From 13e5e4759f9f9a40f56969239f78087bc8fdd2c7 Mon Sep 17 00:00:00 2001
From: eugene
Date: Mon, 26 Aug 2024 19:07:17 +0800
Subject: [PATCH 1/3] fix: tf container app

---
 infra/Terraform/container-app.tf | 97 ++++++++++++++++++++------------
 1 file changed, 62 insertions(+), 35 deletions(-)

diff --git a/infra/Terraform/container-app.tf b/infra/Terraform/container-app.tf
index 34d1d66..57771df 100644
--- a/infra/Terraform/container-app.tf
+++ b/infra/Terraform/container-app.tf
@@ -13,7 +13,11 @@ locals {
 }
 
 # [Use multiple provisoners to run multiple commands in local exec](https://tinyurl.com/mrjw6rkf)
-resource "null_resource" "build_docker_image" {
+resource "null_resource" "publish_docker_image" {
+ triggers = {
+ always_run = "${timestamp()}"
+ }
+
 provisioner "local-exec" {
 environment = {
 "IMAGE" = "${local.image}"
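Review bot: The `always_run = "${timestamp()}"` trigger on `null_resource.publish_docker_image` forces the resource to be replaced on every `terraform apply`, so the local-exec build-and-push runs each time and the plan never converges to "no changes", which makes genuine drift elsewhere in the stack easy to miss. Keying the trigger on the build inputs instead, for example `build_context = filesha256("${path.module}/<PATH_TO_DOCKERFILE placeholder>")`, rebuilds only when those inputs change while keeping the resource deterministic. The `"${timestamp()}"` wrapping is also the legacy interpolation-only form that Terraform 0.12+ warns about; `always_run = timestamp()` is the current syntax. The provisioner body continues past the end of this hunk.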
@@ -41,37 +45,60 @@ resource "null_resource" "build_docker_image" {
 depends_on = [azurerm_container_registry.acr]
 }
 
-# resource "azurerm_container_app_environment" "env" {
-# name = "ca-env-storeonwheels-prod-sea"
-# location = azurerm_resource_group.rg.location
-# resource_group_name = azurerm_resource_group.rg.name
-# log_analytics_workspace_id = azurerm_log_analytics_workspace.analytics.id
-# }
-
-# resource "azurerm_container_app" "app" {
-# name = "ca-storeonwheels-prod-sea"
-# container_app_environment_id = azurerm_container_app_environment.env.id
-# resource_group_name = azurerm_resource_group.rg.name
-# revision_mode = "Single"
-
-# template {
-# container {
-# name = "storeonwheelsserver"
-# image = "${azurerm_container_registry.acr.login_server}/${local.image}"
-# cpu = 0.5
-# memory = "1Gi"
-# }
-# }
-
-# ingress {
-# allow_insecure_connections = false
-# external_enabled = true
-# target_port = 4000
-# # ws connection not distributed to message queues yet
-# traffic_weight {
-# percentage = 100
-# }
-# }
-
-# depends_on = [null_resource.push_docker_image]
-# }
+resource "azurerm_container_app_environment" "env" {
+ name = "ca-env-storeonwheels-prod-sea"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.analytics.id
+
+ depends_on = [null_resource.publish_docker_image]
+}
+
+resource "azurerm_user_assigned_identity" "uami" {
+ name = "uami-storeonwheels-prod-sea"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+
+ depends_on = [null_resource.publish_docker_image]
+}
+
+resource "azurerm_role_assignment" "acr_pull" {
+ principal_id = azurerm_user_assigned_identity.uami.principal_id
+ role_definition_name = "AcrPull"
+ scope = azurerm_container_registry.acr.id
+}
+
+resource "azurerm_container_app" "app" {
+ name = "ca-storeonwheels-prod-sea"
+ container_app_environment_id = azurerm_container_app_environment.env.id
+ resource_group_name = azurerm_resource_group.rg.name
+ revision_mode = "Single"
+
+ identity {
+ type = "UserAssigned"
+ identity_ids = [
+ azurerm_user_assigned_identity.uami.id
+ ]
+ }
+
+ # needed for authentication
+ template {
+ container {
+ name = "storeonwheelsserver"
+ image = "${azurerm_container_registry.acr.login_server}/${local.image}"
+ cpu = 0.5
+ memory = "1Gi"
+ }
+ }
+
+ ingress {
+ allow_insecure_connections = false
+ external_enabled = true
+ target_port = 4000
+ # ws connection not distributed to message queues yet
+ traffic_weight {
+ latest_revision = true
+ percentage = 100
+ }
+ }
+}

From cc18b197e903b71cbf663d8a6e85dada57ecf2a0 Mon Sep 17 00:00:00 2001
From: eugene
Date: Mon, 26 Aug 2024 21:50:48 +0800
Subject: [PATCH 2/3] fix: container app auth

---
 infra/Terraform/container-app.tf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/infra/Terraform/container-app.tf b/infra/Terraform/container-app.tf
index 57771df..9c343d8 100644
--- a/infra/Terraform/container-app.tf
+++ b/infra/Terraform/container-app.tf
@@ -63,9 +63,9 @@ resource "azurerm_user_assigned_identity" "uami" {
 }
 
 resource "azurerm_role_assignment" "acr_pull" {
- principal_id = azurerm_user_assigned_identity.uami.principal_id
+ principal_id = azurerm_user_assigned_identity.uami.principal_id
 role_definition_name = "AcrPull"
- scope = azurerm_container_registry.acr.id
+ scope = azurerm_container_registry.acr.id
 }
 
 resource "azurerm_container_app" "app" {
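Review bot: `azurerm_container_app.app` references the user-assigned identity but nothing orders it after `azurerm_role_assignment.acr_pull`, so Terraform may create the app and its first revision before the AcrPull grant exists or has propagated, and the pull from the private registry then fails on the first apply; add `depends_on = [azurerm_role_assignment.acr_pull]` to the app resource. The same ordering gap persists in PATCH 2/3 where the `registry {}` block is added, since that block only names the identity and does not reference the role assignment. The `depends_on = [null_resource.publish_docker_image]` placed on `azurerm_container_app_environment.env` and `azurerm_user_assigned_identity.uami` also appears misplaced — neither resource consumes the image; the dependency belongs on the container app, whose `template.container.image` must exist in ACR when the revision is created.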
@@ -74,14 +74,21 @@ resource "azurerm_container_app" "app" {
 resource_group_name = azurerm_resource_group.rg.name
 revision_mode = "Single"
 
+ # needed for authentication when pulling from private ACR
+ registry {
+ server = azurerm_container_registry.acr.login_server
+ identity = azurerm_user_assigned_identity.uami.id
+ }
+
+ # needed for container app to access other Microsoft Entra protected resources
+ # https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet
 identity {
- type = "UserAssigned"
+ type = "SystemAssigned, UserAssigned"
 identity_ids = [
 azurerm_user_assigned_identity.uami.id
 ]
 }
 
- # needed for authentication
 template {
 container {
 name = "storeonwheelsserver"

From a1865bfe5aea4052cd3004821e3429fae6c7a065 Mon Sep 17 00:00:00 2001
From: eugene
Date: Wed, 28 Aug 2024 19:16:20 +0800
Subject: [PATCH 3/3] fix: container apps

---
 infra/Terraform/container-app.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/infra/Terraform/container-app.tf b/infra/Terraform/container-app.tf
index 9c343d8..d1bcc74 100644
--- a/infra/Terraform/container-app.tf
+++ b/infra/Terraform/container-app.tf
@@ -74,7 +74,8 @@ resource "azurerm_container_app" "app" {
 resource_group_name = azurerm_resource_group.rg.name
 revision_mode = "Single"
 
- # needed for authentication when pulling from private ACR
+ # needed for authentication when pulling from private ACR
+ # https://azureway.cloud/azure-container-apps-creating-using-terraform-part-1/
 registry {
 server = azurerm_container_registry.acr.login_server
 identity = azurerm_user_assigned_identity.uami.id
@@ -83,7 +84,7 @@ resource "azurerm_container_app" "app" {
 # needed for container app to access other Microsoft Entra protected resources
 # https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=portal%2Cdotnet
 identity {
- type = "SystemAssigned, UserAssigned"
+ type = "UserAssigned"
 identity_ids = [
 azurerm_user_assigned_identity.uami.id
 ]
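Review bot: The new comment above `identity {}` says the identity is needed so the app can reach "other Microsoft Entra protected resources", but the only grant visible anywhere in this series is `AcrPull` on the registry, so the comment promises access the Terraform does not declare. If the app does need further access, the corresponding `azurerm_role_assignment` resources belong in this file where their scope can be reviewed; if it does not, narrow the comment to what is actually granted, e.g. `# identity the app runs as; currently granted only AcrPull via azurerm_role_assignment.acr_pull`. This assumes no role assignments for the identity exist in other files of the module — confirm before changing the wording.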
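Review bot: The identity `type` flips back to `"UserAssigned"` two days after PATCH 2/3 set `"SystemAssigned, UserAssigned"`, and neither the subject line `fix: container apps` nor the hunk records why, so a reader of the final file sees a comment about Entra access above a block that deliberately has no system-assigned identity. A one-line comment preserving the rationale would help, e.g. `# SystemAssigned intentionally not enabled: <reason placeholder>`. Also worth checking: if anything was granted to the system-assigned principal outside this file while PATCH 2/3 was applied, dropping the system identity deletes that principal and orphans those grants.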