pulumi-django-azure 1.0.0__py3-none-any.whl → 1.0.10__py3-none-any.whl

pulumi_django_azure/__init__.py

@@ -0,0 +1 @@
+from .django_deployment import DjangoDeployment  # noqa: F401

{pulumi-django-azure → pulumi_django_azure}/django_deployment.py

@@ -11,8 +11,10 @@ class DjangoDeployment(pulumi.ComponentResource):
     def __init__(
         self,
         name,
+        tenant_id: str,
         resource_group_name: pulumi.Input[str],
         vnet: azure.network.VirtualNetwork,
+        pgsql_sku: azure.dbforpostgresql.SkuArgs,
         pgsql_ip_prefix: str,
         appservice_ip_prefix: str,
         app_service_sku: azure.web.SkuDescriptionArgs,
@@ -20,11 +22,29 @@ class DjangoDeployment(pulumi.ComponentResource):
         cdn_host: Optional[str],
         opts=None,
     ):
+        """
+        Create a Django deployment.
+
+        :param name: The name of the deployment, will be used to name subresources.
+        :param tenant_id: The Entra tenant ID for the database authentication.
+        :param resource_group_name: The resource group name to create the resources in.
+        :param vnet: The virtual network to create the subnets in.
+        :param pgsql_sku: The SKU for the PostgreSQL server.
+        :param pgsql_ip_prefix: The IP prefix for the PostgreSQL subnet.
+        :param appservice_ip_prefix: The IP prefix for the app service subnet.
+        :param app_service_sku: The SKU for the app service plan.
+        :param storage_account_name: The name of the storage account. Should be unique across Azure.
+        :param cdn_host: A custom CDN host name (optional)
+        :param opts: The resource options
+        """
+
         super().__init__("pkg:index:DjangoDeployment", name, None, opts)
 
         # child_opts = pulumi.ResourceOptions(parent=self)
+        self._config = pulumi.Config()
 
         self._name = name
+        self._tenant_id = tenant_id
         self._rg = resource_group_name
         self._vnet = vnet
 
@@ -33,7 +53,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._cdn_host = self._create_cdn(custom_host=cdn_host)
 
         # PostgreSQL resources
-        self._create_database(ip_prefix=pgsql_ip_prefix)
+        self._create_database(sku=pgsql_sku, ip_prefix=pgsql_ip_prefix)
 
         # Subnet for the apps
         self._app_subnet = self._create_subnet(
@@ -128,7 +148,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             # Return the default CDN host name
             return self._cdn_endpoint.host_name
 
-    def _create_database(self, ip_prefix: str):
+    def _create_database(self, sku: azure.dbforpostgresql.SkuArgs, ip_prefix: str):
         # Create subnet for PostgreSQL
         subnet = self._create_subnet(
             name="pgsql",
@@ -159,15 +179,12 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._pgsql = azure.dbforpostgresql.Server(
             f"pgsql-{self._name}",
             resource_group_name=self._rg,
-            sku=azure.dbforpostgresql.SkuArgs(
-                name="Standard_B2s",
-                tier=azure.dbforpostgresql.SkuTier.BURSTABLE,
-            ),
+            sku=sku,
             version="16",
             auth_config=azure.dbforpostgresql.AuthConfigArgs(
                 password_auth=azure.dbforpostgresql.PasswordAuthEnum.DISABLED,
                 active_directory_auth=azure.dbforpostgresql.ActiveDirectoryAuthEnum.ENABLED,
-                tenant_id=config.require("tenant_id"),
+                tenant_id=self._tenant_id,
             ),
             storage=azure.dbforpostgresql.StorageArgs(storage_size_gb=32),
             network=azure.dbforpostgresql.NetworkArgs(
@@ -243,8 +260,6 @@ class DjangoDeployment(pulumi.ComponentResource):
                     # azure.web.NameValuePairArgs(name="WEBSITE_HTTPLOGGING_RETENTION_DAYS", value="7"),
                     # pgAdmin settings
                     azure.web.NameValuePairArgs(name="PGADMIN_DISABLE_POSTFIX", value="true"),
-                    azure.web.NameValuePairArgs(name="PGADMIN_AUTHENTICATION_SOURCES", value="['oauth2, 'internal']"),
-                    azure.web.NameValuePairArgs(name="PGADMIN_OAUTH2_NAME", value="azure"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_EMAIL", value="dbadmin@dbadmin.net"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_PASSWORD", value="dbadmin"),
                 ],
@@ -331,6 +346,104 @@ class DjangoDeployment(pulumi.ComponentResource):
                 host_name=host,
             )
 
