restructure, rm init container and more

.azure/applications/web-api-eu/main.bicep

@@ -2,46 +2,26 @@ targetScope = 'resourceGroup'
 
 param imageTag string
 param gitSha string
-
 param environment string
 param location string
 
-// todo: this needs to be output from infrastructure.bicep and overkill with both id and name here lawl
 param containerAppEnvironmentId string
-
-param environmentKeyVaultName string
-
 // todo: refactor to something else
 param appInsightConnectionString string
-
-// appConfiguration.outputs.name
 param appConfigurationName string
 
 @secure()
-param sourceKeyVaultSubscriptionId string
-@secure()
-param sourceKeyVaultResourceGroup string
-@secure()
-param sourceKeyVaultName string
-
-var secrets = {
-  sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
-  sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
-  sourceKeyVaultName: sourceKeyVaultName
-}
+param environmentKeyVaultName string
 
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
 
-// todo: can we mount the environment variables from app configuration directly?
-
-// todo: add bicepparam file
-
 // todo: solve this some other way pls
 resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
   name: '${namePrefix}-appConfiguration'
 }
 
+// todo: can we mount the environment variables from app configuration directly?
 var containerAppEnvVars = [
   {
     name: 'ASPNETCORE_ENVIRONMENT'
@@ -65,18 +45,10 @@ var containerAppEnvVars = [
   }
 ]
 
-resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: secrets.sourceKeyVaultName
-  scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup)
-}
-
 resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: environmentKeyVaultName
-  scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup)
 }
 
-// todo: split the module into two. One for the migration job and one for the app itself
-
 var containerAppName = '${namePrefix}-webapi-eu-ca'
 
 module containerApp '../../modules/containerApp/main.bicep' = {
@@ -85,14 +57,9 @@ module containerApp '../../modules/containerApp/main.bicep' = {
   params: {
     name: containerAppName
     image: '${baseImageUrl}webapi:${imageTag}'
-    initContainerimage: '${baseImageUrl}migration-verifier:${imageTag}'
     location: location
     envVariables: containerAppEnvVars
-    migrationVerifierPrincipalAppId: srcKeyVaultResource.getSecret('MigrationVerificationInitContainerPrincipalAppId')
-    migrationVerifierPrincipalPassword: srcKeyVaultResource.getSecret('MigrationVerificationInitContainerPrincipalPassword')
     containerAppEnvId: containerAppEnvironmentId
-    // todo: get from input
-    migrationJobName: '${namePrefix}-migration-job'
   }
 }
 
@@ -111,3 +78,6 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
     principalIds: [ containerApp.outputs.identityPrincipalId ]
   }
 }
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName

.azure/applications/web-api-eu/test.bicepparam

@@ -5,14 +5,8 @@ param location = 'norwayeast'
 param gitSha = readEnvironmentVariable('GIT_SHA', '')
 param imageTag = readEnvironmentVariable('IMAGE_TAG', '')
 
-param containerAppEnvironmentId = readEnvironmentVariable('CONTAINER_APP_ENVIRONMENT_ID', '')
-
-param appInsightConnectionString = readEnvironmentVariable('APP_INSIGHTS_CONNECTION_STRING', '')
-
-param appConfigurationName = readEnvironmentVariable('APP_CONFIGURATION_NAME', '')
-
 // secrets
-param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID', '')
-param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP', '')
-param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME', '')
 param environmentKeyVaultName = readEnvironmentVariable('ENVIRONMENT_KEY_VAULT_NAME', '')
+param containerAppEnvironmentId = readEnvironmentVariable('CONTAINTER_APP_ENVIRONMENT_ID', '')
+param appInsightConnectionString = readEnvironmentVariable('APP_INSIGHTS_CONNECTION_STRING', '')
+param appConfigurationName = readEnvironmentVariable('APP_CONFIGURATION_NAME', '')

