Updated resource provisioning script with creation of app registration for our function app, where the client id is automatically set in the appsettings of said function using config set

Author: hvalfangst

README.md

@@ -1,10 +1,11 @@
 # Static web app invoking Azure functions
 
-Static web app built with the React framework. The [application](client/src/App.js) allows users to upload CSV files to a storage blob via an HTTP-triggered function.
-The uploaded files are then processed by a blob-triggered function, which stores the results in a separate container. Aforementioned functions
-are present in the [function_app.py](hvalfangst_function/function_app.py) python script - which is the main entrypoint of our Azure Function App instance.
+This [static web app](client/src/App.js), built with the React framework, enables users to upload CSV files containing demographic and financial data about individuals to a designated storage blob (**in**) via an HTTP-triggered Azure Function. 
+Once uploaded, a blob-triggered Azure Function processes the files to calculate correlations between various variables, such as experience, state, gender, and income. The computed statistics are then stored in a separate storage blob (**out**). 
+These functions are implemented in the python script [function_app.py](hvalfangst_function/function_app.py); which is the main entrypoint of our Azure Function App instance.
 
-A pipeline has been set up to deploy the function app and the static web app to Azure using GitHub Actions. The pipeline is triggered by a push to the main branch or by manually running the workflow.
+A branch-triggered pipeline has been set up to deploy the function app and the static web app to Azure using a GitHub Actions Workflow [script](.github/workflows/deploy_to_azure.yml). A service principal has been created as part of the resource provisioning script, which is used
+to authenticate our requests in said pipeline script. It is therefore important to set the associated GitHub secrets in the repository settings.
 
 
 
@@ -18,8 +19,8 @@ A pipeline has been set up to deploy the function app and the static web app to
 
 ## Allocate resources
 
-The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources specified in a
-[Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) template [file](infra/main.bicep).
+The shell script [allocate_resources](infra/allocate_resources.sh) creates Azure resources using the Azure CLI and a
+[Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview?tabs=bicep) template [file](infra/main.bicep). 
 
 It will create the following hierarchy of resources:
 