+    def _add_webapp_comms(self, data_location: str, domains: list[str], suffix: str) -> azure.communication.CommunicationService:
+        email_service = azure.communication.EmailService(
+            f"comms-email-{suffix}",
+            resource_group_name=self._rg,
+            location="global",
+            data_location=data_location,
+        )
+
+        domain_resources = []
+        if domains:
+            # Add our own custom domains
+            for domain in domains:
+                safe_host = domain.replace(".", "-")
+                d = azure.communication.Domain(
+                    f"comms-email-domain-{suffix}-{safe_host}",
+                    resource_group_name=self._rg,
+                    location="global",
+                    domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
+                    domain_name=domain,
+                    email_service_name=email_service.name,
+                )
+                domain_resources.append(d.id.apply(lambda n: n))
+        else:
+            # Add an Azure managed domain
+            d = azure.communication.Domain(
+                f"comms-email-domain-{suffix}-azure",
+                resource_group_name=self._rg,
+                location="global",
+                domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
+                domain_name="AzureManagedDomain",
+                email_service_name=email_service.name,
+            )
+            domain_resources.append(d.id.apply(lambda n: n))
+
+        # Create Communication Services and link the domains
+        comm_service = azure.communication.CommunicationService(
+            f"comms-{suffix}",
+            resource_group_name=self._rg,
+            location="global",
+            data_location=data_location,
+            linked_domains=domain_resources,
+        )
+
+        return comm_service
+
+    def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
+        # Create a keyvault
+        vault = azure.keyvault.Vault(
+            f"vault-{suffix}",
+            resource_group_name=self._rg,
+            vault_name=f"vault-{suffix}",
+            properties=azure.keyvault.VaultPropertiesArgs(
+                tenant_id=self._tenant_id,
+                sku=azure.keyvault.SkuArgs(
+                    name=azure.keyvault.SkuName.STANDARD,
+                    family=azure.keyvault.SkuFamily.A,
+                ),
+                enable_rbac_authorization=True,
+            ),
+        )
+
+        # Find the Key Vault Administrator role
+        administrator_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                scope=scope,
+            )
+        )
+
+        # Add vault administrators
+        for a in administrators:
+            azure.authorization.RoleAssignment(
+                f"ra-{suffix}-vault-admin-{a}",
+                principal_id=a,
+                principal_type=azure.authorization.PrincipalType.USER,
+                role_definition_id=administrator_role.id,
+                scope=vault.id,
+            )
+
+        return vault
+
+    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+        secret = self._config.require_secret(config_secret_name)
+
+        # Normalize the secret name
+        secret_name = secret_name.replace("_", "-").lower()
+
+        # Create a secret in the vault
+        return azure.keyvault.Secret(
+            f"secret-{suffix}-{secret_name}",
+            resource_group_name=self._rg,
+            vault_name=vault.name,
+            secret_name=secret_name,
+            properties=azure.keyvault.SecretPropertiesArgs(
+                value=secret,
+            ),
+        )
+
     def _get_storage_account_access_keys(
         self, storage_account: azure.storage.StorageAccount
     ) -> Sequence[azure.storage.outputs.StorageAccountKeyResponse]:
@@ -340,15 +453,23 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param storage_account: The storage account
         :return: The access keys
         """
-
-        keys = azure.storage.list_storage_account_keys(
-            resource_group_name=self._rg,
-            account_name=storage_account.name,
+        keys = pulumi.Output.all(self._rg, storage_account.name).apply(
+            lambda args: azure.storage.list_storage_account_keys(
+                resource_group_name=args[0],
+                account_name=args[1],
+            )
         )
 
