Merge pull request #13 from workcontrolgit/develop

Update blog 5.6: complete App Service settings reference and workflow fixes

Author: workcontrolgit

.github/workflows/deploy-api.yml

@@ -62,20 +62,19 @@ jobs:
 
       - name: Configure App Service settings
         env:
-          API_CONN: ${{ secrets.API_DB_CONNECTION_STRING }}
           IDS_URL: ${{ secrets.IDENTITY_SERVER_URL }}
-          JWT_KEY: ${{ secrets.JWT_KEY }}
           ANGULAR_URL: ${{ secrets.ANGULAR_APP_URL }}
+          KV_URI: ${{ secrets.KEY_VAULT_URI }}
         run: |
           az webapp config appsettings set \
             --resource-group ${{ env.RESOURCE_GROUP }} \
             --name ${{ env.APP_SERVICE_NAME }} \
             --settings \
-              "ConnectionStrings__DefaultConnection=$API_CONN" \
+              "ConnectionStrings__DefaultConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--DefaultConnection)" \
+              "JWTSettings__Key=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/JWTSettings--Key)" \
               "Sts__ServerUrl=$IDS_URL" \
               "Sts__ValidIssuer=$IDS_URL" \
               "Sts__Audience=app.api.talentmanagement" \
-              "JWTSettings__Key=$JWT_KEY" \
               "JWTSettings__Issuer=CoreIdentity" \
               "JWTSettings__Audience=CoreIdentityUser" \
               "JWTSettings__DurationInMinutes=60" \

.github/workflows/deploy-identityserver.yml

@@ -72,18 +72,18 @@ jobs:
 
       - name: Configure STS App Service settings
         env:
-          IDS_CONN: ${{ secrets.IDS_DB_CONNECTION_STRING }}
           IDS_URL: ${{ secrets.IDENTITY_SERVER_URL }}
           ADMIN_URL: ${{ secrets.IDENTITY_ADMIN_URL }}
+          KV_URI: ${{ secrets.KEY_VAULT_URI }}
         run: |
           az webapp config appsettings set \
             --resource-group ${{ env.RESOURCE_GROUP }} \
             --name ${{ env.APP_SERVICE_NAME }} \
             --settings \
-              "ConnectionStrings__ConfigurationDbConnection=$IDS_CONN" \
-              "ConnectionStrings__PersistedGrantDbConnection=$IDS_CONN" \
-              "ConnectionStrings__IdentityDbConnection=$IDS_CONN" \
-              "ConnectionStrings__DataProtectionDbConnection=$IDS_CONN" \
+              "ConnectionStrings__ConfigurationDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__PersistedGrantDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__IdentityDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__DataProtectionDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
               "AdminConfiguration__IdentityServerBaseUrl=$IDS_URL" \
               "AdminConfiguration__IdentityAdminBaseUrl=$ADMIN_URL" \
               "CspTrustedDomains__0=www.gravatar.com" \
@@ -95,20 +95,20 @@ jobs:
 
       - name: Configure Admin App Service settings
         env:
-          IDS_CONN: ${{ secrets.IDS_DB_CONNECTION_STRING }}
           IDS_URL: ${{ secrets.IDENTITY_SERVER_URL }}
           ADMIN_URL: ${{ secrets.IDENTITY_ADMIN_URL }}
+          KV_URI: ${{ secrets.KEY_VAULT_URI }}
         run: |
           az webapp config appsettings set \
             --resource-group ${{ env.RESOURCE_GROUP }} \
             --name ${{ env.ADMIN_APP_SERVICE_NAME }} \
             --settings \
-              "ConnectionStrings__ConfigurationDbConnection=$IDS_CONN" \
-              "ConnectionStrings__PersistedGrantDbConnection=$IDS_CONN" \
-              "ConnectionStrings__IdentityDbConnection=$IDS_CONN" \
-              "ConnectionStrings__AdminLogDbConnection=$IDS_CONN" \
-              "ConnectionStrings__AdminAuditLogDbConnection=$IDS_CONN" \
-              "ConnectionStrings__DataProtectionDbConnection=$IDS_CONN" \
+              "ConnectionStrings__ConfigurationDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__PersistedGrantDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__IdentityDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__AdminLogDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__AdminAuditLogDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
+              "ConnectionStrings__DataProtectionDbConnection=@Microsoft.KeyVault(SecretUri=${KV_URI}secrets/ConnectionStrings--IdsDbConnection)" \
               "AdminConfiguration__IdentityServerBaseUrl=$IDS_URL" \
               "AdminConfiguration__IdentityAdminRedirectUri=$ADMIN_URL/signin-oidc" \
               "SeedConfiguration__ApplySeed=false" \

