--wip-- [skip ci]

Author: oskogstad

.azure/appConfiguration/addReaderRoles.bicep

@@ -20,4 +20,3 @@ resource roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' =
 		principalType: 'ServicePrincipal'
 	}
 }]
-

.azure/applicationInsights/addReaderRoles.bicep

@@ -0,0 +1,22 @@
+param appInsightsName string
+param principalIds array
+
+resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = {
+	name: appInsightsName
+}
+
+@description('This is the built-in Reader role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader')
+resource readerRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+}
+
+resource roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+	scope: appInsights
+	name: guid(subscription().id, principalId, readerRole.id)
+	properties: {
+		roleDefinitionId: readerRole.id
+		principalId: principalId
+		principalType: 'ServicePrincipal'
+	}
+}]

.azure/containerApp/createExternal.bicep

@@ -99,8 +99,8 @@ var initContainers = [
         value: migrationJob.name
       }
       {
-          name: 'RESOURCE_GROUP_NAME'
-          value: resourceGroup().name
+        name: 'RESOURCE_GROUP_NAME'
+        value: resourceGroup().name
       }
     ])
   }]
@@ -129,13 +129,15 @@ var probes = [
 var ingress = {
   targetPort: port
   external: true
-  ipSecurityRestrictions: [
-    {
-      name: 'allow-apim-ip'
-      action: 'Allow'
-      ipAddressRange: apiManagementIp
-    }
-  ]
+  // #### TEMP
+  // ipSecurityRestrictions: [
+  //   {
+  //     name: 'allow-apim-ip'
+  //     action: 'Allow'
+  //     ipAddressRange: apiManagementIp
+  //   }
+  // ]
+  // #### TEMP
 }
 
 var webapiSoName = '${namePrefix}-webapi-so-ca'

.azure/deployBicep.ps1

@@ -53,9 +53,9 @@ AddMemberPath $paramsJson "parameters.environment.value" $environment
 # Format parameters to be used in az deployment sub create
 $formattedParamsJson = $paramsJson `
 	| ConvertTo-Json -Compress -Depth 100 `
-	# | % {$_ -replace "`"", "\`""} `
-	# | % {$_ -replace "`n", ""} `
-	# | % {$_ -replace "\s", ""}
+	| % {$_ -replace "`"", "\`""} `
+	| % {$_ -replace "`n", ""} `
+	| % {$_ -replace "\s", ""}
 
 # Deploy
 $deploymentOutputs = @( `

.azure/functionApp/appSettings.bicep

@@ -0,0 +1,13 @@
+param webAppName string
+param appSettings object
+param currentAppSettings object
+
+resource webApp 'Microsoft.Web/sites@2023-01-01' existing = {
+  name: webAppName
+}
+
+resource siteconfig 'Microsoft.Web/sites/config@2023-01-01' = {
+  parent: webApp
+  name: 'appsettings'
+  properties: union(currentAppSettings, appSettings)
+}

.azure/functionApp/slackNotifier.bicep

@@ -1,6 +1,7 @@
 param location string
 param applicationInsightsName string
 param namePrefix string
+param keyVaultName string
 
 // Storage account names only supports lower case and numbers
 var storageAccountName = '${replace(namePrefix, '-', '')}slacknotifiersa'
@@ -42,38 +43,33 @@ resource functionApp 'Microsoft.Web/sites@2023-01-01' = {
   }
   properties: {
     serverFarmId: applicationServicePlan.id
+    publicNetworkAccess: 'Enabled'
     siteConfig: {
-      appSettings: [
-        {
-          name: 'AzureWebJobsStorage'
-          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
-        }
-        {
-          name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
-          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
-        }
-        {
-          name: 'WEBSITE_CONTENTSHARE'
-          value: toLower(functionAppName)
-        }
-        {
-          name: 'FUNCTIONS_EXTENSION_VERSION'
-          value: '~4'
-        }
-        {
-          name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
-          value: applicationInsights.properties.InstrumentationKey
-        }
-        {
-          name: 'FUNCTIONS_WORKER_RUNTIME'
-          value: 'dotnet'
-        }
-      ]
+      // Setting/updating appSettings in separate module in order no not delete already deployed functions, see below
     }
     httpsOnly: true
   }
 }
 
