feat: add developer Redis access via infra pipeline

mjhoffmeister · mjhoffmeister · commit d4bb1a76a7b3 · 2026-01-20T16:03:59.000-06:00
- Add developer_principal_id input to infra.yml workflow
- Add conditional Redis access policy for local debugging
- Load appsettings.Development.local.json for local dev config
- Include full stack trace in error logging for debugging
- Add app-logs to gitignore
diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml
@@ -19,6 +19,11 @@ on:
           - plan
           - apply
           - destroy
+      developer_principal_id:
+        description: 'Azure AD Object ID for developer Redis access (optional, for local debugging)'
+        required: false
+        default: ''
+        type: string
 
 permissions:
   id-token: write
@@ -27,6 +32,7 @@ permissions:
 env:
   TF_VAR_github_repository: ${{ github.repository }}
   TF_VAR_github_environment: ${{ inputs.environment }}
+  TF_VAR_developer_principal_id: ${{ inputs.developer_principal_id }}
   ARM_USE_OIDC: true
   ARM_USE_AZUREAD: true
   # State storage settings
diff --git a/.gitignore b/.gitignore
@@ -95,3 +95,5 @@ yarn-error.log*
 # Publish output
 publish/
 wwwroot/_framework/
+app-logs/
+app-logs.zip
diff --git a/infra/terraform/appservice.tf b/infra/terraform/appservice.tf
@@ -119,6 +119,35 @@ resource "azapi_update_resource" "app_service_auth" {
   }
 }
 
+# Configure App Service logging
+resource "azapi_update_resource" "app_service_logs" {
+  type        = "Microsoft.Web/sites/config@2024-04-01"
+  resource_id = "${azapi_resource.app_service.id}/config/logs"
+
+  body = {
+    properties = {
+      applicationLogs = {
+        fileSystem = {
+          level = "Information"
+        }
+      }
+      detailedErrorMessages = {
+        enabled = true
+      }
+      failedRequestsTracing = {
+        enabled = true
+      }
+      httpLogs = {
+        fileSystem = {
+          enabled        = true
+          retentionInDays = 7
+          retentionInMb  = 35
+        }
+      }
+    }
+  }
+}
+
 # Role assignments for App Service managed identity
 
 # Search Index Data Reader
diff --git a/infra/terraform/redis.tf b/infra/terraform/redis.tf
@@ -64,3 +64,25 @@ resource "azapi_resource" "redis_app_access" {
 
   depends_on = [azapi_resource.app_service]
 }
+
+# Redis access assignment for developer identity (local debugging)
+# Only created if developer_principal_id is specified
+resource "azapi_resource" "redis_developer_access" {
+  count     = var.developer_principal_id != "" ? 1 : 0
+  type      = "Microsoft.Cache/redisEnterprise/databases/accessPolicyAssignments@2025-04-01"
+  name      = "developeraccess"
+  parent_id = azapi_resource.redis_database.id
+
+  schema_validation_enabled = false
+
+  body = {
+    properties = {
+      accessPolicyName = "default"
+      user = {
+        objectId = var.developer_principal_id
+      }
+    }
+  }
+
+  depends_on = [azapi_resource.redis_database]
+}
diff --git a/infra/terraform/variables.tf b/infra/terraform/variables.tf
@@ -29,6 +29,12 @@ variable "github_environment" {
   default     = "demo"
 }
 
+variable "developer_principal_id" {
+  description = "Azure AD Object ID of developer for local debugging access (optional)"
+  type        = string
+  default     = ""
+}
+
 # Local values for consistent naming
 locals {
   resource_prefix = "${var.project_name}-${var.environment}"
diff --git a/src/backend/HealthPlanChat.WebApi/Middleware/SafeErrorHandlingMiddleware.cs b/src/backend/HealthPlanChat.WebApi/Middleware/SafeErrorHandlingMiddleware.cs
@@ -55,8 +55,10 @@ public async Task InvokeAsync(HttpContext context)
         }
         catch (Exception ex)
         {
-            // Log exception type and correlation info, but NOT the message (may contain user data)
+            // Log exception type and correlation info
+            // NOTE: In development, log full exception for debugging
             _logger.LogError(
+                ex, // Include full exception for stack trace
                 "Unhandled exception. Type: {ExceptionType}, Path: {Path}, TraceId: {TraceId}",
                 ex.GetType().Name,
                 context.Request.Path,
diff --git a/src/backend/HealthPlanChat.WebApi/Program.cs b/src/backend/HealthPlanChat.WebApi/Program.cs
@@ -8,6 +8,12 @@
 
 var builder = WebApplication.CreateBuilder(args);
 
+// Add optional local configuration override (gitignored, for local dev with real Azure resources)
+builder.Configuration.AddJsonFile(
+    $"appsettings.{builder.Environment.EnvironmentName}.local.json",
+    optional: true,
+    reloadOnChange: true);
+
 // Bind configuration sections
 builder.Services.Configure<AppOptions>(builder.Configuration.GetSection(AppOptions.SectionKey));
 builder.Services.Configure<RetrievalOptions>(builder.Configuration.GetSection(RetrievalOptions.SectionKey));

Original file line number	Diff line number	Diff line change
`@@ -55,8 +55,10 @@ public async Task InvokeAsync(HttpContext context)`
`55`	`55`	`}`
`56`	`56`	`catch (Exception ex)`
`57`	`57`	`{`
`58`		`- // Log exception type and correlation info, but NOT the message (may contain user data)`
	`58`	`+ // Log exception type and correlation info`
	`59`	`+ // NOTE: In development, log full exception for debugging`
`59`	`60`	`_logger.LogError(`
	`61`	`+ ex, // Include full exception for stack trace`
`60`	`62`	`"Unhandled exception. Type: {ExceptionType}, Path: {Path}, TraceId: {TraceId}",`
`61`	`63`	`ex.GetType().Name,`
`62`	`64`	`context.Request.Path,`