App config (#23)

* feat: initial app config tf module

* feat: add keys and features to app config module

* fix: made key and feat props optional and minor updates

* chore: comment out deprecated_retention_policy

* fix: rename vnet variable for acr to hub

* feat: add app config hub deployment

* feat: add keys for app config to locals

* feat: add user assigned identities to app service and add roles to azconfig

* feat: update role on uid

* feat: remove unnecessary roles from azconfig

* feat: move app config to spoke and add 2nd config for prod

* feat: setup app config key names, remove app settings and add app config connection string

* Changes for Azure App Configuration

* fix: add app config uri to app deployment

* fix: deprecated args in azurerm v4

* change prefix for app config

* Change from connection string to endpoint for the App Config

* Database configuration set by service connector

* System assigned managed identity
---------

Co-authored-by: Isabelle Bersano <[email protected]>
Co-authored-by: Isabelle Bersano <[email protected]>
Co-authored-by: Adnan Khan <[email protected]>

Author: 3 people

apps/contoso-fiber/pom.xml

@@ -149,6 +149,11 @@
         <dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
+        </dependency>
+
+        <dependency>
+			<groupId>com.azure.spring</groupId>
+			<artifactId>spring-cloud-azure-appconfiguration-config-web</artifactId>
 		</dependency>
 
     </dependencies>

apps/contoso-fiber/src/main/java/com/contoso/cams/serviceplan/ServicePlanExceptionSimulator.java

@@ -1,19 +1,26 @@
 package com.contoso.cams.serviceplan;
 
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
 
 /*
  This utility class is used to simulate exceptions to test the CircuitBreaker and Retry implmentations
  based on the error rate set in the environment variable CONTOSO_RETRY_DEMO
  */
+
+@Component
 public class ServicePlanExceptionSimulator {
 
     private static int requestCount = 0;
 
+    @Value("${contoso.retry.demo}")
+    private String demo;
+
     /**
      * Check if exception should be thrown based on error rate
      */
-    public static void checkAndthrowExceptionIfEnabled() {
+    public void checkAndthrowExceptionIfEnabled() {
         int errorRate = getErrorRate();
 
         // if error rate = 0 then return
@@ -31,11 +38,11 @@ public static void checkAndthrowExceptionIfEnabled() {
      * 1 = fail request every time
      * 2 = fail request every 2nd time
      */
-    private static int getErrorRate() {
+    private int getErrorRate() {
         int errorRate = 0;
-        String retryDemo = System.getenv("CONTOSO_RETRY_DEMO");
-        if (!StringUtils.isEmpty(retryDemo)) {
-            errorRate = Integer.parseInt(retryDemo);
+    
+        if (!StringUtils.isEmpty(demo)) {
+            errorRate = Integer.parseInt(demo);
         }
         return errorRate;
     }

apps/contoso-fiber/src/main/java/com/contoso/cams/serviceplan/ServicePlanService.java

@@ -4,6 +4,7 @@
 import java.util.Optional;
 import java.util.stream.Collectors;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import com.contoso.cams.model.ServicePlan;
@@ -17,6 +18,9 @@ public class ServicePlanService {
 
     private final ServicePlanRepository planRepository;
 
+    @Autowired
+    private final ServicePlanExceptionSimulator servicePlanExceptionSimulator;
+
     public List<ServicePlanDto> getServicePlans() {
         List<ServicePlan> servicePlans = planRepository.findAll();
         List<ServicePlanDto> servicePlanDtos = servicePlans.stream()
@@ -29,7 +33,7 @@ public List<ServicePlanDto> getServicePlans() {
                 servicePlan.getIsDefault()))
             .collect(Collectors.toList());
 
-        ServicePlanExceptionSimulator.checkAndthrowExceptionIfEnabled(); 
+            servicePlanExceptionSimulator.checkAndthrowExceptionIfEnabled(); 
 
         return servicePlanDtos;
     }

apps/contoso-fiber/src/main/resources/application.properties

@@ -1,5 +1,8 @@
+## application name
+spring.application.name=contoso-fiber
+
 # Contoso Configuration
-contoso.retry.demo=0
+contoso.retry.demo=${CONTOSO_RETRY_DEMO}
 
