public static Output <string> SignedBlobReadUrl(ZipBlob blob, Account account) { return(Output .All <string>(account.Name, account.PrimaryConnectionString, blob.StorageContainerName, blob.Name) .Apply(async values => { string accountName = values[0]; string connectionString = values[1]; string containerName = values[2]; string blobName = values[3]; var sas = await Invokes.GetAccountBlobContainerSAS( new GetAccountBlobContainerSASArgs { ConnectionString = connectionString, ContainerName = containerName, Start = "2019-01-01", Expiry = "2100-01-01", Permissions = new GetAccountBlobContainerSASPermissionsArgs { Read = true, Write = false, Delete = false, List = false, Add = false, Create = false, }, } ); return $"https://{accountName}.blob.core.windows.net/{containerName}/{blobName}{sas.Sas}"; })); }
public ArchiveFunctionApp(string name, ArchiveFunctionAppArgs args, ResourceOptions?options = null) : base("examples:azure:ArchiveFunctionApp", name, options) { var opts = CustomResourceOptions.Merge(options, new CustomResourceOptions { Parent = this }); var storageAccount = new Account($"sa{args.Location}", new AccountArgs { ResourceGroupName = args.ResourceGroupName, Location = args.Location, AccountReplicationType = "LRS", AccountTier = "Standard", }, opts); var appServicePlan = new Plan($"asp-{args.Location}", new PlanArgs { ResourceGroupName = args.ResourceGroupName, Location = args.Location, Kind = "FunctionApp", Sku = new PlanSkuArgs { Tier = "Dynamic", Size = "Y1", }, }, opts); var container = new Container($"zips-{args.Location}", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }, opts); var blob = new ZipBlob($"zip-{args.Location}", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = args.Archive, }, opts); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); args.AppSettings.Add("runtime", "dotnet"); args.AppSettings.Add("WEBSITE_RUN_FROM_PACKAGE", codeBlobUrl); var app = new FunctionApp($"app-{args.Location}", new FunctionAppArgs { ResourceGroupName = args.ResourceGroupName, Location = args.Location, AppServicePlanId = appServicePlan.Id, AppSettings = args.AppSettings, StorageConnectionString = storageAccount.PrimaryConnectionString, Version = "~2", }, opts); this.AppId = app.Id; }
static Task <int> Main() { return(Deployment.RunAsync(() => { var resourceGroup = new ResourceGroup("functions-rg"); var storageAccount = new Account("sa", new AccountArgs { ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", }); var appServicePlan = new Plan("asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Kind = "FunctionApp", Sku = new PlanSkuArgs { Tier = "Dynamic", Size = "Y1", }, }); var container = new Container("zips", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }); var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = new FileArchive("./functions/bin/Debug/netcoreapp3.0/publish"), }); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); var app = new FunctionApp("app", new FunctionAppArgs { ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, AppSettings = { { "runtime", "dotnet" }, { "WEBSITE_RUN_FROM_PACKAGE", codeBlobUrl }, }, StorageConnectionString = storageAccount.PrimaryConnectionString, Version = "~3", }); return new Dictionary <string, object> { { "endpoint", Output.Format($"https://{app.DefaultHostname}/api/Hello?name=Pulumi") }, }; })); }
static Task <int> Main() { return(Deployment.RunAsync(() => { // Create an Azure Resource Group var resourceGroup = new ResourceGroup("doaw20-rg"); // Create an Azure Storage Account var storageAccount = new Account("doaw20st", new AccountArgs { ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", //EnableHttpsTrafficOnly = true }); var appServicePlan = new Plan("doaw20-asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Kind = "FunctionApp", Sku = new PlanSkuArgs { Tier = "Dynamic", Size = "Y1" } }); var container = new Container("zips", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private" }); var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = new FileArchive("../HelloFunc/bin/Debug/netcoreapp3.1/publish") }); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); var app = new FunctionApp("doaw20-app", new FunctionAppArgs { ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, AppSettings = { { "runtime", "dotnet" }, { "WEBSITE_RUN_FROM_PACKAGE", codeBlobUrl } }, StorageConnectionString = storageAccount.PrimaryConnectionString, Version = "~3" }); // Export the connection string for the storage account return new Dictionary <string, object?> { { "connectionString", storageAccount.PrimaryConnectionString }, { "endpoint", Output.Format($"https://{app.DefaultHostname}/api/HelloPulumi?name=DevOps@Work20") } }; })); }
