Added demo code to pulumi infra to make users in group a reader

Author: ProgrammerAL

update-conference-prague-2024/demo-code-feedback-system/infra/Builders/ApiBuilder.cs

@@ -14,6 +14,7 @@
 using Pulumi.AzureNative.Web;
 using Pulumi.AzureNative.Web.Inputs;
 
+using PulumiInfra.Builders.AzureResourceGroup;
 using PulumiInfra.Config;
 
 using AzureNative = Pulumi.AzureNative;
@@ -28,7 +29,7 @@ public record FunctionInfra(WebApp WebApp, Output<string> HttpsEndpoint);
 
 public record ApiBuilder(
     GlobalConfig GlobalConfig,
-    ResourceGroup ResourceGroup,
+    AzureResourceGroupInfrasatructure ResourceGroupInfra,
     PersistentStorageResources PersistenceResources)
 {
     public ApiResources Build()
@@ -44,7 +45,7 @@ private ApiResources.ServiceStorageInfra GenerateStorageInfrastructure()
     {
         var storageAccount = new StorageAccount("funcsstorage", new StorageAccountArgs
         {
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             Sku = new AzureNative.Storage.Inputs.SkuArgs
             {
                 Name = AzureNative.Storage.SkuName.Standard_LRS,
@@ -66,15 +67,15 @@ private ApiResources.ServiceStorageInfra GenerateStorageInfrastructure()
         {
             AccountName = storageAccount.Name,
             PublicAccess = PublicAccess.None,
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
         });
 
         var functionsBlob = new Blob("functions-blob", new BlobArgs
         {
             AccountName = storageAccount.Name,
             ContainerName = functionsContainer.Name,
             AccessTier = BlobAccessTier.Hot,
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             Source = new FileArchive(GlobalConfig.ApiConfig.FunctionsPackagePath),
             BlobName = "functions.zip",
         });
@@ -90,7 +91,7 @@ private ApiResources.FunctionInfra GenerateFunctionsInfrastructure(ApiResources.
         //Create the App Service Plan
         var appServicePlan = new AppServicePlan("functions-app-service-plan", new AppServicePlanArgs
         {
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             Kind = "Linux",
             Sku = new SkuDescriptionArgs
             {
@@ -162,7 +163,7 @@ private ApiResources.FunctionInfra GenerateFunctionsInfrastructure(ApiResources.
         var webApp = new WebApp("functions-app", new WebAppArgs
         {
             Kind = "FunctionApp",
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             ServerFarmId = appServicePlan.Id,
             HttpsOnly = true,
             SiteConfig = functionAppSiteConfig,

update-conference-prague-2024/demo-code-feedback-system/infra/Builders/AzureResourceGroup/AzureResourceGroupInfrasatructure.cs

@@ -0,0 +1,21 @@
+using Pulumi.AzureAD;
+using Pulumi.AzureNative.Resources;
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+using static PulumiInfra.Builders.AzureResourceGroup.AzureResourceGroupInfrasatructure;
+
+namespace PulumiInfra.Builders.AzureResourceGroup;
+
+public record AzureResourceGroupInfrasatructure(
+    ResourceGroupInfrastructure ResourceGroupInfra,
+    AdGroupInfrastructure AdGroupInfra)
+{
+    public record ResourceGroupInfrastructure(ResourceGroup ResourceGroup);
+    public record AdGroupInfrastructure(Group Group, string GroupName, ImmutableArray<GroupMember> GroupMembers);
+}

update-conference-prague-2024/demo-code-feedback-system/infra/Builders/AzureResourceGroup/AzureResourceGroupStackBuilder.cs

