Merge pull request #5575 from dfe-analytical-services/dev

Merge Dev into Master.

Author: N-moh

.gitignore

@@ -73,6 +73,10 @@ useful-scripts/get_data_block_responses/results*
 
 src/GovUk.Education.ExploreEducationStatistics.Data.Seed/Files/
 
+## Infrastructure build artifacts
+
+infrastructure/templates/public-api/main.json
+
 ## Misc
 
 *.~lock*

infrastructure/templates/public-api/abbreviations.bicep

@@ -5,8 +5,7 @@ var abbreviations = {
   appManagedEnvironments: 'cae'
   // TODO - remove the "-flexibleserver" suffix and change the suffix of our PSQL instance to "-01"
   dBforPostgreSQLServers: 'psql-flexibleserver'
-  // 'fs' is non-standard - it should be 'share'
-  fileShare: 'fs'
+  fileShare: 'share'
   // 'ai' is non-standard - it should be 'appi'
   insightsComponents: 'ai'
   managedIdentityUserAssignedIdentities: 'id'

infrastructure/templates/public-api/application/public-api/publicApiDataProcessor.bicep

@@ -62,13 +62,13 @@ resource outboundVnetSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-0
   parent: vNet
 }
 
-resource inboundVnetSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
+resource privateEndpointsSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
   name: resourceNames.existingResources.subnets.dataProcessorPrivateEndpoints
   parent: vNet
 }
 
 // Deploy Data Processor Function.
-module dataProcessorFunctionAppModule '../../components/functionApp.bicep' = {
+module dataProcessorFunctionAppModule '../../components/durableFunctionApp.bicep' = {
   name: 'dataProcessorFunctionAppDeploy'
   params: {
     functionAppName: resourceNames.publicApi.dataProcessor
@@ -77,7 +77,10 @@ module dataProcessorFunctionAppModule '../../components/functionApp.bicep' = {
     location: location
     applicationInsightsKey: applicationInsightsKey
     subnetId: outboundVnetSubnet.id
-    privateEndpointSubnetId: inboundVnetSubnet.id
+    privateEndpoints: {
+      functionApp: privateEndpointsSubnet.id
+      storageAccounts: privateEndpointsSubnet.id
+    }
     publicNetworkAccessEnabled: true
     functionAppFirewallRules: functionAppFirewallRules
     entraIdAuthentication: {

infrastructure/templates/public-api/application/public-api/publicApiStorage.bicep

@@ -1,15 +1,15 @@
-import { ResourceNames, IpRange } from '../../types.bicep'
+import { ResourceNames, IpRange, PublicApiStorageAccountConfig } from '../../types.bicep'
 
 @description('Specifies common resource naming variables.')
 param resourceNames ResourceNames
 
 @description('Specifies the location for all resources.')
 param location string
 
-@description('Public API Storage : Size of the file share in GB.')
-param publicApiDataFileShareQuotaGbs int
+@description('Public API storage account and file share configuration.')
+param config PublicApiStorageAccountConfig
 
-@description('Public API Storage : Firewall rules.')
+@description('Firewall rules.')
 param storageFirewallRules IpRange[]
 
 @description('Specifies a set of tags with which to tag the resource in Azure.')
@@ -22,41 +22,29 @@ resource vNet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
   name: resourceNames.existingResources.vNet
 }
 
-resource dataProcessorSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
-  name: resourceNames.existingResources.subnets.dataProcessor
+resource storagePrivateEndpointSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
+  name: resourceNames.existingResources.subnets.storagePrivateEndpoints
   parent: vNet
 }
 