+var appSettings = {
+    AzureWebJobsStorage: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'  
+    WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
+    WEBSITE_CONTENTSHARE: toLower(functionAppName)
+    FUNCTIONS_EXTENSION_VERSION: '~4'
+    APPINSIGHTS_INSTRUMENTATIONKEY: applicationInsights.properties.InstrumentationKey
+    Slack__WebhookUrl: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=Slack--Webhook--Url)'
+    FUNCTIONS_WORKER_RUNTIME: 'dotnet-isolated'
+}
+
+module updateAppSettings 'appSettings.bicep' = {
+  name: '${functionAppName}-appsettings'
+  params: {
+    webAppName: functionAppName
+    currentAppSettings: list(resourceId('Microsoft.Web/sites/config', functionAppName, 'appsettings'), '2023-01-01').properties
+    appSettings: appSettings
+  }
+}
+
 var defaultFunctionKey = listkeys('${functionApp.id}/host/default', '2023-01-01').functionKeys.default
 
 resource notifyDevTeam 'Microsoft.Insights/actionGroups@2023-01-01' = {
@@ -82,12 +78,22 @@ resource notifyDevTeam 'Microsoft.Insights/actionGroups@2023-01-01' = {
   properties: {
     enabled: true
     groupShortName: 'DevNotify'
+    // TEMP
+    webhookReceivers: [
+      {
+        name: 'WebHukTest'
+        serviceUri: 'https://webhook.site/16163247-af35-4d0d-a529-18ec3a780229'
+        useAadAuth: false
+        useCommonAlertSchema: true
+      }
+    ]
+    // TEMP
     azureFunctionReceivers: [
       {
         name: functionApp.properties.defaultHostName
         functionName: 'ForwardAlertToSlack'
         functionAppResourceId: functionApp.id
-        httpTriggerUrl: 'https://${functionApp.properties.defaultHostName}/api/ForwardAlertToSlack?code=${defaultFunctionKey}'
+        httpTriggerUrl: 'https://${functionApp.properties.defaultHostName}/api/forewardalerttoslack?code=${defaultFunctionKey}'
         useCommonAlertSchema: true
       }
     ]
@@ -102,10 +108,14 @@ resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-
     evaluationFrequency: 'PT5M'
     windowSize: 'PT5M'
     scopes: [applicationInsights.id]
+    autoMitigate: false
+    targetResourceTypes: [
+      'microsoft.insights/components'
+    ]
     criteria: {
       allOf: [
         {
-          query: 'exceptions\n| summarize count = count() by environment = tostring(customDimensions.AspNetCoreEnvironment), problemId\n\n'
+          query: 'exceptions | summarize count = count() by environment = tostring(customDimensions.AspNetCoreEnvironment), problemId'
           operator: 'GreaterThan'
           threshold: 0
           timeAggregation: 'Count'
@@ -123,3 +133,5 @@ resource exceptionOccuredAlertRule 'Microsoft.Insights/scheduledQueryRules@2023-
     }
   }
 }
+
+output functionAppPrincipalId string = functionApp.identity.principalId

.azure/keyvault/copySecrets.bicep

@@ -33,4 +33,4 @@ module secrets 'upsertSecret.bicep' = [for key in environmentKeys: if (key.isEnv
         secretName: key.value
         secretValue: srcKeyVaultResource.getSecret(key.fullName)
     }
-}]
+}]

.azure/main.bicep

@@ -86,9 +86,9 @@ module postgresql 'postgreSql/create.bicep' = {
     }
 }
 
-module copySecrets 'keyvault/copySecrets.bicep' = {
+module copyEnvironmentSecrets 'keyvault/copySecrets.bicep' = {
 	scope: resourceGroup
-	name: 'copySecrets'
+	name: 'copyEnvironmentSecrets'
 	params: {
 		srcKeyVaultKeys: keyVault.source.keys
 		srcKeyVaultName: secrets.sourceKeyVaultName
@@ -99,13 +99,27 @@ module copySecrets 'keyvault/copySecrets.bicep' = {
 	}
 }
 
