pulumi-django-azure 1.0.10__py3-none-any.whl → 1.0.14__py3-none-any.whl

pulumi_django_azure/__init__.py

@@ -1 +1 @@
-from .django_deployment import DjangoDeployment  # noqa: F401
+from .django_deployment import DjangoDeployment, HostDefinition  # noqa: F401

pulumi_django_azure/django_deployment.py

@@ -1,10 +1,56 @@
-from typing import Optional, Sequence
+from collections.abc import Sequence
+from typing import Optional, Union
 
 import pulumi
 import pulumi_azure_native as azure
 import pulumi_random
 
 
+class HostDefinition:
+    """
+    A definition for a custom host name, optionally with a DNS zone.
+
+    :param host: The host name. If a zone is given, this is the relative host name.
+    :param zone: The DNS zone (optional).
+    :param identifier: An identifier for this host definition (optional).
+    """
+
+    def __init__(self, host: str, zone: Optional[azure.network.Zone] = None, identifier: Optional[str] = None):
+        self.host = host
+        self.zone = zone
+        self._identifier = identifier
+
+    @property
+    def identifier(self) -> str:
+        """
+        The identifier for this host definition.
+
+        :return: The identifier
+        """
+        if not self._identifier:
+            if self.zone:
+                raise ValueError(f"An identifier is required for the HostDefinition with host '{self.host}' ensure uniqueness.")
+            else:
+                # Use the host name as the identifier
+                return self.host.replace(".", "-")
+        else:
+            return self._identifier
+
+    @property
+    def full_host(self) -> pulumi.Output[str]:
+        """
+        The full host name, including the zone.
+
+        :return: The full host name
+        """
+        if not self.zone:
+            return pulumi.Output.concat(self.host)
+        elif self.host == "@":
+            return self.zone.name
+        else:
+            return pulumi.Output.concat(self.host, ".", self.zone.name)
+
+
 class DjangoDeployment(pulumi.ComponentResource):
     HEALTH_CHECK_PATH = "/health-check"
 
@@ -19,7 +65,9 @@ class DjangoDeployment(pulumi.ComponentResource):
         appservice_ip_prefix: str,
         app_service_sku: azure.web.SkuDescriptionArgs,
         storage_account_name: str,
-        cdn_host: Optional[str],
+        pgadmin_access_ip: Optional[Sequence[str]] = None,
+        pgadmin_dns_zone: Optional[azure.network.Zone] = None,
+        cdn_host: Optional[HostDefinition] = None,
         opts=None,
     ):
         """
@@ -34,7 +82,9 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param appservice_ip_prefix: The IP prefix for the app service subnet.
         :param app_service_sku: The SKU for the app service plan.
         :param storage_account_name: The name of the storage account. Should be unique across Azure.
-        :param cdn_host: A custom CDN host name (optional)
+        :param pgadmin_access_ip: The IP addresses to allow access to pgAdmin. If empty, all IP addresses are allowed.
+        :param pgadmin_dns_zone: The Azure DNS zone to a pgadmin DNS record in. (optional)
+        :param cdn_host: A custom CDN host name. (optional)
         :param opts: The resource options
         """
 
@@ -67,7 +117,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._app_service_plan = self._create_app_service_plan(sku=app_service_sku)
 
         # Create a pgAdmin app
-        self._create_pgadmin_app()
+        self._create_pgadmin_app(access_ip=pgadmin_access_ip, dns_zone=pgadmin_dns_zone)
 
     def _create_storage(self, account_name: str):
         # Create blob storage
@@ -85,7 +135,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             enable_https_traffic_only=True,
         )
 
-    def _create_cdn(self, custom_host: Optional[str]) -> pulumi.Output[str]:
+    def _create_cdn(self, custom_host: Optional[HostDefinition]) -> pulumi.Output[str]:
         """
         Create a CDN endpoint. If a host name is given, it will be used as the custom domain.
         Otherwise, the default CDN host name will be returned.
@@ -95,7 +145,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         """
 
