Add bicep

Author: workcontrolgit

ApiResources/TalentManagement-API

@@ -78,11 +78,12 @@ module identityApp 'modules/webApp.bicep' = {
 }
 
 // ─── Angular Static Web App ───────────────────────────────────────────────────
+// Static Web Apps are not available in eastus — use eastus2
 module angularSwa 'modules/staticWebApp.bicep' = {
   name: 'angularSwa'
   params: {
     staticWebAppName: staticWebAppName
-    location: location
+    location: 'westus2'
   }
 }
 
@@ -104,5 +105,3 @@ output apiAppUrl string = apiApp.outputs.url
 output identityAppUrl string = identityApp.outputs.url
 output angularAppUrl string = angularSwa.outputs.url
 output sqlServerFqdn string = sqlServer.outputs.sqlServerFqdn
-output apiDbConnectionString string = sqlServer.outputs.apiDbConnectionString
-output identityDbConnectionString string = sqlServer.outputs.identityDbConnectionString

infra/main.bicep

@@ -8,8 +8,8 @@ resource appServicePlan 'Microsoft.Web/serverfarms@2023-01-01' = {
   name: appServicePlanName
   location: location
   sku: {
-    name: 'B1'
-    tier: 'Basic'
+    name: 'F1'
+    tier: 'Free'
   }
   properties: {
     reserved: false // Windows

infra/modules/appServicePlan.bicep

@@ -69,5 +69,5 @@ resource identityDatabase 'Microsoft.Sql/servers/databases@2023-05-01-preview' =
 }
 
 output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
-output apiDbConnectionString string = 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${apiDbName};Persist Security Info=False;User ID=${sqlAdminLogin};Password=${sqlAdminPassword};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;'
-output identityDbConnectionString string = 'Server=tcp:${sqlServer.properties.fullyQualifiedDomainName},1433;Initial Catalog=${identityDbName};Persist Security Info=False;User ID=${sqlAdminLogin};Password=${sqlAdminPassword};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;'
+output apiDbName string = apiDbName
+output identityDbName string = identityDbName

infra/modules/sqlServer.bicep

@@ -7,9 +7,6 @@ param location string
 @description('Resource ID of the App Service Plan')
 param appServicePlanId string
 
-@description('Stack: dotnet, node, python, etc.')
-param linuxFxVersion string = ''
-
 resource webApp 'Microsoft.Web/sites@2023-01-01' = {
   name: webAppName
   location: location

infra/modules/webApp.bicep

@@ -1,20 +1,20 @@
 // dev.bicepparam — parameter values for the dev environment
-// DO NOT add sqlAdminPassword here — pass it at deploy time from a GitHub Secret:
-//   --parameters sqlAdminPassword=$SQL_ADMIN_PASSWORD
+// SQL password is read from the SQL_ADMIN_PASSWORD environment variable.
+// Set it before deploying: $env:SQL_ADMIN_PASSWORD = 'your-password'
 
 using '../main.bicep'
 
 // ─── Resource naming (Cloud Adoption Framework convention) ────────────────────
 // Pattern: {type}-{workload}-{qualifier}-{env}
 
-param appServicePlanName = 'asp-talent-b1-dev'
+param appServicePlanName = 'asp-talent-f1-dev'
 param apiAppName         = 'app-talent-api-dev'
 param identityAppName    = 'app-talent-ids-dev'
 param staticWebAppName   = 'swa-talent-ui-dev'
 param sqlServerName      = 'sql-talent-dev'
 param apiDbName          = 'sqldb-talent-api-dev'
 param identityDbName     = 'sqldb-talent-ids-dev'
 
-// ─── SQL admin login ──────────────────────────────────────────────────────────
-// Password is passed at deploy time — never stored here
-param sqlAdminLogin = 'sqladmin'
+// SQL admin credentials
+param sqlAdminLogin      = 'sqladmin'
+param sqlAdminPassword   = readEnvironmentVariable('SQL_ADMIN_PASSWORD')

