refactor: iac deployment

Author: eoaksnes

.mise/config.toml

@@ -3,6 +3,30 @@ python = "3.14.4"
 node = { version = "24.14.1", postinstall = "mise tasks run tools:yarn" }
 pre-commit = "4.5.1"
 uv = "0.11.6"
+shellcheck = "0.10.0"
+
+[env]
+# Name for resource group, Azure resources, app registrations, and Docker image tags.
+# Lowercase alphanumeric and hyphens only. Change once when adopting this template.
+APPLICATION_NAME = "template-fastapi-react"
+
+# Entra ID security group whose members co-own the app registrations alongside the deployer.
+# Empty groups are rejected.
+APP_OWNERS_GROUP = "Team Hermes Radix Admin"
+
+# ServiceNow Business Application ID written to each app registration's
+# `serviceManagementReference` field. Required by Equinor compliance for
+# any app registration.
+SERVICE_MANAGEMENT_REFERENCE = "108392"
+
+# Azure subscription (name or id) all `iac:*` tasks deploy into.
+# The task aborts if `az account show` returns anything else.
+AZURE_SUBSCRIPTION = "R070-WellCoreDB"
+
+# Recipients for App Insights exception alerts (severity 1, 1-hour window).
+# JSON array of email addresses, e.g. '["a@equinor.com","b@equinor.com"]'.
+# "[]" disables alert delivery.
+ALERT_EMAIL_RECIPIENTS = "[]"
 
 [task_config]
 includes = [".mise/tasks/*.toml"]

.mise/tasks/iac.toml

@@ -0,0 +1,53 @@
+["iac:infra"]
+description = "Deploy Azure resources for an environment"
+dir = "{{config_root}}"
+raw = true
+usage = '''
+arg "<env>" help="Target environment (dev|test|prod)"
+flag "--dry-run" help="Run what-if; do not modify resources"
+'''
+run = '''
+source IaC/_lib.sh
+init_task "${usage_env:?}"
+require_config POSTGRES_DB_PASSWORD
+[[ "${usage_dry_run:-false}" == "true" ]] && DRY_RUN=--dry-run || DRY_RUN=
+deploy_bicep stack "$APPLICATION_NAME-$ENVIRONMENT-resources" \
+      IaC/main.bicep IaC/main.bicepparam \
+      $DRY_RUN
+'''
+
+["iac:appreg"]
+description = "Deploy app registrations and create the oauth2-proxy client secret"
+dir = "{{config_root}}"
+raw = true
+usage = '''
+arg "<env>" help="Target environment (dev|test|prod)"
+flag "--dry-run" help="Run what-if; do not modify resources"
+flag "--rotate" help="Generate a new oauth2-proxy client secret"
+'''
+run = '''
+source IaC/_lib.sh
+init_task "${usage_env:?}"
+require_config APP_OWNERS_GROUP
+require_config SERVICE_MANAGEMENT_REFERENCE
+require_active_app_developer_role
+[[ "${usage_dry_run:-false}" == "true" ]] && DRY_RUN=--dry-run || DRY_RUN=
+[[ "${usage_rotate:-false}"  == "true" ]] && ROTATE=--rotate   || ROTATE=
+export OWNER_OBJECT_IDS=$(resolve_owners)
+deploy_bicep sub "$APPLICATION_NAME-app-registration-$ENVIRONMENT" \
+       IaC/app-registration.bicep IaC/app-registration.bicepparam \
+       $DRY_RUN
+[[ -n "$DRY_RUN" ]] && exit 0
+create_oauth2_secret "$ENVIRONMENT" $ROTATE
+'''
+
+["iac:rotate-secret"]
+description = "Rotate the oauth2-proxy client secret"
+dir = "{{config_root}}"
+raw = true
+usage = 'arg "<env>" help="Target environment (dev|test|prod)"'
+run = '''
+source IaC/_lib.sh
+init_task "${usage_env:?}"
+create_oauth2_secret "$ENVIRONMENT" --rotate
+'''

.mise/tasks/lint.toml

@@ -21,10 +21,16 @@ run = [
     "mise run lint:web:typecheck",
 ]
 
+["lint:shell"]
+description = "Lint shell scripts with shellcheck"
+dir = "{{config_root}}"
+run = "shellcheck --shell=bash --external-sources IaC/*.sh"
+
 [lint]
 description = "Lint the entire project"
 run = [
     "mise fmt",
+    "mise run lint:shell",
     "mise run lint:api",
     "mise run lint:web",
 ]

