pulumi-django-azure 1.0.9__tar.gz → 1.0.15__tar.gz

{pulumi_django_azure-1.0.9 → pulumi_django_azure-1.0.15}/LICENSE

@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

{pulumi_django_azure-1.0.9/src/pulumi_django_azure.egg-info → pulumi_django_azure-1.0.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.9
+Version: 1.0.15
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -50,6 +50,19 @@ To have a proper and secure environment, we need these components:
 * Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  python manage.py purge_cdn
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above. To see the `purge_cdn` management command we use here, see below.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -244,6 +257,82 @@ Be sure to configure the SSH key that Azure will use on GitLab side. You can obt
 
 This would then trigger a redeploy everytime you make a commit to your live branch.
 
+## CDN Purging
+We added a management command to Django to purge the CDN cache, and added that to the startup script. Our version is here:
+```python
+import os
+
+from azure.mgmt.cdn import CdnManagementClient
+from azure.mgmt.cdn.models import PurgeParameters
+from django.core.management.base import BaseCommand
+
+from core.azure_helper import AZURE_CREDENTIAL, get_subscription_id
+
+
+class Command(BaseCommand):
+    help = "Purges the CDN endpoint"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--wait",
+            action="store_true",
+            help="Wait for the purge operation to complete",
+        )
+
+    def handle(self, *args, **options):
+        # Read environment variables
+        resource_group = os.getenv("WEBSITE_RESOURCE_GROUP")
+        profile_name = os.getenv("CDN_PROFILE")
+        endpoint_name = os.getenv("CDN_ENDPOINT")
+        content_paths = ["/*"]
+
+        # Ensure all required environment variables are set
+        if not all([resource_group, profile_name, endpoint_name]):
+            self.stderr.write(self.style.ERROR("Missing required environment variables."))
+            return
+
+        # Authenticate with Azure
+        cdn_client = CdnManagementClient(AZURE_CREDENTIAL, get_subscription_id())
+
+        try:
+            # Purge the CDN endpoint
+            purge_operation = cdn_client.endpoints.begin_purge_content(
+                resource_group_name=resource_group,
+                profile_name=profile_name,
+                endpoint_name=endpoint_name,
+                content_file_paths=PurgeParameters(content_paths=content_paths),
+            )
+
+            # Check if the --wait argument was provided
+            if options["wait"]:
+                purge_operation.result()  # Wait for the operation to complete
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation completed successfully."))
+            else:
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation started successfully."))
+
+        except Exception as e:
+            self.stderr.write(self.style.ERROR(f"Error executing CDN endpoint purge command: {e}"))
+```
+
+And our azure_helper:
+```python
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource import SubscriptionClient
+
+# Azure credentials
+AZURE_CREDENTIAL = DefaultAzureCredential()
+
+
+def get_db_password() -> str:
+    return AZURE_CREDENTIAL.get_token("https://ossrdbms-aad.database.windows.net/.default").token
+
+
+def get_subscription_id() -> str:
+    subscription_client = SubscriptionClient(AZURE_CREDENTIAL)
+    subscriptions = list(subscription_client.subscriptions.list())
+    return subscriptions[0].subscription_id
+```
+
 ## Change requests
 I created this for internal use but since it took me a while to puzzle all the things together I decided to share it.
 Therefore this project is not super generic, but tailored to my needs. I am however open to pull or change requests to improve this project or to make it more usable for others.

{pulumi_django_azure-1.0.9 → pulumi_django_azure-1.0.15}/README.md

@@ -11,6 +11,19 @@ To have a proper and secure environment, we need these components:
 * Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  python manage.py purge_cdn
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above. To see the `purge_cdn` management command we use here, see below.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -205,6 +218,82 @@ Be sure to configure the SSH key that Azure will use on GitLab side. You can obt
 
 This would then trigger a redeploy everytime you make a commit to your live branch.
 
+## CDN Purging
+We added a management command to Django to purge the CDN cache, and added that to the startup script. Our version is here:
+```python
+import os
+
+from azure.mgmt.cdn import CdnManagementClient
+from azure.mgmt.cdn.models import PurgeParameters
+from django.core.management.base import BaseCommand
+
+from core.azure_helper import AZURE_CREDENTIAL, get_subscription_id
+
+
+class Command(BaseCommand):
+    help = "Purges the CDN endpoint"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--wait",
+            action="store_true",
+            help="Wait for the purge operation to complete",
+        )
+
+    def handle(self, *args, **options):
+        # Read environment variables
+        resource_group = os.getenv("WEBSITE_RESOURCE_GROUP")
+        profile_name = os.getenv("CDN_PROFILE")
+        endpoint_name = os.getenv("CDN_ENDPOINT")
+        content_paths = ["/*"]
+
+        # Ensure all required environment variables are set
+        if not all([resource_group, profile_name, endpoint_name]):
+            self.stderr.write(self.style.ERROR("Missing required environment variables."))
+            return
+
+        # Authenticate with Azure
+        cdn_client = CdnManagementClient(AZURE_CREDENTIAL, get_subscription_id())
+
+        try:
+            # Purge the CDN endpoint
+            purge_operation = cdn_client.endpoints.begin_purge_content(
+                resource_group_name=resource_group,
+                profile_name=profile_name,
+                endpoint_name=endpoint_name,
+                content_file_paths=PurgeParameters(content_paths=content_paths),
+            )
+
+            # Check if the --wait argument was provided
+            if options["wait"]:
+                purge_operation.result()  # Wait for the operation to complete
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation completed successfully."))
+            else:
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation started successfully."))
+
+        except Exception as e:
+            self.stderr.write(self.style.ERROR(f"Error executing CDN endpoint purge command: {e}"))
+```
+
+And our azure_helper:
+```python
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource import SubscriptionClient
+
+# Azure credentials
+AZURE_CREDENTIAL = DefaultAzureCredential()
+
+
+def get_db_password() -> str:
+    return AZURE_CREDENTIAL.get_token("https://ossrdbms-aad.database.windows.net/.default").token
+
+
+def get_subscription_id() -> str:
+    subscription_client = SubscriptionClient(AZURE_CREDENTIAL)
+    subscriptions = list(subscription_client.subscriptions.list())
+    return subscriptions[0].subscription_id
+```
+
 ## Change requests
 I created this for internal use but since it took me a while to puzzle all the things together I decided to share it.
 Therefore this project is not super generic, but tailored to my needs. I am however open to pull or change requests to improve this project or to make it more usable for others.

