Fix logger for Azure App Service and update deployment docs

- Fix logger to handle Azure App Service write restrictions - Skip file logging in Azure App Service (console logs captured automatically) - Add deployment scripts for App Service setup - Update documentation with correct resource names - Add Key Vault access request documentation - Add alternative authentication methods for ACR and Key Vault
2026-01-22 00:51:53 +01:00
parent ffce6e8db3
commit b8d7e7a229
7 changed files with 644 additions and 77 deletions
--- a/docs/AZURE-APP-SERVICE-DEPLOYMENT.md
+++ b/docs/AZURE-APP-SERVICE-DEPLOYMENT.md
@@ -5,7 +5,7 @@ Complete deployment guide voor CMDB Insight naar Azure App Service.
 ## 📋 Prerequisites

 - Azure CLI geïnstalleerd en geconfigureerd (`az login`)
- Docker images in ACR: `zdlas.azurecr.io/cmdb-insight/backend:latest` en `frontend:latest`
+- Docker images in ACR: `zdlasacr.azurecr.io/cmdb-insight/backend:latest` en `frontend:latest`
 - Azure DevOps pipeline werkt (images worden automatisch gebouwd)

 ---
@@ -16,7 +16,7 @@ Complete deployment guide voor CMDB Insight naar Azure App Service.

 ```bash
 az group create \
-  --name rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-euwe-rg \
  --location westeurope
 ```

@@ -24,8 +24,8 @@ az group create \

 ```bash
 az appservice plan create \
-  --name plan-cmdb-gui-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-euwe-appsvc \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --sku B1 \
  --is-linux
 ```
@@ -35,32 +35,38 @@ az appservice plan create \
 ```bash
 # Backend
 az webapp create \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
-  --plan plan-cmdb-gui-prod \
-  --deployment-container-image-name zdlas.azurecr.io/cmdb-insight/backend:latest
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --plan zdl-cmdb-insight-prd-euwe-appsvc \
+  --container-image-name zdlasacr.azurecr.io/cmdb-insight/backend:latest

 # Frontend
 az webapp create \
-  --name cmdb-frontend-prod \
-  --resource-group rg-cmdb-gui-prod \
-  --plan plan-cmdb-gui-prod \
-  --deployment-container-image-name zdlas.azurecr.io/cmdb-insight/frontend:latest
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --plan zdl-cmdb-insight-prd-euwe-appsvc \
+  --container-image-name zdlasacr.azurecr.io/cmdb-insight/frontend:latest
 ```

 ### Stap 4: ACR Authentication

 ```bash
 # Enable Managed Identity
-az webapp identity assign --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod
-az webapp identity assign --name cmdb-frontend-prod --resource-group rg-cmdb-gui-prod
+az webapp identity assign --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
+az webapp identity assign --name zdl-cmdb-insight-prd-frontend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg

 # Get Principal IDs
-BACKEND_PRINCIPAL_ID=$(az webapp identity show --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod --query principalId -o tsv)
-FRONTEND_PRINCIPAL_ID=$(az webapp identity show --name cmdb-frontend-prod --resource-group rg-cmdb-gui-prod --query principalId -o tsv)
+BACKEND_PRINCIPAL_ID=$(az webapp identity show \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --query principalId -o tsv)
+FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --query principalId -o tsv)

-# Get ACR Resource ID (vervang <acr-resource-group> met jouw ACR resource group)
-ACR_ID=$(az acr show --name zdlas --query id -o tsv)
+# Get ACR Resource ID
+ACR_ID=$(az acr show --name zdlasacr --query id -o tsv)

 # Grant AcrPull permissions
 az role assignment create --assignee $BACKEND_PRINCIPAL_ID --role AcrPull --scope $ACR_ID
@@ -68,16 +74,14 @@ az role assignment create --assignee $FRONTEND_PRINCIPAL_ID --role AcrPull --sco

 # Configure container settings
 az webapp config container set \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
-  --docker-custom-image-name zdlas.azurecr.io/cmdb-insight/backend:latest \
-  --docker-registry-server-url https://zdlas.azurecr.io
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --docker-registry-server-url https://zdlasacr.azurecr.io

 az webapp config container set \
-  --name cmdb-frontend-prod \
-  --resource-group rg-cmdb-gui-prod \
-  --docker-custom-image-name zdlas.azurecr.io/cmdb-insight/frontend:latest \
-  --docker-registry-server-url https://zdlas.azurecr.io
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --docker-registry-server-url https://zdlasacr.azurecr.io
 ```

 ### Stap 5: Environment Variabelen
@@ -85,8 +89,8 @@ az webapp config container set \
 ```bash
 # Backend (vervang met jouw waarden)
 az webapp config appsettings set \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --settings \
    NODE_ENV=production \
    PORT=3001 \
@@ -94,37 +98,37 @@ az webapp config appsettings set \
    JIRA_SCHEMA_ID=your-schema-id \
    JIRA_PAT=your-pat-token \
    SESSION_SECRET=$(openssl rand -hex 32) \
-    FRONTEND_URL=https://cmdb-frontend-prod.azurewebsites.net
+    FRONTEND_URL=https://zdl-cmdb-insight-prd-frontend-webapp.azurewebsites.net

 # Frontend
 az webapp config appsettings set \
-  --name cmdb-frontend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --settings \
-    VITE_API_URL=https://cmdb-backend-prod.azurewebsites.net/api
+    VITE_API_URL=https://zdl-cmdb-insight-prd-backend-webapp.azurewebsites.net/api
 ```

