chore(graphql): Add deployment of GraphQL service and local development via docker-compose (#640)

- Adding new container app for GraphQL
- Refactor apim URL to be optional until we add GraphQL service to the
APIM
- Add graphql to docker-compose and an nginx ingress with a new nginx
config
- Remove explicit add of banana cake pop

## Related Issue(s)

#490

## Verification

- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)

---------

Co-authored-by: Are Almaas <arealmaas@gmail.com>

Author: oskogstad

.azure/applications/graphql/main.bicep

@@ -0,0 +1,83 @@
+targetScope = 'resourceGroup'
+
+@minLength(3)
+param imageTag string
+@minLength(3)
+param environment string
+@minLength(3)
+param location string
+
+@minLength(3)
+@secure()
+param containerAppEnvironmentName string
+@minLength(3)
+@secure()
+param appInsightConnectionString string
+@minLength(5)
+@secure()
+param appConfigurationName string
+@minLength(3)
+@secure()
+param environmentKeyVaultName string
+
+var namePrefix = 'dp-be-${environment}'
+var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
+
+resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigurationName
+}
+
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' existing = {
+  name: containerAppEnvironmentName
+}
+
+var containerAppEnvVars = [
+  {
+    name: 'ASPNETCORE_ENVIRONMENT'
+    value: environment
+  }
+  {
+    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+    value: appInsightConnectionString
+  }
+  {
+    name: 'AZURE_APPCONFIG_URI'
+    value: appConfiguration.properties.endpoint
+  }
+]
+
+resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: environmentKeyVaultName
+}
+
+var containerAppName = '${namePrefix}-graphql-ca'
+
+module containerApp '../../modules/containerApp/main.bicep' = {
+  name: containerAppName
+  params: {
+    name: containerAppName
+    image: '${baseImageUrl}graphql:${imageTag}'
+    location: location
+    envVariables: containerAppEnvVars
+    containerAppEnvId: containerAppEnvironment.id
+  }
+}
+
+module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'keyVaultReaderAccessPolicy-${containerAppName}'
+  params: {
+    keyvaultName: environmentKeyVaultResource.name
+    principalIds: [containerApp.outputs.identityPrincipalId]
+  }
+}
+
+module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
+  name: 'appConfigReaderAccessPolicy-${containerAppName}'
+  params: {
+    appConfigurationName: appConfigurationName
+    principalIds: [containerApp.outputs.identityPrincipalId]
+  }
+}
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName

.azure/applications/graphql/staging.bicepparam

@@ -0,0 +1,11 @@
+using './main.bicep'
+
+param environment = 'staging'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('APP_CONFIGURATION_NAME')

.azure/applications/graphql/test.bicepparam

@@ -0,0 +1,11 @@
+using './main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('APP_CONFIGURATION_NAME')

.azure/modules/containerApp/main.bicep

@@ -3,7 +3,7 @@ param envVariables array = []
 param port int = 8080
 param name string
 param image string
-param apimIp string
+param apimIp string?
 
 param containerAppEnvId string
 
@@ -28,16 +28,20 @@ var probes = [
   }
 ]
 
+var ipSecurityRestrictions = empty(apimIp)
+  ? []
+  : [
+      {
+        name: 'apim'
+        action: 'Allow'
+        ipAddressRange: apimIp!
+      }
+    ]
+
 var ingress = {
   targetPort: port
   external: true
-  ipSecurityRestrictions: [
-    {
-      name: 'apim'
-      action: 'Allow'
-      ipAddressRange: apimIp
-    }
-  ]
+  ipSecurityRestrictions: ipSecurityRestrictions
 }
 
 resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {

.github/workflows/action-deploy-apps.yml

@@ -115,6 +115,7 @@ jobs:
         include:
           - name: web-api-eu
           - name: web-api-so
+          - name: graphql
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write

.github/workflows/action-publish.yml

@@ -27,6 +27,8 @@ jobs:
         include:
           - dockerfile: ./src/Digdir.Domain.Dialogporten.WebApi/Dockerfile
             imageName: webapi
+          - dockerfile: ./src/Digdir.Domain.Dialogporten.GraphQL/Dockerfile
+            imageName: graphql
           - dockerfile: ./src/Digdir.Domain.Dialogporten.Service/Dockerfile
             imageName: service
           - dockerfile: ./src/Digdir.Domain.Dialogporten.ChangeDataCapture/Dockerfile

docker-compose.yml

@@ -5,9 +5,9 @@ services:
   dialogporten-webapi-ingress:
     image: nginx:1.25.4
     ports:
-      - "7214:80"
+      - "7217:80"
     volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-webapi.conf:/etc/nginx/nginx.conf
     depends_on:
       - dialogporten-webapi
     restart: always
@@ -36,3 +36,37 @@ services:
     volumes:
       - ./.aspnet/https:/https
 