{pulumi_django_azure-1.0.9 → pulumi_django_azure-1.0.15}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "pulumi-django-azure"
-version = "1.0.9"
+version = "1.0.15"
 description = "Simply deployment of Django on Azure with Pulumi"
 readme = "README.md"
 authors = [{ name = "Maarten Ureel", email = "maarten@youreal.eu" }]
@@ -27,19 +27,36 @@ Homepage = "https://gitlab.com/MaartenUreel/pulumi-django-azure"
 
 [tool.poetry]
 name = "pulumi-django-azure"
-version = "1.0.9"
+version = "1.0.15"
 description = "Simply deployment of Django on Azure with Pulumi"
 authors = ["Maarten Ureel <maarten@youreal.eu>"]
 
 [tool.poetry.dependencies]
 python = "^3.11"
-pulumi-azure-native = "^2.24.0"
-pulumi = "^3.99.0"
-pulumi-random = "^4.15.0"
+pulumi-azure-native = "^2.64.2"
+pulumi = "^3.135.0"
+pulumi-random = "^4.16.6"
 
 [tool.poetry.group.dev.dependencies]
-twine = "^4.0.2"
-build = "^1.0.3"
+twine = "^5.1.1"
+build = "^1.2.2"
+ruff = "^0.4.9"
 
-[tool.isort]
-profile = "black"
+[tool.ruff]
+line-length = 140
+
+[tool.ruff.lint]
+select = [
+    # pycodestyle
+    "E",
+    # Pyflakes
+    "F",
+    # pyupgrade
+    "UP",
+    # flake8-bugbear
+    "B",
+    # flake8-simplify
+    "SIM",
+    # isort
+    "I",
+]

pulumi_django_azure-1.0.15/src/pulumi_django_azure/__init__.py

@@ -0,0 +1 @@
+from .django_deployment import DjangoDeployment, HostDefinition  # noqa: F401

{pulumi_django_azure-1.0.9 → pulumi_django_azure-1.0.15}/src/pulumi_django_azure/django_deployment.py

@@ -1,10 +1,56 @@
-from typing import Optional, Sequence
+from collections.abc import Sequence
+from typing import Optional, Union
 
 import pulumi
 import pulumi_azure_native as azure
 import pulumi_random
 
 
+class HostDefinition:
+    """
+    A definition for a custom host name, optionally with a DNS zone.
+
+    :param host: The host name. If a zone is given, this is the relative host name.
+    :param zone: The DNS zone (optional).
+    :param identifier: An identifier for this host definition (optional).
+    """
+
+    def __init__(self, host: str, zone: Optional[azure.network.Zone] = None, identifier: Optional[str] = None):
+        self.host = host
+        self.zone = zone
+        self._identifier = identifier
+
+    @property
+    def identifier(self) -> str:
+        """
+        The identifier for this host definition.
+
+        :return: The identifier
+        """
+        if not self._identifier:
+            if self.zone:
+                raise ValueError(f"An identifier is required for the HostDefinition with host '{self.host}' ensure uniqueness.")
+            else:
+                # Use the host name as the identifier
+                return self.host.replace(".", "-")
+        else:
+            return self._identifier
+
+    @property
+    def full_host(self) -> pulumi.Output[str]:
+        """
+        The full host name, including the zone.
+
+        :return: The full host name
+        """
+        if not self.zone:
+            return pulumi.Output.concat(self.host)
+        elif self.host == "@":
+            return self.zone.name
+        else:
+            return pulumi.Output.concat(self.host, ".", self.zone.name)
+
+
 class DjangoDeployment(pulumi.ComponentResource):
     HEALTH_CHECK_PATH = "/health-check"
 
@@ -19,7 +65,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         appservice_ip_prefix: str,
         app_service_sku: azure.web.SkuDescriptionArgs,
         storage_account_name: str,
-        cdn_host: Optional[str],
+        storage_allowed_origins: Optional[Sequence[str]] = None,
+        pgadmin_access_ip: Optional[Sequence[str]] = None,
+        pgadmin_dns_zone: Optional[azure.network.Zone] = None,
+        cdn_host: Optional[HostDefinition] = None,
         opts=None,
     ):
         """
@@ -34,7 +83,10 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param appservice_ip_prefix: The IP prefix for the app service subnet.
         :param app_service_sku: The SKU for the app service plan.
         :param storage_account_name: The name of the storage account. Should be unique across Azure.
-        :param cdn_host: A custom CDN host name (optional)
+        :param storage_allowed_origins: The origins (hosts) to allow access through CORS policy. You can specify '*' to allow all.
+        :param pgadmin_access_ip: The IP addresses to allow access to pgAdmin. If empty, all IP addresses are allowed.
+        :param pgadmin_dns_zone: The Azure DNS zone to a pgadmin DNS record in. (optional)
+        :param cdn_host: A custom CDN host name. (optional)
         :param opts: The resource options
         """
 
