feat(service): deploy application in container apps (#1303)

<!--- Provide a general summary of your changes in the Title above -->

## Description

<!--- Describe your changes in detail -->

- Added Service in all environments in container app. Using webapi for
now until Service is ready
- Added user assigned identity instead of using the created managed
identity created by the container app to avoid potential race
conditions. This should be required eventually for all container apps.
Making it optional for now.

## Related Issue(s)

- #1301

## Verification

- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Introduced a new infrastructure configuration for deploying a
container application in Azure.
- Added support for multiple environments (production, staging, test)
with dynamic parameter management.
- Enhanced identity management for the container app, allowing for
user-assigned identities.

- **Bug Fixes**
- Improved health probe configurations for better application
monitoring.

- **Documentation**
- Updated workflow to include deployment capabilities for the new
service component.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: arealmaas

.azure/applications/service/main.bicep

@@ -0,0 +1,161 @@
+targetScope = 'resourceGroup'
+
+@description('The tag of the image to be used')
+@minLength(3)
+param imageTag string
+
+@description('The environment for the deployment')
+@minLength(3)
+param environment string
+
+@description('The location where the resources will be deployed')
+@minLength(3)
+param location string
+
+@description('The suffix for the revision of the container app')
+@minLength(3)
+param revisionSuffix string
+
+@description('CPU and memory resources for the container app')
+param resources object?
+
+@description('The name of the container app environment')
+@minLength(3)
+@secure()
+param containerAppEnvironmentName string
+
+@description('The connection string for Application Insights')
+@minLength(3)
+@secure()
+param appInsightConnectionString string
+
+@description('The name of the App Configuration store')
+@minLength(5)
+param appConfigurationName string
+
+@description('The name of the Key Vault for the environment')
+@minLength(3)
+param environmentKeyVaultName string
+
+var namePrefix = 'dp-be-${environment}'
+var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
+var tags = {
+  Environment: environment
+  Product: 'Dialogporten'
+}
+
+resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigurationName
+}
+
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
+  name: containerAppEnvironmentName
+}
+
+var containerAppEnvVars = [
+  {
+    name: 'ASPNETCORE_ENVIRONMENT'
+    value: environment
+  }
+  {
+    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+    value: appInsightConnectionString
+  }
+  {
+    name: 'AZURE_APPCONFIG_URI'
+    value: appConfiguration.properties.endpoint
+  }
+  {
+    name: 'ASPNETCORE_URLS'
+    value: 'http://+:8080'
+  }
+]
+
+resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: environmentKeyVaultName
+}
+
+var serviceName = 'service'
+
+var containerAppName = '${namePrefix}-${serviceName}'
+
+var port = 8080
+
+var probes = [
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Liveness'
+    httpGet: {
+      path: '/health/liveness'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Readiness'
+    httpGet: {
+      path: '/health/readiness'
+      port: port
+    }
+  }
+  {
+    periodSeconds: 5
+    initialDelaySeconds: 2
+    type: 'Startup'
+    httpGet: {
+      path: '/health/startup'
+      port: port
+    }
+  }
+]
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-service-identity'
+  location: location
+  tags: tags
+}
+
+module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
+  name: 'keyVaultReaderAccessPolicy-${containerAppName}'
+  params: {
+    keyvaultName: environmentKeyVaultResource.name
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
+  name: 'appConfigReaderAccessPolicy-${containerAppName}'
+  params: {
+    appConfigurationName: appConfigurationName
+    principalIds: [managedIdentity.properties.principalId]
+  }
+}
+
+module containerApp '../../modules/containerApp/main.bicep' = {
+  name: containerAppName
+  params: {
+    name: containerAppName
+    // todo: make this dynamic based on service name. Using webapi for now.
+    // image: '${baseImageUrl}${serviceName}:${imageTag}'
+    image: '${baseImageUrl}webapi:${imageTag}'
+    location: location
+    envVariables: containerAppEnvVars
+    containerAppEnvId: containerAppEnvironment.id
+    tags: tags
+    resources: resources
+    probes: probes
+    port: port
+    revisionSuffix: revisionSuffix
+    userAssignedIdentityId: managedIdentity.id
+    // TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided
+  }
+  dependsOn: [
+    keyVaultReaderAccessPolicy
+    appConfigReaderAccessPolicy
+  ]
+}
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName

.azure/applications/service/prod.bicepparam

@@ -0,0 +1,12 @@
+using './main.bicep'
+
+param environment = 'prod'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')

.azure/applications/service/staging.bicepparam

@@ -0,0 +1,12 @@
+using './main.bicep'
+
+param environment = 'staging'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')

.azure/applications/service/test.bicepparam

@@ -0,0 +1,12 @@
+using './main.bicep'
+
+param environment = 'test'
+param location = 'norwayeast'
+param imageTag = readEnvironmentVariable('IMAGE_TAG')
+param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')
+
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
+param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
+param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
+param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')

.azure/modules/containerApp/main.bicep

@@ -31,6 +31,10 @@ param revisionSuffix string
 @description('The probes for the container app')
 param probes array = []
 
+// TODO: Refactor to make userAssignedIdentityId a required parameter once all container apps use user-assigned identities
+@description('The ID of the user-assigned managed identity (optional)')
+param userAssignedIdentityId string = ''
+
 // Container app revision name does not allow '.' character
 var cleanedRevisionSuffix = replace(revisionSuffix, '.', '-')
 
@@ -50,12 +54,19 @@ var ingress = {
   ipSecurityRestrictions: ipSecurityRestrictions
 }
 
+var identityConfig = empty(userAssignedIdentityId) ? {
+  type: 'SystemAssigned'
+} : {
+  type: 'UserAssigned'
+  userAssignedIdentities: {
+    '${userAssignedIdentityId}': {}
+  }
+}
+
 resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   name: name
   location: location
-  identity: {
-    type: 'SystemAssigned'
-  }
+  identity: identityConfig
   properties: {
     configuration: {
       ingress: ingress
@@ -81,6 +92,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
   tags: tags
 }
 
-output identityPrincipalId string = containerApp.identity.principalId
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(userAssignedIdentityId)) {
+  name: last(split(userAssignedIdentityId, '/'))
+}
+
+output identityPrincipalId string = empty(userAssignedIdentityId) ? containerApp.identity.principalId : managedIdentity.properties.principalId
 output name string = containerApp.name
 output revisionName string = containerApp.properties.latestRevisionName

.github/workflows/workflow-deploy-apps.yml

@@ -145,6 +145,7 @@ jobs:
           - name: web-api-eu
           - name: web-api-so
           - name: graphql
+          - name: service
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write