feat: Refactor Azure deployment scripts and add ASP.NET Web App blueprint

Author: emmanuelknafo

.github/agents/security-agent.md

@@ -15,7 +15,7 @@ Identify vulnerabilities and misconfigurations, assess risk, and produce a secur
 Prioritize review of:
 
 - `src/webapp01` (ASP.NET Core Razor Pages)
-- `infra/`, `terraform/`, `manifests/` (IaC)
+- `blueprints/`, `infra/`, `terraform/`, `bicep/`, `manifests/` (IaC)
 - `.github/workflows/` (pipeline security)
 - Container configuration (Dockerfiles) where present
 

.github/workflows/cicd.yml

@@ -7,10 +7,10 @@ on:
   workflow_dispatch:
     inputs:
       azure_location:
-        description: 'Azure region for deployment'
+        description: "Azure region for deployment"
         required: true
         type: choice
-        default: 'canadacentral'
+        default: "canadacentral"
         options:
           - canadacentral
           - canadaeast
@@ -21,10 +21,10 @@ on:
           - westeurope
           - northeurope
       instance_number:
-        description: 'Instance number for resource naming'
+        description: "Instance number for resource naming"
         required: true
         type: string
-        default: '002'
+        default: "003"
 
 permissions:
   attestations: write
@@ -34,22 +34,24 @@ permissions:
   security-events: write
 
 env:
-  INSTANCE_NUMBER: ${{ github.event.inputs.instance_number || '002' }}
-  AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'canadacentral' }}
-  AZURE_WEBAPP_NAME: app-gh-aspnet-webapp-${{ github.event.inputs.instance_number || '002' }}
+  DEFAULT_INSTANCE_NUMBER: "003"
+  DEFAULT_AZURE_LOCATION: "canadacentral"
   SRC_PROJECT_PATH: "/webapp01/webapp01.csproj"
   AZURE_WEBAPP_PACKAGE_PATH: "./src"
   DOTNET_VERSION: "9.0.x"
-  AZURE_ACR_NAME: crdevsecopscldev${{ github.event.inputs.instance_number || '002' }}
 
 jobs:
   deploy-infrastructure:
     name: Deploy Azure Infrastructure
     runs-on: ubuntu-latest
+    env:
+      INSTANCE_NUMBER: ${{ github.event.inputs.instance_number || 'DEFAULT_INSTANCE' }}
+      AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'DEFAULT_LOCATION' }}
     outputs:
       acr_name: ${{ steps.deploy.outputs.acr_name }}
       webapp_name: ${{ steps.deploy.outputs.webapp_name }}
       webapp_url: ${{ steps.deploy.outputs.webapp_url }}
+      resource_group: ${{ steps.deploy.outputs.resource_group }}
     steps:
       - uses: actions/checkout@v5
 
@@ -64,19 +66,19 @@ jobs:
         id: deploy
         shell: pwsh
         run: |
-          $instanceNumber = "${{ env.INSTANCE_NUMBER }}"
-          $location = "${{ env.AZURE_LOCATION }}"
-          
+          $instanceNumber = "${{ env.INSTANCE_NUMBER }}".Replace('DEFAULT_INSTANCE', '${{ env.DEFAULT_INSTANCE_NUMBER }}')
+          $location = "${{ env.AZURE_LOCATION }}".Replace('DEFAULT_LOCATION', '${{ env.DEFAULT_AZURE_LOCATION }}')
+
           # Calculate resource names based on instance number
           $acrName = "crdevsecopscldev$instanceNumber"
           $appServicePlanName = "asp-gh-aspnet-webapp-$instanceNumber"
           $webAppName = "app-gh-aspnet-webapp-$instanceNumber"
           $resourceGroupName = "rg-gh-aspnet-webapp-$instanceNumber"
           $containerImage = "$acrName.azurecr.io/webapp01:latest"
-          
+
           # Deployment name based only on instance number for idempotence
           $deploymentName = "deploy-infra-$instanceNumber"
-          
+
           Write-Host "=== Azure Infrastructure Deployment ===" -ForegroundColor Cyan
           Write-Host "Instance Number: $instanceNumber" -ForegroundColor Green
           Write-Host "Location: $location" -ForegroundColor Green
@@ -85,43 +87,44 @@ jobs:
           Write-Host "Web App Name: $webAppName" -ForegroundColor Green
           Write-Host "Resource Group: $resourceGroupName" -ForegroundColor Green
           Write-Host "Deployment Name: $deploymentName" -ForegroundColor Green
-          
+
           # Deploy using inline parameters instead of parameters file
           az deployment sub create `
             --name $deploymentName `
             --location $location `
-            --template-file ./infra/main.bicep `
+            --template-file ./blueprints/gh-aspnet-webapp/bicep/main.bicep `
             --parameters acrName=$acrName `
             --parameters acrSku=Basic `
             --parameters appServicePlanName=$appServicePlanName `
             --parameters webAppName=$webAppName `
             --parameters location=$location `
             --parameters containerImage=$containerImage `
             --parameters resourceGroupName=$resourceGroupName
-          
+
           if ($LASTEXITCODE -ne 0) {
             Write-Error "Deployment failed with exit code: $LASTEXITCODE"
             exit $LASTEXITCODE
           }
-          
+
           Write-Host "Deployment completed successfully!" -ForegroundColor Green
-          
+
           # Set outputs for subsequent jobs
           echo "acr_name=$acrName" >> $env:GITHUB_OUTPUT
           echo "webapp_name=$webAppName" >> $env:GITHUB_OUTPUT
           echo "webapp_url=https://$webAppName.azurewebsites.net" >> $env:GITHUB_OUTPUT
+          echo "resource_group=$resourceGroupName" >> $env:GITHUB_OUTPUT
 
