Merge branch 'dev' into master

Author: ntsim

.eslintrc.json

@@ -118,6 +118,12 @@
       }
     ],
     "no-shadow": "off",
+    "no-underscore-dangle": [
+      "error",
+      {
+        "allow": ["_def"]
+      }
+    ],
     "no-unreachable": "error",
     "no-use-before-define": "off",
     "no-useless-constructor": "off"

infrastructure/parameters/dev.parameters.json

@@ -50,7 +50,7 @@
     "devopsSPN": {
       "value": "e541f669-7fac-4d33-b480-29b523b9d968",
       "metadata": {
-         "comments": "ObjectId for s101d-datahub-spn-ees-dfe-gov-uk"
+        "comments": "ObjectId for s101d-datahub-spn-ees-dfe-gov-uk"
       }
     },
     "domain": {
@@ -62,6 +62,9 @@
     "dataApiUrl": {
       "value": "data.dev.explore-education-statistics.service.gov.uk"
     },
+    "publicApiUrl": {
+      "value": "dev.statistics.api.education.gov.uk"
+    },
     "detailedErrors": {
       "value": true
     },
@@ -72,7 +75,7 @@
       "value": "G-GRPHH2FN0L"
     },
     "enableSwagger": {
-       "value": true
+      "value": true
     },
     "enableThemeDeletion": {
       "value": true
@@ -81,7 +84,7 @@
       "value": 10
     },
     "branch": {
-       "value": "dev"
+      "value": "dev"
     },
     "skuContentDb": {
       "value": "Standard"

infrastructure/parameters/pre-prod.parameters.json

@@ -41,7 +41,7 @@
     "devopsSPN": {
       "value": "2d5a7bf2-a6b1-4474-b202-ab17dd87c375",
       "metadata": {
-         "comments": "ObjectId for s101prep-datahub-spn-ees-dfe-gov-uk"
+        "comments": "ObjectId for s101prep-datahub-spn-ees-dfe-gov-uk"
       }
     },
     "domain": {
@@ -53,6 +53,9 @@
     "dataApiUrl": {
       "value": "data.pre-production.explore-education-statistics.service.gov.uk"
     },
+    "publicApiUrl": {
+      "value": "pre-production.statistics.api.education.gov.uk"
+    },
     "publicAppGATrackingId": {
       "value": "G-8FSLWXTV2W"
     },

infrastructure/parameters/prod.parameters.json

@@ -44,7 +44,7 @@
     "devopsSPN": {
       "value": "911681c3-8cc7-4afc-8355-4cf60359d743",
       "metadata": {
-         "comments": "ObjectId for s101p-datahub-spn-ees-dfe-gov-uk"
+        "comments": "ObjectId for s101p-datahub-spn-ees-dfe-gov-uk"
       }
     },
     "domain": {
@@ -56,6 +56,9 @@
     "dataApiUrl": {
       "value": "data.explore-education-statistics.service.gov.uk"
     },
+    "publicApiUrl": {
+      "value": "statistics.api.education.gov.uk"
+    },
     "publicAppGATrackingId": {
       "value": "G-9YG8ESXR5Y"
     },

infrastructure/parameters/test.parameters.json

@@ -41,7 +41,7 @@
     "devopsSPN": {
       "value": "22888fee-3aa4-411d-8016-bb8a8c3b825a",
       "metadata": {
-         "comments": "ObjectId for s101t-datahub-spn-ees-dfe-gov-uk"
+        "comments": "ObjectId for s101t-datahub-spn-ees-dfe-gov-uk"
       }
     },
     "domain": {
@@ -53,6 +53,9 @@
     "dataApiUrl": {
       "value": "data.test.explore-education-statistics.service.gov.uk"
     },
+    "publicApiUrl": {
+      "value": "test.statistics.api.education.gov.uk"
+    },
     "detailedErrors": {
       "value": true
     },

infrastructure/templates/public-api/components/containerApp.bicep

@@ -12,12 +12,19 @@ param containerAppImageName string
 
 @minLength(2)
 @maxLength(32)
-@description('Specifies the name of the container app.')
+@description('Specifies the name of the Container App.')
 param containerAppName string
 
 @description('Specifies the container port.')
 param containerAppTargetPort int = 8080
 
+@description('The CORS policy to use for the Container App.')
+param corsPolicy {
+  allowedHeaders: string[]?
+  allowedMethods: string[]?
+  allowedOrigins: string[]?
+}
+
 @description('Number of CPU cores the container can use. Can be with a maximum of two decimals.')
 @allowed([
   '1'
@@ -88,7 +95,7 @@ param volumeMounts {
 var containerImageName = '${acrLoginServer}/${containerAppImageName}'
 var containerApplicationName = toLower('${resourcePrefix}-ca-${containerAppName}')
 
-resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
+resource containerApp 'Microsoft.App/containerApps@2023-11-02-preview' = {
   name: containerApplicationName
   location: location
   identity: {
@@ -106,6 +113,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
         external: true
         targetPort: containerAppTargetPort
         allowInsecure: false
+        corsPolicy: corsPolicy
         traffic: [
           {
             latestRevision: true
@@ -123,7 +131,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
     template: {
       containers: [
         {
-          name: containerAppName 
+          name: containerAppName
           image: containerImageName
           env: appSettings
           resources: {

infrastructure/templates/public-api/deploy-stage-template.yml

@@ -20,8 +20,8 @@ stages:
 - stage: ${{parameters.stageName}}
   displayName: 'Deploy ${{parameters.environment}} Infrastructure and Applications'
   # Prevent this stage from running in parallel with the same deploy stage in other ongoing runs of this pipeline.
-  # Instead, multiple executions of this stage will be queued and run sequentially in the order that their pipelines 
-  # were triggered.  
+  # Instead, multiple executions of this stage will be queued and run sequentially in the order that their pipelines
+  # were triggered.
   lockBehavior: sequential
   condition: ${{parameters.condition}}
   variables:
@@ -68,7 +68,6 @@ stages:
                   --parameters \
                       subscription='$(subscription)' \
                       resourceTags='$(resourceTags)' \
-                      publicUrls='$(publicUrls)' \
                       postgreSqlAdminName='$(postgreSqlAdminName)' \
                       postgreSqlAdminPassword='$(postgreSqlAdminPassword)' \
                       postgreSqlFirewallRules='$(maintenanceFirewallRules)' \
@@ -122,7 +121,7 @@ stages:
                   --settings \
                     "PublicDataDb=@Microsoft.KeyVault(VaultName=$(keyVaultName); SecretName=$(dataProcessorPsqlConnectionStringSecretKey))"
 
-          # TODO EES-5128 - add Private Endpoint to Data Processor Function App into the VMSS VNet to allow DevOps to 
+          # TODO EES-5128 - add Private Endpoint to Data Processor Function App into the VMSS VNet to allow DevOps to
           # deploy the Data Processor Function App without having to temporarily make it publicly accessible.
           - task: AzureCLI@2
             displayName: 'Deploy Data Processor Function App - temporarily enable public network access before deploy'
@@ -142,11 +141,11 @@ stages:
                     publicNetworkAccess=Enabled \
                     siteConfig.publicNetworkAccess=Enabled
 
-          # TODO EES-5128 - we will try several attempts to deploy the Function App in order to allow the staging 
+          # TODO EES-5128 - we will try several attempts to deploy the Function App in order to allow the staging
           # slot the time to fully restart after appsettings and network visibility settings have been updated prior to
-          # attempting the deploy. Deploying prematurely results in a 500 from the deployment endpoint until the 
+          # attempting the deploy. Deploying prematurely results in a 500 from the deployment endpoint until the
           # endpoint is ready to accept the deployment request. In the future it would be preferable to have a health
-          # check Function that we could call to establish that the site is ready, but this will require adding the 
+          # check Function that we could call to establish that the site is ready, but this will require adding the
           # Service Principal to allowed Client IDs / Identities that can access the Function App. The Service Principal
           # that is performing the deploy can be accessed by using the "addSpnToEnvironment" config option in the task
           # definition and using the $(servicePrincipalId) variable.
@@ -165,7 +164,7 @@ stages:
                   --resource-group $(resourceGroupName) \
                   --slot staging
 
-          # TODO EES-5128 - add Private Endpoint to Data Processor Function App into the VMSS VNet to allow DevOps to 
+          # TODO EES-5128 - add Private Endpoint to Data Processor Function App into the VMSS VNet to allow DevOps to
           # deploy the Data Processor Function App without having to temporarily make it publicly accessible.
           - task: AzureCLI@2
             displayName: 'Deploy Data Processor Function App - disable public network access after deploy'

infrastructure/templates/public-api/main.bicep

@@ -64,15 +64,16 @@ param dockerImagesTag string = ''
 @description('Can we deploy the Container App yet?  This is dependent on the user-assigned Managed Identity for the API Container App being created with the AcrPull role, and the database users added to PSQL.')
 param deployContainerApp bool = true
 
-// TODO EES-5128 - Note that this has been added temporarily to avoid 10+ minute deploys where it appears that PSQL 
+// TODO EES-5128 - Note that this has been added temporarily to avoid 10+ minute deploys where it appears that PSQL
 // will redeploy even if no changes exist in this deploy from the previous one.
 @description('Does the PostgreSQL Flexible Server require any updates? False by default to avoid unnecessarily lengthy deploys.')
 param updatePsqlFlexibleServer bool = false
 
 @description('Public URLs of other components in the service.')
 param publicUrls {
   contentApi: string
-}?
+  publicApp: string
+}
 
