pulumi-django-azure 1.0.28__py3-none-any.whl → 1.0.59__py3-none-any.whl

pulumi_django_azure/django_deployment.py

@@ -1,9 +1,12 @@
 from collections.abc import Sequence
 
 import pulumi
+import pulumi_azure as azure_classic
 import pulumi_azure_native as azure
 import pulumi_random
 
+REDIS_IMAGE = "mcr.microsoft.com/mirror/docker/library/redis:7.2"
+
 
 class HostDefinition:
     """
@@ -68,11 +71,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         app_service_sku: azure.web.SkuDescriptionArgs,
         storage_account_name: str,
         storage_allowed_origins: Sequence[str] | None = None,
+        pgsql_version: str = "17",
         pgsql_parameters: dict[str, str] | None = None,
         pgadmin_access_ip: Sequence[str] | None = None,
         pgadmin_dns_zone: azure.dns.Zone | None = None,
-        cache_ip_prefix: str | None = None,
-        cache_sku: azure.redis.SkuArgs | None = None,
         cdn_host: HostDefinition | None = None,
         opts=None,
     ):
@@ -92,8 +94,6 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param pgsql_parameters: The parameters to set on the PostgreSQL server. (optional)
         :param pgadmin_access_ip: The IP addresses to allow access to pgAdmin. If empty, all IP addresses are allowed.
         :param pgadmin_dns_zone: The Azure DNS zone to a pgadmin DNS record in. (optional)
-        :param cache_ip_prefix: The IP prefix for the cache subnet. (optional)
-        :param cache_sku: The SKU for the cache. (optional)
         :param cdn_host: A custom CDN host name. (optional)
         :param opts: The resource options
         """
@@ -113,13 +113,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._cdn_host = self._create_cdn(custom_host=cdn_host)
 
         # PostgreSQL resources
-        self._create_database(sku=pgsql_sku, ip_prefix=pgsql_ip_prefix, parameters=pgsql_parameters)
-
-        # Cache resources
-        if cache_ip_prefix and cache_sku:
-            self._create_cache(sku=cache_sku, ip_prefix=cache_ip_prefix)
-        else:
-            self._cache = None
+        self._create_database(sku=pgsql_sku, version=pgsql_version, ip_prefix=pgsql_ip_prefix, parameters=pgsql_parameters)
 
         # Subnet for the apps
         self._app_subnet = self._create_subnet(
@@ -185,7 +179,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             resource_group_name=self._rg,
             location="global",
             sku=azure.cdn.SkuArgs(
-                name=azure.cdn.SkuName.STANDARD_MICROSOFT,
+                name=azure.cdn.SkuName.STANDARD_AZURE_FRONT_DOOR,
             ),
         )
 
@@ -193,73 +187,86 @@ class DjangoDeployment(pulumi.ComponentResource):
             lambda primary_endpoints: primary_endpoints.blob.replace("https://", "").replace("/", "")
         )
 
-        self._cdn_endpoint = azure.cdn.Endpoint(
+        self._cdn_endpoint = azure.cdn.AFDEndpoint(
             f"cdn-endpoint-{self._name}",
             resource_group_name=self._rg,
             location="global",
-            is_compression_enabled=True,
-            content_types_to_compress=[
-                "application/javascript",
-                "application/json",
-                "application/x-javascript",
-                "application/xml",
-                "text/css",
-                "text/html",
-                "text/javascript",
-                "text/plain",
-            ],
-            is_http_allowed=False,
-            is_https_allowed=True,
             profile_name=self._cdn_profile.name,
-            origin_host_header=endpoint_origin,
-            origins=[azure.cdn.DeepCreatedOriginArgs(name="origin-storage", host_name=endpoint_origin)],
-            query_string_caching_behavior=azure.cdn.QueryStringCachingBehavior.USE_QUERY_STRING,
         )
 
-        pulumi.export("cdn_cname", self._cdn_endpoint.host_name)
+        origin_group = azure.cdn.AFDOriginGroup(
+            f"cdn-origin-group-{self._name}",
+            resource_group_name=self._rg,
+            profile_name=self._cdn_profile.name,
+            load_balancing_settings=azure.cdn.LoadBalancingSettingsParametersArgs(
+                sample_size=4, successful_samples_required=3, additional_latency_in_milliseconds=50
+            ),
+        )
+
+        azure.cdn.AFDOrigin(
+            f"cdn-origin-{self._name}",
+            resource_group_name=self._rg,
+            profile_name=self._cdn_profile.name,
+            origin_group_name=origin_group.name,
+            host_name=endpoint_origin,
+            origin_host_header=endpoint_origin,
+        )
 