blogs/series-5-devops-data/5.6-azure-deploy-dotnet-apps.md

@@ -82,6 +82,8 @@ https://app-talent-ids-dev.azurewebsites.net
 ```
 
 * **`JWT_KEY`** — the symmetric key used by the API's local JWT authentication (copy from `appsettings.json` → `JWTSettings.Key`)
+* **`ANGULAR_APP_URL`** — the Azure Static Web App URL (e.g. `https://mango-flower-0ced4011e.4.azurestaticapps.net`) — added to API CORS allowed origins
+* **`IDENTITY_ADMIN_URL`** — the IdentityServer Admin UI URL (e.g. `https://app-talent-admin-dev.azurewebsites.net`) — used by STS and Admin app configuration
 
 **Retrieve the connection strings from the Bicep outputs:**
 
@@ -190,23 +192,86 @@ This is the OIDC exchange described in Article 5.5. After this step, all subsequ
 
 ```yaml
 - name: Configure App Service settings
+  env:
+    API_CONN: ${{ secrets.API_DB_CONNECTION_STRING }}
+    IDS_URL: ${{ secrets.IDENTITY_SERVER_URL }}
+    JWT_KEY: ${{ secrets.JWT_KEY }}
+    ANGULAR_URL: ${{ secrets.ANGULAR_APP_URL }}
   run: |
     az webapp config appsettings set \
       --resource-group ${{ env.RESOURCE_GROUP }} \
       --name ${{ env.APP_SERVICE_NAME }} \
       --settings \
-        "ConnectionStrings__DefaultConnection=${{ secrets.API_DB_CONNECTION_STRING }}" \
-        "Sts__ServerUrl=${{ secrets.IDENTITY_SERVER_URL }}" \
-        "Sts__ValidIssuer=${{ secrets.IDENTITY_SERVER_URL }}" \
+        "ConnectionStrings__DefaultConnection=$API_CONN" \
+        "Sts__ServerUrl=$IDS_URL" \
+        "Sts__ValidIssuer=$IDS_URL" \
         "Sts__Audience=app.api.talentmanagement" \
-        "JWTSettings__Key=${{ secrets.JWT_KEY }}" \
+        "JWTSettings__Key=$JWT_KEY" \
+        "JWTSettings__Issuer=CoreIdentity" \
+        "JWTSettings__Audience=CoreIdentityUser" \
+        "JWTSettings__DurationInMinutes=60" \
+        "FeatureManagement__AuthEnabled=true" \
+        "Cors__AllowedOrigins__0=$ANGULAR_URL" \
+        "Cors__AllowedOrigins__1=https://workcontrolgit.github.io" \
         "ASPNETCORE_ENVIRONMENT=Production"
 ```
 
+**Why `env:` block instead of `${{ secrets.X }}` inline?** Bash strips characters after `$` followed by a digit — a password like `Abc$9xyz` becomes `Abcxyz` when interpolated inline in a shell script. Mapping secrets to environment variables in the `env:` block and referencing them as `$API_CONN` avoids this. Always use `env:` when passing secrets into shell commands.
+
 App Service uses double underscores (`__`) to represent the `:` separator in .NET configuration keys. `ConnectionStrings__DefaultConnection` maps to `ConnectionStrings:DefaultConnection` in the .NET configuration system, which in turn maps to `appsettings.json`'s `ConnectionStrings.DefaultConnection`. This is the standard pattern for hierarchical configuration in Azure App Service.
 
 `ASPNETCORE_ENVIRONMENT=Production` causes ASP.NET Core to merge `appsettings.Production.json` (if it exists) on top of `appsettings.json`, then apply App Service settings on top of that. App Service settings always win — they cannot be overridden by a file in the deployment package.
 
+### Complete App Service Settings Reference
+
+All settings injected by the GitHub Actions workflows, cross-referenced against the live Azure environment.
+
+**API App (`app-talent-api-dev`):**
+
+* **`ConnectionStrings__DefaultConnection`** — Azure SQL connection string for the API database — source: `API_DB_CONNECTION_STRING` GitHub Secret
+* **`Sts__ServerUrl`** — IdentityServer URL used to fetch the OIDC discovery document — source: `IDENTITY_SERVER_URL` Secret
+* **`Sts__ValidIssuer`** — Expected `iss` claim in incoming JWT tokens — source: `IDENTITY_SERVER_URL` Secret
+* **`Sts__Audience`** — Expected `aud` claim — hardcoded: `app.api.talentmanagement`
