Merge pull request #5783 from dfe-analytical-services/dev

Merge Dev into Master

Author: N-moh

infrastructure/parameters/pre-prod.parameters.json

@@ -91,6 +91,9 @@
     },
     "immediatePublicationOfScheduledReleaseVersionsEnabled": {
       "value": true
+    },
+    "eventGridTopicsExist": {
+      "value": false
     }
   }
 }

infrastructure/parameters/prod.parameters.json

@@ -94,6 +94,9 @@
     },
     "maxStatsDbSizeBytes": {
       "value": 2199023255552
+    },
+    "eventGridTopicsExist": {
+      "value": false
     }
   }
 }

infrastructure/parameters/test.parameters.json

@@ -94,6 +94,9 @@
     },
     "immediatePublicationOfScheduledReleaseVersionsEnabled": {
       "value": true
+    },
+    "eventGridTopicsExist": {
+      "value": false
     }
   }
 }

infrastructure/templates/analytics/application/analyticsFunctionApp.bicep

@@ -26,8 +26,8 @@ param analyticsFileShareName string
 @description('The Application Insights connection string that is associated with this resource.')
 param applicationInsightsConnectionString string = ''
 
-@description('The cron schedule for the Public API queries consumer Function. Defaults to every half hour.')
-param publicApiQueryConsumerCron string
+@description('The cron schedule for the analytics consumer Function.')
+param analyticsRequestFilesConsumerCron string
 
 @description('Specifies whether or not the Analytics Function App already exists.')
 param functionAppExists bool
@@ -71,8 +71,8 @@ module functionAppModule '../../common/components/functionApp.bicep' = {
         value: fileShareMountPath
       }
       {
-        name: 'App__ConsumePublicApiQueriesCronSchedule'
-        value: publicApiQueryConsumerCron
+        name: 'App__ConsumeAnalyticsRequestFilesCronSchedule'
+        value: analyticsRequestFilesConsumerCron
       }
     ]
     functionAppExists: functionAppExists

infrastructure/templates/analytics/ci/jobs/deploy-infrastructure.yml

@@ -21,13 +21,8 @@ jobs:
           steps:
             - checkout: self
 
-            - task: AzureCLI@2
-              displayName: Install Bicep
-              inputs:
-                azureSubscription: ${{ parameters.serviceConnection }}
-                scriptType: bash
-                scriptLocation: inlineScript
-                inlineScript: az bicep install
+            - script: az upgrade --yes
+              displayName: Upgrade Azure CLI and extensions
 
             - template: ../tasks/deploy-bicep.yml
               parameters:

infrastructure/templates/analytics/ci/tasks/deploy-bicep.yml

@@ -26,6 +26,10 @@ steps:
       inlineScript: |
         set -e
 
+        # Workaround for AZ CLI 2.71.x breaks bicep deployments when using Azure Devops Agent
+        # See https://github.com/Azure/azure-cli/issues/31189
+        az config set bicep.use_binary_from_path=false
+
         az deployment group ${{ parameters.action }} \
           --name $(infraDeployName) \
           --resource-group $(resourceGroupName) \

infrastructure/templates/analytics/main.bicep

@@ -30,7 +30,7 @@ param analyticsFunctionAppExists bool = true
 param maintenanceIpRanges IpRange[] = []
 
 @description('The cron schedule for the Public API queries consumer Function. Defaults to every hour.')
-param publicApiQueryConsumerCron string = '0 0 * * * *'
+param analyticsRequestFilesConsumerCron string = '0 0 * * * *'
 
 var tagValues = union(resourceTags ?? {}, {
   Environment: environmentName
@@ -105,7 +105,7 @@ module analyticsFunctionAppModule 'application/analyticsFunctionApp.bicep' = {
     applicationInsightsConnectionString: applicationInsightsModule.outputs.applicationInsightsConnectionString
     analyticsStorageAccountName: analyticsStorageModule.outputs.storageAccountName
     analyticsFileShareName: analyticsStorageModule.outputs.fileShareName
-    publicApiQueryConsumerCron: publicApiQueryConsumerCron
+    analyticsRequestFilesConsumerCron: analyticsRequestFilesConsumerCron
     tagValues: tagValues
   }
 }

infrastructure/templates/analytics/parameters/main-dev.bicepparam

@@ -4,4 +4,4 @@ using '../main.bicep'
 param environmentName = 'Development'
 
 // On Dev, we will run the Function App every 10 minutes.
-param publicApiQueryConsumerCron = '0 */10 * * * *'
+param analyticsRequestFilesConsumerCron = '0 */10 * * * *'

infrastructure/templates/common/abbreviations.bicep

@@ -42,8 +42,9 @@ var abbreviations = {
   devicesProvisioningServicesCertificates: 'pcert'
   documentDBDatabaseAccounts: 'cosmos'
   eventGridDomains: 'evgd'
-  eventGridDomainsTopics: 'evgt'
-  eventGridEventSubscriptions: 'evgs'
+  eventGridSubscriptions: 'evgs'
+  eventGridTopics: 'evgt'
+  eventGridSystemTopics: 'evst'
   eventHubNamespaces: 'evhns'
   eventHubNamespacesEventHubs: 'evh'
   fileShare: 'share'

infrastructure/templates/common/builtInRoles.bicep

@@ -13,11 +13,11 @@ param storageAccountName string
 param containerNames array = []
 