         # Put CDN in front
-        cdn = azure.cdn.Profile(
+        self._cdn_profile = azure.cdn.Profile(
             f"cdn-{self._name}",
             resource_group_name=self._rg,
             location="global",
@@ -125,7 +175,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             ],
             is_http_allowed=False,
             is_https_allowed=True,
-            profile_name=cdn.name,
+            profile_name=self._cdn_profile.name,
             origin_host_header=endpoint_origin,
             origins=[azure.cdn.DeepCreatedOriginArgs(name="origin-storage", host_name=endpoint_origin)],
             query_string_caching_behavior=azure.cdn.QueryStringCachingBehavior.IGNORE_QUERY_STRING,
@@ -135,15 +185,41 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         # Add custom domain if given
         if custom_host:
-            azure.cdn.CustomDomain(
-                f"cdn-custom-domain-{self._name}",
-                resource_group_name=self._rg,
-                profile_name=cdn.name,
-                endpoint_name=self._cdn_endpoint.name,
-                host_name=custom_host,
-            )
+            if custom_host.zone:
+                # Create a DNS record for the custom host in the given zone
+                rs = azure.network.RecordSet(
+                    f"cdn-cname-{self._name}",
+                    resource_group_name=self._rg,
+                    zone_name=custom_host.zone.name,
+                    relative_record_set_name=custom_host.host,
+                    record_type="CNAME",
+                    ttl=3600,
+                    target_resource=azure.network.SubResourceArgs(
+                        id=self._cdn_endpoint.id,
+                    ),
+                )
+
+                azure.cdn.CustomDomain(
+                    f"cdn-custom-domain-{self._name}",
+                    resource_group_name=self._rg,
+                    profile_name=self._cdn_profile.name,
+                    endpoint_name=self._cdn_endpoint.name,
+                    host_name=custom_host.full_host,
+                    opts=pulumi.ResourceOptions(depends_on=rs),
+                )
 
-            return custom_host
+                return custom_host.full_host
+            else:
+                # Add custom hostname without a zone
+                azure.cdn.CustomDomain(
+                    f"cdn-custom-domain-{self._name}",
+                    resource_group_name=self._rg,
+                    profile_name=self._cdn_profile.name,
+                    endpoint_name=self._cdn_endpoint.name,
+                    host_name=custom_host.host,
+                )
+
+                return custom_host.host
         else:
             # Return the default CDN host name
             return self._cdn_endpoint.host_name
@@ -200,7 +276,11 @@ class DjangoDeployment(pulumi.ComponentResource):
         pulumi.export("pgsql_host", self._pgsql.fully_qualified_domain_name)
 
     def _create_subnet(
-        self, name, prefix, delegation_service: Optional[str] = None, service_endpoints: Sequence[str] = []
+        self,
+        name,
+        prefix,
+        delegation_service: Optional[str] = None,
+        service_endpoints: Sequence[str] = [],
     ) -> azure.network.Subnet:
         """
         Generic method to create a subnet with a delegation.
@@ -239,7 +319,22 @@ class DjangoDeployment(pulumi.ComponentResource):
             sku=sku,
         )
 
-    def _create_pgadmin_app(self):
+    def _create_pgadmin_app(self, access_ip: Optional[Sequence[str]] = None, dns_zone: Optional[azure.network.Zone] = None):
+        # Determine the IP restrictions
+        ip_restrictions = []
+        default_restriction = azure.web.DefaultAction.ALLOW
+        if access_ip:
+            default_restriction = azure.web.DefaultAction.DENY
+
+            for ip in access_ip:
+                ip_restrictions.append(
+                    azure.web.IpSecurityRestrictionArgs(
+                        action="Allow",
+                        ip_address=ip,
+                        priority=300,
+                    )
+                )
+
         # The app itself
         app = azure.web.WebApp(
             f"app-pgadmin-{self._name}",
@@ -255,7 +350,10 @@ class DjangoDeployment(pulumi.ComponentResource):
                 linux_fx_version="DOCKER|dpage/pgadmin4",
                 health_check_path="/misc/ping",
                 app_settings=[
-                    azure.web.NameValuePairArgs(name="DOCKER_REGISTRY_SERVER_URL", value="https://index.docker.io/v1"),
+                    azure.web.NameValuePairArgs(
+                        name="DOCKER_REGISTRY_SERVER_URL",
+                        value="https://index.docker.io/v1",
+                    ),
                     azure.web.NameValuePairArgs(name="DOCKER_ENABLE_CI", value="true"),
                     # azure.web.NameValuePairArgs(name="WEBSITE_HTTPLOGGING_RETENTION_DAYS", value="7"),
                     # pgAdmin settings
@@ -263,6 +361,9 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_EMAIL", value="dbadmin@dbadmin.net"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_PASSWORD", value="dbadmin"),
                 ],
+                # IP restrictions
+                ip_security_restrictions_default_action=default_restriction,
+                ip_security_restrictions=ip_restrictions,
             ),
         )
 