-resource containerAppEnvironmentSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
-  name: resourceNames.existingResources.subnets.containerAppEnvironment
-  parent: vNet
-}
-
-resource publisherSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
-  name: resourceNames.existingResources.subnets.publisherFunction
-  parent: vNet
-}
-
-// TODO EES-5128 - add private endpoints to allow VNet traffic to go directly to Storage Account over the VNet.
-// Currently supported by subnet whitelisting and Storage service endpoints being enabled on the whitelisted subnets.
 module publicApiStorageAccountModule '../../components/storageAccount.bicep' = {
   name: 'publicApiStorageAccountDeploy'
   params: {
     location: location
     storageAccountName: resourceNames.publicApi.publicApiStorageAccount
-    allowedSubnetIds: [
-      dataProcessorSubnet.id
-      containerAppEnvironmentSubnet.id
-      publisherSubnet.id
-    ]
+    publicNetworkAccessEnabled: false
     firewallRules: storageFirewallRules
-    skuStorageResource: 'Standard_LRS'
+    sku: config.sku
+    kind: config.kind
     keyVaultName: resourceNames.existingResources.keyVault
     alerts: deployAlerts ? {
       availability: true
       latency: true
       alertsGroupName: resourceNames.existingResources.alertsGroup
     } : null
+    privateEndpointSubnetIds: {
+      file: storagePrivateEndpointSubnet.id
+    }
     tagValues: tagValues
   }
 }
@@ -65,9 +53,9 @@ module dataFilesFileShareModule '../../components/fileShare.bicep' = {
   name: 'fileShareDeploy'
   params: {
     fileShareName: resourceNames.publicApi.publicApiFileShare
-    fileShareQuotaGbs: publicApiDataFileShareQuotaGbs
+    fileShareQuotaGbs: config.fileShare.quotaGbs
     storageAccountName: publicApiStorageAccountModule.outputs.storageAccountName
-    fileShareAccessTier: 'TransactionOptimized'
+    fileShareAccessTier: config.fileShare.accessTier
     alerts: deployAlerts ? {
       availability: true
       latency: true

infrastructure/templates/public-api/application/shared/postgreSqlFlexibleServer.bicep

@@ -1,4 +1,4 @@
-import { ResourceNames, IpRange, PrincipalNameAndId } from '../../types.bicep'
+import { ResourceNames, IpRange, PrincipalNameAndId, PostgreSqlFlexibleServerConfig } from '../../types.bicep'
 
 @description('Specifies common resource naming variables.')
 param resourceNames ResourceNames
@@ -13,14 +13,8 @@ param adminName string
 @secure()
 param adminPassword string
 
-@description('SKU name.')
-param sku string = 'Standard_B1ms'
-
-@description('Storage Size in GB.')
-param storageSizeGB int = 32
-
-@description('Autogrow setting.')
-param autoGrowStatus string = 'Disabled'
+@description('Server configuration.')
+param serverConfig PostgreSqlFlexibleServerConfig
 
 @description('Firewall rules.')
 param firewallRules IpRange[] = []
@@ -31,9 +25,6 @@ param privateEndpointSubnetId string
 @description('An array of Entra ID admin principal names for this resource')
 param entraIdAdminPrincipals PrincipalNameAndId[] = []
 
-@description('Whether backups will be geo-redundant rather than zone-redundant')
-param geoRedundantBackupEnabled bool
-
 @description('Whether to create or update Azure Monitor alerts during this deploy')
 param deployAlerts bool
 
@@ -45,7 +36,7 @@ var formattedFirewallRules = map(firewallRules, rule => {
   cidr: rule.cidr
 })
 
-module postgreSqlServerModule '../../components/postgresqlDatabase.bicep' = {
+module postgreSqlServerModule '../../components/postgreSqlFlexibleServer.bicep' = {
   name: 'postgreSQLDatabaseDeploy'
   params: {
     databaseServerName: resourceNames.sharedResources.postgreSqlFlexibleServer
@@ -54,14 +45,10 @@ module postgreSqlServerModule '../../components/postgresqlDatabase.bicep' = {
     adminName: adminName
     adminPassword: adminPassword
     entraIdAdminPrincipals: entraIdAdminPrincipals
-    dbSkuName: sku
-    dbStorageSizeGB: storageSizeGB
-    dbAutoGrowStatus: autoGrowStatus
-    postgreSqlVersion: '16'
+    serverConfig: serverConfig
     firewallRules: formattedFirewallRules
     databaseNames: ['public_data']
     privateEndpointSubnetId: privateEndpointSubnetId
-    geoRedundantBackup: geoRedundantBackupEnabled ? 'Enabled' : 'Disabled'
     alerts: deployAlerts ? {
       availability: true
       queryTime: true
@@ -80,17 +67,6 @@ module postgreSqlServerModule '../../components/postgresqlDatabase.bicep' = {
   }
 }
 
