Merge branch 'main' into feat/add-idempotency-field

.azure/applications/graphql/main.bicep

@@ -61,6 +61,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-graphql-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'ASPNETCORE_ENVIRONMENT'
@@ -74,6 +80,10 @@ var containerAppEnvVars = [
     name: 'AZURE_APPCONFIG_URI'
     value: appConfiguration.properties.endpoint
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 var port = 8080
@@ -157,22 +167,23 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     probes: probes
     port: port
     scale: scale
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 
 module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicy-${containerAppName}'
   params: {
     keyvaultName: environmentKeyVaultResource.name
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 
 module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
   name: 'appConfigReaderAccessPolicy-${containerAppName}'
   params: {
     appConfigurationName: appConfigurationName
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 

.azure/applications/sync-resource-policy-information-job/main.bicep

@@ -46,6 +46,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-sync-rp-info-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'Infrastructure__DialogDbConnectionString'
@@ -63,6 +69,10 @@ var containerAppEnvVars = [
     name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
     value: appInsightConnectionString
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 // Base URL for accessing secrets in the Key Vault
@@ -94,6 +104,7 @@ module migrationJob '../../modules/containerAppJob/main.bicep' = {
     tags: tags
     cronExpression: jobSchedule
     args: 'sync-resource-policy-information'
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 

.azure/applications/sync-subject-resource-mappings-job/main.bicep

@@ -46,6 +46,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-sync-sr-mappings-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'Infrastructure__DialogDbConnectionString'
@@ -63,6 +69,10 @@ var containerAppEnvVars = [
     name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
     value: appInsightConnectionString
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 // Base URL for accessing secrets in the Key Vault
@@ -94,16 +104,17 @@ module migrationJob '../../modules/containerAppJob/main.bicep' = {
     tags: tags
     cronExpression: jobSchedule
     args: 'sync-subject-resource-mappings'
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 
 module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicy-${name}'
   params: {
     keyvaultName: environmentKeyVaultName
-    principalIds: [migrationJob.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 
-output identityPrincipalId string = migrationJob.outputs.identityPrincipalId
+output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = migrationJob.outputs.name

.azure/applications/web-api-eu/main.bicep

@@ -60,6 +60,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-webapi-eu-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'ASPNETCORE_ENVIRONMENT'
@@ -77,6 +83,10 @@ var containerAppEnvVars = [
     name: 'ASPNETCORE_URLS'
     value: 'http://+:8080'
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 @description('The scaling configuration for the container app')
@@ -159,22 +169,23 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     probes: probes
     revisionSuffix: revisionSuffix
     scale: scale
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 
 module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicy-${containerAppName}'
   params: {
     keyvaultName: environmentKeyVaultResource.name
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 
 module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
   name: 'appConfigReaderAccessPolicy-${containerAppName}'
   params: {
     appConfigurationName: appConfigurationName
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 

.azure/applications/web-api-migration-job/main.bicep

@@ -34,11 +34,21 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-migration-job-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'Infrastructure__DialogDbConnectionString'
     secretRef: 'dbconnectionstring'
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 // https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-functions-deployment#example-1
@@ -62,16 +72,17 @@ module migrationJob '../../modules/containerAppJob/main.bicep' = {
     environmentVariables: containerAppEnvVars
     secrets: secrets
     tags: tags
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 
 module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicy-${name}'
   params: {
     keyvaultName: environmentKeyVaultName
-    principalIds: [migrationJob.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 
-output identityPrincipalId string = migrationJob.outputs.identityPrincipalId
+output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = migrationJob.outputs.name