+  dialogporten-graphql-ingress:
+    image: nginx:1.25.4
+    ports:
+      - "7215:80"
+    volumes:
+      - ./nginx-graphql.conf:/etc/nginx/nginx.conf
+    depends_on:
+      - dialogporten-graphql
+    restart: always
+
+  dialogporten-graphql:
+    scale: 1
+    ports:
+      - "7220:8080"
+    build:
+      context: .
+      dockerfile: src/Digdir.Domain.Dialogporten.GraphQL/Dockerfile
+    restart: always
+    depends_on:
+      dialogporten-postgres:
+        condition: service_healthy
+      dialogporten-redis:
+        condition: service_healthy
+      dialogporten-migrations:
+        condition: service_completed_successfully
+    environment:
+      - Infrastructure:Redis:ConnectionString=dialogporten-redis:6379
+      - Infrastructure:DialogDbConnectionString=${DB_CONNECTION_STRING}
+      - Application:Dialogporten:BaseUri=http://localhost:7214
+      - Serilog__WriteTo__0__Name=Console
+      - Serilog__MinimumLevel__Default=Debug
+      - ASPNETCORE_ENVIRONMENT=Development
+    volumes:
+      - ./.aspnet/https:/https

nginx-graphql.conf

@@ -0,0 +1,21 @@
+# this nginx config is for the load balancer: dialogporten-graphql-ingress in docker-compose.yml
+events {}
+
+http {
+    upstream graphql {
+        least_conn;
+        server dialogporten-graphql:8080;
+    }
+
+    server {
+        listen 80;
+
+        location / {
+            proxy_pass http://graphql;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}

nginx.conf nginx-webapi.conf

@@ -0,0 +1,27 @@
+FROM mcr.microsoft.com/dotnet/aspnet:8.0.3@sha256:9470bf16cb8566951dfdb89d49a4de73ceb31570b3cdb59059af44fe53b19547 AS base
+WORKDIR /app
+EXPOSE 8080
+
+FROM mcr.microsoft.com/dotnet/sdk:8.0.204@sha256:7861b15f318949cf9214d9ad5382b680a0e22e3b8673180707aa0c594ab75656 AS build
+WORKDIR /src
+# Main project
+COPY ["src/Digdir.Domain.Dialogporten.GraphQL/Digdir.Domain.Dialogporten.GraphQL.csproj", "src/Digdir.Domain.Dialogporten.GraphQL/"]
+# Dependencies
+COPY ["src/Digdir.Domain.Dialogporten.Application/Digdir.Domain.Dialogporten.Application.csproj", "src/Digdir.Domain.Dialogporten.Application/"]
+COPY ["src/Digdir.Domain.Dialogporten.Domain/Digdir.Domain.Dialogporten.Domain.csproj", "src/Digdir.Domain.Dialogporten.Domain/"]
+COPY ["src/Digdir.Library.Entity.Abstractions/Digdir.Library.Entity.Abstractions.csproj", "src/Digdir.Library.Entity.Abstractions/"]
+COPY ["src/Digdir.Library.Entity.EntityFrameworkCore/Digdir.Library.Entity.EntityFrameworkCore.csproj", "src/Digdir.Library.Entity.EntityFrameworkCore/"]
+COPY ["src/Digdir.Domain.Dialogporten.Infrastructure/Digdir.Domain.Dialogporten.Infrastructure.csproj", "src/Digdir.Domain.Dialogporten.Infrastructure/"]
+# Restore project
+RUN dotnet restore "src/Digdir.Domain.Dialogporten.GraphQL/Digdir.Domain.Dialogporten.GraphQL.csproj"
+# Copy source
+COPY ["src/", "."]
+# Publish
+WORKDIR "/src/Digdir.Domain.Dialogporten.GraphQL"
+RUN dotnet publish "Digdir.Domain.Dialogporten.GraphQL.csproj" -c Release -o /app/publish /p:UseAppHost=false
+
+FROM base AS final
+WORKDIR /app
+USER $APP_UID
+COPY --from=build /app/publish .
+ENTRYPOINT ["dotnet", "Digdir.Domain.Dialogporten.GraphQL.dll"]

src/Digdir.Domain.Dialogporten.GraphQL/Dockerfile

@@ -92,34 +92,28 @@ static void BuildAndRun(string[] args)
             .AddSorting()
             .RegisterDbContext<DialogDbContext>()
             .AddQueryType<DialogQueries>()
-            .Services
+        .Services
 
