Ees 4807 small tweaks after merge

[duncan-at-hiveit]

This PR:

• changes Container App Environment to be internal rather than having a Public IP address, in preparation for adding an Application Gateway in front, as requested by the Security Architecture group.
• adds in a conditional flag to omit the Container App from deployment until a user-assigned managed identity has been created and assigned the AcrPull role.
• swaps out the conditional inclusion of chunks of YAML in the pipeline for different environments (which turned out not to be working!) with "condition" property on Stages based on the current branch.
• removes PSQL VNet integration in favour of enabling public SQL access to whitelisted IP address ranges, as per existing SQL Server setups. In the future this will be resolved for VNet traffic by EES-5052, by adding a Private Endpoint linking PSQL to the VNet.
• adds additional necessary subnets to the main ARM template's control.
• adds new appsettings to Container App, and SQL connection string secret creation for Admin, Publisher and Data Processor.
• amends the initial migration of the Container App to allow all PSQL db users to have access to future tables as well as initial ones.

Optimisation flag for PSQL

I've added a flag for effectively skipping the PSQL stage of the deploy, as currently it seems that PSQL attempts to update every single time that we do a Public API Inf deploy, which leads to at least 5 minutes extra deploy time and at worst about 13 minutes extra. We need to work out what is causing it to redeploy each time even when nothing has changed. It may be down to the child "databases" and "firewallRules" resources, which could potentially be solved by moving them out into top-level resources in the postgres module rather than as child resources, but haven't investigated yet.

[benoutram]

As discussed, we could create a new ticket to investigate this and tidy it up, or create an overarching tidy-up ticket to begin listing any stuff like this that still needs looking at.

[duncan-at-hiveit]

I've created https://dfedigital.atlassian.net/browse/EES-5128 to cover this, and added some TODOs to the codebase to reference it.

[benoutram]

Could this be inside the containerApp module rather than in main?

[duncan-at-hiveit]

I've created https://dfedigital.atlassian.net/browse/EES-5128 to cover this, and added a TODO to the codebase to reference it.

[benoutram]

I think we need a new ticket creating on configuring this Azure File Share at some point, in order to mount the data directory.

[duncan-at-hiveit]

I've created https://dfedigital.atlassian.net/browse/EES-5127 to cover this.

[benoutram]

Just wondering if this is still required? If deployContainerApp is true and updatePsqlFlexibleServer is false would this work?

[duncan-at-hiveit]

Yeah, so this is in the situation where updatePsqlFlexibleServer is false. In that case, it's dependent on postgreSqlServerModule being complete before continuing - we have to be explicit about the dependency because we're not using any actual values from the postgreSqlServerModule output in this definition.

If updatePsqlFlexibleServer is true, postgreSqlServerModule will be undefined, and any undefined references in the dependsOn array get ignored, so this module can just deploy immediately.