ci(azure): add dry run of infrastructure (#312)

Relatert til #308

- Modifiserer bicep-filer og legger med bicepparam istedenfor json-fil.
- Legger til dry-run av infrastructure deployment

.azure/infrastructure/main.bicep

@@ -2,13 +2,31 @@ targetScope = 'subscription'
 
 param environment string
 param location string
-param keyVault object
-// param imageUrl string
-// param deployTimestamp string
+param keyVaultSourceKeys array
+
 param gitSha string
-var namePrefix = 'dp-fe-${environment}'
+
+@secure()
+@minLength(3)
+param dialogportenPgAdminPassword string
+@secure()
+@minLength(3)
+param sourceKeyVaultSubscriptionId string
+@secure()
+@minLength(3)
+param sourceKeyVaultResourceGroup string
 @secure()
-param secrets object
+@minLength(3)
+param sourceKeyVaultName string
+
+var secrets = {
+    dialogportenPgAdminPassword: dialogportenPgAdminPassword
+    sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
+    sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
+    sourceKeyVaultName: sourceKeyVaultName
+}
+
+var namePrefix = 'dp-fe-${environment}'
 
 var baseImageUrl = 'ghcr.io/digdir/dialogporten-frontend'
 
@@ -18,13 +36,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
     location: location
 }
 
-module keyVaultModule '../modules/keyvault/create.bicep' = {
+module environmentKeyVault '../modules/keyvault/create.bicep' = {
     scope: resourceGroup
     name: 'keyVault'
     params: {
         namePrefix: namePrefix
         location: location
-        adminObjectIds: keyVault.adminObjectIds
     }
 }
 
@@ -48,8 +65,14 @@ module appInsights '../modules/applicationInsights/create.bicep' = {
 
 // Create references to existing resources
 resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
-    name: keyVault.source.name
-    scope: az.resourceGroup(keyVault.source.subscriptionId, keyVault.source.resourceGroupName)
+    name: secrets.sourceKeyVaultName
+    scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup)
+}
+
+var srcKeyVault = {
+    name: secrets.sourceKeyVaultName
+    subscriptionId: secrets.sourceKeyVaultSubscriptionId
+    resourceGroupName: secrets.sourceKeyVaultResourceGroup
 }
 
 // Create resources with dependencies to other resources
@@ -59,22 +82,22 @@ module postgresql '../modules/postgreSql/create.bicep' = {
     params: {
         namePrefix: namePrefix
         location: location
-        keyVaultName: keyVaultModule.outputs.name
-        srcKeyVault: keyVault.source
+        keyVaultName: environmentKeyVault.outputs.name
+        srcKeyVault: srcKeyVault
         srcSecretName: 'dialogportenPgAdminPassword${environment}'
-        administratorLoginPassword: contains(keyVault.source.keys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
+        administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
     }
 }
 
 module copySecret '../modules/keyvault/copySecrets.bicep' = {
     scope: resourceGroup
     name: 'copySecrets'
     params: {
-        srcKeyVaultKeys: keyVault.source.keys
-        srcKeyVaultName: keyVault.source.name
-        srcKeyVaultRGNName: keyVault.source.resourceGroupName
-        srcKeyVaultSubId: keyVault.source.subscriptionId
-        destKeyVaultName: keyVaultModule.outputs.name
+        srcKeyVaultKeys: keyVaultSourceKeys
+        srcKeyVaultName: srcKeyVault.name
+        srcKeyVaultRGNName: srcKeyVault.resourceGroupName
+        srcKeyVaultSubId: srcKeyVault.subscriptionId
+        destKeyVaultName: environmentKeyVault.outputs.name
         secretPrefix: 'dialogporten--${environment}--'
     }
 }
@@ -99,7 +122,7 @@ module migrationJob '../modules/migrationJob/create.bicep' = {
             }
             {
                 name: 'KV_NAME'
-                value: keyVaultModule.outputs.name
+                value: environmentKeyVault.outputs.name
             }
             {
                 name: 'PSQL_CONNECTION_JSON_NAME' // MÅ BYTTES UT, DETTE SKAL HENTES FRA APP CONFIG
@@ -154,7 +177,7 @@ module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = {
     scope: resourceGroup
     name: 'keyVaultReaderAccessPolicy'
     params: {
-        keyvaultName: keyVaultModule.outputs.name
+        keyvaultName: environmentKeyVault.outputs.name
         // TODO: Har lagt til dialogporten-subscription-deploy-principal ettersom den m� hente ut db connectionstring fra keyvault for migrasjon
         principalIds: [ containerApp.outputs.identityPrincipalId, migrationJob.outputs.principalId, '49f570f3-9677-4eb7-b360-eaed33f98632', '2e8cd2b0-400f-4be7-9b8e-311c14263048' ] // FJERNES!!!!!
     }
@@ -214,7 +237,7 @@ module containerApp '../modules/containerApp/addNECertufucateToContainer.bicep'
             }
             {
                 name: 'KV_NAME'
-                value: keyVaultModule.outputs.name
+                value: environmentKeyVault.outputs.name
             }
             {
                 name: 'GIT_SHA'

