diff --git a/.github/actions/scan-vulnerabilities/action.yaml b/.github/actions/scan-vulnerabilities/action.yaml
index cf711d17..786b1b80 100644
--- a/.github/actions/scan-vulnerabilities/action.yaml
+++ b/.github/actions/scan-vulnerabilities/action.yaml
@@ -52,6 +52,7 @@ runs:
 echo "${SCAN_RESULTS}" | grep -i "${SEVERITY}" || echo "No ${SEVERITY} vulnerabilities found."
 } | tee -a "vulnerabilities/${VULNERABILITIES_SUMMARY_LOGFILE}"
 done
+
 - name: Upload vulnerabilities report
 uses: actions/upload-artifact@v4
 with:
diff --git a/.github/workflows/stage-3-build.yaml b/.github/workflows/stage-3-build.yaml
index 52421f55..7192255d 100644
--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -255,16 +255,14 @@ jobs:
 name: Aggregate reports
 runs-on: ubuntu-latest
 needs: [build-and-push, containers-to-build]
- env:
- PR_NUM_TAG: ${{ needs.containers-to-build.outputs.pr_num_tag }}
 steps:
 - name: Get all artifacts
 uses: actions/download-artifact@v4
 with:
- path: reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
+ path: aggregated-reports
 - name: Aggregate reports
 uses: actions/upload-artifact@v4
 with:
 name: aggregated-reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
- path: reports-${{ needs.containers-to-build.outputs.pr_num_tag }}
+ path: aggregated-reports
\ No newline at end of file
diff --git a/infrastructure/modules/acme-certificate/README.md b/infrastructure/modules/acme-certificate/README.md
index 535de2ae..5cca1fe9 100644
--- a/infrastructure/modules/acme-certificate/README.md
+++ b/infrastructure/modules/acme-certificate/README.md
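Review bot: The new `path: aggregated-reports` download step has no `name:` or `pattern:` filter, so `actions/download-artifact@v4` fetches every artifact of the run — presumably including the per-container vulnerability reports uploaded by the scan action in the first file — and re-uploads all of them under one artifact name. If that is the intent, a comment such as `# No name/pattern: deliberately collects every artifact of this run` would make it explicit; otherwise add `pattern: 'reports-*'` (or whatever the report artifacts are actually named) so unrelated artifacts are not bundled. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while this block is being touched. The job definition that holds this `steps:` list starts outside the hunk.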
@@ -9,9 +9,9 @@ A Terraform module to obtain a publicly trusted SSL certificate from the Let's E
 - Automates [DNS-01 challenges](https://letsencrypt.org/docs/challenge-types/) via the [Lego azuredns](https://go-acme.github.io/lego/dns/azuredns/) provider.
 - Handles Lego's requirement for authoritative NS records on the leaf zone. e.g. if you need a certificate for `www.private.example.com` but only have a zone for `example.com`, you can use CNAME redirection (see examples below).
 - CNAME redirection of DNS challenge records, including optional creation of corresponding CNAMEs in Azure Private DNS zones to satisfy Lego's local checks (wildcards supported).
-- Stores certificates in Azure Key Vault as Certificate objects.
+- Stores the issued certificate in Azure Key Vault as a Certificate object.
 - Also stores the certificate as a `.pfx` file in a base64-encoded Key Vault Secret with a strong randomised password, for compatibility with consumers that cannot use Certificate objects.
-- Supports multiple subscriptions (e.g. hub/spoke models).
+- Supports multiple subscriptions (e.g. hub/spoke solution designs).
 - Supports multiple Azure regions.
 ## Example Usage
diff --git a/infrastructure/modules/container-app-environment/tfdocs.md b/infrastructure/modules/container-app-environment/tfdocs.md
index 9d4e453d..c6afa968 100644
--- a/infrastructure/modules/container-app-environment/tfdocs.md
+++ b/infrastructure/modules/container-app-environment/tfdocs.md
@@ -42,7 +42,7 @@ Default: `"UK South"`
 ### [private\_dns\_zone\_rg\_name](#input\_private\_dns\_zone\_rg\_name)
-Description: Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress..
+Description: Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress.
 Type: `string`
diff --git a/infrastructure/modules/function-app/main.tf b/infrastructure/modules/function-app/main.tf
index 797f1ca7..bd5f2074 100644
--- a/infrastructure/modules/function-app/main.tf
+++ b/infrastructure/modules/function-app/main.tf
@@ -21,8 +21,8 @@ resource "azurerm_linux_function_app" "function_app" {
 # }
 identity {
- type = "SystemAssigned, UserAssigned"
- identity_ids = var.assigned_identity_ids
+ type = length(var.assigned_identity_ids) > 0 ? "SystemAssigned, UserAssigned" : "SystemAssigned"
+ identity_ids = length(var.assigned_identity_ids) > 0 ? var.assigned_identity_ids : null
 }
 site_config {
@@ -75,6 +75,11 @@ resource "azurerm_linux_function_app" "function_app" {
 storage_uses_managed_identity = var.storage_uses_managed_identity
 tags = var.tags
+
+ # To prevent Terraform removing 'hidden-link:' tagging created automatically by AzureRM
+ lifecycle {
+ ignore_changes = [tags]
+ }
 }
 /* --------------------------------------------------------------------------------------------------
diff --git a/infrastructure/modules/function-app/tfdocs.md b/infrastructure/modules/function-app/tfdocs.md
index 35b9a54b..675f8ad1 100644
--- a/infrastructure/modules/function-app/tfdocs.md
+++ b/infrastructure/modules/function-app/tfdocs.md
@@ -10,12 +10,6 @@ Description: The login server for the Azure Container Registry.
 Type: `string`
-### [acr\_mi\_client\_id](#input\_acr\_mi\_client\_id)
-
-Description: The Managed Identity Id for the Azure Container Registry.
-
-Type: `any`
-
 ### [ai\_connstring](#input\_ai\_connstring)
 Description: The App Insights connection string.
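Review bot: `ignore_changes = [tags]` in the new `lifecycle` block suppresses drift on every tag, not only the AzureRM-injected `hidden-link:` ones, so later edits to `var.tags` (owner, cost-centre, data-classification and similar governance tags) will never be applied to an existing Function App and any tag added out-of-band will persist unnoticed. If that trade-off is accepted, the comment should say so, e.g. `# Ignore ALL tag drift: AzureRM injects 'hidden-link:' tags. NOTE: changes to var.tags are not applied after creation`. If not, consider narrowing it to the specific key with `ignore_changes = [tags["hidden-link: /app-insights-resource-id"]]` where the Terraform/provider version supports keyed paths — the exact key AzureRM writes is not visible here and needs confirming. The enclosing `azurerm_linux_function_app` resource starts outside the hunk.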
@@ -40,18 +34,6 @@ Description: The ID of the AppServicePlan.
 Type: `string`
-### [assigned\_identity\_ids](#input\_assigned\_identity\_ids)
-
-Description: The list of User Assigned Identity IDs to assign to the Function App.
-
-Type: `list(string)`
-
-### [cont\_registry\_use\_mi](#input\_cont\_registry\_use\_mi)
-
-Description: Should connections for Azure Container Registry use Managed Identity.
-
-Type: `any`
-
 ### [function\_app\_name](#input\_function\_app\_name)
 Description: Name of the Function App
@@ -145,6 +127,14 @@ Type: `bool`
 The following input variables are optional (have default values):
+### [acr\_mi\_client\_id](#input\_acr\_mi\_client\_id)
+
+Description: The Managed Identity Id for the Azure Container Registry.
+
+Type: `any`
+
+Default: `null`
+
 ### [always\_on](#input\_always\_on)
 Description: Should the Function App be always on. Override standard default.
@@ -161,6 +151,22 @@ Type: `map`
 Default: `{}`
+### [assigned\_identity\_ids](#input\_assigned\_identity\_ids)
+
+Description: The list of User Assigned Identity IDs to assign to the Function App.
+
+Type: `list(string)`
+
+Default: `[]`
+
+### [cont\_registry\_use\_mi](#input\_cont\_registry\_use\_mi)
+
+Description: Should connections for Azure Container Registry use Managed Identity.
+
+Type: `bool`
+
+Default: `false`
+
 ### [cors\_allowed\_origins](#input\_cors\_allowed\_origins)
 Description: n/a
diff --git a/infrastructure/modules/function-app/variables.tf b/infrastructure/modules/function-app/variables.tf
index 29a21624..bb49329b 100644
--- a/infrastructure/modules/function-app/variables.tf
+++ b/infrastructure/modules/function-app/variables.tf
@@ -5,6 +5,7 @@ variable "acr_login_server" {
 variable "acr_mi_client_id" {
 description = "The Managed Identity Id for the Azure Container Registry."
+ default = null
 }
 variable "ai_connstring" {
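Review bot: `acr_mi_client_id` gains `default = null` but still declares no `type` constraint (the regenerated tfdocs in the same commit show it as `any`), so a caller can pass a list or an object and the mistake only surfaces deep in the resource plan rather than at variable validation. Add `type = string` alongside the new default — `null` remains a valid value for a typed variable — so bad inputs are rejected up front. The `acr_login_server` block named in the hunk header sits outside the visible lines, so I cannot tell whether it follows the same pattern.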
@@ -41,10 +42,12 @@ variable "asp_id" {
 variable "assigned_identity_ids" {
 type = list(string)
 description = "The list of User Assigned Identity IDs to assign to the Function App."
+ default = []
 }
 variable "cont_registry_use_mi" {
 description = "Should connections for Azure Container Registry use Managed Identity."
+ default = false
 }
 variable "cors_allowed_origins" {
diff --git a/infrastructure/modules/service-bus-subscription/tfdocs.md b/infrastructure/modules/service-bus-subscription/tfdocs.md
index 9b776604..87d847c4 100644
--- a/infrastructure/modules/service-bus-subscription/tfdocs.md
+++ b/infrastructure/modules/service-bus-subscription/tfdocs.md
@@ -16,12 +16,6 @@ Description: The name of the Service Bus namespace.
 Type: `string`
-### [resource\_group\_name](#input\_resource\_group\_name)
-
-Description: The name of the resource group containing the Service Bus namespace.
-
-Type: `string`
-
 ### [service\_bus\_namespace\_id](#input\_service\_bus\_namespace\_id)
 Description: The ID of the Service Bus namespace resource for role assignment scope.
@@ -34,7 +28,7 @@ Description: The name of the Service Bus subscription.
 Type: `string`
-### [topic\_name](#input\_topic\_name)
+### [topic\_id](#input\_topic\_id)
 Description: The name of the Service Bus topic.
@@ -52,14 +46,6 @@ Type: `number`
 Default: `10`
-### [tags](#input\_tags)
-
-Description: A map of tags to assign to the subscription.
-
-Type: `map(string)`
-
-Default: `{}`
-
 ## Resources
diff --git a/infrastructure/modules/service-bus/tfdocs.md b/infrastructure/modules/service-bus/tfdocs.md
index 2deb6b24..4ea7a456 100644
--- a/infrastructure/modules/service-bus/tfdocs.md
+++ b/infrastructure/modules/service-bus/tfdocs.md
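Review bot: `cont_registry_use_mi` gains `default = false` but, unlike `assigned_identity_ids` a few lines above, still declares no `type`; the `bool` shown in the regenerated tfdocs is inferred from the default only, so a caller passing the string `"false"` is accepted and coerced rather than rejected. Add `type = bool` next to the new default so it matches its typed siblings. Separately, `false` is the less secure default for a registry-authentication toggle: it presumably makes the Function App fall back to a credential-based image pull (how the flag is consumed is not visible in this hunk), so if the default is kept, the description should spell out what `false` selects, e.g. `description = "Use the assigned Managed Identity to pull from ACR; when false the app falls back to <credential mechanism>."`.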
@@ -132,8 +132,16 @@ The following outputs are exported:
 Description: n/a
+### [namespace\_name](#output\_namespace\_name)
+
+Description: n/a
+
 ### [servicebus\_connection\_string](#output\_servicebus\_connection\_string)
+Description: n/a
+
+### [topic\_ids](#output\_topic\_ids)
+
 Description: n/a
 ## Resources
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
index 0a79ce47..84dd6d16 100644
--- a/infrastructure/modules/storage/main.tf
+++ b/infrastructure/modules/storage/main.tf
@@ -30,6 +30,14 @@ resource "azurerm_storage_container" "container" {
 container_access_type = each.value.container_access_type
 }
+resource "azurerm_storage_queue" "queue" {
+ for_each = var.queues != null ? toset(var.queues) : toset([])
+
+ name = each.value
+ storage_account_name = azurerm_storage_account.storage_account.name
+}
+
+
 /* --------------------------------------------------------------------------------------------------
 Private Endpoint Configuration
 -------------------------------------------------------------------------------------------------- */
diff --git a/infrastructure/modules/storage/tfdocs.md b/infrastructure/modules/storage/tfdocs.md
index 876f811a..5019dd1e 100644
--- a/infrastructure/modules/storage/tfdocs.md
+++ b/infrastructure/modules/storage/tfdocs.md
@@ -6,7 +6,7 @@ The following input variables are required:
 ### [containers](#input\_containers)
-Description: Definition of Containers configuration
+Description: Definition of Storage Containers configuration
 Type:
@@ -115,6 +115,14 @@ Type: `bool`
 Default: `false`
+### [queues](#input\_queues)
+
+Description: List of Storage Queues to create.
+
+Type: `list(string)`
+
+Default: `[]`
+
 ### [rbac\_roles](#input\_rbac\_roles)
 Description: List of RBAC roles to assign to the Storage Account.
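Review bot: The new `azurerm_storage_queue.queue` resource is, to my knowledge, created through the storage account's data-plane API rather than ARM, so with this module defaulting `public_network_access_enabled` to `false` (visible in the storage `variables.tf` context) `terraform apply` will fail unless the applier can reach the account through its private endpoint or a firewall rule — the same constraint `azurerm_storage_container` above already carries, but it deserves a comment here, e.g. `# Data-plane resource: the identity running apply needs network reach to the account (private endpoint / firewall rule), see public_network_access_enabled`. The `var.queues != null` guard on `for_each` is a null-check the variable itself could enforce (`nullable = false` on `queues`), which would simplify this to `for_each = toset(var.queues)`. The two blank lines after the closing brace can be collapsed to one to match the rest of the file. The file continues outside the hunk.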
@@ -213,4 +221,5 @@ The following resources are used by this module:
 - [azurerm_storage_account.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) (resource)
 - [azurerm_storage_container.container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) (resource)
+- [azurerm_storage_queue.queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) (resource)
 - [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) (data source)
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
index 7fd977a7..427263eb 100644
--- a/infrastructure/modules/storage/variables.tf
+++ b/infrastructure/modules/storage/variables.tf
@@ -44,7 +44,7 @@ variable "blob_properties_versioning_enabled" {
 }
 variable "containers" {
- description = "Definition of Containers configuration"
+ description = "Definition of Storage Containers configuration"
 type = map(object({
 container_name = string
 container_access_type = string
@@ -98,6 +98,12 @@ variable "public_network_access_enabled" {
 default = false
 }
+variable "queues" {
+ description = "List of Storage Queues to create."
+ type = list(string)
+ default = []
+}
+
 variable "rbac_roles" {
 description = "List of RBAC roles to assign to the Storage Account."
 type = list(string)
diff --git a/scripts/deployments/get-docker-names.sh b/scripts/deployments/get-docker-names.sh
index 0fcfc0a4..8632700b 100644
--- a/scripts/deployments/get-docker-names.sh
+++ b/scripts/deployments/get-docker-names.sh
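Review bot: The new `queues` variable accepts any list of strings, so an invalid queue name (uppercase letters, consecutive hyphens, fewer than 3 or more than 63 characters) is only rejected by Azure at apply time, after the rest of the plan has started creating resources; a `validation` block expressing the naming rules moves that failure to plan time. Declaring `nullable = false` (Terraform 1.1+) additionally makes an explicit `null` fall back to the default, which would let the `var.queues != null` guard in `main.tf` go away. The regex below encodes my understanding of the Azure queue-naming rules — lowercase alphanumerics and single hyphens, alphanumeric at both ends — and should be checked against the current documentation before merging.
```hcl
variable "queues" {
  description = "List of Storage Queues to create."
  type        = list(string)
  default     = []
  nullable    = false

  validation {
    condition = alltrue([
      for q in var.queues :
      length(q) >= 3 && length(q) <= 63 && can(regex("^[a-z0-9]([a-z0-9]|-[a-z0-9])*$", q))
    ])
    error_message = "Queue names must be 3-63 characters of lowercase letters, digits and single hyphens, starting and ending with a letter or digit."
  }
}
```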
@@ -141,7 +141,7 @@ done
 if [ ${#non_matched_changes[@]} -ne 0 ]; then
 # Remove duplicates (non-matched items across several compose files)
- unique_changes=("$(printf "%s\n" "${non_matched_changes[@]}" | sort -u)")
+ mapfile -t unique_changes < <(printf "%s\n" "${non_matched_changes[@]}" | sort -u)
 warning_message=$( cat <