.azure/applications/web-api-migration-job/main.bicep

@@ -5,7 +5,6 @@ param imageTag string
 param environment string
 param location string
 
-// todo: this needs to be output from infrastructure.bicep 
 param containerAppEnvironmentId string
 
 @secure()

.azure/applications/web-api-so/main.bicep

@@ -2,47 +2,26 @@ targetScope = 'resourceGroup'
 
 param imageTag string
 param gitSha string
-
 param environment string
 param location string
 
-// todo: this needs to be output from infrastructure.bicep and overkill with both id and name here lawl
 param containerAppEnvironmentId string
-
 // todo: refactor to something else
 param appInsightConnectionString string
-
-// appConfiguration.outputs.name
 param appConfigurationName string
 
 @secure()
 param environmentKeyVaultName string
 
-@secure()
-param sourceKeyVaultSubscriptionId string
-@secure()
-param sourceKeyVaultResourceGroup string
-@secure()
-param sourceKeyVaultName string
-
-var secrets = {
-  sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId
-  sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup
-  sourceKeyVaultName: sourceKeyVaultName
-}
-
 var namePrefix = 'dp-be-${environment}'
 var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
 
-// todo: can we mount the environment variables from app configuration directly?
-
-// todo: add bicepparam file
-
 // todo: solve this some other way pls
 resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
   name: '${namePrefix}-appConfiguration'
 }
 
+// todo: can we mount the environment variables from app configuration directly?
 var containerAppEnvVars = [
   {
     name: 'ASPNETCORE_ENVIRONMENT'
@@ -66,18 +45,10 @@ var containerAppEnvVars = [
   }
 ]
 
-resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-  name: secrets.sourceKeyVaultName
-  scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup)
-}
-
 resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: environmentKeyVaultName
-  scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup)
 }
 
-// todo: split the module into two. One for the migration job and one for the app itself
-
 var containerAppName = '${namePrefix}-webapi-so-ca'
 
 module containerApp '../../modules/containerApp/main.bicep' = {
@@ -86,14 +57,9 @@ module containerApp '../../modules/containerApp/main.bicep' = {
   params: {
     name: containerAppName
     image: '${baseImageUrl}webapi:${imageTag}'
-    initContainerimage: '${baseImageUrl}migration-verifier:${imageTag}'
     location: location
     envVariables: containerAppEnvVars
-    migrationVerifierPrincipalAppId: srcKeyVaultResource.getSecret('MigrationVerificationInitContainerPrincipalAppId')
-    migrationVerifierPrincipalPassword: srcKeyVaultResource.getSecret('MigrationVerificationInitContainerPrincipalPassword')
     containerAppEnvId: containerAppEnvironmentId
-    // todo: get from input
-    migrationJobName: '${namePrefix}-migration-job'
   }
 }
 
@@ -112,3 +78,6 @@ module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRole
     principalIds: [ containerApp.outputs.identityPrincipalId ]
   }
 }
+
+output name string = containerApp.outputs.name
+output revisionName string = containerApp.outputs.revisionName

.azure/applications/web-api-so/test.bicepparam

@@ -5,14 +5,8 @@ param location = 'norwayeast'
 param gitSha = readEnvironmentVariable('GIT_SHA', '')
 param imageTag = readEnvironmentVariable('IMAGE_TAG', '')
 
+// secrets
+param environmentKeyVaultName = readEnvironmentVariable('ENVIRONMENT_KEY_VAULT_NAME', '')
 param containerAppEnvironmentId = readEnvironmentVariable('CONTAINTER_APP_ENVIRONMENT_ID', '')
-
 param appInsightConnectionString = readEnvironmentVariable('APP_INSIGHTS_CONNECTION_STRING', '')
-
 param appConfigurationName = readEnvironmentVariable('APP_CONFIGURATION_NAME', '')
-
-// secrets
-param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID', '')
-param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP', '')
-param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME', '')
-param environmentKeyVaultName = readEnvironmentVariable('ENVIRONMENT_KEY_VAULT_NAME', '')