         return keys.keys
 
-    def add_database_administrator(self, object_id: str, user_name: str, tenant_id: str):
+    def add_database_administrator(self, object_id: str, user_name: str):
+        """
+        Add an Entra ID as database administrator.
+
+        :param object_id: The object ID of the user
+        :param user_name: The user name (user@example.com)
+        """
+
         azure.dbforpostgresql.Administrator(
             # Must be random but a GUID
             f"pgsql-admin-{user_name.replace('@', '_')}-{self._name}",
@@ -357,7 +478,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             object_id=object_id,
             principal_name=user_name,
             principal_type=azure.dbforpostgresql.PrincipalType.USER,
-            tenant_id=tenant_id,
+            tenant_id=self._tenant_id,
         )
 
     def add_django_website(
@@ -368,7 +489,30 @@ class DjangoDeployment(pulumi.ComponentResource):
         repository_branch: str,
         website_hosts: list[str],
         django_settings_module: str,
-    ):
+        environment_variables: dict[str, str] = {},
+        secrets: dict[str, str] = {},
+        comms_data_location: Optional[str] = None,
+        comms_domains: Optional[list[str]] = [],
+        vault_administrators: Optional[list[str]] = [],
+    ) -> azure.web.WebApp:
+        """
+        Create a Django website with it's own database and storage containers.
+
+        :param name: The reference for the website, will be used to name subresources.
+        :param db_name: The name of the database to create.
+        :param repository_url: The URL of the Git repository.
+        :param repository_branch: The Git branch to deploy.
+        :param website_hosts: The list of custom host names for the website.
+        :param django_settings_module: The Django settings module to load.
+        :param environment_variables: A dictionary of environment variables to set.
+        :param secrets: A dictionary of secrets to store in the Key Vault and assign as environment variables.
+            The key is the name of the Pulumi secret, the value is the name of the environment variable
+            and the name of the secret in the Key Vault.
+        :param comms_data_location: The data location for the Communication Services (optional if you don't need it).
+        :param comms_domains: The list of custom domains for the E-mail Communication Services (optional).
+        :param vault_administrator: The principal ID of the vault administrator (optional).
+        """
+
         # Create a database
         db = azure.dbforpostgresql.Database(
             f"db-{name}",
@@ -395,9 +539,34 @@ class DjangoDeployment(pulumi.ComponentResource):
             container_name=f"{name}-static",
         )
 
+        # Communication Services (optional)
+        if comms_data_location:
+            comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
+            # Add the service endpoint as environment variable
+            environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
+        else:
+            comms = None
+
+        # Key Vault
+        vault = self._add_webapp_vault(vault_administrators, f"{name}-{self._name}")
+
+        # Add secrets
+        for config_name, env_name in secrets.items():
+            s = self._add_webapp_secret(vault, env_name, config_name, f"{name}-{self._name}")
+            environment_variables[f"{env_name}_SECRET_NAME"] = s.name
+
         # Create a Django Secret Key (random)
         secret_key = pulumi_random.RandomString(f"django-secret-{name}-{self._name}", length=50)
 
+        # Convert environment variables to NameValuePairArgs
+        environment_variables = [
+            azure.web.NameValuePairArgs(
+                name=key,
+                value=value,
+            )
+            for key, value in environment_variables.items()
+        ]
+
         app = azure.web.WebApp(
             f"app-{name}-{self._name}",
             resource_group_name=self._rg,
@@ -408,6 +577,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
             https_only=True,
             site_config=azure.web.SiteConfigArgs(
+                app_command_line="cicd/startup.sh",
                 always_on=True,
                 health_check_path=self.HEALTH_CHECK_PATH,
                 ftps_state=azure.web.FtpsState.DISABLED,
@@ -419,12 +589,15 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="SCM_DO_BUILD_DURING_DEPLOYMENT", value="true"),
                     azure.web.NameValuePairArgs(name="PRE_BUILD_COMMAND", value="cicd/pre_build.sh"),
                     azure.web.NameValuePairArgs(name="POST_BUILD_COMMAND", value="cicd/post_build.sh"),
+                    azure.web.NameValuePairArgs(name="DISABLE_COLLECTSTATIC", value="true"),
                     azure.web.NameValuePairArgs(name="HEALTH_CHECK_PATH", value=self.HEALTH_CHECK_PATH),
                     # Django settings
-                    azure.web.NameValuePairArgs(name="DEBUG", value="true"),
+                    # azure.web.NameValuePairArgs(name="DEBUG", value="true"),
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
                     azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    # Vault settings
+                    azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
@@ -435,6 +608,7 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="DB_HOST", value=self._pgsql.fully_qualified_domain_name),
                     azure.web.NameValuePairArgs(name="DB_NAME", value=db.name),
                     azure.web.NameValuePairArgs(name="DB_USER", value=f"{name}_managed_identity"),
+                    *environment_variables,
                 ],
             ),
         )
@@ -468,6 +642,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
         )
 