 // Reference an existing Storage Account.
-resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' existing = {
+resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
   name: storageAccountName
 }
 
-resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01' = {
+resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2024-01-01' = {
   name: blobServiceName
   parent: storageAccount
   properties: {
@@ -31,7 +31,7 @@ resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01'
   }
 }
 
-resource blobContainer 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01' = [for containerName in containerNames: {
+resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01' = [for containerName in containerNames: {
   name: containerName
   parent: blobService
 }]

infrastructure/templates/common/components/blobService.bicep

@@ -0,0 +1,64 @@
+import { IpRange } from '../../types.bicep'
+
+@description('The resource name.')
+@minLength(3)
+@maxLength(50)
+param name string
+
+@description('Location for all resources.')
+param location string
+
+@description('A list IP network rules to allow access to the Search Service from specific public internet IP address ranges. These rules are applied only when \'publicNetworkAccess\' is \'Enabled\'.')
+param ipRules IpRange[] = []
+
+@description('Specifies whether to enable local authentication. Microsoft Entra access authentication is always enabled.')
+param localAuthenticationEnabled bool = false
+
+@description('Specifies whether traffic is allowed over the public interface.')
+@allowed([
+  'Disabled'
+  'Enabled'
+])
+param publicNetworkAccess string = 'Disabled'
+
+@description('Indicates whether the resource should have a system-assigned managed identity.')
+param systemAssignedIdentity bool = false
+
+@description('The name of a user-assigned managed identity to assign to the resource.')
+param userAssignedIdentityName string = ''
+
+@description('A set of tags with which to tag the resource in Azure')
+param tagValues object
+
+var identityType = systemAssignedIdentity
+  ? (!empty(userAssignedIdentityName) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned')
+  : (!empty(userAssignedIdentityName) ? 'UserAssigned' : 'None')
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' existing = if (!empty(userAssignedIdentityName)) {
+  name: userAssignedIdentityName
+}
+
+resource topic 'Microsoft.EventGrid/topics@2025-02-15' = {
+  name: name
+  location: location
+  identity: {
+    type: identityType
+    userAssignedIdentities: !empty(userAssignedIdentityName) ? { '${userAssignedIdentity.id}': {} } : null
+  }
+  properties: {
+    minimumTlsVersionAllowed: '1.2'
+    inputSchema: 'EventGridSchema'
+    publicNetworkAccess: publicNetworkAccess
+    inboundIpRules: [
+      for ipRule in ipRules: {
+        action: 'Allow'
+        ipMask: ipRule.cidr
+      }
+    ]
+    disableLocalAuth: !localAuthenticationEnabled
+    dataResidencyBoundary: 'WithinRegion'
+  }
+  tags: tagValues
+}
+
+output name string = topic.name

infrastructure/templates/common/components/event-grid/eventGridCustomTopic.bicep

@@ -0,0 +1,49 @@
+@description('The resource name.')
+@minLength(3)
+@maxLength(64)
+param name string
+
+@description('The Event Grid topic name associated with the subscription.')
+param topicName string
+
+@description('The name of the storage account that contains the queue that is the destination of the subscription.')
+param storageAccountName string
+
+@description('The name of the storage queue under the storage account that is the destination of the subscription.')
+param queueName string
+
+@description('A list of event types to include in the subscription. If not specified, all event types are included.')
+param includedEventTypes array = []
+
+resource topic 'Microsoft.EventGrid/topics@2025-02-15' existing = {
+  name: topicName
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
+  name: storageAccountName
+}
+
+resource eventSubscription 'Microsoft.EventGrid/topics/eventSubscriptions@2025-02-15' = {
+  parent: topic
+  name: name
+  properties: {
+    destination: {
+      properties: {
+        resourceId: storageAccount.id
+        queueName: queueName
+        queueMessageTimeToLiveInSeconds: 604800
+      }
+      endpointType: 'StorageQueue'
+    }
+    filter: {
+      enableAdvancedFilteringOnArrays: true
+      includedEventTypes: length(includedEventTypes) > 0 ? includedEventTypes : null
+    }
+    labels: []
+    eventDeliverySchema: 'EventGridSchema'
+    retryPolicy: {
+      maxDeliveryAttempts: 30
+      eventTimeToLiveInMinutes: 1440
+    }
+  }
+}

infrastructure/templates/common/components/event-grid/eventGridCustomTopicQueueSubscription.bicep