-        # Add custom domain if given
         if custom_host:
-            if custom_host.zone:
-                # Create a DNS record for the custom host in the given zone
-                rs = azure.dns.RecordSet(
-                    f"cdn-cname-{self._name}",
-                    resource_group_name=self._rg,
-                    zone_name=custom_host.zone.name,
-                    relative_record_set_name=custom_host.host,
-                    record_type="CNAME",
-                    ttl=3600,
-                    target_resource=azure.dns.SubResourceArgs(
-                        id=self._cdn_endpoint.id,
-                    ),
-                )
+            # Add custom hostname
+            custom_domain = azure.cdn.AFDCustomDomain(
+                f"cdn-custom-domain-{self._name}",
+                resource_group_name=self._rg,
+                profile_name=self._cdn_profile.name,
+                host_name=custom_host.host,
+            )
+            custom_domains = [azure.cdn.ResourceReferenceArgs(id=custom_domain.id)]
 
-                azure.cdn.CustomDomain(
-                    f"cdn-custom-domain-{self._name}",
-                    resource_group_name=self._rg,
-                    profile_name=self._cdn_profile.name,
-                    endpoint_name=self._cdn_endpoint.name,
-                    host_name=custom_host.full_host,
-                    opts=pulumi.ResourceOptions(depends_on=rs),
-                )
+            # Export the TXT validation records needed
+            pulumi.export("cdn_validation_record_txt_name", f"_dnsauth.{custom_host.host}")
+            pulumi.export(
+                "cdn_validation_record_txt_value", custom_domain.validation_properties.apply(lambda properties: properties.validation_token)
+            )
+        else:
+            custom_domains = None
 
-                return custom_host.full_host
-            else:
-                # Add custom hostname without a zone
-                azure.cdn.CustomDomain(
-                    f"cdn-custom-domain-{self._name}",
-                    resource_group_name=self._rg,
-                    profile_name=self._cdn_profile.name,
-                    endpoint_name=self._cdn_endpoint.name,
-                    host_name=custom_host.host,
-                )
+        azure.cdn.Route(
+            f"cdn-route-{self._name}",
+            resource_group_name=self._rg,
+            profile_name=self._cdn_profile.name,
+            endpoint_name=self._cdn_endpoint.name,
+            origin_group=azure.cdn.ResourceReferenceArgs(id=origin_group.id),
+            link_to_default_domain=azure.cdn.LinkToDefaultDomain.ENABLED,
+            custom_domains=custom_domains,
+            cache_configuration=azure.cdn.AfdRouteCacheConfigurationArgs(
+                compression_settings=azure.cdn.CompressionSettingsArgs(
+                    content_types_to_compress=[
+                        "application/javascript",
+                        "application/json",
+                        "application/x-javascript",
+                        "application/xml",
+                        "text/css",
+                        "text/html",
+                        "text/javascript",
+                        "text/plain",
+                    ],
+                    is_compression_enabled=True,
+                ),
+                query_string_caching_behavior=azure.cdn.AfdQueryStringCachingBehavior.USE_QUERY_STRING,
+            ),
+            supported_protocols=[azure.cdn.AFDEndpointProtocols.HTTP, azure.cdn.AFDEndpointProtocols.HTTPS],
+            https_redirect=azure.cdn.HttpsRedirect.ENABLED,
+            opts=pulumi.ResourceOptions(depends_on=[origin_group]),
+        )
+
+        pulumi.export("cdn_cname", self._cdn_endpoint.host_name)
 
-                return custom_host.host
+        if custom_host:
+            return custom_domain.host_name
         else:
-            # Return the default CDN host name
             return self._cdn_endpoint.host_name
 
