feat(service): add permissions for service-bus (#1305)

## Description  ## Related Issue(s) - #1302 ## Verification - [ ] **Your** code builds clean without any errors or warnings - [ ] Manual testing done (required) - [ ] Relevant automated test added (if you find this hard, leave it and we'll help out) ## Documentation - [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)  ## Summary by CodeRabbit - **New Features** - Introduced support for Azure Service Bus integration, including new parameters for configuration. - Added functionality to manage Azure Service Bus role assignments dynamically. - **Bug Fixes** - Updated security handling for the container app environment name. - **Documentation** - Enhanced README with detailed instructions for local development, deployment processes, and database management. - **Chores** - Enhanced CI/CD workflow with new secret variables and input parameters for improved deployment control.
Altinn · Oct 16, 2024 · 7bf4177 · 7bf4177
1 parent b1e6a14
commit 7bf4177
Show file tree

Hide file tree

Showing 13 changed files with 63 additions and 11 deletions.
diff --git a/.azure/applications/service/main.bicep b/.azure/applications/service/main.bicep
@@ -21,9 +21,12 @@ param resources object?
 
 @description('The name of the container app environment')
 @minLength(3)
-@secure()
 param containerAppEnvironmentName string
 
+@description('The name of the Service Bus namespace')
+@minLength(3)
+param serviceBusNamespaceName string
+
 @description('The connection string for Application Insights')
 @minLength(3)
 @secure()
@@ -137,6 +140,14 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
   }
 }
 
+module serviceBusOwnerAccessPolicy '../../modules/serviceBus/addDataOwnerRoles.bicep' = {
+  name: 'serviceBusOwnerAccessPolicy-${containerAppName}'
+  params: {
+    serviceBusNamespaceName: serviceBusNamespaceName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
 module containerApp '../../modules/containerApp/main.bicep' = {
   name: containerAppName
   params: {
@@ -158,6 +169,7 @@ module containerApp '../../modules/containerApp/main.bicep' = {
   dependsOn: [
     keyVaultReaderAccessPolicy
     appConfigReaderAccessPolicy
+    serviceBusOwnerAccessPolicy
   ]
 }
 

diff --git a/.azure/applications/service/prod.bicepparam b/.azure/applications/service/prod.bicepparam
@@ -4,9 +4,9 @@ param environment = 'prod'
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
-
-// secrets
 param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+// secrets
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
-param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
diff --git a/.azure/applications/service/staging.bicepparam b/.azure/applications/service/staging.bicepparam
@@ -4,9 +4,10 @@ param environment = 'staging'
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
-
-// secrets
 param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
-param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
diff --git a/.azure/applications/service/test.bicepparam b/.azure/applications/service/test.bicepparam
@@ -4,9 +4,10 @@ param environment = 'test'
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
 param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
-
-// secrets
 param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
 param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param serviceBusNamespaceName = readEnvironmentVariable('AZURE_SERVICE_BUS_NAMESPACE_NAME')
+
+// secrets
 param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
-param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
diff --git a/.azure/modules/serviceBus/addDataOwnerRoles.bicep b/.azure/modules/serviceBus/addDataOwnerRoles.bicep
@@ -0,0 +1,27 @@
+@description('The name of the Service Bus namespace')
+param serviceBusNamespaceName string
+
+@description('Array of principal IDs to assign the Azure Service Bus Data Owner role to')
+param principalIds array
+
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
+  name: serviceBusNamespaceName
+}
+
+@description('This is the built-in Azure Service Bus Data Owner role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azure-service-bus-data-owner')
+resource serviceBusDataOwnerRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: '090c5cfd-751d-490a-894a-3ce6f1109419'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for principalId in principalIds: {
+    scope: serviceBusNamespace
+    name: guid(serviceBusNamespace.id, principalId, serviceBusDataOwnerRoleDefinition.id)
+    properties: {
+      roleDefinitionId: serviceBusDataOwnerRoleDefinition.id
+      principalId: principalId
+      principalType: 'ServicePrincipal'
+    }
+  }
+]
diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml
@@ -101,6 +101,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-prod.yml b/.github/workflows/ci-cd-prod.yml
@@ -73,6 +73,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: prod
       region: norwayeast
@@ -96,6 +97,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: prod
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request-release-please.yml b/.github/workflows/ci-cd-pull-request-release-please.yml
@@ -58,6 +58,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml
@@ -82,6 +82,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: test
       region: norwayeast

diff --git a/.github/workflows/ci-cd-staging.yml b/.github/workflows/ci-cd-staging.yml
@@ -65,6 +65,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: staging
       region: norwayeast

diff --git a/.github/workflows/dispatch-apps.yml b/.github/workflows/dispatch-apps.yml
@@ -54,6 +54,7 @@ jobs:
       AZURE_CONTAINER_APP_ENVIRONMENT_NAME: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
       AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
       AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
+      AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
     with:
       environment: ${{ inputs.environment }}
       region: norwayeast

diff --git a/.github/workflows/workflow-deploy-apps.yml b/.github/workflows/workflow-deploy-apps.yml
@@ -20,6 +20,8 @@ on:
         required: true
       AZURE_APP_CONFIGURATION_NAME:
         required: true
+      AZURE_SERVICE_BUS_NAMESPACE_NAME:
+        required: true
 
     inputs:
       region:
@@ -175,6 +177,7 @@ jobs:
           AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
           AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
           AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+          AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
         with:
           scope: resourcegroup
           template: ./.azure/applications/${{ matrix.name }}/main.bicep
@@ -199,6 +202,7 @@ jobs:
           AZURE_APP_INSIGHTS_CONNECTION_STRING: ${{ secrets.AZURE_APP_INSIGHTS_CONNECTION_STRING }}
           AZURE_APP_CONFIGURATION_NAME: ${{ secrets.AZURE_APP_CONFIGURATION_NAME }}
           AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+          AZURE_SERVICE_BUS_NAMESPACE_NAME: ${{ secrets.AZURE_SERVICE_BUS_NAMESPACE_NAME }}
         with:
           scope: resourcegroup
           template: ./.azure/applications/${{ matrix.name }}/main.bicep

diff --git a/README.md b/README.md
@@ -347,7 +347,7 @@ Ensure you have followed the steps in [Deploying a new infrastructure environmen
 
 Use the following steps:
 
-- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME`
+- From the infrastructure resources created, add the following GitHub secrets in the new environment (this will not be necessary in the future as secrets would be added directly from infrastructure deployment): `AZURE_APP_CONFIGURATION_NAME`, `AZURE_APP_INSIGHTS_CONNECTION_STRING`, `AZURE_CONTAINER_APP_ENVIRONMENT_NAME`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_REDIS_NAME`, `AZURE_RESOURCE_GROUP_NAME`, `AZURE_SERVICE_BUS_NAMESPACE_NAME` and `AZURE_SLACK_NOTIFIER_FUNCTION_APP_NAME`
 
 - Add new parameter files for the environment in all applications `.azure/applications/*/<env>.bicepparam`