@@ -0,0 +1,33 @@
+import { abbreviations } from '../../abbreviations.bicep'
+import { buildFullyQualifiedTopicName } from '../../functions.bicep'
+import { IpRange } from '../../types.bicep'
+
+@description('Resource prefix for all resources.')
+param resourcePrefix string
+
+@description('Location for all resources.')
+param location string
+
+@description('A list of IP network rules to allow access to the resource from specific public internet IP address ranges.')
+param ipRules IpRange[]
+
+@description('Specifies a set of tags with which to tag the resource in Azure.')
+param tagValues object
+
+@description('A list of custom topic names to create.')
+@minLength(1)
+param customTopicNames string[]
+
+module eventGridCustomTopicModule 'eventGridCustomTopic.bicep' = [
+  for (topicName, index) in customTopicNames: {
+    name: 'eventGridCustomTopicModuleDeploy-${index}'
+    params: {
+      name: buildFullyQualifiedTopicName(resourcePrefix, topicName)
+      location: location
+      ipRules: ipRules
+      publicNetworkAccess: 'Enabled'
+      systemAssignedIdentity: true
+      tagValues: tagValues
+    }
+  }
+]

infrastructure/templates/common/components/event-grid/eventGridMessaging.bicep

@@ -0,0 +1,35 @@
+@description('Specifies the id of the principal to which the role is assigned.')
+param principalId string
+
+@description('Specifies whether the principal is a user, a group, or a service principal.')
+@allowed([
+  'User'
+  'Group'
+  'ServicePrincipal'
+])
+param principalType string = 'ServicePrincipal'
+
+@description('Specifies the role definition id\'s to assign to the principal.')
+param roleDefinitionId string
+
+@description('Specifies the name of the Event Grid topic to which the role assignment is scoped.')
+param topicName string
+
+resource topic 'Microsoft.EventGrid/topics@2025-02-15' existing = {
+  name: topicName
+}
+
+resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: roleDefinitionId
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: topic
+  name: guid(topic.id, principalId, roleDefinition.id)
+  properties: {
+    principalId: principalId
+    principalType: principalType
+    roleDefinitionId: roleDefinition.id
+  }
+}

infrastructure/templates/common/components/event-grid/eventGridTopicRoleAssignment.bicep

@@ -77,12 +77,8 @@ param allowedOrigins array = []
 @description('Specifies an optional URL for Azure to use to monitor the health of this resource')
 param healthCheckPath string?
 
-@description('An existing Managed Identity\'s Resource Id with which to associate this Function App.')
-param userAssignedManagedIdentityParams {
-  id: string
-  name: string
-  principalId: string
-}?
+@description('The name of a user-assigned managed identity to assign to the resource.')
+param userAssignedIdentityName string = ''
 
 @description('Specifies the SKU for the Function App hosting plan.')
 param sku object
@@ -126,17 +122,6 @@ var firewallRules = [
   }
 ]
 
-var identity = userAssignedManagedIdentityParams != null
-  ? {
-      type: 'UserAssigned'
-      userAssignedIdentities: {
-        '${userAssignedManagedIdentityParams!.id}': {}
-      }
-    }
-  : {
-      type: 'SystemAssigned'
-    }
-
 var storageAlerts = alerts != null
   ? {
       availability: alerts!.storageAccountAvailability
@@ -158,6 +143,12 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: keyVaultName
 }
 
+var identityType = !empty(userAssignedIdentityName) ? 'SystemAssigned, UserAssigned' : 'SystemAssigned'
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30' existing = if (!empty(userAssignedIdentityName)) {
+  name: userAssignedIdentityName
+}
+
 module appServicePlanModule '../../public-api/components/appServicePlan.bicep' = {
   name: '${appServicePlanName}ModuleDeploy'
   params: {
@@ -210,7 +201,10 @@ resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
   name: functionAppName
   location: location
   kind: (operatingSystem == 'Linux' ? 'functionapp,linux' : 'functionapp')
-  identity: identity
+  identity: {
+    type: identityType
+    userAssignedIdentities: !empty(userAssignedIdentityName) ? { '${userAssignedIdentity.id}': {} } : null
+  }
   properties: {
     containerSize: instanceMemoryMB
     reserved: operatingSystem == 'Linux'
@@ -313,7 +307,7 @@ resource azureStorageAccountsConfig 'Microsoft.Web/sites/config@2023-12-01' = if
 module keyVaultRoleAssignmentModule '../../public-api/components/keyVaultRoleAssignment.bicep' = {
   name: '${functionAppName}KeyVaultRoleAssignmentModuleDeploy'
   params: {
-    principalIds: userAssignedManagedIdentityParams != null ? [userAssignedManagedIdentityParams!.principalId] : [functionApp.identity.principalId]
+    principalIds: [functionApp.identity.principalId]
     keyVaultName: keyVault.name
     role: 'Secrets User'
   }
@@ -411,3 +405,5 @@ module expectedHttpStatusCodeAlerts '../../public-api/components/alerts/dynamicM
 
 output name string = functionApp.name
 output url string = 'https://${functionApp.name}.azurewebsites.net'
+output functionAppIdentityPrincipalId string = functionApp.identity.principalId
+output storageAccountName string = storageAccountModule.outputs.storageAccountName