pulumi-django-azure 1.0.8__tar.gz → 1.0.10__tar.gz

{pulumi-django-azure-1.0.8/src/pulumi_django_azure.egg-info → pulumi_django_azure-1.0.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.8
+Version: 1.0.10
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -47,8 +47,21 @@ To have a proper and secure environment, we need these components:
 * PostgreSQL server
 * Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -176,6 +189,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.
 

{pulumi-django-azure-1.0.8 → pulumi_django_azure-1.0.10}/README.md

@@ -8,8 +8,21 @@ To have a proper and secure environment, we need these components:
 * PostgreSQL server
 * Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -137,6 +150,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.
 

{pulumi-django-azure-1.0.8 → pulumi_django_azure-1.0.10}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "pulumi-django-azure"
-version = "1.0.8"
+version = "1.0.10"
 description = "Simply deployment of Django on Azure with Pulumi"
 readme = "README.md"
 authors = [{ name = "Maarten Ureel", email = "maarten@youreal.eu" }]
@@ -27,7 +27,7 @@ Homepage = "https://gitlab.com/MaartenUreel/pulumi-django-azure"
 
 [tool.poetry]
 name = "pulumi-django-azure"
-version = "1.0.8"
+version = "1.0.10"
 description = "Simply deployment of Django on Azure with Pulumi"
 authors = ["Maarten Ureel <maarten@youreal.eu>"]
 

{pulumi-django-azure-1.0.8 → pulumi_django_azure-1.0.10}/src/pulumi_django_azure/django_deployment.py

@@ -35,13 +35,13 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param app_service_sku: The SKU for the app service plan.
         :param storage_account_name: The name of the storage account. Should be unique across Azure.
         :param cdn_host: A custom CDN host name (optional)
-        :param comms_data_location: The data location for the Communication Services (optional if you don't need it)
         :param opts: The resource options
         """
 
         super().__init__("pkg:index:DjangoDeployment", name, None, opts)
 
         # child_opts = pulumi.ResourceOptions(parent=self)
+        self._config = pulumi.Config()
 
         self._name = name
         self._tenant_id = tenant_id
@@ -391,6 +391,59 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         return comm_service
 
+    def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
+        # Create a keyvault
+        vault = azure.keyvault.Vault(
+            f"vault-{suffix}",
+            resource_group_name=self._rg,
+            vault_name=f"vault-{suffix}",
+            properties=azure.keyvault.VaultPropertiesArgs(
+                tenant_id=self._tenant_id,
+                sku=azure.keyvault.SkuArgs(
+                    name=azure.keyvault.SkuName.STANDARD,
+                    family=azure.keyvault.SkuFamily.A,
+                ),
+                enable_rbac_authorization=True,
+            ),
+        )
+
+        # Find the Key Vault Administrator role
+        administrator_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                scope=scope,
+            )
+        )
+
+        # Add vault administrators
+        for a in administrators:
+            azure.authorization.RoleAssignment(
+                f"ra-{suffix}-vault-admin-{a}",
+                principal_id=a,
+                principal_type=azure.authorization.PrincipalType.USER,
+                role_definition_id=administrator_role.id,
+                scope=vault.id,
+            )
+
+        return vault
+
+    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+        secret = self._config.require_secret(config_secret_name)
+
+        # Normalize the secret name
+        secret_name = secret_name.replace("_", "-").lower()
+
+        # Create a secret in the vault
+        return azure.keyvault.Secret(
+            f"secret-{suffix}-{secret_name}",
+            resource_group_name=self._rg,
+            vault_name=vault.name,
+            secret_name=secret_name,
+            properties=azure.keyvault.SecretPropertiesArgs(
+                value=secret,
+            ),
+        )
+
     def _get_storage_account_access_keys(
         self, storage_account: azure.storage.StorageAccount
     ) -> Sequence[azure.storage.outputs.StorageAccountKeyResponse]:
@@ -437,8 +490,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         website_hosts: list[str],
         django_settings_module: str,
         environment_variables: dict[str, str] = {},
+        secrets: dict[str, str] = {},
         comms_data_location: Optional[str] = None,
         comms_domains: Optional[list[str]] = [],
+        vault_administrators: Optional[list[str]] = [],
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -450,8 +505,12 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param website_hosts: The list of custom host names for the website.
         :param django_settings_module: The Django settings module to load.
         :param environment_variables: A dictionary of environment variables to set.
+        :param secrets: A dictionary of secrets to store in the Key Vault and assign as environment variables.
+            The key is the name of the Pulumi secret, the value is the name of the environment variable
+            and the name of the secret in the Key Vault.
         :param comms_data_location: The data location for the Communication Services (optional if you don't need it).
         :param comms_domains: The list of custom domains for the E-mail Communication Services (optional).
+        :param vault_administrator: The principal ID of the vault administrator (optional).
         """
 