 ## email, queue, demo-load, demo-dead-letter
 contoso.suport-guide.request.service=${CONTOSO_SUPPORT_GUIDE_REQUEST_SERVICE}

apps/contoso-fiber/src/main/resources/bootstrap.properties

@@ -0,0 +1,2 @@
+spring.cloud.azure.appconfiguration.stores[0].endpoint=${APP_CONFIGURATION_ENDPOINT}
+spring.cloud.azure.appconfiguration.stores[0].selects[0].key-filter=/contoso-fiber/

infra/shared/terraform/modules/acr/main.tf

@@ -96,7 +96,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_a
   count                 = var.environment == "prod" ? 1 : 0
   name                  = "privatelink.azurecr.io"
   private_dns_zone_name = azurerm_private_dns_zone.dns_for_acr[0].name
-  virtual_network_id    = var.spoke_vnet_id
+  virtual_network_id    = var.hub_vnet_id
   resource_group_name   = var.resource_group
 }
 
@@ -118,4 +118,4 @@ resource "azurerm_private_endpoint" "acr_pe" {
     is_manual_connection           = false
     subresource_names              = ["registry"]
   }
-}
+}

infra/shared/terraform/modules/acr/variables.tf

@@ -49,8 +49,8 @@ variable "private_endpoint_subnet_id" {
   default     = null
 }
 
-variable "spoke_vnet_id" {
+variable "hub_vnet_id" {
   type        = string
   description = "The ID of the Spoke VNET"
   default     = null
-}
+}

infra/shared/terraform/modules/app-config/main.tf

@@ -0,0 +1,121 @@
+terraform {
+  required_providers {
+    azurecaf = {
+      source  = "aztfmod/azurecaf"
+      version = "1.2.26"
+    }
+  }
+}
+
+data "azuread_client_config" "current" {}
+
+# App Configuration naming convention using azurecaf_name module.
+resource "azurecaf_name" "azurerm_app_config" {
+  name          = var.application_name
+  resource_type = "azurerm_app_configuration"
+  suffixes      = [var.environment]
+}
+
+# Create Azure App Configuration
+
+resource "azurerm_app_configuration" "app_config" {
+  name                = azurecaf_name.azurerm_app_config.result
+  resource_group_name = var.resource_group
+  location            = var.location
+
+  sku = var.environment == "prod" ? "standard" : "free"
+
+  purge_protection_enabled = var.environment == "prod" ? true : false
+
+  public_network_access = var.environment == "prod" ? "Disabled" : "Enabled"
+
+  local_auth_enabled = var.environment == "prod" ? false : true
+
+  dynamic "replica" {
+    for_each = var.replica_location != null ? [var.replica_location] : []
+    content {
+      location = replica.value
+      name     = "AppConfig${var.environment}${replica.value}"
+    }
+  }
+}
+
+# Create App Configuration Features
+
+resource "azurerm_app_configuration_feature" "feature" {
+  for_each               = var.features != null ? { for idx, feature in var.features : idx => feature } : {}
+  configuration_store_id = azurerm_app_configuration.app_config.id
+  description            = each.value.description
+  name                   = each.value.name
+
+  enabled = each.value.enabled
+  locked  = each.value.locked
+  label   = each.value.label
+}
+
+# Create App Configuration Keys
+
+resource "azurerm_app_configuration_key" "key" {
+  for_each               = var.keys != null ? { for idx, key in var.keys : idx => key } : {}
+  configuration_store_id = azurerm_app_configuration.app_config.id
+  key                    = each.value.key
+  type                   = each.value.type
+  content_type           = each.value.type == "kv" ? each.value.content_type : null
+  value                  = each.value.type == "kv" ? each.value.value : null
+  vault_key_reference    = each.value.type == "vault" ? each.value.vault_key_reference : null
+  label                  = each.value.label
+  locked                 = each.value.locked
+}
+
+# Create role assignments
+
+resource "azurerm_role_assignment" "app_service_reader_user_role_assignment" {
+  principal_id         = var.app_service_identity_principal_id
+  role_definition_name = "App Configuration Data Reader"
+  scope                = azurerm_app_configuration.app_config.id
+}
+
+# For demo purposes, allow current user access to the app config
+# Note: when running as a service principal, this is also needed
+
+resource "azurerm_role_assignment" "azconfig_owner_user_role_assignment" {
+  scope                = azurerm_app_configuration.app_config.id
+  role_definition_name = "App Configuration Data Owner"
+  principal_id         = data.azuread_client_config.current.object_id
+}
+
+# Create Private DNS Zone and Endpoint for App Configuration
+
+resource "azurerm_private_dns_zone" "dns_for_azconfig" {
+  count               = var.environment == "prod" ? 1 : 0
+  name                = "privatelink.azconfig.io"
+  resource_group_name = var.resource_group
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_azconfig" {
+  count                 = var.environment == "prod" ? 1 : 0
+  name                  = "privatelink.azconfig.io"
+  private_dns_zone_name = azurerm_private_dns_zone.dns_for_azconfig[0].name
+  virtual_network_id    = var.spoke_vnet_id
+  resource_group_name   = var.resource_group
+}
+
+resource "azurerm_private_endpoint" "azconfig_pe" {
+  count               = var.environment == "prod" ? 1 : 0
+  name                = "private-endpoint-ac"
+  location            = var.location
+  resource_group_name = var.resource_group
+  subnet_id           = var.private_endpoint_subnet_id
+
+  private_dns_zone_group {
+    name                 = "privatednsazconfigzonegroup"
+    private_dns_zone_ids = [azurerm_private_dns_zone.dns_for_azconfig[0].id]
+  }
+
+  private_service_connection {
+    name                           = "peconnection-azconfig"
+    private_connection_resource_id = azurerm_app_configuration.app_config.id
+    is_manual_connection           = false
+    subresource_names              = ["configurationStores"]
+  }
+}