infra/parameters/dev.bicepparam

@@ -0,0 +1,77 @@
+# =============================================================================
+# setup-azure.ps1 - Deploy Azure infrastructure via Bicep
+# =============================================================================
+#
+# Provisions all Azure resources for the Talent Management full stack:
+#   - App Service Plan (B1)
+#   - Web App: Talent Management API  (app-talent-api-dev)
+#   - Web App: Duende IdentityServer  (app-talent-ids-dev)
+#   - Static Web App: Angular UI      (swa-talent-ui-dev)
+#   - Azure SQL Server                (sql-talent-dev)
+#   - SQL Database: API               (sqldb-talent-api-dev)
+#   - SQL Database: IdentityServer    (sqldb-talent-ids-dev)
+#
+# Prerequisites:
+#   az login
+#   az account set --subscription "7d4355af-9f71-4123-8a18-aa68dc430bbf"
+#   Resource group must exist (run setup-oidc.ps1 first)
+#
+# Usage (from repo root):
+#   .\infra\scripts\setup-azure.ps1
+# =============================================================================
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+
+# --- Configuration ------------------------------------------------------------
+$RESOURCE_GROUP     = "rg-talent-dev"
+$RESOURCE_LOCATION  = "westus3"
+$TEMPLATE_FILE      = "infra/main.bicep"
+$PARAMETERS_FILE    = "infra/parameters/dev.bicepparam"
+$SQL_ADMIN_PASSWORD = 'Tr@7vK#2mX$9pL4!'
+# ------------------------------------------------------------------------------
+
+Write-Host ""
+Write-Host "========================================================"
+Write-Host " Azure Infrastructure Deployment"
+Write-Host " Resource Group: $RESOURCE_GROUP"
+Write-Host " Template:       $TEMPLATE_FILE"
+Write-Host " Parameters:     $PARAMETERS_FILE"
+Write-Host "========================================================"
+Write-Host ""
+
+Write-Host ">>> Ensuring resource group exists in $RESOURCE_LOCATION..."
+
+az group create `
+  --name $RESOURCE_GROUP `
+  --location $RESOURCE_LOCATION `
+  --output none
+
+Write-Host "    Resource group ready: $RESOURCE_GROUP ($RESOURCE_LOCATION)"
+Write-Host ""
+Write-Host ">>> Deploying Bicep template..."
+
+# Set env var so dev.bicepparam reads it via readEnvironmentVariable()
+$env:SQL_ADMIN_PASSWORD = $SQL_ADMIN_PASSWORD
+
+$DEPLOYMENT = az deployment group create `
+  --resource-group $RESOURCE_GROUP `
+  --template-file $TEMPLATE_FILE `
+  --parameters $PARAMETERS_FILE `
+  --parameters "location=$RESOURCE_LOCATION" `
+  --output json | ConvertFrom-Json
+
+if (-not $DEPLOYMENT) {
+    Write-Error "Deployment failed - no output returned from az CLI."
+    exit 1
+}
+
+Write-Host ""
+Write-Host "========================================================"
+Write-Host " Deployment Complete - Resource URLs"
+Write-Host "========================================================"
+Write-Host " API App:         $($DEPLOYMENT.properties.outputs.apiAppUrl.value)"
+Write-Host " IdentityServer:  $($DEPLOYMENT.properties.outputs.identityAppUrl.value)"
+Write-Host " Angular SWA:     $($DEPLOYMENT.properties.outputs.angularAppUrl.value)"
+Write-Host " SQL FQDN:        $($DEPLOYMENT.properties.outputs.sqlServerFqdn.value)"
+Write-Host "========================================================"