@@ -274,6 +375,50 @@ class DjangoDeployment(pulumi.ComponentResource):
             share_name="pgadmin",
         )
 
+        if dns_zone:
+            # Create a DNS record for the pgAdmin app
+            cname = azure.network.RecordSet(
+                f"dns-cname-pgadmin-{self._name}",
+                resource_group_name=self._rg,
+                zone_name=dns_zone.name,
+                relative_record_set_name="pgadmin",
+                record_type="CNAME",
+                ttl=3600,
+                cname_record=azure.network.CnameRecordArgs(
+                    cname=app.default_host_name,
+                ),
+            )
+
+            # For the certificate validation to work
+            txt_validation = azure.network.RecordSet(
+                f"dns-txt-pgadmin-{self._name}",
+                resource_group_name=self._rg,
+                zone_name=dns_zone.name,
+                relative_record_set_name="asuid.pgadmin",
+                record_type="TXT",
+                ttl=3600,
+                txt_records=[
+                    azure.network.TxtRecordArgs(
+                        value=[app.custom_domain_verification_id],
+                    )
+                ],
+            )
+
+            # Add custom hostname
+            self._add_webapp_host(
+                app=app,
+                host=dns_zone.name.apply(lambda name: f"pgadmin.{name}"),
+                suffix=self._name,
+                depends_on=[cname, txt_validation],
+                identifier="pgadmin",
+            )
+
+            # Export the custom hostname
+            pulumi.export("pgadmin_url", dns_zone.name.apply(lambda name: f"https://pgadmin.{name}"))
+        else:
+            # Export the default hostname
+            pulumi.export("pgadmin_url", app.default_host_name.apply(lambda host: f"https://{host}"))
+
         # Mount the storage container
         azure.web.WebAppAzureStorageAccounts(
             f"app-pgadmin-mount-{self._name}",
@@ -290,9 +435,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             },
         )
 
-        pulumi.export("pgadmin_url", app.default_host_name.apply(lambda host: f"https://{host}"))
+    def _get_existing_web_app_host_name_binding(self, resource_group_name: str, app_name: str, host_name: str):
+        try:
+            return azure.web.get_web_app_host_name_binding(
+                resource_group_name=resource_group_name,
+                name=app_name,
+                host_name=host_name,
+            )
+        except Exception:
+            return None
 
-    def _add_webapp_host(self, app: azure.web.WebApp, host: str, suffix: str):
+    def _add_webapp_host(
+        self,
+        app: azure.web.WebApp,
+        host: Union[str, pulumi.Input[str]],
+        suffix: str,
+        identifier: str,
+        depends_on: Optional[Sequence[pulumi.Resource]] = None,
+    ):
         """
         Because of a circular dependency, we need to create the certificate and the binding in two steps.
         First we create a binding without a certificate,
@@ -305,48 +465,93 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param app: The web app
         :param host: The host name
         :param suffix: A suffix to make the resource name unique
+        :param depend_on: The resource to depend on (optional)
         """
 
-        safe_host = host.replace(".", "-")
+        if not depends_on:
+            depends_on = []
 
-        try:
-            # Retrieve the existing binding - this will throw an exception if it doesn't exist
-            azure.web.get_web_app_host_name_binding(
-                resource_group_name=app.resource_group,
-                name=app.name,
-                host_name=host,
+        # Retrieve the existing binding (None if it doesn't exist)
+        existing_binding = pulumi.Output.all(app.resource_group, app.name, host).apply(
+            lambda args: self._get_existing_web_app_host_name_binding(
+                resource_group_name=args[0],
+                app_name=args[1],
+                host_name=args[2],
             )
+        )
 
