Port to passwordless

azure.yaml

@@ -8,3 +8,10 @@ services:
     project: ./src
     language: py
     host: appservice
+hooks:
+    postprovision:
+      posix:
+        shell: sh
+        run: ./scripts/setup_postgres_azurerole.sh
+        interactive: true
+        continueOnError: false

infra/core/database/postgresql/flexibleserver.bicep

@@ -4,9 +4,32 @@ param tags object = {}
 
 param sku object
 param storage object
-param administratorLogin string
+
+@allowed([
+  'Password'
+  'EntraOnly'
+])
+param authType string = 'Password'
+
+param administratorLogin string = ''
 @secure()
-param administratorLoginPassword string
+param administratorLoginPassword string = ''
+
+@description('Entra admin role name')
+param entraAdministratorName string = ''
+
+@description('Entra admin role object ID (in Entra)')
+param entraAdministratorObjectId string = ''
+
+@description('Entra admin user type')
+@allowed([
+  'User'
+  'Group'
+  'ServicePrincipal'
+])
+param entraAdministratorType string = 'User'
+
+
 param databaseNames array = []
 param allowAzureIPsFirewall bool = false
 param allowAllIPsFirewall bool = false
@@ -15,50 +38,93 @@ param allowedSingleIPs array = []
 // PostgreSQL version
 param version string
 
-// Latest official version 2022-12-01 does not have Bicep types available
+var authProperties = authType == 'Password' ? {
+  administratorLogin: administratorLogin
+  administratorLoginPassword: administratorLoginPassword
+  authConfig: {
+    passwordAuth: 'Enabled'
+  }
+} : {
+  authConfig: {
+    activeDirectoryAuth: 'Enabled'
+    passwordAuth: 'Disabled'
+  }
+}
+
 resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
   location: location
   tags: tags
   name: name
   sku: sku
-  properties: {
+  properties: union(authProperties, {
     version: version
-    administratorLogin: administratorLogin
-    administratorLoginPassword: administratorLoginPassword
     storage: storage
     highAvailability: {
       mode: 'Disabled'
     }
-  }
+  })
 
   resource database 'databases' = [for name in databaseNames: {
     name: name
   }]
+}
 
-  resource firewall_all 'firewallRules' = if (allowAllIPsFirewall) {
-    name: 'allow-all-IPs'
-    properties: {
-        startIpAddress: '0.0.0.0'
-        endIpAddress: '255.255.255.255'
-    }
+// This must be done separately due to conflicts with the Entra setup
+resource firewall_all 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = if (allowAllIPsFirewall) {
+  parent: postgresServer
+  name: 'allow-all-IPs'
+  properties: {
+    startIpAddress: '0.0.0.0'
+    endIpAddress: '255.255.255.255'
   }
+}
 
-  resource firewall_azure 'firewallRules' = if (allowAzureIPsFirewall) {
-    name: 'allow-all-azure-internal-IPs'
-    properties: {
-        startIpAddress: '0.0.0.0'
-        endIpAddress: '0.0.0.0'
-    }
+// This must be done separately due to conflicts with the Entra setup
+resource firewall_azure 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = if (allowAzureIPsFirewall) {
+  parent: postgresServer
+  name: 'allow-all-azure-internal-IPs'
+  properties: {
+    startIpAddress: '0.0.0.0'
+    endIpAddress: '0.0.0.0'
   }
+}
 
-  resource firewall_single 'firewallRules' = [for ip in allowedSingleIPs: {
-    name: 'allow-single-${replace(ip, '.', '')}'
-    properties: {
-        startIpAddress: ip
-        endIpAddress: ip
-    }
-  }]
+@batchSize(1)
+// This must be done separately due to conflicts with the Entra setup
+resource firewall_single 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = [for ip in allowedSingleIPs: {
+  parent: postgresServer
+  name: 'allow-single-${replace(ip, '.', '')}'
+  properties: {
+    startIpAddress: ip
+    endIpAddress: ip
+  }
+}]
 