@@ -49,7 +101,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._vnet = vnet
 
         # Storage resources
-        self._create_storage(account_name=storage_account_name)
+        self._create_storage(account_name=storage_account_name, allowed_origins=storage_allowed_origins)
         self._cdn_host = self._create_cdn(custom_host=cdn_host)
 
         # PostgreSQL resources
@@ -67,9 +119,9 @@ class DjangoDeployment(pulumi.ComponentResource):
         self._app_service_plan = self._create_app_service_plan(sku=app_service_sku)
 
         # Create a pgAdmin app
-        self._create_pgadmin_app()
+        self._create_pgadmin_app(access_ip=pgadmin_access_ip, dns_zone=pgadmin_dns_zone)
 
-    def _create_storage(self, account_name: str):
+    def _create_storage(self, account_name: str, allowed_origins: Optional[Sequence[str]] = None):
         # Create blob storage
         self._storage_account = azure.storage.StorageAccount(
             f"sa-{self._name}",
@@ -85,7 +137,26 @@ class DjangoDeployment(pulumi.ComponentResource):
             enable_https_traffic_only=True,
         )
 
-    def _create_cdn(self, custom_host: Optional[str]) -> pulumi.Output[str]:
+        if allowed_origins:
+            azure.storage.BlobServiceProperties(
+                f"sa-{self._name}-blob-properties",
+                resource_group_name=self._rg,
+                account_name=self._storage_account.name,
+                blob_services_name="default",
+                cors=azure.storage.CorsRulesArgs(
+                    cors_rules=[
+                        azure.storage.CorsRuleArgs(
+                            allowed_headers=["*"],
+                            allowed_methods=["GET", "OPTIONS", "HEAD"],
+                            allowed_origins=allowed_origins,
+                            exposed_headers=["Access-Control-Allow-Origin"],
+                            max_age_in_seconds=86400,
+                        )
+                    ]
+                ),
+            )
+
+    def _create_cdn(self, custom_host: Optional[HostDefinition]) -> pulumi.Output[str]:
         """
         Create a CDN endpoint. If a host name is given, it will be used as the custom domain.
         Otherwise, the default CDN host name will be returned.
@@ -95,7 +166,7 @@ class DjangoDeployment(pulumi.ComponentResource):
         """
 
         # Put CDN in front
-        cdn = azure.cdn.Profile(
+        self._cdn_profile = azure.cdn.Profile(
             f"cdn-{self._name}",
             resource_group_name=self._rg,
             location="global",
@@ -125,25 +196,51 @@ class DjangoDeployment(pulumi.ComponentResource):
             ],
             is_http_allowed=False,
             is_https_allowed=True,
-            profile_name=cdn.name,
+            profile_name=self._cdn_profile.name,
             origin_host_header=endpoint_origin,
             origins=[azure.cdn.DeepCreatedOriginArgs(name="origin-storage", host_name=endpoint_origin)],
-            query_string_caching_behavior=azure.cdn.QueryStringCachingBehavior.IGNORE_QUERY_STRING,
+            query_string_caching_behavior=azure.cdn.QueryStringCachingBehavior.USE_QUERY_STRING,
         )
 
         pulumi.export("cdn_cname", self._cdn_endpoint.host_name)
 
         # Add custom domain if given
         if custom_host:
-            azure.cdn.CustomDomain(
-                f"cdn-custom-domain-{self._name}",
-                resource_group_name=self._rg,
-                profile_name=cdn.name,
-                endpoint_name=self._cdn_endpoint.name,
-                host_name=custom_host,
-            )
+            if custom_host.zone:
+                # Create a DNS record for the custom host in the given zone
+                rs = azure.network.RecordSet(
+                    f"cdn-cname-{self._name}",
+                    resource_group_name=self._rg,
+                    zone_name=custom_host.zone.name,
+                    relative_record_set_name=custom_host.host,
+                    record_type="CNAME",
+                    ttl=3600,
+                    target_resource=azure.network.SubResourceArgs(
+                        id=self._cdn_endpoint.id,
+                    ),
+                )
 
-            return custom_host
+                azure.cdn.CustomDomain(
+                    f"cdn-custom-domain-{self._name}",
+                    resource_group_name=self._rg,
+                    profile_name=self._cdn_profile.name,
+                    endpoint_name=self._cdn_endpoint.name,
+                    host_name=custom_host.full_host,
+                    opts=pulumi.ResourceOptions(depends_on=rs),
+                )
+
+                return custom_host.full_host
+            else:
+                # Add custom hostname without a zone
+                azure.cdn.CustomDomain(
+                    f"cdn-custom-domain-{self._name}",
+                    resource_group_name=self._rg,
+                    profile_name=self._cdn_profile.name,
+                    endpoint_name=self._cdn_endpoint.name,
+                    host_name=custom_host.host,
+                )
+
+                return custom_host.host
         else:
             # Return the default CDN host name
             return self._cdn_endpoint.host_name
@@ -200,7 +297,11 @@ class DjangoDeployment(pulumi.ComponentResource):
         pulumi.export("pgsql_host", self._pgsql.fully_qualified_domain_name)
 
     def _create_subnet(
-        self, name, prefix, delegation_service: Optional[str] = None, service_endpoints: Sequence[str] = []
+        self,
+        name,
+        prefix,
+        delegation_service: Optional[str] = None,
+        service_endpoints: Sequence[str] = [],
     ) -> azure.network.Subnet:
         """
         Generic method to create a subnet with a delegation.
@@ -239,7 +340,22 @@ class DjangoDeployment(pulumi.ComponentResource):
             sku=sku,
         )
 
