Merge branch 'main' into dependabot/pip/pytest-approx-eq-8.0.0

marvinbuss · web-flow · commit 265e6190ec4c · 2024-02-07T21:21:27.000+01:00
diff --git a/.github/workflows/_containerTemplate.yml b/.github/workflows/_containerTemplate.yml
@@ -54,7 +54,7 @@ jobs:
 
       # Install cosign
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3.3.0
+        uses: sigstore/cosign-installer@v3.4.0
         id: install_cosign
         if: github.event_name == 'release'
         with:
@@ -83,7 +83,7 @@ jobs:
       # Extract Metadata (tags, labels)
       - name: Extract Metadata
         id: metadata
-        uses: docker/metadata-action@v5.5.0
+        uses: docker/metadata-action@v5.5.1
         with:
           context: workflow
           images: |
diff --git a/.github/workflows/functionApp.yml b/.github/workflows/functionApp.yml
@@ -6,13 +6,17 @@ on:
     paths:
       - "**.py"
       - "code/function/**"
+      - "tests/**"
+      - "requirements.txt"
 
   pull_request:
     branches:
       - main
     paths:
       - "**.py"
       - "code/function/**"
+      - "tests/**"
+      - "requirements.txt"
 
 jobs:
   function_test:
diff --git a/code/function/fastapp/core/config.py b/code/function/fastapp/core/config.py
@@ -21,6 +21,7 @@ class Settings(BaseSettings):
     WEBSITE_AUTH_ENCRYPTION_KEY: str = Field(
         default="", alias="WEBSITE_AUTH_ENCRYPTION_KEY"
     )
+    WEBSITE_OS_TYPE: str = Field(default="test", alias="WEBSITE_OS_TYPE")
     MY_SECRET_CONFIG: str = Field(default="", alias="MY_SECRET_CONFIG")
 
 
diff --git a/code/function/fastapp/health/validate_request.py b/code/function/fastapp/health/validate_request.py
@@ -4,24 +4,28 @@
 
 from fastapi import Header, HTTPException
 from fastapp.core.config import settings
+from fastapp.utils import setup_logging
+
+logger = setup_logging(__name__)
 
 
 async def verify_health_auth_header(
-    x_ms_auth_internal_token: Annotated[str, Header()]
+    x_ms_auth_internal_token: Annotated[str | None, Header()] = None
 ) -> bool:
     """Returns true if SHA256 of header_value matches WEBSITE_AUTH_ENCRYPTION_KEY.
+    This only works on Windows-based app services. Therefore, this feature is turned off for other OS types.
     Documentation: https://learn.microsoft.com/en-us/azure/app-service/monitor-instances-health-check?tabs=python#authentication-and-security
 
     x_ms_auth_internal_token: Value of the x-ms-auth-internal-token header.
     RETURNS (bool): Specifies whether the header matches.
     """
-    website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
-    hash = base64.b64encode(
-        sha256(website_auth_encryption_key.encode("utf-8")).digest()
-    ).decode("utf-8")
-    if hash != x_ms_auth_internal_token:
-        raise HTTPException(
-            status_code=400, detail="x-ms-auth-internal-token is invalid"
-        )
-    else:
-        return True
+    if settings.WEBSITE_OS_TYPE.lower() == "windows":
+        website_auth_encryption_key = settings.WEBSITE_AUTH_ENCRYPTION_KEY
+        hash = base64.b64encode(
+            sha256(website_auth_encryption_key.encode("utf-8")).digest()
+        ).decode("utf-8")
+        if hash != x_ms_auth_internal_token:
+            raise HTTPException(
+                status_code=400, detail="x-ms-auth-internal-token is invalid"
+            )
+    return True
diff --git a/code/function/requirements.txt b/code/function/requirements.txt
@@ -4,10 +4,10 @@
 
