Update blog 5.4: add IdentityServer Admin app (8 resources, 3 Web Apps)

Author: workcontrolgit

blogs/series-5-devops-data/5.4-azure-bicep-infrastructure.md

@@ -6,7 +6,7 @@ Clicking through the Azure Portal to create seven resources manually is slow, er
 
 Azure Bicep solves this. One file describes the desired state. One command creates everything. Run it again and Azure updates only what changed. The same template creates both a dev environment and a production environment identically.
 
-This article walks through the Bicep templates that provision the full Talent Management stack — App Service Plan, two Web Apps, a Static Web App, a shared SQL Server, and two databases — and runs the deployment against a real Azure subscription.
+This article walks through the Bicep templates that provision the full Talent Management stack — App Service Plan, three Web Apps, a Static Web App, a shared SQL Server, and two databases — and runs the deployment against a real Azure subscription.
 
 ![Azure Resources Created](https://raw.githubusercontent.com/workcontrolgit/AngularNetTutorial/master/docs/images/webapi/swagger-api-endpoints.png)
 
@@ -25,7 +25,7 @@ This article is part of the **AngularNetTutorial** series. The full-stack tutori
 * **`@secure()` parameters** — how to pass SQL passwords without storing them in files
 * **CAF naming convention** — why resources are named `app-talent-api-dev` and not `myapp1`
 * **Bicep outputs** — how deployed URLs flow into GitHub Actions workflows
-* **`az deployment group create`** — the one command that provisions all seven resources
+* **`az deployment group create`** — the one command that provisions all eight resources
 
 ---
 
@@ -56,7 +56,7 @@ The Azure Portal is a point-and-click interface. Every decision you make — whi
 * **No repeatability** — no way to recreate an environment identically
 * **No history** — changes to resources aren't tracked in git
 * **No review** — no pull request for a resource configuration change
-* **Slow** — creating seven resources manually takes 30+ minutes
+* **Slow** — creating eight resources manually takes 30+ minutes
 
 ---
 
@@ -84,7 +84,7 @@ infra/
 ├── main.bicep                  ← entry point, composes all modules
 ├── modules/
 │   ├── appServicePlan.bicep    ← B1 App Service Plan
-│   ├── webApp.bicep            ← reusable Web App (used for API and IdentityServer)
+│   ├── webApp.bicep            ← reusable Web App (used for API, IdentityServer STS, and Admin)
 │   ├── staticWebApp.bicep      ← Angular client, Free tier
 │   └── sqlServer.bicep         ← logical server + 2 databases
 └── parameters/
@@ -119,10 +119,29 @@ module apiApp 'modules/webApp.bicep' = {
   }
 }
 
-// ... identityApp, angularSwa, sqlServer modules ...
+module identityApp 'modules/webApp.bicep' = {
+  name: 'identityApp'
+  params: {
+    webAppName: identityAppName
+    location: location
+    appServicePlanId: appServicePlan.outputs.id
+  }
+}
+
+module identityAdminApp 'modules/webApp.bicep' = {
+  name: 'identityAdminApp'
+  params: {
+    webAppName: identityAdminAppName
+    location: location
+    appServicePlanId: appServicePlan.outputs.id
+  }
+}
+
+// ... angularSwa, sqlServer modules ...
 
 output apiAppUrl string = apiApp.outputs.url
 output identityAppUrl string = identityApp.outputs.url
+output identityAdminAppUrl string = identityAdminApp.outputs.url
 output angularAppUrl string = angularSwa.outputs.url
 ```
 
@@ -260,14 +279,15 @@ resource apiDatabase 'Microsoft.Sql/servers/databases@2023-05-01-preview' = {
 
 using '../main.bicep'
 
-param appServicePlanName = 'asp-talent-b1-dev'
-param apiAppName         = 'app-talent-api-dev'
-param identityAppName    = 'app-talent-ids-dev'
-param staticWebAppName   = 'swa-talent-ui-dev'
-param sqlServerName      = 'sql-talent-dev'
-param apiDbName          = 'sqldb-talent-api-dev'
-param identityDbName     = 'sqldb-talent-ids-dev'
-param sqlAdminLogin      = 'sqladmin'
+param appServicePlanName   = 'asp-talent-b1-dev'
+param apiAppName           = 'app-talent-api-dev'
+param identityAppName      = 'app-talent-ids-dev'
+param identityAdminAppName = 'app-talent-admin-dev'
+param staticWebAppName     = 'swa-talent-ui-dev'
+param sqlServerName        = 'sql-talent-dev'
+param apiDbName            = 'sqldb-talent-api-dev'
+param identityDbName       = 'sqldb-talent-ids-dev'
+param sqlAdminLogin        = 'sqladmin'
 
 // sqlAdminPassword is NOT here — pass it at deploy time
 ```
@@ -292,7 +312,7 @@ az group create \
   --location eastus
 ```
 
-Deploy all seven resources:
+Deploy all eight resources:
 