+// This must be created *after* the server is created - it cannot be a nested child resource
+resource addAddUser 'Microsoft.DBforPostgreSQL/flexibleServers/administrators@2023-03-01-preview' = {
+  parent: postgresServer
+  name: entraAdministratorObjectId
+  properties: {
+    tenantId: subscription().tenantId
+    principalType: entraAdministratorType
+    principalName: entraAdministratorName
+  }
+  // This is a workaround for a bug in the API that requires the parent to be fully resolved
+  dependsOn: [postgresServer, firewall_all, firewall_azure]
 }
 
-output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName
+// Workaround issue https://github.com/Azure/bicep-types-az/issues/1507
+resource configurations 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2023-03-01-preview' = {
+  name: 'azure.extensions'
+  parent: postgresServer
+  properties: {
+    value: 'vector'
+    source: 'user-override'
+  }
+  dependsOn: [
+    addAddUser, firewall_all, firewall_azure, firewall_single
+  ]
+}
+
+
+output POSTGRES_DOMAIN_NAME string =  postgresServer.properties.fullyQualifiedDomainName

infra/core/security/keyvault.bicep

@@ -2,8 +2,6 @@ param name string
 param location string = resourceGroup().location
 param tags object = {}
 
-param principalId string = ''
-
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: name
   location: location
@@ -11,13 +9,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   properties: {
     tenantId: subscription().tenantId
     sku: { family: 'A', name: 'standard' }
-    accessPolicies: !empty(principalId) ? [
-      {
-        objectId: principalId
-        permissions: { secrets: [ 'get', 'list' ] }
-        tenantId: subscription().tenantId
-      }
-    ] : []
+    enableRbacAuthorization: true
   }
 }
 

infra/core/security/role.bicep

@@ -0,0 +1,21 @@
+metadata description = 'Creates a role assignment for a service principal.'
+param principalId string
+
+@allowed([
+  'Device'
+  'ForeignGroup'
+  'Group'
+  'ServicePrincipal'
+  'User'
+])
+param principalType string = 'ServicePrincipal'
+param roleDefinitionId string
+
+resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, principalId, roleDefinitionId)
+  properties: {
+    principalId: principalId
+    principalType: principalType
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+  }
+}

infra/main.bicep

@@ -9,9 +9,19 @@ param name string
 @description('Primary location for all resources')
 param location string
 
-@secure()
-@description('PostGreSQL Server administrator password')
-param postgresAdminPassword string
+@description('Entra admin role name')
+param postgresEntraAdministratorName string
+
+@description('Entra admin role object ID (in Entra)')
+param postgresEntraAdministratorObjectId string
+
+@description('Entra admin user type')
+@allowed([
+  'User'
+  'Group'
+  'ServicePrincipal'
+])
+param postgresEntraAdministratorType string = 'User'
 
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
@@ -20,6 +30,9 @@ param principalId string = ''
 @description('Django SECRET_KEY for cryptographic signing')
 param djangoSecretKey string
 
+@description('Running on GitHub Actions?')
+param runningOnGh bool = false
+
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var tags = { 'azd-env-name': name }
 
@@ -32,7 +45,6 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 var prefix = '${name}-${resourceToken}'
 
 var postgresServerName = '${prefix}-postgresql'
-var postgresAdminUser = 'admin${uniqueString(resourceGroup.id)}'
 var postgresDatabaseName = 'django'
 
 module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
@@ -50,18 +62,22 @@ module postgresServer 'core/database/postgresql/flexibleserver.bicep' = {
       storageSizeGB: 32
     }
     version: '14'
-    administratorLogin: postgresAdminUser
-    administratorLoginPassword: postgresAdminPassword
+    authType: 'EntraOnly'
+    entraAdministratorName: postgresEntraAdministratorName
+    entraAdministratorObjectId: postgresEntraAdministratorObjectId
+    entraAdministratorType: postgresEntraAdministratorType
     databaseNames: [ postgresDatabaseName ]
     allowAzureIPsFirewall: true
+    allowAllIPsFirewall: true // Necessary for post-provision script, can be disabled after
   }
 }
 