-    def _create_pgadmin_app(self):
+    def _create_pgadmin_app(self, access_ip: Optional[Sequence[str]] = None, dns_zone: Optional[azure.network.Zone] = None):
+        # Determine the IP restrictions
+        ip_restrictions = []
+        default_restriction = azure.web.DefaultAction.ALLOW
+        if access_ip:
+            default_restriction = azure.web.DefaultAction.DENY
+
+            for ip in access_ip:
+                ip_restrictions.append(
+                    azure.web.IpSecurityRestrictionArgs(
+                        action="Allow",
+                        ip_address=ip,
+                        priority=300,
+                    )
+                )
+
         # The app itself
         app = azure.web.WebApp(
             f"app-pgadmin-{self._name}",
@@ -255,7 +371,10 @@ class DjangoDeployment(pulumi.ComponentResource):
                 linux_fx_version="DOCKER|dpage/pgadmin4",
                 health_check_path="/misc/ping",
                 app_settings=[
-                    azure.web.NameValuePairArgs(name="DOCKER_REGISTRY_SERVER_URL", value="https://index.docker.io/v1"),
+                    azure.web.NameValuePairArgs(
+                        name="DOCKER_REGISTRY_SERVER_URL",
+                        value="https://index.docker.io/v1",
+                    ),
                     azure.web.NameValuePairArgs(name="DOCKER_ENABLE_CI", value="true"),
                     # azure.web.NameValuePairArgs(name="WEBSITE_HTTPLOGGING_RETENTION_DAYS", value="7"),
                     # pgAdmin settings
@@ -263,6 +382,9 @@ class DjangoDeployment(pulumi.ComponentResource):
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_EMAIL", value="dbadmin@dbadmin.net"),
                     azure.web.NameValuePairArgs(name="PGADMIN_DEFAULT_PASSWORD", value="dbadmin"),
                 ],
+                # IP restrictions
+                ip_security_restrictions_default_action=default_restriction,
+                ip_security_restrictions=ip_restrictions,
             ),
         )
 
@@ -274,6 +396,50 @@ class DjangoDeployment(pulumi.ComponentResource):
             share_name="pgadmin",
         )
 
+        if dns_zone:
+            # Create a DNS record for the pgAdmin app
+            cname = azure.network.RecordSet(
+                f"dns-cname-pgadmin-{self._name}",
+                resource_group_name=self._rg,
+                zone_name=dns_zone.name,
+                relative_record_set_name="pgadmin",
+                record_type="CNAME",
+                ttl=3600,
+                cname_record=azure.network.CnameRecordArgs(
+                    cname=app.default_host_name,
+                ),
+            )
+
+            # For the certificate validation to work
+            txt_validation = azure.network.RecordSet(
+                f"dns-txt-pgadmin-{self._name}",
+                resource_group_name=self._rg,
+                zone_name=dns_zone.name,
+                relative_record_set_name="asuid.pgadmin",
+                record_type="TXT",
+                ttl=3600,
+                txt_records=[
+                    azure.network.TxtRecordArgs(
+                        value=[app.custom_domain_verification_id],
+                    )
+                ],
+            )
+
+            # Add custom hostname
+            self._add_webapp_host(
+                app=app,
+                host=dns_zone.name.apply(lambda name: f"pgadmin.{name}"),
+                suffix=self._name,
+                depends_on=[cname, txt_validation],
+                identifier="pgadmin",
+            )
+
+            # Export the custom hostname
+            pulumi.export("pgadmin_url", dns_zone.name.apply(lambda name: f"https://pgadmin.{name}"))
+        else:
+            # Export the default hostname
+            pulumi.export("pgadmin_url", app.default_host_name.apply(lambda host: f"https://{host}"))
+
         # Mount the storage container
         azure.web.WebAppAzureStorageAccounts(
             f"app-pgadmin-mount-{self._name}",
@@ -290,9 +456,24 @@ class DjangoDeployment(pulumi.ComponentResource):
             },
         )
 
-        pulumi.export("pgadmin_url", app.default_host_name.apply(lambda host: f"https://{host}"))
+    def _get_existing_web_app_host_name_binding(self, resource_group_name: str, app_name: str, host_name: str):
+        try:
+            return azure.web.get_web_app_host_name_binding(
+                resource_group_name=resource_group_name,
+                name=app_name,
+                host_name=host_name,
+            )
+        except Exception:
+            return None
 
-    def _add_webapp_host(self, app: azure.web.WebApp, host: str, suffix: str):
+    def _add_webapp_host(
+        self,
+        app: azure.web.WebApp,
+        host: Union[str, pulumi.Input[str]],
+        suffix: str,
+        identifier: str,
+        depends_on: Optional[Sequence[pulumi.Resource]] = None,
+    ):
         """
         Because of a circular dependency, we need to create the certificate and the binding in two steps.
         First we create a binding without a certificate,
@@ -305,48 +486,93 @@ class DjangoDeployment(pulumi.ComponentResource):
         :param app: The web app
         :param host: The host name
         :param suffix: A suffix to make the resource name unique
+        :param depend_on: The resource to depend on (optional)
         """
 
-        safe_host = host.replace(".", "-")
+        if not depends_on:
+            depends_on = []
 
-        try:
-            # Retrieve the existing binding - this will throw an exception if it doesn't exist
-            azure.web.get_web_app_host_name_binding(
-                resource_group_name=app.resource_group,
-                name=app.name,
-                host_name=host,
+        # Retrieve the existing binding (None if it doesn't exist)
+        existing_binding = pulumi.Output.all(app.resource_group, app.name, host).apply(
+            lambda args: self._get_existing_web_app_host_name_binding(
+                resource_group_name=args[0],
+                app_name=args[1],
+                host_name=args[2],
             )
+        )
 