 ```bash
 az deployment group create \
@@ -331,19 +351,19 @@ az resource list \
   --output table
 ```
 
-You should see seven resources: one App Service Plan, two Web Apps, one Static Site, one SQL Server, and two SQL Databases.
+You should see eight resources: one App Service Plan, three Web Apps, one Static Site, one SQL Server, and two SQL Databases.
 
 Navigate to each Web App in the Portal (`portal.azure.com → App Services → app-talent-api-dev`) and confirm the URL opens — it will show a default "Your web app is running" page until the .NET application is deployed in Article 5.6.
 
 ---
 
 ## 🔑 Key Design Decisions
 
-**One shared App Service Plan for both .NET apps.** Azure charges at the App Service Plan level, not per Web App. Running two Web Apps on one B1 plan costs the same as running one Web App on that plan. Separate plans would double the compute cost for no benefit at this scale.
+**One shared App Service Plan for all three .NET apps.** Azure charges at the App Service Plan level, not per Web App. Running three Web Apps (API, IdentityServer STS, and IdentityServer Admin) on one B1 plan costs the same as running one. Separate plans would triple the compute cost for no benefit at this scale.
 
 **`@secure()` for SQL password — never in the parameters file.** Bicep's `@secure()` decorator marks a parameter as sensitive. The value is excluded from deployment logs and history. Passing it via `--parameters sqlAdminPassword="$SQL_ADMIN_PASSWORD"` at deploy time, sourced from an environment variable or GitHub Secret, ensures the password never touches source control.
 
-**Bicep outputs over hardcoded URLs.** `main.bicep` outputs `apiAppUrl`, `identityAppUrl`, and `angularAppUrl`. GitHub Actions workflows read these outputs instead of hardcoding URLs — if the resource name changes, the URLs update automatically.
+**Bicep outputs over hardcoded URLs.** `main.bicep` outputs `apiAppUrl`, `identityAppUrl`, `identityAdminAppUrl`, and `angularAppUrl`. GitHub Actions workflows read these outputs instead of hardcoding URLs — if the resource name changes, the URLs update automatically.
 
 **`skipGithubActionWorkflowGeneration: true` on Static Web App.** Azure would auto-generate a GitHub Actions file and commit it to the repository. The custom workflow in Article 5.7 handles environment variable injection that the auto-generated workflow cannot. Skipping auto-generation prevents a generated workflow from conflicting with the custom one.
 
@@ -355,7 +375,7 @@ Navigate to each Web App in the Portal (`portal.azure.com → App Services → a
 
 Infrastructure as Code is not just a DevOps practice — it is documentation. Every resource configuration, every SKU choice, every firewall rule is in source control and can be reviewed, questioned, and approved through a pull request. The Bicep files in this article are the complete specification of what is running in Azure.
 
-The module pattern — one reusable `webApp.bicep` used for both the API and IdentityServer — demonstrates a core Bicep principle: parameterize what varies, fix what doesn't. Adding a third Web App to this infrastructure requires one additional module call and one additional parameter. The module itself does not change.
+The module pattern — one reusable `webApp.bicep` used for the API, IdentityServer STS, and IdentityServer Admin — demonstrates a core Bicep principle: parameterize what varies, fix what doesn't. Adding another Web App requires one additional module call and one additional parameter. The module itself does not change.
 
 **Transferable skills:**