 ### Stap 6: Start Apps

 ```bash
-az webapp start --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod
-az webapp start --name cmdb-frontend-prod --resource-group rg-cmdb-gui-prod
+az webapp start --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
+az webapp start --name zdl-cmdb-insight-prd-frontend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
 ```

 ### Stap 7: Test

 ```bash
 # Health check
-curl https://cmdb-backend-prod.azurewebsites.net/api/health
+curl https://zdl-cmdb-insight-prd-backend-webapp.azurewebsites.net/api/health

 # Frontend
-curl https://cmdb-frontend-prod.azurewebsites.net
+curl https://zdl-cmdb-insight-prd-frontend-webapp.azurewebsites.net
 ```

 **🎉 Je applicatie is nu live!**

- Frontend: `https://cmdb-frontend-prod.azurewebsites.net`
- Backend API: `https://cmdb-backend-prod.azurewebsites.net/api`
+- Frontend: `https://zdl-cmdb-insight-prd-frontend-webapp.azurewebsites.net`
+- Backend API: `https://zdl-cmdb-insight-prd-backend-webapp.azurewebsites.net/api`

 ---

@@ -136,8 +140,8 @@ Voor productie: gebruik Azure Key Vault voor secrets.

 ```bash
 az keyvault create \
-  --name kv-cmdb-gui-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name kv-cmdb-insight-prod \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --location westeurope \
  --sku standard
 ```
@@ -145,30 +149,53 @@ az keyvault create \
 ### Stap 2: Secrets Toevoegen

 ```bash
-az keyvault secret set --vault-name kv-cmdb-gui-prod --name JiraPat --value "your-token"
-az keyvault secret set --vault-name kv-cmdb-gui-prod --name SessionSecret --value "$(openssl rand -hex 32)"
-az keyvault secret set --vault-name kv-cmdb-gui-prod --name JiraSchemaId --value "your-schema-id"
+az keyvault secret set --vault-name kv-cmdb-insight-prod --name JiraPat --value "your-token"
+az keyvault secret set --vault-name kv-cmdb-insight-prod --name SessionSecret --value "$(openssl rand -hex 32)"
+az keyvault secret set --vault-name kv-cmdb-insight-prod --name JiraSchemaId --value "your-schema-id"
 ```

 ### Stap 3: Grant Access

+**Voor Key Vault met RBAC authorization (aanbevolen):**
+
+```bash
+# Get Key Vault Resource ID
+KV_ID=$(az keyvault show --name zdl-cmdb-insight-prd-kv --query id -o tsv)
+
+# Grant Key Vault Secrets User role to backend
+az role assignment create \
+  --assignee $BACKEND_PRINCIPAL_ID \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+
+# Grant to frontend (if needed)
+az role assignment create \
+  --assignee $FRONTEND_PRINCIPAL_ID \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+```
+
+**Voor Key Vault met Access Policies (oude methode):**
+
 ```bash
 az keyvault set-policy \
-  --name kv-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-kv \
  --object-id $BACKEND_PRINCIPAL_ID \
  --secret-permissions get list
 ```

+**Let op:** Als je de fout krijgt "Cannot set policies to a vault with '--enable-rbac-authorization'", gebruik dan de RBAC methode hierboven.
+
 ### Stap 4: Configure App Settings met Key Vault References

 ```bash
 az webapp config appsettings set \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --settings \
-    JIRA_PAT="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-gui-prod.vault.azure.net/secrets/JiraPat/)" \
-    SESSION_SECRET="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-gui-prod.vault.azure.net/secrets/SessionSecret/)" \
-    JIRA_SCHEMA_ID="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-gui-prod.vault.azure.net/secrets/JiraSchemaId/)"
+    JIRA_PAT="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-insight-prod.vault.azure.net/secrets/JiraPat/)" \
+    SESSION_SECRET="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-insight-prod.vault.azure.net/secrets/SessionSecret/)" \
+    JIRA_SCHEMA_ID="@Microsoft.KeyVault(SecretUri=https://kv-cmdb-insight-prod.vault.azure.net/secrets/JiraSchemaId/)"
 ```