 # azure-identity~=1.15.0
 azure-functions~=1.18.0
-fastapi~=0.109.0
+fastapi~=0.109.1
 pydantic-settings~=2.1.0
 httpx~=0.26.0
-azure-monitor-opentelemetry-exporter==1.0.0b20
+azure-monitor-opentelemetry-exporter==1.0.0b22
 opentelemetry-instrumentation-fastapi==0.43b0
 opentelemetry-instrumentation-httpx~=0.43b0
 opentelemetry-instrumentation-system-metrics~=0.43b0
diff --git a/code/infra/function.tf b/code/infra/function.tf
@@ -121,6 +121,10 @@ resource "azapi_resource" "function" {
             name  = "WEBSITE_CONTENTOVERVNET"
             value = "1"
           },
+          {
+            name  = "WEBSITE_OS_TYPE"
+            value = azurerm_service_plan.service_plan.os_type
+          },
           {
             name  = "WEBSITE_RUN_FROM_PACKAGE"
             value = "0"
diff --git a/code/infra/logging.tf b/code/infra/logging.tf
@@ -16,32 +16,32 @@ resource "azurerm_application_insights" "application_insights" {
   workspace_id                          = azurerm_log_analytics_workspace.log_analytics_workspace.id
 }
 
-data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" {
-  resource_id = azurerm_application_insights.application_insights.id
-}
-
-resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
-  name                       = "logAnalytics"
-  target_resource_id         = azurerm_application_insights.application_insights.id
-  log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
-
-  dynamic "enabled_log" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
-    content {
-      category_group = entry.value
-    }
-  }
-
-  dynamic "metric" {
-    iterator = entry
-    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
-    content {
-      category = entry.value
-      enabled  = true
-    }
-  }
-}
+# data "azurerm_monitor_diagnostic_categories" "diagnostic_categories_application_insights" { # Disable to avoid duplicate logs in Application Insights
+#   resource_id = azurerm_application_insights.application_insights.id
+# }
+
+# resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_application_insights" {
+#   name                       = "logAnalytics"
+#   target_resource_id         = azurerm_application_insights.application_insights.id
+#   log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id
+
+#   dynamic "enabled_log" {
+#     iterator = entry
+#     for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.log_category_groups
+#     content {
+#       category_group = entry.value
+#     }
+#   }
+
+#   dynamic "metric" {
+#     iterator = entry
+#     for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories_application_insights.metrics
+#     content {
+#       category = entry.value
+#       enabled  = true
+#     }
+#   }
+# }
 
 resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
   name                = "${local.prefix}-log001"
diff --git a/code/infra/storage.tf b/code/infra/storage.tf
@@ -34,6 +34,10 @@ resource "azurerm_storage_account" "storage" {
     default_action             = "Deny"
     ip_rules                   = []
     virtual_network_subnet_ids = []
+    private_link_access {
+      endpoint_resource_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/providers/Microsoft.Security/datascanners/storageDataScanner"
+      endpoint_tenant_id   = data.azurerm_client_config.current.tenant_id
+    }
   }
   nfsv3_enabled                 = false
   public_network_access_enabled = false
diff --git a/code/infra/terraform.tf b/code/infra/terraform.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.87.0"
+      version = "3.90.0"
     }
     azapi = {
       source  = "azure/azapi"
-      version = "1.11.0"
+      version = "1.12.0"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ class Settings(BaseSettings):`
`21`	`21`	`WEBSITE_AUTH_ENCRYPTION_KEY: str = Field(`
`22`	`22`	`default="", alias="WEBSITE_AUTH_ENCRYPTION_KEY"`
`23`	`23`	`)`
	`24`	`+ WEBSITE_OS_TYPE: str = Field(default="test", alias="WEBSITE_OS_TYPE")`
`24`	`25`	`MY_SECRET_CONFIG: str = Field(default="", alias="MY_SECRET_CONFIG")`
`25`	`26`
`26`	`27`
Original file line number	Diff line number	Diff line change
`@@ -4,11 +4,11 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`azurerm = {`
`6`	`6`	`source = "hashicorp/azurerm"`
`7`		`- version = "3.87.0"`
	`7`	`+ version = "3.90.0"`
`8`	`8`	`}`
`9`	`9`	`azapi = {`
`10`	`10`	`source = "azure/azapi"`
`11`		`- version = "1.11.0"`
	`11`	`+ version = "1.12.0"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`