Merge pull request #5166 from dfe-analytical-services/dev-into-master

Merging dev into master

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "8.0.4",
+      "version": "8.0.7",
       "commands": [
         "dotnet-ef"
       ]

.nvmrc

@@ -1 +1 @@
-20.14.0
+20.16.0

Pipfile

@@ -8,7 +8,7 @@ robotframework = "~=6.1.1"
 robotframework-seleniumlibrary = "~=6.1.0"
 requests = "~=2.31.0"
 python-dotenv = "~=1.0.0"
-robotframework-pabot = "~=2.16.0"
+robotframework-pabot = "~=2.17.0"
 pytz = "~=2023.3"
 beautifulsoup4 = "~=4.12.2"
 robotframework-tidy = "~=4.4.0"

azure-pipelines-ui-tests.dfe.yml

@@ -6,6 +6,7 @@ schedules:
     include:
     - dev
   always: true
+
 pr: none
 
 name: $(date:yyyyMMdd)$(rev:.r)

azure-pipelines.dfe.yml

@@ -10,7 +10,7 @@ variables:
   BuildConfiguration: 'Release'
   IsBranchDeployable: ${{ containsValue(parameters.DeployBranches, variables['Build.SourceBranchName']) }}
   CI: true
-  NODE_VERSION: 20.14.0
+  NODE_VERSION: 20.16.0
   AcrServiceConnection: s101d-datahub-spn-ees-dfe-gov-uk-docker-managed-service-connection
 
 trigger:

docker/public-api/api/Dockerfile

@@ -1,6 +1,6 @@
 FROM mcr.microsoft.com/dotnet/aspnet:8.0
 WORKDIR /App
-
+ENV ASPNETCORE_ENVIRONMENT=Production
 EXPOSE 8080
 
 COPY . .

docker/public-frontend/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20.14.0-alpine AS base
+FROM node:20.16.0-alpine AS base
 
 ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"

infrastructure/templates/datafactory/components/db-maintenance-template.json

@@ -78,7 +78,7 @@
             "type": "SqlServerStoredProcedure",
             "dependsOn": [],
             "policy": {
-              "timeout": "0.12:00:00",
+              "timeout": "0.16:00:00",
               "retry": 0,
               "retryIntervalInSeconds": 30,
               "secureOutput": false,
@@ -114,7 +114,7 @@
               }
             ],
             "policy": {
-              "timeout": "0.12:00:00",
+              "timeout": "0.00:10:00",
               "retry": 0,
               "retryIntervalInSeconds": 30,
               "secureOutput": false,
@@ -164,7 +164,7 @@
               }
             ],
             "policy": {
-              "timeout": "0.12:00:00",
+              "timeout": "0.00:10:00",
               "retry": 0,
               "retryIntervalInSeconds": 30,
               "secureOutput": false,
@@ -180,7 +180,7 @@
               },
               "body": {
                 "channel": "[parameters('slackAlertsChannel')]",
-                "text": "Data Factory Failure!",
+                "text": "Data Factory Failure! Stored procedure may still be running!",
                 "attachments": [
                   {
                     "color": "warning",
@@ -286,7 +286,7 @@
               }
             ],
             "policy": {
-              "timeout": "0.12:00:00",
+              "timeout": "0.00:10:00",
               "retry": 0,
               "retryIntervalInSeconds": 30,
               "secureOutput": false,
@@ -336,7 +336,7 @@
               }
             ],
             "policy": {
-              "timeout": "0.12:00:00",
+              "timeout": "0.00:10:00",
               "retry": 0,
               "retryIntervalInSeconds": 30,
               "secureOutput": false,

infrastructure/templates/public-api/components/functionApp.bicep

@@ -355,11 +355,12 @@ var keyVaultPrincipalIds = userAssignedManagedIdentityParams != null
   ? [userAssignedManagedIdentityParams!.principalId]
   : [functionApp.identity.principalId, stagingSlot.identity.principalId]
 
