👷‍♂️🔥 bicep for Azure (by Jack R) (#154)

* Add bicep file

* Add bicep

* Update workflow

* Update staging workflow

* Update bicep and staging workflow

* Update bicep and staging workflow

* Add azure login to deploy section

* Add UI to deploy

* Add azure login to ui deploy

* Update workflow

* Fix issue with secret

* Add missing SWA name input

* Add new frontend stage URL to allowed CORS

* Update workflows

* Update workflow

* Change parameter format

* Remove environment var array

* Add env vars back

* Remove array

* Fix storage account name

* Add client id

* Change parameters syntax

* Debugging connection string secret failure

* Update bicep file

* Use vars in bicep parameters

* Fix parameter names

* Remove unused template inputs

* Add keyvault

* Try hard coding CORS URL

* Update bicep

* Use double underscore for connection string name

* Add 'get' to kv access policy

* Add system assigned identity

* Use system assigned identity in kv access policy

* Remove unused params

* Remove unused params from template workflow

* Add back commented code

* Remove blank parameters and add suffix to storage name

* Set enabledForTemplateDeployment to true

* Update workflows and bicep

* Fix app name

* Pass hosting plan details to bicep

* Revert "Pass hosting plan details to bicep"

This reverts commit cfe7d1e.

* Try using vars to pass to bicep

* Revert "Try using vars to pass to bicep"

This reverts commit dc1f260.

* Try using vars to pass to bicep

* Revert "Try using vars to pass to bicep"

This reverts commit 9e91ceb.

