// ---------------------------------------------------------------------------
// app-service-api.bicep — Java 17 App Service for Spring Boot API
// ---------------------------------------------------------------------------
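@description('Name of the API App Service.')
param name string

@description('Azure region.')
param location string

@description('Resource ID of the App Service Plan.')
param appServicePlanId string

@description('API app registration client ID from Entra ID.')
param apiClientId string

@description('Microsoft Entra ID tenant ID.')
param tenantId string

@description('Storage account name for evidence blobs.')
param storageAccountName string

@description('Application Insights connection string.')
param appInsightsConnectionString string

@description('Allowed origin for CORS (typically the SPA App Service URL).')
param allowedOrigin string

@description('Resource ID of the subnet for App Service Regional VNet integration. Empty string disables integration.')
param virtualNetworkSubnetId string = ''

@description('Inbound public network access for the site. VNet integration only governs outbound traffic, so this is the switch that decides whether the API is reachable from the internet; set to Disabled when inbound is served through a private endpoint. Defaults to Enabled to preserve the previous behaviour.')
@allowed([
  'Enabled'
  'Disabled'
])
param publicNetworkAccess string = 'Enabled'

@description('Resource tags.')
param tags object = {}

// Outbound VNet integration is switched on solely by the presence of a subnet ID.
var enableVnetIntegration = !empty(virtualNetworkSubnetId)

resource apiApp 'Microsoft.Web/sites@2023-12-01' = {
  name: name
  location: location
  tags: tags
  identity: {
    // System-assigned identity; its principalId is exported below so the caller
    // can grant it data-plane roles (e.g. on the storage account) instead of
    // shipping keys in app settings.
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: appServicePlanId
    // Plain-HTTP requests are redirected to HTTPS by the platform.
    httpsOnly: true
    // null (not '') is required to leave the site un-integrated.
    virtualNetworkSubnetId: enableVnetIntegration ? virtualNetworkSubnetId : null
    // Inbound exposure is controlled independently of outbound VNet integration.
    publicNetworkAccess: publicNetworkAccess
    siteConfig: {
      linuxFxVersion: 'JAVA|17-java17'
      alwaysOn: true
      // No FTP/FTPS deployment channel; deployments go through the ARM/Kudu path.
      ftpsState: 'Disabled'
      minTlsVersion: '1.2'
      // Route all outbound traffic through the integrated subnet when one is given.
      vnetRouteAllEnabled: enableVnetIntegration
      appSettings: [
        {
          // Port the Spring Boot container listens on.
          name: 'WEBSITES_PORT'
          value: '8080'
        }
        {
          name: 'SPRING_PROFILES_ACTIVE'
          value: 'prod'
        }
        {
          name: 'SPRING_CLOUD_AZURE_ACTIVE_DIRECTORY_CREDENTIAL_CLIENT_ID'
          value: apiClientId
        }
        {
          name: 'SPRING_CLOUD_AZURE_ACTIVE_DIRECTORY_PROFILE_TENANT_ID'
          value: tenantId
        }
        {
          name: 'SPRING_CLOUD_AZURE_ACTIVE_DIRECTORY_APP_ID_URI'
          value: 'api://${apiClientId}'
        }
        {
          // Built from the cloud's login endpoint (which carries a trailing '/')
          // rather than a hard-coded host, so the template also works in
          // sovereign clouds.
          name: 'JWT_ISSUER_URI'
          value: '${environment().authentication.loginEndpoint}${tenantId}/v2.0'
        }
        {
          // Comma-separated list: the App ID URI and the bare client ID are both
          // accepted as 'aud', covering tokens issued in either audience format.
          name: 'JWT_AUDIENCE'
          value: 'api://${apiClientId},${apiClientId}'
        }
        {
          name: 'AZURE_TENANT_ID'
          value: tenantId
        }
        {
          name: 'AZURE_STORAGE_ACCOUNT_NAME'
          value: storageAccountName
        }
        {
          name: 'AZURE_STORAGE_CONTAINER_NAME'
          value: 'evidence'
        }
        {
          // Consumed by the API's CORS filter; only this origin is allowed.
          name: 'CORS_ALLOWED_ORIGINS'
          value: allowedOrigin
        }
        {
          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
          value: appInsightsConnectionString
        }
        {
          // Legacy app-setting form of vnetRouteAllEnabled above; kept in step
          // with it so all outbound traffic (including the storage call, which
          // the author expects to resolve via the privatelink.dfs.core.windows.net
          // zone) goes through the VNet when integration is on.
          name: 'WEBSITE_VNET_ROUTE_ALL'
          value: enableVnetIntegration ? '1' : '0'
        }
        {
          // Use Azure-provided DNS so Private DNS zones linked to the integrated
          // VNet are honoured.
          // NOTE(review): set even when integration is disabled; consider making
          // this conditional alongside WEBSITE_VNET_ROUTE_ALL.
          name: 'WEBSITE_DNS_SERVER'
          value: '168.63.129.16'
        }
      ]
    }
  }
}

@description('Default hostname of the API App Service.')
output hostname string = apiApp.properties.defaultHostName

@description('Principal ID of the system-assigned Managed Identity.')
output principalId string = apiApp.identity.principalId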