You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Updated resource provisioning script with creation and assignment of Oauth roles associated with app registrations governing our function app and static website
Copy file name to clipboardExpand all lines: README.md
+54-2Lines changed: 54 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,6 +6,9 @@ Once the CSV has been uploaded to the storage blob, another, blob-triggered Azur
6
6
The computed statistics are then stored in a new blob container, which is used to serve the results to the user.
7
7
These two functions are defined in the python script [function_app.py](hvalfangst_function/function_app.py) - which is the main entrypoint of our Azure Function App instance.
8
8
9
+
The SPA is protected with Oauth2.0 authorization code flow with PKCE and OIDC. The user is redirected to the Azure AD login page, where they must authenticate before being redirected back to the SPA.
10
+
11
+
9
12
The associated Azure infrastructure is deployed with a script (more on that below).
10
13
11
14
A branch-triggered pipeline has been set up to deploy our code to the respective Azure resources using a GitHub Actions Workflows [script](.github/workflows/deploy_to_azure.yml).
@@ -24,7 +27,7 @@ Thus, deploying the website is simply a matter of uploading the static files to
24
27
25
28
## Allocate resources
26
29
27
-
The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI and a
30
+
The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI in conjunction with a
It will create the following hierarchy of resources:
@@ -47,6 +50,26 @@ graph TD
47
50
B -->|Contains| F
48
51
```
49
52
53
+
## Registrations
54
+
In addition to the resources listed above, the script will also create a **service principal** and two Microsoft Entra ID **app registrations.**
55
+
56
+
### Service Principal for GitHub Actions
57
+
The service principal has been assigned contributor role to our resource group, which is sufficient in order to deploy the static web app to the storage blob.
58
+
It has been assigned a federated credential configured to work with this repository as it is utilized in our CI/CD [GitHub Actions Workflow script](.github/workflows/deploy_to_azure.yml).
59
+
60
+
### App Registration for Azure Function App
61
+
62
+
Exposes the scopes **Csv.Writer** and **Csv.Reader** under URI **api://hvalfangst-function-app**
63
+
64
+
65
+
66
+
### App Registration for SPA
67
+
68
+
Has a redirect URI configured to the static web app's URL and the permissions **Csv.Writer** and the OIDC ones.
69
+
70
+
71
+
72
+
50
73
## GitHub secrets
51
74
Four secrets are required in order for the GitHub Actions Workflow script to deploy the code to the Azure resources.
52
75
As may be observed in the [script](.github/workflows/deploy_to_azure.yml), these are:
@@ -56,4 +79,33 @@ As may be observed in the [script](.github/workflows/deploy_to_azure.yml), these
56
79
-**AZURE_TENANT_ID**: Used to authenticate the service principal in order to deploy the static web app
57
80
-**PUBLISH_PROFILE**: Used to deploy our two functions to the Azure Function App
58
81
59
-
82
+
83
+
84
+
## Usage
85
+
After provisioning resources, setting up secrets, and pushing the code to the repository, one
86
+
may access the static web app by navigating to the following URL:
0 commit comments