diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..47a787b --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +github: [PerfectThymeTech, marvinbuss] diff --git a/.github/workflows/_terraformApplyTemplate.yml b/.github/workflows/_terraformApplyTemplate.yml index c7f188e..d1942bc 100644 --- a/.github/workflows/_terraformApplyTemplate.yml +++ b/.github/workflows/_terraformApplyTemplate.yml @@ -29,6 +29,9 @@ on: SUBSCRIPTION_ID: required: true description: "Specifies the client id." + MY_SAMPLE_SECRET: + required: true + description: "Specifies a sample secret." permissions: id-token: write @@ -79,4 +82,4 @@ jobs: - name: Terraform Apply working-directory: ${{ inputs.working_directory }} run: | - terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false + terraform apply -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -auto-approve -input=false diff --git a/.github/workflows/_terraformPlanTemplate.yml b/.github/workflows/_terraformPlanTemplate.yml index 0c8530d..fd97d09 100644 --- a/.github/workflows/_terraformPlanTemplate.yml +++ b/.github/workflows/_terraformPlanTemplate.yml @@ -29,6 +29,9 @@ on: SUBSCRIPTION_ID: required: true description: "Specifies the client id." + MY_SAMPLE_SECRET: + required: true + description: "Specifies a sample secret." permissions: id-token: write @@ -89,7 +92,7 @@ jobs: id: terraform_plan working-directory: ${{ inputs.working_directory }} run: | - terraform plan -var-file vars.${{ inputs.environment }}.tfvars -input=false + terraform plan -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -input=false # Add Pull Request Comment - name: Add Pull Request Comment diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index e1618dc..029e9f5 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
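Review bot: The new `terraform apply` line interpolates `${{ secrets.MY_SAMPLE_SECRET }}` directly into the `run:` script, so the runner expands the secret into the command text before the shell parses it: a value containing a single quote breaks the command, and the value is passed as a process argument to terraform on the runner. The `terraform plan` hunk in `_terraformPlanTemplate.yml` has the same pattern. Prefer handing the value over through the environment, which Terraform reads natively: add `env:` / `  TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}` to the step and keep the original `terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false`. The value still lands in the plan file and state either way, which is inherent to Terraform variables and not addressed by this commit.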
@@ -35,6 +35,7 @@ jobs: CLIENT_ID: ${{ secrets.CLIENT_ID }} CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }} + MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }} terraform_apply_dev: uses: ./.github/workflows/_terraformApplyTemplate.yml @@ -50,3 +51,4 @@ jobs: CLIENT_ID: ${{ secrets.CLIENT_ID }} CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }} + MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }} diff --git a/code/function/fastapp/core/config.py b/code/function/fastapp/core/config.py index 5d7009c..dc87cf7 100644 --- a/code/function/fastapp/core/config.py +++ b/code/function/fastapp/core/config.py @@ -14,6 +14,7 @@ class Settings(BaseSettings): APPLICATIONINSIGHTS_CONNECTION_STRING: str = Field( default="", env="APPLICATIONINSIGHTS_CONNECTION_STRING" ) + MY_SECRET_CONFIG: str = Field(default="", env="MY_SECRET_CONFIG") settings = Settings() diff --git a/code/infra/function.tf b/code/infra/function.tf index 05e98d5..a41ef6d 100644 --- a/code/infra/function.tf +++ b/code/infra/function.tf 
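Review bot: `MY_SECRET_CONFIG` gets `default=""`, so if the Key Vault reference configured in `function.tf` does not resolve (App Service then hands the app the unresolved reference string, as far as I recall — worth confirming) or the setting is missing, the application starts with an empty or bogus secret instead of failing fast. Consider dropping the default so pydantic raises at startup, and typing the field as pydantic's `SecretStr` so the value is redacted in `repr` and logs, e.g. `MY_SECRET_CONFIG: SecretStr = Field(..., env="MY_SECRET_CONFIG")`; the module's imports are outside the hunk, so `SecretStr` would have to be imported there. The enclosing `Settings` class starts before the hunk.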
@@ -8,8 +8,43 @@ resource "azurerm_service_plan" "service_plan" { os_type = "Linux" per_site_scaling_enabled = false sku_name = "P1v3" - worker_count = 3 - zone_balancing_enabled = true + worker_count = 1 # Update to '3' for production + zone_balancing_enabled = false # Update to 'true' for production +} + +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_service_plan" { + resource_id = azurerm_service_plan.service_plan.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_service_plan" { + name = "logAnalytics" + target_resource_id = azurerm_service_plan.service_plan.id + log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id + + dynamic "enabled_log" { + iterator = entry + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.log_category_groups + content { + category_group = entry.value + retention_policy { + enabled = true + days = 30 + } + } + } + + dynamic "metric" { + iterator = entry + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.metrics + content { + category = entry.value + enabled = true + retention_policy { + enabled = true + days = 30 + } + } + } } resource "azapi_resource" "function" { @@ -87,6 +122,10 @@ resource "azapi_resource" "function" { { name = "AzureWebJobsStorage__accountName" value = azurerm_storage_account.storage.name + }, + { + name = "MY_SECRET_CONFIG" + value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})" } ] azureStorageAccounts = {} diff --git a/code/infra/keyvault.tf b/code/infra/keyvault.tf index e0935dd..cc579df 100644 --- a/code/infra/keyvault.tf +++ b/code/infra/keyvault.tf 
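Review bot: `worker_count = 1` and `zone_balancing_enabled = false` are now hard-coded for non-production with a comment asking the reader to edit the file before a production deployment, yet the workflows already select `vars.${{ inputs.environment }}.tfvars` per environment; these two values belong in input variables so each tfvars file sets them and shared code is never edited per deployment, e.g. `worker_count = var.service_plan_worker_count` and `zone_balancing_enabled = var.service_plan_zone_balancing_enabled` (variable names are a suggestion). The `retention_policy` blocks added inside `enabled_log` and `metric` of the new diagnostic setting are deprecated in recent azurerm 3.x releases and removed in 4.x; I cannot see the pinned provider version here, so this may be consistent with the existing diagnostic settings in the repo or may break on the next provider upgrade. The `azurerm_service_plan` block starts outside the hunk.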
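Review bot: The new app setting uses `azurerm_key_vault_secret.key_vault_secret_sample.id`, which is the versioned secret URI, so a secret rotated in the vault is not picked up by the function until Terraform is re-applied and writes a new version; `versionless_id` gives the URI without the version and lets the Key Vault reference track the current version: `value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.versionless_id})"`. The reference also only resolves if the function's managed identity holds `Key Vault Secrets User` on the vault; the `roleassignments.tf` hunk adds a role only for the deploying principal and I cannot see such an assignment elsewhere in the diff, so confirm it exists or add it. The enclosing `azapi_resource "function"` block starts and ends outside the hunk.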
@@ -22,6 +22,19 @@ resource "azurerm_key_vault" "key_vault" { tenant_id = data.azurerm_client_config.current.tenant_id } +resource "azurerm_key_vault_secret" "key_vault_secret_sample" { + name = "MySampleSecret" + key_vault_id = azurerm_key_vault.key_vault.id + + content_type = "text/plain" + value = var.my_secret + + depends_on = [ + azurerm_role_assignment.current_role_assignment_key_vault, + azurerm_private_endpoint.key_vault_private_endpoint + ] +} + data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" { resource_id = azurerm_key_vault.key_vault.id } diff --git a/code/infra/roleassignments.tf b/code/infra/roleassignments.tf index cbe287d..17c6f1d 100644 --- a/code/infra/roleassignments.tf +++ b/code/infra/roleassignments.tf @@ -1,3 +1,9 @@ +resource "azurerm_role_assignment" "current_role_assignment_key_vault" { + scope = azurerm_key_vault.key_vault.id + role_definition_name = "Key Vault Administrator" + principal_id = data.azurerm_client_config.current.object_id +} + resource "azurerm_role_assignment" "function_role_assignment_storage" { scope = azurerm_storage_account.storage.id role_definition_name = "Storage Blob Data Owner" diff --git a/code/infra/variables.tf b/code/infra/variables.tf index b20a02b..2241e13 100644 --- a/code/infra/variables.tf +++ b/code/infra/variables.tf @@ -83,6 +83,16 @@ variable "function_health_path" { } } +variable "my_secret" { + description = "Specifies a random secret value used in teh Logic App." + type = string + sensitive = true + validation { + condition = length(var.my_secret) >= 2 + error_message = "Please specify a valid resource ID." + } +} + variable "private_dns_zone_id_blob" { description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azue Policy." type = string diff --git a/code/infra/vars.dev.tfvars b/code/infra/vars.dev.tfvars index 8575e38..48f032d 100644 --- a/code/infra/vars.dev.tfvars 
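Review bot: `value = var.my_secret` places the plaintext secret in Terraform state, because `azurerm_key_vault_secret` keeps the value as a resource attribute; `sensitive = true` on the variable only redacts plan output, so the state backend used by this project needs the same access control as the vault itself. If the secret is meant to be rotated in the vault rather than through the pipeline, add `lifecycle { ignore_changes = [value] }` so a later apply does not overwrite the rotated value with the pipeline one. A short comment above the resource would help the next reader, e.g. `# Value comes from the MY_SAMPLE_SECRET pipeline secret and is also persisted in Terraform state.`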
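Review bot: `Key Vault Administrator` gives the deploying principal full control over keys, certificates and secrets, but the only use the diff makes of it is creating `azurerm_key_vault_secret.key_vault_secret_sample`; `Key Vault Secrets Officer` covers that and is the least-privilege choice: `role_definition_name = "Key Vault Secrets Officer"`. The assignment is also permanent for the CI identity, and Azure RBAC propagation can lag behind the `depends_on` declared in `keyvault.tf`, so a first run may still fail with a 403 until the role is effective — I cannot see any retry or wait here.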
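Review bot: The validation's `error_message` reads "Please specify a valid resource ID." although the condition checks the secret's length, and the description mentions "teh Logic App" while everything in this diff concerns a Function App; both look copy-pasted and will mislead whoever hits the error. Suggested lines: `description = "Specifies a secret value that is stored in Key Vault and exposed to the Function App."` and `error_message = "Please specify a secret value with at least 2 characters."`. A minimum length of 2 is also a weak guard for a secret; raise it if the consumer has a known minimum.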
+++ b/code/infra/vars.dev.tfvars @@ -4,6 +4,7 @@ prefix = "myfunc" tags = {} function_python_version = "3.10" function_health_path = "/v1/health/heartbeat" +my_secret = "" vnet_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001" nsg_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001" route_table_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001"
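Review bot: `my_secret = ""` in the committed tfvars fails the new `length(var.my_secret) >= 2` validation on its own and only works in CI because the workflows pass `-var='my_secret=...'` after `-var-file`, and Terraform takes the last assignment; anyone running `terraform plan -var-file vars.dev.tfvars` locally gets the validation error instead of a prompt. Either drop the line so Terraform asks for the value, or keep it with a comment explaining the override: `my_secret = "" # Overridden by the MY_SAMPLE_SECRET pipeline secret; set TF_VAR_my_secret locally`.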