-            # Create a managed certificate
-            # This will work because the binding exists actually
-            certificate = azure.web.Certificate(
-                f"cert-{suffix}-{safe_host}",
-                resource_group_name=self._rg,
-                server_farm_id=app.server_farm_id,
-                canonical_name=host,
-                host_names=[host],
-            )
+        # Create an inline function that we will invoke through the Output.apply lambda
+        def _create_binding_with_cert(existing_binding):
+            if existing_binding:
+                # Create a managed certificate
+                # This will work because the binding exists actually
+                certificate = azure.web.Certificate(
+                    f"cert-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    server_farm_id=app.server_farm_id,
+                    canonical_name=host,
+                    host_names=[host],
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
 
-            # Create a new binding, replacing the old one,
-            # with the certificate
-            azure.web.WebAppHostNameBinding(
-                f"host-binding-{suffix}-{safe_host}",
-                resource_group_name=self._rg,
-                name=app.name,
-                host_name=host,
-                ssl_state=azure.web.SslState.SNI_ENABLED,
-                thumbprint=certificate.thumbprint,
-            )
-        except Exception:
-            # Create a binding without a certificate
-            azure.web.WebAppHostNameBinding(
-                f"host-binding-{suffix}-{safe_host}",
+                # Create a new binding, replacing the old one,
+                # with the certificate
+                azure.web.WebAppHostNameBinding(
+                    f"host-binding-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    name=app.name,
+                    host_name=host,
+                    ssl_state=azure.web.SslState.SNI_ENABLED,
+                    thumbprint=certificate.thumbprint,
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
+
+            else:
+                # Create a binding without a certificate
+                azure.web.WebAppHostNameBinding(
+                    f"host-binding-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    name=app.name,
+                    host_name=host,
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
+
+        existing_binding.apply(_create_binding_with_cert)
+
+    def _create_comms_dns_records(self, suffix, host: HostDefinition, records: dict) -> list[azure.network.RecordSet]:
+        created_records = []
+
+        # Domain validation and SPF record (one TXT record with multiple values)
+        r = azure.network.RecordSet(
+            f"dns-comms-{suffix}-{host.identifier}-domain",
+            resource_group_name=self._rg,
+            zone_name=host.zone.name,
+            relative_record_set_name="@",
+            record_type="TXT",
+            ttl=3600,
+            txt_records=[
+                azure.network.TxtRecordArgs(value=[records["domain"]["value"]]),
+                azure.network.TxtRecordArgs(value=[records["s_pf"]["value"]]),
+            ],
+        )
+        created_records.append(r)
+
+        # DKIM records (two CNAME records)
+        for record in ("d_kim", "d_kim2"):
+            r = azure.network.RecordSet(
+                f"dns-comms-{suffix}-{host.identifier}-{record}",
                 resource_group_name=self._rg,
-                name=app.name,
-                host_name=host,
+                zone_name=host.zone.name,
+                relative_record_set_name=records[record]["name"],
+                record_type="CNAME",
+                ttl=records[record]["ttl"],
+                cname_record=azure.network.CnameRecordArgs(cname=records[record]["value"]),
             )
+            created_records.append(r)
+
+        return created_records
 
-    def _add_webapp_comms(self, data_location: str, domains: list[str], suffix: str) -> azure.communication.CommunicationService:
+    def _add_webapp_comms(self, data_location: str, domains: list[HostDefinition], suffix: str) -> azure.communication.CommunicationService:
         email_service = azure.communication.EmailService(
             f"comms-email-{suffix}",
             resource_group_name=self._rg,
@@ -355,30 +560,37 @@ class DjangoDeployment(pulumi.ComponentResource):
         )
 
