Automation for First User and Script executions.

.github/workflows/build.yml

@@ -42,6 +42,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false

.github/workflows/release.yml

@@ -22,6 +22,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false

.github/workflows/test.yml

@@ -72,6 +72,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false
@@ -158,6 +159,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false
@@ -340,6 +342,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false
@@ -360,6 +363,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false
@@ -398,6 +402,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          auth-type: IDENTITY
           enable-AzPSSession: true
           environment: azurecloud
           allow-no-subscriptions: false

.gitignore

@@ -3,6 +3,8 @@
 ##
 ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
 
+*_env.json
+
 # User-specific files
 *.rsuser
 *.suo

README.md

@@ -144,8 +144,6 @@ Replace <your_ad_application_name> with your actual Azure AD Application Name.
 ```bash
 APP_NAME=<your_ad_application_name>
 azd env set AZURE_CLIENT_ID $(az ad app list --display-name $APP_NAME --query "[].appId" -otsv)
-azd env set AZURE_CLIENT_PRINCIPAL_OID $(az ad sp list --display-name $APP_NAME --query "[].id" -otsv)
-azd env set AZURE_CLIENT_SECRET $(az ad sp credential reset --id myServicePrincipalID --query "password" -otsv)
 ```
 
 3. Set Software Repository Location:
@@ -230,6 +228,43 @@ azd env set ENABLE_BLOB_PUBLIC_ACCESS false
 
 Efficiently manage the resources with these Azure Developer CLI commands. They are designed to streamline the deployment process, allowing for a smooth setup and teardown of your environment.
 
+<!--- https://diagrams.helpful.dev/ --->
+```mermaid 
+sequenceDiagram
+    participant Azd as user
+    participant Provision as command
+    participant Azure as azure
+
+
+    rect rgb(191, 223, 255)
+    alt 
+    Note over Provision: featureCheck
+    Note over Provision: credCheck
+    end
+    Azd->>+Provision: azd provision 
+    Provision->>Azure: arm deploy
+    Provision-->>-Azd: complete
+    alt 
+    Note over Provision: softwareCheck
+    Note over Provision: entraAuth
+    end
+    end
+
+    rect rgb(144,238,144)
+    alt 
+    Note over Provision: firstUser
+    Note over Provision: refreshToken
+    end
+    Azd->>Provision: azd deploy
+    activate Provision
+    Provision-->>Azd: complete
+    deactivate Provision
+    alt 
+    Note over Provision: settingsJson
+    end
+    end
+```
+
 __Starting the Deployment__
 
