"
+instance = "001"
diff --git a/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf b/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
new file mode 100644
index 00000000..88aa0a95
--- /dev/null
+++ b/src/apps/Altinn.Authorization.DeployApi/deploy/variables.tf
@@ -0,0 +1,28 @@ +variable "environment" { + type = string + description = < pipeline.Run(context)); +app.MapPost("bootstrapper/api/v1/databases", (BootstrapDatabasePipeline pipeline, HttpContext context) => pipeline.Run(context)); app.Run(); From 6718ddadb4c5a6a46f868dcebabb3ae42891b418 Mon Sep 17 00:00:00 2001 From: Andreas Isnes Date: Tue, 8 Oct 2024 16:40:58 +0200 Subject: [PATCH 2/2] update container app template --- src/apps/Altinn.Authorization.AccessPackages/deploy/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/apps/Altinn.Authorization.AccessPackages/deploy/main.tf b/src/apps/Altinn.Authorization.AccessPackages/deploy/main.tf index 0724b0c8..5a3f8167 100644 --- a/src/apps/Altinn.Authorization.AccessPackages/deploy/main.tf +++ b/src/apps/Altinn.Authorization.AccessPackages/deploy/main.tf @@ -24,5 +24,7 @@ module "app" { name = "accesspackages" image = var.image - can_use_service_bus = true + can_use_auth_service_bus = true + can_use_auth_app_configuration = true + can_use_auth_key_vault = true }
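Review bot: This module call sets neither `user_assigned_identities` nor `variables`, so after patch 1 removed the hard-wired `postgres_admin` identity and the `EntraId__Identities__PostgresAdmin__ClientId` env from infra/modules/container_app_api/main.tf, the accesspackages container app loses both on the next apply; only the three role-assignment flags were carried over. Unless accesspackages no longer needs the Postgres admin identity, this deploy should look the identity up itself and pass it through, which assumes this file defines the same `infrastructure_suffix` and `infrastructure_resource_group_name` locals as the bootstrapper deploy. The `module "app"` block starts outside the hunk.
```hcl
data "azurerm_user_assigned_identity" "postgres_admin" {
  name                = "mipsqlsrvadmin${local.infrastructure_suffix}"
  resource_group_name = local.infrastructure_resource_group_name
}

module "app" {
  # … unchanged: source, instance, environment, name, image …

  user_assigned_identities = [data.azurerm_user_assigned_identity.postgres_admin.id]
  variables = {
    "EntraId__Identities__PostgresAdmin__ClientId" = data.azurerm_user_assigned_identity.postgres_admin.client_id
  }

  can_use_auth_service_bus       = true
  can_use_auth_app_configuration = true
  can_use_auth_key_vault         = true
}
```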