@@ -0,0 +1,85 @@
+using Pulumi;
+
+using System;
+using System.Threading.Tasks;
+using System.Linq;
+
+using Pulumi.AzureNative.Resources;
+
+
+using AzureNative = Pulumi.AzureNative;
+using static PulumiInfra.Builders.AzureResourceGroup.AzureResourceGroupInfrasatructure;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using PulumiInfra.Builders.AzureResourceGroup;
+using PulumiInfra.Config;
+using Pulumi.AzureAD;
+using PulumiInfra.Utilities;
+
+public record AzureResourceGroupStackBuilder(
+    GlobalConfig GlobalConfig)
+{
+    public AzureResourceGroupInfrasatructure GenerateResources()
+    {
+        var resourceGroupInfra = GenerateResourceGroup();
+        var adGroupsInfra = GenerateAdGroup(resourceGroupInfra);
+
+        AssignRbacAccess(resourceGroupInfra, adGroupsInfra);
+
+        return new AzureResourceGroupInfrasatructure(resourceGroupInfra, adGroupsInfra);
+    }
+
+    private ResourceGroupInfrastructure GenerateResourceGroup()
+    {
+        var resourceGroup = new ResourceGroup(GlobalConfig.ApiConfig.ResourceGroupName, new ResourceGroupArgs
+        {
+            Location = GlobalConfig.ApiConfig.Location,
+            Tags = new InputMap<string> {
+                { "environment", GlobalConfig.ServiceConfig.Environment },
+                { "service-version", GlobalConfig.ServiceConfig.Version }
+            }
+        });
+
+        return new ResourceGroupInfrastructure(resourceGroup);
+    }
+
+    private AdGroupInfrastructure GenerateAdGroup(ResourceGroupInfrastructure resourceGroupInfra)
+    {
+        var group = new Group(GlobalConfig.ResourceUsersConfig.GroupName, new GroupArgs
+        {
+            DisplayName = GlobalConfig.ResourceUsersConfig.GroupName,
+            Description = resourceGroupInfra.ResourceGroup.Name.Apply(x => $"Users with access to resources in Resource Group {x}. Generally have access to 'read' the resources, but sometimes the ability to also 'write'."),
+            SecurityEnabled = true,
+            PreventDuplicateNames = true,
+        });
+
+        var groupMembers = new List<GroupMember>();
+        foreach (var user in GlobalConfig.ResourceUsersConfig.Users)
+        {
+            var sanitizedUserName = user.DisplayName.Replace(" ", "-");
+            var memberName = $"{GlobalConfig.ResourceUsersConfig.GroupName}-{sanitizedUserName}";
+
+            var groupMember = new GroupMember(memberName, new()
+            {
+                GroupObjectId = group.Id,
+                MemberObjectId = user.ObjectId
+            });
+
+            groupMembers.Add(groupMember);
+        }
+
+        return new AdGroupInfrastructure(group, GlobalConfig.ResourceUsersConfig.GroupName, groupMembers.ToImmutableArray());
+    }
+
+    private void AssignRbacAccess(ResourceGroupInfrastructure resourceGroupInfra, AdGroupInfrastructure adGroupsInfra)
+    {
+        //Assign group to be able to read everything in the resource group
+        _ = new AzureNative.Authorization.RoleAssignment("arcade-device-management-resource-group-reader-role-assignment", new AzureNative.Authorization.RoleAssignmentArgs
+        {
+            PrincipalId = adGroupsInfra.Group.Id,
+            PrincipalType = AzureNative.Authorization.PrincipalType.Group,
+            RoleDefinitionId = AzureAdRoleIdUtilities.GenerateAzureReaderRoleId(GlobalConfig.ApiConfig.ClientConfig.SubscriptionId),
+            Scope = resourceGroupInfra.ResourceGroup.Id
+        });
+    }
+}

update-conference-prague-2024/demo-code-feedback-system/infra/Builders/PersistentStorageBuilder.cs

@@ -13,6 +13,7 @@
 using Pulumi.AzureNative.Resources;
 using Pulumi.AzureNative.Storage;
 
