auth infra

infra/main.tf

@@ -53,7 +53,7 @@ resource "azurerm_service_plan" "asp" {
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
   os_type             = "Linux"
-  sku_name            = "B2"
+  sku_name            = "B3"
 }
 
 resource "azurerm_linux_web_app" "browserless" {
@@ -128,11 +128,52 @@ resource "azurerm_linux_web_app" "app" {
   service_plan_id     = azurerm_service_plan.asp.id
 
   app_settings = {
-    WEBSITES_ENABLE_APP_SERVICE_STORAGE = "false"
-    WEBSITES_PORT                       = "3000"
-    OPENAI_API_KEY                      = var.openai_api_key
-    ANTHROPIC_API_KEY                   = var.anthropic_api_key
-    GEMINI_API_KEY                      = var.gemini_api_key
+    WEBSITES_ENABLE_APP_SERVICE_STORAGE        = "false"
+    WEBSITES_PORT                              = "3000"
+    OPENAI_API_KEY                             = var.openai_api_key
+    ANTHROPIC_API_KEY                          = var.anthropic_api_key
+    GEMINI_API_KEY                             = var.gemini_api_key
+    DOCKER_ENABLE_CI                           = "true"
+    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET   = var.azure_ad_client_secret
+    WEBSITE_AUTH_AAD_ALLOWED_TENANTS           = var.azure_ad_tenant_id
+    PUPPETEER_WSS_ENDPOINT                     = "wss://${var.project_name}-browserless.azurewebsites.net"
+  }
+
+  auth_settings_v2 {
+    auth_enabled             = true
+    default_provider         = "azureactivedirectory"
+    require_authentication   = true
+    unauthenticated_action   = "RedirectToLoginPage"
+    http_route_api_prefix    = "/.auth"
+    forward_proxy_convention = "NoProxy"
+    excluded_paths           = []
+    require_https            = true
+    runtime_version          = "~1"
+
+    active_directory_v2 {
+      client_id                       = var.azure_ad_client_id
+      client_secret_setting_name      = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
+      tenant_auth_endpoint            = "https://sts.windows.net/${var.azure_ad_tenant_id}/v2.0"
+      allowed_applications            = [var.azure_ad_client_id]
+      allowed_audiences               = ["api://${var.azure_ad_client_id}"]
+      allowed_groups                  = []
+      allowed_identities              = []
+      jwt_allowed_client_applications = []
+      jwt_allowed_groups              = []
+      login_parameters                = {}
+      www_authentication_disabled     = false
+    }
+
+    login {
+      token_store_enabled               = true
+      token_refresh_extension_time      = 72
+      preserve_url_fragments_for_logins = false
+      cookie_expiration_convention      = "FixedTime"
+      cookie_expiration_time            = "08:00:00"
+      nonce_expiration_time             = "00:05:00"
+      validate_nonce                    = true
+      allowed_external_redirect_urls    = []
+    }
   }
 
   site_config {
@@ -174,6 +215,10 @@ resource "azurerm_linux_web_app" "app" {
     type = "SystemAssigned"
   }
 
+  sticky_settings {
+    app_setting_names = ["MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"]
+}
+
   depends_on = [
     azurerm_container_registry.acr,
     azurerm_subnet.subnet
@@ -188,18 +233,4 @@ resource "azurerm_app_service_virtual_network_swift_connection" "app_vnet_integr
 resource "azurerm_app_service_virtual_network_swift_connection" "browserless_vnet_integration" {
   app_service_id = azurerm_linux_web_app.browserless.id
   subnet_id      = azurerm_subnet.subnet.id
-}
-
-resource "null_resource" "update_settings" {
-  triggers = {
-    always_run = "${timestamp()}"
   }
-
-  provisioner "local-exec" {
-    command = <<EOT
-az webapp config appsettings set --resource-group ${azurerm_resource_group.rg.name} --name ${azurerm_linux_web_app.app.name} --settings PUPPETEER_WSS_ENDPOINT=wss://${azurerm_linux_web_app.browserless.default_hostname}
-EOT
-  }
-
-  depends_on = [azurerm_linux_web_app.app, azurerm_linux_web_app.browserless]
-}

infra/variables.tf

@@ -1,19 +1,52 @@
-variable "azure_subscription_id" {}
-variable "openai_api_key" {}
-variable "anthropic_api_key" {}
-variable "gemini_api_key" {}
+variable "azure_subscription_id" {
+  type        = string
+  description = "Azure Subscription ID - Found in the Azure portal under 'Subscriptions'."
+}
+
+variable "azure_ad_tenant_id" {
+  type        = string
+  description = "Azure AD Tenant ID - Found in the Azure portal under 'Azure Entra ID' > 'Overview'."
+}
+
+variable "azure_ad_client_id" {
+  type        = string
+  description = "Azure AD Client ID - Found in the Azure portal under 'Azure Entra ID' > 'App registrations' > 'Your Application' > 'Overview'."
+}
+
+variable "azure_ad_client_secret" {
+  type        = string
+  description = "Azure AD Client Secret - Generated in the Azure portal under 'Azure Entra ID' > 'App registrations' > 'Your Application' > 'Certificates & secrets'."
+}
+
+variable "openai_api_key" {
+  type        = string
+  description = "OpenAI API Key - Retrieved from the OpenAI API Platform."
+}
+
+variable "anthropic_api_key" {
+  type        = string
+  description = "Anthropic API Key - Retrieved from the Anthropic API console."
+}
+
+variable "gemini_api_key" {
+  type        = string
+  description = "Gemini API Key - Retrieved from the Google Cloud AI dashboard."
+}
 
 variable "allowed_ip" {
-  type    = string
-  default = "X.X.X.X/32"
+  type        = string
+  default     = "X.X.X.X/32"
+  description = "IP address allowed to access resources. Use CIDR notation."
 }
 
 variable "project_name" {
-  type    = string
-  default = "big-agi"
+  type        = string
+  default     = "big-agi"
+  description = "Name of the project that determines resource names in Azure."
 }
 
 variable "location" {
-  type    = string
-  default = "Norway East"
+  type        = string
+  default     = "Norway East"
+  description = "Azure region where resources will be deployed."
 }