+module copyCrossEnvironmentSecrets 'keyvault/copySecrets.bicep' = {
+	scope: resourceGroup
+	name: 'copyCrossEnvironmentSecrets'
+	params: {
+		srcKeyVaultKeys: keyVault.source.keys
+		srcKeyVaultName: secrets.sourceKeyVaultName
+		srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
+		srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
+		destKeyVaultName: keyVaultModule.outputs.name
+		secretPrefix: 'dialogporten--any--'
+	}
+}
+
 module slackNotifier 'functionApp/slackNotifier.bicep' = {
     name: 'slackNotifier'
     scope: resourceGroup
     params: {
         location: location
-        applicationInsightsName: appInsights.outputs.appInsightsName
+        keyVaultName: keyVaultModule.outputs.name
         namePrefix: namePrefix
+        applicationInsightsName: appInsights.outputs.appInsightsName
     }
 }
 
@@ -185,6 +199,15 @@ module appConfigReaderAccessPolicy 'appConfiguration/addReaderRoles.bicep' = {
     }
 }
 
+module appInsightsReaderAccessPolicy 'applicationInsights/addReaderRoles.bicep' = {
+    scope: resourceGroup
+    name: 'appInsightsReaderAccessPolicy'
+    params: {
+        appInsightsName: appInsights.outputs.appInsightsName
+        principalIds: [slackNotifier.outputs.functionAppPrincipalId]
+    }
+}
+
 module appConfigConfigurations 'appConfiguration/upsertKeyValue.bicep' = {
     scope: resourceGroup
     name: 'AppConfig_Add_DialogDbConnectionString'
@@ -201,7 +224,7 @@ module keyVaultReaderAccessPolicy 'keyvault/addReaderRoles.bicep' = {
     name: 'keyVaultReaderAccessPolicy'
     params: {
         keyvaultName: keyVaultModule.outputs.name
-        principalIds: containerAppsPrincipals
+        principalIds: concat(containerAppsPrincipals, [slackNotifier.outputs.functionAppPrincipalId])
     }
 }
 

src/Digdir.Tool.Dialogporten.SlackNotifier/External/AppInsights/IAppInsightsClient.cs

@@ -34,7 +34,14 @@ public async Task<AppInsightsQueryResponseDto[]> QueryAppInsights(AzureAlertDto
             })
             .Select(_httpClient.SendAsync);
         var responses = await Task.WhenAll(requests);
-        var typedResponses = await Task.WhenAll(responses.Select(x => x.Content.ReadFromJsonAsync<AppInsightsQueryResponseDto>()));
+
+        foreach (var httpResponseMessage in responses)
+        {
+            httpResponseMessage.EnsureSuccessStatusCode();
+        }
+
+        var typedResponses = await Task.WhenAll(responses.Select(x =>
+            x.Content.ReadFromJsonAsync<AppInsightsQueryResponseDto>(cancellationToken: cancellationToken)));
         return typedResponses!;
     }
-}
+}

src/Digdir.Tool.Dialogporten.SlackNotifier/README.md

@@ -27,10 +27,10 @@ HTTP POST [Slack_Webhook_Url]
 3. Start the function app
 4. Send a log alert v2 format to the app
 
-The configured url does'nt have to be an actual slack workflow webhook url. It could point to an online webhook tester like https://webhook.site or a homemade webhook tester on your local machine.
+The configured url doesn't have to be an actual slack workflow webhook url. It could point to an online webhook tester like https://webhook.site or a homemade webhook tester on your local machine.
 
 ### Get a valid log alert v2 request
-This function app uses the links in the incoming alerts request to fetch data. Threrfore the requests are app instance and time specific. The provided example request is most likly to be invalid by the time this article is read. Do the following to get a valid request: 
+This function app uses the links in the incoming alerts request to fetch data. Therefore the requests are app instance and time specific. The provided example request is most likely to be invalid by the time this article is read. Do the following to get a valid request: 
 1. Go to https://webhook.site and copy your unique url
 2. Add the url as a webhook action of the azure action group 
 3. Trigger the alert
@@ -96,4 +96,4 @@ Example log alert v2 request:
   }
 }
 
-```
+```