+using PulumiInfra.Builders.AzureResourceGroup;
 using PulumiInfra.Config;
 
 using AzureNative = Pulumi.AzureNative;
@@ -26,7 +27,7 @@ public record PersistentStorageInfra(StorageAccount StorageAccount);
 
 public record PersistentStorageBuilder(
     GlobalConfig GlobalConfig,
-    ResourceGroup ResourceGroup)
+    AzureResourceGroupInfrasatructure ResourceGroupInfra)
 {
     public PersistentStorageResources Build()
     {
@@ -38,7 +39,7 @@ private PersistentStorageResources.PersistentStorageInfra GenerateStorageInfrast
     {
         var storageAccount = new StorageAccount("persistentstg", new StorageAccountArgs
         {
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             Sku = new AzureNative.Storage.Inputs.SkuArgs
             {
                 Name = AzureNative.Storage.SkuName.Standard_LRS,

update-conference-prague-2024/demo-code-feedback-system/infra/Builders/StaticSiteBuilder.cs

@@ -16,6 +16,7 @@
 using Pulumi.AzureNative.Web;
 using Pulumi.AzureNative.Web.Inputs;
 
+using PulumiInfra.Builders.AzureResourceGroup;
 using PulumiInfra.Config;
 using PulumiInfra.Utilities;
 
@@ -32,7 +33,7 @@ public record SiteStorageInfra(StorageAccount SiteStorageAccount, StorageAccount
 
 public record StaticSiteBuilder(
     GlobalConfig GlobalConfig,
-    ResourceGroup ResourceGroup,
+    AzureResourceGroupInfrasatructure ResourceGroupInfra,
     ApiResources ApiResources)
 {
     public StaticSiteResources Build()
@@ -45,7 +46,7 @@ private SiteStorageInfra GenerateSiteInfra()
     {
         var storageAccount = new StorageAccount("sitestorage", new StorageAccountArgs
         {
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             AllowBlobPublicAccess = true,
             Sku = new AzureNative.Storage.Inputs.SkuArgs
             {
@@ -65,7 +66,7 @@ private SiteStorageInfra GenerateSiteInfra()
 
         var siteStorageAccount = new StorageAccountStaticWebsite("staticsiteaccount", new StorageAccountStaticWebsiteArgs
         {
-            ResourceGroupName = ResourceGroup.Name,
+            ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
             IndexDocument = "index.html",
             Error404Document = "index.html",
             AccountName = storageAccount.Name
@@ -88,7 +89,7 @@ private SiteStorageInfra GenerateSiteInfra()
                     AccountName = storageAccount.Name,
                     ContainerName = "$web",
                     AccessTier = BlobAccessTier.Hot,
-                    ResourceGroupName = ResourceGroup.Name,
+                    ResourceGroupName = ResourceGroupInfra.ResourceGroupInfra.ResourceGroup.Name,
                     Source = new FileAsset(fullFilePath),
                     ContentType = FileUtilities.DetermineFileContentType(fullFilePath),
                     BlobName = relativeFilePath,

update-conference-prague-2024/demo-code-feedback-system/infra/Config/GlobalConfig.cs

@@ -12,7 +12,8 @@ namespace PulumiInfra.Config;
 public record GlobalConfig(
     ServiceConfig ServiceConfig,
     ApiConfig ApiConfig,
-    StaticSiteConfig StaticSiteConfig
+    StaticSiteConfig StaticSiteConfig,
+    ResourceUsersConfig ResourceUsersConfig
     )
 {
     public static async Task<GlobalConfig> LoadAsync(Pulumi.Config config)
@@ -35,7 +36,8 @@ public static async Task<GlobalConfig> LoadAsync(Pulumi.Config config)
         return new GlobalConfig(
             ServiceConfig: config.RequireObject<ServiceConfigDto>("service-config").GenerateValidConfigObject(),
             ApiConfig: apiConfig.GenerateValidConfigObject(),
-            StaticSiteConfig: staticSiteConfig.GenerateValidConfigObject()
+            StaticSiteConfig: staticSiteConfig.GenerateValidConfigObject(),
+            ResourceUsersConfig: config.RequireObject<ResourceUsersConfigDto>("resource-users-config").GenerateValidConfigObject()
             );
     }
 }

update-conference-prague-2024/demo-code-feedback-system/infra/Config/ResourceUsersConfig.cs

