Fix logger for Azure App Service and update deployment docs

- Fix logger to handle Azure App Service write restrictions - Skip file logging in Azure App Service (console logs captured automatically) - Add deployment scripts for App Service setup - Update documentation with correct resource names - Add Key Vault access request documentation - Add alternative authentication methods for ACR and Key Vault
2026-01-22 00:51:53 +01:00
parent ffce6e8db3
commit b8d7e7a229
7 changed files with 644 additions and 77 deletions
--- a/docs/KEY-VAULT-ACCESS-REQUEST.md
+++ b/docs/KEY-VAULT-ACCESS-REQUEST.md
@@ -0,0 +1,101 @@
+# Key Vault Access Request - For Administrators
+
+## 📋 Request Information
+
+**Requested by:** adm_bhausmans@zuyderland.nl  
+**Date:** $(date +%Y-%m-%d)  
+**Purpose:** Grant App Services access to Key Vault for CMDB Insight deployment
+
+## 🔐 Key Vault Details
+
+- **Key Vault Name:** `zdl-cmdb-insight-prd-kv`
+- **Resource Group:** `zdl-cmdb-insight-prd-euwe-rg`
+- **Key Vault ID:** `/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv`
+
+## 🎯 Required Access
+
+**Role:** `Key Vault Secrets User`  
+**Scope:** Key Vault resource  
+**Purpose:** Allow App Services to read secrets from Key Vault
+
+## 📱 App Service Principal IDs
+
+### Backend Web App
+- **App Name:** `zdl-cmdb-insight-prd-backend-webapp`
+- **Principal ID:** `6bd8373f-f734-4d21-84f2-776fd11b17ae`
+
+### Frontend Web App
+- **App Name:** `zdl-cmdb-insight-prd-frontend-webapp`
+- **Principal ID:** *(Get with command below)*
+
+## 🚀 Commands for Administrator
+
+### Option 1: Use the Script (Recommended)
+
+```bash
+cd /path/to/cmdb-insight
+./scripts/grant-keyvault-access-admin.sh
+```
+
+### Option 2: Manual Commands
+
+```bash
+# Get Key Vault Resource ID
+KV_ID=$(az keyvault show \
+  --name zdl-cmdb-insight-prd-kv \
+  --query id -o tsv)
+
+# Get Frontend Principal ID (if needed)
+FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
+  --name zdl-cmdb-insight-prd-frontend-webapp \
+  --resource-group zdl-cmdb-insight-prd-euwe-rg \
+  --query principalId -o tsv)
+
+# Grant access to Backend
+az role assignment create \
+  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+
+# Grant access to Frontend (if needed)
+az role assignment create \
+  --assignee $FRONTEND_PRINCIPAL_ID \
+  --role "Key Vault Secrets User" \
+  --scope $KV_ID
+```
+
+### Option 3: Via Azure Portal
+
+1. Navigate to Key Vault: `zdl-cmdb-insight-prd-kv`
+2. Go to **Access control (IAM)**
+3. Click **Add** → **Add role assignment**
+4. Select role: **Key Vault Secrets User**
+5. Assign access to: **Managed identity**
+6. Select members:
+   - Backend: `zdl-cmdb-insight-prd-backend-webapp`
+   - Frontend: `zdl-cmdb-insight-prd-frontend-webapp`
+7. Click **Review + assign**
+
+## ✅ Verification
+
+After granting access, verify with:
+
+```bash
+# Check role assignments
+az role assignment list \
+  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
+  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
+  --output table
+```
+
+## 📝 Notes
+
+- Key Vault uses **RBAC authorization** (not access policies)
+- The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
+- This is the recommended approach for production deployments
+- Access is granted via Managed Identity (no credentials stored)
+
+## 🔗 Related Documentation
+
+- `docs/AZURE-APP-SERVICE-DEPLOYMENT.md` - Complete deployment guide
+- `scripts/grant-keyvault-access-admin.sh` - Automated script for admins