From 71b91f934643bd4025843e1daa31958bf662d44a Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:20:40 +0100
Subject: [PATCH 01/35] fire
---
 .dockerignore | 3 ++
 .github/workflow/deploy.yml | 32 ++++++++++++++++
 Dockerfile | 15 ++++++++
 gunicorn.conf.py | 14 +++++++
 main.bicep | 65 +++++++++++++++++++++++++++++++++
 modules/appServicePlan.bicep | 17 +++++++++
 modules/containerRegistry.bicep | 17 +++++++++
 modules/main.parameters.json | 28 ++++++++++++++
 modules/webApp.bicep | 22 +++++++++++
 9 files changed, 213 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .github/workflow/deploy.yml
 create mode 100644 Dockerfile
 create mode 100644 gunicorn.conf.py
 create mode 100644 main.bicep
 create mode 100644 modules/appServicePlan.bicep
 create mode 100644 modules/containerRegistry.bicep
 create mode 100644 modules/main.parameters.json
 create mode 100644 modules/webApp.bicep
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..ea7f2ce5e
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+.git*
+**/*.pyc
+.venv/
\ No newline at end of file
diff --git a/.github/workflow/deploy.yml b/.github/workflow/deploy.yml
new file mode 100644
index 000000000..6a0e4cc14
--- /dev/null
+++ b/.github/workflow/deploy.yml
@@ -0,0 +1,32 @@
+name: Deploy Azure Resources
+
+on:
+ push:
+ branches:
+ - main # Trigger on push to the main branch
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+
+ steps:
+ # Step 1: Checkout the repository
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ # Step 2: Set up Azure CLI
+ - name: Log in to Azure
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ # Step 3: Deploy Bicep template
+ - name: Deploy Bicep file
+ run: |
+ az deployment group create \
+ --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV \
+ --template-file main.bicep \
+ --parameters dmoneyContainerRegistryName=dmoneycontainerregistry \
+ dmoneyAppServicePlanName=dmoneyAppServicePlan \
+ dmoneyWebAppName=dmoneyWebApp \
+ location=westeurope
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..f9940586c
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.11
+
+WORKDIR /code
+
+COPY requirements.txt .
+
+RUN pip3 install -r requirements.txt
+
+COPY . .
+
+EXPOSE 50505
+
+ENTRYPOINT ["gunicorn", "app:app"]
diff --git a/gunicorn.conf.py b/gunicorn.conf.py
new file mode 100644
index 000000000..fea6a15e4
--- /dev/null
+++ b/gunicorn.conf.py
@@ -0,0 +1,14 @@
+# Gunicorn configuration file
+import multiprocessing
+
+max_requests = 1000
+max_requests_jitter = 50
+
+log_file = "-"
+
+bind = "0.0.0.0:50505"
+
+workers = (multiprocessing.cpu_count() * 2) + 1
+threads = workers
+
+timeout = 120
\ No newline at end of file
diff --git a/main.bicep b/main.bicep
new file mode 100644
index 000000000..2eb001fcc
--- /dev/null
+++ b/main.bicep
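Review bot: The Azure login in step 2 relies on a long-lived service-principal secret stored in `AZURE_CREDENTIALS`; `azure/login` also supports OIDC federated credentials (`client-id`, `tenant-id`, `subscription-id` with `permissions: id-token: write` on the job), which leaves no reusable secret in the repository. The `az deployment group create` call has no `--name`, so every run reuses the template-derived deployment name and replaces the previous deployment record, which makes auditing and rolling back infrastructure changes harder. Neither blocks a first commit, but both deserve a comment next to the login step, e.g. `# TODO: switch to OIDC federated login so no client secret is stored in GitHub`.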
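Review bot: The image runs gunicorn as root: there is no `USER` instruction anywhere after `COPY . .`, so the application process and anything it spawns have uid 0 inside the container. Adding an unprivileged user before the entrypoint is a two-line change placed after the `COPY . .` line, `RUN useradd --system --no-create-home app` and `USER app`. `pip3 install -r requirements.txt` also leaves the pip cache in the layer; `pip3 install --no-cache-dir -r requirements.txt` keeps the image smaller without changing behaviour.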
@@ -0,0 +1,65 @@
+// Parameters
+param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Container Registry Name
+param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name
+param location string = 'westeurope' // Desired Azure Region
+param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name
+
+// Azure Container Registry Module
+module containerRegistry 'modules/containerRegistry.bicep' = {
+ name: 'deployContainerRegistry'
+ params: {
+ dmoneyContainerRegistryName: dmoneyContainerRegistryName
+ location: location
+ }
+}
+
+// Azure App Service Plan Module
+module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = {
+ name: 'deployAppServicePlan'
+ params: {
+ dmoneyAppServicePlanName: dmoneyAppServicePlanName
+ location: location
+ sku: {
+ capacity: 1
+ family: 'B'
+ name: 'B1'
+ size: 'B1'
+ tier: 'Basic'
+ }
+ kind: 'Linux'
+ reserved: true
+ }
+}
+
+// Pass appSettings as an array
+module webApp 'modules/webApp.bicep' = {
+ name: 'deployWebApp'
+ params: {
+ name: dmoneyWebAppName
+ location: location
+ kind: 'app'
+ serverFarmResourceId: dmoneyAppServicePlan.outputs.id
+ siteConfig: {
+ linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest'
+ appCommandLine: ''
+ }
+ appSettingsArray: [
+ {
+ name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE'
+ value: 'false'
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_URL'
+ value: containerRegistry.outputs.loginServer
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_USERNAME'
+ value: containerRegistry.outputs.username
+ }
+ {
+ name: 'DOCKER_REGISTRY_SERVER_PASSWORD'
+ value: containerRegistry.outputs.password
+ }
+ ]
+ }
+}
diff --git a/modules/appServicePlan.bicep b/modules/appServicePlan.bicep
new file mode 100644
index 000000000..43aac3db2
--- /dev/null
+++ b/modules/appServicePlan.bicep
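Review bot: The web app is wired to the registry with the ACR admin password: `containerRegistry.outputs.password` flows through a plain module output into `DOCKER_REGISTRY_SERVER_PASSWORD`, so the credential is readable in the deployment outputs and in the site's app settings by anyone with read access on the resource group. Since `modules/webApp.bicep` already gives the site a system-assigned identity, the pull can use that identity instead: set `acrUseManagedIdentityCreds: true` inside `siteConfig`, assign the identity the `AcrPull` role on the registry, and drop the username/password app settings. Until that lands, the `// Pass appSettings as an array` comment should say that the array carries the registry admin credential and why that is accepted here.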
@@ -0,0 +1,17 @@
+param dmoneyAppServicePlanName string
+param location string
+param sku object
+param kind string
+param reserved bool
+
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+ name: dmoneyAppServicePlanName
+ location: location
+ sku: sku
+ kind: kind
+ properties: {
+ reserved: reserved
+ }
+}
+
+output id string = appServicePlan.id
diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep
new file mode 100644
index 000000000..24fb59d9e
--- /dev/null
+++ b/modules/containerRegistry.bicep
@@ -0,0 +1,17 @@
+param dmoneyContainerRegistryName string
+param location string
+
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' = {
+ name: dmoneyContainerRegistryName
+ location: location
+ sku: {
+ name: 'Basic'
+ }
+ properties: {
+ adminUserEnabled: true
+ }
+}
+
+output loginServer string = containerRegistry.properties.loginServer
+output username string = listCredentials(containerRegistry.id, '2021-12-01-preview').username
+output password string = listCredentials(containerRegistry.id, '2021-12-01-preview').passwords[0].value
diff --git a/modules/main.parameters.json b/modules/main.parameters.json
new file mode 100644
index 000000000..f22a8841d
--- /dev/null
+++ b/modules/main.parameters.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2020-10-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "enviromentType": {
+ "value": "dev"
+ },
+ "dmoneycontainerRegistryName": {
+ "value": "dmoneycontainerregistry"
+ },
+ "containerRegistryImageName": {
+ "value": "dmoneyimage"
+ },
+ "containerRegistryImageVersion": {
+ "value": "v1"
+ },
+ "appServicePlanName": {
+ "value": "dmoneyAppServicePlan"
+ },
+ "webAppName": {
+ "value": "dmoneyWebApp"
+ },
+ "location": {
+ "value": "westeurope"
+ }
+ }
+ }
+
\ No newline at end of file
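Review bot: `output username` and `output password` expose the registry's admin credentials as ordinary string outputs; deployment outputs are stored with the deployment record and are readable by anyone who can view the resource group's deployment history, and the Bicep linter flags exactly this (`outputs-should-not-contain-secrets`). The admin user is enabled solely to produce those outputs; if an admin credential is really required, keep the password out of outputs (write it into Key Vault from this module, or let the consumer call `listCredentials` itself) and add `// NOTE: admin user enabled only so the web app can pull; replace with AcrPull on a managed identity` above `adminUserEnabled: true`. `2021-12-01-preview` is a preview API version for a module meant for repeated deployment; a GA version is the safer choice.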
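Review bot: The parameter names in this file do not match what `main.bicep` declares in the same commit: `enviromentType`, `containerRegistryImageName`, `containerRegistryImageVersion`, `appServicePlanName` and `webAppName` are not declared there (the template has `dmoneyAppServicePlanName` and `dmoneyWebAppName`), and ARM rejects a deployment whose parameters file supplies parameters the template does not declare. The workflow never references this file either; it passes `--parameters key=value` inline, so as committed the file is dead configuration. Either align the keys with `main.bicep` and point the workflow at it with `--parameters main.parameters.json`, or remove it; `enviromentType` is also misspelled.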
diff --git a/modules/webApp.bicep b/modules/webApp.bicep
new file mode 100644
index 000000000..ff6b06395
--- /dev/null
+++ b/modules/webApp.bicep
@@ -0,0 +1,22 @@
+param name string
+param location string
+param kind string
+param serverFarmResourceId string
+param siteConfig object
+param appSettingsArray array // Accept the array
+
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+ name: name
+ location: location
+ kind: kind
+ properties: {
+ serverFarmId: serverFarmResourceId
+ siteConfig: siteConfig
+ appSettings: appSettingsArray // Use the array directly
+ }
+ identity: {
+ type: 'SystemAssigned'
+ }
+}
+
+output id string = webApp.id
From 75e611564362665b467298c03d07f7c42bd86643 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:24:40 +0100
Subject: [PATCH 02/35] fire
---
 .github/workflow/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflow/deploy.yml b/.github/workflow/deploy.yml
index 6a0e4cc14..852cc7bef 100644
--- a/.github/workflow/deploy.yml
+++ b/.github/workflow/deploy.yml
@@ -4,7 +4,7 @@ on:
 push:
 branches:
 - main # Trigger on push to the main branch
-
+#Comment
 jobs:
 deploy:
 runs-on: ubuntu-latest
From 054e2cc3208fef3f5c37cacaa2a3d408c1887533 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:27:01 +0100
Subject: [PATCH 03/35] fire
---
 .github/{workflow => workflows}/deploy.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{workflow => workflows}/deploy.yml (100%)
diff --git a/.github/workflow/deploy.yml b/.github/workflows/deploy.yml
similarity index 100%
rename from .github/workflow/deploy.yml
rename to .github/workflows/deploy.yml
From 29b86598f43c1da814f97d6500594331c42d63f8 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:30:30 +0100
Subject: [PATCH 04/35] fire
---
 .github/workflows/deploy.yml | 1 +
 1 file changed, 1 insertion(+)
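Review bot: `appSettings: appSettingsArray` sits directly under `properties`, but on `Microsoft.Web/sites` app settings live in `properties.siteConfig.appSettings` (or a `config/appsettings` child resource); as far as I can tell `properties.appSettings` is not a recognised property, so the registry settings passed in from `main.bicep` would never reach the site. The smallest fix is to merge the array into the site config, `siteConfig: union(siteConfig, { appSettings: appSettingsArray })`, and to extend the `// Accept the array` comment to say the array carries registry credentials. Because the password arrives inside a plain `array` parameter it is also recorded in the deployment's input parameters; passing the credential as a separate `@secure()` string parameter would keep it out of the deployment record.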
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 852cc7bef..17a415035 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,3 +30,4 @@ jobs:
 dmoneyAppServicePlanName=dmoneyAppServicePlan \
 dmoneyWebAppName=dmoneyWebApp \
 location=westeurope
+ --name main-$(date +%s)
From 0bbc08f2a023458628c88bc9819e019679ad9f4e Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:33:01 +0100
Subject: [PATCH 05/35] fire
---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 17a415035..0c97e11ae 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,4 +30,4 @@ jobs:
 dmoneyAppServicePlanName=dmoneyAppServicePlan \
 dmoneyWebAppName=dmoneyWebApp \
 location=westeurope
- --name main-$(date +%s)
+ --name main-$(date +%s) \
From 46a77b8a19f3322a5dd47ec16c7bdba552ec2a2a Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:35:33 +0100
Subject: [PATCH 06/35] fire
---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0c97e11ae..51156855d 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,4 +30,4 @@ jobs:
 dmoneyAppServicePlanName=dmoneyAppServicePlan \
 dmoneyWebAppName=dmoneyWebApp \
 location=westeurope
- --name main-$(date +%s) \
+ --name main-$(date +%s) \
From 2f050c7819fc38b6fa92cc23cf1966497d9106d0 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:37:59 +0100
Subject: [PATCH 07/35] fire
---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 51156855d..c8ea731d4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,4 +30,4 @@ jobs:
 dmoneyAppServicePlanName=dmoneyAppServicePlan \
 dmoneyWebAppName=dmoneyWebApp \
 location=westeurope
- --name main-$(date +%s) \
+ --name main-$(date +%s)
From 2a85feac6890c2c72a704641ce5d276f62b86f6d Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:41:07 +0100
Subject: [PATCH 08/35] fire
---
 .github/workflows/deploy.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c8ea731d4..8fd4ac730 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -21,7 +21,7 @@ jobs:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
 # Step 3: Deploy Bicep template
- - name: Deploy Bicep file
+ - name: Dmoney Bicep Deployment
 run: |
 az deployment group create \
 --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV \
@@ -31,3 +31,5 @@ jobs:
 dmoneyWebAppName=dmoneyWebApp \
 location=westeurope
 --name main-$(date +%s)
+
+
From 82a9587a5149cdc88d7a20c2a02fbe684c23a947 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Tue, 10 Dec 2024 22:43:31 +0100
Subject: [PATCH 09/35] fire
---
 .github/workflows/deploy.yml | 17 ++++++++--------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8fd4ac730..f40de5ce6 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -4,7 +4,7 @@ on:
 push:
 branches:
 - main # Trigger on push to the main branch
-#Comment
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
@@ -21,15 +21,14 @@ jobs:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
 # Step 3: Deploy Bicep template
- - name: Dmoney Bicep Deployment
+ - name: Deploy Bicep file
 run: |
 az deployment group create \
 --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV \
 --template-file main.bicep \
- --parameters dmoneyContainerRegistryName=dmoneycontainerregistry \
- dmoneyAppServicePlanName=dmoneyAppServicePlan \
- dmoneyWebAppName=dmoneyWebApp \
- location=westeurope
- --name main-$(date +%s)
-
-
+ --parameters \
+ dmoneyContainerRegistryName=dmoneycontainerregistry \
+ dmoneyAppServicePlanName=dmoneyAppServicePlan \
+ dmoneyWebAppName=dmoneyWebApp \
+ location=westeurope \
+ --name main-$(date +%s)
From a06912b5de2c70f1d0fb7f2d59f9785fe1a85018 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 00:16:51 +0100
Subject: [PATCH 10/35] Firee
---
 .github/workflows/deploy.yml | 60 ++++++++++++++----
 ...in.parameters.json => main.parameters.json | 0
 2 files changed, 44 insertions(+), 16 deletions(-)
 rename modules/main.parameters.json => main.parameters.json (100%)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f40de5ce6..c0a627ac1 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,34 +1,62 @@
-name: Deploy Azure Resources
+name: Build and Deploy Container App to Azure
 
 on:
 push:
 branches:
- - main # Trigger on push to the main branch
+ - main # Trigger on pushes to the main branch
+
+env:
+ REGISTRY_LOGIN_SERVER: dmoneycontainerregistry.azurecr.io # Replace with your Azure Container Registry login server
+ IMAGE_BASE_NAME: dmoneyimage # Replace with your container image name
 
 jobs:
- deploy:
+ build-and-publish:
 runs-on: ubuntu-latest
 
 steps:
- # Step 1: Checkout the repository
+ # Step 1: Checkout code
 - name: Checkout code
 uses: actions/checkout@v3
 
- # Step 2: Set up Azure CLI
+ # Step 2: Log in to Azure
 - name: Log in to Azure
 uses: azure/login@v1
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 3: Deploy Bicep template
- - name: Deploy Bicep file
+ # Step 3: Log in to Azure Container Registry (ACR)
+ - name: Log in to Azure Container Registry
+ uses: azure/docker-login@v1
+ with:
+ login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+ username: ${{ secrets.ACR_USERNAME }}
+ password: ${{ secrets.ACR_PASSWORD }}
+
+ # Step 4: Set image version
+ - name: Set image version
+ id: image-version
+ run: echo "::set-output name=version::$(date +'%Y%m%d%H%M%S')"
+
+ # Step 5: Build and push the Docker image
+ - name: Build and push image
 run: |
- az deployment group create \
- --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV \
- --template-file main.bicep \
- --parameters \
- dmoneyContainerRegistryName=dmoneycontainerregistry \
- dmoneyAppServicePlanName=dmoneyAppServicePlan \
- dmoneyWebAppName=dmoneyWebApp \
- location=westeurope \
- --name main-$(date +%s)
+ docker build . 
-t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build-and-publish # This job runs after the build-and-publish job
+
+ steps:
+ # Step 1: Log in to Azure
+ - name: Log in to Azure
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ # Step 2: Deploy Docker image to Azure Web App
+ - name: Deploy to Azure Web App
+ uses: azure/webapps-deploy@v3
+ with:
+ app-name: dmoneyWebApp # Replace with your Azure Web App name
+ images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
diff --git a/modules/main.parameters.json b/main.parameters.json
similarity index 100%
rename from modules/main.parameters.json
rename to main.parameters.json
From 9d659ff6d41960026ecc2570bdbed64860851c63 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 00:25:37 +0100
Subject: [PATCH 11/35] question3
---
 .github/workflows/deploy.yml | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c0a627ac1..17e923774 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,7 +6,7 @@ on:
 - main # Trigger on pushes to the main branch
 
 env:
- REGISTRY_LOGIN_SERVER: dmoneycontainerregistry.azurecr.io # Replace with your Azure Container Registry login server
+ REGISTRY_LOGIN_SERVER: dmoneycontainerregistry.azurecr.io # Replace with your ACR login server
 IMAGE_BASE_NAME: dmoneyimage # Replace with your container image name
 
 jobs:
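Review bot: The `deploy` job reads `${{ steps.image-version.outputs.version }}` in its `images:` line, but step outputs do not cross jobs: that step exists only in `build-and-publish`, so the expression evaluates to an empty string and the deploy step targets `…/dmoneyimage:` with no tag. Expose it as a job output instead: in `build-and-publish` add `outputs:` with `image: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}`, and in `deploy` use `images: ${{ needs.build-and-publish.outputs.image }}`. `::set-output` is deprecated; `echo "version=$(date +'%Y%m%d%H%M%S')" >> "$GITHUB_OUTPUT"` is the supported form. The hunk also removes the Bicep deployment step entirely, so after this commit nothing in the pipeline creates the registry, plan or web app the deploy step assumes exist.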
@@ -24,20 +24,29 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 3: Log in to Azure Container Registry (ACR)
+ # Step 3: Fetch ACR credentials dynamically
+ - name: Fetch ACR credentials
+ id: acr-credentials
+ run: |
+ ACR_USERNAME=$(az acr credential show --name dmoneycontainerregistry --query "username" -o tsv)
+ ACR_PASSWORD=$(az acr credential show --name dmoneycontainerregistry --query "passwords[0].value" -o tsv)
+ echo "ACR_USERNAME=$ACR_USERNAME" >> $GITHUB_ENV
+ echo "ACR_PASSWORD=$ACR_PASSWORD" >> $GITHUB_ENV
+
+ # Step 4: Log in to Azure Container Registry (ACR)
 - name: Log in to Azure Container Registry
 uses: azure/docker-login@v1
 with:
 login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
- username: ${{ secrets.ACR_USERNAME }}
- password: ${{ secrets.ACR_PASSWORD }}
+ username: ${{ env.ACR_USERNAME }}
+ password: ${{ env.ACR_PASSWORD }}
 
- # Step 4: Set image version
+ # Step 5: Set image version
 - name: Set image version
 id: image-version
 run: echo "::set-output name=version::$(date +'%Y%m%d%H%M%S')"
 
- # Step 5: Build and push the Docker image
+ # Step 6: Build and push the Docker image
 - name: Build and push image
 run: |
 docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
From 75ac79e5c71f6cfb9a2e015c025b0b15025a8ef9 Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 00:31:58 +0100
Subject: [PATCH 12/35] question3
---
 .github/workflows/deploy.yml | 57 ++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 17e923774..1dbd22def 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
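Review bot: The registry admin password returned by `az acr credential show` is appended to `$GITHUB_ENV` without being registered as a secret, so it is not redacted if any later step prints the environment, and it is exposed to every subsequent step of the job rather than only the login step. Add `echo "::add-mask::$ACR_PASSWORD"` before the `>> $GITHUB_ENV` line, or avoid the admin credential altogether with `az acr login --name dmoneycontainerregistry`, which authenticates docker through the identity `azure/login` already established (that identity needs `AcrPush` on the registry). The same unmasked handling of the admin password recurs in patches 12 and 15 of this series (`::set-output name=password::…` and `REGISTRY_PASSWORD=… >> $GITHUB_ENV`).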
@@ -6,11 +6,13 @@ on:
 - main # Trigger on pushes to the main branch
 
 env:
- REGISTRY_LOGIN_SERVER: dmoneycontainerregistry.azurecr.io # Replace with your ACR login server
- IMAGE_BASE_NAME: dmoneyimage # Replace with your container image name
+ REGISTRY_NAME: dmoneycontainerregistry # Replace with your ACR name
+ REGISTRY_LOCATION: westeurope # Replace with your desired location
+ REGISTRY_SKU: Basic # Replace with your desired SKU
+ IMAGE_BASE_NAME: dmoneyimage # Replace with your container image name
 
 jobs:
- build-and-publish:
+ build-and-deploy:
 runs-on: ubuntu-latest
 
 steps:
@@ -24,48 +26,45 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 3: Fetch ACR credentials dynamically
+ # Step 3: Ensure ACR exists
+ - name: Ensure ACR exists
+ run: |
+ if ! az acr show --name ${{ env.REGISTRY_NAME }} &>/dev/null; then
+ az acr create --name ${{ env.REGISTRY_NAME }} --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV --sku ${{ env.REGISTRY_SKU }} --location ${{ env.REGISTRY_LOCATION }} --admin-enabled true
+ else
+ echo "ACR ${{ env.REGISTRY_NAME }} already exists."
+ fi
+
+ # Step 4: Fetch ACR credentials dynamically
 - name: Fetch ACR credentials
 id: acr-credentials
 run: |
- ACR_USERNAME=$(az acr credential show --name dmoneycontainerregistry --query "username" -o tsv)
- ACR_PASSWORD=$(az acr credential show --name dmoneycontainerregistry --query "passwords[0].value" -o tsv)
- echo "ACR_USERNAME=$ACR_USERNAME" >> $GITHUB_ENV
- echo "ACR_PASSWORD=$ACR_PASSWORD" >> $GITHUB_ENV
+ echo "Fetching ACR credentials..."
+ echo "::set-output name=username::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)"
+ echo "::set-output name=password::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)"
 
- # Step 4: Log in to Azure Container Registry (ACR)
+ # Step 5: Log in to Azure Container Registry
 - name: Log in to Azure Container Registry
 uses: azure/docker-login@v1
 with:
- login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
- username: ${{ env.ACR_USERNAME }}
- password: ${{ env.ACR_PASSWORD }}
+ login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
+ username: ${{ steps.acr-credentials.outputs.username }}
+ password: ${{ steps.acr-credentials.outputs.password }}
 
- # Step 5: Set image version
+ # Step 6: Set image version
 - name: Set image version
 id: image-version
 run: echo "::set-output name=version::$(date +'%Y%m%d%H%M%S')"
 
- # Step 6: Build and push the Docker image
+ # Step 7: Build and push the Docker image
 - name: Build and push image
 run: |
- docker build . 
-t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
- docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
-
- deploy:
- runs-on: ubuntu-latest
- needs: build-and-publish # This job runs after the build-and-publish job
-
- steps:
- # Step 1: Log in to Azure
- - name: Log in to Azure
- uses: azure/login@v1
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
 
- # Step 2: Deploy Docker image to Azure Web App
+ # Step 8: Deploy Docker image to Azure Web App
 - name: Deploy to Azure Web App
 uses: azure/webapps-deploy@v3
 with:
 app-name: dmoneyWebApp # Replace with your Azure Web App name
- images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ images: ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
From 47c64208983c82f03085241aadb444b5c7ce08bf Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 00:35:35 +0100
Subject: [PATCH 13/35] question3
---
 .github/workflows/deploy.yml | 38 ++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1dbd22def..cda282dea 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,22 +1,24 @@
-name: Build and Deploy Container App to Azure
+name: Build, Deploy Resources, and Deploy App
 
 on:
 push:
 branches:
- - main # Trigger on pushes to the main branch
+ - main # Trigger on push to the main branch
 
 env:
- REGISTRY_NAME: dmoneycontainerregistry # Replace with your ACR name
- REGISTRY_LOCATION: westeurope # Replace with your desired location
- REGISTRY_SKU: Basic # Replace with your desired SKU
- IMAGE_BASE_NAME: dmoneyimage # Replace with your container image name
+ REGISTRY_NAME: dmoneycontainerregistry
+ REGISTRY_LOCATION: westeurope
+ REGISTRY_SKU: Basic
+ IMAGE_BASE_NAME: dmoneyimage
+ WEB_APP_NAME: dmoneyWebApp
+ RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-A-DEV
 
 jobs:
- build-and-deploy:
+ build-deploy:
 runs-on: ubuntu-latest
 
 steps:
- # Step 1: Checkout code
+ # Step 1: Checkout the repository
 - name: Checkout code
 uses: actions/checkout@v3
 
@@ -26,14 +28,16 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 3: Ensure ACR exists
- - name: Ensure ACR exists
+ # Step 3: Create or ensure resources exist
+ - name: Deploy infrastructure using Bicep
 run: |
- if ! az acr show --name ${{ env.REGISTRY_NAME }} &>/dev/null; then
- az acr create --name ${{ env.REGISTRY_NAME }} --resource-group BCSAI2024-DEVOPS-STUDENTS-A-DEV --sku ${{ env.REGISTRY_SKU }} --location ${{ env.REGISTRY_LOCATION }} --admin-enabled true
- else
- echo "ACR ${{ env.REGISTRY_NAME }} already exists."
- fi
+ az deployment group create \
+ --resource-group ${{ env.RESOURCE_GROUP }} \
+ --template-file main.bicep \
+ --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \
+ dmoneyAppServicePlanName=dmoneyAppServicePlan \
+ dmoneyWebAppName=${{ env.WEB_APP_NAME }} \
+ location=${{ env.REGISTRY_LOCATION }}
 
 # Step 4: Fetch ACR credentials dynamically
 - name: Fetch ACR credentials
@@ -56,7 +60,7 @@ jobs:
 id: image-version
 run: echo "::set-output name=version::$(date +'%Y%m%d%H%M%S')"
 
- # Step 7: Build and push the Docker image
+ # Step 7: Build and push Docker image
 - name: Build and push image
 run: |
 docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
@@ -66,5 +70,5 @@ jobs:
 - name: Deploy to Azure Web App
 uses: azure/webapps-deploy@v3
 with:
- app-name: dmoneyWebApp # Replace with your Azure Web App name
+ app-name: ${{ env.WEB_APP_NAME }}
 images: ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
From 313af769ac0014087a2d1dffcab8d4ea11d8cffc Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 00:43:10 +0100
Subject: [PATCH 14/35] question3
---
 .github/workflows/deploy.yml | 43 ++++++++++++++++++++------------
 1 file changed, 29 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cda282dea..11e7ef76f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,4 +1,4 @@
-name: Build, Deploy Resources, and Deploy App
+name: Build and Deploy Container App to Azure
 
 on:
 push:
@@ -6,17 +6,15 @@ on:
 - main # Trigger on push to the main branch
 
 env:
+ RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-A-DEV
 REGISTRY_NAME: dmoneycontainerregistry
- REGISTRY_LOCATION: westeurope
- REGISTRY_SKU: Basic
 IMAGE_BASE_NAME: dmoneyimage
 WEB_APP_NAME: dmoneyWebApp
- RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-A-DEV
+ LOCATION: westeurope
 
 jobs:
- build-deploy:
+ build:
 runs-on: ubuntu-latest
-
 steps:
 # Step 1: Checkout the repository
 - name: Checkout code
@@ -28,7 +26,7 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 3: Create or ensure resources exist
+ # Step 3: Deploy infrastructure using Bicep
 - name: Deploy infrastructure using Bicep
 run: |
 az deployment group create \
@@ -37,13 +35,14 @@ jobs:
 --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \
 dmoneyAppServicePlanName=dmoneyAppServicePlan \
 dmoneyWebAppName=${{ env.WEB_APP_NAME }} \
- location=${{ env.REGISTRY_LOCATION }}
+ location=${{ env.LOCATION }}
 
 # Step 4: Fetch ACR credentials dynamically
 - name: Fetch ACR credentials
 id: acr-credentials
 run: |
 echo "Fetching ACR credentials..."
+ echo "::set-output name=login-server::$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)"
 echo "::set-output name=username::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)"
 echo "::set-output name=password::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)"
 
@@ -51,24 +50,40 @@ jobs:
 - name: Log in to Azure Container Registry
 uses: azure/docker-login@v1
 with:
- login-server: ${{ env.REGISTRY_NAME }}.azurecr.io
+ login-server: ${{ steps.acr-credentials.outputs.login-server }}
 username: ${{ steps.acr-credentials.outputs.username }}
 password: ${{ steps.acr-credentials.outputs.password }}
 
 # Step 6: Set image version
 - name: Set image version
 id: image-version
- run: echo "::set-output name=version::$(date +'%Y%m%d%H%M%S')"
+ run: echo "::set-output name=version::$(echo ${GITHUB_REF#refs/heads/})-$(date +'%Y.%m.%d.%H.%M')"
 
 # Step 7: Build and push Docker image
 - name: Build and push image
 run: |
- docker build . -t ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
- docker push ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ docker build . -t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ docker build . 
-t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest
+ docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest
+
+ outputs:
+ image: ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: build # This ensures the deploy job runs after build
+
+ steps:
+ # Step 1: Log in to Azure
+ - name: Log in to Azure
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
 
- # Step 8: Deploy Docker image to Azure Web App
+ # Step 2: Deploy Docker image to Azure Web App
 - name: Deploy to Azure Web App
 uses: azure/webapps-deploy@v3
 with:
 app-name: ${{ env.WEB_APP_NAME }}
- images: ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ images: ${{ needs.build.outputs.image }}
From d9178f6ada294cd2341b8e3c36240360b2a55dde Mon Sep 17 00:00:00 2001
From: Daniel Mora
Date: Wed, 11 Dec 2024 01:22:38 +0100
Subject: [PATCH 15/35] question3
---
 .github/workflows/deploy.yml | 58 +++++++++++++++++++--------------
 main.bicep | 30 ++++++++++++++---
 modules/containerRegistry.bicep | 44 ++++++++++++++++++-------
 modules/key-vault.bicep | 23 +++++++++++++
 modules/webApp.bicep | 20 ++++--------
 5 files changed, 121 insertions(+), 54 deletions(-)
 create mode 100644 modules/key-vault.bicep
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 11e7ef76f..d90839be9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
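Review bot: `docker build .` is executed twice in the build step to produce two tags of the same context; the second build repeats all the work and could even yield a different image if the context changed in between. Tag the first result instead, `docker tag ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }} ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest`, and keep the two `docker push` lines. The version tag derives the branch from `${GITHUB_REF#refs/heads/}` while the second tag uses `github.ref_name`; using one form keeps naming consistent, and a branch name containing `/` would make the tag invalid should the trigger ever be widened beyond `main`. The `build` job begins outside the hunk.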
@@ -32,43 +32,53 @@ jobs:
 az deployment group create \
 --resource-group ${{ env.RESOURCE_GROUP }} \
 --template-file main.bicep \
- --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \
- dmoneyAppServicePlanName=dmoneyAppServicePlan \
- dmoneyWebAppName=${{ env.WEB_APP_NAME }} \
- location=${{ env.LOCATION }}
+ --parameters \
+ dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \
+ dmoneyAppServicePlanName=dmoneyAppServicePlan \
+ dmoneyWebAppName=${{ env.WEB_APP_NAME }} \
+ location=${{ env.LOCATION }} \
+ --mode Complete
 
- # Step 4: Fetch ACR credentials dynamically
- - name: Fetch ACR credentials
- id: acr-credentials
+ # Step 4: Fetch ACR credentials dynamically from Azure
+ - name: Fetch ACR credentials from Azure
 run: |
- echo "Fetching ACR credentials..."
- echo "::set-output name=login-server::$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)"
- echo "::set-output name=username::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)"
- echo "::set-output name=password::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)"
+ echo "REGISTRY_LOGIN_SERVER=$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)" >> $GITHUB_ENV
+ echo "REGISTRY_USERNAME=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)" >> $GITHUB_ENV
+ echo "REGISTRY_PASSWORD=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)" >> $GITHUB_ENV
 
- # Step 5: Log in to Azure Container Registry
+ # Step 5: Fetch Key Vault secrets dynamically
+ - name: Fetch Key Vault secrets
+ run: |
+ echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV
+ echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV
+ echo "ACR_SECRET_PASSWORD=$(az 
keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV
+
+ # Step 6: Log in to Azure Container Registry
 - name: Log in to Azure Container Registry
 uses: azure/docker-login@v1
 with:
- login-server: ${{ steps.acr-credentials.outputs.login-server }}
- username: ${{ steps.acr-credentials.outputs.username }}
- password: ${{ steps.acr-credentials.outputs.password }}
+ login-server: ${{ env.REGISTRY_LOGIN_SERVER }}
+ username: ${{ env.REGISTRY_USERNAME }}
+ password: ${{ env.REGISTRY_PASSWORD }}
 
- # Step 6: Set image version
+ # Step 7: Set image version
 - name: Set image version
- id: image-version
- run: echo "::set-output name=version::$(echo ${GITHUB_REF#refs/heads/})-$(date +'%Y.%m.%d.%H.%M')"
+ run: echo "IMAGE_VERSION=$(date +'%Y.%m.%d.%H.%M')" >> $GITHUB_ENV
+
+ # Step 8: Ensure Docker is Installed
+ - name: Ensure Docker is Installed
+ run: docker --version
 
- # Step 7: Build and push Docker image
+ # Step 9: Build and push Docker image
 - name: Build and push image
 run: |
- docker build . -t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
- docker build . -t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest
- docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
- docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest
+ docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }}
+ docker build . 
-t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:latest
+ docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }}
+ docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:latest
 
 outputs:
- image: ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }}
+ image: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }}
 
 deploy:
 runs-on: ubuntu-latest
diff --git a/main.bicep b/main.bicep
index 2eb001fcc..b768d3414 100644
--- a/main.bicep
+++ b/main.bicep
@@ -4,12 +4,31 @@ param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Pl
 param location string = 'westeurope' // Desired Azure Region
 param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name
 
+module keyVault 'modules/key-vault.bicep' = {
+ name: 'deployKeyVault'
+ params: {
+ name: 'dmoneyKeyVault'
+ location: location
+ enableVaultForDeployment: true
+ roleAssignments: [
+ {
+ principalId: '7200f83e-ec45-4915-8c52-fb94147cfe5a'
+ roleDefinitionIdOrName: 'Key Vault Secrets User'
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+}
+
 // Azure Container Registry Module
 module containerRegistry 'modules/containerRegistry.bicep' = {
 name: 'deployContainerRegistry'
 params: {
 dmoneyContainerRegistryName: dmoneyContainerRegistryName
 location: location
+ adminCredentialsKeyVaultResourceId: keyVault.outputs.resourceId
+ adminCredentialsKeyVaultSecretUserName: 'ACR-Username'
+ adminCredentialsKeyVaultSecretUserPassword: 'ACR-Password'
 }
 }
 
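Review bot: `--mode Complete` on the `az deployment group create` call tells ARM to delete every resource in `BCSAI2024-DEVOPS-STUDENTS-A-DEV` that `main.bicep` does not declare; the resource-group name suggests a shared environment, and the same commit turns the registry in `modules/containerRegistry.bicep` into an `existing` reference, so the registry itself is no longer declared and becomes a candidate for removal on the next run. Drop the `--mode Complete` line (and the trailing `\` on the `location=` line) so the deployment stays incremental. In the Key Vault step, `${{ env.KEY_VAULT_NAME }}` is expanded before the step runs, but the variable is only appended to `$GITHUB_ENV` inside that same step, so both `az keyvault secret show` calls receive an empty `--vault-name`; keep it in a shell variable within the step, `KV_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)` and `--vault-name "$KV_NAME"`. `[0].name` also selects whichever vault in the group sorts first rather than the `dmoneyKeyVault` the template creates. The enclosing `build` job continues outside the hunk.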
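Review bot: `principalId: '7200f83e-ec45-4915-8c52-fb94147cfe5a'` hard-codes one service principal's object id into the template, so the role assignment silently targets the wrong identity as soon as the deploying principal changes and cannot be overridden per environment; declare it as `param keyVaultSecretsUserPrincipalId string` and pass it from the workflow. The `containerRegistry` module call still passes `dmoneyContainerRegistryName` and `location`, but the rewritten `modules/containerRegistry.bicep` in this same commit no longer declares either parameter, so Bicep should reject the module invocation; either restore those parameters in the module or remove them here. `modules/key-vault.bicep` is created in this commit but its content is outside the page, so whether it accepts `roleAssignments` and `enableVaultForDeployment` cannot be confirmed from here.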
@@ -39,6 +58,9 @@ module webApp 'modules/webApp.bicep' = { location: location kind: 'app' serverFarmResourceId: dmoneyAppServicePlan.outputs.id + dockerRegistryServerUrl: 'https://${dmoneycontainerregistryname}.azurecr.io/' + dockerRegistryServerUserName: keyVault.outputs.getSecret('ACR-Username') + dockerRegistryServerPassword: keyVault.outputs.getSecret('ACR-Password') siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' @@ -50,16 +72,16 @@ module webApp 'modules/webApp.bicep' = { } { name: 'DOCKER_REGISTRY_SERVER_URL' - value: containerRegistry.outputs.loginServer + value: 'https://${dmoneycontainerregistryname}.azurecr.io/' } { name: 'DOCKER_REGISTRY_SERVER_USERNAME' - value: containerRegistry.outputs.username + value: keyVault.outputs.getSecret('ACR-Username') } { name: 'DOCKER_REGISTRY_SERVER_PASSWORD' - value: containerRegistry.outputs.password + value: keyVault.outputs.getSecret('ACR-Password') } ] } -} +} \ No newline at end of file diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index 24fb59d9e..aa4acb854 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep 
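Review bot: `keyVault.outputs.getSecret('ACR-Username')` is not valid Bicep: `getSecret()` is a method of an `existing` Key Vault *resource* reference, its result can only be passed into a module parameter marked `@secure()`, and module outputs expose no such method; the webApp module hunk in this same patch also shows no `dockerRegistryServerUserName`/`dockerRegistryServerPassword` parameters to receive the value. If the secret must reach the module, declare `resource kv 'Microsoft.KeyVault/vaults@2021-10-01' existing = { name: 'dmoneyKeyVault' }` and pass `kv.getSecret('ACR-Username')` into a `@secure()` param. The `dockerRegistryServerUrl` value shows a `/service/` prefix ahead of `https://`, which looks like a rendering artifact; confirm the real value is `https://${dmoneyContainerRegistryName}.azurecr.io/`.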
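Review bot: The ACR admin password still ends up in `DOCKER_REGISTRY_SERVER_PASSWORD` as an ordinary app setting; whatever the source of the value, app settings are readable by anyone who can list the site's config and are shown in the portal, so this is no safer than the `containerRegistry.outputs.password` it replaces. The durable fix is to stop using the admin account for the pull: give the site a managed identity, grant it AcrPull on the registry, and set `acrUseManagedIdentityCreds: true` under `siteConfig`, dropping the three `DOCKER_REGISTRY_SERVER_*` settings. If the admin credential has to stay, the only form App Service dereferences is `@Microsoft.KeyVault(SecretUri=<vaultUri>secrets/ACR-Password/)`, which again needs a site identity holding Key Vault Secrets User on the vault — and the webApp module in this patch removes the site's identity.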
@@ -1,17 +1,37 @@ -param dmoneyContainerRegistryName string -param location string +param adminCredentialsKeyVaultResourceId string +@secure() +param adminCredentialsKeyVaultSecretUserName string +@secure() +param adminCredentialsKeyVaultSecretUserPassword string -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' = { - name: dmoneyContainerRegistryName - location: location - sku: { - name: 'Basic' - } +resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { + name: last(split(adminCredentialsKeyVaultResourceId, '/')) +} + +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-01-01' existing = { + name: '' // Replace or pass dynamically if needed +} + +resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { + name: adminCredentialsKeyVaultSecretUserName + parent: keyVault properties: { - adminUserEnabled: true + value: containerRegistry.listCredentials().username } + dependsOn: [ + keyVault + containerRegistry + ] } -output loginServer string = containerRegistry.properties.loginServer -output username string = listCredentials(containerRegistry.id, '2021-12-01-preview').username -output password string = listCredentials(containerRegistry.id, '2021-12-01-preview').passwords[0].value +resource secretPassword 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { + name: adminCredentialsKeyVaultSecretUserPassword + parent: keyVault + properties: { + value: containerRegistry.listCredentials().passwords[0].value + } + dependsOn: [ + keyVault + containerRegistry + ] +} diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep new file mode 100644 index 000000000..fff8ea253 --- /dev/null +++ b/modules/key-vault.bicep 
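Review bot: `resource containerRegistry ... existing = { name: '' }` has an empty name, so `containerRegistry.listCredentials()` cannot resolve anything; the module also no longer creates the registry or sets `adminUserEnabled: true`, and `listCredentials` only succeeds on a registry whose admin user is already enabled, so that precondition now has to be met out of band and should be documented in the module header. Pass the name in — `param containerRegistryName string` and `name: containerRegistryName` — the caller in main.bicep still passes `dmoneyContainerRegistryName`, which this hunk deletes from the parameter list. The `@secure()` decorators sit on `adminCredentialsKeyVaultSecretUserName`/`...Password`, which carry the secret *names* (`'ACR-Username'`, `'ACR-Password'`); the values produced by `listCredentials()` are what is sensitive and are already protected by being written as `Microsoft.KeyVault/vaults/secrets`, so the decorators only hide non-secret names from deployment history. `dependsOn` on two `existing` resources is a no-op that the Bicep linter flags.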
@@ -0,0 +1,23 @@ +param name string +param location string +param enableVaultForDeployment bool +param roleAssignments array + +resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { + name: name + location: location + properties: { + enableSoftDelete: true + enabledForDeployment: enableVaultForDeployment + } +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for role in roleAssignments: { + name: guid(keyVault.id, role.principalId, role.roleDefinitionIdOrName) + properties: { + roleDefinitionId: role.roleDefinitionIdOrName + principalId: role.principalId + principalType: role.principalType + scope: keyVault.id + } +}] diff --git a/modules/webApp.bicep b/modules/webApp.bicep index ff6b06395..f5677ff2c 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep @@ -1,22 +1,14 @@ -param name string -param location string -param kind string -param serverFarmResourceId string -param siteConfig object -param appSettingsArray array // Accept the array - resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: name location: location - kind: kind properties: { serverFarmId: serverFarmResourceId siteConfig: siteConfig - appSettings: appSettingsArray // Use the array directly - } - identity: { - type: 'SystemAssigned' + appSettings: [ + for key in union(appSettingsKeyValuePairs, dockerAppSettings): { + name: key + value: union(appSettingsKeyValuePairs, dockerAppSettings)[key] + } + ] } } - -output id string = webApp.id From 371a5907832f74af599511738502b71925fac132 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 01:33:48 +0100 Subject: [PATCH 16/35] question3 --- main.bicep | 11 +++++++---- modules/containerRegistry.bicep | 18 +++++++++++++++--- modules/key-vault.bicep | 7 +++++++ modules/webApp.bicep | 9 +++++++++ 4 files changed, 38 insertions(+), 7 deletions(-) diff --git a/main.bicep b/main.bicep index b768d3414..ea51ea603 100644 --- a/main.bicep +++ b/main.bicep 
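Review bot: `roleDefinitionId: role.roleDefinitionIdOrName` receives the display name `'Key Vault Secrets User'` from main.bicep, but ARM needs a role definition resource ID, so the assignment fails; and `scope: keyVault.id` inside `properties` is not a role-assignment property — scope is set at the resource level. The vault itself omits `enableRbacAuthorization: true`, so even a valid assignment would not govern data-plane access (a vault defaults to access policies), and it lacks the required `tenantId` and `sku`. Rewriting the assignment to take the role GUID (`4633458b-17de-408a-b874-0445c86b69e6` for Key Vault Secrets User, the value a later commit in this series uses) makes the caller explicit about what it grants.

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  // … unchanged: name, location …
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableSoftDelete: true
    enableRbacAuthorization: true
    enabledForDeployment: enableVaultForDeployment
  }
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in roleAssignments: {
  name: guid(keyVault.id, role.principalId, role.roleDefinitionIdOrName)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role.roleDefinitionIdOrName)
    principalId: role.principalId
    principalType: role.principalType
  }
}]
```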
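Review bot: This webApp.bicep hunk deletes `identity: { type: 'SystemAssigned' }`, which was the only identity the site could use for an AcrPull-based image pull or for resolving Key Vault references; removing it locks the deployment into shipping the ACR admin password as an app setting, so keep the identity block. The body also references `appSettingsKeyValuePairs` and `dockerAppSettings` while deleting every `param` line, and `for key in union(...)` iterates an object, which Bicep's `for` does not accept — `items(union(...))` yields `{key, value}` pairs. As far as I can tell `appSettings` is not a top-level `properties` field of Microsoft.Web/sites but lives under `siteConfig.appSettings`; confirm against the resource schema before this is merged.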
@@ -4,7 +4,7 @@ param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Pl param location string = 'westeurope' // Desired Azure Region param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name -module keyVault 'modules/key-vault.bicep' = { +module keyVault 'key-vault.bicep' = { name: 'deployKeyVault' params: { name: 'dmoneyKeyVault' @@ -20,6 +20,7 @@ module keyVault 'modules/key-vault.bicep' = { } } + // Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' @@ -58,9 +59,11 @@ module webApp 'modules/webApp.bicep' = { location: location kind: 'app' serverFarmResourceId: dmoneyAppServicePlan.outputs.id - dockerRegistryServerUrl: 'https://${dmoneycontainerregistryname}.azurecr.io/' - dockerRegistryServerUserName: keyVault.outputs.getSecret('ACR-Username') - dockerRegistryServerPassword: keyVault.outputs.getSecret('ACR-Password') + dockerRegistryServerUrl: keyVault.outputs.vaultUri + '/secrets/ACR-Url' + dockerRegistryServerUserName: keyVault.outputs.vaultUri + '/secrets/ACR-Username' + dockerRegistryServerPassword: keyVault.outputs.vaultUri + '/secrets/ACR-Password' + + siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index aa4acb854..34c704807 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep 
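Review bot: `keyVault.outputs.vaultUri + '/secrets/ACR-Url'` uses `+`, which Bicep does not define for strings; use interpolation, `'${keyVault.outputs.vaultUri}secrets/ACR-Url'` (the vault URI normally already ends with `/`). No hunk in this series creates an `ACR-Url` secret, so that URI would dangle, and the login server is not a secret anyway — `containerRegistry.outputs.loginServer` is already available. A bare secret URI placed in `dockerRegistryServerUserName` is also sent verbatim as the username: App Service only dereferences the `@Microsoft.KeyVault(SecretUri=…)` form, and only for a site with a managed identity granted on the vault, which the webApp module in this series currently lacks.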
@@ -1,22 +1,28 @@ +// Parameters param adminCredentialsKeyVaultResourceId string @secure() param adminCredentialsKeyVaultSecretUserName string @secure() param adminCredentialsKeyVaultSecretUserPassword string +// Existing Key Vault resource resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { name: last(split(adminCredentialsKeyVaultResourceId, '/')) } +// Define the container registry dynamically or pass as a parameter +param containerRegistryName string + resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-01-01' existing = { - name: '' // Replace or pass dynamically if needed + name: containerRegistryName } +// Key Vault secret for container registry username resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { name: adminCredentialsKeyVaultSecretUserName parent: keyVault properties: { - value: containerRegistry.listCredentials().username + value: listCredentials(containerRegistry.id, containerRegistry.apiVersion).username } dependsOn: [ keyVault @@ -24,14 +30,20 @@ resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { ] } +// Key Vault secret for container registry password resource secretPassword 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { name: adminCredentialsKeyVaultSecretUserPassword parent: keyVault properties: { - value: containerRegistry.listCredentials().passwords[0].value + value: listCredentials(containerRegistry.id, containerRegistry.apiVersion).passwords[0].value } dependsOn: [ keyVault containerRegistry ] } + +// Outputs to expose login server and credentials dynamically +output loginServer string = containerRegistry.properties.loginServer +output usernameSecretName string = secretUserName.name +output passwordSecretName string = secretPassword.name diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep index fff8ea253..92e17b89d 100644 --- a/modules/key-vault.bicep +++ b/modules/key-vault.bicep 
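Review bot: The `@secure()` decorators still sit on `adminCredentialsKeyVaultSecretUserName`/`...Password`, which hold the secret *names* (`'ACR-Username'`, `'ACR-Password'`), not values; drop them and keep the real protection where it already is, the `value` written from `listCredentials()` into `Microsoft.KeyVault/vaults/secrets`. The new outputs `usernameSecretName`/`passwordSecretName` are the right shape — they return names, so nothing sensitive reaches deployment history — and should stay that way when the web app is wired up rather than re-exporting `listCredentials()` results. `dependsOn` on two `existing` resources is a no-op that the linter flags; a header comment noting that `containerRegistryName` must refer to a registry with the admin user enabled (otherwise `listCredentials` fails) would save the next reader a deployment error.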
@@ -9,6 +9,10 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { properties: { enableSoftDelete: true enabledForDeployment: enableVaultForDeployment + sku: { + family: 'A' + name: 'standard' + } } } @@ -21,3 +25,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev scope: keyVault.id } }] + +output resourceId string = keyVault.id +output vaultUri string = keyVault.properties.vaultUri diff --git a/modules/webApp.bicep b/modules/webApp.bicep index f5677ff2c..0f6195704 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep @@ -1,3 +1,12 @@ +@secure() +param name string +@secure() +param location string +param serverFarmResourceId string +param siteConfig object +param appSettingsKeyValuePairs object +param dockerAppSettings object + resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: name location: location From 798629e59c3ebfefa4c3aa99b0a1f297d4a2e40a Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 01:36:33 +0100 Subject: [PATCH 17/35] question4. --- main.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.bicep b/main.bicep index ea51ea603..44281d76e 100644 --- a/main.bicep +++ b/main.bicep @@ -4,7 +4,7 @@ param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Pl param location string = 'westeurope' // Desired Azure Region param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name -module keyVault 'key-vault.bicep' = { +module keyVault 'modules/key-vault.bicep' = { name: 'deployKeyVault' params: { name: 'dmoneyKeyVault' @@ -87,4 +87,4 @@ module webApp 'modules/webApp.bicep' = { } ] } -} \ No newline at end of file +} From 0427889e8ab788e26e84ae30c9e972b450c97c7f Mon Sep 17 00:00:00 2001 
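Review bot: `@secure()` on `name` and `location` in webApp.bicep is misapplied: a site name and a region are not secrets, and securing them only hides from the deployment history which resource the template created, which hurts auditability without protecting anything. Reserve `@secure()` for a registry password if one is ever passed as a parameter. The module now takes `appSettingsKeyValuePairs`/`dockerAppSettings` objects while main.bicep at this point still passes `appSettingsArray`, so the parameter contract between the two files should be settled in a single commit.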
From: Daniel Mora Date: Wed, 11 Dec 2024 01:54:08 +0100 Subject: [PATCH 18/35] question4. --- main.bicep | 5 +---- modules/containerRegistry.bicep | 16 ++++------------ modules/key-vault.bicep | 2 +- modules/webApp.bicep | 4 +--- 4 files changed, 7 insertions(+), 20 deletions(-) diff --git a/main.bicep b/main.bicep index 44281d76e..0cf5c9118 100644 --- a/main.bicep +++ b/main.bicep @@ -20,12 +20,11 @@ module keyVault 'modules/key-vault.bicep' = { } } - // Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { - dmoneyContainerRegistryName: dmoneyContainerRegistryName + containerRegistryName: dmoneyContainerRegistryName location: location adminCredentialsKeyVaultResourceId: keyVault.outputs.resourceId adminCredentialsKeyVaultSecretUserName: 'ACR-Username' @@ -62,8 +61,6 @@ module webApp 'modules/webApp.bicep' = { dockerRegistryServerUrl: keyVault.outputs.vaultUri + '/secrets/ACR-Url' dockerRegistryServerUserName: keyVault.outputs.vaultUri + '/secrets/ACR-Username' dockerRegistryServerPassword: keyVault.outputs.vaultUri + '/secrets/ACR-Password' - - siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index 34c704807..72bff0041 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep @@ -22,12 +22,8 @@ resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { name: adminCredentialsKeyVaultSecretUserName parent: keyVault properties: { - value: listCredentials(containerRegistry.id, containerRegistry.apiVersion).username + value: listCredentials(containerRegistry.id, '2022-01-01').username } - dependsOn: [ - keyVault - containerRegistry - ] } // Key Vault secret for container registry password 
@@ -35,15 +31,11 @@ resource secretPassword 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { name: adminCredentialsKeyVaultSecretUserPassword parent: keyVault properties: { - value: listCredentials(containerRegistry.id, containerRegistry.apiVersion).passwords[0].value + value: listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value } - dependsOn: [ - keyVault - containerRegistry - ] } // Outputs to expose login server and credentials dynamically output loginServer string = containerRegistry.properties.loginServer -output usernameSecretName string = secretUserName.name -output passwordSecretName string = secretPassword.name +output username string = listCredentials(containerRegistry.id, '2022-01-01').username +output password string = listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep index 92e17b89d..767a2d132 100644 --- a/modules/key-vault.bicep +++ b/modules/key-vault.bicep @@ -9,6 +9,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { properties: { enableSoftDelete: true enabledForDeployment: enableVaultForDeployment + tenantId: subscription().tenantId sku: { family: 'A' name: 'standard' @@ -22,7 +23,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev roleDefinitionId: role.roleDefinitionIdOrName principalId: role.principalId principalType: role.principalType - scope: keyVault.id } }] diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 0f6195704..1cbc76fb4 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep @@ -1,6 +1,4 @@ -@secure() param name string -@secure() param location string param serverFarmResourceId string param siteConfig object 
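Review bot: `output password string = listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value` puts the ACR admin password into a module output; outputs are stored in plaintext in the deployment history, readable by anyone with Reader on the resource group, and Bicep's `outputs-should-not-contain-secrets` rule flags exactly this. It also reverts the `usernameSecretName`/`passwordSecretName` outputs of the previous commit, which were the right shape. Return only the names, `output passwordSecretName string = secretPassword.name`, and let the consumer fetch the value via a Key Vault reference or `getSecret()`.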
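Review bot: Removing `scope: keyVault.id` from `properties` without adding a resource-level `scope` makes the role assignment land at the deployment's target scope — the whole resource group — so the principal becomes Key Vault Secrets User on every vault in `BCSAI2024-DEVOPS-STUDENTS-A-DEV` rather than on this one. The property was in the wrong place, but the fix is to move it, not drop it: `scope: keyVault` as a sibling of `name` and `properties`. `roleDefinitionId` is still fed the display name the caller passes rather than a role definition ID.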
@@ -14,7 +12,7 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { serverFarmId: serverFarmResourceId siteConfig: siteConfig appSettings: [ - for key in union(appSettingsKeyValuePairs, dockerAppSettings): { + for key in keys(union(appSettingsKeyValuePairs, dockerAppSettings)): { name: key value: union(appSettingsKeyValuePairs, dockerAppSettings)[key] } From 6e746ada62532a4840a10763ef087664c788b94b Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 01:57:32 +0100 Subject: [PATCH 19/35] question4. --- main.bicep | 8 ++++---- modules/webApp.bicep | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/main.bicep b/main.bicep index 0cf5c9118..7fb721921 100644 --- a/main.bicep +++ b/main.bicep @@ -25,13 +25,13 @@ module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { containerRegistryName: dmoneyContainerRegistryName - location: location adminCredentialsKeyVaultResourceId: keyVault.outputs.resourceId adminCredentialsKeyVaultSecretUserName: 'ACR-Username' adminCredentialsKeyVaultSecretUserPassword: 'ACR-Password' } } + // Azure App Service Plan Module module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = { name: 'deployAppServicePlan' @@ -58,9 +58,9 @@ module webApp 'modules/webApp.bicep' = { location: location kind: 'app' serverFarmResourceId: dmoneyAppServicePlan.outputs.id - dockerRegistryServerUrl: keyVault.outputs.vaultUri + '/secrets/ACR-Url' - dockerRegistryServerUserName: keyVault.outputs.vaultUri + '/secrets/ACR-Username' - dockerRegistryServerPassword: keyVault.outputs.vaultUri + '/secrets/ACR-Password' + dockerRegistryServerUrl: '${keyVault.outputs.vaultUri}/secrets/ACR-Url' + dockerRegistryServerUserName: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' + dockerRegistryServerPassword: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' 
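Review bot: `keys(...)` is not a Bicep function, so `for key in keys(union(appSettingsKeyValuePairs, dockerAppSettings))` will not compile; the idiomatic form is `for item in items(union(appSettingsKeyValuePairs, dockerAppSettings)): { name: item.key, value: item.value }`. The resource body this loop sits in starts and ends outside the hunk.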
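Review bot: The interpolation fix leaves the underlying problem in main.bicep: `'${keyVault.outputs.vaultUri}/secrets/ACR-Username'` is a plain string, so the site would send the secret's URL to the registry as the username. App Service resolves secrets only from the `@Microsoft.KeyVault(SecretUri=${keyVault.outputs.vaultUri}secrets/ACR-Username/)` form, and only when the site has a managed identity holding Key Vault Secrets User on the vault — the webApp module no longer declares an identity. `vaultUri` normally ends with `/`, so `/secrets` produces a double slash, and the `ACR-Url` secret named in `dockerRegistryServerUrl` is not created anywhere in this series.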
diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 1cbc76fb4..8165a3ccb 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep @@ -12,7 +12,7 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { serverFarmId: serverFarmResourceId siteConfig: siteConfig appSettings: [ - for key in keys(union(appSettingsKeyValuePairs, dockerAppSettings)): { + for key in union(appSettingsKeyValuePairs, dockerAppSettings).keys(): { name: key value: union(appSettingsKeyValuePairs, dockerAppSettings)[key] } From c7029e6b436c85bfc6d924984600f148a1bd50c5 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 02:02:18 +0100 Subject: [PATCH 20/35] question4. --- main.bicep | 9 +++------ modules/webApp.bicep | 2 +- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/main.bicep b/main.bicep index 7fb721921..5831913a9 100644 --- a/main.bicep +++ b/main.bicep @@ -71,16 +71,13 @@ module webApp 'modules/webApp.bicep' = { value: 'false' } { - name: 'DOCKER_REGISTRY_SERVER_URL' - value: 'https://${dmoneycontainerregistryname}.azurecr.io/' + dockerRegistryServerUrl: '${keyVault.outputs.vaultUri}/secrets/ACR-Url' } { - name: 'DOCKER_REGISTRY_SERVER_USERNAME' - value: keyVault.outputs.getSecret('ACR-Username') + dockerRegistryServerUserName: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' } { - name: 'DOCKER_REGISTRY_SERVER_PASSWORD' - value: keyVault.outputs.getSecret('ACR-Password') + dockerRegistryServerPassword: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' } ] } diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 8165a3ccb..8402304db 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep 
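Review bot: The three rewritten entries in `appSettingsArray` are now objects such as `{ dockerRegistryServerUrl: '…' }` instead of `{ name: 'DOCKER_REGISTRY_SERVER_URL', value: '…' }`; App Service app settings are name/value pairs, so these keys would be ignored and the container pull would run with no registry credentials at all. Keep the `name: 'DOCKER_REGISTRY_SERVER_*'` keys and put the Key Vault reference in `value`. The webApp.bicep hunk in the same commit iterates an object with `for`, which Bicep does not allow; `items()` is the usual workaround.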
@@ -12,7 +12,7 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { serverFarmId: serverFarmResourceId siteConfig: siteConfig appSettings: [ - for key in union(appSettingsKeyValuePairs, dockerAppSettings).keys(): { + for key in union(appSettingsKeyValuePairs, dockerAppSettings): { name: key value: union(appSettingsKeyValuePairs, dockerAppSettings)[key] } From 9ee4dd61c91760c2eb6e17f3b58e7479d39eca77 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 02:04:18 +0100 Subject: [PATCH 21/35] question4. --- main.bicep | 27 ++++++++------------------- modules/webApp.bicep | 2 +- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/main.bicep b/main.bicep index 5831913a9..8f78ea3d0 100644 --- a/main.bicep +++ b/main.bicep 
@@ -56,29 +56,18 @@ module webApp 'modules/webApp.bicep' = { params: { name: dmoneyWebAppName location: location - kind: 'app' serverFarmResourceId: dmoneyAppServicePlan.outputs.id - dockerRegistryServerUrl: '${keyVault.outputs.vaultUri}/secrets/ACR-Url' - dockerRegistryServerUserName: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' - dockerRegistryServerPassword: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' } - appSettingsArray: [ - { - name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' - value: 'false' - } - { - dockerRegistryServerUrl: '${keyVault.outputs.vaultUri}/secrets/ACR-Url' - } - { - dockerRegistryServerUserName: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' - } - { - dockerRegistryServerPassword: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' - } - ] + appSettingsKeyValuePairs: { + WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false' + DOCKER_REGISTRY_SERVER_URL: 'https://${dmoneycontainerregistryname}.azurecr.io/' + } + dockerAppSettings: { + DOCKER_REGISTRY_SERVER_USERNAME: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' + DOCKER_REGISTRY_SERVER_PASSWORD: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' + } } } diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 8402304db..435e37021 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep @@ -18,4 +18,4 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { } ] } -} +} \ No newline at end of file From a1cd1a5b62d9a7a307a906a1384c4b863eefae01 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 02:14:03 +0100 Subject: [PATCH 22/35] question4. --- .github/workflows/deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index d90839be9..09c5c49b2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
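Review bot: `DOCKER_REGISTRY_SERVER_URL` is built from `${dmoneycontainerregistryname}`, which does not match the declared `dmoneyContainerRegistryName` — Bicep identifiers are case-sensitive — so unless this is a rendering artifact the template does not compile, and the `/service/` prefix before `https://` looks equally suspect. The same hunk already uses the authoritative value in `linuxFxVersion`, so `DOCKER_REGISTRY_SERVER_URL: 'https://${containerRegistry.outputs.loginServer}'` sidesteps both. The `dockerAppSettings` values are still raw secret URIs, which App Service does not dereference without the `@Microsoft.KeyVault(...)` wrapper and a site identity.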
@@ -97,3 +97,4 @@ jobs: with: app-name: ${{ env.WEB_APP_NAME }} images: ${{ needs.build.outputs.image }} +#Comment \ No newline at end of file From 45fc93e5210cfe78705abdc5f6e2ce5aec2b29b0 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 02:16:43 +0100 Subject: [PATCH 23/35] question4. --- modules/key-vault.bicep | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep index 767a2d132..0e9bfbad1 100644 --- a/modules/key-vault.bicep +++ b/modules/key-vault.bicep @@ -1,30 +1,35 @@ -param name string -param location string -param enableVaultForDeployment bool -param roleAssignments array +// Parameters +param name string // Name of the Key Vault +param location string // Location of the Key Vault +param enableVaultForDeployment bool = true // Enable Key Vault for deployment +param roleAssignments array // Array of role assignments for Key Vault +// Key Vault Resource resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { name: name location: location properties: { - enableSoftDelete: true - enabledForDeployment: enableVaultForDeployment - tenantId: subscription().tenantId sku: { family: 'A' name: 'standard' } + tenantId: subscription().tenantId + enableSoftDelete: true + enabledForDeployment: enableVaultForDeployment } } +// Role Assignments for Key Vault resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for role in roleAssignments: { name: guid(keyVault.id, role.principalId, role.roleDefinitionIdOrName) properties: { roleDefinitionId: role.roleDefinitionIdOrName principalId: role.principalId principalType: role.principalType + scope: keyVault.id } }] +// Outputs output resourceId string = keyVault.id output vaultUri string = keyVault.properties.vaultUri From 4fb98fd1951e5195b51cfd76d722b8d83908f3d7 Mon Sep 17 00:00:00 2001 
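Review bot: `scope: keyVault.id` is back inside `properties`, where it is not a role-assignment property; the assignment's scope is set at resource level with `scope: keyVault`, and without that the grant applies to the whole resource group. `roleDefinitionId: role.roleDefinitionIdOrName` still takes the display name the caller passes; wrap it as `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role.roleDefinitionIdOrName)` and have the caller pass the role GUID. `enableRbacAuthorization` remains unset on the vault, so this RBAC grant does not control secret access at all until it is added.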
From: Daniel Mora Date: Wed, 11 Dec 2024 03:40:20 +0100 Subject: [PATCH 24/35] question4pt2 --- .github/workflows/deploy.yml | 20 ++++++-- main.bicep | 70 +++++++++++++++---------- modules/containerRegistry.bicep | 31 ++++++------ modules/key-vault.bicep | 90 ++++++++++++++++++++++++++------- modules/webApp.bicep | 19 +++++-- 5 files changed, 159 insertions(+), 71 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 09c5c49b2..88dc0fbdd 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -52,7 +52,12 @@ jobs: echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV + - name: Get Service Principal ID + run: | + SP_ID=$(az ad sp show --id ${{ secrets.CLIENT_ID }} --query "id" -o tsv) + echo "SERVICE_PRINCIPAL_ID=$SP_ID" >> $GITHUB_ENV +#Comment # Step 6: Log in to Azure Container Registry - name: Log in to Azure Container Registry uses: azure/docker-login@v1 
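Review bot: `SERVICE_PRINCIPAL_ID` is appended to `$GITHUB_ENV` in the build job, but its consumer, `--parameters ServicePrincipalId=$SERVICE_PRINCIPAL_ID` in the deploy job's new Bicep step, runs in a different job, and `GITHUB_ENV` does not cross jobs. Expose it as a step output (`echo "sp_id=$SP_ID" >> $GITHUB_OUTPUT` in a step with an `id`), list it under the job's `outputs:`, and read `needs.build.outputs.sp_id` in deploy. `az ad sp show --id` needs Microsoft Graph read permission on the signed-in credential, which `AZURE_CREDENTIALS` may not carry — confirm before relying on it. The stray `#Comment` line left at column 0 inside the `steps` list should go.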
@@ -91,10 +96,17 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - # Step 2: Deploy Docker image to Azure Web App + # Step 2: Deploy with Bicep + - name: Deploy with Bicep + run: | + az deployment group create \ + --resource-group RESOURCE_GROUP \ + --template-file main.bicep \ + --parameters ServicePrincipalId=$SERVICE_PRINCIPAL_ID + + # Step 3: Deploy Docker image to Azure Web App - name: Deploy to Azure Web App uses: azure/webapps-deploy@v3 with: - app-name: ${{ env.WEB_APP_NAME }} - images: ${{ needs.build.outputs.image }} -#Comment \ No newline at end of file + app-name: ${{ env.dmoneyWebApp }} + images: ${{ env.dmoneyContainerRegistryName }}/${{ env.dmoneyImage }}:${{ env.IMAGE_VERSION }} \ No newline at end of file diff --git a/main.bicep b/main.bicep index 8f78ea3d0..8b8cf39fb 100644 --- a/main.bicep +++ b/main.bicep 
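Review bot: `--resource-group RESOURCE_GROUP` is the literal string rather than `${{ env.RESOURCE_GROUP }}`, so the deployment targets a group that does not exist, and `$SERVICE_PRINCIPAL_ID` is unset in this job (it was exported into the build job's `GITHUB_ENV`), so the Bicep parameter arrives empty. The webapps-deploy step swaps a working `images: ${{ needs.build.outputs.image }}` for `${{ env.dmoneyContainerRegistryName }}/${{ env.dmoneyImage }}:${{ env.IMAGE_VERSION }}` and `app-name: ${{ env.dmoneyWebApp }}`, none of which appear to be defined in this job's env, so both resolve to empty strings. Restore `app-name: ${{ env.WEB_APP_NAME }}` and `images: ${{ needs.build.outputs.image }}`, which already carry the registry login server and the versioned tag pushed by the build job.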
@@ -3,35 +3,23 @@ param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Containe param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name param location string = 'westeurope' // Desired Azure Region param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name - -module keyVault 'modules/key-vault.bicep' = { - name: 'deployKeyVault' - params: { - name: 'dmoneyKeyVault' - location: location - enableVaultForDeployment: true - roleAssignments: [ - { - principalId: '7200f83e-ec45-4915-8c52-fb94147cfe5a' - roleDefinitionIdOrName: 'Key Vault Secrets User' - principalType: 'ServicePrincipal' - } - ] - } -} +param adminCredentialsKeyVaultResourceId string // Key Vault Resource ID +param adminCredentialsKeyVaultSecretUserName string // Key Vault Secret for Username +param adminCredentialsKeyVaultSecretUserPassword1 string // Key Vault Secret for Password 1 +param adminCredentialsKeyVaultSecretUserPassword2 string // Key Vault Secret for Password 2 // Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { containerRegistryName: dmoneyContainerRegistryName - adminCredentialsKeyVaultResourceId: keyVault.outputs.resourceId - adminCredentialsKeyVaultSecretUserName: 'ACR-Username' - adminCredentialsKeyVaultSecretUserPassword: 'ACR-Password' + adminCredentialsKeyVaultResourceId: adminCredentialsKeyVaultResourceId + adminCredentialsKeyVaultSecretUserName: adminCredentialsKeyVaultSecretUserName + adminCredentialsKeyVaultSecretUserPassword1: adminCredentialsKeyVaultSecretUserPassword1 + adminCredentialsKeyVaultSecretUserPassword2: adminCredentialsKeyVaultSecretUserPassword2 } } - // Azure App Service Plan Module module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = { name: 'deployAppServicePlan' 
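Review bot: The four new parameters (`adminCredentialsKeyVaultResourceId`, `...SecretUserName`, `...Password1`, `...Password2`) have no defaults, while the workflow's deploy step passes only `ServicePrincipalId=…`, which this hunk does not declare; the deployment will fail on the undeclared parameter and stall on the missing ones. Give the secret-name parameters defaults (`= 'ACR-Username'`, `= 'ACR-Password1'`, `= 'ACR-Password2'`) or pass them from the workflow, and add `param ServicePrincipalId string` so the role assignment later in the file can use it instead of a hardcoded GUID. Moving the vault from a module output to an input resource ID is fine, but the vault must then exist before the registry module runs — worth a comment next to the parameter.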
@@ -56,18 +44,44 @@ module webApp 'modules/webApp.bicep' = { params: { name: dmoneyWebAppName location: location + kind: 'app' serverFarmResourceId: dmoneyAppServicePlan.outputs.id siteConfig: { linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' appCommandLine: '' } - appSettingsKeyValuePairs: { - WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false' - DOCKER_REGISTRY_SERVER_URL: 'https://${dmoneycontainerregistryname}.azurecr.io/' - } - dockerAppSettings: { - DOCKER_REGISTRY_SERVER_USERNAME: '${keyVault.outputs.vaultUri}/secrets/ACR-Username' - DOCKER_REGISTRY_SERVER_PASSWORD: '${keyVault.outputs.vaultUri}/secrets/ACR-Password' - } + appSettingsArray: [ + { + name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' + value: 'false' + } + { + name: 'DOCKER_REGISTRY_SERVER_URL' + value: containerRegistry.outputs.loginServer + } + { + name: 'DOCKER_REGISTRY_SERVER_USERNAME' + value: containerRegistry.outputs.username + } + { + name: 'DOCKER_REGISTRY_SERVER_PASSWORD' + value: containerRegistry.outputs.password + } + ] } } + +module keyVault 'modules/key-vault.bicep' = { + name: 'deployKeyVault' + params: { + name: 'dmoneyKeyVault' + location: location + objectId: 'your-object-id' + registryName: 'dmoneyContainerRegistry' + ServicePrincipalId: '2c9d3d07-9aac-4d2e-9337-60284d4a993b' + } +} + + + + diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index 72bff0041..ede1b30b6 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep @@ -1,10 +1,3 @@ -// Parameters -param adminCredentialsKeyVaultResourceId string -@secure() -param adminCredentialsKeyVaultSecretUserName string -@secure() -param adminCredentialsKeyVaultSecretUserPassword string - // Existing Key Vault resource resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { name: last(split(adminCredentialsKeyVaultResourceId, '/')) 
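Review bot: `DOCKER_REGISTRY_SERVER_PASSWORD: containerRegistry.outputs.password` returns to passing the admin password through a module output and into a plain app setting, which lands it in deployment history and in the site's config — exactly what the Key Vault work in this series was meant to avoid. The keyVault module call also carries `objectId: 'your-object-id'`, a placeholder that would become a real access-policy entry if it ever resolved, a second hardcoded `ServicePrincipalId` GUID, and `registryName: 'dmoneyContainerRegistry'`, which differs from the lowercase `dmoneycontainerregistry` default the registry was created with (ACR names are lowercase). Use `ServicePrincipalId` from the parameter the workflow passes, `registryName: dmoneyContainerRegistryName`, and drop `objectId` once the access policy goes. The module is also called with `kind` and `appSettingsArray`, which the webApp.bicep in this same commit does not declare.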
@@ -12,29 +5,37 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { // Define the container registry dynamically or pass as a parameter param containerRegistryName string +param adminCredentialsKeyVaultResourceId string +param adminCredentialsKeyVaultSecretUserName @secure() +param adminCredentialsKeyVaultSecretUserPassword1 @secure() +param adminCredentialsKeyVaultSecretUserPassword2 @secure() resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-01-01' existing = { name: containerRegistryName } -// Key Vault secret for container registry username -resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { - name: adminCredentialsKeyVaultSecretUserName - parent: keyVault +// Store the container registry credentials in Key Vault +resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { + name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserName}' properties: { value: listCredentials(containerRegistry.id, '2022-01-01').username } } -// Key Vault secret for container registry password -resource secretPassword 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = { - name: adminCredentialsKeyVaultSecretUserPassword - parent: keyVault +resource secretUserPassword1 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { + name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserPassword1}' properties: { value: listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value } } +resource secretUserPassword2 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { + name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserPassword2}' + properties: { + value: listCredentials(containerRegistry.id, '2022-01-01').passwords[1].value + } +} + // Outputs to expose login server and credentials dynamically output loginServer string = containerRegistry.properties.loginServer output username string = listCredentials(containerRegistry.id, '2022-01-01').username 
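Review bot: `param adminCredentialsKeyVaultSecretUserName @secure()` is not valid Bicep: decorators precede the declaration and a type is required, i.e. `@secure()` on its own line followed by `param adminCredentialsKeyVaultSecretUserName string`. As before, these parameters hold secret *names*, so no decorator belongs here at all; what is sensitive is the `listCredentials()` value, and `output username string = listCredentials(…).username` — together with the `output password` line from the earlier commit, unless it was removed outside this hunk — still exposes admin credentials through deployment outputs. Storing `passwords[1]` as a second secret only helps if something rotates the two passwords; otherwise it doubles the exposure for no gain.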
diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep index 0e9bfbad1..c3cca3cd5 100644 --- a/modules/key-vault.bicep +++ b/modules/key-vault.bicep 
@@ -1,35 +1,87 @@ -// Parameters +param location string // Azure region for the Key Vault param name string // Name of the Key Vault -param location string // Location of the Key Vault -param enableVaultForDeployment bool = true // Enable Key Vault for deployment -param roleAssignments array // Array of role assignments for Key Vault +@secure() +param registryName string // Name of the Azure Container Registry +param objectId string // Object ID for access policy +param ServicePrincipalId string // Service Principal ID for role assignment -// Key Vault Resource +// Reference an existing container registry +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' existing = { + name: registryName + scope: resourceGroup() +} + +// Create a new Key Vault resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { name: name location: location properties: { + enabledForDeployment: true + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + tenantId: subscription().tenantId sku: { family: 'A' name: 'standard' } - tenantId: subscription().tenantId - enableSoftDelete: true - enabledForDeployment: enableVaultForDeployment + accessPolicies: [ + { + tenantId: subscription().tenantId + objectId: objectId + permissions: { + secrets: [ + 'get' + 'list' + 'set' + 'delete' + ] + certificates: [ + 'get' + 'list' + 'create' + 'delete' + ] + keys: [ + 'get' + 'list' + 'create' + 'delete' + ] + } + } + ] + enableRbacAuthorization: true } } -// Role Assignments for Key Vault -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for role in roleAssignments: { - name: guid(keyVault.id, role.principalId, role.roleDefinitionIdOrName) +// Store the registry admin password in Key Vault +resource registryPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = { + parent: keyVault + name: 'registry-password' properties: { - roleDefinitionId: role.roleDefinitionIdOrName - principalId: 
role.principalId - principalType: role.principalType - scope: keyVault.id + value: containerRegistry.listCredentials().passwords[0].value // Fetches the registry password dynamically } -}] +} + +// Store the registry admin username in Key Vault +resource registryUsernameSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = { + parent: keyVault + name: 'registry-username' + properties: { + value: containerRegistry.name + } +} + +// Add role assignment for GitHub Actions +resource keyVaultSecretsUserRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(keyVault.id, ServicePrincipalId, 'Key Vault Secrets User') + scope: keyVault + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') // Key Vault Secrets User role + principalId: ServicePrincipalId + principalType: 'ServicePrincipal' + } +} -// Outputs -output resourceId string = keyVault.id -output vaultUri string = keyVault.properties.vaultUri +// Output only the Key Vault URI (non-sensitive information) +output keyVaultUri string = keyVault.properties.vaultUri diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 435e37021..b6cf78002 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep 
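Review bot: The vault sets both `accessPolicies` and `enableRbacAuthorization: true`; with RBAC enabled the policy list is ignored, so the `objectId` entry (get/list/set/delete on secrets, keys and certificates) is dead configuration that still reads as a broad grant — remove the block and the `objectId` parameter and let the role assignment below be the only grant. `enableSoftDelete: true` was dropped and no `enablePurgeProtection` is set, so a deleted vault holding the registry password can be purged immediately; add `enableSoftDelete: true` and `enablePurgeProtection: true`. `enabledForDiskEncryption` and `enabledForTemplateDeployment` are switched on with nothing in the template using them, and `@secure()` on `registryName` hides a resource name rather than a secret. `registry-username` stores `containerRegistry.name`; the admin username is the registry name by convention, but `listCredentials().username` is the authoritative value and is already called one resource up.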
@@ -4,18 +4,27 @@ param serverFarmResourceId string param siteConfig object param appSettingsKeyValuePairs object param dockerAppSettings object +param containerImageName string +param containerImageTag string resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: name location: location properties: { serverFarmId: serverFarmResourceId - siteConfig: siteConfig + siteConfig: { + ...siteConfig + linuxFxVersion: 'DOCKER|${containerImageName}:${containerImageTag}' + } appSettings: [ - for key in union(appSettingsKeyValuePairs, dockerAppSettings): { - name: key - value: union(appSettingsKeyValuePairs, dockerAppSettings)[key] + for key in appSettingsKeyValuePairs: { + name: key.name + value: key.value + } + for key in dockerAppSettings: { + name: key.name + value: key.value } ] } -} \ No newline at end of file +} From 6aeddd734738ee56a7802f1107b26232c2f6727a Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 03:44:50 +0100 Subject: [PATCH 25/35] question4pt2 --- .github/workflows/deploy.yml | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 88dc0fbdd..dfdcc1d81 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
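Review bot: `appSettings` is placed directly under `properties`, but for `Microsoft.Web/sites` app settings live under `properties.siteConfig.appSettings` as name/value pairs — at the `properties` level the array is not a recognised property, so the `DOCKER_REGISTRY_SERVER_*` values built from `dockerAppSettings` never reach the container and the pull from the private registry will fail. Move both loops into the `siteConfig` object next to `linuxFxVersion`. Independently, `appSettingsKeyValuePairs` and `dockerAppSettings` are declared as `object` yet iterated with `for key in …`, which as far as I can tell Bicep only accepts for arrays; either retype them as `array` or iterate `items(dockerAppSettings)` and read `.key`/`.value`. The `webApp` resource closes inside the hunk, but its parameter list starts above it.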
@@ -52,13 +52,14 @@ jobs: echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV + + # Step 6: Get Service Principal ID - name: Get Service Principal ID run: | - SP_ID=$(az ad sp show --id ${{ secrets.CLIENT_ID }} --query "id" -o tsv) - echo "SERVICE_PRINCIPAL_ID=$SP_ID" >> $GITHUB_ENV + SP_ID=$(az ad sp show --id ${{ secrets.CLIENT_ID }} --query "id" -o tsv) + echo "SERVICE_PRINCIPAL_ID=$SP_ID" >> $GITHUB_ENV -#Comment - # Step 6: Log in to Azure Container Registry + # Step 7: Log in to Azure Container Registry - name: Log in to Azure Container Registry uses: azure/docker-login@v1 with: @@ -66,15 +67,15 @@ jobs: username: ${{ env.REGISTRY_USERNAME }} password: ${{ env.REGISTRY_PASSWORD }} - # Step 7: Set image version + # Step 8: Set image version - name: Set image version run: echo "IMAGE_VERSION=$(date +'%Y.%m.%d.%H.%M')" >> $GITHUB_ENV - # Step 8: Ensure Docker is Installed + # Step 9: Ensure Docker is Installed - name: Ensure Docker is Installed run: docker --version - # Step 9: Build and push Docker image + # Step 10: Build and push Docker image - name: Build and push image run: | docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} 
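Review bot: in the `Fetch Key Vault secrets` step just above the re-indented `Get Service Principal ID` step, `${{ env.KEY_VAULT_NAME }}` is expanded by the runner before the `run` script starts, so both `az keyvault secret show` calls see an empty `--vault-name` even though the first `echo` writes the name to `$GITHUB_ENV` in the same step. Capture it in a shell variable instead (`KV=$(az keyvault list …)` then `--vault-name "$KV"`), or move the lookup to its own step. The two secret values are also written to `$GITHUB_ENV` without a preceding `echo "::add-mask::$value"`, so anything that later prints the environment exposes the ACR password in the job log. That step body is context rather than a change in this commit, but the renumbering touches it and the fix is a couple of lines.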
@@ -100,13 +101,19 @@ jobs: - name: Deploy with Bicep run: | az deployment group create \ - --resource-group RESOURCE_GROUP \ - --template-file main.bicep \ - --parameters ServicePrincipalId=$SERVICE_PRINCIPAL_ID + --resource-group ${{ env.RESOURCE_GROUP }} \ + --template-file main.bicep \ + --parameters ServicePrincipalId=${{ env.SERVICE_PRINCIPAL_ID }} + + # Step 3: Fetch Key Vault secrets + run: | + echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV + echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV + echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - # Step 3: Deploy Docker image to Azure Web App + # Step 4: Deploy Docker image to Azure Web App - name: Deploy to Azure Web App uses: azure/webapps-deploy@v3 with: - app-name: ${{ env.dmoneyWebApp }} - images: ${{ env.dmoneyContainerRegistryName }}/${{ env.dmoneyImage }}:${{ env.IMAGE_VERSION }} \ No newline at end of file + app-name: ${{ env.WEB_APP_NAME }} + images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} \ No newline at end of file From 6742489ef2c6da884708ac674109b6ce003eacfd Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 03:46:14 +0100 Subject: [PATCH 26/35] question4pt2 --- .github/workflows/deploy.yml | 29 ++++------------------------- 1 file changed, 4 insertions(+), 25 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index dfdcc1d81..f04a95d73 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -3,7 +3,7 @@ name: Build and Deploy Container App to Azure on: push: branches: - - main # Trigger on push to the main branch + - main env: RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-A-DEV 
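Review bot: the added `# Step 3: Fetch Key Vault secrets` block has a `run:` key but no `- name:` item, so it becomes a second `run` inside the preceding `Deploy with Bicep` step — a duplicate mapping key makes the workflow file invalid and nothing in the deploy job will run. Give it its own `- name: Fetch Key Vault secrets` entry. Even then, `${{ env.SERVICE_PRINCIPAL_ID }}` on the `--parameters` line is empty in this job: values written to `$GITHUB_ENV` are scoped to the job that wrote them (`build`), so `build` must export it under `outputs:` and this job must read `needs.build.outputs.<name>`. The same applies to `WEB_APP_NAME`, `REGISTRY_LOGIN_SERVER`, `IMAGE_BASE_NAME` and `IMAGE_VERSION` in the `webapps-deploy` step unless they are declared in the workflow-level `env:` block, which is not fully visible here.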
@@ -16,17 +16,14 @@ jobs: build: runs-on: ubuntu-latest steps: - # Step 1: Checkout the repository - name: Checkout code uses: actions/checkout@v3 - # Step 2: Log in to Azure - name: Log in to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - # Step 3: Deploy infrastructure using Bicep - name: Deploy infrastructure using Bicep run: | az deployment group create \ @@ -39,27 +36,23 @@ jobs: location=${{ env.LOCATION }} \ --mode Complete - # Step 4: Fetch ACR credentials dynamically from Azure - - name: Fetch ACR credentials from Azure + - name: Fetch ACR credentials run: | echo "REGISTRY_LOGIN_SERVER=$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)" >> $GITHUB_ENV echo "REGISTRY_USERNAME=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)" >> $GITHUB_ENV echo "REGISTRY_PASSWORD=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)" >> $GITHUB_ENV - # Step 5: Fetch Key Vault secrets dynamically - name: Fetch Key Vault secrets run: | echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - # Step 6: Get Service Principal ID - name: Get Service Principal ID run: | SP_ID=$(az ad sp show --id ${{ secrets.CLIENT_ID }} --query "id" -o tsv) echo "SERVICE_PRINCIPAL_ID=$SP_ID" >> $GITHUB_ENV - # Step 7: Log in to Azure Container Registry - name: Log in to Azure Container Registry uses: azure/docker-login@v1 with: 
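Review bot: `--mode Complete` on the infrastructure deployment (context at the top of the second hunk) deletes every resource in `BCSAI2024-DEVOPS-STUDENTS-A-DEV` that `main.bicep` does not declare, and a few lines later the job picks its Key Vault with `az keyvault list … --query "[0].name"`, i.e. whatever vault sorts first in a group whose name suggests it is shared. Drop `--mode Complete` (incremental is the default) and address the vault by name rather than by list position. Removing the step comments is fine, but the `Fetch ACR credentials` step still puts the registry admin password into `$GITHUB_ENV` unmasked via `az acr credential show`; `az acr login --name ${{ env.REGISTRY_NAME }}` with the already-authenticated Azure session avoids handling that credential at all.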
@@ -67,37 +60,30 @@ jobs: username: ${{ env.REGISTRY_USERNAME }} password: ${{ env.REGISTRY_PASSWORD }} - # Step 8: Set image version - name: Set image version run: echo "IMAGE_VERSION=$(date +'%Y.%m.%d.%H.%M')" >> $GITHUB_ENV - # Step 9: Ensure Docker is Installed - name: Ensure Docker is Installed run: docker --version - # Step 10: Build and push Docker image - name: Build and push image run: | docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} - docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:latest docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} - docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:latest outputs: image: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} deploy: runs-on: ubuntu-latest - needs: build # This ensures the deploy job runs after build + needs: build steps: - # Step 1: Log in to Azure - name: Log in to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - # Step 2: Deploy with Bicep - name: Deploy with Bicep run: | az deployment group create \ 
@@ -105,15 +91,8 @@ jobs: --template-file main.bicep \ --parameters ServicePrincipalId=${{ env.SERVICE_PRINCIPAL_ID }} - # Step 3: Fetch Key Vault secrets - run: | - echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV - echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - - # Step 4: Deploy Docker image to Azure Web App - name: Deploy to Azure Web App uses: azure/webapps-deploy@v3 with: app-name: ${{ env.WEB_APP_NAME }} - images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} \ No newline at end of file + images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} From 3816d6b6149c26e408cc5cfd51bed427936d3efe Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 03:52:30 +0100 Subject: [PATCH 27/35] question4pt2 --- main.bicep | 11 ++--------- modules/containerRegistry.bicep | 31 ++++++------------------------- modules/webApp.bicep | 11 +++++++---- 3 files changed, 15 insertions(+), 38 deletions(-) diff --git a/main.bicep b/main.bicep index 8b8cf39fb..631fc68d1 100644 --- a/main.bicep +++ b/main.bicep 
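Review bot: after this cleanup the deploy job still runs `az deployment group create … --parameters ServicePrincipalId=${{ env.SERVICE_PRINCIPAL_ID }}`, and `SERVICE_PRINCIPAL_ID` was exported with `$GITHUB_ENV` in the `build` job, which does not carry over to `deploy`; the template is therefore invoked with an empty principal id. Either publish it through `outputs:` on `build` and read `needs.build.outputs.…` here, or compute it in this job. This second run of `main.bicep` also passes none of the registry/plan/web-app/location parameters the first run passed, so the two deployments can diverge on defaults; deploying once and having `deploy` only update the web app image would be simpler and safer. The `Deploy with Bicep` step begins above this hunk.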
@@ -3,23 +3,17 @@ param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Containe param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name param location string = 'westeurope' // Desired Azure Region param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name -param adminCredentialsKeyVaultResourceId string // Key Vault Resource ID -param adminCredentialsKeyVaultSecretUserName string // Key Vault Secret for Username -param adminCredentialsKeyVaultSecretUserPassword1 string // Key Vault Secret for Password 1 -param adminCredentialsKeyVaultSecretUserPassword2 string // Key Vault Secret for Password 2 // Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { + adminCredentialsKeyVaultResourceId: keyVault.outputs.keyVaultUri containerRegistryName: dmoneyContainerRegistryName - adminCredentialsKeyVaultResourceId: adminCredentialsKeyVaultResourceId - adminCredentialsKeyVaultSecretUserName: adminCredentialsKeyVaultSecretUserName - adminCredentialsKeyVaultSecretUserPassword1: adminCredentialsKeyVaultSecretUserPassword1 - adminCredentialsKeyVaultSecretUserPassword2: adminCredentialsKeyVaultSecretUserPassword2 } } + // Azure App Service Plan Module module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = { name: 'deployAppServicePlan' @@ -70,7 +64,6 @@ module webApp 'modules/webApp.bicep' = { ] } } - module keyVault 'modules/key-vault.bicep' = { name: 'deployKeyVault' params: { diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index ede1b30b6..8f47ec77e 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep @@ -1,3 +1,4 @@ + // Existing Key Vault resource resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { name: last(split(adminCredentialsKeyVaultResourceId, '/')) 
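Review bot: `adminCredentialsKeyVaultResourceId: keyVault.outputs.keyVaultUri` passes a vault URI (`https://<name>.vault.azure.net/`) where the module expects an ARM resource id; the module then derives the vault name with `last(split(…, '/'))`, which on a URI ending in `/` yields an empty string, so the `existing` Key Vault reference cannot resolve. Add a `keyVaultId` output (`keyVault.id`) to the key-vault module and pass that, or pass the vault name directly. The call also stops supplying `adminCredentialsKeyVaultSecretUserName`/`…Password1`/`…Password2`, which the module still declares as parameters without defaults, so validation fails before anything is created. The `module keyVault` declaration is cut at the edge of the second hunk.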
@@ -6,35 +7,15 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { // Define the container registry dynamically or pass as a parameter param containerRegistryName string param adminCredentialsKeyVaultResourceId string -param adminCredentialsKeyVaultSecretUserName @secure() -param adminCredentialsKeyVaultSecretUserPassword1 @secure() -param adminCredentialsKeyVaultSecretUserPassword2 @secure() +param adminCredentialsKeyVaultSecretUserName string +param adminCredentialsKeyVaultSecretUserPassword1 string +param adminCredentialsKeyVaultSecretUserPassword2 string -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-01-01' existing = { - name: containerRegistryName -} -// Store the container registry credentials in Key Vault -resource secretUserName 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { - name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserName}' - properties: { - value: listCredentials(containerRegistry.id, '2022-01-01').username - } +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' = { + name: registryName } -resource secretUserPassword1 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { - name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserPassword1}' - properties: { - value: listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value - } -} - -resource secretUserPassword2 'Microsoft.KeyVault/vaults/secrets@2021-10-01' = { - name: '${keyVault.name}/${adminCredentialsKeyVaultSecretUserPassword2}' - properties: { - value: listCredentials(containerRegistry.id, '2022-01-01').passwords[1].value - } -} // Outputs to expose login server and credentials dynamically output loginServer string = containerRegistry.properties.loginServer diff --git a/modules/webApp.bicep b/modules/webApp.bicep index b6cf78002..67c07b3e9 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep 
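Review bot: the new `resource containerRegistry … = { name: registryName }` references `registryName`, but the only declared parameter is `containerRegistryName`, and a non-`existing` `Microsoft.ContainerRegistry/registries` declaration also needs `location` and `sku`, so this module does not compile. If the registry is created elsewhere, keep the `existing` form this hunk removes; if it is meant to be created here, add `location` and `sku: { name: 'Basic' }` and use `containerRegistryName`. Dropping `@secure()` from the three `adminCredentialsKeyVaultSecret*` parameters is harmless since they hold secret names rather than values, but the hunk also deletes the resources that wrote the admin username and passwords into Key Vault, so after this patch nothing populates the secrets the workflow reads. The `existing` Key Vault reference above uses `adminCredentialsKeyVaultResourceId` before its `param` line, which Bicep allows but which reads awkwardly; the outputs continue past the hunk.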
@@ -3,7 +3,7 @@ param location string param serverFarmResourceId string param siteConfig object param appSettingsKeyValuePairs object -param dockerAppSettings object +param dockerAppSettings object = {} param containerImageName string param containerImageTag string @@ -21,10 +21,13 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: key.name value: key.value } - for key in dockerAppSettings: { - name: key.name - value: key.value + ] + appSettings: [ + for keyValue in array(dockerAppSettings): { + name: keyValue.key + value: keyValue.value } ] + } } From 9bd0a875db9a38a627b9a2f16aae3144970705c9 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 04:25:26 +0100 Subject: [PATCH 28/35] daniel --- main.bicep | 82 +++++++++++++++++---------------- main.parameters.json | 5 +- modules/containerRegistry.bicep | 4 +- modules/webApp.bicep | 23 ++------- 4 files changed, 55 insertions(+), 59 deletions(-) diff --git a/main.bicep b/main.bicep index 631fc68d1..e0fc0e237 100644 --- a/main.bicep +++ b/main.bicep 
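Review bot: the second hunk leaves two `appSettings:` keys inside the same `properties` object, which Bicep rejects as a duplicate property; merge both loops into one array (or `concat()` two arrays). `array(dockerAppSettings)` on an `object` parameter also does not enumerate its entries — it wraps the whole object in a one-element array — so `keyValue.key`/`keyValue.value` resolve to nothing; use `for entry in items(dockerAppSettings)`, which yields `{ key, value }` pairs. As in the previous revision, app settings belong under `siteConfig.appSettings` rather than `properties.appSettings`. The `webApp` resource starts above this hunk.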
@@ -1,15 +1,50 @@ -// Parameters -param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Container Registry Name -param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name -param location string = 'westeurope' // Desired Azure Region -param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name +param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' +param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' +param location string = 'westeurope' +param dmoneyWebAppName string = 'dmoneyWebApp' +param appSettingsKeyValuePairs array = [ + { + name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' + value: 'false' + } + { + name: 'DOCKER_REGISTRY_SERVER_URL' + value: 'https://${dmoneycontainerregistryname}.azurecr.io/' + } + { + name: 'DOCKER_REGISTRY_SERVER_USERNAME' + value: 'username_placeholder' // Replace dynamically if needed + } + { + name: 'DOCKER_REGISTRY_SERVER_PASSWORD' + value: 'password_placeholder' // Replace dynamically if needed + } +] + +module webApp 'modules/webApp.bicep' = { + name: 'deployWebApp' + params: { + name: dmoneyWebAppName + location: location + appSettingsKeyValuePairs: appSettingsKeyValuePairs + serverFarmResourceId: dmoneyAppServicePlan.outputs.id + siteConfig: { + linuxFxVersion: 'DOCKER|${dmoneyContainerRegistryName}/dmoneyimage:latest' + appCommandLine: '' + } + } +} -// Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { - adminCredentialsKeyVaultResourceId: keyVault.outputs.keyVaultUri + containerRegistryName: dmoneyContainerRegistryName + adminCredentialsKeyVaultResourceId: keyVault.outputs.keyVaultUri + adminCredentialsKeyVaultSecretUserName: 'ACR-Username' + adminCredentialsKeyVaultSecretUserPassword1: 'ACR-Password1' + adminCredentialsKeyVaultSecretUserPassword2: 'ACR-Password2' + } } 
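Review bot: `linuxFxVersion: 'DOCKER|${dmoneyContainerRegistryName}/dmoneyimage:latest'` names the image by the registry resource name rather than its login server, so the reference has no registry host and is likely resolved as a Docker Hub `namespace/repository` — a public namespace someone else can register, and `:latest` lets them swap the image at will; use the `*.azurecr.io` login server and an immutable tag or digest. The `DOCKER_REGISTRY_SERVER_URL` default interpolates `${dmoneycontainerregistryname}`, which is not the declared `dmoneyContainerRegistryName` (Bicep identifiers are case-sensitive), and carries a `/service/` prefix before `https://`; that may be a capture artifact of this page, but if it is really in the file the template neither compiles nor points at the registry. Shipping `'username_placeholder'`/`'password_placeholder'` as a non-`@secure()` parameter default puts registry credentials into the template, the parameter file and deployment history; make the pair a `@secure()` parameter or reference the Key Vault secret from the module. The `containerRegistry` module call is cut at the hunk edge.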
@@ -32,38 +67,7 @@ module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = { } } -// Pass appSettings as an array -module webApp 'modules/webApp.bicep' = { - name: 'deployWebApp' - params: { - name: dmoneyWebAppName - location: location - kind: 'app' - serverFarmResourceId: dmoneyAppServicePlan.outputs.id - siteConfig: { - linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' - appCommandLine: '' - } - appSettingsArray: [ - { - name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' - value: 'false' - } - { - name: 'DOCKER_REGISTRY_SERVER_URL' - value: containerRegistry.outputs.loginServer - } - { - name: 'DOCKER_REGISTRY_SERVER_USERNAME' - value: containerRegistry.outputs.username - } - { - name: 'DOCKER_REGISTRY_SERVER_PASSWORD' - value: containerRegistry.outputs.password - } - ] - } -} + module keyVault 'modules/key-vault.bicep' = { name: 'deployKeyVault' params: { diff --git a/main.parameters.json b/main.parameters.json index f22a8841d..4130386a5 100644 --- a/main.parameters.json +++ b/main.parameters.json @@ -17,11 +17,14 @@ "appServicePlanName": { "value": "dmoneyAppServicePlan" }, - "webAppName": { + "dmoneyWebAppName": { "value": "dmoneyWebApp" }, "location": { "value": "westeurope" + }, + "containerImageTag": { + "value": "latest" } } } diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index 8f47ec77e..c77b80088 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep @@ -12,8 +12,10 @@ param adminCredentialsKeyVaultSecretUserPassword1 string param adminCredentialsKeyVaultSecretUserPassword2 string + + resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' = { - name: registryName + name: containerRegistryName } diff --git a/modules/webApp.bicep b/modules/webApp.bicep index 67c07b3e9..c4ee599c0 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep 
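Review bot: `main.parameters.json` now declares `containerImageTag`, but the `main.bicep` in this same patch declares no such parameter, and ARM rejects a deployment whose parameter file names a parameter the template does not define; if this file is used, either add `param containerImageTag string` and use it instead of the hard-coded `:latest` in `linuxFxVersion`, or drop the entry. The file also still carries `enviromentType`, `containerRegistryImageName` and `containerRegistryImageVersion`, none of which appear in the visible template, so the same failure presumably applies to them.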
@@ -1,33 +1,20 @@ param name string param location string +param appSettingsKeyValuePairs array param serverFarmResourceId string param siteConfig object -param appSettingsKeyValuePairs object -param dockerAppSettings object = {} -param containerImageName string -param containerImageTag string resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: name location: location properties: { serverFarmId: serverFarmResourceId - siteConfig: { - ...siteConfig - linuxFxVersion: 'DOCKER|${containerImageName}:${containerImageTag}' - } + siteConfig: siteConfig appSettings: [ - for key in appSettingsKeyValuePairs: { - name: key.name - value: key.value + for setting in appSettingsKeyValuePairs: { + name: setting.name + value: setting.value } ] - appSettings: [ - for keyValue in array(dockerAppSettings): { - name: keyValue.key - value: keyValue.value - } - ] - } } From e0062b82895df2cf47ed038f91da08b26963a72e Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 04:30:54 +0100 Subject: [PATCH 29/35] daniel --- modules/key-vault.bicep | 82 ++++++----------------------------------- 1 file changed, 12 insertions(+), 70 deletions(-) diff --git a/modules/key-vault.bicep b/modules/key-vault.bicep index c3cca3cd5..141c0de0d 100644 --- a/modules/key-vault.bicep +++ b/modules/key-vault.bicep 
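Review bot: `appSettings` is still emitted under `properties` rather than `properties.siteConfig.appSettings`, so the `DOCKER_REGISTRY_SERVER_*` values from `appSettingsKeyValuePairs` never reach the site configuration and the container cannot authenticate to the registry. Since `siteConfig` is now passed through verbatim and the parameter is already an array of name/value pairs, merge it in: `siteConfig: union(siteConfig, { appSettings: appSettingsKeyValuePairs })` and delete the separate `appSettings:` property. Dropping `containerImageName`/`containerImageTag` means the image reference is now whatever the caller puts in `siteConfig.linuxFxVersion`; a one-line comment on `param siteConfig object` such as `// Must carry linuxFxVersion ('DOCKER|<loginServer>/<image>:<tag>')` would save the next reader a lookup.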
@@ -1,87 +1,29 @@ -param location string // Azure region for the Key Vault -param name string // Name of the Key Vault -@secure() -param registryName string // Name of the Azure Container Registry -param objectId string // Object ID for access policy -param ServicePrincipalId string // Service Principal ID for role assignment +param location string +param name string +param enableVaultForDeployment bool = true +param roleAssignments array -// Reference an existing container registry -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' existing = { - name: registryName - scope: resourceGroup() -} - -// Create a new Key Vault resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = { name: name location: location properties: { - enabledForDeployment: true + enabledForDeployment: enableVaultForDeployment enabledForTemplateDeployment: true - enabledForDiskEncryption: true - tenantId: subscription().tenantId sku: { family: 'A' name: 'standard' } - accessPolicies: [ - { - tenantId: subscription().tenantId - objectId: objectId - permissions: { - secrets: [ - 'get' - 'list' - 'set' - 'delete' - ] - certificates: [ - 'get' - 'list' - 'create' - 'delete' - ] - keys: [ - 'get' - 'list' - 'create' - 'delete' - ] - } - } - ] - enableRbacAuthorization: true - } -} - -// Store the registry admin password in Key Vault -resource registryPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = { - parent: keyVault - name: 'registry-password' - properties: { - value: containerRegistry.listCredentials().passwords[0].value // Fetches the registry password dynamically } } -// Store the registry admin username in Key Vault -resource registryUsernameSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = { - parent: keyVault - name: 'registry-username' +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for role in roleAssignments: { + name: guid(keyVault.id, role.principalId, 
role.roleDefinitionIdOrName) properties: { - value: containerRegistry.name + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') + principalId: role.principalId + principalType: role.principalType + scope: keyVault.id } -} - -// Add role assignment for GitHub Actions -resource keyVaultSecretsUserRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = { - name: guid(keyVault.id, ServicePrincipalId, 'Key Vault Secrets User') - scope: keyVault - properties: { - roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') // Key Vault Secrets User role - principalId: ServicePrincipalId - principalType: 'ServicePrincipal' - } -} +}] -// Output only the Key Vault URI (non-sensitive information) output keyVaultUri string = keyVault.properties.vaultUri From 6f3d85c704e85c1b85f9d4cdb2c91429ec078dc2 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 04:32:44 +0100 Subject: [PATCH 30/35] daniel --- main.bicep | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/main.bicep b/main.bicep index e0fc0e237..066e2731f 100644 --- a/main.bicep +++ b/main.bicep @@ -73,12 +73,14 @@ module keyVault 'modules/key-vault.bicep' = { params: { name: 'dmoneyKeyVault' location: location - objectId: 'your-object-id' - registryName: 'dmoneyContainerRegistry' - ServicePrincipalId: '2c9d3d07-9aac-4d2e-9337-60284d4a993b' + enableVaultForDeployment: true + roleAssignments: [ + { + principalId: '7200f83e-ec45-4915-8c52-fb94147cfe5a' + roleDefinitionIdOrName: 'Key Vault Secrets User' + principalType: 'ServicePrincipal' + } + ] } } - - - From 382b01c38c2854e6919e4268d80fee1c0cebc1f6 Mon Sep 17 00:00:00 2001 
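Review bot: this rewrite removes both `enableRbacAuthorization: true` and the `accessPolicies` block, so the vault is created in access-policy mode with no policies, and the `roleAssignments` loop below grants nothing at the data plane — Key Vault only honours RBAC role assignments when `enableRbacAuthorization` is true. Re-add `enableRbacAuthorization: true` (and, given the vault exists to hold registry credentials, `enablePurgeProtection: true`). The loop also hard-codes the Key Vault Secrets User GUID regardless of `role.roleDefinitionIdOrName`, and puts `scope: keyVault.id` inside `properties`, where it is not a settable field — scope belongs on the resource (`scope: keyVault`, next to `name`), otherwise the assignment lands on the resource group. The secret-writing resources deleted here were the only thing populating the vault; after this patch nothing writes the registry credentials the workflow reads.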
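Review bot: `principalId: '7200f83e-…'` hard-codes one service principal's object id into `main.bicep`, replacing the `ServicePrincipalId` parameter the workflow was passing, so every environment that deploys this template grants secret-read access to that single identity and rotating or re-creating the principal becomes a code change. Keep a `param servicePrincipalObjectId string` and pass it from the workflow, which already computes it with `az ad sp show --id … --query id -o tsv`. `roleDefinitionIdOrName: 'Key Vault Secrets User'` is supplied but, per the module in the previous patch, not used because the GUID is fixed there; either honour it or document that it is informational. The `keyVault` module declaration starts above this hunk.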
From: Daniel Mora Date: Wed, 11 Dec 2024 04:38:36 +0100 Subject: [PATCH 31/35] rollback --- .github/workflows/deploy.yml | 71 ++++++++++++-------------- main.bicep | 89 +++++++++++++-------------------- main.parameters.json | 52 +++++++++---------- modules/appServicePlan.bicep | 2 +- modules/containerRegistry.bicep | 32 +++++------- modules/webApp.bicep | 16 +++--- 6 files changed, 111 insertions(+), 151 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index f04a95d73..8a4df8c58 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -3,7 +3,7 @@ name: Build and Deploy Container App to Azure on: push: branches: - - main + - main # Trigger on push to the main branch env: RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-A-DEV 
@@ -16,83 +16,74 @@ jobs: build: runs-on: ubuntu-latest steps: + # Step 1: Checkout the repository - name: Checkout code uses: actions/checkout@v3 + # Step 2: Log in to Azure - name: Log in to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} + # Step 3: Deploy infrastructure using Bicep - name: Deploy infrastructure using Bicep run: | az deployment group create \ --resource-group ${{ env.RESOURCE_GROUP }} \ --template-file main.bicep \ - --parameters \ - dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \ - dmoneyAppServicePlanName=dmoneyAppServicePlan \ - dmoneyWebAppName=${{ env.WEB_APP_NAME }} \ - location=${{ env.LOCATION }} \ - --mode Complete + --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \ + dmoneyAppServicePlanName=dmoneyAppServicePlan \ + dmoneyWebAppName=${{ env.WEB_APP_NAME }} \ + location=${{ env.LOCATION }} + # Step 4: Fetch ACR credentials dynamically - name: Fetch ACR credentials + id: acr-credentials run: | - echo "REGISTRY_LOGIN_SERVER=$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)" >> $GITHUB_ENV - echo "REGISTRY_USERNAME=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)" >> $GITHUB_ENV - echo "REGISTRY_PASSWORD=$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)" >> $GITHUB_ENV - - - name: Fetch Key Vault secrets - run: | - echo "KEY_VAULT_NAME=$(az keyvault list --resource-group ${{ env.RESOURCE_GROUP }} --query "[0].name" -o tsv)" >> $GITHUB_ENV - echo "ACR_SECRET_USERNAME=$(az keyvault secret show --name acr-username --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - echo "ACR_SECRET_PASSWORD=$(az keyvault secret show --name acr-password --vault-name ${{ env.KEY_VAULT_NAME }} --query value -o tsv)" >> $GITHUB_ENV - - - name: Get Service Principal ID - run: | - SP_ID=$(az ad sp show --id ${{ secrets.CLIENT_ID }} --query "id" -o tsv) - echo 
"SERVICE_PRINCIPAL_ID=$SP_ID" >> $GITHUB_ENV + echo "Fetching ACR credentials..." + echo "::set-output name=login-server::$(az acr show --name ${{ env.REGISTRY_NAME }} --query "loginServer" -o tsv)" + echo "::set-output name=username::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "username" -o tsv)" + echo "::set-output name=password::$(az acr credential show --name ${{ env.REGISTRY_NAME }} --query "passwords[0].value" -o tsv)" + # Step 5: Log in to Azure Container Registry - name: Log in to Azure Container Registry uses: azure/docker-login@v1 with: - login-server: ${{ env.REGISTRY_LOGIN_SERVER }} - username: ${{ env.REGISTRY_USERNAME }} - password: ${{ env.REGISTRY_PASSWORD }} + login-server: ${{ steps.acr-credentials.outputs.login-server }} + username: ${{ steps.acr-credentials.outputs.username }} + password: ${{ steps.acr-credentials.outputs.password }} + # Step 6: Set image version - name: Set image version - run: echo "IMAGE_VERSION=$(date +'%Y.%m.%d.%H.%M')" >> $GITHUB_ENV - - - name: Ensure Docker is Installed - run: docker --version + id: image-version + run: echo "::set-output name=version::$(echo ${GITHUB_REF#refs/heads/})-$(date +'%Y.%m.%d.%H.%M')" + # Step 7: Build and push Docker image - name: Build and push image run: | - docker build . -t ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} - docker push ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} + docker build . -t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }} + docker build . 
-t ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest + docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }} + docker push ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ github.ref_name }}-latest outputs: - image: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} + image: ${{ steps.acr-credentials.outputs.login-server }}/${{ env.IMAGE_BASE_NAME }}:${{ steps.image-version.outputs.version }} deploy: runs-on: ubuntu-latest - needs: build + needs: build # This ensures the deploy job runs after build steps: + # Step 1: Log in to Azure - name: Log in to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Deploy with Bicep - run: | - az deployment group create \ - --resource-group ${{ env.RESOURCE_GROUP }} \ - --template-file main.bicep \ - --parameters ServicePrincipalId=${{ env.SERVICE_PRINCIPAL_ID }} - + # Step 2: Deploy Docker image to Azure Web App - name: Deploy to Azure Web App uses: azure/webapps-deploy@v3 with: app-name: ${{ env.WEB_APP_NAME }} - images: ${{ env.REGISTRY_LOGIN_SERVER }}/${{ env.IMAGE_BASE_NAME }}:${{ env.IMAGE_VERSION }} + images: ${{ needs.build.outputs.image }} \ No newline at end of file diff --git a/main.bicep b/main.bicep index 066e2731f..fc3b785ba 100644 --- a/main.bicep +++ b/main.bicep 
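Review bot: the `Fetch ACR credentials` step hands the registry admin password through `::set-output name=password::` — a workflow command GitHub deprecated in 2022 that stores an unmasked value in step outputs — and then feeds it to `docker-login`; the job is already signed in to Azure two steps earlier, so the entire credential hand-off can be replaced with `az acr login --name ${{ env.REGISTRY_NAME }}`, which uses a short-lived token and never touches the admin account. If the admin password must stay, write it with `echo "password=$PW" >> "$GITHUB_OUTPUT"` preceded by `echo "::add-mask::$PW"`. `version` now embeds `${GITHUB_REF#refs/heads/}`, and branch names may contain `/` (e.g. `feature/x`), which is not valid in a Docker tag; sanitise it or use `github.sha`. Note that `azure/login@v1` still authenticates with a long-lived client secret in `AZURE_CREDENTIALS`; OIDC federation (`permissions: id-token: write` plus `client-id`/`tenant-id`/`subscription-id`) would remove that stored secret entirely.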
@@ -1,54 +1,18 @@ -param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' -param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' -param location string = 'westeurope' -param dmoneyWebAppName string = 'dmoneyWebApp' -param appSettingsKeyValuePairs array = [ - { - name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' - value: 'false' - } - { - name: 'DOCKER_REGISTRY_SERVER_URL' - value: 'https://${dmoneycontainerregistryname}.azurecr.io/' - } - { - name: 'DOCKER_REGISTRY_SERVER_USERNAME' - value: 'username_placeholder' // Replace dynamically if needed - } - { - name: 'DOCKER_REGISTRY_SERVER_PASSWORD' - value: 'password_placeholder' // Replace dynamically if needed - } -] - -module webApp 'modules/webApp.bicep' = { - name: 'deployWebApp' - params: { - name: dmoneyWebAppName - location: location - appSettingsKeyValuePairs: appSettingsKeyValuePairs - serverFarmResourceId: dmoneyAppServicePlan.outputs.id - siteConfig: { - linuxFxVersion: 'DOCKER|${dmoneyContainerRegistryName}/dmoneyimage:latest' - appCommandLine: '' - } - } -} +// Parameters +param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Container Registry Name +param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name +param location string = 'westeurope' // Desired Azure Region +param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name +// Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' params: { - - containerRegistryName: dmoneyContainerRegistryName - adminCredentialsKeyVaultResourceId: keyVault.outputs.keyVaultUri - adminCredentialsKeyVaultSecretUserName: 'ACR-Username' - adminCredentialsKeyVaultSecretUserPassword1: 'ACR-Password1' - adminCredentialsKeyVaultSecretUserPassword2: 'ACR-Password2' - + dmoneyContainerRegistryName: dmoneyContainerRegistryName + location: location } } - // Azure App Service Plan Module module dmoneyAppServicePlan 
'modules/appServicePlan.bicep' = { name: 'deployAppServicePlan' @@ -67,20 +31,35 @@ module dmoneyAppServicePlan 'modules/appServicePlan.bicep' = { } } - -module keyVault 'modules/key-vault.bicep' = { - name: 'deployKeyVault' +// Pass appSettings as an array +module webApp 'modules/webApp.bicep' = { + name: 'deployWebApp' params: { - name: 'dmoneyKeyVault' + name: dmoneyWebAppName location: location - enableVaultForDeployment: true - roleAssignments: [ + kind: 'app' + serverFarmResourceId: dmoneyAppServicePlan.outputs.id + siteConfig: { + linuxFxVersion: 'DOCKER|${containerRegistry.outputs.loginServer}/dmoneyimage:latest' + appCommandLine: '' + } + appSettingsArray: [ { - principalId: '7200f83e-ec45-4915-8c52-fb94147cfe5a' - roleDefinitionIdOrName: 'Key Vault Secrets User' - principalType: 'ServicePrincipal' + name: 'WEBSITES_ENABLE_APP_SERVICE_STORAGE' + value: 'false' + } + { + name: 'DOCKER_REGISTRY_SERVER_URL' + value: containerRegistry.outputs.loginServer + } + { + name: 'DOCKER_REGISTRY_SERVER_USERNAME' + value: containerRegistry.outputs.username + } + { + name: 'DOCKER_REGISTRY_SERVER_PASSWORD' + value: containerRegistry.outputs.password } ] } -} - +} \ No newline at end of file diff --git a/main.parameters.json b/main.parameters.json index 4130386a5..7ca37fefd 100644 --- a/main.parameters.json +++ b/main.parameters.json 
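Review bot: `DOCKER_REGISTRY_SERVER_PASSWORD: containerRegistry.outputs.password` pipes the registry admin password through a plain module output, so it is persisted in the deployment's outputs where anyone with read access to the resource group's deployment history can see it, in addition to landing in app settings. The supported route is to drop the admin account: give the web app a system-assigned identity, set `siteConfig.acrUseManagedIdentityCreds: true`, assign that identity `AcrPull` on the registry, and omit the `DOCKER_REGISTRY_SERVER_USERNAME`/`PASSWORD` settings. `DOCKER_REGISTRY_SERVER_URL` is also given the bare login server, whereas App Service expects a URL: `value: 'https://${containerRegistry.outputs.loginServer}'`. The module is called with `kind` and `appSettingsArray`, which the `modules/webApp.bicep` shown in the earlier patches does not declare; the rollback of that file is cut off at the end of this page, so verify the parameter names match.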
@@ -1,31 +1,27 @@ { - "$schema": "https://schema.management.azure.com/schemas/2020-10-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "enviromentType": { - "value": "dev" - }, - "dmoneycontainerRegistryName": { - "value": "dmoneycontainerregistry" - }, - "containerRegistryImageName": { - "value": "dmoneyimage" - }, - "containerRegistryImageVersion": { - "value": "v1" - }, - "appServicePlanName": { - "value": "dmoneyAppServicePlan" - }, - "dmoneyWebAppName": { - "value": "dmoneyWebApp" - }, - "location": { - "value": "westeurope" - }, - "containerImageTag": { - "value": "latest" - } + "$schema": "https://schema.management.azure.com/schemas/2020-10-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enviromentType": { + "value": "dev" + }, + "dmoneycontainerRegistryName": { + "value": "dmoneycontainerregistry" + }, + "containerRegistryImageName": { + "value": "dmoneyimage" + }, + "containerRegistryImageVersion": { + "value": "v1" + }, + "appServicePlanName": { + "value": "dmoneyAppServicePlan" + }, + "webAppName": { + "value": "dmoneyWebApp" + }, + "location": { + "value": "westeurope" } } - \ No newline at end of file +} diff --git a/modules/appServicePlan.bicep b/modules/appServicePlan.bicep index 43aac3db2..4d44919f3 100644 --- a/modules/appServicePlan.bicep +++ b/modules/appServicePlan.bicep @@ -14,4 +14,4 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = { } } -output id string = appServicePlan.id +output id string = appServicePlan.id \ No newline at end of file diff --git a/modules/containerRegistry.bicep b/modules/containerRegistry.bicep index c77b80088..9ed32547b 100644 --- a/modules/containerRegistry.bicep +++ b/modules/containerRegistry.bicep 
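Review bot: The parameter names in this file do not match the template they are meant to feed: `main.bicep` (first hunk on this page) declares `dmoneyAppServicePlanName` and `dmoneyWebAppName`, whereas the file supplies `appServicePlanName` and `webAppName`, and `enviromentType`, `containerRegistryImageName` and `containerRegistryImageVersion` have no counterpart in the template at all. ARM rejects a parameters file that names parameters the template does not declare, so a deployment with `--parameters main.parameters.json` would be expected to fail; it is not noticed today only because the workflow hunks further down pass parameters inline. Renaming the keys to the template's names (and fixing the `enviromentType` typo if that parameter is reintroduced) keeps the file usable as the deployment input it is documented to be.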
@@ -1,25 +1,17 @@ - -// Existing Key Vault resource -resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = { - name: last(split(adminCredentialsKeyVaultResourceId, '/')) -} - -// Define the container registry dynamically or pass as a parameter -param containerRegistryName string -param adminCredentialsKeyVaultResourceId string -param adminCredentialsKeyVaultSecretUserName string -param adminCredentialsKeyVaultSecretUserPassword1 string -param adminCredentialsKeyVaultSecretUserPassword2 string - - - +param dmoneyContainerRegistryName string +param location string resource containerRegistry 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' = { - name: containerRegistryName + name: dmoneyContainerRegistryName + location: location + sku: { + name: 'Basic' + } + properties: { + adminUserEnabled: true + } } - -// Outputs to expose login server and credentials dynamically output loginServer string = containerRegistry.properties.loginServer -output username string = listCredentials(containerRegistry.id, '2022-01-01').username -output password string = listCredentials(containerRegistry.id, '2022-01-01').passwords[0].value +output username string = listCredentials(containerRegistry.id, '2021-12-01-preview').username +output password string = listCredentials(containerRegistry.id, '2021-12-01-preview').passwords[0].value \ No newline at end of file diff --git a/modules/webApp.bicep b/modules/webApp.bicep index c4ee599c0..61d4df507 100644 --- a/modules/webApp.bicep +++ b/modules/webApp.bicep 
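Review bot: `adminUserEnabled: true` together with `output password string = listCredentials(...)` exposes the registry's shared admin password as a plain module output, which ARM records unencrypted in the deployment's outputs; the Bicep linter rule `outputs-should-not-contain-secrets` flags exactly this pattern. The admin account is a single static credential with push and pull rights on the whole registry, so the safer shape is `adminUserEnabled: false`, removing the `username`/`password` outputs, and adding `output id string = containerRegistry.id` so the parent template can assign `AcrPull` to the web app's managed identity. If the admin credential has to stay for now, the parent should at least consume it through a Key Vault reference rather than a plain app setting.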
@@ -1,20 +1,22 @@ param name string param location string -param appSettingsKeyValuePairs array +param kind string param serverFarmResourceId string param siteConfig object +param appSettingsArray array // Accept the array resource webApp 'Microsoft.Web/sites@2022-03-01' = { name: name location: location + kind: kind properties: { serverFarmId: serverFarmResourceId siteConfig: siteConfig - appSettings: [ - for setting in appSettingsKeyValuePairs: { - name: setting.name - value: setting.value - } - ] + appSettings: appSettingsArray // Use the array directly + } + identity: { + type: 'SystemAssigned' } } + +output id string = webApp.id \ No newline at end of file From e34abad38b1fee2b83dad1630e071030815e0fb0 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 04:41:41 +0100 Subject: [PATCH 32/35] tryagain --- main.bicep | 17 ++++++++++++++++- main.parameters.json | 4 ++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/main.bicep b/main.bicep index fc3b785ba..40b31c8f9 100644 --- a/main.bicep +++ b/main.bicep @@ -62,4 +62,19 @@ module webApp 'modules/webApp.bicep' = { } ] } -} \ No newline at end of file +} +param keyVaultName string = 'dmoneyKeyVault' // Key Vault Name + +// Azure Key Vault Module +resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = { + name: keyVaultName + location: location + properties: { + tenantId: subscription().tenantId + sku: { + family: 'A' + name: 'standard' + } + accessPolicies: [] // Add policies later if required + } +} diff --git a/main.parameters.json b/main.parameters.json index 7ca37fefd..31469a1a7 100644 --- a/main.parameters.json +++ b/main.parameters.json @@ -22,6 +22,10 @@ }, "location": { "value": "westeurope" + }, + "keyVaultName": { + "value": "dmoneyKeyVault" } + } } From 5eda9eb49b52e4fcff2b9f6f3941d0e865211ebf Mon Sep 17 00:00:00 2001 
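Review bot: The new `identity: { type: 'SystemAssigned' }` block creates an identity that nothing in this diff grants a role to or tells the site to use, so the image pull still relies on the `DOCKER_REGISTRY_SERVER_PASSWORD` entry carried in `appSettingsArray`. To let the identity replace that credential, pass `siteConfig: union(siteConfig, { acrUseManagedIdentityCreds: true })` (or add the flag in the caller's `siteConfig`) and create a `Microsoft.Authorization/roleAssignments` for `AcrPull` on the registry; the role assignment belongs in the parent template, which is outside this hunk. Also, `appSettings: appSettingsArray // Use the array directly` drops the previous name/value normalisation, so any extra keys in the incoming objects now reach the resource unchecked — a comment documenting the expected shape, e.g. `// each element: { name: string, value: string }`, would help callers.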
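Review bot: The new `keyVault` resource sets neither `enablePurgeProtection` nor `enableRbacAuthorization`, and nothing in this commit writes a secret into it, so it adds a vault without changing how the registry password is handled (it still flows through app settings in the `webApp` module call above). Soft delete is enabled by default on new vaults but purge protection is not; for a vault intended to hold deployment credentials, add `enablePurgeProtection: true` and `enableRbacAuthorization: true` under `properties`, and prefer a GA API version over `2021-06-01-preview`. The same resource is edited again in the `@@ -63,9 +63,6 @@`/`@@ -75,6 +72,8 @@` hunks below and in the final `@@ -72,6 +72,9 @@` hunk, which inherit this gap.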
From: Daniel Mora Date: Wed, 11 Dec 2024 04:46:29 +0100 Subject: [PATCH 33/35] tryagain --- .github/workflows/deploy.yml | 1 + main.bicep | 9 ++++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8a4df8c58..0642b64d2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -35,6 +35,7 @@ jobs: --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \ dmoneyAppServicePlanName=dmoneyAppServicePlan \ dmoneyWebAppName=${{ env.WEB_APP_NAME }} \ + keyVaultName=dmoneyKeyVault location=${{ env.LOCATION }} # Step 4: Fetch ACR credentials dynamically diff --git a/main.bicep b/main.bicep index 40b31c8f9..1573df1a0 100644 --- a/main.bicep +++ b/main.bicep @@ -3,7 +3,7 @@ param dmoneyContainerRegistryName string = 'dmoneycontainerregistry' // Containe param dmoneyAppServicePlanName string = 'dmoneyAppServicePlan' // App Service Plan Name param location string = 'westeurope' // Desired Azure Region param dmoneyWebAppName string = 'dmoneyWebApp' // Web App Name - +param keyVaultName string = 'dmoneyKeyVault' // Key Vault Name // Azure Container Registry Module module containerRegistry 'modules/containerRegistry.bicep' = { name: 'deployContainerRegistry' @@ -63,9 +63,6 @@ module webApp 'modules/webApp.bicep' = { ] } } -param keyVaultName string = 'dmoneyKeyVault' // Key Vault Name - -// Azure Key Vault Module resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = { name: keyVaultName location: location @@ -75,6 +72,8 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = { family: 'A' name: 'standard' } - accessPolicies: [] // Add policies later if required } } + +// Output for verification or integration +output keyVaultUri string = keyVault.properties.vaultUri From 2ed61175ba840b691f7c7af4d6427905c2a43426 Mon Sep 17 00:00:00 2001 
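Review bot: The added `keyVaultName=dmoneyKeyVault` line has no trailing `\`, so the `az deployment group create` command now ends there and the following `location=${{ env.LOCATION }}` runs as a separate shell statement — a bare variable assignment that silently drops the `location` parameter, leaving the template default in effect (and failing outright if `LOCATION` ever contains a space). The fix is `keyVaultName=dmoneyKeyVault \`. PATCH 34 removes this line and PATCH 35 (`@@ -35,6 +35,7 @@` on the next page section) re-adds it with the same omission, so the final state of the workflow still carries the bug. The enclosing `run: |` step starts outside this hunk.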
From: Daniel Mora Date: Wed, 11 Dec 2024 04:50:33 +0100 Subject: [PATCH 34/35] tryagain --- .github/workflows/deploy.yml | 1 - main.bicep | 2 -- 2 files changed, 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 0642b64d2..8a4df8c58 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -35,7 +35,6 @@ jobs: --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \ dmoneyAppServicePlanName=dmoneyAppServicePlan \ dmoneyWebAppName=${{ env.WEB_APP_NAME }} \ - keyVaultName=dmoneyKeyVault location=${{ env.LOCATION }} # Step 4: Fetch ACR credentials dynamically diff --git a/main.bicep b/main.bicep index 1573df1a0..33ae663ba 100644 --- a/main.bicep +++ b/main.bicep @@ -75,5 +75,3 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = { } } -// Output for verification or integration -output keyVaultUri string = keyVault.properties.vaultUri From d83bd11b9168adf4efc439cc8a47e3b944b058e9 Mon Sep 17 00:00:00 2001 From: Daniel Mora Date: Wed, 11 Dec 2024 04:53:10 +0100 Subject: [PATCH 35/35] tryagain --- .github/workflows/deploy.yml | 1 + main.bicep | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8a4df8c58..0642b64d2 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -35,6 +35,7 @@ jobs: --parameters dmoneyContainerRegistryName=${{ env.REGISTRY_NAME }} \ dmoneyAppServicePlanName=dmoneyAppServicePlan \ dmoneyWebAppName=${{ env.WEB_APP_NAME }} \ + keyVaultName=dmoneyKeyVault location=${{ env.LOCATION }} # Step 4: Fetch ACR credentials dynamically diff --git a/main.bicep b/main.bicep index 33ae663ba..edf9ab867 100644 --- a/main.bicep +++ b/main.bicep 
@@ -72,6 +72,9 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = { family: 'A' name: 'standard' } + accessPolicies: [] // Explicitly set to an empty array } } +// Output for verification or integration +output keyVaultUri string = keyVault.properties.vaultUri
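Review bot: `accessPolicies: []` on a vault that does not set `enableRbacAuthorization` means no principal — including the web app's system-assigned identity — can read or write secrets, so the vault is unusable until a policy is added by hand outside the template. The back-and-forth across PATCH 33–35 suggests the deployment requires the property to be present; a cleaner resolution is `enableRbacAuthorization: true` under `properties` (after which the empty list is harmless) together with a `Key Vault Secrets User` role assignment for the identity, and `enablePurgeProtection: true` while the block is being edited. The `keyVaultUri` output is not a secret, so exposing it is fine. The `keyVault` resource begins outside this hunk.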