         domain_resources = []
-        if domains:
-            # Add our own custom domains
-            for domain in domains:
-                safe_host = domain.replace(".", "-")
-                d = azure.communication.Domain(
-                    f"comms-email-domain-{suffix}-{safe_host}",
-                    resource_group_name=self._rg,
-                    location="global",
-                    domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
-                    domain_name=domain,
-                    email_service_name=email_service.name,
-                )
-                domain_resources.append(d.id.apply(lambda n: n))
-        else:
-            # Add an Azure managed domain
+        comm_dependencies = []
+
+        # Add our own custom domains
+        for domain in domains:
             d = azure.communication.Domain(
-                f"comms-email-domain-{suffix}-azure",
+                f"comms-email-domain-{suffix}-{domain.identifier}",
                 resource_group_name=self._rg,
                 location="global",
-                domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
-                domain_name="AzureManagedDomain",
+                domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
+                domain_name=domain.full_host,
                 email_service_name=email_service.name,
             )
-            domain_resources.append(d.id.apply(lambda n: n))
+
+            if domain.zone:
+                # Create DNS records in the managed zone
+                comm_dependencies = pulumi.Output.all(suffix, domain, d.verification_records).apply(
+                    lambda args: self._create_comms_dns_records(suffix=args[0], host=args[1], records=args[2])
+                )
+
+            domain_resources.append(d.id)
+
+        # Add an Azure managed domain
+        d = azure.communication.Domain(
+            f"comms-email-domain-{suffix}-azure",
+            resource_group_name=self._rg,
+            location="global",
+            domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
+            domain_name="AzureManagedDomain",
+            email_service_name=email_service.name,
+        )
+        domain_resources.append(d.id)
 
         # Create Communication Services and link the domains
         comm_service = azure.communication.CommunicationService(
@@ -387,16 +599,25 @@ class DjangoDeployment(pulumi.ComponentResource):
             location="global",
             data_location=data_location,
             linked_domains=domain_resources,
+            opts=pulumi.ResourceOptions(depends_on=comm_dependencies),
         )
 
         return comm_service
 
     def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
-        # Create a keyvault
+        # Create a keyvault with a random suffix to make the name unique
+        random_suffix = pulumi_random.RandomString(
+            f"vault-suffix-{suffix}",
+            # Total length is 24, so deduct the length of the suffix
+            length=(24 - 7 - len(suffix)),
+            special=False,
+            upper=False,
+        )
+
         vault = azure.keyvault.Vault(
             f"vault-{suffix}",
             resource_group_name=self._rg,
-            vault_name=f"vault-{suffix}",
+            vault_name=random_suffix.result.apply(lambda r: f"vault-{suffix}-{r}"),
             properties=azure.keyvault.VaultPropertiesArgs(
                 tenant_id=self._tenant_id,
                 sku=azure.keyvault.SkuArgs(
@@ -407,27 +628,35 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
         )
 
-        # Find the Key Vault Administrator role
-        administrator_role = vault.id.apply(
-            lambda scope: azure.authorization.get_role_definition(
-                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
-                scope=scope,
-            )
-        )
-
         # Add vault administrators
-        for a in administrators:
-            azure.authorization.RoleAssignment(
-                f"ra-{suffix}-vault-admin-{a}",
-                principal_id=a,
-                principal_type=azure.authorization.PrincipalType.USER,
-                role_definition_id=administrator_role.id,
-                scope=vault.id,
+        if administrators:
+            # Find the Key Vault Administrator role
+            administrator_role = vault.id.apply(
+                lambda scope: azure.authorization.get_role_definition(
+                    role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                    scope=scope,
+                )
             )
 
+            # Actual administrator roles
+            for a in administrators:
+                azure.authorization.RoleAssignment(
+                    f"ra-{suffix}-vault-admin-{a}",
+                    principal_id=a,
+                    principal_type=azure.authorization.PrincipalType.USER,
+                    role_definition_id=administrator_role.id,
+                    scope=vault.id,
+                )
+
         return vault
 
-    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+    def _add_webapp_secret(
+        self,
+        vault: azure.keyvault.Vault,
+        secret_name: str,
+        config_secret_name: str,
+        suffix: str,
+    ):
         secret = self._config.require_secret(config_secret_name)
 