* Use vars for template workflow

* Update bicep

* Suppress warning on bicep

* Use vars for deployment app names

* Remove hardcoded CORS url

* Update prod workflow

* Adding a app_offline.htm

* remove app_offline file

* Added logic for making the front end go offline

* Moved where the condition check is for deploy-api

* add skip on all steps in the job

* always use env name for kv

* set cors in infra

* use user assigned identity

* set AZURE_CLIENT_ID for the app

* Update key vault access policies

* use principal id

* show swagger always... for now

* drop v in netframework version

* set kind

* updating version for dotnet

* don't deploy swagger anymore

* setting key vault access

---------

Co-authored-by: Jack Reimers <jack.reimers.00@gmail.com>

.github/bicep/main.bicep

@@ -0,0 +1,226 @@
+param appName string = 'rulesgpt'
+param environment string = 'stage'
+
+@secure()
+param connectionString string
+@secure()
+param openAiApiKey string
+
+param allowedCors string
+param maxRequests string
+param signingAuthority string
+
+@description('Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.')
+param objectId string
+
+param location string = resourceGroup().location
+param staticWebAppLocation string = 'eastasia'
+
+param hostingPlanName string 
+param hostingPlanRgName string
+
+var prodEnvironmentName = environment == 'prod' ? '' : '-${environment}'
+
+//Can't contain uppercase letters or special characters
+var storageAccountName = toLower(take(replace('sa${appName}${environment}', '-', ''), 24))
+var keyVaultName = 'kv-${appName}-${environment}'
+var tenantId = subscription().tenantId
+
+var apiAppName = 'ssw-${appName}-api${prodEnvironmentName}'
+var frontendAppName = 'ssw-${appName}-webui${prodEnvironmentName}'
+var applicationInsightsName = 'ai-${appName}-${environment}'
+// identity
+var managedIdentityName = 'id-${apiAppName}'
+
+
+var lawName = 'laws-${appName}${prodEnvironmentName}'
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
+#disable-next-line BCP334
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'Storage'
+  properties: {
+    supportsHttpsTrafficOnly: true
+    defaultToOAuthAuthentication: true
+  }
+}
+
+resource hostingPlan 'Microsoft.Web/serverfarms@2021-03-01' existing = {
+  name: hostingPlanName
+  scope: resourceGroup(hostingPlanRgName)
+}
+
+resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    enabledForDeployment: false
+    enabledForDiskEncryption: false
+    enabledForTemplateDeployment: true
+    tenantId: tenantId
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
+    accessPolicies: [
+    {
+        objectId: objectId
+        tenantId: tenantId
+        permissions: {
+          keys: [ 'get', 'list' ]
+          secrets: [ 'get', 'list' ]
+        }
+      }
+    ]
+    sku: {
+      name: 'standard'
+      family: 'A'
+    }
+    networkAcls: {
+      defaultAction: 'Allow'
+      bypass: 'AzureServices'
+    }
+  }
+}
+
+resource dbSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
+  parent: kv
+  name: 'ConnectionStrings--DefaultConnection'
+  properties: {
+    value: connectionString
+  }
+}
+
+resource openaiApiKeySecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
+  parent: kv
+  name: 'OpenAiApiKey'
+  properties: {
+    value: openAiApiKey
+  }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: managedIdentityName
+  location: location
+}
+
+resource backendAppService 'Microsoft.Web/sites@2020-12-01' = {
+  name: apiAppName
+  location: location
+  kind: 'app,linux'
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}': {}
+    }
+  }
+  properties: {
+    serverFarmId: hostingPlan.id
+    reserved: true
+    keyVaultReferenceIdentity: managedIdentity.id
+    siteConfig: {
+      numberOfWorkers: 1
+      linuxFxVersion: 'DOTNETCORE|7.0'
+      alwaysOn: false
+      http20Enabled: false
+      cors: {
+        allowedOrigins: [ allowedCors ]
+      }
+      appSettings: [
+        {
+          name: 'AZURE_CLIENT_ID'
+          value: managedIdentity.properties.clientId
+        }
+        {
+          name: 'AllowedCORSOrigins'
+          value: allowedCors
+        }
+        {
+          name: 'MaxRequestsPerMinute'
+          value: maxRequests
+        }
+        {
+          name: 'SigningAuthority'
+          value: signingAuthority
+        }
+        {
+          name: 'ConnectionStrings__DefaultConnection'
+          value: '@Microsoft.KeyVault(SecretUri=${dbSecret.properties.secretUri})'
+        }
+        {
+          name: 'OpenAiApiKey'
+          value: '@Microsoft.KeyVault(SecretUri=${openaiApiKeySecret.properties.secretUri})'
+        }
+        {
+          name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
+          value: applicationInsights.properties.InstrumentationKey
+        }
+        {
+          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+          value: applicationInsights.properties.ConnectionString
+        }
+      ]
+    }
+  }
+}
+
+resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+  parent: kv
+  name: 'add'
+  properties: {
+    accessPolicies: [
+      {
+        objectId: managedIdentity.properties.principalId
+        tenantId: subscription().tenantId
+        permissions: {
+          secrets: [
+            'list'
+            'get'
+          ]
+          keys: [
+            'list'
+            'get'
+          ]
+        }
+      }
+    ]
+  }
+}
+
+resource frontendStaticWebApp 'Microsoft.Web/staticSites@2021-01-15' = {
+  name: frontendAppName
+  location: staticWebAppLocation
+  tags: null
+  properties: {}
+  sku: {
+    name: 'Standard'
+    size: 'Standard'
+  }
+}
+
+resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: lawName
+  location: location
+  properties: {
+    retentionInDays: 30
+    features: {
+      searchVersion: 1
+    }
+    sku: {
+      name: 'PerGB2018'
+    }
+  }
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: applicationInsightsName
+  location: location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    Request_Source: 'rest'
+    WorkspaceResourceId: law.id
+  }
+}

.github/workflows/main-build-deploy.yml

@@ -9,10 +9,18 @@ jobs:
   call-reusable-build-and-deploy:
     uses: ./.github/workflows/template-build-deploy.yml
     with:
-      environment: 'Production'
-      AzureWebAppName: 'ssw-rulesgpt-api'
-
+      githubEnvironment: 'Production'
+      deployEnvironment: 'prod'
+
+      AppName: ${{ vars.APP_NAME }}
+
     secrets:
-      AzureWebAppSecret: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_1FEDFC8C3C4A497399C6318E5C173C42 }}
-      AzureStaticWebAppsApiToken: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_DESERT_00E3FB600 }}
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }}
+      AZURE_RG: ${{ secrets.AZURE_RG }}
+      CLIENT_ID: ${{ secrets.CLIENT_ID }}
+
+      ConnectionString: ${{ secrets.CONNECTION_STRING }}
+      OpenAiApiKey: ${{ secrets.OPENAI_API_KEY }}
+
       GithubRepoToken: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stage-build-deploy.yml

@@ -6,14 +6,22 @@ on:
       - main
   workflow_dispatch:
 
-jobs: 
+jobs:
   call-reusable-build-and-deploy:
     uses: ./.github/workflows/template-build-deploy.yml
     with:
-      environment: 'Staging'
-      AzureWebAppName: 'ssw-rulesgpt-api-stage'
+      githubEnvironment: 'Staging'
+      deployEnvironment: 'stage'
+
+      AppName: ${{ vars.APP_NAME }}
 
     secrets:
-      AzureWebAppSecret: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_706C909B7DCB4379927A9D3AF3D8B5EF }}
-      AzureStaticWebAppsApiToken: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_MEADOW_0A2BAD900 }}
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+      AZURE_SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }}
+      AZURE_RG: ${{ secrets.AZURE_RG }}
+      CLIENT_ID: ${{ secrets.CLIENT_ID }}
+
+      ConnectionString: ${{ secrets.CONNECTION_STRING }}
+      OpenAiApiKey: ${{ secrets.OPENAI_API_KEY }}
+
       GithubRepoToken: ${{ secrets.GITHUB_TOKEN }}