+        # Find the role for Key Vault Secrets User
+        vault_access_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="4633458b-17de-408a-b874-0445c86b69e6",
+                scope=scope,
+            )
+        )
+
+        # Grant the app access to the vault
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-vault-user",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            # Key Vault Secrets User
+            role_definition_id=vault_access_role.id,
+            scope=vault.id,
+        )
+
         # Find the role for Storage Blob Data Contributor
         storage_role = self._storage_account.id.apply(
             lambda scope: azure.authorization.get_role_definition(
@@ -476,10 +668,55 @@ class DjangoDeployment(pulumi.ComponentResource):
             )
         )
 
+        # Grant the app access to the storage account
         azure.authorization.RoleAssignment(
             f"ra-{name}-storage",
             principal_id=principal_id,
             principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
             role_definition_id=storage_role.id,
             scope=self._storage_account.id,
-        )
+        )
+
+        # Grant the app to send e-mails
+        if comms:
+            comms_role = comms.id.apply(
+                lambda scope: azure.authorization.get_role_definition(
+                    # Contributor
+                    role_definition_id="b24988ac-6180-42a0-ab88-20f7382dd24c",
+                    scope=scope,
+                )
+            )
+
+            azure.authorization.RoleAssignment(
+                f"ra-{name}-comms",
+                principal_id=principal_id,
+                principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+                role_definition_id=comms_role.id,
+                scope=comms.id,
+            )
+
+        # Create a CORS rules for this website
+        if website_hosts:
+            origins = [f"https://{host}" for host in website_hosts]
+        else:
+            origins = ["*"]
+
+        azure.storage.BlobServiceProperties(
+            f"sa-{name}-blob-properties",
+            resource_group_name=self._rg,
+            account_name=self._storage_account.name,
+            blob_services_name="default",
+            cors=azure.storage.CorsRulesArgs(
+                cors_rules=[
+                    azure.storage.CorsRuleArgs(
+                        allowed_headers=["*"],
+                        allowed_methods=["GET", "OPTIONS", "HEAD"],
+                        allowed_origins=origins,
+                        exposed_headers=["Access-Control-Allow-Origin"],
+                        max_age_in_seconds=86400,
+                    )
+                ]
+            ),
+        )
+
+        return app

{pulumi_django_azure-1.0.0.dist-info → pulumi_django_azure-1.0.10.dist-info}/LICENSE

