Merge remote-tracking branch 'origin/vNext-Dev' into joshuakr/7569-Ba…

…ckend-TestClient

app/frontend/vite.config.ts

@@ -8,7 +8,10 @@ export default defineConfig({
     build: {
         outDir: "../backend/static",
         emptyOutDir: true,
-        sourcemap: true
+        sourcemap: true,
+        rollupOptions: {
+            external: ['__vite-browser-external']
+        } 
     },
     server: {
         proxy: {

docs/deployment/deployment.md

@@ -166,6 +166,10 @@ run-data-migration           Run the data migration moving data from one resourc
 manual-inf-destroy           A command triggered by a user to destroy a resource group, associated resources, and related Entra items
 ```
 
+## Configure AD app registration ( manual steps )
+
+If you have insufficient permissions at the tenant level (Application Administrator Entra Role), follow the guide to complete the deployment [manual app registration](/docs/deployment/manual_app_registration.md).
+
 ## Configure authentication and authorization
 
 If you have chosen to enable authentication and authorization for your deployment by setting the environment variable `REQUIRE_WEBSITE_SECURITY_MEMBERSHIP` to `true`, you will need to configure it at this point. Please see [Known Issues](/docs/knownissues.md#error-your-adminstrator-has-configured-the-application-infoasst_web_access_xxxxx-to-block-users) section for guidance on how to configure.

docs/deployment/manual_app_registration.md

@@ -0,0 +1,82 @@
+# App Registration Creation Guide
+
+If you are unable to obtain the permission at the tenant level described in [Azure account requirements](https://github.com/microsoft/PubSec-Info-Assistant/tree/v1.0?tab=readme-ov-file#azure-account-requirements), you can follow the guidance below to create a manual app registration.
+
+## Tenant Administrator: Manual steps to create app registrations
+
+Here are the details of each step:
+
+### 1. Create a Random Sequence File
+
+Manually create a random string for your environment, which should be a 1 to 5 character sequence. The value must be a combination of letters a-z, A-Z, or numbers 0-9.
+
+### 2. Have the Tenant Administrator Should Create Two AD App Registrations
+
+An Administrator in the tenant would need to create two Azure AD App Registrations and Service Principals for you manually.
+
+#### First AD App Registration: Securing the Information Assistant Web Application
+
+The first AD App Registration will be used to secure the Information Assistant web application and will need to ensure the following settings:
+
+##### Azure AD App Registration**
+
+| Setting | Value |
+|---|---|
+| name | `infoasst_web_access_<<random_string_from_above>>` |
+| sign-in-audience | AzureADMyOrg |
+| identifier-uris | `api://infoasst-<<random_string_from_above>>` |
+| web-redirect-uris | `https://infoasst-web-<<random_string_from_above>>.azurewebsites.net/.auth/login/aad/callback` |
+| enable-access-token-issuance | true |
+| enable-id-token-issuance | true |
+
+#### Azure AD Enterprise Application (optional)
+
+If you desire to have the Information Assistant website secured by explicit membership, then the following settings will need to be updated:
+
+| Setting | Value |
+|---|---|
+| name | `infoasst_web_access_<<random_string_from_above>>` |
+| appRoleAssignmentRequired | true |
+
+#### Second AD App Registration: Querying Azure Management Plane APIs
+
+The second AD App Registration will be used to query the Azure management plane APIs for Azure service details. It needs the following settings:
+
+##### Azure AD App Registration
+
+| Setting | Value |
+|---|---|
+| name | `infoasst_mgmt_access_<<random_string_from_above>>` |
+| sign-in-audience | AzureADMyOrg |
+
+### 3.  Information to obtain from Tenant Administrator
+
+You will need to obtain the following information from your tenant Administrator to continue:
+
+- Web Access App Registration Client ID (guid)
+- Web Access Service Principal ID (guid)
+- Management Access App Registration Client ID (guid)
+- Management Access Service Principal ID (guid)
+- Management Access App Registration Client Secret (string)
+
+These values will be used to update the code in the infrastructure deployment section.
+
+### 4.  Adjust code in infrastructure deployment
+
+In the file `scripts/inf-create.sh`, between lines 63 - 69, you would need to uncomment the code  and update parameters with values provided by your tenant Administrator.
+
+```
+export TF_VAR_isInAutomation=true
+export TF_VAR_aadWebClientId=""
+export TF_VAR_aadMgmtClientId=""
+export TF_VAR_aadMgmtServicePrincipalId=""
+export TF_VAR_aadMgmtClientSecret=""
+```
+
+### 5. Resume the deployment as per the deployment procedure
+
+After completing the step4, you can resume back the deployment steps mentioned the documentation
+
+### 6: Update the AD App Registration
+
+Once Terraform completes the deployment of the infrastructure, update the `identifier-uris` and `web-redirect-uris` with the newly generated random_string created during the Terraform deployment.

infra/core/storage/storage-account.tf

@@ -12,6 +12,7 @@ resource "azurerm_storage_account" "storage" {
   access_tier              = var.accessTier
   min_tls_version          = var.minimumTlsVersion
   enable_https_traffic_only = true
+  allow_nested_items_to_be_public = false
 
   network_rules {
     default_action             = "Allow"

scripts/inf-create.sh

@@ -60,6 +60,14 @@ then
     az account set -s "$ARM_SUBSCRIPTION_ID"
 fi
 
+#If you are unable to obtain the permission at the tenant level described in Azure account requirements, you can set the following to true provided you have created Azure AD App Registrations. 
+
+#export TF_VAR_isInAutomation=true
+#export TF_VAR_aadWebClientId=""
+#export TF_VAR_aadMgmtClientId=""
+#export TF_VAR_aadMgmtServicePrincipalId=""
+#export TF_VAR_aadMgmtClientSecret=""
+
 
 # prepare vars for the users you wish to assign to the security group
 object_ids=()