static Task <int> Main() { return(Deployment.RunAsync(async() => { var resourceGroup = new ResourceGroup("keyvault-rg"); // Create a storage account for Blobs var storageAccount = new Account("storage", new AccountArgs { ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", }); // The container to put our files into var storageContainer = new Container("files", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }); // Azure SQL Server that we want to access from the application var administratorLoginPassword = new RandomPassword("password", new RandomPasswordArgs { Length = 16, Special = true }).Result; var sqlServer = new SqlServer("sqlserver", new SqlServerArgs { ResourceGroupName = resourceGroup.Name, // The login and password are required but won't be used in our application AdministratorLogin = "******", AdministratorLoginPassword = administratorLoginPassword, Version = "12.0", }); // Azure SQL Database that we want to access from the application var database = new Database("db", new DatabaseArgs { ResourceGroupName = resourceGroup.Name, ServerName = sqlServer.Name, RequestedServiceObjectiveName = "S0", }); // The connection string that has no credentials in it: authertication will come through MSI var connectionString = Output.Format($"Server=tcp:{sqlServer.Name}.database.windows.net;Database={database.Name};"); // A file in Blob Storage that we want to access from the application var textBlob = new Blob("text", new BlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = storageContainer.Name, Type = "block", Source = "./README.md", }); // A plan to host the App Service var appServicePlan = new Plan("asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Kind = "App", Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1", }, }); // ASP.NET deployment package var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = storageContainer.Name, Type = "block", Content = new FileArchive("./webapp/bin/Debug/netcoreapp2.2/publish"), }); var clientConfig = await Pulumi.Azure.Core.Invokes.GetClientConfig(); var tenantId = clientConfig.TenantId; var currentPrincipal = clientConfig.ObjectId; // Key Vault to store secrets (e.g. Blob URL with SAS) var vault = new KeyVault("vault", new KeyVaultArgs { ResourceGroupName = resourceGroup.Name, SkuName = "standard", TenantId = tenantId, AccessPolicies = { new KeyVaultAccessPoliciesArgs { TenantId = tenantId, // The current principal has to be granted permissions to Key Vault so that it can actually add and then remove // secrets to/from the Key Vault. Otherwise, 'pulumi up' and 'pulumi destroy' operations will fail. ObjectId = currentPrincipal, SecretPermissions ={ "delete", "get", "list", "set" }, } }, }); // Put the URL of the zip Blob to KV var secret = new Secret("deployment-zip", new SecretArgs { KeyVaultId = vault.Id, Value = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount), }); var secretUri = Output.Format($"{secret.VaultUri}secrets/{secret.Name}/{secret.Version}"); // The application hosted in App Service var app = new AppService("app", new AppServiceArgs { ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, // A system-assigned managed service identity to be used for authentication and authorization to the SQL Database and the Blob Storage Identity = new AppServiceIdentityArgs { Type = "SystemAssigned" }, AppSettings = { // Website is deployed from a URL read from the Key Vault { "WEBSITE_RUN_FROM_ZIP", Output.Format($"@Microsoft.KeyVault(SecretUri={secretUri})") }, // Note that we simply provide the URL without SAS or keys { "StorageBlobUrl", textBlob.Url }, }, ConnectionStrings = { new AppServiceConnectionStringsArgs { Name = "db", Type = "SQLAzure", Value = connectionString, }, }, }); // Work around a preview issue https://github.com/pulumi/pulumi-azure/issues/192 var principalId = app.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111"); // Grant App Service access to KV secrets var policy = new AccessPolicy("app-policy", new AccessPolicyArgs { KeyVaultId = vault.Id, TenantId = tenantId, ObjectId = principalId, SecretPermissions = { "get" }, }); // Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app) var sqlAdmin = new ActiveDirectoryAdministrator("adadmin", new ActiveDirectoryAdministratorArgs { ResourceGroupName = resourceGroup.Name, TenantId = tenantId, ObjectId = principalId, Login = "******", ServerName = sqlServer.Name, }); // Grant access from App Service to the container in the storage var blobPermission = new Assignment("readblob", new AssignmentArgs { PrincipalId = principalId, Scope = Output.Format($"{storageAccount.Id}/blobServices/default/containers/{storageContainer.Name}"), RoleDefinitionName = "Storage Blob Data Reader", }); // Add SQL firewall exceptions var firewallRules = app.OutboundIpAddresses.Apply( ips => ips.Split(",").Select( ip => new FirewallRule($"FR{ip}", new FirewallRuleArgs { ResourceGroupName = resourceGroup.Name, StartIpAddress = ip, EndIpAddress = ip, ServerName = sqlServer.Name, }) ).ToList()); return new Dictionary <string, object> { { "endpoint", Output.Format($"https://{app.DefaultSiteHostname}") }, }; })); }
