First working version

reindervdw-cmi · reindervdw-cmi · commit 16bd71deedc6 · 2025-12-03T11:06:22.000-05:00
diff --git a/dev/main.tf b/dev/main.tf
@@ -30,6 +30,8 @@ module "dev_environment" {
   database_name            = "ctk"
   acr_id                   = data.terraform_remote_state.shared.outputs.acr_id
   acr_login_server         = data.terraform_remote_state.shared.outputs.acr_login_server
+  acr_admin_username = data.terraform_remote_state.shared.outputs.acr_admin_username
+  acr_admin_password = data.terraform_remote_state.shared.outputs.acr_admin_password
   webapp_image_tag         = var.webapp_image_tag
   cloai_service_image_tag  = var.cloai_service_image_tag
   ctk_functions_image_tag  = var.ctk_functions_image_tag
diff --git a/justfile b/justfile
@@ -9,6 +9,10 @@ plan env=default_env *args='':
 apply env=default_env *args='':
     terraform -chdir="./{{env}}" apply {{args}}
 
+plapply env=default_env:
+    just plan {{env}} --out ./{{env}}.plan
+    just apply {{env}} ./{{env}}.plan
+
 destroy env=default_env *args='':
     terraform -chdir="./{{env}}" destroy {{args}}
 
diff --git a/modules/active_directory_app_registration/main.tf b/modules/active_directory_app_registration/main.tf
@@ -0,0 +1,35 @@
+data "azuread_client_config" "current" {}
+
+resource "azuread_application" "app" {
+  display_name = var.display_name
+  owners       = [data.azuread_client_config.current.object_id]
+
+  web {
+    redirect_uris = var.redirect_uris
+    implicit_grant {
+      access_token_issuance_enabled = false
+      id_token_issuance_enabled     = true
+    }
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "azuread_service_principal" "sp" {
+  client_id = azuread_application.app.client_id
+  owners    = [data.azuread_client_config.current.object_id]
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "azuread_application_password" "secret" {
+  application_id = azuread_application.app.id
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
diff --git a/modules/active_directory_app_registration/outputs.tf b/modules/active_directory_app_registration/outputs.tf
@@ -0,0 +1,12 @@
+output "client_id" {
+  value = azuread_application.app.client_id
+}
+
+output "client_secret" {
+  value     = azuread_application_password.secret.value
+  sensitive = true
+}
+
+output "tenant_id" {
+  value = data.azuread_client_config.current.tenant_id
+}
diff --git a/modules/active_directory_app_registration/vars.tf b/modules/active_directory_app_registration/vars.tf
@@ -0,0 +1,10 @@
+variable "display_name" {
+  description = "The display name for the application."
+  type        = string
+}
+
+variable "redirect_uris" {
+  description = "A set of redirect URIs for the application."
+  type        = list(string)
+  default     = []
+}
diff --git a/modules/container_apps/cloai_service/main.tf b/modules/container_apps/cloai_service/main.tf
@@ -1,5 +1,5 @@
 resource "azurerm_container_app" "cloai_service" {
-  name                         = format("ca-cloai-service-%s-%s", var.project_name, var.environment_name)
+  name                         = format("ca-%s-%s-cloai-service", var.project_name, var.environment_name)
   container_app_environment_id = var.container_app_environment_id
   resource_group_name          = var.resource_group_name
   revision_mode                = "Single"
@@ -17,10 +17,21 @@ resource "azurerm_container_app" "cloai_service" {
     type = "SystemAssigned"
   }
 
+  registry {
+    server               = var.acr_login_server
+    username             = var.acr_admin_username
+    password_secret_name = "acr-admin-password"
+  }
+
+  secret {
+    name  = "acr-admin-password"
+    value = var.acr_admin_password
+  }
+
   template {
     container {
-      name   = format("ca-cloai-service-%s-%s", var.project_name, var.environment_name)
-      image  = "${var.acr_login_server}/cloai-service:${var.image_tag}"
+      name   = format("ca-%s-%s-cloai-service", var.project_name, var.environment_name)
+      image  = "${var.acr_login_server}/childmindresearch/cloai-service:${var.image_tag}"
       cpu    = 1
       memory = "2Gi"
 