 ---
@@ -180,21 +207,21 @@ az webapp config appsettings set \
 ```bash
 # Create Application Insights
 az monitor app-insights component create \
-  --app cmdb-gui-prod \
+  --app cmdb-insight-prod \
  --location westeurope \
-  --resource-group rg-cmdb-gui-prod \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --application-type web

 # Get Instrumentation Key
 INSTRUMENTATION_KEY=$(az monitor app-insights component show \
-  --app cmdb-gui-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --app cmdb-insight-prod \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --query instrumentationKey -o tsv)

 # Configure App Settings
 az webapp config appsettings set \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --settings \
    APPINSIGHTS_INSTRUMENTATIONKEY=$INSTRUMENTATION_KEY
 ```
@@ -207,8 +234,8 @@ az webapp config appsettings set \

 ```bash
 # Restart Web Apps (pull nieuwe latest image)
-az webapp restart --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod
-az webapp restart --name cmdb-frontend-prod --resource-group rg-cmdb-gui-prod
+az webapp restart --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
+az webapp restart --name zdl-cmdb-insight-prd-frontend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
 ```

 ### Optie 2: Deployment Slots (Zero-Downtime)
@@ -216,14 +243,14 @@ az webapp restart --name cmdb-frontend-prod --resource-group rg-cmdb-gui-prod
 ```bash
 # Create staging slot
 az webapp deployment slot create \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --slot staging

 # Deploy to staging
 az webapp deployment slot swap \
-  --name cmdb-backend-prod \
-  --resource-group rg-cmdb-gui-prod \
+  --name zdl-cmdb-insight-prd-backend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --slot staging \
  --target-slot production
 ```
@@ -236,22 +263,22 @@ az webapp deployment slot swap \

 ```bash
 # Live logs
-az webapp log tail --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod
+az webapp log tail --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg

 # Download logs
-az webapp log download --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod --log-file logs.zip
+az webapp log download --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg --log-file logs.zip
 ```

 ### Check Status

 ```bash
-az webapp show --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod --query state
+az webapp show --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg --query state
 ```

 ### Restart App

 ```bash
-az webapp restart --name cmdb-backend-prod --resource-group rg-cmdb-gui-prod
+az webapp restart --name zdl-cmdb-insight-prd-backend-webapp --resource-group zdl-cmdb-insight-prd-euwe-rg
 ```

 ---
--- a/docs/KEY-VAULT-ACCESS-REQUEST.md
+++ b/docs/KEY-VAULT-ACCESS-REQUEST.md
@@ -0,0 +1,101 @@
+# Key Vault Access Request - For Administrators
+
+## 📋 Request Information
+
+**Requested by:** adm_bhausmans@zuyderland.nl  
+**Date:** $(date +%Y-%m-%d)  
+**Purpose:** Grant App Services access to Key Vault for CMDB Insight deployment
+
+## 🔐 Key Vault Details
+
+- **Key Vault Name:** `zdl-cmdb-insight-prd-kv`
+- **Resource Group:** `zdl-cmdb-insight-prd-euwe-rg`
+- **Key Vault ID:** `/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv`
+
+## 🎯 Required Access
+
+**Role:** `Key Vault Secrets User`  
+**Scope:** Key Vault resource  
+**Purpose:** Allow App Services to read secrets from Key Vault
+
+## 📱 App Service Principal IDs
+
+### Backend Web App
+- **App Name:** `zdl-cmdb-insight-prd-backend-webapp`
+- **Principal ID:** `6bd8373f-f734-4d21-84f2-776fd11b17ae`
+
+### Frontend Web App
+- **App Name:** `zdl-cmdb-insight-prd-frontend-webapp`
+- **Principal ID:** *(Get with command below)*
+
+## 🚀 Commands for Administrator
+
+### Option 1: Use the Script (Recommended)
+
+```bash
+cd /path/to/cmdb-insight
+./scripts/grant-keyvault-access-admin.sh
+```
+
+### Option 2: Manual Commands
+
+```bash
+# Get Key Vault Resource ID
+KV_ID=$(az keyvault show \
+  --name zdl-cmdb-insight-prd-kv \
+  --query id -o tsv)
+
+# Get Frontend Principal ID (if needed)
+FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --query principalId -o tsv)
+
+# Grant access to Backend
+az role assignment create \
+  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+
+# Grant access to Frontend (if needed)
+az role assignment create \
+  --assignee $FRONTEND_PRINCIPAL_ID \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+```
+
+### Option 3: Via Azure Portal
+
+1. Navigate to Key Vault: `zdl-cmdb-insight-prd-kv`
+2. Go to **Access control (IAM)**
+3. Click **Add** → **Add role assignment**
+4. Select role: **Key Vault Secrets User**
+5. Assign access to: **Managed identity**
+6. Select members:
+   - Backend: `zdl-cmdb-insight-prd-backend-webapp`
+   - Frontend: `zdl-cmdb-insight-prd-frontend-webapp`
+7. Click **Review + assign**
+
+## ✅ Verification
+
+After granting access, verify with:
+
+```bash
+# Check role assignments
+az role assignment list \
+  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
+  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
+  --output table
+```
+
+## 📝 Notes
+
+- Key Vault uses **RBAC authorization** (not access policies)
+- The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
+- This is the recommended approach for production deployments
+- Access is granted via Managed Identity (no credentials stored)
+
+## 🔗 Related Documentation
+
+- `docs/AZURE-APP-SERVICE-DEPLOYMENT.md` - Complete deployment guide
+- `scripts/grant-keyvault-access-admin.sh` - Automated script for admins