infra/shared/terraform/modules/app-config/outputs.tf

@@ -0,0 +1,9 @@
+output "azconfig_name" {
+  value       = azurerm_app_configuration.app_config.name
+  description = "The Azure App Configuration Name."
+}
+
+output "azconfig_uri" {
+  value       = azurerm_app_configuration.app_config.endpoint
+  description = "The Azure App Configuration URI."
+}

infra/shared/terraform/modules/app-config/variables.tf

@@ -0,0 +1,84 @@
+variable "resource_group" {
+  type        = string
+  description = "The resource group"
+}
+
+variable "environment" {
+  type        = string
+  description = "The environment (dev, test, prod...)"
+  default     = "dev"
+}
+
+variable "location" {
+  type        = string
+  description = "The Azure region where all resources in this example should be created"
+}
+
+variable "application_name" {
+  type        = string
+  description = "The name of your application"
+}
+
+variable "aca_identity_principal_id" {
+  type        = string
+  description = "The principal id of the identity of the container app"
+}
+
+variable "features" {
+  type = list(object({
+    description = optional(string)
+    name        = string
+    enabled     = optional(bool, false)
+    locked      = optional(bool, false)
+    label       = optional(string)
+  }))
+  default = null
+
+  description = "The features to create in the App Configuration"
+}
+
+variable "keys" {
+  type = list(object({
+    key                 = string
+    content_type        = optional(string)
+    label               = optional(string)
+    value               = optional(string)
+    locked              = optional(bool)
+    type                = optional(string, "kv")
+    vault_key_reference = optional(string)
+  }))
+  default = []
+
+  validation {
+    condition = alltrue([
+      for k in var.keys :
+      (k.type == "kv" && k.value != null) || (k.type == "vault" && k.vault_key_reference != null)
+    ])
+    error_message = "Type must be kv or vault. If vault, vault_key_reference must be set. If kv, value must be set."
+  }
+
+  description = "The keys to create in the App Configuration"
+}
+
+variable "replica_location" {
+  type        = string
+  description = "The location of the replica"
+  default     = null
+}
+
+variable "private_endpoint_subnet_id" {
+  type        = string
+  description = "The ID of the subnet where the private endpoint should be created"
+  default     = null
+}
+
+variable "spoke_vnet_id" {
+  type        = string
+  description = "The ID of the Spoke VNET"
+  default     = null
+}
+
+variable "app_service_identity_principal_id" {
+  type        = string
+  description = "The User Assigned identity id of the App Service"
+}