alan-turing-institute · JimMadge · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024
@@ -10,6 +10,10 @@
     SREApplicationGatewayComponent,
     SREApplicationGatewayProps,
 )
+from .sre.apps import (
+    SREAppsComponent,
+    SREAppsProps,
+)
 from .sre.apt_proxy_server import SREAptProxyServerComponent, SREAptProxyServerProps
 from .sre.backup import (
     SREBackupComponent,
@@ -327,6 +331,17 @@ def __call__(self) -> None:
             tags=self.tags,
         )
 
+        # Deploy apps
+        SREAppsComponent(
+            "sre_apps",
+            self.stack_name,
+            SREAppsProps(
+                location=self.config.azure.location,
+                resource_group_name=resource_group.name,
+            ),
+            tags=self.tags,
+        )
+
         # Deploy monitoring
         monitoring = SREMonitoringComponent(
             "sre_monitoring",

@@ -0,0 +1,196 @@
+"""Pulumi component for SRE function/web apps"""
+
+from collections.abc import Mapping
+
+from pulumi import ComponentResource, FileArchive, Input, Output, ResourceOptions
+from pulumi_azure_native import (
+    storage,
+    web,
+)
+
+from data_safe_haven.functions import (
+    alphanumeric,
+    truncate_tokens,
+)
+from data_safe_haven.resources import resources_path
+
+
+class SREAppsProps:
+    """Properties for SREAppsComponent"""
+
+    def __init__(
+        self,
+        location: Input[str],
+        resource_group_name: Input[str],
+    ):
+        self.location = location
+        self.resource_group_name = resource_group_name
+
+
+class SREAppsComponent(ComponentResource):
+    """Deploy SRE function/web apps with Pulumi"""
+
+    def __init__(
+        self,
+        name: str,
+        stack_name: str,
+        props: SREAppsProps,
+        opts: ResourceOptions | None = None,
+        tags: Input[Mapping[str, Input[str]]] | None = None,
+    ) -> None:
+        super().__init__("dsh:sre:AppsComponent", name, {}, opts)
+        child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
+        child_tags = tags if tags else {}
+
+        # Deploy storage account
+        # The storage account holds app data/configuration
+        storage_account = storage.StorageAccount(
+            f"{self._name}_storage_account",
+            account_name=alphanumeric(
+                f"{''.join(truncate_tokens(stack_name.split('-'), 14))}apps"
+            )[:24],
+            kind=storage.Kind.STORAGE_V2,
+            location=props.location,
+            resource_group_name=props.resource_group_name,
+            sku=storage.SkuArgs(name=storage.SkuName.STANDARD_GRS),
+            opts=child_opts,
+            tags=child_tags,
+        )
+
+        # Create function apps container
+        container = storage.BlobContainer(
+            f"{self._name}_container_functions",
+            account_name=storage_account.name,
+            container_name="functions",
+            public_access=storage.PublicAccess.NONE,
+            resource_group_name=props.resource_group_name,
+            opts=ResourceOptions.merge(
+                child_opts,
+                ResourceOptions(parent=storage_account),
+            ),
+        )
+
+        # Upload Gitea mirror function app
+        blob_gitea_mirror = storage.Blob(
+            f"{self._name}_blob_gitea_mirror",
+            account_name=storage_account.name,
+            container_name=container.name,
+            resource_group_name=props.resource_group_name,
+            source=FileArchive(
+                str((resources_path / "gitea_mirror" / "functions").absolute()),
+            ),
+            opts=ResourceOptions.merge(
+                child_opts,
+                ResourceOptions(parent=container),
+            ),
+        )
+
+        # Get URL of app blob
+        blob_url = get_blob_url(
+            blob=blob_gitea_mirror,
+            container=container,
+            storage_account=storage_account,
+            resource_group_name=props.resource_group_name,
+        )
+
+        # Get connection string
+        connection_string = get_connection_string(
+            resource_group_name=props.resource_group_name,
+            storage_account=storage_account,
+        )
+
+        # Deploy service plan
+        app_service_plan = web.AppServicePlan(
+            f"{self._name}_app_service_plan",
+            kind="linux",
+            location=props.location,
+            name=f"{stack_name}-app-service-plan",
+            reserved=True,
+            resource_group_name=props.resource_group_name,
+            sku={
+                "name": "B1",
+                "tier": "Basic",
+                "size": "B1",
+                "family": "B",
+                "capacity": 1,
+            },
+            tags=child_tags,
+        )
+
+        # Deploy app
+        web.WebApp(
+            f"{self._name}_web_app",
+            enabled=True,
+            https_only=True,
+            kind="functionapp,linux",
+            location=props.location,
+            name=f"{stack_name}-gitea-mirror-api",
+            resource_group_name=props.resource_group_name,
+            server_farm_id=app_service_plan.id,
+            site_config=web.SiteConfigArgs(
+                always_on=True,
+                app_settings=[
+                    {"name": "AzureWebJobsStorage", "value": connection_string},
+                    {"name": "runtime", "value": "python"},