 To initiate the deployment, use the following command:
@@ -238,7 +273,37 @@ To initiate the deployment, use the following command:
 azd provision
 ```
 
-This command starts the provisioning process, setting up all necessary resources in Azure according to your configuration.
+This command starts the provisioning process, setting up all necessary resources in Azure according to your configuration.  It involves a pre and post hook that peforms some additional automation.
+
+_Prehook_
+
+1. Ensure that the subscription is configured with the required features.
+2. Ensure a Client Secret is available for use.
+3. Gather the Service Principal Object Id.
+
+_Posthook_
+
+1. Ensure that the software installation is in compliance.
+2. Ensure the AD Application has the Ingress Authentication Redirect URLs
+
+
+__Deploy Initial Configuration__
+
+Prior to running this command on the ingress url `https://<your_ingress>/auth/` an authorization code can be easily retrieved to use in getting a refresh token for ease of use in calling APIs that require a bearer token.
+
+```bash
+azd env set AUTH_CODE <your_auth_code>
+azd deploy
+azd env show AUTH_TOKEN
+```
+
+This command deploys some additional configuration helpful to using the solution.
+
+_Posthook_
+
+1. Configure the Initial User into Entitlements.
+2. Using a provided Authorization Code get an initial user refresh token.
+
 
 __Removal and Cleaning up__
 

azure.yaml

@@ -7,25 +7,24 @@ infra:
   provider: bicep
   path: bicep
 hooks:
-  # preprovision:
-  #   posix:
-  #     interactive: false
-  #     continueOnError: false
-  #     shell: sh
-  #     run: |
-  #       # Check if PREPARE is not set to true
-  #       if [[ "$PREPARE" == "true" ]]; then
-  #         # Check if Docker command exists
-  #         if command -v docker &> /dev/null; then
-  #           echo "Building Docker Image"
-  #           docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
-  #           docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/preprovision.sh -s ${AZURE_SUBSCRIPTION_ID}
-  #           sleep 5
-  #         else
-  #           echo "Docker is not installed."
-  #           exit 1
-  #         fi
-  #       fi
+  preprovision:
+    posix:
+      interactive: false
+      continueOnError: false
+      shell: sh
+      run: |
+        # Check if PREPARE is not set to true
+        env_vars=$(azd env get-values | tr -d '"' | awk '{print "-e " $0}')
+        # Check if Docker command exists
+        if command -v docker &> /dev/null; then
+          echo "Building Docker Image"
+          docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
+          docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" $env_vars -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/preprovision.sh -s ${AZURE_SUBSCRIPTION_ID}
+          sleep 5
+        else
+          echo "Docker is not installed."
+          exit 1
+        fi
 
   #   windows:
   #     interactive: false
@@ -42,22 +41,55 @@ hooks:
   #       docker run --rm -v ${pwd}:/workspace -v "$($HOME)/.azure:/root/.azure" -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/preprovision.sh -s $env:AZURE_SUBSCRIPTION_ID
   #       Start-Sleep -Seconds 5
 
-  # postprovision:
-  #   posix:
-  #     interactive: false
-  #     continueOnError: false
-  #     shell: sh
-  #     run: |
-  #       # Check if FETCH_ENV is not set to true
-  #       if [[ "$FETCH_ENV" == "true" ]]; then
-  #         # Check if Docker command exists
-  #         if command -v docker &> /dev/null; then
-  #           echo "Building Docker Image"
-  #           docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
-  #           docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/postprovision.sh -s ${AZURE_SUBSCRIPTION_ID}
-  #           sleep 5
-  #         else
-  #           echo "Docker is not installed."
-  #           exit 1
-  #         fi
-  #       fi
+  postprovision:
+    posix:
+      interactive: false
+      continueOnError: false
+      shell: sh
+      run: |
+        env_vars=$(azd env get-values | tr -d '"' | awk '{print "-e " $0}')
+        # Check if Docker command exists
+        if command -v docker &> /dev/null; then
+          echo "Building Docker Image"
+          docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
+          docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" $env_vars  -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/postprovision.sh -s ${AZURE_SUBSCRIPTION_ID}
+          sleep 5
+        else
+          echo "Docker is not installed."
+          exit 1
+        fi
+
+  predeploy:
+    posix:
+      interactive: false
+      continueOnError: false
+      shell: sh
+      run: |
+        env_vars=$(azd env get-values | tr -d '"' | awk '{print "-e " $0}')
+        # Check if Docker command exists
+        if command -v docker &> /dev/null; then
+          echo "Building Docker Image"
+          docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
+          docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" $env_vars -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/predeploy.sh -s ${AZURE_SUBSCRIPTION_ID}
+          sleep 5
+        else
+          echo "Docker is not installed."
+          exit 1
+        fi
+  postdeploy:
+    posix:
+      interactive: false
+      continueOnError: false
+      shell: sh
+      run: |
+        env_vars=$(azd env get-values | tr -d '"' | awk '{print "-e " $0}')
+        # Check if Docker command exists
+        if command -v docker &> /dev/null; then
+          echo "Building Docker Image"
+          docker buildx build --no-cache -f scripts/Dockerfile-provision -t azd-provision scripts
+          docker run --rm -v $(pwd):/workspace -v "${HOME}/.azure:/root/.azure" $env_vars -e AZURE_CONFIG_DIR=/root/.azure azd-provision /usr/local/bin/postdeploy.sh -s ${AZURE_SUBSCRIPTION_ID}
+          sleep 5
+        else
+          echo "Docker is not installed."
+          exit 1
+        fi

bicep/main.bicep

@@ -438,5 +438,6 @@ module serviceBlade 'modules/blade_service.bicep' = {
 
 output KEYVAULT_NAME string = commonBlade.outputs.keyvaultName
 output ACR_NAME string = serviceBlade.outputs.registryName
+output AKS_NAME string = serviceBlade.outputs.clusterName
 
 //ACSCII Art link : https://textkool.com/en/ascii-art-generator?hl=default&vl=default&font=Star%20Wars&text=changeme

bicep/modules/blade_service.bicep

@@ -767,3 +767,6 @@ module grafana 'aks_grafana.bicep' = if(enableMonitoring){
 
 @description('The name of the container registry.')
 output registryName string = registry.outputs.name
+
+@description('The name of the cluster.')
+output clusterName string = cluster.outputs.aksClusterName

charts/osdu-developer-auth/templates/config-map.yaml

@@ -147,7 +147,7 @@ data:
               return "https://login.microsoftonline.com/" + this.clientId + "/oauth2/logout";
             },
             redirect: function () {
-              return location.protocol + '//' + location.host + location.pathname
+              return 'https://' + location.host + location.pathname
             }
           },
           beforeMount: function () {

docs/pipelines.md

@@ -58,6 +58,7 @@ This action ensures that the bicep can build properly.
 
 The release action will run whenever a release is created to ensure we have a copy of the ARM template from that release that could then be used by other systems as necessary.
 
+<!--- https://diagrams.helpful.dev/ --->
 ```mermaid
 sequenceDiagram
     participant Workflow as "GitHub Workflow"

scripts/Dockerfile-provision

@@ -1,23 +1,40 @@
 FROM mcr.microsoft.com/azure-cli:latest
 
 # Install OS packages
-RUN apk add --no-cache curl ncurses
+RUN apk --no-cache update && \
+    apk add --no-cache \
+        curl \
+        ncurses \
+        # build dependencies for native binaries in Python packages
+        gcc \
+        make \
+        openssl-dev \
+        libffi-dev \
+        musl-dev \
+        python3-dev 
 
 # Install azd
 RUN curl -fsSL https://aka.ms/install-azd.sh | bash
 
+RUN pip3 install --no-cache-dir --upgrade pip setuptools wheel httpie \
+    && pip3 install --no-cache-dir --force-reinstall pycryptodome
+
 # Copy the script into the container
 COPY functions.sh /usr/local/bin/functions.sh
 COPY hook-postprovision.sh /usr/local/bin/postprovision.sh
 COPY hook-preprovision.sh /usr/local/bin/preprovision.sh
+COPY hook-predeploy.sh /usr/local/bin/predeploy.sh
+COPY hook-postdeploy.sh /usr/local/bin/postdeploy.sh
 
 # Create a directory to work in
 WORKDIR /workspace
 
 # Make the script executable
 RUN chmod +x /usr/local/bin/functions.sh \
     && chmod +x /usr/local/bin/postprovision.sh \
-    && chmod +x /usr/local/bin/preprovision.sh 
+    && chmod +x /usr/local/bin/preprovision.sh \
+    && chmod +x /usr/local/bin/predeploy.sh \
+    && chmod +x /usr/local/bin/postdeploy.sh
 
 # Set the entrypoint to run your script
 CMD ["/bin/bash"]