Split back-office into its own ACA container app with platform Easy Auth

Author: tjementum

.github/workflows/_deploy-infrastructure.yml

@@ -116,16 +116,16 @@ jobs:
             fi
 
             if [[ "${{ inputs.back_office_domain_name }}" != "" ]] && [[ "${{ inputs.back_office_domain_name }}" != "-" ]]; then
-              # Check if account-api already has the back-office custom domain configured
-              account_api_details=$(az containerapp show --name account-api --resource-group $CLUSTER_RESOURCE_GROUP_NAME 2>&1 || echo "")
-              account_api_custom_domains=$(echo "$account_api_details" | jq -r '.properties.configuration.ingress.customDomains // []')
+              # Check if back-office already has the back-office custom domain configured
+              back_office_details=$(az containerapp show --name back-office --resource-group $CLUSTER_RESOURCE_GROUP_NAME 2>&1 || echo "")
+              back_office_custom_domains=$(echo "$back_office_details" | jq -r '.properties.configuration.ingress.customDomains // []')
 
-              if [[ "$account_api_custom_domains" != "[]" ]] && [[ "$account_api_custom_domains" != "null" ]]; then
-                echo "$(date +"%Y-%m-%dT%H:%M:%S") Custom domain '${{ inputs.back_office_domain_name }}' is already configured correctly on account-api."
+              if [[ "$back_office_custom_domains" != "[]" ]] && [[ "$back_office_custom_domains" != "null" ]]; then
+                echo "$(date +"%Y-%m-%dT%H:%M:%S") Custom domain '${{ inputs.back_office_domain_name }}' is already configured correctly on back-office."
               else
                 echo "$(date +"%Y-%m-%dT%H:%M:%S") Please add the following DNS entries for the back-office hostname and then retry:"
                 echo "- A TXT record with the name 'asuid.${{ inputs.back_office_domain_name }}' and the value '$custom_domain_verification_id'."
-                echo "- A CNAME record with the Host name '${{ inputs.back_office_domain_name }}' that points to address 'account-api.$default_domain'."
+                echo "- A CNAME record with the Host name '${{ inputs.back_office_domain_name }}' that points to address 'back-office.$default_domain'."
               fi
             fi
           else

.gitignore

@@ -3,8 +3,9 @@
 ##
 ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
 
-# Bicep generated parameter files
+# Bicep generated artifacts
 cloud-infrastructure/cluster/main-cluster.parameters.json
+cloud-infrastructure/cluster/main-cluster.json
 
 # User-specific files
 *.rsuser

cloud-infrastructure/cluster/deploy-cluster.sh

@@ -93,18 +93,18 @@ then
     custom_domain_verification_id=$(echo "$env_details" | jq -r '.properties.customDomainConfiguration.customDomainVerificationId')
     default_domain=$(echo "$env_details" | jq -r '.properties.defaultDomain')
 
-    # Display instructions for setting up DNS entries. Both the user-facing domain (served by app-gateway)
-    # and the back-office domain (served by account-api directly, since EasyAuth runs at the platform layer)
-    # require their own asuid TXT + CNAME records. Print both when configured so the user can see every
-    # missing record at once instead of one per redeploy.
+    # Display instructions for setting up DNS entries. The user-facing domain is served by the app-gateway
+    # container, while the back-office domain is served by its own dedicated back-office container with
+    # platform-level Easy Auth. Print both when configured so the user can see every missing record at
+    # once instead of one per redeploy.
     echo -e "${RED}$(date +"%Y-%m-%dT%H:%M:%S") Please add the following DNS entries and then retry:${RESET}"
     if [[ -n "$DOMAIN_NAME" ]]; then
       echo -e "${RED}- A TXT record with the name 'asuid.$DOMAIN_NAME' and the value '$custom_domain_verification_id'.${RESET}"
       echo -e "${RED}- A CNAME record with the Host name '$DOMAIN_NAME' that points to address 'app-gateway.$default_domain'.${RESET}"
     fi
     if [[ -n "$BACK_OFFICE_DOMAIN_NAME" ]]; then
       echo -e "${RED}- A TXT record with the name 'asuid.$BACK_OFFICE_DOMAIN_NAME' and the value '$custom_domain_verification_id'.${RESET}"
-      echo -e "${RED}- A CNAME record with the Host name '$BACK_OFFICE_DOMAIN_NAME' that points to address 'account-api.$default_domain'.${RESET}"
+      echo -e "${RED}- A CNAME record with the Host name '$BACK_OFFICE_DOMAIN_NAME' that points to address 'back-office.$default_domain'.${RESET}"
     fi
     exit 1
   elif [[ $output == *"ERROR:"* ]]; then

cloud-infrastructure/cluster/main-cluster.bicep

@@ -169,6 +169,13 @@ var publicUrl = isCustomDomainSet
   : 'https://${appGatewayContainerAppName}.${containerAppsEnvironment.outputs.defaultDomainName}'
 var cdnUrl = publicUrl
 