+* **`JWTSettings__Key`** — Symmetric signing key for the API's own JWT issuance — source: `JWT_KEY` Secret
+* **`JWTSettings__Issuer`** — Issuer name in API-issued tokens — hardcoded: `CoreIdentity`
+* **`JWTSettings__Audience`** — Audience in API-issued tokens — hardcoded: `CoreIdentityUser`
+* **`JWTSettings__DurationInMinutes`** — Token lifetime — hardcoded: `60`
+* **`FeatureManagement__AuthEnabled`** — Enables JWT authentication globally — hardcoded: `true`
+* **`Cors__AllowedOrigins__0`** — Azure SWA URL — source: `ANGULAR_APP_URL` Secret
+* **`Cors__AllowedOrigins__1`** — GitHub Pages URL — hardcoded: `https://workcontrolgit.github.io`
+* **`ASPNETCORE_ENVIRONMENT`** — Runtime environment — hardcoded: `Production`
+
+**IdentityServer STS (`app-talent-ids-dev`):**
+
+* **`ConnectionStrings__ConfigurationDbConnection`** — Clients, scopes, resources — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__PersistedGrantDbConnection`** — Tokens, sessions, grants — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__IdentityDbConnection`** — User accounts (ASP.NET Identity) — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__DataProtectionDbConnection`** — ASP.NET Data Protection keys — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`AdminConfiguration__IdentityServerBaseUrl`** — STS own public URL (used by Admin) — source: `IDENTITY_SERVER_URL` Secret
+* **`AdminConfiguration__IdentityAdminBaseUrl`** — Admin UI URL (used for back-channel links) — source: `IDENTITY_ADMIN_URL` Secret
+* **`CspTrustedDomains__0`** — hardcoded: `www.gravatar.com` (user avatars)
+* **`CspTrustedDomains__1`** — hardcoded: `fonts.googleapis.com`
+* **`CspTrustedDomains__2`** — hardcoded: `fonts.gstatic.com`
+* **`CspTrustedDomains__3`** — hardcoded: `workcontrolgit.github.io` (GitHub Pages Angular)
+* **`CspTrustedDomains__4`** — hardcoded: `mango-flower-0ced4011e.4.azurestaticapps.net` (Azure SWA Angular)
+* **`ASPNETCORE_ENVIRONMENT`** — hardcoded: `Production`
+
+**IdentityServer Admin (`app-talent-admin-dev`):**
+
+* **`ConnectionStrings__ConfigurationDbConnection`** — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__PersistedGrantDbConnection`** — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__IdentityDbConnection`** — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__AdminLogDbConnection`** — Admin action logs — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__AdminAuditLogDbConnection`** — Audit trail — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`ConnectionStrings__DataProtectionDbConnection`** — source: `IDS_DB_CONNECTION_STRING` Secret
+* **`AdminConfiguration__IdentityServerBaseUrl`** — STS URL for Admin to authenticate against — source: `IDENTITY_SERVER_URL` Secret
+* **`AdminConfiguration__IdentityAdminRedirectUri`** — OIDC callback URL for the Admin UI — source: `IDENTITY_ADMIN_URL` Secret + `/signin-oidc`
+* **`SeedConfiguration__ApplySeed`** — Prevents re-seeding on every deploy — hardcoded: `false`
+* **`DatabaseMigrationsConfiguration__ApplyDatabaseMigrations`** — Prevents auto-migration on deploy — hardcoded: `false`
+* **`ASPNETCORE_ENVIRONMENT`** — hardcoded: `Production`
+
+**⚠️ Stale settings to be aware of:** Running `az webapp config appsettings list` against the live apps may show additional settings not managed by the workflow — for example `CorsOrigins` (an older duplicate of `Cors__AllowedOrigins__0`) or `ASPNETCORE_DETAILEDERRORS` set manually during debugging. Settings set outside the workflow are not removed by subsequent workflow runs — only values for keys the workflow explicitly sets are updated. Remove stale settings manually via the Portal or `az webapp config appsettings delete`.
+
 **Deploy:**
 