-    def _create_database(self, sku: azure.dbforpostgresql.SkuArgs, ip_prefix: str, parameters: dict[str, str]):
+    def _create_database(self, sku: azure.dbforpostgresql.SkuArgs, version: str, ip_prefix: str, parameters: dict[str, str]):
         # Create subnet for PostgreSQL
         subnet = self._create_subnet(
             name="pgsql",
@@ -291,13 +298,16 @@ class DjangoDeployment(pulumi.ComponentResource):
             f"pgsql-{self._name}",
             resource_group_name=self._rg,
             sku=sku,
-            version="16",
+            version=version,
             auth_config=azure.dbforpostgresql.AuthConfigArgs(
                 password_auth=azure.dbforpostgresql.PasswordAuthEnum.DISABLED,
                 active_directory_auth=azure.dbforpostgresql.ActiveDirectoryAuthEnum.ENABLED,
                 tenant_id=self._tenant_id,
             ),
-            storage=azure.dbforpostgresql.StorageArgs(storage_size_gb=32),
+            storage=azure.dbforpostgresql.StorageArgs(
+                storage_size_gb=32,
+                auto_grow=azure.dbforpostgresql.StorageAutoGrow.ENABLED,
+            ),
             network=azure.dbforpostgresql.NetworkArgs(
                 delegated_subnet_resource_id=subnet.id,
                 private_dns_zone_arm_resource_id=dns.id,
@@ -322,85 +332,6 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         pulumi.export("pgsql_host", self._pgsql.fully_qualified_domain_name)
 
-    def _create_cache(self, sku: azure.redis.SkuArgs, ip_prefix: str):
-        # Create a Redis cache
-        self._cache = azure.redis.Redis(
-            f"cache-{self._name}",
-            resource_group_name=self._rg,
-            sku=sku,
-            enable_non_ssl_port=False,
-            public_network_access=azure.redis.PublicNetworkAccess.DISABLED,
-        )
-
-        # Create an access policy that gives us access to the cache
-        self._cache_access_policy = azure.redis.AccessPolicy(
-            f"cache-access-policy-{self._name}",
-            resource_group_name=self._rg,
-            cache_name=self._cache.name,
-            # Same as the built in Data Contributor policy + flushdb permissions
-            permissions="+@all -@dangerous +flushdb +cluster|info +cluster|nodes +cluster|slots allkeys",
-        )
-
-        # Allocate a subnet for the cache
-        subnet = self._create_subnet(
-            name="cache",
-            prefix=ip_prefix,
-        )
-
-        # Create a private DNS zone for the cache
-        dns = azure.privatedns.PrivateZone(
-            f"dns-cache-{self._name}",
-            resource_group_name=self._rg,
-            location="global",
-            private_zone_name="privatelink.redis.cache.windows.net",
-        )
-
-        # Link the private DNS zone to the VNet in order to make resolving work
-        azure.privatedns.VirtualNetworkLink(
-            f"vnet-link-cache-{self._name}",
-            resource_group_name=self._rg,
-            location="global",
-            private_zone_name=dns.name,
-            virtual_network=azure.network.SubResourceArgs(id=self._vnet.id),
-            registration_enabled=True,
-        )
-
-        # Create a private endpoint for the cache
-        endpoint = azure.network.PrivateEndpoint(
-            f"private-endpoint-cache-{self._name}",
-            resource_group_name=self._rg,
-            subnet=azure.network.SubnetArgs(id=subnet.id),
-            custom_network_interface_name=f"nic-cache-{self._name}",
-            private_link_service_connections=[
-                azure.network.PrivateLinkServiceConnectionArgs(
-                    name=f"pls-cache-{self._name}",
-                    private_link_service_id=self._cache.id,
-                    group_ids=["redisCache"],
-                )
-            ],
-        )
-
-        # Get the private IP address of the endpoint NIC
-        ip = endpoint.network_interfaces.apply(
-            lambda nics: azure.network.get_network_interface(
-                network_interface_name=nics[0].id.split("/")[-1],
-                resource_group_name=self._rg,
-            )
-            .ip_configurations[0]
-            .private_ip_address
-        )
-
-        # Create a DNS record for the cache
-        azure.privatedns.PrivateRecordSet(
-            f"dns-a-cache-{self._name}",
-            resource_group_name=self._rg,
-            private_zone_name=dns.name,
-            relative_record_set_name=self._cache.name,
-            record_type="A",
-            ttl=300,
-            a_records=[azure.privatedns.ARecordArgs(ipv4_address=ip)],
-        )
-
     def _create_subnet(
         self,
         name,
@@ -562,16 +493,6 @@ class DjangoDeployment(pulumi.ComponentResource):
             },
         )
 
