Use environment in IaC

.azure/applications/api/main.bicep

@@ -1,4 +1,4 @@
-targetScope = 'resourceGroup'
+targetScope = 'subscription'
 
 @minLength(3)
 param imageTag string
@@ -14,62 +14,77 @@ param sourceKeyVaultName string
 @secure()
 param keyVaultUrl string
 
-@secure()
-param client_id string
-@secure()
-param tenant_id string
 @secure()
 param namePrefix string
 
-var baseImageUrl = 'ghcr.io/altinn/altinn-correspondence'
+var image = 'ghcr.io/altinn/altinn-correspondence:${imageTag}'
 var containerAppName = '${namePrefix}-app'
 
-resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${namePrefix}-app-identity'
+var resourceGroupName = '${namePrefix}-rg'
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
+  name: resourceGroupName
   location: location
 }
 
+module appIdentity '../../modules/identity/create.bicep' = {
+  name: 'appIdentity'
+  scope: resourceGroup
+  params: {
+    namePrefix: namePrefix
+    location: location
+  }
+}
+
+module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
+  name: 'appDeployToAzureAccess'
+  params: {
+    userAssignedIdentityPrincipalId: appIdentity.outputs.principalId
+  }
+}
+
 module keyVaultReaderAccessPolicyUserIdentity '../../modules/keyvault/addReaderRoles.bicep' = {
   name: 'kvreader-${namePrefix}-app'
+  scope: resourceGroup
   params: {
     keyvaultName: sourceKeyVaultName
-    tenantId: userAssignedIdentity.properties.tenantId
-    principalIds: [userAssignedIdentity.properties.principalId]
+    tenantId: appIdentity.outputs.tenantId
+    principalIds: [appIdentity.outputs.principalId]
   }
 }
 
 module databaseAccess '../../modules/postgreSql/AddAdministrationAccess.bicep' = {
   name: 'databaseAccess'
+  scope: resourceGroup
   dependsOn: [
     keyVaultReaderAccessPolicyUserIdentity // Timing issue
   ]
   params: {
-    tenantId: userAssignedIdentity.properties.tenantId
-    principalId: userAssignedIdentity.properties.principalId
-    appName: userAssignedIdentity.name
+    tenantId: appIdentity.outputs.tenantId
+    principalId: appIdentity.outputs.principalId
+    appName: appIdentity.name
     namePrefix: namePrefix
   }
 }
 
 resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: sourceKeyVaultName
+  scope: resourceGroup
 }
 
 module containerApp '../../modules/containerApp/main.bicep' = {
   name: containerAppName
+  scope: resourceGroup
   dependsOn: [keyVaultReaderAccessPolicyUserIdentity, databaseAccess]
   params: {
     namePrefix: namePrefix
-    image: '${baseImageUrl}:${imageTag}'
+    image: image
     location: location
     environment: environment
-    client_id: client_id
-    tenant_id: tenant_id
     subscription_id: subscription().subscriptionId
-    principal_id: userAssignedIdentity.id
+    principal_id: appIdentity.outputs.id
     platform_base_url: platform_base_url
     keyVaultUrl: keyVaultUrl
-    userIdentityClientId: userAssignedIdentity.properties.clientId
+    userIdentityClientId: appIdentity.outputs.clientId
     containerAppEnvId: keyvault.getSecret('container-app-env-id')
   }
 }

.azure/applications/api/params.bicepparam

@@ -3,10 +3,8 @@ using './main.bicep'
 param namePrefix = readEnvironmentVariable('NAME_PREFIX')
 param location = 'norwayeast'
 param imageTag = readEnvironmentVariable('IMAGE_TAG')
-param platform_base_url = 'https://platform.tt02.altinn.no/'
+param platform_base_url = readEnvironmentVariable('PLATFORM_BASE_URL')
 param environment = readEnvironmentVariable('ENVIRONMENT')
 // secrets
 param sourceKeyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
 param keyVaultUrl = readEnvironmentVariable('KEY_VAULT_URL')
-param client_id = readEnvironmentVariable('CLIENT_ID')
-param tenant_id = readEnvironmentVariable('TENANT_ID')