.azure/modules/containerApp/main.bicep

@@ -1,54 +1,11 @@
 param location string
-param initContainerimage string
 param envVariables array = []
 param port int = 8080
 param name string
 param image string
 
 param containerAppEnvId string
 
-// todo: do we need this here? 🤔
-param migrationJobName string
-
-@secure()
-param migrationVerifierPrincipalPassword string
-@secure()
-param migrationVerifierPrincipalAppId string
-
-// todo: refactor out the init containers & env variables
-var initContainers = [
-  {
-    name: '${name}-init'
-    image: initContainerimage
-    env: concat(envVariables,
-      [
-        {
-          name: 'AZURE_TENANT_ID'
-          value: subscription().tenantId
-        }
-        {
-          name: 'SUBSCRIPTION_ID'
-          value: subscription().subscriptionId
-        }
-        {
-          name: 'AZURE_CLIENT_ID'
-          value: migrationVerifierPrincipalAppId
-        }
-        {
-          name: 'AZURE_CLIENT_SECRET'
-          value: migrationVerifierPrincipalPassword
-        }
-        {
-          name: 'MIGRATION_JOB_NAME'
-          value: migrationJobName
-        }
-        {
-          name: 'RESOURCE_GROUP_NAME'
-          value: resourceGroup().name
-        }
-      ])
-  } ]
-
 var probes = [
   {
     periodSeconds: 5
@@ -93,7 +50,6 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
         minReplicas: 1
         maxReplicas: 1 // temp disable scaling for outbox scheduling
       }
-      initContainers: initContainers
       containers: [
         {
           name: name
@@ -111,3 +67,4 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
 
 output identityPrincipalId string = containerApp.identity.principalId
 output name string = containerApp.name
+output revisionName string = containerApp.properties.latestRevisionName

.github/tools/migrationVerifier.sh

@@ -0,0 +1,62 @@
+# todo: we might rename this into something more generic, as it can be used for any job execution
+if [ -z "$1" ]; then
+  echo "Usage: $0 <job-name>"
+  exit 1
+fi
+
+if [ -z "$2" ]; then
+  echo "Usage: $0 <resource-group-name>"
+  exit 1
+fi
+
+# todo: use something else than git sha to target the job execution
+if [ -z "$3" ]; then
+  echo "Usage: $0 <git-sha>"
+  exit 1
+fi
+
+job_name="$1"
+resource_group="$2"
+git_sha="$3"
+query_filter="[?properties.template.containers[?contains(image, '$git_sha')]].{name: name, status: properties.status} | [0]"
+
+verify_migration() {
+  local current_job_execution
+
+  current_job_execution=$(az containerapp job execution list -n "$job_name" -g "$resource_group" --query "$query_filter" 2>/dev/null)
+
+  if [ -z "$current_job_execution" ]; then
+      echo "No job execution found for migration $job_name"
+      return 1
+  fi
+
+  current_job_execution_name=$(echo $json_output | jq -r '.name')
+  current_job_execution_status=$(echo $json_output | jq -r '.status')
+
+  echo "Job execution state for job $job_name status:"
+  echo "-----------------------------"
+  echo "Name: $current_job_execution_name"
+  echo "Running status: $current_job_execution_status"
+  echo " "
+
+  # Check job execution status
+  if [[ $current_job_execution_status == "Succeeded"]]; then
+    return 0  # OK!
+  else
+    return 1  # Not OK!
+  fi
+}
+
+attempt=1
+
+# Loop until verified (GitHub action will do a timeout)
+while true; do
+  if verify_migration; then
+    echo "Migration $job_name has succeeded"
+    break
+  else
+    echo "Attempt $attempt: Waiting for migration $job_name ..."
+    sleep 10 # Sleep for 10 seconds
+    attempt=$((attempt+1))
+  fi
+done