         # Create a database
@@ -483,11 +542,19 @@ class DjangoDeployment(pulumi.ComponentResource):
         # Communication Services (optional)
         if comms_data_location:
             comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
-            # Add the domains as environment variable
+            # Add the service endpoint as environment variable
             environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
         else:
             comms = None
 
+        # Key Vault
+        vault = self._add_webapp_vault(vault_administrators, f"{name}-{self._name}")
+
+        # Add secrets
+        for config_name, env_name in secrets.items():
+            s = self._add_webapp_secret(vault, env_name, config_name, f"{name}-{self._name}")
+            environment_variables[f"{env_name}_SECRET_NAME"] = s.name
+
         # Create a Django Secret Key (random)
         secret_key = pulumi_random.RandomString(f"django-secret-{name}-{self._name}", length=50)
 
@@ -510,6 +577,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
             https_only=True,
             site_config=azure.web.SiteConfigArgs(
+                app_command_line="cicd/startup.sh",
                 always_on=True,
                 health_check_path=self.HEALTH_CHECK_PATH,
                 ftps_state=azure.web.FtpsState.DISABLED,
@@ -528,6 +596,8 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
                     azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    # Vault settings
+                    azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
@@ -572,6 +642,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
         )
 
+        # Find the role for Key Vault Secrets User
+        vault_access_role = vault.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="4633458b-17de-408a-b874-0445c86b69e6",
+                scope=scope,
+            )
+        )
+
+        # Grant the app access to the vault
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-vault-user",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            # Key Vault Secrets User
+            role_definition_id=vault_access_role.id,
+            scope=vault.id,
+        )
+
         # Find the role for Storage Blob Data Contributor
         storage_role = self._storage_account.id.apply(
             lambda scope: azure.authorization.get_role_definition(

{pulumi-django-azure-1.0.8 → pulumi_django_azure-1.0.10/src/pulumi_django_azure.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.8
+Version: 1.0.10
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -47,8 +47,21 @@ To have a proper and secure environment, we need these components:
 * PostgreSQL server
 * Azure Communication Services to send e-mails
 * Webapp with multiple custom host names and managed SSL for the website itself
+* Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -176,6 +189,55 @@ pgAdmin will be created with a default login:
 
 Best practice is to log in right away, create a user for yourself and delete this default user.
 
+## Azure OAuth2 / Django Social Auth
+If you want to set up login with Azure, which would make sense since you are in the ecosystem, you need to create an App Registration in Entra ID, create a secret and then register these settings in your stack:
+```
+pulumi config set --secret --path 'mywebsite_social_auth_azure.key' secret_ID
+pulumi config set --secret --path 'mywebsite_social_auth_azure.secret' secret_value
+pulumi config set --secret --path 'mywebsite_social_auth_azure.tenant_id' directory_tenant_id
+pulumi config set --secret --path 'mywebsite_social_auth_azure.client_id' application_id
+```
+
+Then in your Django deployment, pass to the `add_django_website` command:
+```
+secrets={
+    "mywebsite_social_auth_azure": "AZURE_OAUTH",
+},
+```
+
+The value will be automatically stored in the vault where the application has access to.
+The environment variable will be suffixed with `_SECRET_NAME`.
+
+Then, in your application, retrieve this data from the vault, e.g.:
+```python
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+# Azure credentials
+azure_credential = DefaultAzureCredential()
+
+# Azure Key Vault
+AZURE_KEY_VAULT = env("AZURE_KEY_VAULT")
+AZURE_KEY_VAULT_URI = f"https://{AZURE_KEY_VAULT}.vault.azure.net"
+azure_key_vault_client = SecretClient(vault_url=AZURE_KEY_VAULT_URI, credential=azure_credential)
+
+# Social Auth settings
+oauth_secret = azure_key_vault_client.get_secret(env("AZURE_OAUTH_SECRET_NAME"))
+oauth_secret = json.loads(oauth_secret.value)
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY = oauth_secret["client_id"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET = oauth_secret["secret"]
+SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID = oauth_secret["tenant_id"]
+SOCIAL_AUTH_ADMIN_USER_SEARCH_FIELDS = ["username", "first_name", "last_name", "email"]
+SOCIAL_AUTH_POSTGRES_JSONFIELD = True
+
+AUTHENTICATION_BACKENDS = (
+    "social_core.backends.azuread_tenant.AzureADTenantOAuth2",
+    "django.contrib.auth.backends.ModelBackend",
+)
+```
+
+And of course add the login button somewhere, following Django Social Auth instructions.
+
 ## Automate deployments
 When using a service like GitLab, you can configure a Webhook to fire upon a push to your branch.