-        // Auth
-        .AddDialogportenAuthentication(builder.Configuration)
-        .AddAuthorization();
+    // Auth
+    .AddDialogportenAuthentication(builder.Configuration)
+    .AddAuthorization();
 
     var app = builder.Build();
 
     app.UseJwtSchemeSelector();
     app.UseAuthentication();
     app.UseAuthorization();
 
-    if (app.Environment.IsDevelopment())
-    {
-        // GUI endpoint
-        app.MapBananaCakePop("/bcp");
-    }
-
     app.MapGraphQL()
-        .RequireAuthorization()
-        .WithOptions(new GraphQLServerOptions
+    .RequireAuthorization()
+    .WithOptions(new GraphQLServerOptions
+    {
+        EnableSchemaRequests = true,
+        Tool =
         {
-            EnableSchemaRequests = true,
-            Tool =
-            {
-                Enable = false
-            }
-        });
+            Enable = true
+        }
+    });
 
     app.Run();
 }

src/Digdir.Domain.Dialogporten.GraphQL/Program.cs

@@ -0,0 +1,73 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "Infrastructure": {
+    "Redis": {
+      "Enabled": true,
+      "ConnectionString": "TODO: Add to local secrets"
+    },
+    "DialogDbConnectionString": "TODO: Add to local secrets",
+    // Settings from appsettings.json, environment variables or other configuration providers.
+    // The first three are always mandatory for all client definitions types
+    "Maskinporten": {
+      // 1. Valid values are test and prod
+      "Environment": "test",
+      // 2. Client Id/integration as configured in Maskinporten
+      "ClientId": "TODO: Add to local secrets",
+      // 3. Scope(s) requested, space seperated. Must be provisioned on supplied client id.
+      "Scope": "altinn:events.publish altinn:events.publish.admin altinn:register/partylookup.admin altinn:authorization:pdp",
+      // --------------------------
+      // Any additional settings are specific for the selected client definition type.
+      // See below for examples using other types.
+      "EncodedJwk": "TODO: Add to local secrets"
+    },
+    "Altinn": {
+      "BaseUri": "https://platform.tt02.altinn.no/",
+      "EventsBaseUri": "Secret webhook sink URL in source key vault",
+      "SubscriptionKey": "TODO: Add to local secrets"
+    }
+  },
+  "Application": {
+    "Dialogporten": {
+      "BaseUri": "https://altinn-dev-api.azure-api.net/dialogporten",
+      "Ed25519KeyPairs": {
+        "Primary": {
+          "Kid": "TODO: Add to local secrets",
+          "PrivateComponent": "TODO: Add to local secrets",
+          "PublicComponent": "TODO: Add to local secrets"
+        },
+        "Secondary": {
+          "Kid": "TODO: Add to local secrets",
+          "PrivateComponent": "TODO: Add to local secrets",
+          "PublicComponent": "TODO: Add to local secrets"
+        }
+      }
+    }
+  },
+  "GraphQl": {
+    "Authentication": {
+      "JwtBearerTokenSchemas": [
+        {
+          "Name": "Maskinporten",
+          "WellKnown": "https://test.maskinporten.no/.well-known/oauth-authorization-server/"
+        },
+        {
+          "Name": "MaskinportenAuxiliary",
+          "WellKnown": "https://ver2.maskinporten.no/.well-known/oauth-authorization-server/"
+        },
+        {
+          "Name": "Altinn",
+          "WellKnown": "https://platform.tt02.altinn.no/authentication/api/v1/openid/.well-known/openid-configuration"
+        },
+        {
+          "Name": "Idporten",
+          "WellKnown": "https://test.idporten.no/.well-known/openid-configuration"
+        }
+      ]
+    }
+  }
+}