static Task <int> Main() { return(Deployment.RunAsync(() => { // Create an Azure Resource Group var resourceGroup = new ResourceGroup("resourceGroup", new ResourceGroupArgs { Name = "pulumi" }); // Create an Azure Storage Account var storageAccount = new Account("storage", new AccountArgs { Name = "wwwcontainer", ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", }); var appServicePlan = new Plan("asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Name = "website", Kind = "App", Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1", }, }); var container = new Container("zips", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }); var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = new FileArchive(@"C:\code\ozcode\pulumiapp\pulumiapp\bin\Debug\netcoreapp3.1\publish"), }); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); var config = new Config(); var username = config.Get("sqlAdmin") ?? "pulumi"; var password = config.RequireSecret("sqlPassword"); var sqlServer = new SqlServer("sql", new SqlServerArgs { Name = "pulumiserver", ResourceGroupName = resourceGroup.Name, AdministratorLogin = username, AdministratorLoginPassword = password, Version = "12.0", }); var database = new Database("db", new DatabaseArgs { Name = "pulumidatabase", ResourceGroupName = resourceGroup.Name, ServerName = sqlServer.Name, RequestedServiceObjectiveName = "S0", }); var app = new AppService("app", new AppServiceArgs { Name = "pulumiwebapp", ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, AppSettings = { { "WEBSITE_RUN_FROM_PACKAGE", codeBlobUrl }, { "OzCode:Agent:Token", "76c0dff5-a7ba-415c-858f-b1bc1124a42c|73b8df28-4f14-468d-a978-918900c1736c" } },
public static Dictionary <string, object> Run() { var resourceGroup = new ResourceGroup("dotnet-rg", new ResourceGroupArgs { Location = "West Europe" }); var cosmosapp = new CosmosApp("capp", new CosmosAppArgs { ResourceGroupName = resourceGroup.Name, Locations = new[] { resourceGroup.Location }, }); var storageAccount = new Account("sa", new AccountArgs { ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", }); var appServicePlan = new Plan("asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Kind = "App", Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1", }, }); var container = new Container("c", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }); var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = new FileArchive("wwwroot"), }); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); //var username = "******"; // TODO: Pulumi.Config //var password = "******"; //var sqlServer = new SqlServer("sql", new SqlServerArgs //{ // ResourceGroupName = resourceGroup.Name, // AdministratorLogin = username, // AdministratorLoginPassword = password, // Version = "12.0", //}); //var database = new Database("db", new DatabaseArgs //{ // ResourceGroupName = resourceGroup.Name, // ServerName = sqlServer.Name, // RequestedServiceObjectiveName = "S0", //}); var app = new AppService("app", new AppServiceArgs { ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, AppSettings = { { "WEBSITE_RUN_FROM_ZIP", codeBlobUrl }, }, //ConnectionStrings = new[] //{ // new AppService.ConnectionStringArgs // { // Name = "db", // Type = "SQLAzure", // Value = Output.All<string>(sqlServer.Name, database.Name).Apply(values => // { // return $"Server= tcp:${values[0]}.database.windows.net;initial catalog=${values[1]};userID=${username};password=${password};Min Pool Size=0;Max Pool Size=30;Persist Security Info=true;"; // }), // }, //}, }); return(new Dictionary <string, object> { { "endpoint", app.DefaultSiteHostname }, }); }
static Task <int> Main(string[] args) { return(Deployment.RunAsync(() => { var resourceGroup = new ResourceGroup("appservice-rg"); var storageAccount = new Account("sa", new AccountArgs { ResourceGroupName = resourceGroup.Name, AccountReplicationType = "LRS", AccountTier = "Standard", }); var appServicePlan = new Plan("asp", new PlanArgs { ResourceGroupName = resourceGroup.Name, Kind = "App", Sku = new PlanSkuArgs { Tier = "Basic", Size = "B1", }, }); var container = new Container("zips", new ContainerArgs { StorageAccountName = storageAccount.Name, ContainerAccessType = "private", }); var blob = new ZipBlob("zip", new ZipBlobArgs { StorageAccountName = storageAccount.Name, StorageContainerName = container.Name, Type = "block", Content = new FileArchive("wwwroot"), }); var codeBlobUrl = SharedAccessSignature.SignedBlobReadUrl(blob, storageAccount); var config = new Config(); var username = config.Get("sqlAdmin") ?? "pulumi"; var password = config.RequireSecret("sqlPassword"); var sqlServer = new SqlServer("sql", new SqlServerArgs { ResourceGroupName = resourceGroup.Name, AdministratorLogin = username, AdministratorLoginPassword = password, Version = "12.0", }); var database = new Database("db", new DatabaseArgs { ResourceGroupName = resourceGroup.Name, ServerName = sqlServer.Name, RequestedServiceObjectiveName = "S0", }); var app = new AppService("app", new AppServiceArgs { ResourceGroupName = resourceGroup.Name, AppServicePlanId = appServicePlan.Id, AppSettings = { { "WEBSITE_RUN_FROM_PACKAGE", codeBlobUrl }, }, ConnectionStrings = { new AppServiceConnectionStringsArgs { Name = "db", Type = "SQLAzure", Value = Output.Tuple <string, string, string>(sqlServer.Name, database.Name, password).Apply(t => { (string server, string database, string pwd) = t; return $"Server= tcp:{server}.database.windows.net;initial catalog={database};userID={username};password={pwd};Min Pool Size=0;Max Pool Size=30;Persist Security Info=true;"; }), }, }, });