PerfectThymeTech · marvinbuss · Jul 21, 2023 · Jul 21, 2023 · Jul 21, 2023 · Jul 21, 2023
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: [PerfectThymeTech, marvinbuss]
diff --git a/.github/workflows/_terraformApplyTemplate.yml b/.github/workflows/_terraformApplyTemplate.yml
@@ -29,6 +29,9 @@ on:
       SUBSCRIPTION_ID:
         required: true
         description: "Specifies the client id."
+      MY_SAMPLE_SECRET:
+        required: true
+        description: "Specifies a sample secret."
 
 permissions:
   id-token: write
@@ -79,4 +82,4 @@ jobs:
       - name: Terraform Apply
         working-directory: ${{ inputs.working_directory }}
         run: |
-          terraform apply -var-file vars.${{ inputs.environment }}.tfvars -auto-approve -input=false
+          terraform apply -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -auto-approve -input=false
diff --git a/.github/workflows/_terraformPlanTemplate.yml b/.github/workflows/_terraformPlanTemplate.yml
@@ -29,6 +29,9 @@ on:
       SUBSCRIPTION_ID:
         required: true
         description: "Specifies the client id."
+      MY_SAMPLE_SECRET:
+        required: true
+        description: "Specifies a sample secret."
 
 permissions:
   id-token: write
@@ -89,7 +92,7 @@ jobs:
         id: terraform_plan
         working-directory: ${{ inputs.working_directory }}
         run: |
-          terraform plan -var-file vars.${{ inputs.environment }}.tfvars -input=false
+          terraform plan -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -input=false
 
       # Add Pull Request Comment
       - name: Add Pull Request Comment

diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -35,6 +35,7 @@ jobs:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
       CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
       SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
+      MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
 
   terraform_apply_dev:
     uses: ./.github/workflows/_terraformApplyTemplate.yml
@@ -50,3 +51,4 @@ jobs:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
       CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
       SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
+      MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
diff --git a/code/function/fastapp/core/config.py b/code/function/fastapp/core/config.py
@@ -14,6 +14,7 @@ class Settings(BaseSettings):
     APPLICATIONINSIGHTS_CONNECTION_STRING: str = Field(
         default="", env="APPLICATIONINSIGHTS_CONNECTION_STRING"
     )
+    MY_SECRET_CONFIG: str = Field(default="", env="MY_SECRET_CONFIG")
 
 
 settings = Settings()
diff --git a/code/infra/function.tf b/code/infra/function.tf
@@ -8,8 +8,43 @@ resource "azurerm_service_plan" "service_plan" {
   os_type                  = "Linux"
   per_site_scaling_enabled = false
   sku_name                 = "P1v3"
-  worker_count             = 3
-  zone_balancing_enabled   = true
+  worker_count             = 1     # Update to '3' for production
+  zone_balancing_enabled   = false # Update to 'true' for production
+}
+
+data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_service_plan" {
+  resource_id = azurerm_service_plan.service_plan.id
+}
+
+resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_service_plan" {
+  name                       = "logAnalytics"
+  target_resource_id         = azurerm_service_plan.service_plan.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+  dynamic "enabled_log" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.log_category_groups
+    content {
+      category_group = entry.value
+      retention_policy {
+        enabled = true
+        days    = 30
+      }
+    }
+  }
+
+  dynamic "metric" {
+    iterator = entry
+    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_service_plan.metrics
+    content {
+      category = entry.value
+      enabled  = true
+      retention_policy {
+        enabled = true
+        days    = 30
+      }
+    }
+  }
 }
 
 resource "azapi_resource" "function" {
@@ -87,6 +122,10 @@ resource "azapi_resource" "function" {
           {
             name  = "AzureWebJobsStorage__accountName"
             value = azurerm_storage_account.storage.name
+          },
+          {
+            name  = "MY_SECRET_CONFIG"
+            value = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.key_vault_secret_sample.id})"
           }
         ]
         azureStorageAccounts                   = {}

diff --git a/code/infra/keyvault.tf b/code/infra/keyvault.tf
@@ -22,6 +22,19 @@ resource "azurerm_key_vault" "key_vault" {
   tenant_id                     = data.azurerm_client_config.current.tenant_id
 }
 
+resource "azurerm_key_vault_secret" "key_vault_secret_sample" {
+  name         = "MySampleSecret"
+  key_vault_id = azurerm_key_vault.key_vault.id
+
+  content_type = "text/plain"
+  value        = var.my_secret
+
+  depends_on = [
+    azurerm_role_assignment.current_role_assignment_key_vault,
+    azurerm_private_endpoint.key_vault_private_endpoint
+  ]
+}
+
 data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_key_vault" {
   resource_id = azurerm_key_vault.key_vault.id
 }

diff --git a/code/infra/roleassignments.tf b/code/infra/roleassignments.tf
@@ -1,3 +1,9 @@
+resource "azurerm_role_assignment" "current_role_assignment_key_vault" {
+  scope                = azurerm_key_vault.key_vault.id
+  role_definition_name = "Key Vault Administrator"
+  principal_id         = data.azurerm_client_config.current.object_id
+}
+
 resource "azurerm_role_assignment" "function_role_assignment_storage" {
   scope                = azurerm_storage_account.storage.id
   role_definition_name = "Storage Blob Data Owner"

diff --git a/code/infra/variables.tf b/code/infra/variables.tf
@@ -83,6 +83,16 @@ variable "function_health_path" {
   }
 }
 
+variable "my_secret" {
+  description = "Specifies a random secret value used in teh Logic App."
+  type        = string
+  sensitive   = true
+  validation {
+    condition     = length(var.my_secret) >= 2
+    error_message = "Please specify a valid resource ID."
+  }
+}
+
 variable "private_dns_zone_id_blob" {
   description = "Specifies the resource ID of the private DNS zone for Azure Storage blob endpoints. Not required if DNS A-records get created via Azue Policy."
   type        = string

diff --git a/code/infra/vars.dev.tfvars b/code/infra/vars.dev.tfvars
@@ -4,6 +4,7 @@ prefix                                = "myfunc"
 tags                                  = {}
 function_python_version               = "3.10"
 function_health_path                  = "/v1/health/heartbeat"
+my_secret                             = ""
 vnet_id                               = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-function-vnet001"
 nsg_id                                = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-function-nsg001"
 route_table_id                        = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-function-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-function-rt001"