Altinn · renovate · Jan 8, 2025 · Jan 8, 2025
diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
@@ -29,13 +29,9 @@ param idportenClientSecret string
 
 @secure()
 param storageAccountName string
+param maskinporten_token_exchange_environment string
 
-import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
-param keyVaultSku KeyVaultSku
-
-import { Sku as PostgresSku } from '../modules/postgreSql/create.bicep'
-param postgresSku PostgresSku
-
+var prodLikeEnvironment = environment == 'production' || maskinporten_token_exchange_environment == 'yt01'
 var resourceGroupName = '${namePrefix}-rg'
 
 // Create resource groups
@@ -50,7 +46,6 @@ module environmentKeyVault '../modules/keyvault/create.bicep' = {
   params: {
     vaultName: sourceKeyVaultName
     location: location
-    sku: keyVaultSku
     tenant_id: tenantId
     environment: environment
     test_client_id: test_client_id
@@ -120,8 +115,8 @@ module postgresql '../modules/postgreSql/create.bicep' = {
     srcKeyVault: srcKeyVault
     srcSecretName: correspondenceAdminPasswordSecretName
     administratorLoginPassword: correspondencePgAdminPassword
-    sku: postgresSku
     tenantId: tenantId
+    prodLikeEnvironment: prodLikeEnvironment
   }
 }
 

diff --git a/.azure/infrastructure/parameters.json b/.azure/infrastructure/parameters.json
diff --git a/.azure/infrastructure/params.bicepparam b/.azure/infrastructure/params.bicepparam
@@ -17,12 +17,4 @@ param accessManagementSubscriptionKey = readEnvironmentVariable('ACCESS_MANAGEME
 param slackUrl = readEnvironmentVariable('SLACK_URL')
 param idportenClientId = readEnvironmentVariable('IDPORTEN_CLIENT_ID')
 param idportenClientSecret = readEnvironmentVariable('IDPORTEN_CLIENT_SECRET')
-// SKUs
-param keyVaultSku = {
-  name: 'standard'
-  family: 'A'
-}
-param postgresSku = {
-  name: 'Standard_B1ms'
-  tier: 'Burstable'
-}
+param maskinporten_token_exchange_environment = readEnvironmentVariable('MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT')
diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
@@ -25,6 +25,30 @@ param userIdentityClientId string
 @secure()
 param containerAppEnvId string
 
+type ContainerAppResources = {
+    cpu: int
+    memory: string
+}
+type ContainerAppScale = {
+    minReplicas: int
+    maxReplicas: int
+}
+param prodLikeEnvironment bool = environment == 'production' || maskinporten_token_exchange_environment == 'yt01'
+param containerAppResources ContainerAppResources = prodLikeEnvironment ? {
+  cpu: 2
+  memory: '4.0Gi'
+} : {
+  cpu: json('0.5')
+  memory: '1.0Gi'
+}
+param containerAppScale ContainerAppScale = prodLikeEnvironment ? {
+  minReplicas: 3
+  maxReplicas:10
+} : {
+  minReplicas: 1
+  maxReplicas: 1
+}
+
 var probes = [
   {
     type: 'Liveness'
@@ -174,20 +198,14 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
 
     environmentId: containerAppEnvId
     template: {
-      scale: {
-        minReplicas: 1
-        maxReplicas: 1
-      }
+      scale: containerAppScale
       containers: [
         {
           name: 'app'
           image: image
           env: containerAppEnvVars
           probes: probes
-          resources: {
-            cpu: json('0.5')
-            memory: '1.0Gi'
-          }
+          resources: containerAppResources
         }
       ]
     }

diff --git a/.azure/modules/keyvault/create.bicep b/.azure/modules/keyvault/create.bicep
@@ -5,12 +5,6 @@ param environment string
 param tenant_id string
 @secure()
 param test_client_id string
-@export()
-type Sku = {
-  name: 'standard'
-  family: 'A'
-}
-param sku Sku
 
 resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
   name: vaultName
@@ -19,7 +13,10 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
     enabledForTemplateDeployment: true
     enabledForDiskEncryption: true
     enabledForDeployment: true
-    sku: sku
+    sku: {
+      name: 'standard'
+      family: 'A'
+    }
     tenantId: tenant_id
     accessPolicies: environment == 'test'
       ? [

diff --git a/.azure/modules/postgreSql/create.bicep b/.azure/modules/postgreSql/create.bicep
@@ -3,12 +3,6 @@ param location string
 param environmentKeyVaultName string
 param srcSecretName string
 