IaC/_lib.sh

@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+set -euo pipefail
+
+readonly DEFAULT_LOCATION="norwayeast"
+readonly PLACEHOLDER_VALUE="REPLACE_ME"
+readonly RBAC_DEPLOY_ACTION="Microsoft.Resources/deployments/write"
+readonly REQUIRED_DIR_ROLE="Application Developer"
+readonly ARM_API_VERSION="2022-04-01"
+
+: "${LOCATION:=$DEFAULT_LOCATION}"
+
+die()  { printf 'ERROR (%s): %s\n' "${FUNCNAME[1]:-_lib}" "$*" >&2; exit 1; }
+warn() { printf 'WARN  (%s): %s\n' "${FUNCNAME[1]:-_lib}" "$*" >&2; }
+info() { printf '[%s] %s\n'        "${FUNCNAME[1]:-_lib}" "$*"; }
+
+require_config() {
+    local var=$1 val=${!1:-}
+    [[ -n "$val" && "$val" != "$PLACEHOLDER_VALUE" ]] \
+        || die "$var is not configured. Edit .mise/config.toml."
+}
+
+ensure_login() {
+    require_config AZURE_SUBSCRIPTION
+    az account show >/dev/null 2>&1 || az login >/dev/null
+    require_subscription
+    require_active_subscription_role
+}
+
+init_task() {
+    export ENVIRONMENT="${1:?environment required (dev|test|prod)}"
+    require_environment
+    ensure_login
+    require_config APPLICATION_NAME
+}
+
+require_subscription() {
+    local active_id active_name
+    active_id=$(az account show --query 'id' -o tsv)
+    active_name=$(az account show --query 'name' -o tsv)
+    if [[ "$active_name" != "$AZURE_SUBSCRIPTION" && "$active_id" != "$AZURE_SUBSCRIPTION" ]]; then
+        warn "active='$active_name' ($active_id), expected='$AZURE_SUBSCRIPTION'"
+        die  "wrong subscription. Run: az account set --subscription '$AZURE_SUBSCRIPTION'"
+    fi
+    export AZURE_SUBSCRIPTION_ID="$active_id"
+}
+
+require_environment() {
+    case "${ENVIRONMENT:-}" in
+        dev|test|prod) ;;
+        *) die "ENVIRONMENT must be dev|test|prod (got '${ENVIRONMENT:-}')" ;;
+    esac
+}
+
+require_active_subscription_role() {
+    local sub=${AZURE_SUBSCRIPTION_ID:?require_subscription must run first}
+    local perms has
+
+    perms=$(az rest --method GET \
+        --url "https://management.azure.com/subscriptions/$sub/providers/Microsoft.Authorization/permissions?api-version=$ARM_API_VERSION" \
+        2>/dev/null) || perms='{"value":[]}'
+
+    # shellcheck disable=SC2016
+    local jq_filter='
+        def covers(p; a):
+            (p == "*") or (p == a) or
+            (p | endswith("/*") and (a | startswith(p[:-1])));
+        [ .value[]?
+          | select(any(.actions[]?;    covers(.; $action)))
+          | select(all(.notActions[]?; covers(.; $action) | not))
+        ] | length'
+    has=$(jq -r --arg action "$RBAC_DEPLOY_ACTION" "$jq_filter" <<<"$perms")
+    [[ "${has:-0}" -gt 0 ]] && return 0
+    cat >&2 <<EOF
+ERROR (require_active_subscription_role): no Owner or Contributor RBAC role is
+active on subscription '$AZURE_SUBSCRIPTION'. Activate one via PIM:
+  https://portal.azure.com → Privileged Identity Management → My roles →
+  Azure resources → Owner or Contributor → Activate (scope: $sub)
+then re-run this task.
+EOF
+    exit 1
+}
+
+require_active_app_developer_role() {
+    local roles
+    roles=$(az rest --method GET \
+        --url 'https://graph.microsoft.com/v1.0/me/memberOf' \
+        --query "value[?\"@odata.type\"=='#microsoft.graph.directoryRole'].displayName" \
+        -o tsv)
+    grep -qFx "$REQUIRED_DIR_ROLE" <<<"$roles" || {
+        cat >&2 <<EOF
+ERROR (require_active_app_developer_role): the '$REQUIRED_DIR_ROLE' Entra ID directory role is
+not active. Activate it via PIM (https://portal.azure.com → Privileged
+Identity Management → My roles → Microsoft Entra roles → $REQUIRED_DIR_ROLE
+→ Activate) and re-run this task.
+Active directory roles: ${roles:-(none)}
+EOF
+        exit 1
+    }
+}
+
+resolve_owners() {
+    local me members count
+    me=$(az ad signed-in-user show --query id -o tsv)
+    members=$(az ad group member list --group "$APP_OWNERS_GROUP" --query '[].id' -o json)
+    count=$(jq 'length' <<<"$members")
+    [[ "$count" -gt 0 ]] || die \
+        "group '$APP_OWNERS_GROUP' has no members; refusing to register apps with only the signed-in user as owner."
+    jq -c --arg me "$me" 'if index($me) then . else [$me] + . end' <<<"$members"
+}
+
+deploy_bicep() {
+    local kind=$1 name=$2 tmpl=$3 params=$4 mode=${5:-apply}
+    case "$mode" in
+        --validate)
+            az bicep build --file "$tmpl" --stdout >/dev/null
+            info "validated $tmpl"
+            return
+            ;;
+        --dry-run)
+            az deployment sub what-if --name "$name" --location "$LOCATION" \
+                --template-file "$tmpl" --parameters "$params" \
+                --exclude-change-types Ignore NoChange \
+                --result-format FullResourcePayloads
+            return
+            ;;
+    esac
+    case "$kind" in
+        stack)
+            az stack sub create --name "$name" --location "$LOCATION" \
+                --template-file "$tmpl" --parameters "$params" \
+                --tags "application=$APPLICATION_NAME" \
+                       "environment=$ENVIRONMENT" "managedBy=bicep" \
+                --action-on-unmanage detachAll \
+                --deny-settings-mode denyWriteAndDelete --yes
+            ;;
+        sub)
+            az deployment sub create --name "$name" --location "$LOCATION" \
+                --template-file "$tmpl" --parameters "$params"
+            ;;
+        *)  die "unknown kind '$kind' (expected stack|sub)" ;;
+    esac
+}
+
+create_oauth2_secret() {
+    local env=$1 rotate=${2:-} display app_id cred existing out
+    display="$APPLICATION_NAME-oauth2-$env"
+    app_id=$(az ad app list --display-name "$display" --query '[0].appId' -o tsv)
+    [[ -n "$app_id" ]] || die "app '$display' not found."
+    cred="oauth2-proxy ($display)"
+    existing=$(az ad app credential list --id "$app_id" \
+        --query "[?displayName=='$cred'].hint" -o tsv)
+    if [[ -n "$existing" && "$rotate" != "--rotate" ]]; then
+        info "secret '$cred' exists (hint: ${existing}***). Pass --rotate to generate a new one."
+        return 0
+    fi
+    out="secrets/OAUTH2_CLIENT_SECRET_$env.txt"
+    (
+        umask 077
+        mkdir -p secrets
+        az ad app credential reset --id "$app_id" --append \
+            --display-name "$cred" --years 1 --query password -o tsv > "$out"
+    )
+    info "wrote $out"
+}

