private static async Task <string> GetStorageAccountKey(string resourceGroupName, string accountName, int keyIndex)
{
var accountKeys = await ListStorageAccountKeys.InvokeAsync(new ListStorageAccountKeysArgs
{
ResourceGroupName = resourceGroupName,
AccountName = accountName
});
return(accountKeys.Keys[keyIndex].Value);
}
static async Task <string> GetStorageAccountPrimaryKey(string resourceGroupName, string accountName)
{
var accountKeys = await ListStorageAccountKeys.InvokeAsync(new ListStorageAccountKeysArgs
{
ResourceGroupName = resourceGroupName,
AccountName = accountName
});
return(accountKeys.Keys[0].Value);
}
private static Output <string> GetConnectionString(Input <string> resourceGroupName, Input <string> accountName)
{
// Retrieve the primary storage account key.
var storageAccountKeys = ListStorageAccountKeys.Invoke(new ListStorageAccountKeysInvokeArgs
{
ResourceGroupName = resourceGroupName,
AccountName = accountName
});
return(storageAccountKeys.Apply(keys =>
{
var primaryStorageKey = keys.Keys[0].Value;
// Build the connection string to the storage account.
return Output.Format($"DefaultEndpointsProtocol=https;AccountName={accountName};AccountKey={primaryStorageKey}");
}));
}
private static Output <string> GetConnectionString(Input <string> resourceGroupName, Input <string> accountName)
{
var storageAccountKeys = Output.All(resourceGroupName, accountName).Apply(t => ListStorageAccountKeys.InvokeAsync(new ListStorageAccountKeysArgs {
ResourceGroupName = t[0], AccountName = t[1]
}));
return(storageAccountKeys.Apply(keys => Output.Format($"DefaultEndpointsProtocol=https;AccountName={accountName};AccountKey={keys.Keys[0].Value};EndpointSuffix=core.windows.net")));
}
public AppStack()
{
var config = new Config();
var resourceGroup = new ResourceGroup("rotatesecretoneset-rg");
var sqlAdminLogin = config.Get("sqlAdminLogin") ?? "sqlAdmin";
var sqlAdminPassword = new RandomUuid("sqlPassword").Result;
var sqlServer = new Server("sqlServer", new ServerArgs
{
AdministratorLogin = sqlAdminLogin,
AdministratorLoginPassword = sqlAdminPassword,
ResourceGroupName = resourceGroup.Name,
Version = "12.0",
});
new FirewallRule("AllowAllWindowsAzureIps",
new FirewallRuleArgs
{
ServerName = sqlServer.Name,
ResourceGroupName = resourceGroup.Name,
StartIpAddress = "0.0.0.0",
EndIpAddress = "0.0.0.0",
});
var clientConfig = Output.Create(GetClientConfig.InvokeAsync());
var tenantId = clientConfig.Apply(c => c.TenantId);
var storageAccount = new StorageAccount("storageaccount", new StorageAccountArgs
{
Kind = "Storage",
ResourceGroupName = resourceGroup.Name,
Sku = new Storage.Inputs.SkuArgs
{
Name = "Standard_LRS"
},
});
var appInsights = new Component("appInsights", new ComponentArgs
{
RequestSource = "IbizaWebAppExtensionCreate",
ResourceGroupName = resourceGroup.Name,
ApplicationType = "web",
Kind = "web",
Tags =
{
//{ "[concat('hidden-link:', resourceId('Microsoft.Web/sites', parameters('functionAppName')))]", "Resource" },
},
});
var secretName = config.Get("secretName") ?? "sqlPassword";
var appService = new AppServicePlan("functionApp-appService", new AppServicePlanArgs
{
ResourceGroupName = resourceGroup.Name,
Sku = new SkuDescriptionArgs
{
Name = "Y1",
Tier = "Dynamic",
},
});
var storageKey = Output.Tuple(resourceGroup.Name, storageAccount.Name).Apply(v =>
{
var task = ListStorageAccountKeys.InvokeAsync(new ListStorageAccountKeysArgs {
AccountName = v.Item2, ResourceGroupName = v.Item1
});
return(Output.Create(task).Apply(t => t.Keys[0].Value));
});
var functionApp = new WebApp("functionApp", new WebAppArgs
{
Kind = "functionapp",
ResourceGroupName = resourceGroup.Name,
ServerFarmId = appService.Id,
Identity = new ManagedServiceIdentityArgs {
Type = ManagedServiceIdentityType.SystemAssigned
},
SiteConfig = new SiteConfigArgs
{
AppSettings =
{
new NameValuePairArgs
{
Name = "AzureWebJobsStorage",
Value = Output.Format($"DefaultEndpointsProtocol=https;AccountName={storageAccount.Name};AccountKey={storageKey}"),
},
new NameValuePairArgs
{
Name = "FUNCTIONS_EXTENSION_VERSION",
Value = "~3",
},
new NameValuePairArgs
{
Name = "FUNCTIONS_WORKER_RUNTIME",
Value = "dotnet",
},
new NameValuePairArgs
{
Name = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
Value = Output.Format($"DefaultEndpointsProtocol=https;AccountName={storageAccount.Name};EndpointSuffix=core.windows.net;AccountKey={storageKey}"),
},
new NameValuePairArgs
{
Name = "WEBSITE_NODE_DEFAULT_VERSION",
