Merge pull request #52 from pamelafox/infra

infra/core/host/appservice-appsettings.bicep

@@ -0,0 +1,17 @@
+metadata description = 'Updates app settings for an Azure App Service.'
+@description('The name of the app service resource within the current resource group scope')
+param name string
+
+@description('The app settings to be applied to the app service')
+@secure()
+param appSettings object
+
+resource appService 'Microsoft.Web/sites@2022-03-01' existing = {
+  name: name
+}
+
+resource settings 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'appsettings'
+  parent: appService
+  properties: appSettings
+}

infra/core/host/appservice.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure App Service in an existing Azure App Service plan.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -23,6 +24,7 @@ param kind string = 'app,linux'
 param allowedOrigins array = []
 param alwaysOn bool = true
 param appCommandLine string = ''
+@secure()
 param appSettings object = {}
 param clientAffinityEnabled bool = false
 param enableOryxBuild bool = contains(kind, 'linux')
@@ -63,29 +65,49 @@ resource appService 'Microsoft.Web/sites@2022-03-01' = {
 
   identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
 
-  resource configAppSettings 'config' = {
-    name: 'appsettings'
-    properties: union(appSettings,
+  resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
+    name: 'ftp'
+    properties: {
+      allow: false
+    }
+  }
+
+  resource basicPublishingCredentialsPoliciesScm 'basicPublishingCredentialsPolicies' = {
+    name: 'scm'
+    properties: {
+      allow: false
+    }
+  }
+}
+
+// Updates to the single Microsoft.sites/web/config resources that need to be performed sequentially
+// sites/web/config 'appsettings'
+module configAppSettings 'appservice-appsettings.bicep' = {
+  name: '${name}-appSettings'
+  params: {
+    name: appService.name
+    appSettings: union(appSettings,
       {
         SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment)
         ENABLE_ORYX_BUILD: string(enableOryxBuild)
       },
+      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {},
       !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
       !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
   }
+}
 
-  resource configLogs 'config' = {
-    name: 'logs'
-    properties: {
-      applicationLogs: { fileSystem: { level: 'Verbose' } }
-      detailedErrorMessages: { enabled: true }
-      failedRequestsTracing: { enabled: true }
-      httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
-    }
-    dependsOn: [
-      configAppSettings
-    ]
+// sites/web/config 'logs'
+resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'logs'
+  parent: appService
+  properties: {
+    applicationLogs: { fileSystem: { level: 'Verbose' } }
+    detailedErrorMessages: { enabled: true }
+    failedRequestsTracing: { enabled: true }
+    httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
   }
+  dependsOn: [configAppSettings]
 }
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {

infra/core/host/appserviceplan.bicep

@@ -1,3 +1,4 @@
+metadata description = 'Creates an Azure App Service plan.'
 param name string
 param location string = resourceGroup().location
 param tags object = {}
@@ -18,3 +19,4 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
 }
 
 output id string = appServicePlan.id
+output name string = appServicePlan.name

infra/core/host/container-app.bicep

@@ -1,77 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-param containerAppsEnvironmentName string = ''
-param containerName string = 'main'
-param containerRegistryName string = ''
-param env array = []
-param external bool = true
-param imageName string
-param keyVaultName string = ''
-param managedIdentity bool = !empty(keyVaultName)
-param targetPort int = 80
-
-@description('CPU cores allocated to a single container instance, e.g. 0.5')
-param containerCpuCoreCount string = '0.5'
-
-@description('Memory allocated to a single container instance, e.g. 1Gi')
-param containerMemory string = '1.0Gi'
-
-resource app 'Microsoft.App/containerApps@2022-03-01' = {
-  name: name
-  location: location
-  tags: tags
-  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
-  properties: {
-    managedEnvironmentId: containerAppsEnvironment.id
-    configuration: {
-      activeRevisionsMode: 'single'
-      ingress: {
-        external: external
-        targetPort: targetPort
-        transport: 'auto'
-      }
-      secrets: [
-        {
-          name: 'registry-password'
-          value: containerRegistry.listCredentials().passwords[0].value
-        }
-      ]
-      registries: [
-        {
-          server: '${containerRegistry.name}.azurecr.io'
-          username: containerRegistry.name
-          passwordSecretRef: 'registry-password'
-        }
-      ]
-    }
-    template: {
-      containers: [
-        {
-          image: imageName
-          name: containerName
-          env: env
-          resources: {
-            cpu: json(containerCpuCoreCount)
-            memory: containerMemory
-          }
-        }
-      ]
-    }
-  }
-}
-
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' existing = {
-  name: containerAppsEnvironmentName
-}
-
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = {
-  name: containerRegistryName
-}
-
-output identityPrincipalId string = managedIdentity ? app.identity.principalId : ''
-output imageName string = imageName
-output name string = app.name
-output uri string = 'https://${app.properties.configuration.ingress.fqdn}'