-    def _get_existing_web_app_host_name_binding(self, resource_group_name: str, app_name: str, host_name: str):
-        try:
-            return azure.web.get_web_app_host_name_binding(
-                resource_group_name=resource_group_name,
-                name=app_name,
-                host_name=host_name,
-            )
-        except Exception:
-            return None
-
     def _add_webapp_host(
         self,
         app: azure.web.WebApp,
@@ -579,13 +500,9 @@ class DjangoDeployment(pulumi.ComponentResource):
         suffix: str,
         identifier: str,
         depends_on: Sequence[pulumi.Resource] | None = None,
-    ):
+    ) -> azure.web.WebAppHostNameBinding:
         """
-        Because of a circular dependency, we need to create the certificate and the binding in two steps.
-        First we create a binding without a certificate,
-        then we create the certificate and then we update the binding.
-
-        The certificate needs the binding, and the binding needs the thumbprint of the certificate.
+        We need to use a few steps and CertificateBinding from Azure Classic to make this work.
 
         See also: https://github.com/pulumi/pulumi-azure-native/issues/578
 
@@ -598,52 +515,37 @@ class DjangoDeployment(pulumi.ComponentResource):
         if not depends_on:
             depends_on = []
 
-        # Retrieve the existing binding (None if it doesn't exist)
-        existing_binding = pulumi.Output.all(app.resource_group, app.name, host).apply(
-            lambda args: self._get_existing_web_app_host_name_binding(
-                resource_group_name=args[0],
-                app_name=args[1],
-                host_name=args[2],
-            )
+        # Create a binding without a certificate
+        binding = azure.web.WebAppHostNameBinding(
+            f"host-binding-{suffix}-{identifier}",
+            resource_group_name=self._rg,
+            name=app.name,
+            host_name=host,
+            ssl_state=azure.web.SslState.DISABLED,
+            # Ignore changes in SSL state and thumbprint
+            opts=pulumi.ResourceOptions(depends_on=depends_on, ignore_changes=["ssl_state", "thumbprint"]),
         )
 
-        # Create an inline function that we will invoke through the Output.apply lambda
-        def _create_binding_with_cert(existing_binding):
-            if existing_binding:
-                # Create a managed certificate
-                # This will work because the binding exists actually
-                certificate = azure.web.Certificate(
-                    f"cert-{suffix}-{identifier}",
-                    resource_group_name=self._rg,
-                    server_farm_id=app.server_farm_id,
-                    canonical_name=host,
-                    host_names=[host],
-                    opts=pulumi.ResourceOptions(depends_on=depends_on),
-                )
-
-                # Create a new binding, replacing the old one,
-                # with the certificate
-                azure.web.WebAppHostNameBinding(
-                    f"host-binding-{suffix}-{identifier}",
-                    resource_group_name=self._rg,
-                    name=app.name,
-                    host_name=host,
-                    ssl_state=azure.web.SslState.SNI_ENABLED,
-                    thumbprint=certificate.thumbprint,
-                    opts=pulumi.ResourceOptions(depends_on=depends_on),
-                )
+        # Create a certificate that depends on the binding
+        certificate = azure.web.Certificate(
+            f"cert-{suffix}-{identifier}",
+            resource_group_name=self._rg,
+            server_farm_id=app.server_farm_id,
+            canonical_name=host,
+            opts=pulumi.ResourceOptions(depends_on=[binding] + depends_on),
+        )
 
-            else:
-                # Create a binding without a certificate
-                azure.web.WebAppHostNameBinding(
-                    f"host-binding-{suffix}-{identifier}",
-                    resource_group_name=self._rg,
-                    name=app.name,
-                    host_name=host,
-                    opts=pulumi.ResourceOptions(depends_on=depends_on),
-                )
+        # Create CertificateBinding from Azure Classic to link it together
+        # Inspired by https://github.com/pulumi/pulumi-azure-native/issues/578#issuecomment-2705952672
+        azure_classic.appservice.CertificateBinding(
+            f"cert-binding-{suffix}-{identifier}",
+            hostname_binding_id=binding.id,
+            certificate_id=certificate.id,
+            ssl_state="SniEnabled",
+            opts=pulumi.ResourceOptions(depends_on=depends_on, ignore_changes=["hostname_binding_id"]),
+        )
 
-        existing_binding.apply(_create_binding_with_cert)
+        return binding
 
     def _create_comms_dns_records(self, suffix, host: HostDefinition, records: dict) -> list[azure.dns.RecordSet]:
         created_records = []
@@ -850,15 +752,17 @@ class DjangoDeployment(pulumi.ComponentResource):
         repository_branch: str,
         website_hosts: list[HostDefinition],
         django_settings_module: str,
-        python_version: str = "3.13",
+        python_version: str = "3.14",
         environment_variables: dict[str, str] | None = None,
         secrets: dict[str, str] | None = None,
         comms_data_location: str | None = None,
         comms_domains: list[HostDefinition] | None = None,
         dedicated_app_service_sku: azure.web.SkuDescriptionArgs | None = None,
         vault_administrators: list[str] | None = None,
-        cache_db: int | None = None,
-        startup_timeout: int = 300,
+        redis_sidecar: bool = True,
+        django_tasks: bool = True,
+        startup_timeout: int = 600,
+        log_retention_days: int = 7,
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -878,7 +782,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param comms_domains: The list of custom domains for the E-mail Communication Services (optional).
         :param dedicated_app_service_sku: The SKU for the dedicated App Service Plan (optional).
         :param vault_administrators: The principal IDs of the vault administrators (optional).
-        :param cache_db: The index of the cache database to use (optional).
+        :param redis_sidecar: Whether to create a Redis sidecar container.
         :param startup_timeout: The startup timeout for the App Service (default is 300 seconds).
         """
 
@@ -908,6 +812,16 @@ class DjangoDeployment(pulumi.ComponentResource):
             container_name=f"{name}-static",
         )
 
+        # Redis cache environment variable
+        if redis_sidecar:
+            environment_variables["REDIS_SIDECAR"] = "true"
+
+        if django_tasks:
+            if not redis_sidecar:
+                raise ValueError("django-tasks requires redis-sidecar to be enabled.")
+
+            environment_variables["DJANGO_TASKS"] = "true"
+
         # Communication Services (optional)
         if comms_data_location:
             if not comms_domains:
@@ -928,15 +842,12 @@ class DjangoDeployment(pulumi.ComponentResource):
             s = self._add_webapp_secret(vault, env_name, config_name, f"{name}-{self._name}")
             environment_variables[f"{env_name}_SECRET_NAME"] = s.name
 
-        # Cache (we need to check explicitly if it is not None because the db could also be 0)
-        if self._cache and cache_db is not None:
-            environment_variables["REDIS_CACHE_HOST"] = self._cache.host_name
-            environment_variables["REDIS_CACHE_PORT"] = self._cache.ssl_port.apply(lambda port: str(port))
-            environment_variables["REDIS_CACHE_DB"] = str(cache_db)
-
         # Create a Django Secret Key (random)
         secret_key = pulumi_random.RandomString(f"django-secret-{name}-{self._name}", length=50)
 
+        if log_retention_days > 0:
+            environment_variables["WEBSITE_HTTPLOGGING_RETENTION_DAYS"] = str(log_retention_days)
+
         # Convert environment variables to NameValuePairArgs
         environment_variables = [
             azure.web.NameValuePairArgs(
@@ -977,6 +888,7 @@ class DjangoDeployment(pulumi.ComponentResource):
                 python_version=python_version,
                 # scm_type=azure.web.ScmType.EXTERNAL_GIT,
                 linux_fx_version=f"PYTHON|{python_version}",
+                http20_enabled=True,
                 app_settings=[
                     # Startup settings
                     azure.web.NameValuePairArgs(name="WEBSITES_CONTAINER_START_TIME_LIMIT", value=str(startup_timeout)),
@@ -984,7 +896,9 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="IS_AZURE_ENVIRONMENT", value="true"),
                     # Build settings
                     azure.web.NameValuePairArgs(name="SCM_DO_BUILD_DURING_DEPLOYMENT", value="true"),
-                    azure.web.NameValuePairArgs(name="PRE_BUILD_COMMAND", value="cicd/pre_build.sh"),
+                    azure.web.NameValuePairArgs(name="PRE_BUILD_COMMAND", value="curl -sSL https://bootstrap.django-azu.re | bash"),
+                    # azure.web.NameValuePairArgs(name="PRE_BUILD_COMMAND", value="cicd/pre_build.sh"),
+                    # This script will be created by the bootstrap script
                     azure.web.NameValuePairArgs(name="POST_BUILD_COMMAND", value="cicd/post_build.sh"),
                     azure.web.NameValuePairArgs(name="DISABLE_COLLECTSTATIC", value="true"),
                     azure.web.NameValuePairArgs(name="HEALTH_CHECK_PATH", value=self.HEALTH_CHECK_PATH),
@@ -1012,6 +926,18 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
         )
 
