Merge pull request #86 from baoduy/develop

Develop

package.json

@@ -59,8 +59,8 @@
     "@pulumi/azure-native": "^2.59.0",
     "@pulumi/azuread": "5.53.3",
     "@pulumi/pulumi": "^3.131.0",
-    "@pulumi/random": "^4.16.3",
-    "@pulumi/tls": "^5.0.4",
+    "@pulumi/random": "^4.16.4",
+    "@pulumi/tls": "^5.0.5",
     "netmask": "^2.0.2",
     "node-forge": "^1.3.1",
     "to-words": "^4.1.0"

src/AzAd/Identity.ts

@@ -9,12 +9,8 @@ import {
   ApplicationOptionalClaims,
   ApplicationRequiredResourceAccess,
 } from '@pulumi/azuread/types/input';
-import {
-  WithNamedType,
-  NamedWithVaultBasicArgs,
-  AdIdentityInfoWithInstance,
-} from '../types';
-import { addCustomSecret, addCustomSecrets } from '../KeyVault/CustomHelper';
+import { NamedWithVaultBasicArgs, AdIdentityInfoWithInstance } from '../types';
+import { addCustomSecret, addCustomSecrets } from '../KeyVault';
 import { getIdentitySecretNames } from './Helper';
 
 type PreAuthApplicationProps = {

src/Builder/ApimApiBuilder.ts

@@ -1,7 +1,7 @@
 import * as apim from '@pulumi/azure-native/apimanagement';
 import { enums } from '@pulumi/azure-native/types';
 import { Input, interpolate } from '@pulumi/pulumi';
-import { openApi } from '../Common';
+import { openApi, subscriptionId } from '../Common';
 import { ResourceInfo, WithDependsOn } from '../types';
 import ApimPolicyBuilder from './ApimPolicyBuilder';
 import {
@@ -162,6 +162,32 @@ export default class ApimApiBuilder
     });
   }
 
+  private buildApiDiagnostic({
+    apiId,
+    dependsOn,
+  }: { apiId: string } & WithDependsOn) {
+    new apim.ApiDiagnostic(
+      `apim-${apiId}-apiDiagnostic`,
+      {
+        serviceName: this.args.apimServiceName,
+        resourceGroupName: this.args.group.resourceGroupName,
+        apiId,
+        alwaysLog: apim.AlwaysLog.AllErrors,
+        httpCorrelationProtocol: 'W3C',
+        operationNameFormat: 'Url',
+        logClientIp: true,
+        verbosity: 'information',
+        loggerId: interpolate`/subscriptions/${subscriptionId}/resourceGroups/${this.args.group.resourceGroupName}/providers/Microsoft.ApiManagement/service/${this.args.apimServiceName}/loggers/${this.args.apimServiceName}-appInsight`,
+        diagnosticId: 'applicationinsights',
+        sampling: {
+          percentage: 100,
+          samplingType: apim.SamplingType.Fixed,
+        },
+      },
+      { dependsOn },
+    );
+  }
+
   private async buildApis() {
     const date = new Date();
     const tasks = Object.keys(this._apis).map(async (v) => {
@@ -237,6 +263,9 @@ export default class ApimApiBuilder
         );
       }
 
+      //Diagnostic
+      this.buildApiDiagnostic({ apiId: apiName, dependsOn: api });
+
       //Create Aoi Operations
       if ('operations' in apiProps) {
         this.buildOperations({

src/Builder/ApimBuilder.ts

@@ -1,6 +1,7 @@
 import * as types from './types';
 import { EnvRoleKeyTypes, ResourceInfo } from '../types';
 import * as apim from '@pulumi/azure-native/apimanagement';
+import { getSecretOutput, addCustomSecret } from '../KeyVault';
 import { naming, organization, subscriptionId, tenantId } from '../Common';
 import {
   ApimSignInSettingsResource,
@@ -93,6 +94,15 @@ class ApimBuilder
     this._proxyDomain = props;
     return this;
   }
+  public withProxyDomainIf(
+    condition: boolean,
+    props: types.ApimDomainBuilderType,
+  ): types.IApimBuilder {
+    if (condition) {
+      this.withProxyDomain(props);
+    }
+    return this;
+  }
   public withPublisher(
     props: types.ApimPublisherBuilderType,
   ): types.IApimBuilder {
@@ -128,8 +138,24 @@ class ApimBuilder
       });
     }
   }
+
+  private getCert(props: types.ApimCertBuilderType) {
+    if ('vaultCertName' in props) {
+      const cert = getSecretOutput({
+        name: props.vaultCertName,
+        vaultInfo: this.args.vaultInfo!,
+      });
+      return { encodedCertificate: cert.apply((c) => c!.value!) };
+    }
+
+    return {
+      encodedCertificate: props.certificate,
+      certificatePassword: props.certificatePassword,
+    };
+  }
+
   private buildAPIM() {
-    const { group, envRoles } = this.args;
+    const { group, envRoles, vaultInfo } = this.args;
 
