Merge dev PR

terraform/application/app.tf

@@ -23,7 +23,7 @@ resource "azurerm_linux_web_app" "this" {
     use_32_bit_worker = false
     always_on         = true
     application_stack {
-      python_version = "3.8"
+      python_version = "3.9"
     }
     app_command_line = "gunicorn icenet_app.app:app"
   }
@@ -32,7 +32,8 @@ resource "azurerm_linux_web_app" "this" {
     "ICENET_AUTH_LIST"        = "/data/auth_list.json"
     "ICENET_DATA_LOCATION"    = "/data"
 #    "ENABLE_ORYX_BUILD"              = "true"
-#    "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
+    "SCM_DO_BUILD_DURING_DEPLOYMENT" = "true"
+    "DOCKER_ENABLE_CI" = "true"
   }
 
   storage_account {
@@ -44,6 +45,18 @@ resource "azurerm_linux_web_app" "this" {
     mount_path    = "/data"
   }
 
+  logs {
+    application_logs {
+      file_system_level = "Information"
+    }
+    http_logs {
+      file_system {
+        retention_in_days = 7
+        retention_in_mb = 100
+      }
+    }
+  }
+
   tags = local.tags
 }
 

terraform/backend.tf

@@ -6,7 +6,7 @@ terraform {
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "=3.59.0"
+      version = "=3.90.0"
     }
     null = {
       source  = "hashicorp/null"

terraform/forecast_processor/functions.tf

@@ -121,6 +121,13 @@ resource "azurerm_linux_function_app" "this" {
     # enabled which mounts over the contents of the container.
     # https://github.com/Azure/azure-functions-docker/issues/642
     "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
+    # Use an SAS Token with Blob read/list access
+    "AZURE_STORAGE_SAS_TOKEN" = var.storage_sas_token
+    # Use a service principal with blob read/list access (use either SAS token or service principal)
+    #"AZURE_CLIENT_ID" = var.service_principal_client_id
+    #"AZURE_CLIENT_SECRET" = var.service_principal_secret_val
+    #"AZURE_TENANT_ID" = var.tenant_id
+    #"AZURE_SUBSCRIPTION_ID" = var.subscription_id
   }
   identity {
     type          = "SystemAssigned"
@@ -140,29 +147,11 @@ resource "azurerm_linux_function_app" "this" {
   }
 }
 
-resource "azurerm_role_definition" "app_data_read" {
-  description        = "Allows for read access to Azure Storage blob containers and data"
-  name               = "${local.app_name}-role-read-forecast-data"
-  scope              = var.data_storage_account.id
-
-  permissions {
-      actions          = [
-          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-          "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
-      ]
-      data_actions     = [
-          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-      ]
-      not_actions      = []
-      not_data_actions = []
-  }
-}
-
-resource "azurerm_role_assignment" "app_data_read_assoc" {
-  scope              = var.data_storage_account.id
-  role_definition_id = azurerm_role_definition.app_data_read.role_definition_resource_id
-  principal_id       = azurerm_linux_function_app.this.identity.0.principal_id
-}
+#resource "azurerm_role_assignment" "storage_blob_data_reader_assoc" {
+#  scope              = var.data_storage_account.id
+#  role_definition_name = "Storage Blob Data Reader"
+#  principal_id       = azurerm_linux_function_app.this.identity.0.principal_id
+#}
 
 #resource "azurerm_private_endpoint" "event_proc_endpoint" {
 #  name                = "pvt-${var.project_name}-event-processing"

terraform/forecast_processor/variables.tf

@@ -53,6 +53,32 @@ variable "default_tags" {
     default = {}
 }
 
+variable "subscription_id" {
+  description = "Which Azure subscription to build in"
+  type        = string
+}
+variable "tenant_id" {
+  description = "Which Azure tenant to build in"
+  type        = string
+}
+variable "storage_sas_token" {
+  description = "Blob storage SAS token"
+  type        = string
+  sensitive   = true
+}
+variable "service_principal_client_id" {
+  description = "The special client/app ID, generated service principal for read/list blob storage access"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+variable "service_principal_secret_val" {
+  description = "Secret value of above service principal"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+
 # Local variables
 locals {
   tags = merge(

terraform/main.tf

@@ -101,6 +101,11 @@ module "forecast_processor" {
   notification_email           = var.notification_email
   sendfrom_email               = var.sendfrom_email
   dns_zone                     = module.network.dns_zone
+  storage_sas_token            = var.storage_sas_token
+  service_principal_client_id  = var.service_principal_client_id
+  service_principal_secret_val = var.service_principal_secret_val
+  tenant_id                    = var.tenant_id
+  subscription_id              = var.subscription_id
 }
 
 module "web" {

terraform/variables.tf

@@ -15,6 +15,23 @@ variable "tenant_id" {
   description = "Which Azure tenant to build in"
   type        = string
 }
+variable "storage_sas_token" {
+  description = "Blob storage SAS token"
+  type        = string
+  sensitive   = true
+}
+variable "service_principal_client_id" {
+  description = "The special client/app ID, generated service principal for read/list blob storage access"
+  type        = string
+  default     = null
+  sensitive   = true
+}
+variable "service_principal_secret_val" {
+  description = "Secret value of above service principal"
+  type        = string
+  default     = null
+  sensitive   = true
+}
 
 # These have sensible defaults
 variable "domain_name" {