+var webAppName = '${prefix}-app-service'
 module web 'core/host/appservice.bicep' = {
   name: 'appservice'
   scope: resourceGroup
   params: {
-    name: '${prefix}-appservice'
+    name: webAppName
     location: location
     tags: union(tags, { 'azd-service-name': 'web' })
     appServicePlanId: appServicePlan.outputs.id
@@ -74,10 +90,9 @@ module web 'core/host/appservice.bicep' = {
     appSettings: {
       ADMIN_URL: 'admin${uniqueString(appServicePlan.outputs.id)}'
       DBENGINE: 'django.db.backends.postgresql'
-      DBHOST: '${postgresServerName}.postgres.database.azure.com'
+      DBHOST: '${postgresServerName}.postgres.database.azure.com' // todo replace with ouput
       DBNAME: postgresDatabaseName
-      DBUSER: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminUser)'
-      DBPASS: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=postgresAdminPassword)'
+      DBUSER: webAppName
       DBSSL: 'require'
       STATIC_BACKEND: 'whitenoise.storage.CompressedManifestStaticFilesStorage'
       SECRET_KEY: '@Microsoft.KeyVault(VaultName=${keyVault.outputs.name};SecretName=djangoSecretKey)'
@@ -116,7 +131,26 @@ module keyVault './core/security/keyvault.bicep' = {
     name: '${take(replace(prefix, '-', ''), 17)}-vault'
     location: location
     tags: tags
+  }
+}
+
+module userKeyVaultAccess 'core/security/role.bicep' = {
+  name: 'user-keyvault-access'
+  scope: resourceGroup
+  params: {
     principalId: principalId
+    principalType: runningOnGh ? 'ServicePrincipal' : 'User'
+    roleDefinitionId: '00482a5a-887f-4fb3-b363-3b7fe8e74483'
+  }
+}
+
+module backendKeyVaultAccess 'core/security/role.bicep' = {
+  name: 'backend-keyvault-access'
+  scope: resourceGroup
+  params: {
+    principalId: web.outputs.identityPrincipalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: '00482a5a-887f-4fb3-b363-3b7fe8e74483'
   }
 }
 
@@ -125,14 +159,6 @@ var secrets = [
     name: 'djangoSecretKey'
     value: djangoSecretKey
   }
-  {
-    name: 'postgresAdminUser'
-    value: postgresAdminUser
-  }
-  {
-    name: 'postgresAdminPassword'
-    value: postgresAdminPassword
-  }
 ]
 
 @batchSize(1)
@@ -146,6 +172,8 @@ module keyVaultSecrets './core/security/keyvault-secret.bicep' = [for secret in
   }
 }]
 
+
+
 module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
   name: 'loganalytics'
   scope: resourceGroup
@@ -156,6 +184,12 @@ module logAnalyticsWorkspace 'core/monitor/loganalytics.bicep' = {
   }
 }
 
+output WEB_APP_NAME string = webAppName
 output WEB_URI string = 'https://${web.outputs.uri}'
+output SERVICE_WEB_IDENTITY_NAME string = webAppName
+
 output AZURE_LOCATION string = location
-output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name
+output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name
+
+output POSTGRES_HOST string = postgresServer.outputs.POSTGRES_DOMAIN_NAME
+output POSTGRES_USERNAME string = postgresEntraAdministratorName

infra/main.parameters.json

@@ -11,11 +11,20 @@
       "principalId": {
         "value": "${AZURE_PRINCIPAL_ID}"
       },
-      "postgresAdminPassword": {
-        "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} postgresAdminPassword)"
+      "runningOnGh": {
+        "value": "${GITHUB_ACTIONS}"
       },
       "djangoSecretKey": {
         "value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} djangoSecretKey)"
+      },
+      "postgresEntraAdministratorName": {
+        "value": "useradmin"
+      },
+      "postgresEntraAdministratorObjectId": {
+        "value": "${AZURE_PRINCIPAL_ID}"
+      },
+      "postgresEntraAdministratorType": {
+        "value": "User"
       }
     }
   }