@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

{pulumi_django_azure-1.0.0.dist-info → pulumi_django_azure-1.0.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.0
+Version: 1.0.10
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -24,6 +24,7 @@ License: MIT License
         LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
         OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
         SOFTWARE.
+        
 Project-URL: Homepage, https://gitlab.com/MaartenUreel/pulumi-django-azure
 Keywords: django,pulumi,azure
 Classifier: License :: OSI Approved :: MIT License
@@ -44,9 +45,87 @@ To have a proper and secure environment, we need these components:
 * Storage account for media and static files
 * CDN endpoint in front with a domain name of our choosing
 * PostgreSQL server
+* Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above.
+## Installation
+This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
+
+To use a specific branch in your project, add to pyproject.toml dependencies:
+```
+pulumi-django-azure = { git = "git@gitlab.com:MaartenUreel/pulumi-django-azure.git", branch = "dev" }
+```
+
+A simple project could look like this:
+```python
+import pulumi
+import pulumi_azure_native as azure
+from pulumi_django_azure import DjangoDeployment
+
+stack = pulumi.get_stack()
+config = pulumi.Config()
+
+
+# Create resource group
+rg = azure.resources.ResourceGroup(f"rg-{stack}")
+
+# Create VNet
+vnet = azure.network.VirtualNetwork(
+    f"vnet-{stack}",
+    resource_group_name=rg.name,
+    address_space=azure.network.AddressSpaceArgs(
+        address_prefixes=["10.0.0.0/16"],
+    ),
+)
+
+# Deploy the website and all its components
+django = DjangoDeployment(
+    stack,
+    tenant_id="abc123...",
+    resource_group_name=rg.name,
+    vnet=vnet,
+    pgsql_ip_prefix="10.0.10.0/24",
+    appservice_ip_prefix="10.0.20.0/24",
+    app_service_sku=azure.web.SkuDescriptionArgs(
+        name="B2",
+        tier="Basic",
+    ),
+    storage_account_name="mystorageaccount",
+    cdn_host="cdn.example.com",
+)
+
+django.add_django_website(
+    name="web",
+    db_name="mywebsite",
+    repository_url="git@gitlab.com:project/website.git",
+    repository_branch="main",
+    website_hosts=["example.com", "www.example.com"],
+    django_settings_module="mywebsite.settings.production",
+    comms_data_location="europe",
+    comms_domains=["mydomain.com"],
+)
+
+django.add_database_administrator(
+    object_id="a1b2c3....",
+    user_name="user@example.com",
+    tenant_id="a1b2c3....",
+)
+```
+
 ## Deployment steps
 
 1. Deploy without custom hosts (for CDN and websites)
@@ -57,6 +136,7 @@ To have a proper and secure environment, we need these components:
 6. Re-deploy with custom hosts
 7. Re-deploy once more to enable HTTPS on website domains
 8. Manually activate HTTPS on the CDN host
+9. Go to the e-mail communications service on Azure and configure DKIM, SPF,... for your custom domains.
 
 ## Custom domain name for CDN
 When deploying the first time, you will get a `cdn_cname` output. You need to create a CNAME to this domain before the deployment of the custom domain will succeed.
@@ -109,6 +189,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.
 

pulumi_django_azure-1.0.10.dist-info/RECORD

@@ -0,0 +1,7 @@
+pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
+pulumi_django_azure/django_deployment.py,sha256=SgMLoQ2Jwm8anADzrEjVhtfJVAJrYJYFoaOL9bDZngE,30275
+pulumi_django_azure-1.0.10.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
+pulumi_django_azure-1.0.10.dist-info/METADATA,sha256=rAAqdkW9F0I0OWn7XQA2fHKIpqxmJDQWx39TmH0FEnc,11083
+pulumi_django_azure-1.0.10.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+pulumi_django_azure-1.0.10.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
+pulumi_django_azure-1.0.10.dist-info/RECORD,,

{pulumi_django_azure-1.0.0.dist-info → pulumi_django_azure-1.0.10.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.42.0)
+Generator: bdist_wheel (0.43.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

pulumi_django_azure-1.0.10.dist-info/top_level.txt

@@ -0,0 +1 @@
+pulumi_django_azure

pulumi_django_azure-1.0.0.dist-info/RECORD

@@ -1,7 +0,0 @@
-pulumi-django-azure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-pulumi-django-azure/django_deployment.py,sha256=GaQCEEKN8VSxFl7dmGN7dzCST7RPMkeamPJH3im2Be4,20162
-pulumi_django_azure-1.0.0.dist-info/LICENSE,sha256=z4HD1y8njTvCggIu-d4Nt_Ha_lkNXUqJt1TeFhmQL-Y,1086
-pulumi_django_azure-1.0.0.dist-info/METADATA,sha256=Rt0oQyqTtmou0hL3_zPALHh6enZWERrkz8uklKLPMIA,6206
-pulumi_django_azure-1.0.0.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-pulumi_django_azure-1.0.0.dist-info/top_level.txt,sha256=1VBZjtWWLt9__5oAjjq4zj96rfdE79Kr1ve8F38aVNc,20
-pulumi_django_azure-1.0.0.dist-info/RECORD,,

pulumi_django_azure-1.0.0.dist-info/top_level.txt

@@ -1 +0,0 @@
-pulumi-django-azure