         # Normalize the secret name
@@ -487,13 +716,13 @@ class DjangoDeployment(pulumi.ComponentResource):
         db_name: str,
         repository_url: str,
         repository_branch: str,
-        website_hosts: list[str],
+        website_hosts: list[HostDefinition],
         django_settings_module: str,
-        environment_variables: dict[str, str] = {},
-        secrets: dict[str, str] = {},
+        environment_variables: Optional[dict[str, str]] = None,
+        secrets: Optional[dict[str, str]] = None,
         comms_data_location: Optional[str] = None,
-        comms_domains: Optional[list[str]] = [],
-        vault_administrators: Optional[list[str]] = [],
+        comms_domains: Optional[list[HostDefinition]] = None,
+        vault_administrators: Optional[list[str]] = None,
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -541,7 +770,11 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         # Communication Services (optional)
         if comms_data_location:
+            if not comms_domains:
+                comms_domains = []
+
             comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
+
             # Add the service endpoint as environment variable
             environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
         else:
@@ -567,6 +800,8 @@ class DjangoDeployment(pulumi.ComponentResource):
             for key, value in environment_variables.items()
         ]
 
+        allowed_hosts = pulumi.Output.concat(*[pulumi.Output.concat(host.full_host, ",") for host in website_hosts])
+
         app = azure.web.WebApp(
             f"app-{name}-{self._name}",
             resource_group_name=self._rg,
@@ -595,15 +830,23 @@ class DjangoDeployment(pulumi.ComponentResource):
                     # azure.web.NameValuePairArgs(name="DEBUG", value="true"),
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
-                    azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=allowed_hosts),
                     # Vault settings
                     azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
-                    azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
-                    azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
+                    azure.web.NameValuePairArgs(
+                        name="AZURE_STORAGE_ACCOUNT_NAME",
+                        value=self._storage_account.name,
+                    ),
+                    azure.web.NameValuePairArgs(
+                        name="AZURE_STORAGE_CONTAINER_STATICFILES",
+                        value=static_container.name,
+                    ),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_MEDIA", value=media_container.name),
                     # CDN
                     azure.web.NameValuePairArgs(name="CDN_HOST", value=self._cdn_host),
+                    azure.web.NameValuePairArgs(name="CDN_PROFILE", value=self._cdn_profile.name),
+                    azure.web.NameValuePairArgs(name="CDN_ENDPOINT", value=self._cdn_endpoint.name),
                     # Database settings
                     azure.web.NameValuePairArgs(name="DB_HOST", value=self._pgsql.fully_qualified_domain_name),
                     azure.web.NameValuePairArgs(name="DB_NAME", value=db.name),
@@ -621,9 +864,85 @@ class DjangoDeployment(pulumi.ComponentResource):
         # We need this to verify custom domains
         pulumi.export(f"{name}_site_domain_verification_id", app.custom_domain_verification_id)
         pulumi.export(f"{name}_site_domain_cname", app.default_host_name)
+        virtual_ip = app.outbound_ip_addresses.apply(lambda addresses: addresses.split(",")[-1])
+        pulumi.export(f"{name}_site_virtual_ip", virtual_ip)
+
+        # Get the URL of the publish profile.
+        # Use app.identity here too to ensure the app is actually created before getting credentials.
+        credentials = pulumi.Output.all(self._rg, app.name, app.identity).apply(
+            lambda args: azure.web.list_web_app_publishing_credentials(
+                resource_group_name=args[0],
+                name=args[1],
+            )
+        )
+
+        pulumi.export(f"{name}_deploy_url", pulumi.Output.concat(credentials.scm_uri, "/deploy"))
 