IaC/app-registration.bicep

@@ -29,6 +29,7 @@ param productionHostnames string[] = []
 
 var apiAccessScopeId = guid('api-access-${applicationName}')
 var adminRoleId = guid('admin-role-${applicationName}')
+var defaultRoleId = guid('default-role-${applicationName}')
 
 var productionRedirectUris = [for host in productionHostnames: 'https://${host}/oauth2/callback']
 var productionSwaggerRedirectUris = [for host in productionHostnames: 'https://${host}/api/docs/oauth2-redirect']
@@ -93,11 +94,19 @@ resource apiApp 'Microsoft.Graph/applications@v1.0' = {
     ]
   }
   appRoles: [
+    {
+      id: defaultRoleId
+      allowedMemberTypes: ['User']
+      description: 'Default User Role'
+      displayName: 'default'
+      isEnabled: true
+      value: 'default'
+    }
     {
       id: adminRoleId
-      allowedMemberTypes: ['User', 'Application']
-      description: '${applicationName} administrators.'
-      displayName: 'Admin'
+      allowedMemberTypes: ['User']
+      description: 'Administrator Role'
+      displayName: 'admin'
       isEnabled: true
       value: 'admin'
     }
@@ -167,6 +176,24 @@ resource oauth2App 'Microsoft.Graph/applications@v1.0' = {
       ]
     }
   ]
+  appRoles: [
+    {
+      id: defaultRoleId
+      allowedMemberTypes: ['User']
+      description: 'Default User Role'
+      displayName: 'default'
+      isEnabled: true
+      value: 'default'
+    }
+    {
+      id: adminRoleId
+      allowedMemberTypes: ['User']
+      description: 'Administrator Role'
+      displayName: 'admin'
+      isEnabled: true
+      value: 'admin'
+    }
+  ]
 }
 
 resource oauth2AppSP 'Microsoft.Graph/servicePrincipals@v1.0' = {

IaC/app-registration.bicepparam

@@ -0,0 +1,9 @@
+using './app-registration.bicep'
+
+var env = readEnvironmentVariable('ENVIRONMENT')
+
+param applicationName = readEnvironmentVariable('APPLICATION_NAME')
+param environment = env
+param ownerObjectIds = json(readEnvironmentVariable('OWNER_OBJECT_IDS', '[]'))
+param serviceManagementReference = readEnvironmentVariable('SERVICE_MANAGEMENT_REFERENCE')
+param productionHostnames = env == 'prod' ? ['template-fastapi-react.equinor.com'] : []