+                    {"name": "pythonVersion", "value": "3.11"},
+                    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"},
+                    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": blob_url},
+                    {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4"},
+                ],
+                linux_fx_version="Python|3.11",
+            ),
+            tags=child_tags,
+        )
+
+
+def get_blob_url(
+    blob: Input[storage.Blob],
+    container: Input[storage.BlobContainer],
+    resource_group_name: Input[str],
+    storage_account: Input[storage.StorageAccount],
+) -> Output[str]:
+    sas = storage.list_storage_account_service_sas_output(
+        account_name=storage_account.name,
+        protocols=storage.HttpProtocol.HTTPS,
+        shared_access_expiry_time="2030-01-01",
+        shared_access_start_time="2021-01-01",
+        resource_group_name=resource_group_name,
+        # Access to container
+        resource=storage.SignedResource.C,
+        # Read access
+        permissions=storage.Permissions.R,
+        canonicalized_resource=Output.format(
+            "/blob/{account_name}/{container_name}",
+            account_name=storage_account.name,
+            container_name=container.name,
+        ),
+        # content_type="application/json",
+        # cache_control="max-age=5",
+        # content_disposition="inline",
+        # content_encoding="deflate",
+    )
+    token = sas.service_sas_token
+    return Output.format(
+        "https://{storage_account_name}.blob.core.windows.net/{container_name}/{blob_name}?{token}",
+        storage_account_name=storage_account.name,
+        container_name=container.name,
+        blob_name=blob.name,
+        token=token,
+    )
+
+
+def get_connection_string(
+    resource_group_name: Input[str],
+    storage_account: Input[storage.StorageAccount],
+) -> Output[str]:
+    storage_account_keys = storage.list_storage_account_keys_output(
+        resource_group_name=resource_group_name,
+        account_name=storage_account.name,
+    )
+    primary_storage_key = storage_account_keys.keys[0].value
+
+    return Output.format(
+        "DefaultEndpointsProtocol=https;AccountName={storage_account_name};AccountKey={primary_storage_key}",
+        storage_account_name=storage_account.name,
+        primary_storage_key=primary_storage_key,
+    )
@@ -0,0 +1,48 @@
+bin
+obj
+csx
+.vs
+edge
+Publish
+
+*.user
+*.suo
+*.cscfg
+*.Cache
+project.lock.json
+
+/packages
+/TestResults
+
+/tools/NuGet.exe
+/App_Data
+/secrets
+/data
+.secrets
+appsettings.json
+local.settings.json
+
+node_modules
+dist
+
+# Local python packages
+.python_packages/
+
+# Python Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Azurite artifacts
+__blobstorage__
+__queuestorage__
+__azurite_db*__.json
@@ -0,0 +1,87 @@
+import logging
+
+import azure.functions as func
+import requests
+from requests.auth import HTTPBasicAuth
+from shared_code import (
+    api_root,
+    check_args,
+    get_args,
+    gitea_host,
+    handle_response,
+    migrate_path,
+    missing_parameters_repsonse,
+    repos_path,
+    timeout,
+)
+
+
+def main(req: func.HttpRequest) -> func.HttpResponse:
+    logging.info("Request received.")
+
+    raw_args = get_args(
+        [
+            "address",
+            "name",
+            "password",
+            "username",
+        ],
+        req,
+    )
+    args = check_args(raw_args)
+    if not args:
+        return missing_parameters_repsonse()
+
+    extra_data = {
+        "description": f"Read-only mirror of {args['address']}",
+        "mirror": True,
+        "mirror_interval": "10m",
+    }
+
+    auth = HTTPBasicAuth(
+        username=args["username"],
+        password=args["password"],
+    )
+
+    logging.info("Sending request to create mirror.")
+
+    response = requests.post(
+        auth=auth,
+        data={
+            "clone_addr": args["address"],
+            "repo_name": args["name"],
+        }
+        | extra_data,
+        timeout=timeout,
+        url=gitea_host + api_root + migrate_path,
+    )
+
+    if r := handle_response(response, [201], "Error creating repository."):
+        return r
+
+    # Some arguments of the migrate endpoint seem to be ignored or overwritten.
+    # We set repository settings here.
+    logging.info("Sending request to configure mirror repo.")
+
+    response = requests.patch(
+        auth=auth,
+        data={
+            "has_actions": False,
+            "has_issues": False,
+            "has_packages": False,
+            "has_projects": False,
+            "has_pull_requests": False,
+            "has_releases": False,
+            "has_wiki": False,
+        },
+        timeout=timeout,
+        url=gitea_host + api_root + repos_path + f"/{args['username']}/{args['name']}",
+    )
+
+    if r := handle_response(response, [200], "Error configuring repository."):
+        return r
+
+    return func.HttpResponse(
+        "Mirror successfully created.",
+        status_code=200,
+    )
@@ -0,0 +1,20 @@
+{
+  "scriptFile": "__init__.py",
+  "bindings": [
+    {
+      "authLevel": "anonymous",
+      "type": "httpTrigger",
+      "direction": "in",
+      "name": "req",
+      "methods": [
+        "get",
+        "post"
+      ]
+    },
+    {
+      "type": "http",
+      "direction": "out",
+      "name": "$return"
+    }
+  ]
+}