-            # Create a managed certificate
-            # This will work because the binding exists actually
-            certificate = azure.web.Certificate(
-                f"cert-{suffix}-{safe_host}",
-                resource_group_name=self._rg,
-                server_farm_id=app.server_farm_id,
-                canonical_name=host,
-                host_names=[host],
-            )
+        # Create an inline function that we will invoke through the Output.apply lambda
+        def _create_binding_with_cert(existing_binding):
+            if existing_binding:
+                # Create a managed certificate
+                # This will work because the binding exists actually
+                certificate = azure.web.Certificate(
+                    f"cert-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    server_farm_id=app.server_farm_id,
+                    canonical_name=host,
+                    host_names=[host],
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
 
-            # Create a new binding, replacing the old one,
-            # with the certificate
-            azure.web.WebAppHostNameBinding(
-                f"host-binding-{suffix}-{safe_host}",
-                resource_group_name=self._rg,
-                name=app.name,
-                host_name=host,
-                ssl_state=azure.web.SslState.SNI_ENABLED,
-                thumbprint=certificate.thumbprint,
-            )
-        except Exception:
-            # Create a binding without a certificate
-            azure.web.WebAppHostNameBinding(
-                f"host-binding-{suffix}-{safe_host}",
+                # Create a new binding, replacing the old one,
+                # with the certificate
+                azure.web.WebAppHostNameBinding(
+                    f"host-binding-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    name=app.name,
+                    host_name=host,
+                    ssl_state=azure.web.SslState.SNI_ENABLED,
+                    thumbprint=certificate.thumbprint,
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
+
+            else:
+                # Create a binding without a certificate
+                azure.web.WebAppHostNameBinding(
+                    f"host-binding-{suffix}-{identifier}",
+                    resource_group_name=self._rg,
+                    name=app.name,
+                    host_name=host,
+                    opts=pulumi.ResourceOptions(depends_on=depends_on),
+                )
+
+        existing_binding.apply(_create_binding_with_cert)
+
+    def _create_comms_dns_records(self, suffix, host: HostDefinition, records: dict) -> list[azure.network.RecordSet]:
+        created_records = []
+
+        # Domain validation and SPF record (one TXT record with multiple values)
+        r = azure.network.RecordSet(
+            f"dns-comms-{suffix}-{host.identifier}-domain",
+            resource_group_name=self._rg,
+            zone_name=host.zone.name,
+            relative_record_set_name="@",
+            record_type="TXT",
+            ttl=3600,
+            txt_records=[
+                azure.network.TxtRecordArgs(value=[records["domain"]["value"]]),
+                azure.network.TxtRecordArgs(value=[records["s_pf"]["value"]]),
+            ],
+        )
+        created_records.append(r)
+
+        # DKIM records (two CNAME records)
+        for record in ("d_kim", "d_kim2"):
+            r = azure.network.RecordSet(
+                f"dns-comms-{suffix}-{host.identifier}-{record}",
                 resource_group_name=self._rg,
-                name=app.name,
-                host_name=host,
+                zone_name=host.zone.name,
+                relative_record_set_name=records[record]["name"],
+                record_type="CNAME",
+                ttl=records[record]["ttl"],
+                cname_record=azure.network.CnameRecordArgs(cname=records[record]["value"]),
             )
+            created_records.append(r)
 
-    def _add_webapp_comms(self, data_location: str, domains: list[str], suffix: str) -> azure.communication.CommunicationService:
+        return created_records
+
+    def _add_webapp_comms(self, data_location: str, domains: list[HostDefinition], suffix: str) -> azure.communication.CommunicationService:
         email_service = azure.communication.EmailService(
             f"comms-email-{suffix}",
             resource_group_name=self._rg,
@@ -355,30 +581,37 @@ class DjangoDeployment(pulumi.ComponentResource):
         )
 
         domain_resources = []
-        if domains:
-            # Add our own custom domains
-            for domain in domains:
-                safe_host = domain.replace(".", "-")
-                d = azure.communication.Domain(
-                    f"comms-email-domain-{suffix}-{safe_host}",
-                    resource_group_name=self._rg,
-                    location="global",
-                    domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
-                    domain_name=domain,
-                    email_service_name=email_service.name,
-                )
-                domain_resources.append(d.id.apply(lambda n: n))
-        else:
-            # Add an Azure managed domain
+        comm_dependencies = []
+
+        # Add our own custom domains
+        for domain in domains:
             d = azure.communication.Domain(
-                f"comms-email-domain-{suffix}-azure",
+                f"comms-email-domain-{suffix}-{domain.identifier}",
                 resource_group_name=self._rg,
                 location="global",
-                domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
-                domain_name="AzureManagedDomain",
+                domain_management=azure.communication.DomainManagement.CUSTOMER_MANAGED,
+                domain_name=domain.full_host,
                 email_service_name=email_service.name,
             )
-            domain_resources.append(d.id.apply(lambda n: n))
+
+            if domain.zone:
+                # Create DNS records in the managed zone
+                comm_dependencies = pulumi.Output.all(suffix, domain, d.verification_records).apply(
+                    lambda args: self._create_comms_dns_records(suffix=args[0], host=args[1], records=args[2])
+                )
+
+            domain_resources.append(d.id)
+
+        # Add an Azure managed domain
+        d = azure.communication.Domain(
+            f"comms-email-domain-{suffix}-azure",
+            resource_group_name=self._rg,
+            location="global",
+            domain_management=azure.communication.DomainManagement.AZURE_MANAGED,
+            domain_name="AzureManagedDomain",
+            email_service_name=email_service.name,
+        )
+        domain_resources.append(d.id)
 
