pulumi-django-azure 1.0.4__py3-none-any.whl → 1.0.10__py3-none-any.whl

pulumi_django_azure/django_deployment.py

@@ -14,6 +14,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         tenant_id: str,
         resource_group_name: pulumi.Input[str],
         vnet: azure.network.VirtualNetwork,
+        pgsql_sku: azure.dbforpostgresql.SkuArgs,
         pgsql_ip_prefix: str,
         appservice_ip_prefix: str,
         app_service_sku: azure.web.SkuDescriptionArgs,
@@ -28,6 +29,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param tenant_id: The Entra tenant ID for the database authentication.
         :param resource_group_name: The resource group name to create the resources in.
         :param vnet: The virtual network to create the subnets in.
+        :param pgsql_sku: The SKU for the PostgreSQL server.
         :param pgsql_ip_prefix: The IP prefix for the PostgreSQL subnet.
         :param appservice_ip_prefix: The IP prefix for the app service subnet.
         :param app_service_sku: The SKU for the app service plan.
@@ -39,6 +41,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         super().__init__("pkg:index:DjangoDeployment", name, None, opts)
 
         # child_opts = pulumi.ResourceOptions(parent=self)
+        self._config = pulumi.Config()
 
         self._name = name
         self._tenant_id = tenant_id
@@ -50,7 +53,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._cdn_host = self._create_cdn(custom_host=cdn_host)
 
         # PostgreSQL resources
-        self._create_database(ip_prefix=pgsql_ip_prefix)
+        self._create_database(sku=pgsql_sku, ip_prefix=pgsql_ip_prefix)
 
         # Subnet for the apps
         self._app_subnet = self._create_subnet(
@@ -145,7 +148,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             # Return the default CDN host name
             return self._cdn_endpoint.host_name
 
-    def _create_database(self, ip_prefix: str):
+    def _create_database(self, sku: azure.dbforpostgresql.SkuArgs, ip_prefix: str):
         # Create subnet for PostgreSQL
         subnet = self._create_subnet(
             name="pgsql",
@@ -176,10 +179,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._pgsql = azure.dbforpostgresql.Server(
             f"pgsql-{self._name}",
             resource_group_name=self._rg,
-            sku=azure.dbforpostgresql.SkuArgs(
-                name="Standard_B2s",
-                tier=azure.dbforpostgresql.SkuTier.BURSTABLE,
-            ),
+            sku=sku,
             version="16",
             auth_config=azure.dbforpostgresql.AuthConfigArgs(
                 password_auth=azure.dbforpostgresql.PasswordAuthEnum.DISABLED,
@@ -260,8 +260,6 @@ class DjangoDeployment(pulumi.ComponentResource):
                     # azure.web.NameValuePairArgs(name="WEBSITE_HTTPLOGGING_RETENTION_DAYS", value="7"),
                     # pgAdmin settings
                     azure.web.NameValuePairArgs(name="PGADMIN_DISABLE_POSTFIX", value="true"),
-                    azure.web.NameValuePairArgs(name="PGADMIN_AUTHENTICATION_SOURCES", value="['oauth2, 'internal']"),
-                    azure.web.NameValuePairArgs(name="PGADMIN_OAUTH2_NAME", value="azure"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_EMAIL", value="dbadmin@dbadmin.net"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_PASSWORD", value="dbadmin"),
                 ],
@@ -348,6 +346,104 @@ class DjangoDeployment(pulumi.ComponentResource):
                 host_name=host,
             )
 
+    def _add_webapp_comms(self, data_location: str, domains: list[str], suffix: str) -> azure.communication.CommunicationService:
+        email_service = azure.communication.EmailService(
+            f"comms-email-{suffix}",
+            resource_group_name=self._rg,
+            location="global",
+            data_location=data_location,
+        )
+
+        domain_resources = []
+        if domains:
+            # Add our own custom domains
+            for domain in domains:
+                safe_host = domain.replace(".", "-")
+                d = azure.communication.Domain(
+                    f"comms-email-domain-{suffix}-{safe_host}",
+                    resource_group_name=self._rg,
+                    location="global",
+                    domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
+                    domain_name=domain,
+                    email_service_name=email_service.name,
+                )
+                domain_resources.append(d.id.apply(lambda n: n))
+        else:
+            # Add an Azure managed domain
+            d = azure.communication.Domain(
+                f"comms-email-domain-{suffix}-azure",
+                resource_group_name=self._rg,
+                location="global",
+                domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
+                domain_name="AzureManagedDomain",
+                email_service_name=email_service.name,
+            )
+            domain_resources.append(d.id.apply(lambda n: n))
+
+        # Create Communication Services and link the domains
+        comm_service = azure.communication.CommunicationService(
+            f"comms-{suffix}",
+            resource_group_name=self._rg,
+            location="global",
+            data_location=data_location,
+            linked_domains=domain_resources,
+        )
+
+        return comm_service
+
+    def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
+        # Create a keyvault
+        vault = azure.keyvault.Vault(
+            f"vault-{suffix}",
+            resource_group_name=self._rg,
+            vault_name=f"vault-{suffix}",
+            properties=azure.keyvault.VaultPropertiesArgs(
+                tenant_id=self._tenant_id,
+                sku=azure.keyvault.SkuArgs(
+                    name=azure.keyvault.SkuName.STANDARD,
+                    family=azure.keyvault.SkuFamily.A,
+                ),
+                enable_rbac_authorization=True,
+            ),
+        )
+
+        # Find the Key Vault Administrator role
+        administrator_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                scope=scope,
+            )
+        )
+
+        # Add vault administrators
+        for a in administrators:
+            azure.authorization.RoleAssignment(
+                f"ra-{suffix}-vault-admin-{a}",
+                principal_id=a,
+                principal_type=azure.authorization.PrincipalType.USER,
+                role_definition_id=administrator_role.id,
+                scope=vault.id,
+            )
+
+        return vault
+
+    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+        secret = self._config.require_secret(config_secret_name)
+
+        # Normalize the secret name
+        secret_name = secret_name.replace("_", "-").lower()
+
+        # Create a secret in the vault
+        return azure.keyvault.Secret(
+            f"secret-{suffix}-{secret_name}",
+            resource_group_name=self._rg,
+            vault_name=vault.name,
+            secret_name=secret_name,
+            properties=azure.keyvault.SecretPropertiesArgs(
+                value=secret,
+            ),
+        )
+
     def _get_storage_account_access_keys(
         self, storage_account: azure.storage.StorageAccount
     ) -> Sequence[azure.storage.outputs.StorageAccountKeyResponse]:
@@ -394,6 +490,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         website_hosts: list[str],
         django_settings_module: str,
         environment_variables: dict[str, str] = {},
+        secrets: dict[str, str] = {},
+        comms_data_location: Optional[str] = None,
+        comms_domains: Optional[list[str]] = [],
+        vault_administrators: Optional[list[str]] = [],
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -405,6 +505,12 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param website_hosts: The list of custom host names for the website.
         :param django_settings_module: The Django settings module to load.
         :param environment_variables: A dictionary of environment variables to set.
+        :param secrets: A dictionary of secrets to store in the Key Vault and assign as environment variables.
+            The key is the name of the Pulumi secret, the value is the name of the environment variable
+            and the name of the secret in the Key Vault.
+        :param comms_data_location: The data location for the Communication Services (optional if you don't need it).
+        :param comms_domains: The list of custom domains for the E-mail Communication Services (optional).
+        :param vault_administrator: The principal ID of the vault administrator (optional).
         """
 
         # Create a database
@@ -433,6 +539,22 @@ class DjangoDeployment(pulumi.ComponentResource):
             container_name=f"{name}-static",
         )
 
+        # Communication Services (optional)
+        if comms_data_location:
+            comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
+            # Add the service endpoint as environment variable
+            environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
+        else:
+            comms = None
+
+        # Key Vault
+        vault = self._add_webapp_vault(vault_administrators, f"{name}-{self._name}")
+
+        # Add secrets
+        for config_name, env_name in secrets.items():
+            s = self._add_webapp_secret(vault, env_name, config_name, f"{name}-{self._name}")
+            environment_variables[f"{env_name}_SECRET_NAME"] = s.name
+
         # Create a Django Secret Key (random)
         secret_key = pulumi_random.RandomString(f"django-secret-{name}-{self._name}", length=50)
 
@@ -455,6 +577,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
             https_only=True,
             site_config=azure.web.SiteConfigArgs(
+                app_command_line="cicd/startup.sh",
                 always_on=True,
                 health_check_path=self.HEALTH_CHECK_PATH,
                 ftps_state=azure.web.FtpsState.DISABLED,
@@ -473,6 +596,8 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
                     azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    # Vault settings
+                    azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
@@ -517,6 +642,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
         )
 
+        # Find the role for Key Vault Secrets User
+        vault_access_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="4633458b-17de-408a-b874-0445c86b69e6",
+                scope=scope,
+            )
+        )
+
+        # Grant the app access to the vault
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-vault-user",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            # Key Vault Secrets User
+            role_definition_id=vault_access_role.id,
+            scope=vault.id,
+        )
+
         # Find the role for Storage Blob Data Contributor
         storage_role = self._storage_account.id.apply(
             lambda scope: azure.authorization.get_role_definition(
@@ -534,6 +677,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             scope=self._storage_account.id,
         )
 
+        # Grant the app to send e-mails
+        if comms:
+            comms_role = comms.id.apply(
+                lambda scope: azure.authorization.get_role_definition(
+                    # Contributor
+                    role_definition_id="b24988ac-6180-42a0-ab88-20f7382dd24c",
+                    scope=scope,
+                )
+            )
+
+            azure.authorization.RoleAssignment(
+                f"ra-{name}-comms",
+                principal_id=principal_id,
+                principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+                role_definition_id=comms_role.id,
+                scope=comms.id,
+            )
+
         # Create a CORS rules for this website
         if website_hosts:
             origins = [f"https://{host}" for host in website_hosts]

{pulumi_django_azure-1.0.4.dist-info → pulumi_django_azure-1.0.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.4
+Version: 1.0.10
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -45,9 +45,23 @@ To have a proper and secure environment, we need these components:
 * Storage account for media and static files
 * CDN endpoint in front with a domain name of our choosing
 * PostgreSQL server
+* Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -101,6 +115,8 @@ django.add_django_website(
     repository_branch="main",
     website_hosts=["example.com", "www.example.com"],
     django_settings_module="mywebsite.settings.production",
+    comms_data_location="europe",
+    comms_domains=["mydomain.com"],
 )
 
 django.add_database_administrator(
@@ -120,6 +136,7 @@ django.add_database_administrator(
 6. Re-deploy with custom hosts
 7. Re-deploy once more to enable HTTPS on website domains
 8. Manually activate HTTPS on the CDN host
+9. Go to the e-mail communications service on Azure and configure DKIM, SPF,... for your custom domains.
 
 ## Custom domain name for CDN
 When deploying the first time, you will get a `cdn_cname` output. You need to create a CNAME to this domain before the deployment of the custom domain will succeed.
@@ -172,6 +189,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.
 

pulumi_django_azure-1.0.10.dist-info/RECORD

@@ -0,0 +1,7 @@
+pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
+pulumi_django_azure/django_deployment.py,sha256=SgMLoQ2Jwm8anADzrEjVhtfJVAJrYJYFoaOL9bDZngE,30275
+pulumi_django_azure-1.0.10.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
+pulumi_django_azure-1.0.10.dist-info/METADATA,sha256=rAAqdkW9F0I0OWn7XQA2fHKIpqxmJDQWx39TmH0FEnc,11083
+pulumi_django_azure-1.0.10.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+pulumi_django_azure-1.0.10.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
+pulumi_django_azure-1.0.10.dist-info/RECORD,,

{pulumi_django_azure-1.0.4.dist-info → pulumi_django_azure-1.0.10.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.42.0)
+Generator: bdist_wheel (0.43.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

pulumi_django_azure-1.0.4.dist-info/RECORD

@@ -1,7 +0,0 @@
-pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
-pulumi_django_azure/django_deployment.py,sha256=yvpOUkcHs37Mb2xTD6BqtB21opxTvFLQzRxMHXTK2aY,23410
-pulumi_django_azure-1.0.4.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
-pulumi_django_azure-1.0.4.dist-info/METADATA,sha256=25RH8tZL2LrhBjuYRngUcRArER9TiAorLEaCJulFhLA,7887
-pulumi_django_azure-1.0.4.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-pulumi_django_azure-1.0.4.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
-pulumi_django_azure-1.0.4.dist-info/RECORD,,