From 5eda8a0f0675e74dbd836cd3180453d0ceb503b5 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:05:07 -0400 Subject: [PATCH 01/11] User assigned managed identity --- infra/terraform/identity.tf | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 infra/terraform/identity.tf diff --git a/infra/terraform/identity.tf b/infra/terraform/identity.tf new file mode 100644 index 0000000..74d2b7f --- /dev/null +++ b/infra/terraform/identity.tf 
@@ -0,0 +1,54 @@ +# ------------------------------------------------ +# Identity for the Production Primary App Service +# ------------------------------------------------ + +resource "azurecaf_name" "primary_app_service_identity_name" { + count = var.environment == "prod" ? 1 : 0 + name = var.application_name + resource_type = "azurerm_user_assigned_identity" + suffixes = [var.location, var.environment] +} + +resource "azurerm_user_assigned_identity" "primary_app_service_identity" { + count = var.environment == "prod" ? 1 : 0 + location = azurerm_resource_group.spoke[0].location + name = azurecaf_name.primary_app_service_identity_name[0].result + resource_group_name = azurerm_resource_group.spoke[0].name +} + +# ------------------------------------------------ +# Identity for the Production Secondary App Service +# ------------------------------------------------ + +resource "azurecaf_name" "secondary_app_service_identity_name" { + count = var.environment == "prod" ? 1 : 0 + name = var.application_name + resource_type = "azurerm_user_assigned_identity" + suffixes = [var.secondary_location, var.environment] +} + +resource "azurerm_user_assigned_identity" "secondary_app_service_identity" { + count = var.environment == "prod" ? 1 : 0 + location = azurerm_resource_group.secondary_spoke[0].location + name = azurecaf_name.secondary_app_service_identity_name[0].result + resource_group_name = azurerm_resource_group.secondary_spoke[0].name +} + + +# ------------------------------------------------ +# Identity for the Production Dev App Service +# ------------------------------------------------ + +resource "azurecaf_name" "dev_app_service_identity_name" { + count = var.environment == "dev" ? 1 : 0 + name = var.application_name + resource_type = "azurerm_user_assigned_identity" + suffixes = [var.location, var.environment] +} + +resource "azurerm_user_assigned_identity" "dev_app_service_identity" { + count = var.environment == "dev" ? 
1 : 0 + location = azurerm_resource_group.dev[0].location + name = azurecaf_name.dev_app_service_identity_name[0].result + resource_group_name = azurerm_resource_group.dev[0].name +} From 2a03fd318885db5922437d3f5b866474b2b54398 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:06:02 -0400 Subject: [PATCH 02/11] Redis access policies --- infra/terraform/cache.tf | 67 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/infra/terraform/cache.tf b/infra/terraform/cache.tf index b92723f..5878dd7 100644 --- a/infra/terraform/cache.tf +++ b/infra/terraform/cache.tf @@ -14,6 +14,29 @@ module "cache" { log_analytics_workspace_id = module.hub_app_insights[0].log_analytics_workspace_id } + +resource "azurerm_redis_cache_access_policy_assignment" "primary_current_user" { + count = var.environment == "prod" ? 1 : 0 + name = "primarycurrentuser" + redis_cache_id = module.cache[0].cache_id + access_policy_name = "Data Owner" + object_id = data.azuread_client_config.current.object_id + object_id_alias = "currentuser" +} + +resource "azurerm_redis_cache_access_policy_assignment" "app_user" { + count = var.environment == "prod" ? 1 : 0 + name = "primaryappuser" + redis_cache_id = module.cache[0].cache_id + access_policy_name = "Data Contributor" + object_id = azurerm_user_assigned_identity.primary_app_service_identity[0].principal_id + object_id_alias = azurerm_user_assigned_identity.primary_app_service_identity[0].principal_id + + depends_on = [ + azurerm_redis_cache_access_policy_assignment.primary_current_user + ] +} + # ---------------------------------------------------------------------------------------------- # Cache - Prod - Secondary Region # ---------------------------------------------------------------------------------------------- 
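Review bot: The header above `dev_app_service_identity_name` reads `# Identity for the Production Dev App Service`, which contradicts the `count = var.environment == "dev" ? 1 : 0` guard under it; suggest `# Identity for the Dev App Service`. The three `azurecaf_name`/`azurerm_user_assigned_identity` pairs differ only in environment guard, location and resource group, so a short comment at the top of the file explaining why prod gets one identity per region and dev gets one would help a reader who has not seen the rest of the tree.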
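Review bot: `primary_current_user` gives whatever principal runs `terraform apply` (`data.azuread_client_config.current.object_id`) a standing `Data Owner` policy on the production cache, broader than the app identity's `Data Contributor`, and it remains in place after the deployment finishes. If it exists only for bootstrap or troubleshooting, gate it behind a boolean variable (constructed name: `var.cache_deployer_access_enabled`, defaulting to `false` for prod) and say so in a comment; if it is genuinely required, a comment stating why is the minimum. Whether `object_id_alias = "currentuser"` must be unique per cache is not visible here; if two operators apply from different accounts, confirm the fixed alias does not collide. The same applies to `secondary_current_user` in the next hunk and `dev_current_user` in the one after.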
@@ -29,6 +52,28 @@ module "secondary_cache" { log_analytics_workspace_id = module.hub_app_insights[0].log_analytics_workspace_id } +resource "azurerm_redis_cache_access_policy_assignment" "secondary_current_user" { + count = var.environment == "prod" ? 1 : 0 + name = "secondarycurrentuser" + redis_cache_id = module.secondary_cache[0].cache_id + access_policy_name = "Data Owner" + object_id = data.azuread_client_config.current.object_id + object_id_alias = "currentuser" +} + +resource "azurerm_redis_cache_access_policy_assignment" "secondary_app_user" { + count = var.environment == "prod" ? 1 : 0 + name = "secondaryappuser" + redis_cache_id = module.secondary_cache[0].cache_id + access_policy_name = "Data Contributor" + object_id = azurerm_user_assigned_identity.secondary_app_service_identity[0].principal_id + object_id_alias = azurerm_user_assigned_identity.secondary_app_service_identity[0].principal_id + + depends_on = [ + azurerm_redis_cache_access_policy_assignment.secondary_current_user + ] +} + # ---------------------------------------------------------------------------------------------- # Cache - Dev # ---------------------------------------------------------------------------------------------- 
@@ -43,3 +88,25 @@ module "dev-cache" { private_endpoint_subnet_id = null log_analytics_workspace_id = module.dev_app_insights[0].log_analytics_workspace_id } + +resource "azurerm_redis_cache_access_policy_assignment" "dev_current_user" { + count = var.environment == "dev" ? 1 : 0 + name = "devcurrentuser" + redis_cache_id = module.dev-cache[0].cache_id + access_policy_name = "Data Owner" + object_id = data.azuread_client_config.current.object_id + object_id_alias = "currentuser" +} + +resource "azurerm_redis_cache_access_policy_assignment" "dev_app_user" { + count = var.environment == "dev" ? 1 : 0 + name = "devappuser" + redis_cache_id = module.dev-cache[0].cache_id + access_policy_name = "Data Contributor" + object_id = azurerm_user_assigned_identity.dev_app_service_identity[0].principal_id + object_id_alias = azurerm_user_assigned_identity.dev_app_service_identity[0].principal_id + + depends_on = [ + azurerm_redis_cache_access_policy_assignment.dev_current_user + ] +} From 680453cc8a5248fbf133e1f1ade9be25cfe26eb3 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:07:32 -0400 Subject: [PATCH 03/11] Enable Entra ID for Azure Cache for Redis authentication --- infra/shared/terraform/modules/cache/main.tf | 2 ++ infra/shared/terraform/modules/cache/outputs.tf | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/infra/shared/terraform/modules/cache/main.tf b/infra/shared/terraform/modules/cache/main.tf index 984c406..744c1ef 100644 --- a/infra/shared/terraform/modules/cache/main.tf +++ b/infra/shared/terraform/modules/cache/main.tf @@ -26,6 +26,8 @@ resource "azurerm_redis_cache" "cache" { # https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#default-redis-server-configuration redis_configuration { + enable_authentication = true + active_directory_authentication_enabled = true } } 
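Review bot: `active_directory_authentication_enabled = true` adds Entra ID as an authentication method but does not turn off the access keys, so the key-based path (and the `primary_access_key` the resource still records in state) stays valid alongside it. If the azurerm release in use exposes `access_keys_authentication_enabled` on `azurerm_redis_cache`, setting it to `false` once every client has moved to Entra auth closes that path; otherwise rotate the keys after this change and add `# Entra ID auth is additive; access keys remain enabled until disabled or rotated separately` above the block. The `azurerm_redis_cache.cache` resource starts before this hunk.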
diff --git a/infra/shared/terraform/modules/cache/outputs.tf b/infra/shared/terraform/modules/cache/outputs.tf index acfb994..96231e2 100644 --- a/infra/shared/terraform/modules/cache/outputs.tf +++ b/infra/shared/terraform/modules/cache/outputs.tf @@ -1,6 +1,6 @@ -output "cache_secret" { - value = azurerm_redis_cache.cache.primary_access_key - description = "The secret to use when connecting to Azure Cache for Redis" +output "cache_id" { + value = azurerm_redis_cache.cache.id + description = "The id of the Azure Cache for Redis" } output "cache_hostname" { From 3eaf048cf94e860b54f528f5b3ea6af5cb5eb524 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:08:40 -0400 Subject: [PATCH 04/11] Remove Redis password from secrets and add a secret for the managed identity client id --- infra/terraform/secrets.tf | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/infra/terraform/secrets.tf b/infra/terraform/secrets.tf index 94f3dde..d7c66e5 100644 --- a/infra/terraform/secrets.tf +++ b/infra/terraform/secrets.tf @@ -94,10 +94,10 @@ resource "azurerm_key_vault_secret" "contoso_application_client_secret" { ] } -resource "azurerm_key_vault_secret" "contoso_cache_secret" { +resource "azurerm_key_vault_secret" "primary_redis_user_secret" { count = var.environment == "prod" ? 1 : 0 - name = "contoso-redis-password" - value = module.cache[0].cache_secret + name = "contoso-primary-redis-user-object-id" + value = azurerm_user_assigned_identity.primary_app_service_identity[0].client_id key_vault_id = module.hub_key_vault[0].vault_id depends_on = [ azurerm_role_assignment.kv_administrator_user_role_assignement 
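Review bot: Replacing `cache_secret` with `cache_id` stops exporting `primary_access_key`, but the key is still an attribute of `azurerm_redis_cache.cache` and therefore still lands in state, and any consumer that captured the old output keeps a working credential. Rotating the cache access keys after this change is what actually retires the exported value; a comment on the new output such as `# Access keys are deliberately not exported; clients authenticate with Entra ID` would record the intent. The `cache_hostname` output continues past the hunk.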
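Review bot: The renamed secret `contoso-primary-redis-user-object-id` stores `azurerm_user_assigned_identity.primary_app_service_identity[0].client_id`, not the object id, and the application consumes it as a client id later in this series, so the name misleads; `name = "contoso-primary-redis-user-client-id"` matches the value. Terraform also deletes the old `contoso-redis-password` secret, but Key Vault soft-delete keeps it recoverable for the retention period, so the Redis access key it holds should be rotated rather than assumed gone. The same naming mismatch appears in `secondary_redis_user_secret` and `dev_redis_user_secret` in the following hunks; this resource's `depends_on` list continues past the hunk.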
@@ -128,6 +128,16 @@ resource "azurerm_key_vault_secret" "secondary_contoso_database_url" { ] } +resource "azurerm_key_vault_secret" "secondary_redis_user_secret" { + count = var.environment == "prod" ? 1 : 0 + name = "contoso-secondary-redis-user-object-id" + value = azurerm_user_assigned_identity.secondary_app_service_identity[0].client_id + key_vault_id = module.hub_key_vault[0].vault_id + depends_on = [ + azurerm_role_assignment.kv_administrator_user_role_assignement + ] +} + # Give the app access to the key vault secrets - https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#secret-scope-role-assignment resource azurerm_role_assignment app_keyvault_role_assignment { count = var.environment == "prod" ? 1 : 0 @@ -216,10 +226,10 @@ resource "azurerm_key_vault_secret" "dev_contoso_application_client_secret" { ] } -resource "azurerm_key_vault_secret" "dev_contoso_cache_secret" { +resource "azurerm_key_vault_secret" "dev_redis_user_secret" { count = var.environment == "dev" ? 1 : 0 - name = "contoso-redis-password" - value = module.dev-cache[0].cache_secret + name = "contoso-dev-redis-user-object-id" + value = azurerm_user_assigned_identity.dev_app_service_identity[0].client_id key_vault_id = module.dev_key_vault[0].vault_id depends_on = [ azurerm_role_assignment.dev_kv_administrator_user_role_assignement From 90d666b4258010ad0ba9f04d161b0a8ccd27bfd7 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:09:42 -0400 Subject: [PATCH 05/11] Assign the managed identity to the App Service. --- .../terraform/modules/app-service/main.tf | 9 +-- .../modules/app-service/variables.tf | 21 ++++++- infra/terraform/application.tf | 61 +++++++++++++------ 3 files changed, 66 insertions(+), 25 deletions(-) diff --git a/infra/shared/terraform/modules/app-service/main.tf b/infra/shared/terraform/modules/app-service/main.tf index abb0f96..b6ae064 100644 --- a/infra/shared/terraform/modules/app-service/main.tf 
+++ b/infra/shared/terraform/modules/app-service/main.tf @@ -48,7 +48,8 @@ resource "azurerm_linux_web_app" "application" { virtual_network_subnet_id = var.appsvc_subnet_id identity { - type = "SystemAssigned" + type = var.identity.type + identity_ids = var.identity.type == "SystemAssigned" ? [] : var.identity.identity_ids } tags = { @@ -107,9 +108,9 @@ resource "azurerm_linux_web_app" "application" { SPRING_CLOUD_AZURE_ACTIVE_DIRECTORY_CREDENTIAL_CLIENT_SECRET = var.contoso_webapp_options.contoso_active_directory_client_secret SPRING_CLOUD_AZURE_ACTIVE_DIRECTORY_PROFILE_TENANT_ID = var.contoso_webapp_options.contoso_active_directory_tenant_id - SPRING_DATA_REDIS_HOST = var.contoso_webapp_options.redis_host_name - SPRING_DATA_REDIS_PORT = var.contoso_webapp_options.redis_port - SPRING_DATA_REDIS_PASSWORD = var.contoso_webapp_options.redis_password + AZURE_CACHE_REDIS_HOST = var.contoso_webapp_options.redis_host_name + AZURE_CACHE_REDIS_PORT = var.contoso_webapp_options.redis_port + AZURE_CACHE_REDIS_CLIENT_ID = var.contoso_webapp_options.redis_user_client_id CONTOSO_RETRY_DEMO = "0" } diff --git a/infra/shared/terraform/modules/app-service/variables.tf b/infra/shared/terraform/modules/app-service/variables.tf index a978996..292c16d 100644 --- a/infra/shared/terraform/modules/app-service/variables.tf +++ b/infra/shared/terraform/modules/app-service/variables.tf 
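Review bot: `identity_ids = var.identity.type == "SystemAssigned" ? [] : var.identity.identity_ids` passes an empty list instead of leaving the argument unset for system-assigned identities; whether the provider accepts an empty set with `SystemAssigned` is not something this hunk shows, and `identity_ids = var.identity.type == "SystemAssigned" ? null : var.identity.identity_ids` is the unambiguous form. Because the module variable declares `identity_ids` as `optional(list(string))`, a caller passing only `type = "UserAssigned"` sends `null` through the other branch and the failure surfaces at apply time rather than at plan; a validation on the variable is the place to catch that. The `azurerm_linux_web_app.application` resource starts and ends outside this hunk; the second hunk in this file, which renames the Redis settings and drops `SPRING_DATA_REDIS_PASSWORD`, needs no change.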
@@ -59,6 +59,25 @@ variable "public_network_access_enabled" { description = "Should public network access be enabled for the Web App." } +variable "identity" { + type = object({ + type = string + identity_ids = optional(list(string)) + }) + + description = "The identity type and the list of identities ids" + + default = { + type = "SystemAssigned" + identity_ids = [] + } + + validation { + condition = contains(["SystemAssigned", "UserAssigned", "SystemAssigned, UserAssigned"], var.identity.type) + error_message = "Please, choose among one of the following identity types: SystemAssigned, UserAssigned or SystemAssigned, UserAssigned." + } +} + variable "contoso_webapp_options" { type = object({ contoso_active_directory_tenant_id = string @@ -71,7 +90,7 @@ variable "contoso_webapp_options" { redis_host_name = string redis_port = number - redis_password = string + redis_user_client_id = string }) description = "The options for the webapp" diff --git a/infra/terraform/application.tf b/infra/terraform/application.tf index 55c9d9d..5f97c18 100644 --- a/infra/terraform/application.tf +++ b/infra/terraform/application.tf 
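Review bot: The `validation` block checks only `identity.type`; nothing rejects `type = "UserAssigned"` or `"SystemAssigned, UserAssigned"` with a missing or empty `identity_ids`, so that mistake is not caught until the provider rejects the web app at apply time. A second validation block on the same variable, below, fails the plan instead. The `contains` check is order-sensitive (`"UserAssigned, SystemAssigned"` is rejected), which is acceptable as long as the error message lists the accepted spelling, as it does. The `contoso_webapp_options` hunk that follows only swaps `redis_password` for `redis_user_client_id` and needs no change.
```hcl
variable "identity" {
  # … unchanged: type, description, default and the existing type validation …

  validation {
    condition     = var.identity.type == "SystemAssigned" || try(length(var.identity.identity_ids), 0) > 0
    error_message = "identity_ids must list at least one user-assigned identity when the identity type includes UserAssigned."
  }
}
```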
@@ -22,16 +22,23 @@ module "application" { frontdoor_profile_uuid = module.frontdoor[0].resource_guid public_network_access_enabled = false + identity = { + type = "SystemAssigned, UserAssigned" + identity_ids = [ + azurerm_user_assigned_identity.primary_app_service_identity[0].id + ] + } + contoso_webapp_options = { - contoso_active_directory_tenant_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})" - contoso_active_directory_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})" - contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})" - postgresql_database_url = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_url[0].id})" - postgresql_database_user = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin[0].id})" - postgresql_database_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin_password[0].id})" - redis_host_name = module.cache[0].cache_hostname - redis_port = module.cache[0].cache_ssl_port - redis_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_cache_secret[0].id})" + contoso_active_directory_tenant_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})" + contoso_active_directory_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})" + contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})" + postgresql_database_url = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_url[0].id})" + postgresql_database_user = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin[0].id})" + postgresql_database_password = 
"@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin_password[0].id})" + redis_host_name = module.cache[0].cache_hostname + redis_port = module.cache[0].cache_ssl_port + redis_user_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.primary_redis_user_secret[0].id})" } } 
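Review bot: `type = "SystemAssigned, UserAssigned"` keeps the system-assigned principal alongside the new user-assigned one, and the hunk does not say what each is for; if, as it appears, the Key Vault references in `contoso_webapp_options` resolve through the system-assigned identity while the user-assigned one serves Entra ID auth to Redis, a comment above the block such as `# System-assigned identity: Key Vault references; user-assigned: Entra ID auth to Azure Cache for Redis` would stop a later cleanup from dropping the wrong one. Most other changed lines here look like `terraform fmt` realignment after the longer `redis_user_client_id` key, which is worth stating in the commit message so reviewers do not hunt for a functional change in them. The same comment applies to `secondary_application` and `dev_application` in the following hunks, and `module "application"` starts before this hunk.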
@@ -48,23 +55,30 @@ module "secondary_application" { location = var.secondary_location private_dns_resource_group = azurerm_resource_group.hub[0].name appsvc_subnet_id = module.secondary_spoke_vnet[0].subnets[local.app_service_subnet_name].id - private_endpoint_subnet_id = module.secondary_spoke_vnet[0].subnets[local.private_link_subnet_name].id + private_endpoint_subnet_id = module.secondary_spoke_vnet[0].subnets[local.private_link_subnet_name].id app_insights_connection_string = module.hub_app_insights[0].connection_string log_analytics_workspace_id = module.hub_app_insights[0].log_analytics_workspace_id frontdoor_host_name = module.frontdoor[0].host_name frontdoor_profile_uuid = module.frontdoor[0].resource_guid public_network_access_enabled = false + identity = { + type = "SystemAssigned, UserAssigned" + identity_ids = [ + azurerm_user_assigned_identity.secondary_app_service_identity[0].id + ] + } + contoso_webapp_options = { - contoso_active_directory_tenant_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})" - contoso_active_directory_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})" - contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})" - postgresql_database_url = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.secondary_contoso_database_url[0].id})" - postgresql_database_user = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin[0].id})" - postgresql_database_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin_password[0].id})" - redis_host_name = module.secondary_cache[0].cache_hostname - redis_port = module.secondary_cache[0].cache_ssl_port - redis_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_cache_secret[0].id})" + contoso_active_directory_tenant_id = 
"@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_tenant_id[0].id})" + contoso_active_directory_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_id[0].id})" + contoso_active_directory_client_secret = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_application_client_secret[0].id})" + postgresql_database_url = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.secondary_contoso_database_url[0].id})" + postgresql_database_user = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin[0].id})" + postgresql_database_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.contoso_database_admin_password[0].id})" + redis_host_name = module.secondary_cache[0].cache_hostname + redis_port = module.secondary_cache[0].cache_ssl_port + redis_user_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.secondary_redis_user_secret[0].id})" } } @@ -92,6 +106,13 @@ module "dev_application" { frontdoor_profile_uuid = module.dev_frontdoor[0].resource_guid public_network_access_enabled = true + identity = { + type = "SystemAssigned, UserAssigned" + identity_ids = [ + azurerm_user_assigned_identity.dev_app_service_identity[0].id + ] + } + contoso_webapp_options = { contoso_active_directory_tenant_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_application_tenant_id[0].id})" contoso_active_directory_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_application_client_id[0].id})" 
@@ -101,6 +122,6 @@ module "dev_application" { postgresql_database_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_database_admin_password[0].id})" redis_host_name = module.dev-cache[0].cache_hostname redis_port = module.dev-cache[0].cache_ssl_port - redis_password = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_contoso_cache_secret[0].id})" + redis_user_client_id = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.dev_redis_user_secret[0].id})" } } From 7d16943375136a0fa4ce035082476b6beda48a3c Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:10:18 -0400 Subject: [PATCH 06/11] Update Azure Terraform provider version --- infra/terraform/versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/terraform/versions.tf b/infra/terraform/versions.tf index db30b3b..2d44055 100644 --- a/infra/terraform/versions.tf +++ b/infra/terraform/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "3.112.0" + version = "3.113.0" } azurecaf = { source = "aztfmod/azurecaf" From 1a18fb284e22fbe8a09df99a2b38cc41d708b08c Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Tue, 23 Jul 2024 09:11:04 -0400 Subject: [PATCH 07/11] CAMS application changes to support managed identity authentication for Azure Cache for Redis --- src/contoso-fiber/pom.xml | 17 ++++++++++++----- .../src/main/resources/application.properties | 4 ++++ 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/contoso-fiber/pom.xml b/src/contoso-fiber/pom.xml index fb2f5a8..2f47a70 100644 --- a/src/contoso-fiber/pom.xml +++ b/src/contoso-fiber/pom.xml @@ -6,7 +6,7 @@ org.springframework.boot spring-boot-starter-parent - 3.1.2 + 3.2.5 @@ -18,8 +18,8 @@ 17 - 5.5.0 - 2022.0.4 + 5.14.0 + 2023.0.2 
@@ -71,6 +71,10 @@ org.springframework.boot spring-boot-starter-data-redis + + com.azure.spring + spring-cloud-azure-starter-data-redis-lettuce + org.springframework.session spring-session-data-redis @@ -100,12 +104,10 @@ nz.net.ultraq.thymeleaf thymeleaf-layout-dialect - 3.2.1 com.fasterxml.jackson.core jackson-databind - 2.15.2 @@ -123,6 +125,11 @@ spring-boot-starter-aop + + org.apache.commons + commons-lang3 + + diff --git a/src/contoso-fiber/src/main/resources/application.properties b/src/contoso-fiber/src/main/resources/application.properties index 05ceab1..3e439bf 100644 --- a/src/contoso-fiber/src/main/resources/application.properties +++ b/src/contoso-fiber/src/main/resources/application.properties @@ -5,6 +5,10 @@ spring.jpa.hibernate.ddl-auto=validate spring.cloud.azure.active-directory.enabled=true # Redis +spring.data.redis.host=${AZURE_CACHE_REDIS_HOST} +spring.data.redis.port=${AZURE_CACHE_REDIS_PORT} +spring.data.redis.azure.passwordless-enabled=true +spring.data.redis.azure.credential.client-id=${AZURE_CACHE_REDIS_CLIENT_ID} spring.data.redis.ssl.enabled=true # Spring Session to leverage Redis to back a web application’s HttpSession From 7ce81037a011eb693f3f3cda8c6c811177b6e809 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Wed, 24 Jul 2024 17:05:11 -0400 Subject: [PATCH 08/11] remove locale from URL --- infra/shared/terraform/modules/cache/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/shared/terraform/modules/cache/main.tf b/infra/shared/terraform/modules/cache/main.tf index 744c1ef..8d7afa2 100644 --- a/infra/shared/terraform/modules/cache/main.tf +++ b/infra/shared/terraform/modules/cache/main.tf 
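Review bot: Dropping the explicit versions for `thymeleaf-layout-dialect` (`3.2.1`) and `jackson-databind` (`2.15.2`) hands selection to the Spring Boot `3.2.5` parent, and `commons-lang3` is added without a version on the same basis. That is the right direction for supply-chain hygiene, but record the resolved versions (a dependency-tree listing in the PR is enough) so the move from `5.5.0`/`2022.0.4` to `5.14.0`/`2023.0.2` is reviewed as a deliberate pin change rather than an implicit one. Nothing in this series shows a use of `commons-lang3`; if nothing under `src/contoso-fiber` imports it, leave it out.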
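Review bot: `spring.data.redis.azure.credential.client-id=${AZURE_CACHE_REDIS_CLIENT_ID}` expects the client id of the user-assigned identity, while the Terraform secret feeding that setting is named `...-redis-user-object-id`; a one-line comment above it, `# Client id (not object id) of the user-assigned managed identity used for Entra ID auth to Redis`, keeps the two from being confused. Whether an unset `AZURE_CACHE_REDIS_CLIENT_ID` falls back to another credential or fails startup is not visible here and is worth stating in that comment for anyone running the app locally.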
@@ -24,7 +24,7 @@ resource "azurerm_redis_cache" "cache" { # public network access will be allowed for non-prod so devs can do integration testing while debugging locally public_network_access_enabled = var.environment == "prod" ? false : true - # https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-configure#default-redis-server-configuration + # https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#default-redis-server-configuration redis_configuration { enable_authentication = true active_directory_authentication_enabled = true From 4a3316c505c7201dacf77d603c164b6b726dccf9 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Wed, 24 Jul 2024 17:16:32 -0400 Subject: [PATCH 09/11] remove URL reference to the wrong Redis Configuration --- infra/shared/terraform/modules/cache/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infra/shared/terraform/modules/cache/main.tf b/infra/shared/terraform/modules/cache/main.tf index 8d7afa2..353127c 100644 --- a/infra/shared/terraform/modules/cache/main.tf +++ b/infra/shared/terraform/modules/cache/main.tf @@ -24,7 +24,6 @@ resource "azurerm_redis_cache" "cache" { # public network access will be allowed for non-prod so devs can do integration testing while debugging locally public_network_access_enabled = var.environment == "prod" ? false : true - # https://learn.microsoft.com/azure/azure-cache-for-redis/cache-configure#default-redis-server-configuration redis_configuration { enable_authentication = true active_directory_authentication_enabled = true From a57b05c6c9568145853dc1c40938c0112e42c6d7 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Fri, 26 Jul 2024 16:56:26 -0400 Subject: [PATCH 10/11] Set the access policy for the current user to Data Contributor --- infra/terraform/cache.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infra/terraform/cache.tf b/infra/terraform/cache.tf index 5878dd7..dab0285 100644 --- a/infra/terraform/cache.tf 
+++ b/infra/terraform/cache.tf @@ -19,7 +19,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "primary_current_user" { count = var.environment == "prod" ? 1 : 0 name = "primarycurrentuser" redis_cache_id = module.cache[0].cache_id - access_policy_name = "Data Owner" + access_policy_name = "Data Contributor" object_id = data.azuread_client_config.current.object_id object_id_alias = "currentuser" } @@ -56,7 +56,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "secondary_current_user" count = var.environment == "prod" ? 1 : 0 name = "secondarycurrentuser" redis_cache_id = module.secondary_cache[0].cache_id - access_policy_name = "Data Owner" + access_policy_name = "Data Contributor" object_id = data.azuread_client_config.current.object_id object_id_alias = "currentuser" } @@ -93,7 +93,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "dev_current_user" { count = var.environment == "dev" ? 1 : 0 name = "devcurrentuser" redis_cache_id = module.dev-cache[0].cache_id - access_policy_name = "Data Owner" + access_policy_name = "Data Contributor" object_id = data.azuread_client_config.current.object_id object_id_alias = "currentuser" } From ca304324dd18b7e101c8ceaad751290eef17da38 Mon Sep 17 00:00:00 2001 From: Nick Dalalelis Date: Fri, 9 Aug 2024 12:32:45 -0400 Subject: [PATCH 11/11] update azure provider version --- infra/terraform/cache.tf | 3 +++ infra/terraform/versions.tf | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/infra/terraform/cache.tf b/infra/terraform/cache.tf index dab0285..72704a1 100644 --- a/infra/terraform/cache.tf +++ b/infra/terraform/cache.tf 
@@ -32,6 +32,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "app_user" { object_id = azurerm_user_assigned_identity.primary_app_service_identity[0].principal_id object_id_alias = azurerm_user_assigned_identity.primary_app_service_identity[0].principal_id + # Ensure that the current user has been created before creating the app user depends_on = [ azurerm_redis_cache_access_policy_assignment.primary_current_user ] @@ -69,6 +70,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "secondary_app_user" { object_id = azurerm_user_assigned_identity.secondary_app_service_identity[0].principal_id object_id_alias = azurerm_user_assigned_identity.secondary_app_service_identity[0].principal_id + # Ensure that the current user has been created before creating the app user depends_on = [ azurerm_redis_cache_access_policy_assignment.secondary_current_user ] @@ -106,6 +108,7 @@ resource "azurerm_redis_cache_access_policy_assignment" "dev_app_user" { object_id = azurerm_user_assigned_identity.dev_app_service_identity[0].principal_id object_id_alias = azurerm_user_assigned_identity.dev_app_service_identity[0].principal_id + # Ensure that the current user has been created before creating the app user depends_on = [ azurerm_redis_cache_access_policy_assignment.dev_current_user ] diff --git a/infra/terraform/versions.tf b/infra/terraform/versions.tf index 2d44055..53ce061 100644 --- a/infra/terraform/versions.tf +++ b/infra/terraform/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "3.113.0" + version = "3.114.0" } azurecaf = { source = "aztfmod/azurecaf"