refactor: iac deployment

Author: eoaksnes

.mise/config.toml

@@ -4,6 +4,19 @@ node = { version = "24.14.1", postinstall = "mise tasks run tools:yarn" }
 pre-commit = "4.5.1"
 uv = "0.11.6"
 
+[env]
+# Application name, used for naming resources and app registrations. Change to your application name.
+APPLICATION_NAME = "template-fastapi-react"
+# Entra group that should be added as owner to the app registration.
+# Required for iac:deploy:appreg. Change to your team's owners group or leave empty to be prompted by iac:deploy:appreg.
+ENTRA_APP_OWNERS_GROUP = ""
+# ServiceNow Business Application ID. Required by Equinor IAM compliance for
+# production app registrations. Leave empty to be prompted by iac:deploy:appreg.
+SERVICE_MANAGEMENT_REFERENCE = ""
+# Guard against accidental deploys into the wrong subscription. Compared against
+# the active subscription's name and id.
+EXPECTED_SUBSCRIPTION = ""
+
 [task_config]
 includes = [".mise/tasks/*.toml"]
 

IaC/app-registration.bicep

@@ -29,6 +29,7 @@ param productionHostnames string[] = []
 
 var apiAccessScopeId = guid('api-access-${applicationName}')
 var adminRoleId = guid('admin-role-${applicationName}')
+var defaultRoleId = guid('default-role-${applicationName}')
 
 var productionRedirectUris = [for host in productionHostnames: 'https://${host}/oauth2/callback']
 var productionSwaggerRedirectUris = [for host in productionHostnames: 'https://${host}/api/docs/oauth2-redirect']
@@ -93,11 +94,19 @@ resource apiApp 'Microsoft.Graph/applications@v1.0' = {
     ]
   }
   appRoles: [
+    {
+      id: defaultRoleId
+      allowedMemberTypes: ['User']
+      description: 'Default User Role'
+      displayName: 'default'
+      isEnabled: true
+      value: 'default'
+    }
     {
       id: adminRoleId
-      allowedMemberTypes: ['User', 'Application']
-      description: '${applicationName} administrators.'
-      displayName: 'Admin'
+      allowedMemberTypes: ['User']
+      description: 'Administrator Role'
+      displayName: 'admin'
       isEnabled: true
       value: 'admin'
     }
@@ -167,6 +176,24 @@ resource oauth2App 'Microsoft.Graph/applications@v1.0' = {
       ]
     }
   ]
+  appRoles: [
+    {
+      id: defaultRoleId
+      allowedMemberTypes: ['User']
+      description: 'Default User Role'
+      displayName: 'default'
+      isEnabled: true
+      value: 'default'
+    }
+    {
+      id: adminRoleId
+      allowedMemberTypes: ['User']
+      description: 'Administrator Role'
+      displayName: 'admin'
+      isEnabled: true
+      value: 'admin'
+    }
+  ]
 }
 
 resource oauth2AppSP 'Microsoft.Graph/servicePrincipals@v1.0' = {

IaC/deploy-app-registration.sh

@@ -1,6 +1,6 @@
 targetScope='subscription'
 
-@allowed([ 'dev', 'staging', 'prod' ])
+@allowed([ 'dev', 'test', 'prod' ])
 param environment string
 @description('Specifies the location for resources.')
 param resourceGroupLocation string = 'norwayeast'