From 2fc3acdc3902a747ba5995de678cacd33675dc16 Mon Sep 17 00:00:00 2001 From: James Gunn Date: Mon, 18 Dec 2023 16:36:40 +0000 Subject: [PATCH] Move shared config into a shared secret (#1010) --- .../src/TeachingRecordSystem.Api/Program.cs | 8 ++++---- ...cs => HostApplicationBuilderExtensions.cs} | 19 ++++++++----------- .../Extensions.cs | 4 +++- .../TeachingRecordSystem.Worker/Program.cs | 8 ++++++-- terraform/aks/app.tf | 17 ++++++++++------- 5 files changed, 31 insertions(+), 25 deletions(-) rename TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/{ServiceCollectionExtensions.cs => HostApplicationBuilderExtensions.cs} (66%) diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Api/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Api/Program.cs index d6d3aba52..e94562ad0 100644 --- a/TeachingRecordSystem/src/TeachingRecordSystem.Api/Program.cs +++ b/TeachingRecordSystem/src/TeachingRecordSystem.Api/Program.cs @@ -179,12 +179,12 @@ public static void Main(string[] args) client.Timeout = TimeSpan.FromSeconds(30); }); - builder.AddBlobStorage(); - - builder.AddDistributedLocks(); + builder + .AddBlobStorage() + .AddDistributedLocks() + .AddIdentityApi(); services.AddTrnGenerationApi(configuration); - services.AddIdentityApi(configuration, env); services.AddAccessYourTeachingQualificationsOptions(configuration, env); services.AddCertificateGeneration(); services.AddCrmQueries(); diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/ServiceCollectionExtensions.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/HostApplicationBuilderExtensions.cs similarity index 66% rename from TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/ServiceCollectionExtensions.cs rename to TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/HostApplicationBuilderExtensions.cs index 975400d40..cf4e1ea92 100644 
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/ServiceCollectionExtensions.cs +++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Services/GetAnIdentity/HostApplicationBuilderExtensions.cs @@ -6,25 +6,22 @@ namespace TeachingRecordSystem.Core.Services.GetAnIdentityApi; -public static class ServiceCollectionExtensions +public static class HostApplicationBuilderExtensions { - public static IServiceCollection AddIdentityApi( - this IServiceCollection services, - IConfiguration configuration, - IHostEnvironment environment) + public static IHostApplicationBuilder AddIdentityApi(this IHostApplicationBuilder builder) { - if (!environment.IsUnitTests() && !environment.IsEndToEndTests()) + if (!builder.Environment.IsUnitTests() && !builder.Environment.IsEndToEndTests()) { - services.AddOptions() - .Bind(configuration.GetSection("GetAnIdentity")) + builder.Services.AddOptions() + .Bind(builder.Configuration.GetSection("GetAnIdentity")) .ValidateDataAnnotations() .ValidateOnStart(); - services + builder.Services .AddTransient() .AddHttpClient(); - services + builder.Services .AddHttpClient((sp, httpClient) => { var options = sp.GetRequiredService>(); @@ -33,6 +30,6 @@ public static IServiceCollection AddIdentityApi( .AddHttpMessageHandler(); } - return services; + return builder; } } diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.ServiceDefaults/Extensions.cs b/TeachingRecordSystem/src/TeachingRecordSystem.ServiceDefaults/Extensions.cs index 78c37dac3..d55fa9ba6 100644 --- a/TeachingRecordSystem/src/TeachingRecordSystem.ServiceDefaults/Extensions.cs +++ b/TeachingRecordSystem/src/TeachingRecordSystem.ServiceDefaults/Extensions.cs 
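Review bot: The new public `AddIdentityApi(this IHostApplicationBuilder builder)` has no XML doc, and its two least obvious behaviours are undocumented. It registers nothing when the environment is unit tests or end-to-end tests, and otherwise it binds the `GetAnIdentity` section with `ValidateOnStart()`, so a host without that section presumably fails at startup rather than on first use. I would add `/// <summary>Registers the Get an Identity API client and options bound from the "GetAnIdentity" section (validated at startup); registers nothing under unit or end-to-end tests.</summary>`. The generic type arguments are not visible on this page and two lines of the HttpClient lambda fall between the file's two hunks, so the summary deliberately names no types.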
@@ -27,7 +27,9 @@ public static IHostApplicationBuilder AddServiceDefaults( if (builder.Environment.IsProduction()) { - builder.Configuration.AddJsonEnvironmentVariable("AppConfig"); + builder.Configuration + .AddJsonEnvironmentVariable("AppConfig") + .AddJsonEnvironmentVariable("SharedConfig"); builder.Services.Configure(options => { diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Worker/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Worker/Program.cs index ebb869c4a..77851cad9 100644 --- a/TeachingRecordSystem/src/TeachingRecordSystem.Worker/Program.cs +++ b/TeachingRecordSystem/src/TeachingRecordSystem.Worker/Program.cs @@ -9,6 +9,7 @@ using TeachingRecordSystem.Core.Infrastructure.Configuration; using TeachingRecordSystem.Core.Jobs; using TeachingRecordSystem.Core.Services.DqtReporting; +using TeachingRecordSystem.Core.Services.GetAnIdentityApi; using TeachingRecordSystem.Core.Services.Notify; using TeachingRecordSystem.Core.Services.TrnGenerationApi; using TeachingRecordSystem.Core.Services.TrsDataSync; @@ -21,7 +22,9 @@ if (builder.Environment.IsProduction()) { - builder.Configuration.AddJsonEnvironmentVariable("AppConfig"); + builder.Configuration + .AddJsonEnvironmentVariable("AppConfig") + .AddJsonEnvironmentVariable("SharedConfig"); } builder.ConfigureLogging(); @@ -35,7 +38,8 @@ .AddHangfire() .AddBackgroundJobs() .AddBackgroundWorkScheduler() - .AddEmail(); + .AddEmail() + .AddIdentityApi(); var crmServiceClient = new ServiceClient(builder.Configuration.GetRequiredValue("ConnectionStrings:Crm")) { diff --git a/terraform/aks/app.tf b/terraform/aks/app.tf index 7ef11b2b5..e5d610db5 100644 --- a/terraform/aks/app.tf +++ b/terraform/aks/app.tf 
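Review bot: Inside the `IsProduction()` block, `SharedConfig` is added after `AppConfig`, and in .NET configuration the source added last wins on a duplicate key, so a value in the shared secret would override the same key in the app's own config. That holds only if `AddJsonEnvironmentVariable` appends an ordinary configuration source, which this diff does not show. If the app-specific value is meant to win, swap the order: `.AddJsonEnvironmentVariable("SharedConfig")` first, then `.AddJsonEnvironmentVariable("AppConfig")`. Otherwise a one-line comment stating that shared values take precedence would prevent a surprise later. The same chain is repeated in the Worker/Program.cs hunk at -21,7 +22,9, and AddServiceDefaults continues outside this hunk.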
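Review bot: In the Worker/Program.cs hunk at -35,7 +38,8, `.AddIdentityApi()` is registered in every environment except unit and end-to-end tests, but `SharedConfig` is only loaded under `IsProduction()`. Because the options are bound with `ValidateOnStart()`, a worker started in Development presumably needs a `GetAnIdentity` section from some other source or it will stop at startup. Whether that is so depends on the options' annotations, which are not visible here. A comment above the call would record the dependency: `// Needs the "GetAnIdentity" section: from SharedConfig in production, from local configuration otherwise.`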
@@ -54,10 +54,10 @@ module "api_application_configuration" { secret_key_vault_short = "api" config_variables = { - SENTRY_ENVIRONMENT = var.environment_name + DataProtectionKeysContainerName = azurerm_storage_container.keys.name DistributedLockContainerName = azurerm_storage_container.locks.name RecurringJobs__Enabled = var.run_recurring_jobs - DataProtectionKeysContainerName = azurerm_storage_container.keys.name + SENTRY_ENVIRONMENT = var.environment_name } secret_variables = { @@ -66,6 +66,7 @@ module "api_application_configuration" { ConnectionStrings__Redis = module.redis.connection_string StorageConnectionString = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.app_storage.name};AccountKey=${azurerm_storage_account.app_storage.primary_access_key}" Sentry__Dsn = module.infrastructure_secrets.map.SENTRY-DSN + SharedConfig = module.infrastructure_secrets.map.SharedConfig } } @@ -104,16 +105,17 @@ module "ui_application_configuration" { secret_key_vault_short = "ui" config_variables = { - SENTRY_ENVIRONMENT = var.environment_name DataProtectionKeysContainerName = azurerm_storage_container.keys.name + SENTRY_ENVIRONMENT = var.environment_name } secret_variables = { ApplicationInsights__ConnectionString = azurerm_application_insights.app.connection_string ConnectionStrings__DefaultConnection = module.postgres.dotnet_connection_string ConnectionStrings__Redis = "${module.redis.connection_string},defaultDatabase=1" - StorageConnectionString = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.app_storage.name};AccountKey=${azurerm_storage_account.app_storage.primary_access_key}" Sentry__Dsn = module.infrastructure_secrets.map.SENTRY-DSN + SharedConfig = module.infrastructure_secrets.map.SharedConfig + StorageConnectionString = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.app_storage.name};AccountKey=${azurerm_storage_account.app_storage.primary_access_key}" } } 
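Review bot: `SharedConfig = module.infrastructure_secrets.map.SharedConfig` in the api `secret_variables` (hunk -66,6 +66,7) hands the whole shared JSON blob to that workload, and the same line is added for ui and worker in the hunks at -104,16 and -151,17. Every value in the blob is therefore readable from all three processes, which widens what a compromise of any one of them exposes. It is worth limiting SharedConfig to settings all three really need and recording that next to the variable, e.g. `# SharedConfig: JSON of settings required by api, ui and worker; app-specific secrets stay in each app's own key vault`. The lookup also presumably requires a `SharedConfig` entry in every environment's infrastructure secrets before this is applied, otherwise the plan would fail on the missing map key.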
@@ -151,17 +153,18 @@ module "worker_application_configuration" { secret_key_vault_short = "worker" config_variables = { - SENTRY_ENVIRONMENT = var.environment_name DistributedLockContainerName = azurerm_storage_container.locks.name DqtReporting__RunService = var.run_dqt_reporting_service + SENTRY_ENVIRONMENT = var.environment_name } secret_variables = { ApplicationInsights__ConnectionString = azurerm_application_insights.app.connection_string ConnectionStrings__DefaultConnection = module.postgres.dotnet_connection_string - StorageConnectionString = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.app_storage.name};AccountKey=${azurerm_storage_account.app_storage.primary_access_key}" - Sentry__Dsn = module.infrastructure_secrets.map.SENTRY-DSN DqtReporting__ReportingDbConnectionString = local.reporting_db_connection_string + Sentry__Dsn = module.infrastructure_secrets.map.SENTRY-DSN + StorageConnectionString = "DefaultEndpointsProtocol=https;AccountName=${azurerm_storage_account.app_storage.name};AccountKey=${azurerm_storage_account.app_storage.primary_access_key}" + SharedConfig = module.infrastructure_secrets.map.SharedConfig } }