.azure/applications/migration/main.bicep

@@ -5,10 +5,6 @@ param appVersion string
 @secure()
 param keyVaultUrl string
 @secure()
-param client_id string
-@secure()
-param tenant_id string
-@secure()
 param keyVaultName string
 @minLength(3)
 param environment string
@@ -66,8 +62,6 @@ var containerAppEnvVars = [
   { name: 'AzureResourceManagerOptions__SubscriptionId', value: subscription().subscriptionId }
   { name: 'AzureResourceManagerOptions__Location', value: 'norwayeast' }
   { name: 'AzureResourceManagerOptions__Environment', value: environment }
-  { name: 'AzureResourceManagerOptions__ClientId', value: client_id }
-  { name: 'AzureResourceManagerOptions__TenantId', value: tenant_id }
   { name: 'AzureResourceManagerOptions__ApplicationResourceGroupName', value: '${namePrefix}-rg' }
   { name: 'AZURE_CLIENT_ID', value: userAssignedIdentity.properties.clientId }
 ]
@@ -93,7 +87,7 @@ resource containerAppEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview'
   name: containerAppEnvName
 }
 
-module containerAppJob '../../modules/containerAppJob/main.bicep' = {
+module containerAppJob '../../modules/migrationJob/main.bicep' = {
   name: containerAppJobName
   dependsOn: [
     addKeyvaultRead

.azure/applications/migration/params.bicepparam

@@ -6,5 +6,3 @@ param keyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
 param keyVaultUrl = readEnvironmentVariable('KEY_VAULT_URL')
 param namePrefix = readEnvironmentVariable('NAME_PREFIX')
 param appVersion = readEnvironmentVariable('APP_VERSION')
-param client_id = readEnvironmentVariable('CLIENT_ID')
-param tenant_id = readEnvironmentVariable('TENANT_ID')

.azure/infrastructure/main.bicep

@@ -8,8 +8,6 @@ param sourceKeyVaultName string
 @secure()
 param tenantId string
 @secure()
-param object_id string
-@secure()
 param test_client_id string
 param environment string
 @secure()
@@ -26,13 +24,6 @@ param postgresSku PostgresSku
 
 var resourceGroupName = '${namePrefix}-rg'
 
-var secrets = [
-  {
-    name: 'deploy-id'
-    value: object_id
-  }
-]
-
 // Create resource groups
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2023-07-01' = {
   name: '${namePrefix}-rg'
@@ -48,20 +39,10 @@ module environmentKeyVault '../modules/keyvault/create.bicep' = {
     sku: keyVaultSku
     tenant_id: tenantId
     environment: environment
-    object_id: object_id
     test_client_id: test_client_id
   }
 }
 
-module keyvaultSecrets '../modules/keyvault/upsertSecrets.bicep' = {
-  scope: resourceGroup
-  name: 'secrets'
-  params: {
-    secrets: secrets
-    sourceKeyvaultName: environmentKeyVault.outputs.name
-  }
-}
-
 // #####################################################
 // Create resources with dependencies to other resources
 // #####################################################

.azure/infrastructure/params.bicepparam

@@ -7,7 +7,6 @@ param environment = readEnvironmentVariable('ENVIRONMENT')
 // secrets
 param correspondencePgAdminPassword = readEnvironmentVariable('CORRESPONDENCE_PG_ADMIN_PASSWORD')
 param tenantId = readEnvironmentVariable('TENANT_ID')
-param object_id = readEnvironmentVariable('CLIENT_ID')
 param test_client_id = readEnvironmentVariable('TEST_CLIENT_ID')
 param sourceKeyVaultName = readEnvironmentVariable('KEY_VAULT_NAME')
 param migrationsStorageAccountName = readEnvironmentVariable('MIGRATION_STORAGE_ACCOUNT_NAME')

.azure/modules/containerApp/main.bicep

@@ -8,10 +8,6 @@ param platform_base_url string
 @secure()
 param subscription_id string
 @secure()
-param client_id string
-@secure()
-param tenant_id string
-@secure()
 param principal_id string
 @secure()
 param keyVaultUrl string
@@ -38,8 +34,6 @@ var containerAppEnvVars = [
   { name: 'AzureResourceManagerOptions__SubscriptionId', value: subscription_id }
   { name: 'AzureResourceManagerOptions__Location', value: 'norwayeast' }
   { name: 'AzureResourceManagerOptions__Environment', value: environment }
-  { name: 'AzureResourceManagerOptions__ClientId', value: client_id }
-  { name: 'AzureResourceManagerOptions__TenantId', value: tenant_id }
   { name: 'AzureResourceManagerOptions__ApplicationResourceGroupName', value: '${namePrefix}-rg' }
   { name: 'AZURE_CLIENT_ID', value: userIdentityClientId }
   {

.azure/modules/identity/addContributorAccess.bicep

@@ -0,0 +1,13 @@
+targetScope = 'subscription'
+
+param userAssignedIdentityPrincipalId string
+
+var roleDefinitionResourceId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor role
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, userAssignedIdentityPrincipalId, roleDefinitionResourceId)
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionResourceId)
+    principalId: userAssignedIdentityPrincipalId
+    principalType: 'ServicePrincipal'
+  }
+}