infra/core/host/container-apps-environment.bicep

@@ -1,26 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-param logAnalyticsWorkspaceName string
-
-resource containerAppsEnvironment 'Microsoft.App/managedEnvironments@2022-03-01' = {
-  name: name
-  location: location
-  tags: tags
-  properties: {
-    appLogsConfiguration: {
-      destination: 'log-analytics'
-      logAnalyticsConfiguration: {
-        customerId: logAnalyticsWorkspace.properties.customerId
-        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
-      }
-    }
-  }
-}
-
-resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
-  name: logAnalyticsWorkspaceName
-}
-
-output name string = containerAppsEnvironment.name

infra/core/host/container-apps.bicep

@@ -1,30 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-param containerAppsEnvironmentName string = ''
-param containerRegistryName string = ''
-param logAnalyticsWorkspaceName string = ''
-
-module containerAppsEnvironment 'container-apps-environment.bicep' = {
-  name: '${name}-container-apps-environment'
-  params: {
-    name: containerAppsEnvironmentName
-    location: location
-    tags: tags
-    logAnalyticsWorkspaceName: logAnalyticsWorkspaceName
-  }
-}
-
-module containerRegistry 'container-registry.bicep' = {
-  name: '${name}-container-registry'
-  params: {
-    name: containerRegistryName
-    location: location
-    tags: tags
-  }
-}
-
-output environmentName string = containerAppsEnvironment.outputs.name
-output registryLoginServer string = containerRegistry.outputs.loginServer
-output registryName string = containerRegistry.outputs.name

infra/core/host/container-registry.bicep

@@ -1,36 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-param adminUserEnabled bool = true
-param anonymousPullEnabled bool = false
-param dataEndpointEnabled bool = false
-param encryption object = {
-  status: 'disabled'
-}
-param networkRuleBypassOptions string = 'AzureServices'
-param publicNetworkAccess string = 'Enabled'
-param sku object = {
-  name: 'Basic'
-}
-param zoneRedundancy string = 'Disabled'
-
-// 2022-02-01-preview needed for anonymousPullEnabled
-resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
-  name: name
-  location: location
-  tags: tags
-  sku: sku
-  properties: {
-    adminUserEnabled: adminUserEnabled
-    anonymousPullEnabled: anonymousPullEnabled
-    dataEndpointEnabled: dataEndpointEnabled
-    encryption: encryption
-    networkRuleBypassOptions: networkRuleBypassOptions
-    publicNetworkAccess: publicNetworkAccess
-    zoneRedundancy: zoneRedundancy
-  }
-}
-
-output loginServer string = containerRegistry.properties.loginServer
-output name string = containerRegistry.name

