Merge branch 'main' into chore/mergeMain

.cspell.json

@@ -60,6 +60,7 @@
         "Curncy",
         "datafixes",
         "Dockerised",
+        "DTFS",
         "dtos",
         "EASS",
         "ecgd",
@@ -148,6 +149,7 @@
         "Useds",
         "venv",
         "VNET",
+        "vnets",
         "XLSX"
     ],
     "dictionaries": [

.github/workflows/deployment.yml

@@ -59,7 +59,6 @@ jobs:
     name: Database 💾
     needs: setup
     environment: ${{ needs.setup.outputs.environment }}
-    if: ${{ '1' == vars.DATABASE }}
     env:
       ENVIRONMENT: ${{ needs.setup.outputs.environment }}
     runs-on: [self-hosted, EXIP, deployment]
@@ -81,12 +80,14 @@ jobs:
             az configure --defaults group=rg-${{ env.PRODUCT }}-${{ github.ref_name }}-${{ vars.VERSION }}
 
       - name: Extension ➕
+        if: ${{ '1' == vars.DATABASE }}
         uses: azure/cli@v2
         with:
           inlineScript: |
             az config set extension.use_dynamic_install=yes_without_prompt
 
       - name: Import ⬇
+        if: ${{ '1' == vars.DATABASE }}
         uses: azure/cli@v2
         with:
           inlineScript: |

.github/workflows/infrastructure.yml

@@ -165,6 +165,12 @@ jobs:
             --address-prefixes ${{ vars.VNET_SUBNET_PRIVATE_PREFIX }} \
             --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }}
 
+            az network vnet subnet create \
+            --name snet-keyvault-${{ env.PRODUCT }}-${{ vars.VERSION }} \
+            --address-prefixes ${{ vars.VNET_SUBNET_KEYVAULT_PREFIX }} \
+            --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --service-endpoints Microsoft.KeyVault
+
       - name: VNET Peer - AMI 🔀
         uses: azure/cli@v2
         with:
@@ -365,6 +371,17 @@ jobs:
           inlineScript: |
             az extension add --name front-door
 
+      - name: Key Vault 🔑
+        uses: azure/cli@v2
+        with:
+          inlineScript: |
+            az keyvault create \
+            --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --default-action Deny \
+            --public-network-access Disabled \
+            --network-acls-ips ${{ secrets.WAF_ALLOWED_IP }} \
+            --network-acls-vnets $(az network vnet subnet list --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[?contains(name, `keyvault`)].id' -o tsv)
+
       - name: Private endpoint 🔏
         uses: azure/cli@v2
         with:
@@ -389,6 +406,16 @@ jobs:
             --group-id sites \
             --tags ${{ env.TAGS }}
 
+            #Key Vault
+            az network private-endpoint create \
+            --name private-endpoint-keyvault-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --private-connection-resource-id $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \
+            --connection-name private-link-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --subnet snet-private-${{ env.PRODUCT }}-${{ vars.VERSION }} \
+            --vnet-name vnet-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --group-id vault \
+            --tags ${{ env.TAGS }}
+
       - name: Private DNS 🌍
         uses: azure/cli@v2
         with:
@@ -441,7 +468,7 @@ jobs:
             --private-link-location ${{ vars.REGION }} \
             --private-link-resource $(az webapp show --name app-${{ env.PRODUCT }}-ui-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \
             --private-link-request-message '${{ env.PRODUCT }}-ui-${{ env.TARGET }}-${{ vars.VERSION }}' \
-            --private-link-sub-resource-type $(az network private-link-resource list --id $(az webapp show --name app-${{ env.PRODUCT }}-ui-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) --query [].name -o tsv) \
+            --private-link-sub-resource-type $(az network private-link-resource list --id $(az webapp show --name app-${{ env.PRODUCT }}-ui-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) --query '[]'.name -o tsv) \
             --origin-group-name ui \
             --profile-name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
             --enabled-state Enabled
@@ -491,8 +518,8 @@ jobs:
             # Associate FD
             az afd security-policy create \
             --security-policy-name security-policy-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
-            --waf-policy $(az network front-door waf-policy list --query [].id -o tsv) \
-            --domains $(az afd endpoint list --profile-name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query [].id -o tsv) \
+            --waf-policy $(az network front-door waf-policy list --query '[]'.id -o tsv) \
+            --domains $(az afd endpoint list --profile-name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query '[]'.id -o tsv) \
             --profile-name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }}
 
             # Custom rule - RL
@@ -649,11 +676,11 @@ jobs:
             COMPANIES_HOUSE_API_KEY='${{ secrets.COMPANIES_HOUSE_API_KEY }}' \
             JWT_SIGNING_KEY='${{ secrets.JWT_SIGNING_KEY }}' \
             UNDERWRITING_TEAM_EMAIL='${{ secrets.UNDERWRITING_TEAM_EMAIL }}' \
-            FEEDBACK_EMAIL_RECIPIENT='${{ secrets.FEEDBACK_EMAIL_RECIPIENT }}'
-            CRON_SCHEDULE_UNVERIFIED_ACCOUNT='${{ secrets.CRON_SCHEDULE_UNVERIFIED_ACCOUNT }}'
-            CRON_SCHEDULE_INACTIVE_APPLICATION='${{ secrets.CRON_SCHEDULE_INACTIVE_APPLICATION }}'
-            CRON_SCHEDULE_SUBMISSION_DEADLINE_REMINDER_EMAIL='${{ secrets.CRON_SCHEDULE_SUBMISSION_DEADLINE_REMINDER_EMAIL }}'
-            APPLICATION_URL='${{ secrets.APPLICATION_URL }}'
+            FEEDBACK_EMAIL_RECIPIENT='${{ secrets.FEEDBACK_EMAIL_RECIPIENT }}' \
+            CRON_SCHEDULE_UNVERIFIED_ACCOUNT='${{ secrets.CRON_SCHEDULE_UNVERIFIED_ACCOUNT }}' \
+            CRON_SCHEDULE_INACTIVE_APPLICATION='${{ secrets.CRON_SCHEDULE_INACTIVE_APPLICATION }}' \
+            CRON_SCHEDULE_SUBMISSION_DEADLINE_REMINDER_EMAIL='${{ secrets.CRON_SCHEDULE_SUBMISSION_DEADLINE_REMINDER_EMAIL }}' \
+            APPLICATION_URL='${{ vars.APPLICATION_URL }}'
 
