Merge pull request #43 from PerfectThymeTech/marvinbuss/update_vars

Update e2e configuration

.github/workflows/_terraformDestroyTemplate.yml

@@ -36,9 +36,6 @@ on:
       CLIENT_ID:
         required: true
         description: "Specifies the client id."
-      CLIENT_SECRET:
-        required: true
-        description: "Specifies the client secret."
       BOT_OAUTH_CLIENT_ID:
         required: true
         description: "Specifies the client id of the app used for the bot oauth."
@@ -65,8 +62,7 @@ jobs:
       ARM_TENANT_ID: ${{ inputs.tenant_id }}
       ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
       ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-      ARM_USE_OIDC: false
+      ARM_USE_OIDC: true
 
     steps:
       # Setup Node

.github/workflows/_terraformEnvironmentTemplate.yml

@@ -35,9 +35,6 @@ on:
       CLIENT_ID:
         required: true
         description: "Specifies the client id."
-      CLIENT_SECRET:
-        required: true
-        description: "Specifies the client secret."
       BOT_OAUTH_CLIENT_ID:
         required: true
         description: "Specifies the client id of the app used for the bot oauth."
@@ -111,8 +108,7 @@ jobs:
       ARM_TENANT_ID: ${{ inputs.tenant_id }}
       ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
       ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-      ARM_USE_OIDC: false
+      ARM_USE_OIDC: true
 
     steps:
       # Setup Node
@@ -210,8 +206,7 @@ jobs:
       ARM_TENANT_ID: ${{ inputs.tenant_id }}
       ARM_SUBSCRIPTION_ID: ${{ inputs.subscription_id }}
       ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-      ARM_USE_OIDC: false
+      ARM_USE_OIDC: true
 
     steps:
       # Setup Node

.github/workflows/_webappDeployTemplate.yml

@@ -33,9 +33,10 @@ on:
       CLIENT_ID:
         required: true
         description: "Specifies the client id."
-      CLIENT_SECRET:
-        required: true
-        description: "Specifies the client secret."
+
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
   deployment:
@@ -75,12 +76,14 @@ jobs:
         env:
           WEBAPP_DIRECTORY: ${{ inputs.webapp_directory }}
 
-      # Login to Azure
-      - name: Azure Login
+      # Azure login
+      - name: Azure login
         id: azure_login
         uses: azure/login@v2
         with:
-          creds:  '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ inputs.subscription_id }}","tenantId":"${{ inputs.tenant_id }}"}'
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ inputs.tenant_id }}
+          subscription-id: ${{ inputs.subscription_id }}
 
       # Deploy Web App
       - name: Deploy Web App

.github/workflows/lint.yml

@@ -26,7 +26,7 @@ jobs:
         id: terraform_setup
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: "1.6.6"
+          terraform_version: "1.9.6"
           terraform_wrapper: true
 
       # Checkout repository

.github/workflows/terraform.yml

@@ -7,6 +7,7 @@ on:
       - "**.tf"
       - "code/infra/**"
       - "code/backend/**"
+      - "config/**"
       - ".github/workflows/terraform.yml"
 
   pull_request:
@@ -16,6 +17,7 @@ on:
       - "**.tf"
       - "code/infra/**"
       - "code/backend/**"
+      - "config/**"
       - ".github/workflows/terraform.yml"
 
 jobs:
@@ -25,14 +27,13 @@ jobs:
     with:
       environment: "dev"
       config: "PerfectThymeTech"
-      terraform_version: "1.9.5"
+      terraform_version: "1.9.6"
       node_version: 20
       working_directory: "./code/infra"
-      tenant_id: "3556be79-2979-4b19-a1af-4dd4e6d9ed7e"
-      subscription_id: "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
     secrets:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
       BOT_OAUTH_CLIENT_ID: ${{ secrets.BOT_OAUTH_CLIENT_ID }}
       BOT_OAUTH_CLIENT_SECRET: ${{ secrets.BOT_OAUTH_CLIENT_SECRET }}
 
@@ -43,13 +44,12 @@ jobs:
     with:
       environment: "dev"
       config: "PerfectThymeTech"
-      terraform_version: "1.9.5"
+      terraform_version: "1.9.6"
       node_version: 20
       working_directory: "./code/infra"
-      tenant_id: "3556be79-2979-4b19-a1af-4dd4e6d9ed7e"
-      subscription_id: "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
     secrets:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
       BOT_OAUTH_CLIENT_ID: ${{ secrets.BOT_OAUTH_CLIENT_ID }}
       BOT_OAUTH_CLIENT_SECRET: ${{ secrets.BOT_OAUTH_CLIENT_SECRET }}

