terraforming

MarkJamesHoward · MarkJamesHoward · commit 7b10fe4ac7ad · 2026-02-14T18:13:56.000+13:00
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -45,7 +45,10 @@
       "Bash(az storage container create:*)",
       "Bash(terraform import:*)",
       "Bash(terraform plan:*)",
-      "Bash(terraform apply:*)"
+      "Bash(terraform apply:*)",
+      "Bash(nslookup:*)",
+      "Bash(dig:*)",
+      "Bash(terraform force-unlock:*)"
     ]
   }
 }
diff --git a/.github/workflows/publish-dashboard.yml b/.github/workflows/publish-dashboard.yml
@@ -46,7 +46,9 @@ jobs:
         run: |
           cp package.json dist/
           cp package-lock.json dist/
-          cd dist && npm ci --omit=dev
+          cd dist
+          npm pkg set scripts.start="node server/entry.mjs"
+          npm ci --omit=dev
 
       - name: Login to Azure
         uses: azure/login@v2
diff --git a/infra/.gitignore b/infra/.gitignore
@@ -2,3 +2,4 @@
 .terraform/
 *.tfstate
 *.tfstate.backup
+*.tfvars
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
diff --git a/infra/app-service-api.tf b/infra/app-service-api.tf
@@ -11,22 +11,21 @@ resource "azurerm_linux_web_app" "tgit_api" {
   }
 }
 
-# TODO: Uncomment after App Services are created
-# # Custom domain
-# resource "azurerm_app_service_custom_hostname_binding" "tgit_api" {
-#   hostname            = "api.tgit.app"
-#   app_service_name    = azurerm_linux_web_app.tgit_api.name
-#   resource_group_name = azurerm_resource_group.tgit.name
-# }
-#
-# # Managed SSL certificate
-# resource "azurerm_app_service_managed_certificate" "tgit_api" {
-#   custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_api.id
-# }
-#
-# # Bind the certificate to the custom domain
-# resource "azurerm_app_service_certificate_binding" "tgit_api" {
-#   hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_api.id
-#   certificate_id      = azurerm_app_service_managed_certificate.tgit_api.id
-#   ssl_state           = "SniEnabled"
-# }
+# Custom domain
+resource "azurerm_app_service_custom_hostname_binding" "tgit_api" {
+  hostname            = "api.tgit.app"
+  app_service_name    = azurerm_linux_web_app.tgit_api.name
+  resource_group_name = azurerm_resource_group.tgit.name
+}
+
+# Managed SSL certificate
+resource "azurerm_app_service_managed_certificate" "tgit_api" {
+  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_api.id
+}
+
+# Bind the certificate to the custom domain
+resource "azurerm_app_service_certificate_binding" "tgit_api" {
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_api.id
+  certificate_id      = azurerm_app_service_managed_certificate.tgit_api.id
+  ssl_state           = "SniEnabled"
+}
diff --git a/infra/app-service-dashboard.tf b/infra/app-service-dashboard.tf
@@ -15,28 +15,39 @@ resource "azurerm_linux_web_app" "tgit" {
   service_plan_id     = azurerm_service_plan.tgit.id
 
   site_config {
+    app_command_line = "node server/entry.mjs"
+
     application_stack {
       node_version = "20-lts"
     }
   }
+
+  app_settings = {
+    "HOST"             = "0.0.0.0"
+    "COSMOS_ENDPOINT"  = azurerm_cosmosdb_account.tgit.endpoint
+    "COSMOS_KEY"       = azurerm_cosmosdb_account.tgit.primary_key
+    "COSMOS_DATABASE"  = "tgit-dashboard"
+    "WEBAUTHN_RP_NAME" = var.webauthn_rp_name
+    "WEBAUTHN_RP_ID"   = var.webauthn_rp_id
+    "WEBAUTHN_ORIGIN"  = var.webauthn_origin
+  }
 }
 
-# TODO: Uncomment after App Services are created
-# # Custom domain
-# resource "azurerm_app_service_custom_hostname_binding" "tgit_dashboard" {
-#   hostname            = "tgit.app"
-#   app_service_name    = azurerm_linux_web_app.tgit.name
-#   resource_group_name = azurerm_resource_group.tgit.name
-# }
-#
-# # Managed SSL certificate
-# resource "azurerm_app_service_managed_certificate" "tgit_dashboard" {
-#   custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_dashboard.id
-# }
-#
-# # Bind the certificate to the custom domain
-# resource "azurerm_app_service_certificate_binding" "tgit_dashboard" {
-#   hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_dashboard.id
-#   certificate_id      = azurerm_app_service_managed_certificate.tgit_dashboard.id
-#   ssl_state           = "SniEnabled"
-# }
+# Custom domain
+resource "azurerm_app_service_custom_hostname_binding" "tgit_dashboard" {
+  hostname            = "tgit.app"
+  app_service_name    = azurerm_linux_web_app.tgit.name
+  resource_group_name = azurerm_resource_group.tgit.name
+}
+
+# Managed SSL certificate
+resource "azurerm_app_service_managed_certificate" "tgit_dashboard" {
+  custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_dashboard.id
+}
+
+# Bind the certificate to the custom domain
+resource "azurerm_app_service_certificate_binding" "tgit_dashboard" {
+  hostname_binding_id = azurerm_app_service_custom_hostname_binding.tgit_dashboard.id
+  certificate_id      = azurerm_app_service_managed_certificate.tgit_dashboard.id
+  ssl_state           = "SniEnabled"
+}
diff --git a/infra/main.tf b/infra/main.tf
@@ -1,5 +1,16 @@
 # Create the TGit resource group
 resource "azurerm_resource_group" "tgit" {
   location = "newzealandnorth"
-  name     = "TGit_terraform"
+  name     = "TGit"
+}
+
+# Grant the GitHub deploy SP contributor access to the resource group
+data "azuread_service_principal" "deploy" {
+  display_name = "VisualGit-TerraformUser"
+}
+
+resource "azurerm_role_assignment" "deploy_contributor" {
+  scope                = azurerm_resource_group.tgit.id
+  role_definition_name = "Contributor"
+  principal_id         = data.azuread_service_principal.deploy.object_id
 }
diff --git a/infra/providers.tf b/infra/providers.tf
@@ -1,7 +1,7 @@
 terraform {
 
   backend "azurerm" {
-    resource_group_name  = "TGit_terraform"
+    resource_group_name  = "TGit-State"
     storage_account_name = "tgitterraformstate"
     container_name       = "tfstate"
     key                  = "terraform.tfstate"
@@ -12,6 +12,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = "~>4.0"
     }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~>3.0"
+    }
     random = {
       source  = "hashicorp/random"
       version = "~>3.0"
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -0,0 +1,14 @@
+variable "webauthn_rp_name" {
+  description = "WebAuthn Relying Party display name"
+  type        = string
+}
+
+variable "webauthn_rp_id" {
+  description = "WebAuthn Relying Party ID (domain)"
+  type        = string
+}
+
+variable "webauthn_origin" {
+  description = "WebAuthn expected origin URL"
+  type        = string
+}

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,10 @@`
`45`	`45`	`"Bash(az storage container create:*)",`
`46`	`46`	`"Bash(terraform import:*)",`
`47`	`47`	`"Bash(terraform plan:*)",`
`48`		`- "Bash(terraform apply:*)"`
	`48`	`+ "Bash(terraform apply:*)",`
	`49`	`+ "Bash(nslookup:*)",`
	`50`	`+ "Bash(dig:*)",`
	`51`	`+ "Bash(terraform force-unlock:*)"`
`49`	`52`	`]`
`50`	`53`	`}`
`51`	`54`	`}`