infra/scripts/setup-azure.ps1

@@ -0,0 +1,133 @@
+# =============================================================================
+# setup-oidc.ps1 — One-time Azure OIDC setup for GitHub Actions (PowerShell)
+# =============================================================================
+#
+# Run this script ONCE per environment to wire up passwordless deployment.
+# It creates an App Registration, adds a Federated Identity Credential so
+# GitHub Actions can authenticate with Azure using short-lived OIDC tokens
+# (no stored passwords), and saves the three required values as GitHub secrets.
+#
+# Prerequisites:
+#   az login                              (logged in to Azure CLI)
+#   az account set --subscription "..."   (correct subscription selected)
+#   gh auth login                         (logged in to GitHub CLI)
+#
+# Usage:
+#   .\infra\scripts\setup-oidc.ps1
+# =============================================================================
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+
+# --- Configuration ------------------------------------------------------------
+# Edit these values before running.
+
+$APP_NAME           = "github-actions-talent-dev"   # App Registration display name
+$RESOURCE_GROUP     = "rg-talent-dev"               # Resource group to manage
+$LOCATION           = "eastus"                      # Azure region
+$GITHUB_ORG         = "workcontrolgit"              # GitHub organisation or username
+$GITHUB_REPO        = "AngularNetTutorial"          # GitHub repository name
+$BRANCH             = "main"                        # Branch that triggers deployments
+$SQL_ADMIN_PASSWORD = 'Tr@7vK#2mX$9pL4!'           # SQL admin password
+# ------------------------------------------------------------------------------
+
+Write-Host ""
+Write-Host "========================================================"
+Write-Host " Azure OIDC Setup for GitHub Actions"
+Write-Host " App:   $APP_NAME"
+Write-Host " Repo:  $GITHUB_ORG/$GITHUB_REPO  (branch: $BRANCH)"
+Write-Host " RG:    $RESOURCE_GROUP  ($LOCATION)"
+Write-Host "========================================================"
+Write-Host ""
+
+# --- Step 1: Create App Registration ------------------------------------------
+Write-Host ">>> Step 1: Create App Registration"
+
+$APP_ID = az ad app create `
+  --display-name $APP_NAME `
+  --query appId `
+  --output tsv
+
+Write-Host "    Created App Registration: $APP_ID"
+
+# --- Step 2: Create Service Principal -----------------------------------------
+Write-Host ">>> Step 2: Create Service Principal"
+
+az ad sp create --id $APP_ID --output none
+
+Write-Host "    Service Principal created"
+
+# --- Step 3: Add Federated Identity Credential --------------------------------
+Write-Host ">>> Step 3: Add Federated Identity Credential"
+
+$TEMP_CRED_FILE = [System.IO.Path]::GetTempFileName() + ".json"
+@{
+  name        = "github-actions-branch-$BRANCH"
+  issuer      = "https://token.actions.githubusercontent.com"
+  subject     = "repo:${GITHUB_ORG}/${GITHUB_REPO}:ref:refs/heads/$BRANCH"
+  audiences   = @("api://AzureADTokenExchange")
+  description = "GitHub Actions OIDC for $GITHUB_ORG/$GITHUB_REPO branch $BRANCH"
+} | ConvertTo-Json | Set-Content -Path $TEMP_CRED_FILE -Encoding UTF8
+
+az ad app federated-credential create `
+  --id $APP_ID `
+  --parameters "@$TEMP_CRED_FILE" `
+  --output none
+
+Remove-Item $TEMP_CRED_FILE -Force
+
+Write-Host "    Federated credential added (branch: $BRANCH)"
+
+# --- Step 4a: Create Resource Group -------------------------------------------
+Write-Host ">>> Step 4a: Create Resource Group (idempotent)"
+
+az group create `
+  --name $RESOURCE_GROUP `
+  --location $LOCATION `
+  --output none
+
+Write-Host "    Resource group ready: $RESOURCE_GROUP"
+
+# --- Step 4b: Grant Contributor Role on Resource Group ------------------------
+Write-Host ">>> Step 4b: Grant Contributor role on $RESOURCE_GROUP"
+
+$SUBSCRIPTION_ID = az account show --query id --output tsv
+$SCOPE = "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
+
+az role assignment create `
+  --assignee $APP_ID `
+  --role "Contributor" `
+  --scope $SCOPE `
+  --output none
+
+Write-Host "    Contributor role granted on: $SCOPE"
+
+# --- Step 5: Retrieve Tenant ID -----------------------------------------------
+$TENANT_ID = az account show --query tenantId --output tsv
+
+# --- Step 6: Save Secrets to GitHub Repository --------------------------------
+Write-Host ">>> Step 6: Save secrets to GitHub repository"
+
+gh secret set AZURE_CLIENT_ID       --body $APP_ID              --repo "${GITHUB_ORG}/${GITHUB_REPO}"
+gh secret set AZURE_TENANT_ID       --body $TENANT_ID           --repo "${GITHUB_ORG}/${GITHUB_REPO}"
+gh secret set AZURE_SUBSCRIPTION_ID --body $SUBSCRIPTION_ID     --repo "${GITHUB_ORG}/${GITHUB_REPO}"
+gh secret set SQL_ADMIN_PASSWORD    --body $SQL_ADMIN_PASSWORD  --repo "${GITHUB_ORG}/${GITHUB_REPO}"
+
+Write-Host "    AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, SQL_ADMIN_PASSWORD saved"
+
+# --- Done ---------------------------------------------------------------------
+Write-Host ""
+Write-Host "========================================================"
+Write-Host " Summary"
+Write-Host "========================================================"
+Write-Host " AZURE_CLIENT_ID:       $APP_ID"
+Write-Host " AZURE_TENANT_ID:       $TENANT_ID"
+Write-Host " AZURE_SUBSCRIPTION_ID: $SUBSCRIPTION_ID"
+Write-Host " SQL_ADMIN_PASSWORD:    (set)"
+Write-Host ""
+Write-Host " Verify all 4 secrets at:"
+Write-Host "   https://github.com/${GITHUB_ORG}/${GITHUB_REPO}/settings/secrets/actions"
+Write-Host ""
+Write-Host " OIDC setup complete. GitHub Actions can now deploy to Azure"
+Write-Host " without any stored passwords or client secrets."
+Write-Host "========================================================"