       - name: Extension ➕
         uses: azure/cli@v2
@@ -670,7 +697,7 @@ jobs:
           inlineScript: |
             az webapp connection create mysql-flexible \
             --source-id $(az webapp show --name app-${{ env.PRODUCT }}-api-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \
-            --target-id $(az mysql flexible-server list --query [].id -o tsv)/databases/${{ env.PRODUCT }} \
+            --target-id $(az mysql flexible-server list --query '[]'.id -o tsv)/databases/${{ env.PRODUCT }} \
             --connection webapp_api_mysqlflexible_${{ env.PRODUCT }}_${{ env.TARGET }}_${{ vars.VERSION }} \
             --secret name=${{ secrets.MYSQL_USER }} secret=${{ secrets.MYSQL_PASSWORD }} \
             --client-type nodejs
@@ -769,13 +796,13 @@ jobs:
             --record-set-name  "@" \
             --zone ${{ vars.DOMAIN_QUOTE }} \
             --value ${{ vars.CA_VERIFICATION }} \
-            --if-none-match "*"
+            --if-none-match
 
             az network dns record-set txt add-record \
             --record-set-name  "@" \
             --zone ${{ vars.DOMAIN_INSURANCE }} \
             --value ${{ vars.CA_VERIFICATION }} \
-            --if-none-match "*"
+            --if-none-match
 
       - name: CAA records
         uses: azure/cli@v2
@@ -865,8 +892,8 @@ jobs:
           inlineScript: |
             az monitor diagnostic-settings create \
             --name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
-            --resource $(az monitor log-analytics workspace list --query [].id -o tsv) \
-            --workspace $(az monitor log-analytics workspace list --query [].id -o tsv) \
+            --resource $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
             --logs "[{categoryGroup:allLogs,enabled:true}]" \
             --metrics "[{category:allMetrics,enabled:true}]"
 
@@ -914,8 +941,19 @@ jobs:
           inlineScript: |
             az monitor diagnostic-settings create \
             --name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
-            --resource $(az afd profile list --query [].id -o tsv) \
-            --workspace $(az monitor log-analytics workspace list --query [].id -o tsv) \
+            --resource $(az afd profile list --query '[]'.id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
+            --logs "[{categoryGroup:allLogs,enabled:true}]" \
+            --metrics "[{category:allMetrics,enabled:true}]"
+
+      - name: Key Vault 🔑
+        uses: azure/cli@v2
+        with:
+          inlineScript: |
+            az monitor diagnostic-settings create \
+            --name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --resource $(az keyvault show --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} --query id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
             --logs "[{categoryGroup:allLogs,enabled:true}]" \
             --metrics "[{category:allMetrics,enabled:true}]"
 
@@ -925,16 +963,23 @@ jobs:
           inlineScript: |
             # UI
             az monitor diagnostic-settings create \
-            --name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
-            --resource $(az network nic list --query ['?contains(name, `ui`)'].id -o tsv) \
-            --workspace $(az monitor log-analytics workspace list --query [].id -o tsv) \
+            --name webapp-ui-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --resource $(az network nic list --query '[?contains(name, `ui`)]'.id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
             --metrics "[{category:allMetrics,enabled:true}]"
 
             # API
             az monitor diagnostic-settings create \
-            --name frontdoor-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
-            --resource $(az network nic list --query ['?contains(name, `api`)'].id -o tsv) \
-            --workspace $(az monitor log-analytics workspace list --query [].id -o tsv) \
+            --name webapp-api-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --resource $(az network nic list --query '[?contains(name, `api`)]'.id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
+            --metrics "[{category:allMetrics,enabled:true}]"
+
+            # KV
+            az monitor diagnostic-settings create \
+            --name kv-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
+            --resource $(az network nic list --query '[?contains(name, `key`)]'.id -o tsv) \
+            --workspace $(az monitor log-analytics workspace list --query '[]'.id -o tsv) \
             --metrics "[{category:allMetrics,enabled:true}]"
 
   # 7. Various alerts
@@ -1008,8 +1053,8 @@ jobs:
             --name alert-healthcheck-${{ env.PRODUCT }}-${{ env.TARGET }}-${{ vars.VERSION }} \
             --description "1 minute health check" \
             --condition  "avg 'OriginHealthPercentage' <= 99.0 where OriginGroup includes ui" \
-            --scope $(az afd profile list --query [].id -o tsv) \
-            --action $(az monitor action-group list --query [].id -o tsv) \
+            --scope $(az afd profile list --query '[]'.id -o tsv) \
+            --action $(az monitor action-group list --query '[]'.id -o tsv) \
             --auto-mitigate true \
             --severity 0 \
             --tags ${{ env.TAGS }}