scripts/load_python_env.sh

@@ -0,0 +1,7 @@
+ #!/bin/sh
+
+echo 'Creating Python virtual environment in ".venv"...'
+python3 -m venv .venv
+
+echo 'Installing dependencies from "scripts/requirements.txt" into virtual environment (in quiet mode)...'
+.venv/bin/python -m pip --quiet --disable-pip-version-check install -r scripts/requirements.txt

scripts/requirements.txt

@@ -0,0 +1,2 @@
+psycopg2==2.9.9
+azure-identity==1.16.0

scripts/setup_postgres_azurerole.ps1

@@ -0,0 +1,18 @@
+. ./scripts/load_python_env.ps1
+
+$POSTGRES_HOST = ((azd env get-values | Select-String -Pattern "POSTGRES_HOST") -replace '^POSTGRES_HOST=', '')
+$POSTGRES_USERNAME = ((azd env get-values | Select-String -Pattern "POSTGRES_USERNAME") -replace '^POSTGRES_USERNAME=', '')
+$APP_IDENTITY_NAME = ((azd env get-values | Select-String -Pattern "SERVICE_WEB_IDENTITY_NAME") -replace '^SERVICE_WEB_IDENTITY_NAME=', '')
+
+if ([string]::IsNullOrEmpty($POSTGRES_HOST) -or [string]::IsNullOrEmpty($POSTGRES_USERNAME) -or [string]::IsNullOrEmpty($APP_IDENTITY_NAME)) {
+    Write-Host "Can't find POSTGRES_HOST, POSTGRES_USERNAME, and SERVICE_WEB_IDENTITY_NAME environment variables. Make sure you run azd up first."
+    exit 1
+}
+
+$venvPythonPath = "./.venv/scripts/python.exe"
+if (Test-Path -Path "/usr") {
+  # fallback to Linux venv path
+  $venvPythonPath = "./.venv/bin/python"
+}
+
+Start-Process -FilePath $venvPythonPath -ArgumentList "./src/setup_postgres_azurerole.py", "--host", $POSTGRES_HOST, "--username", $POSTGRES_USERNAME, "--app-identity-name", $APP_IDENTITY_NAME -Wait -NoNewWindow

scripts/setup_postgres_azurerole.sh

@@ -0,0 +1,12 @@
+POSTGRES_HOST=$(azd env get-values | grep POSTGRES_HOST | sed 's/="/=/' | sed 's/"$//' | sed 's/^POSTGRES_HOST=//')
+POSTGRES_USERNAME=$(azd env get-values | grep POSTGRES_USERNAME | sed 's/="/=/' | sed 's/"$//' | sed 's/^POSTGRES_USERNAME=//')
+APP_IDENTITY_NAME=$(azd env get-values | grep SERVICE_WEB_IDENTITY_NAME | sed 's/="/=/' | sed 's/"$//' | sed 's/^SERVICE_WEB_IDENTITY_NAME=//')
+
+if [ -z "$POSTGRES_HOST" ] || [ -z "$POSTGRES_USERNAME" ] || [ -z "$APP_IDENTITY_NAME" ]; then
+    echo "Can't find POSTGRES_HOST, POSTGRES_USERNAME, and SERVICE_WEB_IDENTITY_NAME environment variables. Make sure you run azd up first."
+    exit 1
+fi
+
+. ./scripts/load_python_env.sh
+
+./.venv/bin/python ./src/setup_postgres_azurerole.py --host $POSTGRES_HOST --username $POSTGRES_USERNAME --app-identity-name $APP_IDENTITY_NAME

src/quizsite/postgresql/base.py

@@ -0,0 +1,12 @@
+from azure.identity import DefaultAzureCredential
+from django.db.backends.postgresql import base
+
+
+class DatabaseWrapper(base.DatabaseWrapper):
+    def get_connection_params(self):
+        params = super().get_connection_params()
+        if params.get("host", "").endswith(".database.azure.com"):
+            azure_credential = DefaultAzureCredential()
+            dbpass = azure_credential.get_token("https://ossrdbms-aad.database.windows.net/.default").token
+            params["password"] = dbpass
+        return params

src/quizsite/settings.py

@@ -108,12 +108,13 @@ WSGI_APPLICATION = "quizsite.wsgi.application"
 
