🧑‍💻 DevOps - Fix Infra Deployment (#1835)

* Added role assignment for script to have correct permissions * Removed unused script, fixed provisioning of roles * Cleaned up name, changed from BlobStorage to StorageV2
SSWConsulting · Dec 6, 2023 · b5e09e9 · b5e09e9
1 parent fcc7200
commit b5e09e9
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 35 deletions.
diff --git a/infra/archiveStorage.bicep b/infra/archiveStorage.bicep
@@ -18,14 +18,20 @@ param skuName string
 
 var unique = substring(uniqueString(resourceGroup().id), 0, 12)
 
+// Storage Account Contributor
+var roleDefinitionId = '17d1049b-9a84-46fb-8f53-869881c3d3ab'
+
 resource blobStorage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: 'stsswwebsite${unique}'
   location: location
   tags: tags
   sku: {
     name: skuName
   }
-  kind: 'BlobStorage'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  kind: 'StorageV2'
   properties: {
     allowBlobPublicAccess: true
     publicNetworkAccess: 'Enabled'
@@ -38,12 +44,6 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01
   name: 'default'
   parent: blobStorage
   properties: {
-    changeFeed: {
-      enabled: false
-    }
-    restorePolicy: {
-      enabled: false
-    }
     containerDeleteRetentionPolicy: {
       enabled: true
       days: 7
@@ -86,43 +86,41 @@ resource webContainer 'Microsoft.Storage/storageAccounts/blobServices/containers
 }
 
 resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: 'blob-archive-static-site-script'
+  name: 'id-blob-archive'
   location: location
 }
 
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, roleDefinitionId)
+  scope: resourceGroup()
+  properties: {
+    // Storage Account Contributor
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 
 resource enableStaticSite 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
-  name: 'enableStaticSite'
+  name: 'script-enableStaticSite'
   location: location
-  kind: 'AzurePowerShell'
+  kind: 'AzureCLI'
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
       '${managedIdentity.id}': {}
     }
   }
+  dependsOn: [
+    blobServices
+    roleAssignment
+    webContainer
+  ]
   properties: {
-    azPowerShellVersion: '3.0'
-    scriptContent: loadTextContent('./scripts/enable-static-site.ps1')
+    azCliVersion: '2.53.0'
+    scriptContent: 'az storage blob service-properties update --account-name ${blobStorage.name} --static-website --404-document 404.html --index-document index.html --auth-mode login'
     retentionInterval: 'PT24H'
-    environmentVariables: [
-      {
-        name: 'IndexDocumentPath'
-        value: 'index.html'
-      }
-      {
-        name: 'ErrorDocument404Path'
-        value: '404.html'
-      }
-      {
-        name: 'ResourceGroupName'
-        value: resourceGroup().name
-      }
-      {
-        name: 'StorageAccountName'
-        value: blobStorage.name
-      }
-    ]
   }
 }
 

diff --git a/infra/scripts/enable-static-site.ps1 b/infra/scripts/enable-static-site.ps1