.azure/applications/web-api-so/main.bicep

@@ -88,6 +88,12 @@ resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01'
   name: containerAppEnvironmentName
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-webapi-so-identity'
+  location: location
+  tags: tags
+}
+
 var containerAppEnvVars = [
   {
     name: 'ASPNETCORE_ENVIRONMENT'
@@ -105,6 +111,10 @@ var containerAppEnvVars = [
     name: 'ASPNETCORE_URLS'
     value: 'http://+:8080'
   }
+  {
+    name: 'AZURE_CLIENT_ID'
+    value: managedIdentity.properties.clientId
+  }
 ]
 
 resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
@@ -160,22 +170,23 @@ module containerApp '../../modules/containerApp/main.bicep' = {
     port: port
     revisionSuffix: revisionSuffix
     scale: scale
+    userAssignedIdentityId: managedIdentity.id
   }
 }
 
 module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicy-${containerAppName}'
   params: {
     keyvaultName: environmentKeyVaultResource.name
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 
 module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
   name: 'appConfigReaderAccessPolicy-${containerAppName}'
   params: {
     appConfigurationName: appConfigurationName
-    principalIds: [containerApp.outputs.identityPrincipalId]
+    principalIds: [managedIdentity.properties.principalId]
   }
 }
 

.azure/modules/containerApp/main.bicep

@@ -58,9 +58,9 @@ param scale Scale = {
   rules: []
 }
 
-// TODO: Refactor to make userAssignedIdentityId a required parameter once all container apps use user-assigned identities
-@description('The ID of the user-assigned managed identity (optional)')
-param userAssignedIdentityId string = ''
+@description('The ID of the user-assigned managed identity')
+@minLength(1)
+param userAssignedIdentityId string
 
 // Container app revision name does not allow '.' character
 var cleanedRevisionSuffix = replace(revisionSuffix, '.', '-')
@@ -81,19 +81,19 @@ var ingress = {
   ipSecurityRestrictions: ipSecurityRestrictions
 }
 
-var identityConfig = empty(userAssignedIdentityId) ? {
-  type: 'SystemAssigned'
-} : {
-  type: 'UserAssigned'
-  userAssignedIdentities: {
-    '${userAssignedIdentityId}': {}
-  }
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: last(split(userAssignedIdentityId, '/'))
 }
 
 resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: name
   location: location
-  identity: identityConfig
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${userAssignedIdentityId}': {}
+    }
+  }
   properties: {
     configuration: {
       ingress: ingress
@@ -116,10 +116,6 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   tags: tags
 }
 
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(userAssignedIdentityId)) {
-  name: last(split(userAssignedIdentityId, '/'))
-}
-
-output identityPrincipalId string = empty(userAssignedIdentityId) ? containerApp.identity.principalId : managedIdentity.properties.principalId
+output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = containerApp.name
 output revisionName string = containerApp.properties.latestRevisionName

.azure/modules/containerAppJob/main.bicep

@@ -25,6 +25,10 @@ param cronExpression string = ''
 @description('The container args for the job (optional)')
 param args string = ''
 
+@description('The ID of the user-assigned managed identity')
+@minLength(1)
+param userAssignedIdentityId string
+
 var isScheduled = !empty(cronExpression)
 
 var scheduledJobProperties = {
@@ -42,11 +46,18 @@ var manualJobProperties = {
   }
 }
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: last(split(userAssignedIdentityId, '/'))
+}
+
 resource job 'Microsoft.App/jobs@2024-03-01' = {
   name: name
   location: location
   identity: {
-    type: 'SystemAssigned'
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${userAssignedIdentityId}': {}
+    }
   }
   properties: {
     configuration: union(
@@ -72,5 +83,5 @@ resource job 'Microsoft.App/jobs@2024-03-01' = {
   tags: tags
 }
 
-output identityPrincipalId string = job.identity.principalId
+output identityPrincipalId string = managedIdentity.properties.principalId
 output name string = job.name

.env

@@ -5,3 +5,8 @@ POSTGRES_DB=dialogporten
 DB_CONNECTION_STRING=Server=dialogporten-postgres;Port=5432;Database=${POSTGRES_DB};User ID=${POSTGRES_USER};Password=${POSTGRES_PASSWORD};
 
 COMPOSE_PROJECT_NAME=digdir
+
+# OTEL
+OTEL_NAMESPACE=dialogporten-local
+OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4318
+OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf