Merge pull request #5105 from dfe-analytical-services/dev

Merge dev into master
dfe-analytical-services · Jul 29, 2024 · b1aa0f2 · b1aa0f2
2 parents 37a0d48 + 823fbff
commit b1aa0f2
Show file tree

Hide file tree

Showing 326 changed files with 20,107 additions and 5,499 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,7 +12,8 @@
 bin
 obj
 /data/ees-mssql
-/data/public-api-db
+/data/public-api-db/*
+!/data/public-api-db/00-init.sh
 /data/public-api-data
 dfe-meta.db
 

diff --git a/data/public-api-db/00-init.sh b/data/public-api-db/00-init.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    /*
+     * Create application user roles.
+     */
+    CREATE ROLE app_public_data_api WITH LOGIN PASSWORD 'password';
+    CREATE ROLE app_public_data_processor WITH LOGIN PASSWORD 'password';
+    CREATE ROLE app_admin WITH LOGIN PASSWORD 'password';
+    CREATE ROLE app_publisher WITH LOGIN PASSWORD 'password';
+
+    /*
+     * Grant the app_public_data_api role privileges to create new objects which it will own on the public schema.
+     */
+    GRANT CREATE ON SCHEMA public TO app_public_data_api;
+
+    /*
+     * Create a public_data_read_write group role which can be granted to user roles requiring read and write privileges on public schema objects.
+     */
+    CREATE ROLE public_data_read_write WITH NOLOGIN;
+
+    /*
+     * Allow the public_data_read_write group role to access objects in the public schema.
+     * This does not include the permissions to read (i.e. `SELECT`) or modify (i.e. `INSERT`, `UPDATE`, `DELETE`) the content of those objects.
+     */
+    GRANT USAGE ON SCHEMA public TO public_data_read_write;
+
+    /*
+     * Grant privileges to the public_data_read_write group role for all tables and sequences in the public schema subsequently created by app_public_data_api.
+     */
+    ALTER DEFAULT PRIVILEGES FOR ROLE app_public_data_api IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES ON TABLES TO public_data_read_write;
+    ALTER DEFAULT PRIVILEGES FOR ROLE app_public_data_api IN SCHEMA public GRANT SELECT, UPDATE ON SEQUENCES TO public_data_read_write;
+
+    /*
+     * Grant membership of the public_data_read_write group role to the application user roles.
+     */
+    GRANT public_data_read_write TO app_public_data_api;
+    GRANT public_data_read_write TO app_public_data_processor;
+    GRANT public_data_read_write TO app_admin;
+    GRANT public_data_read_write TO app_publisher;
+EOSQL
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,7 +1,6 @@
-version: "3"
 services:
   data-storage:
-    image: mcr.microsoft.com/azure-storage/azurite:3.27.0
+    image: mcr.microsoft.com/azure-storage/azurite:3.31.0
     ports:
       - "10000:10000"
       - "10001:10001"

diff --git a/infrastructure/templates/public-api/main.bicep b/infrastructure/templates/public-api/main.bicep
@@ -309,27 +309,6 @@ module apiContainerAppModule 'components/containerApp.bicep' = if (deployContain
         name: 'DataFiles__BasePath'
         value: dataFilesFileShareMountPath
       }
-      {
-        // This property informs the Container App of the name of the Admin's system-assigned identity.
-        // It uses this to grant permissions to the Admin user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'AdminAppServiceIdentityName'
-        value: adminAppServiceFullName
-      }
-      {
-        // This property informs the Container App of the name of the Data Processor's system-assigned identity.
-        // It uses this to grant permissions to the Data Processor user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'DataProcessorFunctionAppIdentityName'
-        value: dataProcessorFunctionAppManagedIdentity.name
-      }
-      {
-        // This property informs the Container App of the name of the Publisher's system-assigned identity.
-        // It uses this to grant permissions to the Publisher user in order for it to be able to access
-        // tables in the "public_data" database successfully.
-        name: 'PublisherFunctionAppIdentityName'
-        value: publisherFunctionAppFullName
-      }
     ]
     tagValues: tagValues
   }

diff --git a/infrastructure/templates/template.json b/infrastructure/templates/template.json
@@ -1045,12 +1045,10 @@
     "dataSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('dataSubnetName'))]",
     "publicApiDataProcessorSubnetName": "[concat(parameters('subscription'), '-', parameters('environment'), '-papi-snet-fa-processor')]",
     "publicApiDataProcessorSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('publicApiDataProcessorSubnetName'))]",
+    "publicApiDataProcessorPlinkSubnetName": "[concat(parameters('subscription'), '-', parameters('environment'), '-papi-snet-fa-processor-plink')]",
     "containerAppEnvironmentSubnetName": "[concat(parameters('subscription'), '-', parameters('environment'), '-snet-cae-01')]",
-    "containerAppEnvironmentSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('containerAppEnvironmentSubnetName'))]",
     "applicationGatewaySubnetName": "[concat(parameters('subscription'), '-', parameters('environment'), '-snet-agw-01')]",
-    "applicationGatewaySubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('applicationGatewaySubnetName'))]",
     "psqlFlexibleServerSubnetName": "[concat(parameters('subscription'), '-', parameters('environment'), '-snet-psql-flexibleserver')]",
-    "psqlFlexibleServerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vNetName'), variables('psqlFlexibleServerSubnetName'))]",
     "sqlAllowedSubnets": [
       {
         "name": "admin",
@@ -1105,6 +1103,8 @@
     "ees-notifier-templateid-release-published-superseded-subscribers": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-notifier-templateid-release-published-superseded-subscribers')]",
     "ees-notifier-templateid-subscription-confirmation": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-notifier-templateid-subscription-confirmation')]",
     "ees-notifier-templateid-subscription-verification": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-notifier-templateid-subscription-verification')]",
+    "ees-notifier-templateid-api-subscription-confirmation": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-notifier-templateid-api-subscription-confirmation')]",
+    "ees-notifier-templateid-api-subscription-verification": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-notifier-templateid-api-subscription-verification')]",
 
     "ees-openidconnect-clientid": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-openidconnect-clientid')]",
     "ees-openidconnect-clientsecret": "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), 'ees-openidconnect-clientsecret')]",
@@ -2889,7 +2889,9 @@
         "GovUkNotify:EmailTemplates:ReleasePublishedId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-release-published'), '2018-02-14').secretUriWithVersion, ')')]",
         "GovUkNotify:EmailTemplates:ReleasePublishedSupersededSubscribersId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-release-published-superseded-subscribers'), '2018-02-14').secretUriWithVersion, ')')]",
         "GovUkNotify:EmailTemplates:SubscriptionConfirmationId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-subscription-confirmation'), '2018-02-14').secretUriWithVersion, ')')]",
-        "GovUkNotify:EmailTemplates:SubscriptionVerificationId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-subscription-verification'), '2018-02-14').secretUriWithVersion, ')')]"
+        "GovUkNotify:EmailTemplates:SubscriptionVerificationId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-subscription-verification'), '2018-02-14').secretUriWithVersion, ')')]",
+        "GovUkNotify:EmailTemplates:ApiSubscriptionConfirmationId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-api-subscription-confirmation'), '2018-02-14').secretUriWithVersion, ')')]",
+        "GovUkNotify:EmailTemplates:ApiSubscriptionVerificationId": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('ees-notifier-templateid-api-subscription-verification'), '2018-02-14').secretUriWithVersion, ')')]"
       }
     },
     {
@@ -3507,6 +3509,12 @@
               ]
             }
           },
+          {
+            "name": "[variables('publicApiDataProcessorPlinkSubnetName')]",
+            "properties": {
+              "addressPrefix": "10.0.7.0/24"
+            }
+          },
           {
             "name": "[variables('containerAppEnvironmentSubnetName')]",
             "properties": {