 DATABASES = {
     "default": {
-        "ENGINE": env("DBENGINE"),
+        "ENGINE": "quizsite.postgresql",
         "NAME": env("DBNAME"),
         "HOST": env("DBHOST"),
         "USER": env("DBUSER"),
-        "PASSWORD": env("DBPASS"),
+        "PASSWORD": env("DBPASS", default="PASSWORD_WILL_BE_SET_LATER"),
         "OPTIONS": {"sslmode": env("DBSSL")},
+        "CONN_MAX_AGE": 60 * 60 * 6,  # 6 hours
     }
 }
 

src/requirements.txt

@@ -3,3 +3,4 @@ psycopg2==2.9.9
 python-dotenv==1.0.1
 whitenoise[brotli]==6.6.0
 django-environ==0.11.2
+azure-identity==1.16.0

src/setup_postgres_azurerole.py

@@ -0,0 +1,66 @@
+import argparse
+import logging
+
+import psycopg2
+from azure.identity import DefaultAzureCredential
+
+logger = logging.getLogger("scripts")
+
+
+def assign_role_for_webapp(postgres_host, postgres_username, app_identity_name):
+    if not postgres_host.endswith(".database.azure.com"):
+        logger.info("This script is intended to be used with Azure Database for PostgreSQL.")
+        logger.info("Please set the environment variable DBHOST to the Azure Database for PostgreSQL server hostname.")
+        return
+
+    logger.info("Authenticating to Azure Database for PostgreSQL using Azure Identity...")
+    azure_credential = DefaultAzureCredential()
+    token = azure_credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
+    conn = psycopg2.connect(
+        database="postgres",  # You must connect to postgres database when assigning roles
+        user=postgres_username,
+        password=token.token,
+        host=postgres_host,
+        sslmode="require",
+    )
+
+    conn.autocommit = True
+    cur = conn.cursor()
+
+    cur.execute(f"select * from pgaadauth_list_principals(false) WHERE rolname = '{app_identity_name}'")
+    identities = cur.fetchall()
+    if len(identities) > 0:
+        logger.info(f"Found an existing PostgreSQL role for identity {app_identity_name}")
+    else:
+        logger.info(f"Creating a PostgreSQL role for identity {app_identity_name}")
+        cur.execute(f"SELECT * FROM pgaadauth_create_principal('{app_identity_name}', false, false)")
+
+    logger.info(f"Granting permissions to {app_identity_name}")
+    # set role to azure_pg_admin
+    cur.execute(f'GRANT USAGE ON SCHEMA public TO "{app_identity_name}"')
+    cur.execute(f'GRANT CREATE ON SCHEMA public TO "{app_identity_name}"')
+    cur.execute(f'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "{app_identity_name}"')
+    cur.execute(
+        f"ALTER DEFAULT PRIVILEGES IN SCHEMA public "
+        f'GRANT SELECT, UPDATE, INSERT, DELETE ON TABLES TO "{app_identity_name}"'
+    )
+
+    cur.close()
+
+
+if __name__ == "__main__":
+
+    logging.basicConfig(level=logging.WARNING)
+    logger.setLevel(logging.INFO)
+    parser = argparse.ArgumentParser(description="Create database schema")
+    parser.add_argument("--host", type=str, help="Postgres host")
+    parser.add_argument("--username", type=str, help="Postgres username")
+    parser.add_argument("--app-identity-name", type=str, help="Azure App Service identity name")
+
+    args = parser.parse_args()
+    if not args.host.endswith(".database.azure.com"):
+        logger.info("This script is intended to be used with Azure Database for PostgreSQL, not local PostgreSQL.")
+        exit(1)
+
+    assign_role_for_webapp(args.host, args.username, args.app_identity_name)
+    logger.info("Role created successfully.")