.azure/modules/identity/create.bicep

@@ -0,0 +1,12 @@
+@secure()
+param namePrefix string
+param location string
+
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: '${namePrefix}-app-identity'
+  location: location
+}
+output id string = userAssignedIdentity.id
+output clientId string = userAssignedIdentity.properties.clientId
+output principalId string = userAssignedIdentity.properties.principalId
+output tenantId string = userAssignedIdentity.properties.tenantId

.azure/modules/keyvault/create.bicep

@@ -5,8 +5,6 @@ param environment string
 param tenant_id string
 @secure()
 param test_client_id string
-@secure()
-param object_id string
 @export()
 type Sku = {
   name: 'standard'
@@ -25,20 +23,6 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
     tenantId: tenant_id
     accessPolicies: environment == 'test'
       ? [
-          {
-            applicationId: null
-            tenantId: tenant_id
-            objectId: object_id
-
-            permissions: {
-              keys: []
-              secrets: [
-                'Get'
-                'List'
-              ]
-              certificates: []
-            }
-          }
           {
             applicationId: null
             tenantId: tenant_id
@@ -54,22 +38,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
             }
           }
         ]
-      : [
-          {
-            applicationId: null
-            tenantId: tenant_id
-            objectId: object_id
-
-            permissions: {
-              keys: []
-              secrets: [
-                'Get'
-                'List'
-              ]
-              certificates: []
-            }
-          }
-        ]
+      : []
   }
 }
 

.azure/modules/postgreSql/AddAdministrationAccess.bicep

@@ -3,10 +3,10 @@ param tenantId string
 param appName string
 param namePrefix string
 
-resource database 'Microsoft.DBforPostgreSQL/flexibleServers@2022-03-08-preview' existing = {
+resource database 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' existing = {
   name: '${namePrefix}-pgflex'
 }
-resource databaseAccess 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-03-08-preview' = {
+resource databaseAccess 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = {
   name: principalId
   parent: database
   properties: {

.azure/modules/postgreSql/create.bicep

@@ -103,14 +103,13 @@ module adoConnectionString '../keyvault/upsertSecret.bicep' = {
   }
 }
 
-resource databaseAccess 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-03-08-preview' =
-  if (environment == 'test') {
-    name: test_client_id
-    parent: postgres
-    dependsOn: [allowAzureAccess] // Needs to depend on allowAzureAccess to avoid updating at the same time
-    properties: {
-      principalType: 'Group'
-      tenantId: tenantId
-      principalName: 'Altinn-30-Correspondence-Test-Developers'
-    }
+resource databaseAccess 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2022-12-01' = if (environment == 'test') {
+  name: test_client_id
+  parent: postgres
+  dependsOn: [allowAzureAccess] // Needs to depend on allowAzureAccess to avoid updating at the same time
+  properties: {
+    principalType: 'Group'
+    tenantId: tenantId
+    principalName: 'Altinn-30-Correspondence-Test-Developers'
   }
+}

.github/actions/check-for-changes/action.yml

@@ -0,0 +1,44 @@
+name: "Check for file changes"
+
+description: "Analyses repository to see what is changed since last commit"
+
+outputs:
+  hasAzureChanges:
+    description: "Azure related files changed"
+    value: ${{ steps.check-for-changes.outputs.azure_any_changed }}
+  hasBackendChanges:
+    description: "Backend related files changed"
+    value: ${{ steps.check-for-changes.outputs.backend_any_changed }}
+  hasMigrationChanges:
+    description: "Migration related files changed"
+    value: ${{ steps.check-for-changes.outputs.migrations_any_changed }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        # fetch-depth needs to be 0 in cases where we want to fetch changes since previous tag for example
+        fetch-depth: 0
+
+    - uses: tj-actions/changed-files@v42
+      id: filter
+      with:
+        files_yaml: |
+          azure:
+            - '.github/**/*'
+            - '.azure/infrastructure/**/*'
+            - '.azure/modules/**/*'
+          backend:
+            - 'src/**/*'
+            - 'Test/**/*'
+          migrations: 
+            - 'src/Altinn.Correspondence.Persistence/Migrations/*'
+    - name: List results
+      id: list-results
+      shell: bash
+      run: |
+        echo "Azure related files changed: ${{ steps.check-for-changes.outputs.azure_any_changed }}"
+        echo "Backend related files changed: ${{ steps.check-for-changes.outputs.backend_any_changed }}"
+        echo "Migration related files changed: ${{ steps.check-for-changes.outputs.migrations_any_changed }}"