-@export()
-type Sku = {
-  name: 'Standard_B1ms' | 'Standard_B2s' | 'Standard_D2ads_v5'
-  tier: 'Burstable' | 'GeneralPurpose' | 'MemoryOptimized'
-}
-param sku Sku
 @secure()
 param srcKeyVault object
 
@@ -17,9 +11,11 @@ param administratorLoginPassword string
 @secure()
 param tenantId string
 
+param prodLikeEnvironment bool
+
 var databaseName = 'correspondence'
 var databaseUser = 'adminuser'
-var poolSize = 25
+var poolSize = prodLikeEnvironment ? 100 : 25
 
 module saveAdmPassword '../keyvault/upsertSecret.bicep' = {
   name: 'Save_${srcSecretName}'
@@ -51,6 +47,8 @@ resource postgres 'Microsoft.DBforPostgreSQL/flexibleServers@2023-12-01-preview'
     administratorLoginPassword: administratorLoginPassword
     storage: {
       storageSizeGB: 32
+      autoGrow: 'Enabled'
+      tier: prodLikeEnvironment ? 'P15': 'P4'
     }
     backup: { backupRetentionDays: 35 }
     authConfig: {
@@ -59,10 +57,25 @@ resource postgres 'Microsoft.DBforPostgreSQL/flexibleServers@2023-12-01-preview'
       tenantId: tenantId
     }
   }
-  sku: sku
+  sku: prodLikeEnvironment ? {
+    name: 'Standard_D8ads_v5'
+    tier: 'GeneralPurpose'
+  } : {
+    name: 'Standard_B1ms'
+    tier: 'Burstable'
+  }
 }
 
-resource configurations 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {
+resource database 'Microsoft.DBforPostgreSQL/flexibleServers/databases@2023-06-01-preview' = {
+  name: databaseName
+  parent: postgres
+  properties: {
+    charset: 'UTF8'
+    collation: 'nb_NO.utf8'
+  }
+}
+
+resource extensionsConfiguration 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {
   name: 'azure.extensions'
   parent: postgres
   dependsOn: [database]
@@ -72,19 +85,20 @@ resource configurations 'Microsoft.DBforPostgreSQL/flexibleServers/configuration
   }
 }
 
-resource database 'Microsoft.DBforPostgreSQL/flexibleServers/databases@2023-06-01-preview' = {
-  name: databaseName
+resource maxConnectionsConfiguration 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {
+  name: 'max_connections'
   parent: postgres
+  dependsOn: [extensionsConfiguration]
   properties: {
-    charset: 'UTF8'
-    collation: 'nb_NO.utf8'
+    value: prodLikeEnvironment ? '3000' : '50'
+    source: 'user-override'
   }
 }
 
 resource allowAzureAccess 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-06-01-preview' = {
   name: 'azure-access'
   parent: postgres
-  dependsOn: [configurations] // Needs to depend on database to avoid updating at the same time
+  dependsOn: [maxConnectionsConfiguration] // Needs to depend on database to avoid updating at the same time
   properties: {
     startIpAddress: '0.0.0.0'
     endIpAddress: '0.0.0.0'

diff --git a/.github/actions/deploy-to-environment/action.yml b/.github/actions/deploy-to-environment/action.yml
@@ -99,6 +99,7 @@ runs:
         MASKINPORTEN_JWK: ${{ inputs.MASKINPORTEN_JWK }}
         PLATFORM_SUBSCRIPTION_KEY: ${{ inputs.PLATFORM_SUBSCRIPTION_KEY }}
         SLACK_URL: ${{ inputs.SLACK_URL }}
+        MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT: ${{ inputs.MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT }}
 