     const sku = {
       name: this._sku!.sku,
@@ -141,8 +167,8 @@ class ApimBuilder
     this._apimInstance = new apim.ApiManagementService(
       this._instanceName,
       {
-        serviceName: this._instanceName,
         ...group,
+        serviceName: this._instanceName,
         publisherEmail: this._publisher!.publisherEmail,
         publisherName: this._publisher!.publisherName ?? organization,
         notificationSenderEmail:
@@ -153,26 +179,29 @@ class ApimBuilder
         sku,
 
         certificates: [
-          ...this._rootCerts.map((c) => ({
-            encodedCertificate: c.certificate,
-            certificatePassword: c.certificatePassword,
-            storeName: 'Root',
-          })),
-          ...this._caCerts.map((c) => ({
-            encodedCertificate: c.certificate,
-            certificatePassword: c.certificatePassword,
-            storeName: 'CertificateAuthority',
-          })),
+          ...this._rootCerts.map((c) => {
+            const crt = this.getCert(c);
+            return {
+              ...crt,
+              storeName: 'Root',
+            };
+          }),
+          ...this._caCerts.map((c) => {
+            const crt = this.getCert(c);
+            return {
+              ...crt,
+              storeName: 'CertificateAuthority',
+            };
+          }),
         ],
 
         enableClientCertificate: true,
         hostnameConfigurations: this._proxyDomain
           ? [
               {
+                ...this.getCert(this._proxyDomain),
                 type: 'Proxy',
                 hostName: this._proxyDomain.domain,
-                encodedCertificate: this._proxyDomain.certificate,
-                certificatePassword: this._proxyDomain.certificatePassword,
                 negotiateClientCertificate: false,
                 defaultSslBinding: false,
               },
@@ -257,6 +286,16 @@ class ApimBuilder
     if (this._envRoleType && envRoles) {
       envRoles.addIdentity(this._envRoleType, this._apimInstance.identity);
     }
+
+    if (vaultInfo) {
+      addCustomSecret({
+        name: `${this._instanceName}-host`,
+        value: this._proxyDomain?.domain ?? this._apimInstance.gatewayUrl,
+        contentType: `APIM ${this._instanceName}`,
+        dependsOn: this._apimInstance,
+        vaultInfo,
+      });
+    }
   }
 
   private buildEntraID() {
@@ -346,7 +385,8 @@ class ApimBuilder
     });
   }
   private buildInsightLog() {
-    if (!this.args.logInfo?.appInsight) return;
+    const { logInfo } = this.args;
+    if (!logInfo?.appInsight) return;
     //App Insight Logs
     new apim.Logger(
       `${this._instanceName}-insight`,
@@ -356,11 +396,11 @@ class ApimBuilder
 
         loggerType: apim.LoggerType.ApplicationInsights,
         description: 'App Insight Logger',
-        loggerId: randomUuId(this._instanceName!).result,
-        resourceId: this.args.logInfo.appInsight.id,
+        loggerId: `${this._instanceName}-appInsight`,
+        resourceId: logInfo!.appInsight.id,
         credentials: {
           //This credential will be added to NameValue automatically.
-          instrumentationKey: this.args.logInfo?.appInsight.instrumentationKey!,
+          instrumentationKey: logInfo!.appInsight.instrumentationKey!,
         },
       },
       { dependsOn: this._apimInstance },

src/Builder/ApimPolicyBuilder.ts

@@ -55,6 +55,13 @@ export default class ApimPolicyBuilder implements types.IApimPolicyBuilder {
     return this;
   }
 