.azure/infrastructure/test.bicepparam

@@ -0,0 +1,13 @@
+using './main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+
+param gitSha = readEnvironmentVariable('GIT_SHA')
+param keyVaultSourceKeys = json(readEnvironmentVariable('KEY_VAULT_SOURCE_KEYS'))
+
+// secrets
+param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD')
+param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID')
+param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP')
+param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME')

.github/tools/pwdGenerator.ps1

@@ -0,0 +1,47 @@
+function Get-RandomCharacters([int]$length, [string]$characters) {
+    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
+    $private:ofs=""
+    return [string]$characters[$random]
+}
+function Scramble-String([string]$inputString){     
+    $characterArray = $inputString.ToCharArray()   
+    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length     
+    $outputString = -join $scrambledStringArray
+    return $outputString 
+}
+function GeneratePassword{
+    param(
+		[Parameter()]
+        [ValidateRange(8,64)]
+		[int]$length=25,
+		[Parameter()]
+        [ValidateRange(0,64)]
+		[int]$minLower=1,
+		[Parameter()]
+        [ValidateRange(0,64)]
+		[int]$minUpper=1,
+		[Parameter()]
+        [ValidateRange(0,64)]
+		[int]$minNumber=1,
+		[Parameter()]
+        [ValidateRange(0,64)]
+		[int]$minSpecial=1
+	)
+	$lowercase = 'abcdefghiklmnoprstuvwxyz'
+	$uppercase = 'ABCDEFGHKLMNOPRSTUVWXYZ'
+	$numbers = '1234567890'
+	$special = '@#*+&%$!~'
+	$characters = $lowercase + $uppercase + $numbers + $special
+	$password = Get-RandomCharacters $minLower $lowercase
+	$password += Get-RandomCharacters $minUpper $uppercase
+	$password += Get-RandomCharacters $minNumber $numbers
+	$password += Get-RandomCharacters $minSpecial $special
+	$password += Get-RandomCharacters $($length-$password.Length) $characters
+	$password = Scramble-String $password
+	$Bytes = [System.Text.Encoding]::Unicode.GetBytes($password)
+	$EncodedText =[Convert]::ToBase64String($Bytes)
+	return @{
+	    Password = $password
+	    EncodedPassword = $EncodedText
+	}
+}

.github/workflows/ci-cd-main.yml

@@ -13,4 +13,4 @@ jobs:
 
   deploy-documentation:
     uses: ./.github/workflows/workflow-deploy-docs.yml
-    
+

.github/workflows/ci-cd-pull-request.yml

@@ -6,10 +6,41 @@ on:
     types: [opened, synchronize, reopened]
 
 jobs:
+  generate-git-short-sha:
+    name: Generate git short sha
+    uses: ./.github/workflows/workflow-generate-git-short-sha.yml
+
+  check-for-changes:
+    name: Check for changes
+    uses: ./.github/workflows/workflow-check-for-changes.yml
+
   build-and-test:
     uses: ./.github/workflows/workflow-build-and-test.yml
     with:
       environment: test
 
   playwright-test:
     uses: ./.github/workflows/workflow-playwright-test.yml
+
+  dry-run-deploy-infra:
+    uses: ./.github/workflows/workflow-deploy-infrastructure.yml
+    needs:
+      [
+        generate-git-short-sha,
+        check-for-changes
+      ]
+    if: ${{ needs.check-for-changes.outputs.hasInfrastructureChanges == 'true' }}
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
+      AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
+      AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+    with:
+      environment: test
+      region: norwayeast
+      dryRun: true
+      version: ${{ github.sha }}
+
+

.github/workflows/workflow-check-for-changes.yml

@@ -0,0 +1,32 @@
+name: "Check for file changes"
+
+on:
+  workflow_call:
+    outputs:
+      hasInfrastructureChanges:
+        description: "Infrastructure related files changed"
+        value: ${{ jobs.check-for-changes.outputs.hasInfrastructureChanges }}
+
+jobs:
+  check-for-changes:
+    name: Filter
+    runs-on: ubuntu-latest
+    outputs:
+      hasInfrastructureChanges: ${{ steps.filter.outputs.infrastructure_any_changed == 'true' }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          # fetch-depth needs to be 0 in cases where we want to fetch changes since previous tag for example
+          fetch-depth: 0
+
+      - uses: tj-actions/changed-files@v42
+        id: filter
+        with:
+          files_yaml: |
+            infrastructure:
+              - '.github/**/*'
+              - '.azure/infrastructure/*'
+              - '.azure/modules/**/*'
+