@@ -41,20 +42,11 @@ graph TD
     B -->|Contains| F
 ```
 
-## Deallocate resources
-
-The shell script [deallocate_resources](infra/deallocate_resources.sh) deletes our Azure resources.
-
-# CI/CD
-
-A CI/CD pipeline for deploying our [Function App](hvalfangst_function/function_app.py) to Azure has been set up using a GitHub Actions workflows [script](.github/workflows/deploy_to_azure.yml). The pipeline is either triggered by a push to the main branch or by manually running the workflow. 
-In order for the pipeline to work, the following secrets must be set in the repository settings:
-
-![img.png](img.png)
-
-The associated values of the aforementioned secret can be retrieved from the Azure portal, under our deployed Function App.
-Click on the **Get publish profile** button and copy/paste the file content into the secret value field.
-
-![img_1.png](img_1.png)
-
+## GitHub secrets
+As touched upon earlier, the GitHub secret **AZURE_CREDENTIALS** must be set in the repository settings. This secret comprises a JSON object containing the service principal credentials.
+It is generated by the Azure CLI command `az ad sp create-for-rbac`, which
+was executed as part of our [resource provisioning script](infra/allocate_resources.sh). The resulting terminal output of said command needs to be copy/pasted to the secret field.
+Again, it is used to authenticate our requests in the [GitHub Actions Workflow script](.github/workflows/deploy_to_azure.yml) as contributor access to the resource group is necessary
+in order to deploy our function and static web app. There are many ways to do this, but this is obviously a simple example.
 
+![img_2.png](img_2.png)

img_2.png

@@ -1,21 +1,23 @@
 #!/bin/bash
 
-# Define colors for console output
+# Colors for console output
 GREEN="\e[32m"
 RED="\e[31m"
 BLUE="\e[34m"
 CYAN="\e[36m"
 YELLOW="\e[33m"
 RESET="\e[0m"
 
-# Variables
-SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+# Constants
 RESOURCE_GROUP="hvalfangstresourcegroup"
 STORAGE_ACCOUNT_NAME="hvalfangststorageaccount"
 FUNCTION_APP_NAME="hvalfangstlinuxfunctionapp"
 LOCATION="westeurope"
 BICEP_FILE="infra/main.bicep"
 
+# Set environment variable to prevent path conversion in MSYS (https://github.com/Azure/azure-cli/blob/dev/doc/use_cli_with_git_bash.md#auto-translation-of-resource-ids)
+export MSYS_NO_PATHCONV=1;
+
 # Function to handle errors
 handle_error() {
     echo -e "${RED}Error occurred in script at line: ${BASH_LINENO[0]}. Exiting...${RESET}"
@@ -25,7 +27,7 @@ handle_error() {
 # Set trap to catch errors and execute handle_error
 trap 'handle_error' ERR
 
-# Check if logged in to Azure
+# Check if you are logged in to Azure
 echo -e "${YELLOW}Checking if logged in to Azure...${RESET}"
 az account show
 
@@ -34,9 +36,13 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
+# Variables retrieved from Azure CLI
+SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+TENANT_ID=$(az account show --query tenantId --output tsv)
+
 # Create Resource Group
-echo -e "${YELLOW}Creating resource group $RESOURCE_GROUP in $LOCATION ${RESET}"
-az group create --name $RESOURCE_GROUP --location $LOCATION
+echo -e "${YELLOW}Creating resource group ${RESOURCE_GROUP} in ${LOCATION} ${RESET}"
+az group create --name ${RESOURCE_GROUP} --location ${LOCATION}
 if [ $? -ne 0 ]; then
     echo -e "${RED}Failed to create resource group.${RESET}"
     exit 1
@@ -51,13 +57,15 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
+# Create service principal used by GitHub Actions, the returned JSON is stored as secret in the GitHub repository
 echo -e "${YELLOW}Creating service principal...${RESET}"
-az ad sp create-for-rbac --name hvalfangst --role contributor --scopes /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP --sdk-auth
+az ad sp create-for-rbac --name hvalfangst-github-actions-sp --role contributor --scopes /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}
 if [ $? -ne 0 ]; then
     echo -e "${RED}Failed to create service principal.${RESET}"
     exit 1
 fi
 
+# Set up our storage container to serve static website with default index and 404 page
 echo -e "${YELLOW}Setting up static website...${RESET}"
 az storage blob service-properties update \
   --account-name ${STORAGE_ACCOUNT_NAME} \
@@ -69,12 +77,36 @@ if [ $? -ne 0 ]; then
     exit 1
 fi
 
+# Set up CORS for our Function App, which is used for our HTTP-triggered function
 echo -e "${YELLOW}Setting up CORS for function app...${RESET}"
-az functionapp cors add --name ${FUNCTION_APP_NAME} --resource-group $RESOURCE_GROUP --allowed-origins http://localhost:3000
-az functionapp cors add --name ${FUNCTION_APP_NAME} --resource-group $RESOURCE_GROUP --allowed-origins https://hvalfangststorageaccount.z6.web.core.windows.net
+az functionapp cors add --name ${FUNCTION_APP_NAME} --resource-group ${RESOURCE_GROUP} --allowed-origins http://localhost:3000
+az functionapp cors add --name ${FUNCTION_APP_NAME} --resource-group ${RESOURCE_GROUP} --allowed-origins https://hvalfangststorageaccount.z6.web.core.windows.net
 if [ $? -ne 0 ]; then
     echo -e "${RED}Failed to set up CORS for function app.${RESET}"
     exit 1
 fi
 
-echo -e "${GREEN}All resources have been provisioned.${RESET}"
+# Set up app registration for function app
+echo -e "${YELLOW}Setting up app registration for function app...${RESET}"
+FUNCTION_APP_CLIENT_ID=$(az ad app create \
+  --display-name "hvalfangst-function-app" \
+  --query appId -o tsv)
+
+if [ $? -ne 0 ] || [ -z "$FUNCTION_APP_CLIENT_ID" ]; then
+    echo -e "${RED}Failed to set up app registration or retrieve the app ID.${RESET}"
+    exit 1
+fi
+
+# Set up app settings for the function app
+echo -e "${YELLOW}Setting up app settings for function app...${RESET}"
+az functionapp config appsettings set \
+    --name ${FUNCTION_APP_NAME} \
+    --resource-group ${RESOURCE_GROUP} \
+    --settings TENANT_ID=${TENANT_ID} FUNCTION_APP_CLIENT_ID=${FUNCTION_APP_CLIENT_ID}
+if [ $? -ne 0 ]; then
+    echo -e "${RED}Failed to set up app settings for function app.${RESET}"
+    exit 1
+fi
+
+
+echo -e "${GREEN}All resources have been provisioned.${RESET}"