.github/workflows/webapp.yml

@@ -6,6 +6,7 @@ on:
     paths:
       - "**.py"
       - "code/backend/**"
+      - "config/**"
       - "tests/**"
       - "requirements.txt"
 
@@ -15,6 +16,7 @@ on:
     paths:
       - "**.py"
       - "code/backend/**"
+      - "config/**"
       - "tests/**"
       - "requirements.txt"
 
@@ -34,9 +36,8 @@ jobs:
       environment: "dev"
       python_version: "3.11"
       webapp_directory: "./code/backend"
-      webapp_name: "assis-dev-app001"
-      tenant_id: "3556be79-2979-4b19-a1af-4dd4e6d9ed7e"
-      subscription_id: "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
+      webapp_name: "bfr-dev-app001"
+      tenant_id: "37963dd4-f4e6-40f8-a7d6-24b97919e452"
+      subscription_id: "1fdab118-1638-419a-8b12-06c9543714a0"
     secrets:
       CLIENT_ID: ${{ secrets.CLIENT_ID }}
-      CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}

code/infra/applicationinsights.tf

@@ -7,7 +7,7 @@ module "application_insights" {
   location                                        = var.location
   resource_group_name                             = azurerm_resource_group.resource_group.name
   tags                                            = var.tags
-  application_insights_name                       = "${local.prefix}-ai001"
+  application_insights_name                       = "${local.prefix}-appi001"
   application_insights_application_type           = "web"
   application_insights_log_analytics_workspace_id = var.log_analytics_workspace_id
   diagnostics_configurations                      = local.diagnostics_configurations

code/infra/data.tf

@@ -16,6 +16,8 @@ data "azurerm_route_table" "route_table" {
 }
 
 data "azurerm_log_analytics_workspace" "log_analytics_workspace" {
+  provider = azurerm.management
+
   name                = local.log_analytics_workspace.name
   resource_group_name = local.log_analytics_workspace.resource_group_name
 }

code/infra/locals.tf

@@ -1,6 +1,17 @@
 locals {
   # Naming locals
   prefix = "${lower(var.prefix)}-${var.environment}"
+  resource_providers_to_register = [
+    "Microsoft.Authorization",
+    "Microsoft.BotService",
+    "Microsoft.CognitiveServices",
+    "microsoft.insights",
+    "Microsoft.KeyVault",
+    "Microsoft.ManagedIdentity",
+    "Microsoft.Network",
+    "Microsoft.Resources",
+    "Microsoft.Web",
+  ]
 
   # Web app locals
   app_settings_default = {
@@ -47,6 +58,7 @@ locals {
     name                = split("/", var.route_table_id)[8]
   }
   log_analytics_workspace = {
+    subscription_id     = split("/", var.log_analytics_workspace_id)[2]
     resource_group_name = split("/", var.log_analytics_workspace_id)[4]
     name                = split("/", var.log_analytics_workspace_id)[8]
   }

code/infra/providers.tf

@@ -1,21 +1,9 @@
 provider "azurerm" {
-  disable_correlation_request_id = false
-  environment                    = "public"
-  storage_use_azuread            = true
-  # use_oidc                       = true
-
+  disable_correlation_request_id  = false
+  environment                     = "public"
   resource_provider_registrations = "none"
-  resource_providers_to_register = [
-    "Microsoft.Authorization",
-    "Microsoft.BotService",
-    "Microsoft.CognitiveServices",
-    "microsoft.insights",
-    "Microsoft.KeyVault",
-    "Microsoft.ManagedIdentity",
-    "Microsoft.Network",
-    "Microsoft.Resources",
-    "Microsoft.Web",
-  ]
+  resource_providers_to_register  = local.resource_providers_to_register
+  storage_use_azuread             = true
 
   features {
     key_vault {
@@ -30,11 +18,31 @@ provider "azurerm" {
   }
 }
 
+provider "azurerm" {
+  alias                           = "management"
+  disable_correlation_request_id  = false
+  environment                     = "public"
+  resource_provider_registrations = "none"
+  storage_use_azuread             = true
+  subscription_id                 = local.log_analytics_workspace.subscription_id
+
+  features {
+    key_vault {
+      recover_soft_deleted_key_vaults   = true
+      recover_soft_deleted_certificates = true
+      recover_soft_deleted_keys         = true
+      recover_soft_deleted_secrets      = true
+    }
+    resource_group {
+      prevent_deletion_if_contains_resources = true
+    }
+  }
+}
+
 provider "azapi" {
   default_location               = var.location
   default_tags                   = var.tags
   disable_correlation_request_id = false
   environment                    = "public"
   skip_provider_registration     = false
-  # use_oidc                       = true
 }