+  public setBaseUrlIf(
+    condition: boolean,
+    props: types.ApimBaseUrlType,
+  ): types.IApimPolicyBuilder {
+    if (condition) this.setBaseUrl(props);
+    return this;
+  }
   public setHeader(props: types.ApimSetHeaderType): types.IApimPolicyBuilder {
     let rs = `\t<set-header name="${props.name}" exists-action="${props.type}">`;
     if (props.value) {
@@ -234,7 +241,7 @@ export default class ApimPolicyBuilder implements types.IApimPolicyBuilder {
     return this;
   }
 
-  public forwardToServiceBus(
+  public forwardToBus(
     props: types.ApimForwardToServiceBusType,
   ): types.IApimPolicyBuilder {
     this.authIdentity({
@@ -243,9 +250,11 @@ export default class ApimPolicyBuilder implements types.IApimPolicyBuilder {
       resource: 'https://servicebus.azure.net',
       ignoreError: false,
     });
+
     this.setBaseUrl({
       url: `https://${props.serviceBusName}.servicebus.windows.net`,
     });
+
     this.rewriteUri({ template: `${props.topicOrQueueName}/messages` });
     if (props.brokerProperties) {
       Object.keys(props.brokerProperties).forEach((key) =>
@@ -259,6 +268,14 @@ export default class ApimPolicyBuilder implements types.IApimPolicyBuilder {
     return this;
   }
 
+  public forwardToBusIf(
+    condition: boolean,
+    props: types.ApimForwardToServiceBusType,
+  ): types.IApimPolicyBuilder {
+    if (condition) this.forwardToBus(props);
+    return this;
+  }
+
   public setResponseHeaders(
     props: types.ApimSetHeaderType,
   ): types.IApimPolicyBuilder {

src/Builder/VnetBuilder.ts

@@ -89,6 +89,7 @@ class VnetBuilder
     this._ipType = type;
     return this;
   }
+
   public withPublicIPFrom(id: Input<string>): IGatewayFireWallBuilder {
     this._finalIpAddressIds.push(id);
     this._ipType = 'existing';

src/Builder/types/apimBuilder.ts

@@ -5,6 +5,8 @@ import {
   EnvRoleKeyTypes,
   PrivateLinkPropsType,
   ResourceInfo,
+  CertType,
+  VaultCertType,
   WithEnvRoles,
   WithLogInfo,
 } from '../../types';
@@ -38,10 +40,8 @@ export type ApimPublisherBuilderType = {
 /**
  * Type for configuring certificates for APIM.
  */
-export type ApimCertBuilderType = {
-  certificate: Input<string>;
-  certificatePassword?: Input<string>;
-};
+
+export type ApimCertBuilderType = CertType | VaultCertType;
 
 /**
  * Type for configuring domain and certificates for APIM.
@@ -174,6 +174,10 @@ export interface IApimBuilder extends IBuilder<ResourceInfo>, IApimAuthBuilder {
    * @returns The APIM builder instance.
    */
   withProxyDomain(props: ApimDomainBuilderType): IApimBuilder;
+  withProxyDomainIf(
+    condition: boolean,
+    props: ApimDomainBuilderType,
+  ): IApimBuilder;
 
   // withInsightLog(props: AppInsightInfo): IApimBuilder;
 

src/Builder/types/apimPolicyBuilder.ts

@@ -162,6 +162,7 @@ export interface IApimPolicyBuilder {
    * @returns The policy builder instance.
    */
   setBaseUrl(props: ApimBaseUrlType): IApimPolicyBuilder;
+  setBaseUrlIf(condition: boolean, props: ApimBaseUrlType): IApimPolicyBuilder;
 
   /**
    * Sets a header.
@@ -242,7 +243,11 @@ export interface IApimPolicyBuilder {
    */
   verifyClientCert(props: ApimClientCertType): IApimPolicyBuilder;
 
-  forwardToServiceBus(props: ApimForwardToServiceBusType): IApimPolicyBuilder;
+  forwardToBus(props: ApimForwardToServiceBusType): IApimPolicyBuilder;
+  forwardToBusIf(
+    condition: boolean,
+    props: ApimForwardToServiceBusType,
+  ): IApimPolicyBuilder;
 
   setResponseHeaders(props: ApimSetHeaderType): IApimPolicyBuilder;
 

src/Builder/types/sqlBuilder.ts

@@ -35,7 +35,7 @@ export type SqlBuilderAuthOptionsType = Omit<
 /**
  * Arguments for defining a SQL database.
  */
-export type SqlDbBuilderType = {
+export type SqlDbBuilderType = WithLockable & {
   /**
    * The name of the database.
    */