Commit 802762e
authored
Fix Postgres infrastructure and JWT token issuer configuration (#865)
### Summary & Motivation
Clean up PostgreSQL infrastructure provisioning and fix JWT token
signing to use the actual deployment domain.
- Move Entra ID admin provisioning for PostgreSQL into Bicep, replacing
the separate `add-postgres-admin.sh` shell script that ran as a
post-deployment step. The admin is now declared as a resource on the
flexible server, removing the need for a separate post-deployment script
- Fix a cosmetic type mismatch for the tenant id column in the account
initial migration, where the C# generic type was `string` but the column
type is `bigint`; corrected to `long`
- Use the custom domain (e.g., `https://your-domain.com`) as the JWT
token issuer and audience instead of a hardcoded value. The previous
`iss` and `aud` claims were not a valid URL, which caused JWT signature
verification to fail on tools like jwt.io. The domain is now passed from
the cluster deployment into the Key Vault module, falling back to a
hardcoded value when no custom domain is configured
### Downstream projects
The JWT issuer/audience change only takes effect when a custom domain is
configured before the first deployment. Bicep does not overwrite
existing Key Vault secrets, so existing deployments will keep the old
values. To update an existing deployment, run the following from the
Azure Portal Cloud Shell (Bash):
```bash
# Target the subscription that holds the cluster's Key Vault.
az account set --subscription <subscription-id>
VAULT_NAME="<key-vault-name>"
DOMAIN="https://your-domain.com"
# Object id of the signed-in Cloud Shell user and the resource id of the vault.
USER_ID=$(az ad signed-in-user show --query id -o tsv)
VAULT_ID=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
# Public IP of this Cloud Shell session, used to open the vault firewall temporarily.
MY_IP=$(curl -s ifconfig.me)
# Temporarily grant secret write access and allow this IP through the vault firewall.
az role assignment create --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"
az keyvault network-rule add --name "$VAULT_NAME" --ip-address "$MY_IP/32"
echo "Waiting 60 seconds for RBAC propagation..."
sleep 60
# Overwrite the issuer/audience secrets with the custom domain.
az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-issuer --value "$DOMAIN"
az keyvault secret set --vault-name "$VAULT_NAME" --name authentication-token-audience --value "$DOMAIN"
# Revoke the temporary network rule and role assignment again.
az keyvault network-rule remove --name "$VAULT_NAME" --ip-address "$MY_IP/32"
az role assignment delete --role "Key Vault Secrets Officer" --assignee "$USER_ID" --scope "$VAULT_ID"
```
The Key Vault name matches the cluster resource group name.
### Checklist
- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary
File tree
8 files changed
+27
-25
lines changed
- .github/workflows
- application/account/Core/Database/Migrations
- cloud-infrastructure
- cluster
- modules
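To confirm that a deployment actually issues tokens with the custom domain after the secrets above are updated, the following added check (not code from this commit or its repository) decodes a JWT payload and compares `iss` and `aud` against the expected domain, also flagging an expected value that is not an absolute `https` URL. The HS256 signing helper, the secret and the `legacy-issuer-placeholder` value are constructed test fixtures, not the project's real signing code or its old hardcoded value.

```python
"""Check that a JWT's iss/aud claims match the configured deployment domain."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token builder used only to produce sample tokens here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def check_issuer_audience(token: str, expected_domain: str) -> list[str]:
    """Return a list of problems; an empty list means iss and aud both equal
    expected_domain and expected_domain is an absolute https URL."""
    problems = []
    parsed = urlparse(expected_domain)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"expected domain is not an absolute https URL: {expected_domain!r}")
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError) as exc:
        return problems + [f"token payload is not decodable: {exc}"]
    iss = payload.get("iss")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if iss != expected_domain:
        problems.append(f"iss {iss!r} != {expected_domain!r}")
    if expected_domain not in auds:
        problems.append(f"aud {aud!r} does not contain {expected_domain!r}")
    return problems


if __name__ == "__main__":
    domain = "https://your-domain.com"
    # Constructed sample tokens: one with the new claims, one with the placeholder legacy value.
    good = make_hs256_token({"iss": domain, "aud": domain, "sub": "42"}, b"constructed-secret")
    old = make_hs256_token({"iss": "legacy-issuer-placeholder", "aud": "legacy-issuer-placeholder"}, b"constructed-secret")
    print("new token:", check_issuer_audience(good, domain) or "ok")
    print("old token:", check_issuer_audience(old, domain))
```

Run it against a token obtained from a freshly deployed environment to verify both claims before trusting external tools' verdicts.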