Value = "~10",
},
new NameValuePairArgs
{
Name = "APPINSIGHTS_INSTRUMENTATIONKEY",
Value = appInsights.InstrumentationKey,
},
},
},
});
var functionAppSourceControl = new WebAppSourceControl("functionApp-sourceControl",
new WebAppSourceControlArgs
{
Name = functionApp.Name,
IsManualIntegration = true,
Branch = "main",
RepoUrl = config.Get("functionAppRepoURL") ?? "https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git",
ResourceGroupName = resourceGroup.Name,
});
var webAppAppService = new AppServicePlan("webApp-appService", new AppServicePlanArgs
{
ResourceGroupName = resourceGroup.Name,
Sku = new SkuDescriptionArgs
{
Name = "F1",
},
});
var webApp = new WebApp("webApp", new WebAppArgs
{
Kind = "app",
ResourceGroupName = resourceGroup.Name,
ServerFarmId = webAppAppService.Id,
Identity = new ManagedServiceIdentityArgs {
Type = ManagedServiceIdentityType.SystemAssigned
},
});
var keyVault = new Vault("keyVault", new VaultArgs
{
Properties = new VaultPropertiesArgs
{
AccessPolicies =
{
new AccessPolicyEntryArgs
{
TenantId = tenantId,
ObjectId = functionApp.Identity.Apply(i => i !.PrincipalId),
Permissions = new PermissionsArgs
{
Secrets ={ "get", "list", "set" },
},
},
public FunctionApp(string name, FunctionAppArgs args, ComponentResourceOptions?options = null)
: base("infra:functionapp", name, options)
{
var opts = new CustomResourceOptions {
Parent = this
};
var appStorage = new StorageAccount(name.Replace("-", ""), new StorageAccountArgs
{
ResourceGroupName = args.ResourceGroupName,
Sku = new SkuArgs
{
Name = SkuName.Standard_LRS,
},
Kind = Pulumi.AzureNative.Storage.Kind.StorageV2,
});
var appServicePlan = new AppServicePlan(name, new AppServicePlanArgs
{
ResourceGroupName = args.ResourceGroupName,
Location = args.Location,
Kind = "FunctionApp",
Sku = new SkuDescriptionArgs
{
Tier = "Dynamic",
Name = "Y1"
}
}, opts);
var container = new BlobContainer("code-container", new BlobContainerArgs
{
AccountName = appStorage.Name,
PublicAccess = PublicAccess.None,
ResourceGroupName = args.ResourceGroupName,
});
var blob = new Blob($"zip-{DateTime.UtcNow:ddMMyyyyhhmmss}", new BlobArgs
{
AccountName = appStorage.Name,
ContainerName = container.Name,
ResourceGroupName = args.ResourceGroupName,
Type = BlobType.Block,
Source = new FileArchive("../publish")
});
var appInsights = new Component("appInsights", new ComponentArgs
{
ApplicationType = ApplicationType.Web,
Kind = "web",
ResourceGroupName = args.ResourceGroupName,
});
var codeBlobUrl = SignedBlobReadUrl(blob, container, appStorage, args.ResourceGroupName);
var accountKeys = Output.Tuple(args.ResourceGroupName, appStorage.Name)
.Apply(p => ListStorageAccountKeys.InvokeAsync(new ListStorageAccountKeysArgs
{
ResourceGroupName = p.Item1,
AccountName = p.Item2
}));
var storageConnectionString =
Output.Format(
$"DefaultEndpointsProtocol=https;AccountName={appStorage.Name};AccountKey={accountKeys.Apply(a => a.Keys[0].Value)}");
var app = new WebApp(name, new WebAppArgs
{
Kind = "FunctionApp",
ResourceGroupName = args.ResourceGroupName,
ServerFarmId = appServicePlan.Id,
SiteConfig = new SiteConfigArgs
{
AppSettings = new[]
{
new NameValuePairArgs
{
Name = "APPLICATIONINSIGHTS_CONNECTION_STRING",
Value = Output.Format($"InstrumentationKey={appInsights.InstrumentationKey}"),
},
new NameValuePairArgs
{
Name = "FUNCTIONS_EXTENSION_VERSION",
Value = "~3"
},
new NameValuePairArgs
{
Name = "FUNCTIONS_WORKER_RUNTIME",
Value = "dotnet-isolated"
},
new NameValuePairArgs {
Name = "WEBSITE_RUN_FROM_PACKAGE",
Value = codeBlobUrl,
},
new NameValuePairArgs
{
Name = "AzureWebJobsStorage",
Value = GetConnectionString(args.ResourceGroupName, appStorage.Name)
}
}
}
});
var slotConfigNames = new WebAppSlotConfigurationNames(name, new WebAppSlotConfigurationNamesArgs {
Name = app.Name,
ResourceGroupName = args.ResourceGroupName,
AppSettingNames = { "FUNCTIONS_WORKER_RUNTIME", "FUNCTIONS_EXTENSION_VERSION" }
});
var stagingSlot = new WebAppSlot($"{name}-slot", new WebAppSlotArgs()
{
Name = app.Name,
Slot = "staging",
ResourceGroupName = args.ResourceGroupName,
SiteConfig = new SiteConfigArgs
{
AppSettings = new[]
{
new NameValuePairArgs
{
Name = "WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG",
Value = "1"
},
new NameValuePairArgs
{
Name = "WEBSITE_SWAP_WARMUP_PING_PATH",
Value = "/helloworld"
}
}
},
});
this.AppName = app.Name;
this.AppId = app.Id;
this.DefaultHostname = app.DefaultHostName;
}