From ebc6a076b9d402b176b8145557544e6bece2c7fe Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 12:24:00 +0200 Subject: [PATCH 1/8] Update Scale for Function ASP --- code/infra/function.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code/infra/function.tf b/code/infra/function.tf index 05e98d5..3152572 100644 --- a/code/infra/function.tf +++ b/code/infra/function.tf @@ -8,8 +8,8 @@ resource "azurerm_service_plan" "service_plan" { os_type = "Linux" per_site_scaling_enabled = false sku_name = "P1v3" - worker_count = 3 - zone_balancing_enabled = true + worker_count = 1 # Update to '3' for production + zone_balancing_enabled = false # Update to 'true' for production } resource "azapi_resource" "function" { From 5836ae0d96ff9a03e6e6d5a6e843a40e67c64676 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 12:25:06 +0200 Subject: [PATCH 2/8] Add funding ref --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..47a787b --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +github: [PerfectThymeTech, marvinbuss] From bf5adb437c77df0bfcd885254dc93ee6028ef64a Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 12:25:37 +0200 Subject: [PATCH 3/8] Add diagnostics for asp --- code/infra/function.tf | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/code/infra/function.tf b/code/infra/function.tf index 3152572..4b92096 100644 --- a/code/infra/function.tf +++ b/code/infra/function.tf 
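Review bot: The production values for `worker_count` and `zone_balancing_enabled` survive only as trailing comments on the two added lines, so the dev/prod difference lives in a comment rather than in the per-environment tfvars this repository already uses (`vars.dev.tfvars`, touched in patch 6). Lifting both into declared variables, e.g. `worker_count = var.service_plan_worker_count` and `zone_balancing_enabled = var.service_plan_zone_balancing_enabled` (names are a proposal), keeps a production apply from silently running single-instance and non-zone-redundant if the comment is overlooked. The `azurerm_service_plan` block starts outside the hunk.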
@@ -12,6 +12,41 @@ resource "azurerm_service_plan" "service_plan" { zone_balancing_enabled = false # Update to 'true' for production } +data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_service_plan" { + resource_id = azurerm_service_plan.service_plan.id +} + +resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_service_plan" { + name = "logAnalytics" + target_resource_id = azurerm_service_plan.service_plan.id + log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id + + dynamic "enabled_log" { + iterator = entry + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.log_category_groups + content { + category_group = entry.value + retention_policy { + enabled = true + days = 30 + } + } + } + + dynamic "metric" { + iterator = entry + for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.metrics + content { + category = entry.value + enabled = true + retention_policy { + enabled = true + days = 30 + } + } + } +} + resource "azapi_resource" "function" { type = "Microsoft.Web/sites@2022-09-01" parent_id = azurerm_resource_group.app_rg.id From 83f063b443670177e83dd39c1863c5c5990c4f41 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 12:26:36 +0200 Subject: [PATCH 4/8] Enable deployment for iac --- .github/workflows/terraform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index e1618dc..0361717 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -40,7 +40,7 @@ jobs: uses: ./.github/workflows/_terraformApplyTemplate.yml name: "Terraform Apply" needs: [terraform_plan_dev] - if: github.event_name == 'push' || github.event_name == 'release' + # if: github.event_name == 'push' || github.event_name == 'release' with: environment: "dev" terraform_version: "1.4.6" 
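Review bot: The `retention_policy { enabled = true  days = 30 }` blocks inside both dynamic blocks of the new `azurerm_monitor_diagnostic_setting` do not enforce anything for a setting whose only destination is `log_analytics_workspace_id`; the azurerm provider documents that block as applying to storage-account destinations and marks it deprecated, so the 30-day figure is not applied anywhere. Retention for this data is governed by the workspace's `retention_in_days` (or per-table retention), so either set it there and drop the blocks, or add a comment stating the value is informational only. It is also worth confirming that an App Service plan exposes any `log_category_groups`; if the data source returns none, `enabled_log` expands to nothing and only metrics are collected, which may be intended but is not stated.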
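Review bot: Commenting out `if: github.event_name == 'push' || github.event_name == 'release'` on `terraform_apply_dev` makes the apply job run for every event that triggers the workflow, which judging by the "Add Pull Request Comment" step in the plan template includes `pull_request`, so an unreviewed PR would apply infrastructure with the deployment credentials until the gate is restored; patch 5 does the same to the "Function App Deploy" job and patch 8 restores both. If the intent is a one-off deployment from a branch, a `workflow_dispatch` trigger with the gate extended to `|| github.event_name == 'workflow_dispatch'` achieves that without opening the apply path to PR events in the intervening commits. The enclosing `on:` and `jobs:` sections start outside the hunk.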
From 5701687dd7a49981997bd50ea7856a47c6368866 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 12:57:58 +0200 Subject: [PATCH 5/8] Deploy function --- .github/workflows/functionApp.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/functionApp.yml b/.github/workflows/functionApp.yml index f03355b..3df3e00 100644 --- a/.github/workflows/functionApp.yml +++ b/.github/workflows/functionApp.yml @@ -6,6 +6,7 @@ on: paths: - "**.py" - "code/function/**" + - ".github/workflows/functionApp.yml" pull_request: branches: @@ -13,6 +14,7 @@ on: paths: - "**.py" - "code/function/**" + - ".github/workflows/functionApp.yml" jobs: function_test: @@ -26,7 +28,7 @@ jobs: uses: ./.github/workflows/_functionAppDeployTemplate.yml name: "Function App Deploy" needs: [function_test] - if: github.event_name == 'push' || github.event_name == 'release' + # if: github.event_name == 'push' || github.event_name == 'release' with: environment: "dev" python_version: "3.10" From b7df08ef49be06916ea886a04dbddb847907ef78 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 13:47:42 +0200 Subject: [PATCH 6/8] Add sample secret deployment --- .github/workflows/_terraformApplyTemplate.yml | 5 ++++- .github/workflows/_terraformPlanTemplate.yml | 5 ++++- .github/workflows/terraform.yml | 2 ++ code/function/fastapp/core/config.py | 1 + code/infra/function.tf | 4 ++++ code/infra/keyvault.tf | 13 +++++++++++++ code/infra/variables.tf | 10 ++++++++++ code/infra/vars.dev.tfvars | 1 + 8 files changed, 39 insertions(+), 2 deletions(-) diff --git a/.github/workflows/_terraformApplyTemplate.yml b/.github/workflows/_terraformApplyTemplate.yml index c7f188e..d1942bc 100644 --- a/.github/workflows/_terraformApplyTemplate.yml +++ b/.github/workflows/_terraformApplyTemplate.yml 
@@ -29,6 +29,9 @@ on: SUBSCRIPTION_ID: required: true description: "Specifies the client id." + MY_SAMPLE_SECRET: + required: true + description: "Specifies a sample secret." permissions: id-token: write @@ -79,4 +82,4 @@ jobs: - name: Terraform Apply working-directory: ${{ inputs.working_directory }} run: | - terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false + terraform apply -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -auto-approve -input=false diff --git a/.github/workflows/_terraformPlanTemplate.yml b/.github/workflows/_terraformPlanTemplate.yml index 0c8530d..fd97d09 100644 --- a/.github/workflows/_terraformPlanTemplate.yml +++ b/.github/workflows/_terraformPlanTemplate.yml @@ -29,6 +29,9 @@ on: SUBSCRIPTION_ID: required: true description: "Specifies the client id." + MY_SAMPLE_SECRET: + required: true + description: "Specifies a sample secret." permissions: id-token: write @@ -89,7 +92,7 @@ jobs: id: terraform_plan working-directory: ${{ inputs.working_directory }} run: | - terraform plan -var-file vars.${{ inputs.environment }}.tfvars -input=false + terraform plan -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -input=false # Add Pull Request Comment - name: Add Pull Request Comment diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 0361717..93ed0ed 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -35,6 +35,7 @@ jobs: CLIENT_ID: ${{ secrets.CLIENT_ID }} CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }} + MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }} terraform_apply_dev: uses: ./.github/workflows/_terraformApplyTemplate.yml 
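Review bot: The secret is spliced into the shell script on the new `terraform apply ... -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' ...` line (and on the matching `terraform plan` line in `_terraformPlanTemplate.yml`), so the expression is expanded before the shell runs and a value containing a single quote breaks the command or its quoting. Passing it through the environment instead avoids both the quoting problem and the secret appearing in the command text: add `env:` with `TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}` to the step and drop the `-var` argument, since Terraform reads `TF_VAR_<name>` for any declared variable. The `secrets:` declaration `MY_SAMPLE_SECRET` added at the top of both templates is fine as is; its description "Specifies a sample secret." could say what consumes it, e.g. `description: "Sample secret written to Key Vault as MySampleSecret."`.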
@@ -50,3 +51,4 @@ jobs: CLIENT_ID: ${{ secrets.CLIENT_ID }} CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }} + MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }} diff --git a/code/function/fastapp/core/config.py b/code/function/fastapp/core/config.py index 5d7009c..dc87cf7 100644 --- a/code/function/fastapp/core/config.py +++ b/code/function/fastapp/core/config.py @@ -14,6 +14,7 @@ class Settings(BaseSettings): APPLICATIONINSIGHTS_CONNECTION_STRING: str = Field( default="", env="APPLICATIONINSIGHTS_CONNECTION_STRING" ) + MY_SECRET_CONFIG: str = Field(default="", env="MY_SECRET_CONFIG") settings = Settings() diff --git a/code/infra/function.tf b/code/infra/function.tf index 4b92096..a41ef6d 100644 --- a/code/infra/function.tf +++ b/code/infra/function.tf @@ -122,6 +122,10 @@ resource "azapi_resource" "function" { { name = "AzureWebJobsStorage__accountName" value = azurerm_storage_account.storage.name + }, + { + name = "MY_SECRET_CONFIG" + value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})" } ] azureStorageAccounts = {} diff --git a/code/infra/keyvault.tf b/code/infra/keyvault.tf index e0935dd..cc579df 100644 --- a/code/infra/keyvault.tf +++ b/code/infra/keyvault.tf @@ -22,6 +22,19 @@ resource "azurerm_key_vault" "key_vault" { tenant_id = data.azurerm_client_config.current.tenant_id } +resource "azurerm_key_vault_secret" "key_vault_secret_sample" { + name = "MySampleSecret" + key_vault_id = azurerm_key_vault.key_vault.id + + content_type = "text/plain" + value = var.my_secret + + depends_on = [ + azurerm_role_assignment.current_role_assignment_key_vault, + azurerm_private_endpoint.key_vault_private_endpoint + ] +} + data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" { resource_id = azurerm_key_vault.key_vault.id } diff --git a/code/infra/variables.tf b/code/infra/variables.tf index b20a02b..2241e13 100644 --- a/code/infra/variables.tf 
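Review bot: The new `MY_SECRET_CONFIG: str = Field(default="", env="MY_SECRET_CONFIG")` receives a Key Vault reference from the function app settings (patch 6, function.tf), and when App Service cannot resolve such a reference it passes the literal `@Microsoft.KeyVault(...)` string through as the setting value, so the application would treat the reference text as the secret. A startup check that the value is non-empty and does not start with `@Microsoft.KeyVault(` would surface a misconfigured identity or network path instead of a confusing downstream failure; a pydantic validator on the field is the natural place, or at least a comment, `# Populated via a Key Vault reference; an unresolved reference arrives as the literal reference string`. The `Settings` class starts outside the hunk.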
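Review bot: The added app setting `value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})"` resolves only if the function app's managed identity can read secrets from the vault, and this series adds no such assignment (patch 7 grants a role to the deploying principal only), nor is the app's identity block visible here; confirm that a `Key Vault Secrets User` assignment for the app's identity exists elsewhere in `roleassignments.tf`. Because the vault sits behind a private endpoint (see the `depends_on` in keyvault.tf), the app also needs VNet integration to reach it. Using `.id` pins the reference to the current secret version, so a rotated secret is not picked up until the next apply; `versionless_id` references the latest version instead. The `azapi_resource` body starts and ends outside the hunk.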
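Review bot: `value = var.my_secret` on the new `azurerm_key_vault_secret` is stored in clear text in the Terraform state regardless of `sensitive = true` on the variable, so the state backend needs the same access restrictions and auditing as the vault; a comment on the resource, `# NOTE: the secret value is persisted in clear text in Terraform state`, would warn the next maintainer. The `depends_on` on the role assignment is the right idea, but Azure RBAC assignments propagate with a delay, so the first apply can still fail with a 403 on the secret write; a `time_sleep` between them is the usual workaround if the repository already uses the time provider. If the deployer is not meant to own the secret's lifecycle, `lifecycle { ignore_changes = [value] }` keeps later applies from overwriting a rotated value.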
+++ b/code/infra/variables.tf @@ -83,6 +83,16 @@ variable "function_health_path" { } } +variable "my_secret" { + description = "Specifies a random secret value used in teh Logic App." + type = string + sensitive = true + validation { + condition = length(var.my_secret) >= 2 + error_message = "Please specify a valid resource ID." + } +} + variable "private_dns_zone_id_blob" { description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azue Policy." type = string diff --git a/code/infra/vars.dev.tfvars b/code/infra/vars.dev.tfvars index 8575e38..48f032d 100644 --- a/code/infra/vars.dev.tfvars +++ b/code/infra/vars.dev.tfvars @@ -4,6 +4,7 @@ prefix = "myfunc" tags = {} function_python_version = "3.10" function_health_path = "/v1/health/heartbeat" +my_secret = "" vnet_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001" nsg_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001" route_table_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001" From 2c5c25b4966817761149d3c8934b0b017e9b4fdf Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 13:50:47 +0200 Subject: [PATCH 7/8] Add role assignment --- code/infra/roleassignments.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/code/infra/roleassignments.tf b/code/infra/roleassignments.tf index cbe287d..17c6f1d 100644 --- a/code/infra/roleassignments.tf +++ b/code/infra/roleassignments.tf 
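Review bot: The validation on the new `my_secret` variable reports `error_message = "Please specify a valid resource ID."`, which does not describe its condition `length(var.my_secret) >= 2`; a user who plans with the `my_secret = ""` added to `vars.dev.tfvars` in this same patch and no `-var` override hits exactly this misleading message. The description `"Specifies a random secret value used in teh Logic App."` has a typo and names a Logic App, while the consumer is the function app's `MY_SECRET_CONFIG` setting. Suggest `description = "Specifies the sample secret stored in Key Vault and exposed to the function app as MY_SECRET_CONFIG."` and `error_message = "my_secret must be at least 2 characters long."`.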
@@ -1,3 +1,9 @@ +resource "azurerm_role_assignment" "current_role_assignment_key_vault" { + scope = azurerm_key_vault.key_vault.id + role_definition_name = "Key Vault Administrator" + principal_id = data.azurerm_client_config.current.object_id +} + resource "azurerm_role_assignment" "function_role_assignment_storage" { scope = azurerm_storage_account.storage.id role_definition_name = "Storage Blob Data Owner" From c6e0a6e2b25dd68d24dc2cd33193684e6f67346b Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Fri, 21 Jul 2023 14:08:39 +0200 Subject: [PATCH 8/8] Update workflows --- .github/workflows/functionApp.yml | 4 +--- .github/workflows/terraform.yml | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/functionApp.yml b/.github/workflows/functionApp.yml index 3df3e00..f03355b 100644 --- a/.github/workflows/functionApp.yml +++ b/.github/workflows/functionApp.yml @@ -6,7 +6,6 @@ on: paths: - "**.py" - "code/function/**" - - ".github/workflows/functionApp.yml" pull_request: branches: @@ -14,7 +13,6 @@ on: paths: - "**.py" - "code/function/**" - - ".github/workflows/functionApp.yml" jobs: function_test: @@ -28,7 +26,7 @@ jobs: uses: ./.github/workflows/_functionAppDeployTemplate.yml name: "Function App Deploy" needs: [function_test] - # if: github.event_name == 'push' || github.event_name == 'release' + if: github.event_name == 'push' || github.event_name == 'release' with: environment: "dev" python_version: "3.10" diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 93ed0ed..029e9f5 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -41,7 +41,7 @@ jobs: uses: ./.github/workflows/_terraformApplyTemplate.yml name: "Terraform Apply" needs: [terraform_plan_dev] - # if: github.event_name == 'push' || github.event_name == 'release' + if: github.event_name == 'push' || github.event_name == 'release' with: environment: "dev" terraform_version: "1.4.6"
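Review bot: `role_definition_name = "Key Vault Administrator"` on the new `current_role_assignment_key_vault` grants the deploying principal full data-plane control over keys, secrets and certificates, whereas the only operation this series needs is writing `MySampleSecret` (patch 6, keyvault.tf); `Key Vault Secrets Officer` covers that and keeps the CI identity within least privilege. `data.azurerm_client_config.current.object_id` is whichever principal runs `terraform apply`, so on a workstation that is the engineer's own account; a comment such as `# Grants the identity running Terraform the rights needed to manage azurerm_key_vault_secret.* resources` would keep it from being mistaken for an application permission. The file's remaining resources are outside the hunk.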