infra/core/host/functions.bicep

@@ -1,82 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-// Reference Properties
-param applicationInsightsName string = ''
-param appServicePlanId string
-param keyVaultName string = ''
-param managedIdentity bool = !empty(keyVaultName)
-param storageAccountName string
-
-// Runtime Properties
-@allowed([
-  'dotnet', 'dotnetcore', 'dotnet-isolated', 'node', 'python', 'java', 'powershell', 'custom'
-])
-param runtimeName string
-param runtimeNameAndVersion string = '${runtimeName}|${runtimeVersion}'
-param runtimeVersion string
-
-// Function Settings
-@allowed([
-  '~4', '~3', '~2', '~1'
-])
-param extensionVersion string = '~4'
-
-// Microsoft.Web/sites Properties
-param kind string = 'functionapp,linux'
-
-// Microsoft.Web/sites/config
-param allowedOrigins array = []
-param alwaysOn bool = true
-param appCommandLine string = ''
-param appSettings object = {}
-param clientAffinityEnabled bool = false
-param enableOryxBuild bool = contains(kind, 'linux')
-param functionAppScaleLimit int = -1
-param linuxFxVersion string = runtimeNameAndVersion
-param minimumElasticInstanceCount int = -1
-param numberOfWorkers int = -1
-param scmDoBuildDuringDeployment bool = true
-param use32BitWorkerProcess bool = false
-
-module functions 'appservice.bicep' = {
-  name: '${name}-functions'
-  params: {
-    name: name
-    location: location
-    tags: tags
-    allowedOrigins: allowedOrigins
-    alwaysOn: alwaysOn
-    appCommandLine: appCommandLine
-    applicationInsightsName: applicationInsightsName
-    appServicePlanId: appServicePlanId
-    appSettings: union(appSettings, {
-        AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
-        FUNCTIONS_EXTENSION_VERSION: extensionVersion
-        FUNCTIONS_WORKER_RUNTIME: runtimeName
-      })
-    clientAffinityEnabled: clientAffinityEnabled
-    enableOryxBuild: enableOryxBuild
-    functionAppScaleLimit: functionAppScaleLimit
-    keyVaultName: keyVaultName
-    kind: kind
-    linuxFxVersion: linuxFxVersion
-    managedIdentity: managedIdentity
-    minimumElasticInstanceCount: minimumElasticInstanceCount
-    numberOfWorkers: numberOfWorkers
-    runtimeName: runtimeName
-    runtimeVersion: runtimeVersion
-    runtimeNameAndVersion: runtimeNameAndVersion
-    scmDoBuildDuringDeployment: scmDoBuildDuringDeployment
-    use32BitWorkerProcess: use32BitWorkerProcess
-  }
-}
-
-resource storage 'Microsoft.Storage/storageAccounts@2021-09-01' existing = {
-  name: storageAccountName
-}
-
-output identityPrincipalId string = managedIdentity ? functions.outputs.identityPrincipalId : ''
-output name string = functions.outputs.name
-output uri string = functions.outputs.uri

infra/core/host/staticwebapp.bicep

@@ -1,21 +0,0 @@
-param name string
-param location string = resourceGroup().location
-param tags object = {}
-
-param sku object = {
-  name: 'Free'
-  tier: 'Free'
-}
-
-resource web 'Microsoft.Web/staticSites@2022-03-01' = {
-  name: name
-  location: location
-  tags: tags
-  sku: sku
-  properties: {
-    provider: 'Custom'
-  }
-}
-
-output name string = web.name
-output uri string = 'https://${web.properties.defaultHostname}'

infra/main.bicep

@@ -52,7 +52,7 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
     version: '14'
     administratorLogin: postgresAdminUser
     administratorLoginPassword: postgresAdminPassword
-    databaseNames: [ postgresDatabaseName ]
+    databaseNames: [postgresDatabaseName]
     allowAzureIPsFirewall: true
   }
 }
@@ -136,15 +136,17 @@ var secrets = [
 ]
 
 @batchSize(1)
-module keyVaultSecrets './core/security/keyvault-secret.bicep' = [for secret in secrets: {
-  name: 'keyvault-secret-${secret.name}'
-  scope: resourceGroup
-  params: {
-    keyVaultName: keyVault.outputs.name
-    name: secret.name
-    secretValue: secret.value
+module keyVaultSecrets './core/security/keyvault-secret.bicep' = [
+  for secret in secrets: {
+    name: 'keyvault-secret-${secret.name}'
+    scope: resourceGroup
+    params: {
+      keyVaultName: keyVault.outputs.name
+      name: secret.name
+      secretValue: secret.value
+    }
   }
-}]
+]
 
 module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
   name: 'loganalytics'
@@ -158,4 +160,4 @@ module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
 
 output WEB_URI string = 'https://${web.outputs.uri}'
 output AZURE_LOCATION string = location
-output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name
+output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name