         # Create Communication Services and link the domains
         comm_service = azure.communication.CommunicationService(
@@ -387,16 +620,25 @@ class DjangoDeployment(pulumi.ComponentResource):
             location="global",
             data_location=data_location,
             linked_domains=domain_resources,
+            opts=pulumi.ResourceOptions(depends_on=comm_dependencies),
         )
 
         return comm_service
 
     def _add_webapp_vault(self, administrators: list[str], suffix: str) -> azure.keyvault.Vault:
-        # Create a keyvault
+        # Create a keyvault with a random suffix to make the name unique
+        random_suffix = pulumi_random.RandomString(
+            f"vault-suffix-{suffix}",
+            # Total length is 24, so deduct the length of the suffix
+            length=(24 - 7 - len(suffix)),
+            special=False,
+            upper=False,
+        )
+
         vault = azure.keyvault.Vault(
             f"vault-{suffix}",
             resource_group_name=self._rg,
-            vault_name=f"vault-{suffix}",
+            vault_name=random_suffix.result.apply(lambda r: f"vault-{suffix}-{r}"),
             properties=azure.keyvault.VaultPropertiesArgs(
                 tenant_id=self._tenant_id,
                 sku=azure.keyvault.SkuArgs(
@@ -407,27 +649,35 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
         )
 
-        # Find the Key Vault Administrator role
-        administrator_role = vault.id.apply(
-            lambda scope: azure.authorization.get_role_definition(
-                role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
-                scope=scope,
-            )
-        )
-
         # Add vault administrators
-        for a in administrators:
-            azure.authorization.RoleAssignment(
-                f"ra-{suffix}-vault-admin-{a}",
-                principal_id=a,
-                principal_type=azure.authorization.PrincipalType.USER,
-                role_definition_id=administrator_role.id,
-                scope=vault.id,
+        if administrators:
+            # Find the Key Vault Administrator role
+            administrator_role = vault.id.apply(
+                lambda scope: azure.authorization.get_role_definition(
+                    role_definition_id="00482a5a-887f-4fb3-b363-3b7fe8e74483",
+                    scope=scope,
+                )
             )
 
+            # Actual administrator roles
+            for a in administrators:
+                azure.authorization.RoleAssignment(
+                    f"ra-{suffix}-vault-admin-{a}",
+                    principal_id=a,
+                    principal_type=azure.authorization.PrincipalType.USER,
+                    role_definition_id=administrator_role.id,
+                    scope=vault.id,
+                )
+
         return vault
 
-    def _add_webapp_secret(self, vault: azure.keyvault.Vault, secret_name: str, config_secret_name: str, suffix: str):
+    def _add_webapp_secret(
+        self,
+        vault: azure.keyvault.Vault,
+        secret_name: str,
+        config_secret_name: str,
+        suffix: str,
+    ):
         secret = self._config.require_secret(config_secret_name)
 
         # Normalize the secret name
@@ -487,13 +737,13 @@ class DjangoDeployment(pulumi.ComponentResource):
         db_name: str,
         repository_url: str,
         repository_branch: str,
-        website_hosts: list[str],
+        website_hosts: list[HostDefinition],
         django_settings_module: str,
-        environment_variables: dict[str, str] = {},
-        secrets: dict[str, str] = {},
+        environment_variables: Optional[dict[str, str]] = None,
+        secrets: Optional[dict[str, str]] = None,
         comms_data_location: Optional[str] = None,
-        comms_domains: Optional[list[str]] = [],
-        vault_administrators: Optional[list[str]] = [],
+        comms_domains: Optional[list[HostDefinition]] = None,
+        vault_administrators: Optional[list[str]] = None,
     ) -> azure.web.WebApp:
         """
         Create a Django website with it's own database and storage containers.
@@ -541,7 +791,11 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         # Communication Services (optional)
         if comms_data_location:
+            if not comms_domains:
+                comms_domains = []
+
             comms = self._add_webapp_comms(comms_data_location, comms_domains, f"{name}-{self._name}")
+
             # Add the service endpoint as environment variable
             environment_variables["AZURE_COMMUNICATION_SERVICE_ENDPOINT"] = comms.host_name.apply(lambda host: f"https://{host}")
         else:
@@ -567,6 +821,8 @@ class DjangoDeployment(pulumi.ComponentResource):
             for key, value in environment_variables.items()
         ]
 