     - name: Migrate database
       uses: ./.github/actions/migrate-database

diff --git a/.github/actions/update-infrastructure/action.yml b/.github/actions/update-infrastructure/action.yml
@@ -56,6 +56,10 @@ inputs:
   IDPORTEN_CLIENT_SECRET:
     description: "Client secret for Maskinporten integration used for IDPorten auth"
     required: true
+  MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT:
+    description: "Maskinporten Token Exchange Environment"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -105,6 +109,7 @@ runs:
         IDPORTEN_ISSUER: ${{ inputs.IDPORTEN_ISSUER }}
         IDPORTEN_CLIENT_ID: ${{ inputs.IDPORTEN_CLIENT_ID }}
         IDPORTEN_CLIENT_SECRET: ${{ inputs.IDPORTEN_CLIENT_SECRET }}
+        MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT: ${{ inputs.MASKINPORTEN_TOKEN_EXCHANGE_ENVIRONMENT }}
       with:
         scope: subscription
         template: ./.azure/infrastructure/main.bicep

diff --git a/src/Altinn.Correspondence.API/Altinn.Correspondence.API.csproj b/src/Altinn.Correspondence.API/Altinn.Correspondence.API.csproj
@@ -10,7 +10,7 @@
     <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.1" />   
     <PackageReference Include="Hangfire.AspNetCore" Version="1.8.12" />
     <PackageReference Include="Hangfire.MemoryStorage" Version="1.8.1.1" />
-    <PackageReference Include="Hangfire.PostgreSql" Version="1.20.8" />     
+    <PackageReference Include="Hangfire.PostgreSql" Version="1.20.10" />     
     <PackageReference Include="Microsoft.ApplicationInsights" Version="2.22.0" />
     <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />

diff --git a/src/Altinn.Correspondence.Application/Helpers/TransactionWithRetryPolicy.cs b/src/Altinn.Correspondence.Application/Helpers/TransactionWithRetryPolicy.cs
@@ -2,7 +2,7 @@
 
 using Hangfire;
 using Hangfire.PostgreSql;
-
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
 
 using Npgsql;
@@ -20,7 +20,11 @@ public static async Task<OneOf<T, Error>> Execute<T>(
     {
         var result = await RetryPolicy(logger).ExecuteAndCaptureAsync<OneOf<T, Error>>(async (cancellationToken) =>
         {
-            using var transaction = new TransactionScope(TransactionScopeAsyncFlowOption.Enabled);
+            using var transaction = new TransactionScope(TransactionScopeOption.Required, new TransactionOptions()
+            {
+                IsolationLevel = IsolationLevel.ReadCommitted,
+                Timeout = TimeSpan.FromSeconds(30)
+            }, TransactionScopeAsyncFlowOption.Enabled);
             var result = await operation(cancellationToken);
             transaction.Complete();
             return result;
@@ -38,6 +42,7 @@ public static AsyncRetryPolicy RetryPolicy(ILogger logger) => Policy
         .Or<PostgresException>()
         .Or<BackgroundJobClientException>()
         .Or<PostgreSqlDistributedLockException>()
+        .Or<DbUpdateConcurrencyException>()
         .WaitAndRetryAsync(
             10,
             retryAttempt => TimeSpan.FromMilliseconds(10),

diff --git a/src/Altinn.Correspondence.Integrations/Altinn.Correspondence.Integrations.csproj b/src/Altinn.Correspondence.Integrations/Altinn.Correspondence.Integrations.csproj
@@ -13,7 +13,7 @@
     <PackageReference Include="Altinn.Platform.Models" Version="1.6.0" />
     <PackageReference Include="Hangfire.AspNetCore" Version="1.8.12" />
     <PackageReference Include="Hangfire.Core" Version="1.8.12" />
-    <PackageReference Include="Hangfire.PostgreSql" Version="1.20.8" />
+    <PackageReference Include="Hangfire.PostgreSql" Version="1.20.10" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
     <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />