pulumi-django-azure 1.0.8__py3-none-any.whl → 1.0.9__py3-none-any.whl

pulumi_django_azure/django_deployment.py

@@ -35,13 +35,13 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param app_service_sku: The SKU for the app service plan.
         :param storage_account_name: The name of the storage account. Should be unique across Azure.
         :param cdn_host: A custom CDN host name (optional)
-        :param comms_data_location: The data location for the Communication Services (optional if you don't need it)
         :param opts: The resource options
         """
 
         super().__init__("pkg:index:DjangoDeployment", name, None, opts)
 
         # child_opts = pulumi.ResourceOptions(parent=self)
+        self._config = pulumi.Config()
 
         self._name = name
         self._tenant_id = tenant_id
@@ -391,6 +391,59 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         return comm_service
 
+    def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
+        # Create a keyvault
+        vault = azure.keyvault.Vault(
+            f"vault-{suffix}",
+            resource_group_name=self._rg,
+            vault_name=f"vault-{suffix}",
+            properties=azure.keyvault.VaultPropertiesArgs(
+                tenant_id=self._tenant_id,
+                sku=azure.keyvault.SkuArgs(
+                    name=azure.keyvault.SkuName.STANDARD,
+                    family=azure.keyvault.SkuFamily.A,
+                ),
+                enable_rbac_authorization=True,
+            ),
+        )
+
+        # Find the Key Vault Administrator role
+        administrator_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                scope=scope,
+            )
+        )
+
+        # Add vault administrators
+        for a in administrators:
+            azure.authorization.RoleAssignment(
+                f"ra-{suffix}-vault-admin-{a}",
+                principal_id=a,
+                principal_type=azure.authorization.PrincipalType.USER,
+                role_definition_id=administrator_role.id,
+                scope=vault.id,
+            )
+
+        return vault
+
+    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+        secret = self._config.require_secret(config_secret_name)
+
+        # Normalize the secret name
+        secret_name = secret_name.replace("_", "-").lower()
+
+        # Create a secret in the vault
+        return azure.keyvault.Secret(
+            f"secret-{suffix}-{secret_name}",
+            resource_group_name=self._rg,
+            vault_name=vault.name,
+            secret_name=secret_name,
+            properties=azure.keyvault.SecretPropertiesArgs(
+                value=secret,
+            ),
+        )
+
     def _get_storage_account_access_keys(
         self, storage_account: azure.storage.StorageAccount
     ) -> Sequence[azure.storage.outputs.StorageAccountKeyResponse]:
@@ -437,8 +490,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         website_hosts: list[str],
         django_settings_module: str,
         environment_variables: dict[str, str] = {},
+        secrets: dict[str, str] = {},
         comms_data_location: Optional[str] = None,
         comms_domains: Optional[list[str]] = [],
+        vault_administrators: Optional[list[str]] = [],
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -450,8 +505,12 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param website_hosts: The list of custom host names for the website.
         :param django_settings_module: The Django settings module to load.
         :param environment_variables: A dictionary of environment variables to set.
+        :param secrets: A dictionary of secrets to store in the Key Vault and assign as environment variables.
+            The key is the name of the Pulumi secret, the value is the name of the environment variable
+            and the name of the secret in the Key Vault.
         :param comms_data_location: The data location for the Communication Services (optional if you don't need it).
         :param comms_domains: The list of custom domains for the E-mail Communication Services (optional).
+        :param vault_administrator: The principal ID of the vault administrator (optional).
         """
 
         # Create a database
@@ -483,11 +542,19 @@ class DjangoDeployment(pulumi.ComponentResource):
         # Communication Services (optional)
         if comms_data_location:
             comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
-            # Add the domains as environment variable
+            # Add the service endpoint as environment variable
             environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
         else:
             comms = None
 
+        # Key Vault
+        vault = self._add_webapp_vault(vault_administrators, f"{name}-{self._name}")
+
+        # Add secrets
+        for config_name, env_name in secrets.items():
+            s = self._add_webapp_secret(vault, env_name, config_name, f"{name}-{self._name}")
+            environment_variables[f"{env_name}_SECRET_NAME"] = s.name
+
         # Create a Django Secret Key (random)
         secret_key = pulumi_random.RandomString(f"django-secret-{name}-{self._name}", length=50)
 
@@ -528,6 +595,8 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
                     azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    # Vault settings
+                    azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
@@ -572,6 +641,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
         )
 
+        # Find the role for Key Vault Secrets User
+        vault_access_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="4633458b-17de-408a-b874-0445c86b69e6",
+                scope=scope,
+            )
+        )
+
+        # Grant the app access to the vault
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-vault-user",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            # Key Vault Secrets User
+            role_definition_id=vault_access_role.id,
+            scope=vault.id,
+        )
+
         # Find the role for Storage Blob Data Contributor
         storage_role = self._storage_account.id.apply(
             lambda scope: azure.authorization.get_role_definition(

{pulumi_django_azure-1.0.8.dist-info → pulumi_django_azure-1.0.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.8
+Version: 1.0.9
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -47,6 +47,7 @@ To have a proper and secure environment, we need these components:
 * PostgreSQL server
 * Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
 ## Installation
@@ -176,6 +177,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.
 

pulumi_django_azure-1.0.9.dist-info/RECORD

@@ -0,0 +1,7 @@
+pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
+pulumi_django_azure/django_deployment.py,sha256=gqdrUq7dLO7ds4OmZt5X-UKEO328ZlxsFTqA97UiSFo,30222
+pulumi_django_azure-1.0.9.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
+pulumi_django_azure-1.0.9.dist-info/METADATA,sha256=3-xSB9Kfhrwn2yWW7KOsVQsJuNMyl2fDU3c02SttWcY,10283
+pulumi_django_azure-1.0.9.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+pulumi_django_azure-1.0.9.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
+pulumi_django_azure-1.0.9.dist-info/RECORD,,

pulumi_django_azure-1.0.8.dist-info/RECORD

@@ -1,7 +0,0 @@
-pulumi_django_azure/__init__.py,sha256=tXTvPfr8-Nll5cjMyY9yj_0z_PQ0XAcxihzHRCES-hU,63
-pulumi_django_azure/django_deployment.py,sha256=nNf6dt9Zp8IXMf9n63lxpkRNfogyb1VXx3aPm2Vzln4,26659
-pulumi_django_azure-1.0.8.dist-info/LICENSE,sha256=NX2LN3U319Zaac8b7ZgfNOco_nTBbN531X_M_13niSg,1087
-pulumi_django_azure-1.0.8.dist-info/METADATA,sha256=Y6pp3unBOMUFApTjglKm6fgbXcHk0Uz1gC-xN_Srl9o,8113
-pulumi_django_azure-1.0.8.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
-pulumi_django_azure-1.0.8.dist-info/top_level.txt,sha256=MNPRJhq-_G8EMCHRkjdcb_xrqzOkmKogXUGV7Ysz3g0,20
-pulumi_django_azure-1.0.8.dist-info/RECORD,,