+        allowed_hosts = pulumi.Output.concat(*[pulumi.Output.concat(host.full_host, ",") for host in website_hosts])
+
         app = azure.web.WebApp(
             f"app-{name}-{self._name}",
             resource_group_name=self._rg,
@@ -577,6 +833,7 @@ class DjangoDeployment(pulumi.ComponentResource):
             ),
             https_only=True,
             site_config=azure.web.SiteConfigArgs(
+                app_command_line="cicd/startup.sh",
                 always_on=True,
                 health_check_path=self.HEALTH_CHECK_PATH,
                 ftps_state=azure.web.FtpsState.DISABLED,
@@ -594,15 +851,23 @@ class DjangoDeployment(pulumi.ComponentResource):
                     # azure.web.NameValuePairArgs(name="DEBUG", value="true"),
                     azure.web.NameValuePairArgs(name="DJANGO_SETTINGS_MODULE", value=django_settings_module),
                     azure.web.NameValuePairArgs(name="DJANGO_SECRET_KEY", value=secret_key.result),
-                    azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=",".join(website_hosts)),
+                    azure.web.NameValuePairArgs(name="DJANGO_ALLOWED_HOSTS", value=allowed_hosts),
                     # Vault settings
                     azure.web.NameValuePairArgs(name="AZURE_KEY_VAULT", value=vault.name),
                     # Storage settings
-                    azure.web.NameValuePairArgs(name="AZURE_STORAGE_ACCOUNT_NAME", value=self._storage_account.name),
-                    azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_STATICFILES", value=static_container.name),
+                    azure.web.NameValuePairArgs(
+                        name="AZURE_STORAGE_ACCOUNT_NAME",
+                        value=self._storage_account.name,
+                    ),
+                    azure.web.NameValuePairArgs(
+                        name="AZURE_STORAGE_CONTAINER_STATICFILES",
+                        value=static_container.name,
+                    ),
                     azure.web.NameValuePairArgs(name="AZURE_STORAGE_CONTAINER_MEDIA", value=media_container.name),
                     # CDN
                     azure.web.NameValuePairArgs(name="CDN_HOST", value=self._cdn_host),
+                    azure.web.NameValuePairArgs(name="CDN_PROFILE", value=self._cdn_profile.name),
+                    azure.web.NameValuePairArgs(name="CDN_ENDPOINT", value=self._cdn_endpoint.name),
                     # Database settings
                     azure.web.NameValuePairArgs(name="DB_HOST", value=self._pgsql.fully_qualified_domain_name),
                     azure.web.NameValuePairArgs(name="DB_NAME", value=db.name),
@@ -620,9 +885,85 @@ class DjangoDeployment(pulumi.ComponentResource):
         # We need this to verify custom domains
         pulumi.export(f"{name}_site_domain_verification_id", app.custom_domain_verification_id)
         pulumi.export(f"{name}_site_domain_cname", app.default_host_name)
+        virtual_ip = app.outbound_ip_addresses.apply(lambda addresses: addresses.split(",")[-1])
+        pulumi.export(f"{name}_site_virtual_ip", virtual_ip)
+
+        # Get the URL of the publish profile.
+        # Use app.identity here too to ensure the app is actually created before getting credentials.
+        credentials = pulumi.Output.all(self._rg, app.name, app.identity).apply(
+            lambda args: azure.web.list_web_app_publishing_credentials(
+                resource_group_name=args[0],
+                name=args[1],
+            )
+        )
+
+        pulumi.export(f"{name}_deploy_url", pulumi.Output.concat(credentials.scm_uri, "/deploy"))
 
         for host in website_hosts:
-            self._add_webapp_host(app=app, host=host, suffix=f"{name}-{self._name}")
+            dependencies = []
+
+            if host.zone:
+                # Create a DNS record in the zone
+
+                if host.host == "@":
+                    # Create a A record for the virtual IP address
+                    a = azure.network.RecordSet(
+                        f"dns-a-{name}-{self._name}-{host.identifier}",
+                        resource_group_name=self._rg,
+                        zone_name=host.zone.name,
+                        relative_record_set_name=host.host,
+                        record_type="A",
+                        ttl=3600,
+                        a_records=[
+                            azure.network.ARecordArgs(
+                                ipv4_address=virtual_ip,
+                            )
+                        ],
+                    )
+
+                    dependencies.append(a)
+                else:
+                    # Create a CNAME record for the custom hostname
+                    cname = azure.network.RecordSet(
+                        f"dns-cname-{name}-{self._name}-{host.identifier}",
+                        resource_group_name=self._rg,
+                        zone_name=host.zone.name,
+                        relative_record_set_name=host.host,
+                        record_type="CNAME",
+                        ttl=3600,
+                        cname_record=azure.network.CnameRecordArgs(
+                            cname=app.default_host_name,
+                        ),
+                    )
+                    dependencies.append(cname)
+
+                # For the certificate validation to work
+                relative_record_set_name = "asuid" if host.host == "@" else pulumi.Output.concat("asuid.", host.host)
+
+                txt_validation = azure.network.RecordSet(
+                    f"dns-txt-{name}-{self._name}-{host.identifier}",
+                    resource_group_name=self._rg,
+                    zone_name=host.zone.name,
+                    relative_record_set_name=relative_record_set_name,
+                    record_type="TXT",
+                    ttl=3600,
+                    txt_records=[
+                        azure.network.TxtRecordArgs(
+                            value=[app.custom_domain_verification_id],
+                        )
+                    ],
+                )
+
+                dependencies.append(txt_validation)
+
+            # Add the host with optional dependencies
+            self._add_webapp_host(
+                app=app,
+                host=host.full_host,
+                suffix=f"{name}-{self._name}",
+                identifier=host.identifier,
+                depends_on=dependencies,
+            )
 
         # To enable deployment from GitLab
         azure.web.WebAppSourceControl(
@@ -638,7 +979,8 @@ class DjangoDeployment(pulumi.ComponentResource):
 
         # Where we can retrieve the SSH key
         pulumi.export(
-            f"{name}_deploy_ssh_key_url", app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1")
+            f"{name}_deploy_ssh_key_url",
+            app.name.apply(lambda name: f"https://{name}.scm.azurewebsites.net/api/sshkey?ensurePublicKey=1"),
         )
 
         # Find the role for Key Vault Secrets User
@@ -694,28 +1036,29 @@ class DjangoDeployment(pulumi.ComponentResource):
                 scope=comms.id,
             )
 
-        # Create a CORS rules for this website
-        if website_hosts:
-            origins = [f"https://{host}" for host in website_hosts]
-        else:
-            origins = ["*"]
+        # Grant the app to purge the CDN endpoint
+        cdn_role = self._cdn_endpoint.id.apply(
+            lambda scope: azure.authorization.get_role_definition(
+                role_definition_id="/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
+                scope=scope,
+            )
+        )
 