         for host in website_hosts:
-            self._add_webapp_host(app=app, host=host, suffix=f"{name}-{self._name}")
+            dependencies = []
+
+            if host.zone:
+                # Create a DNS record in the zone
+
+                if host.host == "@":
+                    # Create a A record for the virtual IP address
+                    a = azure.network.RecordSet(
+                        f"dns-a-{name}-{self._name}-{host.identifier}",
+                        resource_group_name=self._rg,
+                        zone_name=host.zone.name,
+                        relative_record_set_name=host.host,
+                        record_type="A",
+                        ttl=3600,
+                        a_records=[
+                            azure.network.ARecordArgs(
+                                ipv4_address=virtual_ip,
+                            )
+                        ],
+                    )
+
+                    dependencies.append(a)
+                else:
+                    # Create a CNAME record for the custom hostname
+                    cname = azure.network.RecordSet(
+                        f"dns-cname-{name}-{self._name}-{host.identifier}",
+                        resource_group_name=self._rg,
+                        zone_name=host.zone.name,
+                        relative_record_set_name=host.host,
+                        record_type="CNAME",
+                        ttl=3600,
+                        cname_record=azure.network.CnameRecordArgs(
+                            cname=app.default_host_name,
+                        ),
+                    )
+                    dependencies.append(cname)
+
+                # For the certificate validation to work
+                relative_record_set_name = "asuid" if host.host == "@" else pulumi.Output.concat("asuid.", host.host)
+
+                txt_validation = azure.network.RecordSet(
+                    f"dns-txt-{name}-{self._name}-{host.identifier}",
+                    resource_group_name=self._rg,
+                    zone_name=host.zone.name,
+                    relative_record_set_name=relative_record_set_name,
+                    record_type="TXT",
+                    ttl=3600,
+                    txt_records=[
+                        azure.network.TxtRecordArgs(
+                            value=[app.custom_domain_verification_id],
+                        )
+                    ],
+                )
+
+                dependencies.append(txt_validation)
+
+            # Add the host with optional dependencies
+            self._add_webapp_host(
+                app=app,
+                host=host.full_host,
+                suffix=f"{name}-{self._name}",
+                identifier=host.identifier,
+                depends_on=dependencies,
+            )
 
         # To enable deployment from GitLab
         azure.web.WebAppSourceControl(
@@ -639,7 +958,8 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         # Where we can retrieve the SSH key
         pulumi.export(
-            f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
+            f"{name}_deploy_ssh_key_url",
+            app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1"),
         )
 
         # Find the role for Key Vault Secrets User
@@ -695,11 +1015,24 @@ class DjangoDeployment(pulumi.ComponentResource):
                 scope=comms.id,
             )
 
+        # Grant the app to purge the CDN endpoint
+        cdn_role = self._cdn_endpoint.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
+                scope=scope,
+            )
+        )
+
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-cdn",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            role_definition_id=cdn_role.id,
+            scope=self._cdn_endpoint.id,
+        )
+
         # Create a CORS rules for this website
-        if website_hosts:
-            origins = [f"https://{host}" for host in website_hosts]
-        else:
-            origins = ["*"]
+        origins = [pulumi.Output.concat("https://", host.full_host) for host in website_hosts] if website_hosts else ["*"]
 
         azure.storage.BlobServiceProperties(
             f"sa-{name}-blob-properties",
@@ -720,3 +1053,12 @@ class DjangoDeployment(pulumi.ComponentResource):
         )
 
         return app
+
+    def _strip_off_dns_zone_name(self, host: str, zone: azure.network.Zone) -> pulumi.Output[str]:
+        """
+        Strip off the DNS zone name from the host name.
+
+        :param host: The host name
+        :return: The host name without the DNS zone
+        """
+        return zone.name.apply(lambda name: host[: -len(name) - 1])

{pulumi_django_azure-1.0.10.dist-info → pulumi_django_azure-1.0.14.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.10
+Version: 1.0.14
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -33,9 +33,9 @@ Classifier: Programming Language :: Python :: 3
 Requires-Python: >=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
-Requires-Dist: pulumi >=3.99.0
-Requires-Dist: pulumi-azure-native >=2.24.0
-Requires-Dist: pulumi-random >=4.14.0
+Requires-Dist: pulumi>=3.99.0
+Requires-Dist: pulumi-azure-native>=2.24.0
+Requires-Dist: pulumi-random>=4.14.0
 
 # Pulumi Django Deployment
 
@@ -59,9 +59,10 @@ Your Django project should contain a folder `cicd` with these files:
   ```bash
   python manage.py migrate
   python manage.py collectstatic --noinput
+  python manage.py purge_cdn
   gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
   ```
-  Be sure to change `yourapplication` in the above.
+  Be sure to change `yourapplication` in the above. To see the `purge_cdn` management command we use here, see below.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -256,6 +257,82 @@ Be sure to configure the SSH key that Azure will use on GitLab side. You can obt
 
 This would then trigger a redeploy everytime you make a commit to your live branch.
 
