feat: add auth to store admin ACA, minor improvements

Signed-off-by: Kristina Devochko <[email protected]>

aca-revision-and-traffic-management/modules/aca-common.bicep

@@ -35,6 +35,12 @@ resource acaEnvironmentDiagnosticSettings 'Microsoft.Insights/diagnosticSettings
         enabled: true
       }
     ]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
   }
 }
 

aks-store-on-aca/main.bicep

@@ -178,8 +178,8 @@ module internal_apps 'modules/aca-internal-apps.bicep' = {
     location: location
     managedIdentityId: common.outputs.managedIdentityId  
     openAIDeploymentName: ai.outputs.openAIDeploymentName
-    openAIEndpoint: keyVaultACA.getSecret('cogaEndpoint')
-    openAIKey: keyVaultACA.getSecret('cogaKey')
+    openAIEndpointSecretUri: ai.outputs.openAIEndpointSecretUri
+    openAIKeySecretUri: ai.outputs.openAIKeySecretUri
     queueUsername: keyVaultCommon.getSecret('queue-username')
     queuePass: keyVaultCommon.getSecret('queue-password')
     subnetIpRange: network.outputs.acaSubnetIpRange
@@ -198,6 +198,9 @@ module public_apps 'modules/aca-public-apps.bicep' = {
     managedIdentityId: common.outputs.managedIdentityId
     orderServiceUri: internal_apps.outputs.orderServiceUri
     productServiceUri: internal_apps.outputs.productServiceUri
+    storeAdminAuthClientId: keyVaultCommon.getSecret('store-admin-auth-client-id')
+    storeAdminAuthClientSecret: keyVaultCommon.getSecret('store-admin-auth-client-secret')
+    storeAdminAuthTenantId: keyVaultCommon.getSecret('store-admin-auth-tenant-id')
     tags: tags
   }
 }

aks-store-on-aca/modules/aca-internal-apps.bicep

@@ -2,15 +2,11 @@ param environmentId string
 param location string
 param managedIdentityId string
 param openAIDeploymentName string
+param openAIEndpointSecretUri string
+param openAIKeySecretUri string
 param subnetIpRange string
 param tags object
 
-@secure()
-param openAIEndpoint string
-
-@secure()
-param openAIKey string
-
 @secure()
 param queueUsername string
 
@@ -485,7 +481,19 @@ resource aiservice 'Microsoft.App/containerApps@2023-05-02-preview' = {
             ipAddressRange:  subnetIpRange
           }
         ]
-      }  
+      }
+      secrets: [
+        {
+          name: 'openai-key-uri'
+          keyVaultUrl: openAIKeySecretUri
+          identity: managedIdentityId
+        }
+        {
+          name: 'openai-endpoint-uri'
+          keyVaultUrl: openAIEndpointSecretUri
+          identity: managedIdentityId
+        }
+      ]
     }
     template: {
       containers: [
@@ -507,11 +515,11 @@ resource aiservice 'Microsoft.App/containerApps@2023-05-02-preview' = {
             }
             {
               name: 'AZURE_OPENAI_ENDPOINT'
-              value: openAIEndpoint
+              secretRef: 'openai-endpoint-uri'
             }
             {
               name: 'OPENAI_API_KEY'
-              value: openAIKey
+              secretRef: 'openai-key-uri'
             }
           ]
           probes: [

aks-store-on-aca/modules/aca-public-apps.bicep

@@ -8,6 +8,15 @@ param orderServiceUri string
 param productServiceUri string
 param tags object
 
+@secure()
+param storeAdminAuthClientId string
+
+@secure()
+param storeAdminAuthClientSecret string
+
+@secure()
+param storeAdminAuthTenantId string
+
 /* Due to hard-coded URLs and port numbers in the NGINX configuration in the original source code, instead of opening up additional unused ports in Azure Container Apps to support this
  * NGINX configuration is overriden in a way that would work more natively for Azure Container Apps. NGINX configuration files for store-front and store-admin apps are stored in .conf files in the current folder.
 */
@@ -158,6 +167,10 @@ resource storeadmin 'Microsoft.App/containerApps@2023-05-02-preview' = {
           name: 'nginx-conf'
           value: storeAdminNginxConf
         }
+        {
+          name: 'microsoft-provider-authentication-secret'
+          value: storeAdminAuthClientSecret
+        }
       ]
     }
     template: {
@@ -246,5 +259,38 @@ resource storeadmin 'Microsoft.App/containerApps@2023-05-02-preview' = {
   tags: tags
 }
 
+@description('This resource enables authentication for the Store Admin application using Microsoft Entra ID as the identity provider and information about existing application registration.')
+resource storeAdminAuthConfig 'Microsoft.App/containerApps/authConfigs@2023-11-02-preview' = {
+  name: 'current' // required name
+  parent: storeadmin  
+  properties: {
+    globalValidation: {
+      redirectToProvider: 'azureactivedirectory'
+      unauthenticatedClientAction: 'RedirectToLoginPage'
+    }
+    httpSettings: {
+      requireHttps: true
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          clientId: storeAdminAuthClientId
+          clientSecretSettingName: 'microsoft-provider-authentication-secret'
+          openIdIssuer: 'https://sts.windows.net/${storeAdminAuthTenantId}/v2.0'
+        }
+        validation: {
+          allowedAudiences: [
+            'api://${storeAdminAuthClientId}'
+          ]
+        }
+      }
+    }
+    platform: {
+      enabled: true
+    }
+  }
+}
+
 output storeFrontUri string = 'https://${storefront.properties.configuration.ingress.fqdn}'
 output storeAdminUri string = 'https://${storeadmin.properties.configuration.ingress.fqdn}'

aks-store-on-aca/modules/ai.bicep

@@ -109,3 +109,5 @@ resource cognitiveAccountEndpoint 'Microsoft.KeyVault/vaults/secrets@2022-07-01'
 }
 
 output openAIDeploymentName string = cognitiveAccountDeploymentGpt35Turbo.name
+output openAIKeySecretUri string = openAIKeySecret.properties.secretUri
+output openAIEndpointSecretUri string = cognitiveAccountEndpoint.properties.secretUri