-module functionAppKeyVaultAccessPolicy 'keyVaultAccessPolicy.bicep' = {
-  name: '${functionAppName}FunctionAppKeyVaultAccessPolicy'
+module functionAppKeyVaultRoleAssignments 'keyVaultRoleAssignment.bicep' = {
+  name: '${functionAppName}FunctionAppKeyVaultRoleAssignment'
   params: {
     keyVaultName: keyVaultName
     principalIds: keyVaultPrincipalIds
+    role: 'Secrets User'
   }
 }
 
@@ -457,7 +458,7 @@ module functionAppSlotSettings 'appServiceSlotConfig.bicep' = {
     azureFileShares: azureFileShares
   }
   dependsOn: [
-    functionAppKeyVaultAccessPolicy
+    functionAppKeyVaultRoleAssignments
     slot1FileShare
     slot2FileShare
   ]

infrastructure/templates/public-api/components/keyVaultRoleAssignment.bicep

@@ -0,0 +1,38 @@
+@description('Specifies the name of the Key Vault.')
+param keyVaultName string
+
+@description('Specifies the id of the service principals that should inherit this Key Vault policy')
+param principalIds string[]
+
+@description('Specifies the Key Vault role to assign to the service principals. See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles for possible roles to support here.')
+@allowed([
+  'Secrets User'
+])
+param role string
+
+@description('See https://docs.microsoft.com/azure/role-based-access-control/built-in-roles for possible roles to support here.')
+var roleIds = {
+
+  'Secrets User': '4633458b-17de-408a-b874-0445c86b69e6'
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+@description('Look up the built-in role definition')
+resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: roleIds[role]
+}
+
+@description('Grant the service principals the key vault role')
+resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+  scope: keyVault
+  name: guid(resourceGroup().id, principalId, roleDefinition.id)
+  properties: {
+    roleDefinitionId: roleDefinition.id
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}]

infrastructure/templates/public-api/deploy-stage-template.yml

@@ -101,7 +101,7 @@ stages:
                   --resource-group $(resourceGroupName) \
                   --slot staging \
                   --settings \
-                    "CoreStorage[email protected](VaultName=$(keyVaultName); SecretName=$(coreStorageConnectionStringSecretKey))" \
+                    "AppSettings__PrivateStorageConnectionString[email protected](VaultName=$(keyVaultName); SecretName=$(coreStorageConnectionStringSecretKey))" \
                     "AZURE_CLIENT_ID=$(dataProcessorFunctionAppManagedIdentityClientId)" \
                     "DataFiles__BasePath=$(dataFilesFileShareMountPath)"
 

infrastructure/templates/public-api/main.bicep

@@ -98,6 +98,7 @@ var containerAppEnvironmentNameSuffix = '01'
 var dataFilesFileShareMountName = 'public-api-fileshare-mount'
 var dataFilesFileShareMountPath = '/data/public-api-data'
 var publicApiStorageAccountName = '${subscription}eespapisa'
+var appGatewayManagedIdentityName = '${subscription}-ees-id-agw-01'
 
 var tagValues = union(resourceTags ?? {}, {
   Environment: environmentName
@@ -387,6 +388,20 @@ module dataProcessorFunctionAppModule 'components/functionApp.bicep' = {
   }
 }
 
+// TODO EES-5407 - incorporate this change with the automating of the app gateway creation.
+resource appGatewayManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: appGatewayManagedIdentityName
+}
+
+module appGatewayKeyVaultRoleAssignments 'components/keyVaultRoleAssignment.bicep' = {
+  name: 'appGatewayKeyVaultRoleAssignment'
+  params: {
+    keyVaultName: keyVaultName
+    principalIds: [appGatewayManagedIdentity.properties.principalId]
+    role: 'Secrets User'
+  }
+}
+
 var dataProcessorPsqlConnectionStringSecretKey = 'ees-publicapi-data-processor-connectionstring-publicdatadb'
 
 module storeDataProcessorPsqlConnectionString 'components/keyVaultSecret.bicep' = {