code/infra/webapplinux.tf

@@ -100,10 +100,19 @@ resource "azurerm_private_endpoint" "linux_web_app_private_endpoint" {
     subresource_names              = ["sites"]
   }
   subnet_id = azapi_resource.subnet_private_endpoints.id
-  private_dns_zone_group {
-    name = "${azurerm_linux_web_app.linux_web_app.name}-arecord"
-    private_dns_zone_ids = [
-      var.private_dns_zone_id_sites
+  dynamic "private_dns_zone_group" {
+    for_each = var.private_dns_zone_id_sites == "" ? [] : [1]
+    content {
+      name = "${azurerm_linux_web_app.linux_web_app.name}-arecord"
+      private_dns_zone_ids = [
+        var.private_dns_zone_id_sites
+      ]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      private_dns_zone_group
     ]
   }
 }

config/PerfectThymeTech/azurerm.tfbackend

@@ -1,7 +1,7 @@
 environment          = "public"
-subscription_id      = "8f171ff9-2b5b-4f0f-aed5-7fa360a1d094"
-resource_group_name  = "mycrp-prd-cicd"
-storage_account_name = "mycrpprdstg001"
+subscription_id      = "e82c5267-9dc4-4f45-ac13-abdd5e130d27"
+resource_group_name  = "rg-terraform"
+storage_account_name = "terraformststg001"
 container_name       = "assistant"
 key                  = "terraform.tfstate"
 use_azuread_auth     = true

config/PerfectThymeTech/vars.tfvars

@@ -2,9 +2,9 @@
 location        = "northeurope"
 location_openai = "swedencentral"
 environment     = "dev"
-prefix          = "assis"
+prefix          = "bfr"
 tags = {
-  workload = "assis"
+  workload = "bot-assistant"
 }
 
 # Service variables
@@ -17,17 +17,19 @@ bot_oauth_scopes = [
 ]
 
 # Logging variables
-log_analytics_workspace_id = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/DefaultResourceGroup-NEU/providers/Microsoft.OperationalInsights/workspaces/DefaultWorkspace-8f171ff9-2b5b-4f0f-aed5-7fa360a1d094-NEU"
+log_analytics_workspace_id = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-logging-rg/providers/Microsoft.OperationalInsights/workspaces/ptt-dev-log001"
 
 # Network variables
-vnet_id                                      = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-dpml-network-rg/providers/Microsoft.Network/virtualNetworks/mycrp-prd-dpml-vnet001"
-nsg_id                                       = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-dpml-network-rg/providers/Microsoft.Network/networkSecurityGroups/mycrp-prd-dpml-nsg001"
-route_table_id                               = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-dpml-network-rg/providers/Microsoft.Network/routeTables/mycrp-prd-dpml-rt001"
-subnet_cidr_web_app                          = "10.0.96.64/26"
-subnet_cidr_private_endpoints                = "10.0.96.128/27"
-private_dns_zone_id_vault                    = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
-private_dns_zone_id_sites                    = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
-private_dns_zone_id_bot_framework_directline = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.directline.botframework.com"
-private_dns_zone_id_bot_framework_token      = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.token.botframework.com"
-private_dns_zone_id_open_ai                  = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com"
-private_dns_zone_id_cosmos_sql               = "/subscriptions/8f171ff9-2b5b-4f0f-aed5-7fa360a1d094/resourceGroups/mycrp-prd-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com"
+vnet_id                       = "/subscriptions/1fdab118-1638-419a-8b12-06c9543714a0/resourceGroups/ptt-dev-networking-rg/providers/Microsoft.Network/virtualNetworks/spoke-ptt-dev-vnet001"
+nsg_id                        = "/subscriptions/1fdab118-1638-419a-8b12-06c9543714a0/resourceGroups/ptt-dev-networking-rg/providers/Microsoft.Network/networkSecurityGroups/ptt-dev-default-nsg001"
+route_table_id                = "/subscriptions/1fdab118-1638-419a-8b12-06c9543714a0/resourceGroups/ptt-dev-networking-rg/providers/Microsoft.Network/routeTables/ptt-dev-default-rt001"
+subnet_cidr_web_app           = "10.3.1.192/26"
+subnet_cidr_private_endpoints = "10.3.2.0/26"
+
+# DNS variables
+private_dns_zone_id_vault                    = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
+private_dns_zone_id_sites                    = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azurewebsites.net"
+private_dns_zone_id_bot_framework_directline = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.directline.botframework.com"
+private_dns_zone_id_bot_framework_token      = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.token.botframework.com"
+private_dns_zone_id_open_ai                  = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.openai.azure.com"
+private_dns_zone_id_cosmos_sql               = "/subscriptions/e82c5267-9dc4-4f45-ac13-abdd5e130d27/resourceGroups/ptt-dev-privatedns-rg/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com"