-        azure.storage.BlobServiceProperties(
-            f"sa-{name}-blob-properties",
-            resource_group_name=self._rg,
-            account_name=self._storage_account.name,
-            blob_services_name="default",
-            cors=azure.storage.CorsRulesArgs(
-                cors_rules=[
-                    azure.storage.CorsRuleArgs(
-                        allowed_headers=["*"],
-                        allowed_methods=["GET", "OPTIONS", "HEAD"],
-                        allowed_origins=origins,
-                        exposed_headers=["Access-Control-Allow-Origin"],
-                        max_age_in_seconds=86400,
-                    )
-                ]
-            ),
+        azure.authorization.RoleAssignment(
+            f"ra-{name}-cdn",
+            principal_id=principal_id,
+            principal_type=azure.authorization.PrincipalType.SERVICE_PRINCIPAL,
+            role_definition_id=cdn_role.id,
+            scope=self._cdn_endpoint.id,
         )
 
         return app
+
+    def _strip_off_dns_zone_name(self, host: str, zone: azure.network.Zone) -> pulumi.Output[str]:
+        """
+        Strip off the DNS zone name from the host name.
+
+        :param host: The host name
+        :return: The host name without the DNS zone
+        """
+        return zone.name.apply(lambda name: host[: -len(name) - 1])

{pulumi_django_azure-1.0.9 → pulumi_django_azure-1.0.15/src/pulumi_django_azure.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pulumi-django-azure
-Version: 1.0.9
+Version: 1.0.15
 Summary: Simply deployment of Django on Azure with Pulumi
 Author-email: Maarten Ureel <maarten@youreal.eu>
 License: MIT License
@@ -50,6 +50,19 @@ To have a proper and secure environment, we need these components:
 * Azure Key Vault per application
 * Webapp running pgAdmin
 
+## Project requirements
+Your Django project should contain a folder `cicd` with these files:
+* pre_build.sh: commands to be executed before building the application, for example NPM install, CSS build commands,...
+* post_build.sh: commands to be executed after building the application, e.g. cleaning up.
+  Note that this runs in the identity of the build container, so you should not run database or storage manipulations here.
+* startup.sh: commands to run the actual application. I recommend to put at least:
+  ```bash
+  python manage.py migrate
+  python manage.py collectstatic --noinput
+  python manage.py purge_cdn
+  gunicorn --timeout 600 --workers $((($NUM_CORES*2)+1)) --chdir $APP_PATH yourapplication.wsgi --access-logfile '-' --error-logfile '-'
+  ```
+  Be sure to change `yourapplication` in the above. To see the `purge_cdn` management command we use here, see below.
 ## Installation
 This package is published on PyPi, so you can just add pulumi-django-azure to your requirements file.
 
@@ -244,6 +257,82 @@ Be sure to configure the SSH key that Azure will use on GitLab side. You can obt
 
 This would then trigger a redeploy everytime you make a commit to your live branch.
 
+## CDN Purging
+We added a management command to Django to purge the CDN cache, and added that to the startup script. Our version is here:
+```python
+import os
+
+from azure.mgmt.cdn import CdnManagementClient
+from azure.mgmt.cdn.models import PurgeParameters
+from django.core.management.base import BaseCommand
+
+from core.azure_helper import AZURE_CREDENTIAL, get_subscription_id
+
+
+class Command(BaseCommand):
+    help = "Purges the CDN endpoint"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--wait",
+            action="store_true",
+            help="Wait for the purge operation to complete",
+        )
+
+    def handle(self, *args, **options):
+        # Read environment variables
+        resource_group = os.getenv("WEBSITE_RESOURCE_GROUP")
+        profile_name = os.getenv("CDN_PROFILE")
+        endpoint_name = os.getenv("CDN_ENDPOINT")
+        content_paths = ["/*"]
+
+        # Ensure all required environment variables are set
+        if not all([resource_group, profile_name, endpoint_name]):
+            self.stderr.write(self.style.ERROR("Missing required environment variables."))
+            return
+
+        # Authenticate with Azure
+        cdn_client = CdnManagementClient(AZURE_CREDENTIAL, get_subscription_id())
+
+        try:
+            # Purge the CDN endpoint
+            purge_operation = cdn_client.endpoints.begin_purge_content(
+                resource_group_name=resource_group,
+                profile_name=profile_name,
+                endpoint_name=endpoint_name,
+                content_file_paths=PurgeParameters(content_paths=content_paths),
+            )
+
+            # Check if the --wait argument was provided
+            if options["wait"]:
+                purge_operation.result()  # Wait for the operation to complete
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation completed successfully."))
+            else:
+                self.stdout.write(self.style.SUCCESS("CDN endpoint purge operation started successfully."))
+
+        except Exception as e:
+            self.stderr.write(self.style.ERROR(f"Error executing CDN endpoint purge command: {e}"))
+```
+
+And our azure_helper:
+```python
+from azure.identity import DefaultAzureCredential
+from azure.mgmt.resource import SubscriptionClient
+
+# Azure credentials
+AZURE_CREDENTIAL = DefaultAzureCredential()
+
+
+def get_db_password() -> str:
+    return AZURE_CREDENTIAL.get_token("https://ossrdbms-aad.database.windows.net/.default").token
+
+
+def get_subscription_id() -> str:
+    subscription_client = SubscriptionClient(AZURE_CREDENTIAL)
+    subscriptions = list(subscription_client.subscriptions.list())
+    return subscriptions[0].subscription_id
+```
+
 ## Change requests
 I created this for internal use but since it took me a while to puzzle all the things together I decided to share it.
 Therefore this project is not super generic, but tailored to my needs. I am however open to pull or change requests to improve this project or to make it more usable for others.

pulumi_django_azure-1.0.9/src/pulumi_django_azure/__init__.py

@@ -1 +0,0 @@
-from .django_deployment import DjangoDeployment  # noqa: F401