+## CDN Purging
+We added a management command to Django to purge the CDN cache, and added that to the startup script. Our version is here:
+```python
+import os
+
+from azure.mgmt.cdn import CdnManagementClient
+from azure.mgmt.cdn.models import PurgeParameters
+from django.core.management.base import BaseCommand
+
+from core.azure_helper import AZURE_CREDENTIAL, get_subscription_id
+
+
+class Command(BaseCommand):
+    help = "Purges the CDN endpoint"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--wait",
+            action="store_true",
+            help="Wait for the purge operation to complete",
+        )
+
+    def handle(self, *args, **options):
+        # Read environment variables
+        resource_group = os.getenv("WEBSITE_RESOURCE_GROUP")
+        profile_name = os.getenv("CDN_PROFILE")
+        endpoint_name = os.getenv("CDN_ENDPOINT")
+        content_paths = ["/*"]
+
+        # Ensure all required environment variables are set
+        if not all([resource_group, profile_name, endpoint_name]):
+            self.stderr.write(self.style.ERROR("Missing required environment variables."))
+            return
+
+        # Authenticate with Azure
+        cdn_client = CdnManagementClient(AZURE_CREDENTIAL, get_subscription_id())
+
+        try:
+            # Purge the CDN endpoint
+            purge_operation = cdn_client.endpoints.begin_purge_content(
+                resource_group_name=resource_group,
+                profile_name=profile_name,
+                endpoint_name=endpoint_name,
+                content_file_paths=PurgeParameters(content_paths=content_paths),
+            )
+
+            # Check if the --wait argument was provided
+            if options["wait"]:
+                purge_operation.result()  # Wait for the operation to complete
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation completed successfully."))
+            else:
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation started successfully."))
+
+        except Exception as e:
+            self.stderr.write(self.style.ERROR(f"Error executing CDN endpoint purge command: {e}"))
+```
+
+And our azure_helper:
+```python
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource import SubscriptionClient
+
+# Azure credentials
+AZURE_CREDENTIAL = DefaultAzureCredential()
+
+
+def get_db_password() -> str:
+    return AZURE_CREDENTIAL.get_token("https://ossrdbms-aad.database.windows.net/.default").token
+
+
+def get_subscription_id() -> str:
+    subscription_client = SubscriptionClient(AZURE_CREDENTIAL)
+    subscriptions = list(subscription_client.subscriptions.list())
+    return subscriptions[0].subscription_id
+```
+
 ## Change requests
 I created this for internal use but since it took me a while to puzzle all the things together I decided to share it.
 Therefore this project is not super generic, but tailored to my needs. I am however open to pull or change requests to improve this project or to make it more usable for others.

pulumi_django_azure-1.0.14.dist-info/RECORD

@@ -0,0 +1,7 @@
+pulumi_django_azure/__init__.py,sha256=5RY9reSVNw-HULrOXfhcq3cyPne-94ojFmeV1m6kIVg,79
+pulumi_django_azure/django_deployment.py,sha256=BWw8GVSsjPLIu2ud09KJGr4D-G7VuJNnJey4nBTCEHI,44199
+pulumi_django_azure-1.0.14.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
+pulumi_django_azure-1.0.14.dist-info/METADATA,sha256=4po_NMDQbKi7lopg17jjZ1LrLM4Ojoy7yiF7NdIibAs,13954
+pulumi_django_azure-1.0.14.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+pulumi_django_azure-1.0.14.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
+pulumi_django_azure-1.0.14.dist-info/RECORD,,

{pulumi_django_azure-1.0.10.dist-info → pulumi_django_azure-1.0.14.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.43.0)
+Generator: setuptools (75.1.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

pulumi_django_azure-1.0.10.dist-info/RECORD

@@ -1,7 +0,0 @@
-pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
-pulumi_django_azure/django_deployment.py,sha256=SgMLoQ2Jwm8anADzrEjVhtfJVAJrYJYFoaOL9bDZngE,30275
-pulumi_django_azure-1.0.10.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
-pulumi_django_azure-1.0.10.dist-info/METADATA,sha256=rAAqdkW9F0I0OWn7XQA2fHKIpqxmJDQWx39TmH0FEnc,11083
-pulumi_django_azure-1.0.10.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-pulumi_django_azure-1.0.10.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
-pulumi_django_azure-1.0.10.dist-info/RECORD,,