+        # Redis cache
+        if redis_sidecar:
+            azure.web.WebAppSiteContainer(
+                f"redis-sidecar-{name}-{self._name}",
+                resource_group_name=self._rg,
+                name=app.name,
+                is_main=False,
+                container_name="redis-sidecar",
+                image=REDIS_IMAGE,
+                # target_port="6379",
+            )
+
         # We need this to create the database role and grant permissions
         principal_id = app.identity.apply(lambda identity: identity.principal_id)
         pulumi.export(f"{name}_site_principal_id", principal_id)
@@ -1034,8 +960,10 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         pulumi.export(f"{name}_deploy_url", pulumi.Output.concat(credentials.scm_uri, "/deploy"))
 
+        bindings = []
         for host in website_hosts:
-            dependencies = []
+            # Only one binding can be created at a time, so we need to depend on the previous one.
+            dependencies = bindings or []
 
             if host.zone:
                 # Create a DNS record in the zone.
@@ -1076,7 +1004,7 @@ class DjangoDeployment(pulumi.ComponentResource):
                 dependencies.append(txt_validation)
 
             # Add the host with optional dependencies
-            self._add_webapp_host(
+            binding = self._add_webapp_host(
                 app=app,
                 host=host.full_host,
                 suffix=f"{name}-{self._name}",
@@ -1084,6 +1012,8 @@ class DjangoDeployment(pulumi.ComponentResource):
                 depends_on=dependencies,
             )
 
+            bindings.append(binding)
+
         # To enable deployment from GitLab
         azure.web.WebAppSourceControl(
             f"app-{name}-sourcecontrol-{self._name}",
@@ -1137,18 +1067,6 @@ class DjangoDeployment(pulumi.ComponentResource):
             scope=self._storage_account.id,
         )
 
-        # Grant the app access to the cache if needed.
-        # We need to check explicitly if it is not None because the db could also be 0.
-        if self._cache and cache_db is not None:
-            azure.redis.AccessPolicyAssignment(
-                f"ra-{name}-cache",
-                resource_group_name=self._rg,
-                cache_name=self._cache.name,
-                object_id=principal_id,
-                object_id_alias=f"app-{name}-managed-identity",
-                access_policy_name=self._cache_access_policy.name,
-            )
-
         # Grant the app to send e-mails
         if comms:
             comms_role = comms.id.apply(
@@ -1167,29 +1085,20 @@ class DjangoDeployment(pulumi.ComponentResource):
                 scope=comms.id,
             )
 
-        # Grant the app to purge the CDN endpoint
-        cdn_role = self._cdn_endpoint.id.apply(
+        # Grant the app to manage the CDN endpoint (CDN Profile Contributor)
+        cdn_profile_role = self._cdn_profile.id.apply(
             lambda scope: azure.authorization.get_role_definition(
-                role_definition_id="/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
+                role_definition_id="ec156ff8-a8d1-4d15-830c-5b80698ca432",
                 scope=scope,
             )
         )
 
         azure.authorization.RoleAssignment(
-            f"ra-{name}-cdn",
+            f"ra-{name}-cdn-profile",
             principal_id=principal_id,
             principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
-            role_definition_id=cdn_role.id,
-            scope=self._cdn_endpoint.id,
+            role_definition_id=cdn_profile_role.id,
+            scope=self._cdn_profile.id,
         )
 
         return app
-
-    def _strip_off_dns_zone_name(self, host: str, zone: azure.dns.Zone) -> pulumi.Output[str]:
-        """
-        Strip off the DNS zone name from the host name.
-
-        :param host: The host name
-        :return: The host name without the DNS zone
-        """
-        return zone.name.apply(lambda name: host[: -len(name) - 1])