-resource maxPreparedTransactionsConfig 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2022-12-01' = {
-  name: '${resourceNames.sharedResources.postgreSqlFlexibleServer}/max_prepared_transactions'
-  properties: {
-    value: '100'
-    source: 'user-override'
-  }
-  dependsOn: [
-    postgreSqlServerModule
-  ]
-}
-
 var managedIdentityConnectionStringTemplate = postgreSqlServerModule.outputs.managedIdentityConnectionStringTemplate
 
 var dataProcessorPsqlConnectionStringSecretKey = 'ees-publicapi-data-processor-connectionstring-publicdatadb'

infrastructure/templates/public-api/application/shared/privateDnsZones.bicep

@@ -27,8 +27,42 @@ module sitesPrivateDnsZoneModule '../../components/privateDnsZone.bicep' = {
   }
 }
 
-output postgreSqlPrivateDnsZoneId string = postgreSqlPrivateDnsZoneModule.outputs.privateDnsZoneId
-output postgreSqlPrivateDnsZoneName string = postgreSqlPrivateDnsZoneModule.outputs.privateDnsZoneName
+// Set up a Private DNS zone for handling private endpoints for Storage Account File Services.
+module fileServicePrivateDnsZoneModule '../../components/privateDnsZone.bicep' = {
+  name: 'fileServicePrivateDnsZoneDeploy'
+  params: {
+    zoneType: 'fileService'
+    vnetName: resourceNames.existingResources.vNet
+    tagValues: tagValues
+  }
+}
+
+// Set up a Private DNS zone for handling private endpoints for Storage Account Blob Storage.
+module blobStoragePrivateDnsZoneModule '../../components/privateDnsZone.bicep' = {
+  name: 'blobStoragePrivateDnsZoneDeploy'
+  params: {
+    zoneType: 'blobStorage'
+    vnetName: resourceNames.existingResources.vNet
+    tagValues: tagValues
+  }
+}
 
-output sitesPrivateDnsZoneId string = sitesPrivateDnsZoneModule.outputs.privateDnsZoneId
-output sitesPrivateDnsZoneName string = sitesPrivateDnsZoneModule.outputs.privateDnsZoneName
+// Set up a Private DNS zone for handling private endpoints for Storage Account Queues.
+module queuePrivateDnsZoneModule '../../components/privateDnsZone.bicep' = {
+  name: 'queuePrivateDnsZoneDeploy'
+  params: {
+    zoneType: 'queue'
+    vnetName: resourceNames.existingResources.vNet
+    tagValues: tagValues
+  }
+}
+
+// Set up a Private DNS zone for handling private endpoints for Storage Account Table Storage.
+module tableStoragePrivateDnsZoneModule '../../components/privateDnsZone.bicep' = {
+  name: 'tableStoragePrivateDnsZoneDeploy'
+  params: {
+    zoneType: 'tableStorage'
+    vnetName: resourceNames.existingResources.vNet
+    tagValues: tagValues
+  }
+}

infrastructure/templates/public-api/application/shared/virtualNetwork.bicep

@@ -44,6 +44,11 @@ resource appGatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01'
   parent: vNet
 }
 
+resource storageAccountPrivateEndpointSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
+  name: subnets.storagePrivateEndpoints
+  parent: vNet
+}
+
 @description('The fully qualified Azure resource ID of the virtual network')
 output vnetId string = resourceId('Microsoft.Network/VirtualNetworks', resourceNames.existingResources.vNet)
 
@@ -103,3 +108,6 @@ output psqlFlexibleServerSubnetEndIpAddress string = parseCidr(psqlFlexibleServe
 