       - name: Configure ACR Managed Identity
         shell: pwsh
         run: |
           $webAppName = "${{ steps.deploy.outputs.webapp_name }}"
-          $resourceGroupName = "rg-gh-aspnet-webapp-${{ env.INSTANCE_NUMBER }}"
-          
+          $resourceGroupName = "${{ steps.deploy.outputs.resource_group }}"
+
           Write-Host "Configuring ACR managed identity authentication..." -ForegroundColor Yellow
-          
+
           # Verify ACR managed identity configuration
           $config = az webapp config show --name $webAppName --resource-group $resourceGroupName --query "acrUseManagedIdentityCreds" -o tsv
-          
+
           if ($config -ne "true") {
             Write-Host "Setting acrUseManagedIdentityCreds=true..." -ForegroundColor Cyan
             az webapp config set --name $webAppName --resource-group $resourceGroupName --generic-configurations '{"acrUseManagedIdentityCreds": true}'
@@ -136,6 +139,9 @@ jobs:
     name: Build and Deploy to Azure Web App
     needs: deploy-infrastructure
     runs-on: ubuntu-latest
+    env:
+      AZURE_ACR_NAME: ${{ needs.deploy-infrastructure.outputs.acr_name }}
+      AZURE_WEBAPP_NAME: ${{ needs.deploy-infrastructure.outputs.webapp_name }}
     steps:
       # Checkout the repo
       - uses: actions/checkout@v5

blueprints/gh-aspnet-webapp/README.md

@@ -0,0 +1,71 @@
+# ASP.NET Web App Blueprint
+
+## Overview
+
+A containerized ASP.NET web application deployed to Azure App Service using Azure Container Registry (ACR) with managed identity authentication.
+
+## Architecture Components
+
+| Component | Azure Service | Purpose |
+| --- | --- | --- |
+| Web Application | App Service (Linux) | Hosts the containerized ASP.NET application |
+| Container Registry | Azure Container Registry | Stores Docker container images |
+| Identity | System-Assigned Managed Identity | Secure authentication to ACR without credentials |
+
+## Data Flows
+
+1. Container images are pushed to Azure Container Registry
+2. App Service pulls container images from ACR using managed identity (AcrPull role)
+3. Users access the web application via HTTPS
+
+## Deployment
+
+### Prerequisites
+
+- Azure CLI installed and authenticated
+- Azure subscription with appropriate permissions
+- PowerShell (for deployment script)
+
+### Parameters
+
+| Parameter | Description | Default |
+| --- | --- | --- |
+| `acrName` | Name of the Azure Container Registry | Required |
+| `acrSku` | SKU of the Container Registry | `Basic` |
+| `appServicePlanName` | Name of the App Service Plan | Required |
+| `webAppName` | Name of the Web App | Required |
+| `location` | Azure region for resources | Required |
+| `containerImage` | Container image to deploy | Required |
+| `resourceGroupName` | Name of the Resource Group | `rg-webapp01-dev` |
+
+### Deploy
+
+```powershell
+cd bicep
+./deploy.ps1
+```
+
+Or deploy directly with Azure CLI:
+
+```bash
+az deployment sub create \
+  --location <location> \
+  --template-file ./bicep/main.bicep \
+  --parameters ./bicep/main.parameters.json
+```
+
+## Security Considerations
+
+- Admin user disabled on ACR; managed identity used instead
+- System-assigned managed identity eliminates credential storage
+- AcrPull role assignment follows least-privilege principle
+- App Service runs on Linux with container isolation
+
+## Outputs
+
+| Output | Description |
+| --- | --- |
+| `webAppName` | Name of the deployed Web App |
+| `webAppUrl` | HTTPS URL of the Web App |
+| `acrLoginServer` | Login server URL for the Container Registry |
+| `webAppPrincipalId` | Principal ID of the Web App's managed identity |