 @description('Specifies whether or not the Data Processor Function App already exists.')
 param dataProcessorFunctionAppExists bool = false
@@ -256,11 +257,18 @@ module apiContainerAppModule 'components/containerApp.bicep' = if (deployContain
   params: {
     resourcePrefix: resourcePrefix
     location: location
-    containerAppName: apiContainerAppName 
+    containerAppName: apiContainerAppName
     acrLoginServer: containerRegistry.properties.loginServer
     containerAppImageName: 'ees-public-api/api:${dockerImagesTag}'
     userAssignedManagedIdentityId: apiContainerAppManagedIdentity.id
     managedEnvironmentId: containerAppEnvironmentModule.outputs.containerAppEnvironmentId
+    corsPolicy: {
+      allowedOrigins: [
+        publicUrls.publicApp
+        'http://localhost:3000'
+        'http://127.0.0.1'
+      ]
+    }
     volumeMounts: [
       {
         volumeName: dataFilesFileShareMountName
@@ -291,7 +299,7 @@ module apiContainerAppModule 'components/containerApp.bicep' = if (deployContain
       }
       {
         name: 'ContentApi__Url'
-        value: publicUrls!.contentApi
+        value: publicUrls.contentApi
       }
       {
         name: 'MiniProfiler__Enabled'

infrastructure/templates/public-api/parameters/main-dev.bicepparam

@@ -3,6 +3,11 @@ using '../main.bicep'
 // Environment Params
 param environmentName = 'Development'
 
+param publicUrls = {
+  contentApi: 'https://content.dev.explore-education-statistics.service.gov.uk'
+  publicApp: 'https://dev.explore-education-statistics.service.gov.uk'
+}
+
 // PostgreSQL Database Params
 param postgreSqlSkuName = 'Standard_B1ms'
 param postgreSqlStorageSizeGB = 32

infrastructure/templates/public-api/parameters/main-preprod.bicepparam

@@ -3,6 +3,11 @@ using '../main.bicep'
 // Environment Params
 param environmentName = 'Pre-Production'
 
+param publicUrls = {
+  contentApi: 'https://s101p02-as-ees-content.azurewebsites.net'
+  publicApp: 'https://pre-production.explore-education-statistics.service.gov.uk'
+}
+
 // PostgreSQL Database Params
 param postgreSqlSkuName = 'Standard_B1ms'
 param postgreSqlStorageSizeGB = 32

infrastructure/templates/public-api/parameters/main-prod.bicepparam

@@ -3,6 +3,11 @@ using '../main.bicep'
 // Environment Params
 param environmentName = 'Production'
 
+param publicUrls = {
+  contentApi: 'https://content.explore-education-statistics.service.gov.uk'
+  publicApp: 'https://explore-education-statistics.service.gov.uk'
+}
+
 // PostgreSQL Database Params
 param postgreSqlSkuName = 'Standard_B1ms'
 param postgreSqlStorageSizeGB = 32

infrastructure/templates/public-api/parameters/main-test.bicepparam

@@ -3,6 +3,11 @@ using '../main.bicep'
 // Environment Params
 param environmentName = 'Test'
 
+param publicUrls = {
+  contentApi: 'https://content.test.explore-education-statistics.service.gov.uk'
+  publicApp: 'https://test.explore-education-statistics.service.gov.uk'
+}
+
 // PostgreSQL Database Params
 param postgreSqlSkuName = 'Standard_B1ms'
 param postgreSqlStorageSizeGB = 32

infrastructure/templates/public-api/validate-stage-template.yml

@@ -17,8 +17,8 @@ stages:
   - stage: ${{parameters.stageName}}
     displayName: 'Validate ${{parameters.environment}} Infrastructure'
     # Prevent this stage from running in parallel with the same deploy stage in other ongoing runs of this pipeline.
-    # Instead, multiple executions of this stage will be queued and run sequentially in the order that their pipelines 
-    # were triggered.  
+    # Instead, multiple executions of this stage will be queued and run sequentially in the order that their pipelines
+    # were triggered.
     lockBehavior: sequential
     condition: ${{parameters.condition}}
     variables:
@@ -52,7 +52,6 @@ stages:
                 --parameters \
                     subscription='$(subscription)' \
                     resourceTags='$(resourceTags)' \
-                    publicUrls='$(publicUrls)' \
                     postgreSqlAdminName='$(postgreSqlAdminName)' \
                     postgreSqlAdminPassword='$(postgreSqlAdminPassword)' \
                     postgreSqlFirewallRules='$(maintenanceFirewallRules)' \

infrastructure/templates/template.json

@@ -11,6 +11,9 @@
     "dataApiUrl": {
       "type": "string"
     },
+    "publicApiUrl": {
+      "type": "string"
+    },
     "subscription": {
       "type": "string",
       "defaultValue": "",
@@ -2061,6 +2064,7 @@
         "NEXT_CONFIG_MODE": "server",
         "NODE_ENV": "production",
         "PUBLIC_URL": "[concat(variables('publicAppUrl'), '/')]",
+        "PUBLIC_API_BASE_URL": "[concat('https://', parameters('publicApiUrl'),'/api/v1.0')]",
         "WEBSITE_NODE_DEFAULT_VERSION": "20.14.0",
         "WEBSITES_PORT": 3000
       }

renovate.json

@@ -66,6 +66,12 @@
       "matchPackageNames": ["node"],
       "groupName": "Node version",
       "enabled": false
+    },
+    {
+      "matchDatasources": ["azure-bicep-resource"],
+      "groupName": "Azure Bicep resources",
+      "description": "Prevent unofficial resource versions being suggested",
+      "enabled": false
     }
   ]
 }