feat: add web application configuration and Azure storage role assignments

Author: csharpfritz

AppHost/infra/web.tmpl.yaml

@@ -0,0 +1,56 @@
+api-version: 2024-02-02-preview
+location: {{ .Env.AZURE_LOCATION }}
+identity:
+  type: UserAssigned
+  userAssignedIdentities:
+    ? "{{ .Env.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID }}"
+    : {}
+properties:
+  environmentId: {{ .Env.AZURE_CONTAINER_APPS_ENVIRONMENT_ID }}
+  configuration:
+    activeRevisionsMode: single
+    runtime:
+      dotnet:
+        autoConfigureDataProtection: true
+    ingress:
+      external: true
+      targetPort: {{ targetPortOrDefault 8080 }}
+      transport: http
+      allowInsecure: false
+      customDomains:
+        - name: 'copilotthatjawn.com'
+          bindingType: 'SniEnabled'
+          certificateId: '/subscriptions/09153f92-3cbc-46f1-8872-1683749eda4b/resourceGroups/rg-copilotthatjawn/providers/Microsoft.App/managedEnvironments/cae-uanpydy4xv63a/managedCertificates/copilotthatjawn-com'
+        - name: 'www.copilotthatjawn.com'
+          bindingType: 'SniEnabled'
+          certificateId: '/subscriptions/09153f92-3cbc-46f1-8872-1683749eda4b/resourceGroups/rg-copilotthatjawn/providers/Microsoft.App/managedEnvironments/cae-uanpydy4xv63a/managedCertificates/www-copilotthatjawn-com'
+    registries:
+      - server: {{ .Env.AZURE_CONTAINER_REGISTRY_ENDPOINT }}
+        identity: {{ .Env.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID }}
+    secrets:
+      - name: connectionstrings--tables
+        value: '{{ .Env.AZURE_STORAGE_TABLEENDPOINT }}'
+  template:
+    containers:
+      - image: {{ .Image }}
+        name: web
+        env:
+          - name: AZURE_CLIENT_ID
+            value: {{ .Env.MANAGED_IDENTITY_CLIENT_ID }}
+          - name: ASPNETCORE_FORWARDEDHEADERS_ENABLED
+            value: "true"
+          - name: HTTP_PORTS
+            value: '{{ targetPortOrDefault 0 }}'
+          - name: OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EVENT_LOG_ATTRIBUTES
+            value: "true"
+          - name: OTEL_DOTNET_EXPERIMENTAL_OTLP_EMIT_EXCEPTION_LOG_ATTRIBUTES
+            value: "true"
+          - name: OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY
+            value: in_memory
+          - name: ConnectionStrings__tables
+            secretRef: connectionstrings--tables
+    scale:
+      minReplicas: 1
+tags:
+  azd-service-name: web
+  aspire-resource-name: web

AppHost/infra/web/web.tmpl.bicepparam

@@ -3,6 +3,8 @@ param location string = resourceGroup().location
 
 param azure_storage_outputs_name string
 
+param principalType string
+
 param principalId string
 
 resource azure_storage 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
@@ -14,7 +16,7 @@ resource azure_storage_StorageBlobDataContributor 'Microsoft.Authorization/roleA
   properties: {
     principalId: principalId
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
-    principalType: 'ServicePrincipal'
+    principalType: principalType
   }
   scope: azure_storage
 }
@@ -24,7 +26,7 @@ resource azure_storage_StorageTableDataContributor 'Microsoft.Authorization/role
   properties: {
     principalId: principalId
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
-    principalType: 'ServicePrincipal'
+    principalType: principalType
   }
   scope: azure_storage
 }
@@ -34,7 +36,7 @@ resource azure_storage_StorageQueueDataContributor 'Microsoft.Authorization/role
   properties: {
     principalId: principalId
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
-    principalType: 'ServicePrincipal'
+    principalType: principalType
   }
   scope: azure_storage
 }

…age/web-roles-azure-storage.module.bicep …e-roles/azure-storage-roles.module.bicepinfra/web-roles-azure-storage/web-roles-azure-storage.module.bicep renamed to infra/azure-storage-roles/azure-storage-roles.module.bicep infra/web-roles-azure-storage/web-roles-azure-storage.module.bicep renamed to infra/azure-storage-roles/azure-storage-roles.module.bicep

@@ -12,6 +12,7 @@ param location string
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
 
+
 var tags = {
   'azd-env-name': environmentName
 }
@@ -38,20 +39,14 @@ module azure_storage 'azure-storage/azure-storage.module.bicep' = {
     location: location
   }
 }
-module web_identity 'web-identity/web-identity.module.bicep' = {
-  name: 'web-identity'
-  scope: rg
-  params: {
-    location: location
-  }
-}
-module web_roles_azure_storage 'web-roles-azure-storage/web-roles-azure-storage.module.bicep' = {
-  name: 'web-roles-azure-storage'
+module azure_storage_roles 'azure-storage-roles/azure-storage-roles.module.bicep' = {
+  name: 'azure-storage-roles'
   scope: rg
   params: {
     azure_storage_outputs_name: azure_storage.outputs.name
     location: location
-    principalId: web_identity.outputs.principalId
+    principalId: resources.outputs.MANAGED_IDENTITY_PRINCIPAL_ID
+    principalType: 'ServicePrincipal'
   }
 }
 
@@ -65,5 +60,3 @@ output AZURE_CONTAINER_APPS_ENVIRONMENT_NAME string = resources.outputs.AZURE_CO
 output AZURE_CONTAINER_APPS_ENVIRONMENT_ID string = resources.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID
 output AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN string = resources.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN
 output AZURE_STORAGE_TABLEENDPOINT string = azure_storage.outputs.tableEndpoint
-output WEB_IDENTITY_CLIENTID string = web_identity.outputs.clientId
-output WEB_IDENTITY_ID string = web_identity.outputs.id