+// Back-office is reachable on its custom domain when set, else on the auto-generated ACA FQDN. Both code
+// paths must agree on the same hostname for Easy Auth redirect URLs and for the application's host-aware
+// routing (HostScopedSinglePageApp, BackOffice__Host, Hostnames__BackOffice).
+var backOfficeHost = backOfficeDomainName != ''
+  ? backOfficeDomainName
+  : 'back-office.${containerAppsEnvironment.outputs.defaultDomainName}'
+
 // Account
 
 var accountIdentityName = '${clusterResourceGroupName}-account'
@@ -268,7 +275,7 @@ var accountApiEnvironmentVariables = concat(accountEnvironmentVariables, [
   }
   {
     name: 'BackOffice__Host'
-    value: backOfficeDomainName
+    value: backOfficeHost
   }
   {
     name: 'BackOffice__GroupId'
@@ -321,26 +328,55 @@ module accountApi '../modules/container-app.bicep' = {
     userAssignedIdentityName: accountIdentityName
     ingress: true
     hasProbesEndpoint: true
-    additionalDomainName: backOfficeDomainName
-    external: backOfficeDomainName != ''
+    external: false
     revisionSuffix: revisionSuffix
     environmentVariables: accountApiEnvironmentVariables
   }
   dependsOn: [accountWorkers]
 }
 
-module accountApiAuthConfig '../modules/container-app-auth-config.bicep' = if (backOfficeDomainName != '' && backOfficeEntraClientId != '') {
-  name: '${clusterResourceGroupName}-account-api-auth-config'
+// Back-office runs the same image as account-api on a separate external container app. Easy Auth is bound here
+// only (RedirectToLoginPage), so account-api can stay internal-only and reachable solely through AppGateway.
+module backOffice '../modules/container-app.bicep' = {
+  name: '${clusterResourceGroupName}-back-office-container-app'
+  scope: clusterResourceGroup
+  params: {
+    name: 'back-office'
+    location: location
+    tags: tags
+    clusterResourceGroupName: clusterResourceGroupName
+    containerAppsEnvironmentId: containerAppsEnvironment.outputs.environmentId
+    containerAppsEnvironmentName: containerAppsEnvironment.outputs.name
+    containerRegistryName: containerRegistryName
+    containerImageName: 'account-api'
+    containerImageTag: accountVersion
+    cpu: '0.1'
+    memory: '0.2Gi'
+    minReplicas: 0
+    maxReplicas: 1
+    userAssignedIdentityName: accountIdentityName
+    ingress: true
+    hasProbesEndpoint: true
+    additionalDomainName: backOfficeDomainName
+    external: true
+    revisionSuffix: revisionSuffix
+    environmentVariables: accountApiEnvironmentVariables
+  }
+  dependsOn: [accountApi]
+}
+
+module backOfficeAuthConfig '../modules/container-app-auth-config.bicep' = if (backOfficeEntraClientId != '') {
+  name: '${clusterResourceGroupName}-back-office-auth-config'
   scope: clusterResourceGroup
   params: {
-    containerAppName: 'account-api'
+    containerAppName: 'back-office'
     tenantId: subscription().tenantId
     clientId: backOfficeEntraClientId
     allowedExternalRedirectUrls: [
-      'https://${backOfficeDomainName}/.auth/login/aad/callback'
+      'https://${backOfficeHost}/.auth/login/aad/callback'
     ]
   }
-  dependsOn: [accountApi]
+  dependsOn: [backOffice]
 }
 
 // Main
@@ -546,7 +582,7 @@ module appGateway '../modules/container-app.bicep' = {
       }
       {
         name: 'Hostnames__BackOffice'
-        value: backOfficeDomainName
+        value: backOfficeHost
       }
     ]
   }

cloud-infrastructure/modules/container-app-auth-config.bicep

@@ -15,7 +15,7 @@ resource authConfig 'Microsoft.App/containerApps/authConfigs@2025-10-02-preview'
       enabled: true
     }
     globalValidation: {
-      unauthenticatedClientAction: 'AllowAnonymous'
+      unauthenticatedClientAction: 'RedirectToLoginPage'
     }
     identityProviders: {
       azureActiveDirectory: {