 ```yaml
@@ -233,16 +298,26 @@ paths:
 
 IdentityServer changes trigger this workflow; API changes do not.
 
-**App Service settings for IdentityServer:**
+**App Service settings for IdentityServer STS (using `env:` block):**
 
 ```yaml
-"ConnectionStrings__ConfigurationDbConnection=${{ secrets.IDS_DB_CONNECTION_STRING }}"
-"ConnectionStrings__PersistedGrantDbConnection=${{ secrets.IDS_DB_CONNECTION_STRING }}"
-"ConnectionStrings__IdentityDbConnection=${{ secrets.IDS_DB_CONNECTION_STRING }}"
-"AdminConfiguration__IdentityServerBaseUrl=${{ secrets.IDENTITY_SERVER_URL }}"
+- name: Configure STS App Service settings
+  env:
+    IDS_CONN: ${{ secrets.IDS_DB_CONNECTION_STRING }}
+    IDS_URL: ${{ secrets.IDENTITY_SERVER_URL }}
+    ADMIN_URL: ${{ secrets.IDENTITY_ADMIN_URL }}
+  run: |
+    az webapp config appsettings set \
+      --settings \
+        "ConnectionStrings__ConfigurationDbConnection=$IDS_CONN" \
+        "ConnectionStrings__PersistedGrantDbConnection=$IDS_CONN" \
+        "ConnectionStrings__IdentityDbConnection=$IDS_CONN" \
+        "ConnectionStrings__DataProtectionDbConnection=$IDS_CONN" \
+        "AdminConfiguration__IdentityServerBaseUrl=$IDS_URL" \
+        "AdminConfiguration__IdentityAdminBaseUrl=$ADMIN_URL"
 ```
 
-IdentityServer uses three different connection string keys — `ConfigurationDbConnection` (clients, scopes), `PersistedGrantDbConnection` (tokens, sessions), and `IdentityDbConnection` (user accounts). All three point to the same Azure SQL database (`sqldb-talent-ids-dev`) in this tutorial. In production, separating them is common.
+IdentityServer uses four different connection string keys — `ConfigurationDbConnection` (clients, scopes), `PersistedGrantDbConnection` (tokens, sessions), `IdentityDbConnection` (user accounts), and `DataProtectionDbConnection` (ASP.NET Data Protection keys). All four point to the same Azure SQL database (`sqldb-talent-ids-dev`) in this tutorial. In production, separating them onto dedicated databases is common. The same `$IDS_CONN` value is reused for all four — the `env:` block means the secret is only referenced once.
 
 ### Step 5: Deployment Order