@@ -30,7 +41,7 @@ resource "azurerm_container_app" "cloai_service" {
       }
 
       env {
-        name      = "CONFIG_JSON"
+        name        = "CONFIG_JSON"
         secret_name = "config-json"
       }
     }
diff --git a/modules/container_apps/cloai_service/vars.tf b/modules/container_apps/cloai_service/vars.tf
@@ -43,3 +43,14 @@ variable "acr_id" {
   type        = string
   description = "The ID of the Azure Container Registry."
 }
+
+variable "acr_admin_username" {
+  type        = string
+  description = "Admin username for the Azure Container Registry."
+}
+
+variable "acr_admin_password" {
+  type        = string
+  description = "Admin password for the Azure Container Registry."
+  sensitive   = true
+}
diff --git a/modules/container_apps/ctk_functions/main.tf b/modules/container_apps/ctk_functions/main.tf
@@ -1,5 +1,5 @@
 resource "azurerm_container_app" "ctk_functions" {
-  name                         = format("ca-ctk-functions-%s-%s", var.project_name, var.environment_name)
+  name                         = format("ca-%s-%s-ctk-functions", var.project_name, var.environment_name)
   container_app_environment_id = var.container_app_environment_id
   resource_group_name          = var.resource_group_name
   revision_mode                = "Single"
@@ -17,10 +17,20 @@ resource "azurerm_container_app" "ctk_functions" {
     type = "SystemAssigned"
   }
 
+  registry {
+    server               = var.acr_login_server
+    username             = var.acr_admin_username
+    password_secret_name = "acr-admin-password"
+  }
+
+  secret {
+    name  = "acr-admin-password"
+    value = var.acr_admin_password
+  }
   template {
     container {
-      name   = format("ca-ctk-functions-%s-%s", var.project_name, var.environment_name)
-      image  = "${var.acr_login_server}/ctk-functions:${var.image_tag}"
+      name   = format("ca-%s-ctk-functions-%s", var.project_name, var.environment_name)
+      image  = "${var.acr_login_server}/childmindresearch/ctk-functions:${var.image_tag}"
       cpu    = 1
       memory = "2Gi"
 
diff --git a/modules/container_apps/ctk_functions/vars.tf b/modules/container_apps/ctk_functions/vars.tf
@@ -90,3 +90,15 @@ variable "acr_id" {
   type        = string
   description = "The ID of the Azure Container Registry."
 }
+
+
+variable "acr_admin_username" {
+  type        = string
+  description = "Admin username for the Azure Container Registry."
+}
+
+variable "acr_admin_password" {
+  type        = string
+  description = "Admin password for the Azure Container Registry."
+  sensitive   = true
+}
diff --git a/modules/container_apps/languagetool/main.tf b/modules/container_apps/languagetool/main.tf
@@ -1,5 +1,5 @@
 resource "azurerm_container_app" "languagetool" {
-  name                         = format("ca-ctk-languagetool-%s-%s", var.project_name, var.environment_name)
+  name                         = format("ca-%s-%s-languagetool", var.project_name, var.environment_name)
   container_app_environment_id = var.container_app_environment_id
   resource_group_name          = var.resource_group_name
   revision_mode                = "Single"
@@ -15,7 +15,7 @@ resource "azurerm_container_app" "languagetool" {
 
   template {
     container {
-      name   = format("ca-ctk-languagetool-%s-%s", var.project_name, var.environment_name)
+      name   = format("ca-%s-languagetool-%s", var.project_name, var.environment_name)
       image  = "erikvl87/languagetool:6.5"
       cpu    = 1
       memory = "2Gi"
diff --git a/modules/container_apps/webapp/main.tf b/modules/container_apps/webapp/main.tf
@@ -1,12 +1,12 @@
 resource "azurerm_container_app" "webapp" {
-  name                         = format("ca-ctk-webapp-%s-%s", var.project_name, var.environment_name)
+  name                         = format("ca-%s-%s-webapp", var.project_name, var.environment_name)
   container_app_environment_id = var.container_app_environment_id
   resource_group_name          = var.resource_group_name
   revision_mode                = "Single"
 
   ingress {
     external_enabled = true
-    target_port      = 8000
+    target_port      = 3000
     traffic_weight {
       percentage      = 100
       latest_revision = true
@@ -17,10 +17,26 @@ resource "azurerm_container_app" "webapp" {
     type = "SystemAssigned"
   }
 