@@ -0,0 +1,36 @@
+using Pulumi.AzureAD.Outputs;
+
+using PulumiInfra.Utilities;
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace PulumiInfra.Config;
+public record ResourceUsersConfig(
+    string GroupName,
+    ImmutableArray<GetUsersUserResult> Users);
+
+public class ResourceUsersConfigDto : ConfigDtoBase<ResourceUsersConfig>
+{
+    public string? GroupName { get; set; }
+    public string?[]? Users { get; set; }
+
+    public override ResourceUsersConfig GenerateValidConfigObject()
+    {
+        if (!string.IsNullOrWhiteSpace(GroupName)
+            && Users != null && Users.All(x => !string.IsNullOrWhiteSpace(x)))
+        {
+            var userEmails = Users.ToImmutableArray();
+            var users = AzureUtilities.LoadUsersFromAzureAd(userEmails);
+
+            return new(GroupName, users);
+        }
+
+        throw new Exception($"{GetType().Name} has invalid config");
+    }
+}

update-conference-prague-2024/demo-code-feedback-system/infra/Program.cs

@@ -12,18 +12,16 @@
     var pulumiConfig = new Config();
     var globalConfig = await GlobalConfig.LoadAsync(pulumiConfig);
 
-    var resourceGroup = new ResourceGroup(globalConfig.ApiConfig.ResourceGroupName, new ResourceGroupArgs
-    {
-        Location = globalConfig.ApiConfig.Location
-    });
+    var resourceGroupBuilder = new AzureResourceGroupStackBuilder(globalConfig);
+    var resourceGroupResources = resourceGroupBuilder.GenerateResources();
 
-    var persistentStorageBuilder = new PersistentStorageBuilder(globalConfig, resourceGroup);
+    var persistentStorageBuilder = new PersistentStorageBuilder(globalConfig, resourceGroupResources);
     var persistenceResources = persistentStorageBuilder.Build();
 
-    var apiBuilder = new ApiBuilder(globalConfig, resourceGroup, persistenceResources);
+    var apiBuilder = new ApiBuilder(globalConfig, resourceGroupResources, persistenceResources);
     var apiResources = apiBuilder.Build();
 
-    var staticSiteBuilder = new StaticSiteBuilder(globalConfig, resourceGroup, apiResources);
+    var staticSiteBuilder = new StaticSiteBuilder(globalConfig, resourceGroupResources, apiResources);
     var staticSiteResources = staticSiteBuilder.Build();
 
     return new Dictionary<string, object?>

update-conference-prague-2024/demo-code-feedback-system/infra/Pulumi.dev.yaml

@@ -6,4 +6,8 @@ config:
   update-conf-2024:service-config: 
     Version: dev-version-123
     Environment: dev
-  pulumi:template: azure-csharp
+  update-conf-2024:resource-users-config:
+    GroupName: dev-users
+    Users:
+    - [email protected]
+pulumi:template: azure-csharp

update-conference-prague-2024/demo-code-feedback-system/infra/PulumiInfra.csproj

@@ -8,6 +8,7 @@
 	<LangVersion>latest</LangVersion><EnableNETAnalyzers>true</EnableNETAnalyzers><EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild></PropertyGroup>
 
 	<ItemGroup>
+		<PackageReference Include="Pulumi.AzureAD" Version="6.0.1" />
 		<PackageReference Include="Pulumi" Version="3.67.1" />
 		<PackageReference Include="Pulumi.AzureNative" Version="2.64.3" />
 	</ItemGroup>