diff --git a/aca-revision-and-traffic-management/modules/aca-common.bicep b/aca-revision-and-traffic-management/modules/aca-common.bicep
index 5fb89fc..043c29d 100644
--- a/aca-revision-and-traffic-management/modules/aca-common.bicep
+++ b/aca-revision-and-traffic-management/modules/aca-common.bicep
@@ -35,6 +35,12 @@ resource acaEnvironmentDiagnosticSettings 'Microsoft.Insights/diagnosticSettings
 enabled: true
 }
 ]
+ metrics: [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+ ]
 }
 }
diff --git a/aks-store-on-aca/main.bicep b/aks-store-on-aca/main.bicep
index 973d185..15a7e37 100644
--- a/aks-store-on-aca/main.bicep
+++ b/aks-store-on-aca/main.bicep
@@ -178,8 +178,8 @@ module internal_apps 'modules/aca-internal-apps.bicep' = {
 location: location
 managedIdentityId: common.outputs.managedIdentityId
 openAIDeploymentName: ai.outputs.openAIDeploymentName
- openAIEndpoint: keyVaultACA.getSecret('cogaEndpoint')
- openAIKey: keyVaultACA.getSecret('cogaKey')
+ openAIEndpointSecretUri: ai.outputs.openAIEndpointSecretUri
+ openAIKeySecretUri: ai.outputs.openAIKeySecretUri
 queueUsername: keyVaultCommon.getSecret('queue-username')
 queuePass: keyVaultCommon.getSecret('queue-password')
 subnetIpRange: network.outputs.acaSubnetIpRange
@@ -198,6 +198,9 @@ module public_apps 'modules/aca-public-apps.bicep' = {
 managedIdentityId: common.outputs.managedIdentityId
 orderServiceUri: internal_apps.outputs.orderServiceUri
 productServiceUri: internal_apps.outputs.productServiceUri
+ storeAdminAuthClientId: keyVaultCommon.getSecret('store-admin-auth-client-id')
+ storeAdminAuthClientSecret: keyVaultCommon.getSecret('store-admin-auth-client-secret')
+ storeAdminAuthTenantId: keyVaultCommon.getSecret('store-admin-auth-tenant-id')
 tags: tags
 }
 }
diff --git a/aks-store-on-aca/modules/aca-internal-apps.bicep b/aks-store-on-aca/modules/aca-internal-apps.bicep
index 5ec71b2..c6fae76 100644
--- a/aks-store-on-aca/modules/aca-internal-apps.bicep
+++ b/aks-store-on-aca/modules/aca-internal-apps.bicep
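Review bot: The two `ai.outputs.*SecretUri` values handed to `internal_apps` are Key Vault references that Container Apps resolves at runtime with `managedIdentityId` (see the `secrets` block added in aca-internal-apps.bicep), so that identity now needs read access to the secrets in the vault that ai.bicep writes to, whereas the replaced `keyVaultACA.getSecret(...)` calls only needed the deploying principal's rights. Nothing in this diff grants `managedIdentityId` a role assignment or access policy on that vault; if it is not granted elsewhere, the `aiservice` revision will fail to provision because the platform cannot fetch the secret. Either add the grant in the same change or leave a comment on the two new lines, e.g. `// Key Vault references: managedIdentityId must be able to read secrets from the vault ai.bicep writes to`.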
@@ -2,15 +2,11 @@ param environmentId string
 param location string
 param managedIdentityId string
 param openAIDeploymentName string
+param openAIEndpointSecretUri string
+param openAIKeySecretUri string
 param subnetIpRange string
 param tags object
-@secure()
-param openAIEndpoint string
-
-@secure()
-param openAIKey string
-
 @secure()
 param queueUsername string
@@ -485,7 +481,19 @@ resource aiservice 'Microsoft.App/containerApps@2023-05-02-preview' = {
 ipAddressRange: subnetIpRange
 }
 ]
- }
+ }
+ secrets: [
+ {
+ name: 'openai-key-uri'
+ keyVaultUrl: openAIKeySecretUri
+ identity: managedIdentityId
+ }
+ {
+ name: 'openai-endpoint-uri'
+ keyVaultUrl: openAIEndpointSecretUri
+ identity: managedIdentityId
+ }
+ ]
 }
 template: {
 containers: [
@@ -507,11 +515,11 @@ resource aiservice 'Microsoft.App/containerApps@2023-05-02-preview' = {
 }
 {
 name: 'AZURE_OPENAI_ENDPOINT'
- value: openAIEndpoint
+ secretRef: 'openai-endpoint-uri'
 }
 {
 name: 'OPENAI_API_KEY'
- value: openAIKey
+ secretRef: 'openai-key-uri'
 }
 ]
 probes: [
diff --git a/aks-store-on-aca/modules/aca-public-apps.bicep b/aks-store-on-aca/modules/aca-public-apps.bicep
index c09a25c..8813fca 100644
--- a/aks-store-on-aca/modules/aca-public-apps.bicep
+++ b/aks-store-on-aca/modules/aca-public-apps.bicep
@@ -8,6 +8,15 @@ param orderServiceUri string
 param productServiceUri string
 param tags object
+@secure()
+param storeAdminAuthClientId string
+
+@secure()
+param storeAdminAuthClientSecret string
+
+@secure()
+param storeAdminAuthTenantId string
+
 /* Due to hard-coded URLs and port numbers in the NGINX configuration in the original source code, instead of opening up additional unused ports in Azure Container Apps to support this
 * NGINX configuration is overriden in a way that would work more natively for Azure Container Apps. NGINX configuration files for store-front and store-admin apps are stored in .conf files in the current folder. */
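Review bot: `openAIEndpointSecretUri` and `openAIKeySecretUri` are rightly declared without `@secure()` because they carry vault URIs rather than secret values, but nothing at the declaration says so, and the names sit next to the still-secure `queueUsername`, so a later caller could pass a raw key or endpoint here without any compile-time objection. Add `@description('Key Vault secret URI (not the secret value); the container app resolves it at runtime through managedIdentityId')` above each of the two new params. A matching one-line comment above the first `keyVaultUrl:` in the new `secrets` block, stating that `managedIdentityId` must have read access to those secrets, would make the runtime dependency visible where it is consumed.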
@@ -158,6 +167,10 @@ resource storeadmin 'Microsoft.App/containerApps@2023-05-02-preview' = {
 name: 'nginx-conf'
 value: storeAdminNginxConf
 }
+ {
+ name: 'microsoft-provider-authentication-secret'
+ value: storeAdminAuthClientSecret
+ }
 ]
 }
 template: {
@@ -246,5 +259,38 @@ resource storeadmin 'Microsoft.App/containerApps@2023-05-02-preview' = {
 tags: tags
 }
+@description('This resource enables authentication for the Store Admin application using Microsoft Entra ID as the identity provider and information about existing application registration.')
+resource storeAdminAuthConfig 'Microsoft.App/containerApps/authConfigs@2023-11-02-preview' = {
+ name: 'current' // required name
+ parent: storeadmin
+ properties: {
+ globalValidation: {
+ redirectToProvider: 'azureactivedirectory'
+ unauthenticatedClientAction: 'RedirectToLoginPage'
+ }
+ httpSettings: {
+ requireHttps: true
+ }
+ identityProviders: {
+ azureActiveDirectory: {
+ enabled: true
+ registration: {
+ clientId: storeAdminAuthClientId
+ clientSecretSettingName: 'microsoft-provider-authentication-secret'
+ openIdIssuer: 'https://sts.windows.net/${storeAdminAuthTenantId}/v2.0'
+ }
+ validation: {
+ allowedAudiences: [
+ 'api://${storeAdminAuthClientId}'
+ ]
+ }
+ }
+ }
+ platform: {
+ enabled: true
+ }
+ }
+}
+
 output storeFrontUri string = 'https://${storefront.properties.configuration.ingress.fqdn}'
 output storeAdminUri string = 'https://${storeadmin.properties.configuration.ingress.fqdn}'
diff --git a/aks-store-on-aca/modules/ai.bicep b/aks-store-on-aca/modules/ai.bicep
index a16fd68..fdbe5ad 100644
--- a/aks-store-on-aca/modules/ai.bicep
+++ b/aks-store-on-aca/modules/ai.bicep
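Review bot: `microsoft-provider-authentication-secret` stores the Entra client secret with `value:`, so it is read at deployment time from `keyVaultCommon` in main.bicep and copied into the container app's secret store, while the same commit moves the OpenAI secrets in aca-internal-apps.bicep to `keyVaultUrl` + `identity` references. Using the reference form here too would keep a single pattern and let a rotated client secret be picked up without redeploying, provided the platform accepts a Key Vault-backed secret for `clientSecretSettingName` (worth confirming): `name: 'microsoft-provider-authentication-secret'`, `keyVaultUrl: <secret URI output from the common vault — placeholder>`, `identity: managedIdentityId`. `storeAdminAuthClientSecret` could then become a plain URI parameter instead of a `@secure()` value threaded through main.bicep. The `storeadmin` resource starts outside this hunk.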
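Review bot: The new `storeAdminAuthConfig` authenticates but does not authorize: `allowedAudiences` only checks that the token was issued for this app, so anyone who can sign in to the tenant behind `storeAdminAuthTenantId` reaches the admin UI unless the app registration itself requires user assignment, which is not visible here. For an admin surface, add an authorization rule next to the audience check (`validation.defaultAuthorizationPolicy.allowedPrincipals.groups` with the object id of an admin group is the usual form) and extend the `@description` so it states that sign-in alone is not meant to be sufficient. The child resource also uses `2023-11-02-preview` while its parent is on `2023-05-02-preview`; acceptable for a sample, but a short comment on why the newer preview is needed would save the next reader a check.
```bicep
      validation: {
        allowedAudiences: [
          'api://${storeAdminAuthClientId}'
        ]
        // only members of the admin group are authorized, even after a successful sign-in
        defaultAuthorizationPolicy: {
          allowedPrincipals: {
            groups: [
              storeAdminAllowedGroupId // placeholder: declare as a param holding the group object id
            ]
          }
        }
      }
// … unchanged: rest of azureActiveDirectory, platform …
```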
@@ -109,3 +109,5 @@ resource cognitiveAccountEndpoint 'Microsoft.KeyVault/vaults/secrets@2022-07-01'
 }
 output openAIDeploymentName string = cognitiveAccountDeploymentGpt35Turbo.name
+output openAIKeySecretUri string = openAIKeySecret.properties.secretUri
+output openAIEndpointSecretUri string = cognitiveAccountEndpoint.properties.secretUri
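Review bot: The two new outputs expose `properties.secretUri`, the unversioned URI of each secret, so a container app referencing it follows whatever the current version is; if pinning to the version created by this deployment is intended, `secretUriWithVersion` is the property to return instead. Whichever is meant, say so on the output: `@description('Unversioned Key Vault URI of the OpenAI key secret; consumers resolve the current version at runtime via their managed identity')`, and the equivalent for the endpoint. The `openAIKeySecret` resource these read from is declared outside the hunk.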