+  registry {
+    server               = var.acr_login_server
+    username             = var.acr_admin_username
+    password_secret_name = "acr-admin-password"
+  }
+
+  secret {
+    name  = "acr-admin-password"
+    value = var.acr_admin_password
+  }
+
+  secret {
+    name  = "microsoft-provider-authentication-secret"
+    value = var.azure_ad_client_secret
+  }
+
   template {
     container {
-      name   = format("ca-ctk-webapp-%s-%s", var.project_name, var.environment_name)
-      image  = "${var.acr_login_server}/ctk-webapp:${var.image_tag}"
+      name   = format("ca-%s-%s-webapp", var.project_name, var.environment_name)
+      image  = "${var.acr_login_server}/childmindresearch/ctk-webapp:${var.image_tag}"
       cpu    = 1
       memory = "2Gi"
 
@@ -60,7 +76,7 @@ resource "azurerm_container_app" "webapp" {
       }
 
       env {
-        name = "BODY_SIZE_LIMIT"
+        name  = "BODY_SIZE_LIMIT"
         value = "5M"
       }
     }
@@ -109,4 +125,5 @@ resource "azapi_resource_action" "my_app_auth" {
       }
     }
   }
-}
+}
+
diff --git a/modules/container_apps/webapp/vars.tf b/modules/container_apps/webapp/vars.tf
@@ -76,6 +76,12 @@ variable "azure_ad_client_id" {
   description = "Azure AD application (client) ID for SSO."
 }
 
+variable "azure_ad_client_secret" {
+  type        = string
+  description = "Azure AD application (client) secret for SSO."
+  sensitive   = true
+}
+
 variable "azure_ad_tenant_id" {
   type        = string
   description = "Azure AD tenant ID."
@@ -85,3 +91,14 @@ variable "acr_id" {
   type        = string
   description = "The ID of the Azure Container Registry."
 }
+
+variable "acr_admin_username" {
+  type        = string
+  description = "Admin username for the Azure Container Registry."
+}
+
+variable "acr_admin_password" {
+  type        = string
+  description = "Admin password for the Azure Container Registry."
+  sensitive   = true
+}
diff --git a/modules/container_registry/outputs.tf b/modules/container_registry/outputs.tf
@@ -7,3 +7,14 @@ output "container_registry_login_server" {
     description = "The login server URL of the Azure Container Registry."
     value       = azurerm_container_registry.acr.login_server
 }
+
+output "admin_username" {
+    description = "The admin username for the Azure Container Registry."
+    value       = azurerm_container_registry.acr.admin_username
+}
+
+output "admin_password" {
+    description = "The admin password for the Azure Container Registry."
+    value       = azurerm_container_registry.acr.admin_password
+    sensitive   = true
+}
diff --git a/modules/cosmos_postgres/main.tf b/modules/cosmos_postgres/main.tf
@@ -17,25 +17,6 @@ resource "azurerm_cosmosdb_postgresql_cluster" "cluster" {
   }
 }
 