 @description('The fully qualified Azure resource ID of the App Gateway Subnet.')
 output appGatewaySubnetRef string = appGatewaySubnet.id
+
+@description('The fully qualified Azure resource ID of the Public API Storage Account Private Endpoint Subnet.')
+output storageAccountPrivateEndpointSubnetRef string = storageAccountPrivateEndpointSubnet.id

infrastructure/templates/public-api/ci/jobs/deploy-data-processor.yml

@@ -24,7 +24,7 @@ jobs:
             - template: ../tasks/bicep-output-variables.yml
               parameters:
                 serviceConnection: ${{ parameters.serviceConnection }}
-
+                
             # We do config updates out of Bicep template so we can implement slot swapping.
             # Changes are first deployed to the staging slot and combined with a fresh
             # code deploy prior to being swapped with the production slot.
@@ -66,18 +66,17 @@ jobs:
                     --settings \
                       "[email protected](VaultName=$(keyVaultName); SecretName=$(dataProcessorPsqlConnectionStringSecretKey))"
 
-            # TODO EES-5128
-            # Retry deploying the Function App in order to allow the staging slot the time to
-            # fully restart after config and network settings have been updated prior to deploy.
-            #
-            # Deploying prematurely results in a 500 from the deployment endpoint until the
-            # endpoint is ready to accept the deployment request.
-            #
-            # In the future it would be preferable to have a health check Function that can
-            # check the site is ready, but we need to add the Service Principal to allowed
-            # Client IDs / Identities that can access the Function App. The Service Principal
-            # that is performing the deploy can be accessed by using the `addSpnToEnvironment`
-            # config option in the task definition and using the $(servicePrincipalId) variable.
+            - template: ../tasks/wait-for-endpoint-success.yml
+              parameters:
+                serviceConnection: ${{ parameters.serviceConnection }}
+                displayName: Checking that staging slot is healthy after updating appsettings
+                maxAttempts: 20
+                accessTokenScope: $(dataProcessorAppRegistrationClientId)
+                endpoint: $(dataProcessorFunctionAppStagingUrl)/api/HealthCheck
+                # We allow 404s because if this is the first time the Function App is being deployed, there won't be any
+                # deployed code yet in the staging slot.
+                allow404s: true
+
             - task: AzureCLI@2
               displayName: Deploy to staging slot
               retryCountOnTaskFailure: 10

infrastructure/templates/public-api/ci/jobs/deploy-infrastructure.yml

@@ -44,21 +44,12 @@ jobs:
                 deployAlerts: false
                 dataProcessorExists: false
 
-            - task: AzureCLI@2
-              displayName: Check if Data Processor Function App exists
-              inputs:
-                azureSubscription: ${{ parameters.serviceConnection }}
-                scriptType: bash
-                scriptLocation: inlineScript
-                inlineScript: |
-                  set -e
-                  dataProcessorExists=`az functionapp list --resource-group $(resourceGroupName) --query "[?name=='$(dataProcessorFunctionAppName)']" | jq '. != []'`
-      
-                  if [[ "$dataProcessorExists" == "true" ]]; then
-                    echo "Data Processor Function App exists"
-                  fi
-      
-                  echo "##vso[task.setvariable variable=dataProcessorExists;]$dataProcessorExists"
+            - template: ../tasks/check-function-app-exists.yml
+              parameters:
+                serviceConnection: ${{ parameters.serviceConnection }}
+                resourceGroupName: $(resourceGroupName)
+                functionAppName: $(dataProcessorFunctionAppName)
+                variableName: dataProcessorExists
 
             - template: ../tasks/deploy-bicep.yml
               parameters:

infrastructure/templates/public-api/ci/tasks/check-function-app-exists.yml

@@ -0,0 +1,26 @@
+parameters:
+  - name: serviceConnection
+    type: string
+  - name: resourceGroupName
+    type: string    
+  - name: functionAppName
+    type: string
+  - name: variableName
+    type: string
+
+steps:
+  - task: AzureCLI@2
+    displayName: Check if ${{ parameters.functionAppName }} exists
+    inputs:
+      azureSubscription: ${{ parameters.serviceConnection }}
+      scriptType: bash
+      scriptLocation: inlineScript
+      inlineScript: |
+        set -e
+        functionAppExists=`az functionapp list --resource-group ${{ parameters.resourceGroupName }} --query "[?name=='${{ parameters.functionAppName }}']" | jq '. != []'`
+
+        if [[ "$functionAppExists" == "true" ]]; then
+          echo "${{ parameters.functionAppName }} exists"
+        fi
+
+        echo "##vso[task.setvariable variable=${{ parameters.variableName }};]$functionAppExists"