-resource "azurerm_private_endpoint" "cosmos_postgres" {
-  name                = format("pe-cosmos-pg-%s-%s", var.project_name, var.environment_name)
-  location            = var.region_name
-  resource_group_name = var.resource_group_name
-  subnet_id           = var.database_subnet_id
-
-  private_service_connection {
-    name                           = "cosmos-postgres-connection"
-    private_connection_resource_id = azurerm_cosmosdb_postgresql_cluster.cluster.id
-    is_manual_connection           = false
-    subresource_names              = ["coordinator"]
-  }
-
-  private_dns_zone_group {
-    name                 = "cosmos-postgres-dns-zone-group"
-    private_dns_zone_ids = [azurerm_private_dns_zone.cosmos_postgres.id]
-  }
-}
-
 resource "azurerm_private_dns_zone" "cosmos_postgres" {
   name                = "privatelink.postgres.cosmos.azure.com"
   resource_group_name = var.resource_group_name
diff --git a/modules/cosmos_postgres/vars.tf b/modules/cosmos_postgres/vars.tf
@@ -67,7 +67,7 @@ variable "node_count" {
 variable "node_storage_quota_in_mb" {
   type        = number
   description = "Storage quota in MB for each worker node."
-  default     = 32768
+  default     = 524288
 }
 
 variable "node_vcores" {
diff --git a/modules/environment/main.tf b/modules/environment/main.tf
@@ -83,13 +83,24 @@ module "languagetool" {
   container_app_environment_id = module.container_app_environment.container_app_environment_id
 }
 
+module "active_directory_app_registration" {
+  source       = "../active_directory_app_registration"
+  display_name = "ad-${var.project_name}-webapp-${var.environment_name}"
+  redirect_uris = [
+    "https://ca-${var.project_name}-${var.environment_name}-webapp.${module.container_app_environment.default_domain}/.auth/login/aad/callback",
+    "https://cliniciantoolkit.childmind.org/.auth/login/aad/callback"
+  ]
+}
+
 module "webapp" {
   source                       = "../container_apps/webapp"
   resource_group_name          = module.resource_group.name
   project_name                 = var.project_name
   environment_name             = var.environment_name
   container_app_environment_id = module.container_app_environment.container_app_environment_id
   acr_login_server             = var.acr_login_server
+  acr_admin_username           = var.acr_admin_username
+  acr_admin_password           = var.acr_admin_password
   acr_id                       = var.acr_id
   languagetool_url             = "https://${module.languagetool.fqdn}"
   image_tag                    = var.webapp_image_tag
@@ -99,8 +110,9 @@ module "webapp" {
   postgres_user                = module.cosmos_postgres.administrator_login
   postgres_password            = module.cosmos_postgres.administrator_password
   azure_blob_account_name      = module.storage_account.storage_account_name
-  azure_ad_client_id           = var.azure_ad_client_id
-  azure_ad_tenant_id           = var.azure_ad_tenant_id
+  azure_ad_client_id           = module.active_directory_app_registration.client_id
+  azure_ad_client_secret       = module.active_directory_app_registration.client_secret
+  azure_ad_tenant_id           = module.active_directory_app_registration.tenant_id
   location                     = var.region_name
 }
 
@@ -111,6 +123,8 @@ module "cloai_service" {
   environment_name             = var.environment_name
   container_app_environment_id = module.container_app_environment.container_app_environment_id
   acr_login_server             = var.acr_login_server
+  acr_admin_username           = var.acr_admin_username
+  acr_admin_password           = var.acr_admin_password
   acr_id                       = var.acr_id
   image_tag                    = var.cloai_service_image_tag
   config_json_secret_id        = "${module.key_vault.vault_uri}secrets/cloai-service-config-json"
@@ -125,6 +139,8 @@ module "ctk_functions" {
   container_app_environment_id           = module.container_app_environment.container_app_environment_id
   acr_login_server                       = var.acr_login_server
   acr_id                                 = var.acr_id
+  acr_admin_username                     = var.acr_admin_username
+  acr_admin_password                     = var.acr_admin_password
   image_tag                              = var.ctk_functions_image_tag
   postgres_host                          = module.cosmos_postgres.host
   postgres_port                          = module.cosmos_postgres.port
diff --git a/modules/environment/vars.tf b/modules/environment/vars.tf
diff --git a/modules/key_vault/main.tf b/modules/key_vault/main.tf
diff --git a/prod/.terraform.lock.hcl b/prod/.terraform.lock.hcl
diff --git a/prod/main.tf b/prod/main.tf
diff --git a/prod/vars.tf b/prod/vars.tf
diff --git a/shared/outputs.tf b/shared/outputs.tf
