Add webapi controller for devops POST webhook (#8167)

Author: hallipr

tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/Controllers/DevopsEventsController.cs

@@ -0,0 +1,53 @@
+using System.Text.Json;
+using System.Threading.Tasks;
+using Azure.Sdk.Tools.PipelineWitness.Configuration;
+using Azure.Storage.Queues;
+using Azure.Storage.Queues.Models;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+// For more information on enabling Web API for empty projects, visit https://go.microsoft.com/fwlink/?LinkID=397860
+
+namespace Azure.Sdk.Tools.PipelineWitness.Controllers
+{
+    [Route("api/devopsevents")]
+    [ApiController]
+    public class DevopsEventsController : ControllerBase
+    {
+        private readonly QueueClient queueClient;
+        private readonly ILogger<DevopsEventsController> logger;
+
+        public DevopsEventsController(ILogger<DevopsEventsController> logger, QueueServiceClient queueServiceClient, IOptions<PipelineWitnessSettings> options)
+        {
+            this.queueClient = queueServiceClient.GetQueueClient(options.Value.BuildCompleteQueueName);
+            this.logger = logger;
+        }
+
+        // POST api/devopsevents
+        [HttpPost]
+        public async Task PostAsync([FromBody] JsonDocument value)
+        {
+            if (value == null) {
+                throw new BadHttpRequestException("Missing payload", 400);
+            }
+
+            this.logger.LogInformation("Message received in DevopsEventsController.PostAsync");
+            string message = value.RootElement.GetRawText();
+
+            if (value.RootElement.TryGetProperty("resource", out var resource)
+                && resource.TryGetProperty("url", out var url)
+                && url.GetString().StartsWith("https://dev.azure.com/azure-sdk/"))
+            {
+                SendReceipt response = await this.queueClient.SendMessageAsync(message);
+                this.logger.LogInformation("Message added to queue with id {MessageId}", response.MessageId);
+            }
+            else
+            {
+                this.logger.LogError("Message content invalid: {Content}", message);
+                throw new BadHttpRequestException("Invalid payload", 400);
+            }
+        }
+    }
+}

tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/Program.cs

@@ -19,6 +19,7 @@ public static async Task Main(params string[] args)
             // Add services to the container.
             builder.Services.AddControllers();
             builder.Services.AddHealthChecks();
+            builder.Services.AddHttpLogging(options => { });
 
             // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
             builder.Services.AddEndpointsApiExplorer();
@@ -43,6 +44,8 @@ public static async Task Main(params string[] args)
 
             app.UseHealthChecks("/");
 
+            app.UseHttpLogging();
+
             await app.RunAsync();
         }
     }

tools/pipeline-witness/Azure.Sdk.Tools.PipelineWitness/appsettings.json

@@ -3,7 +3,6 @@
     "LogLevel": {
       "Default": "Warning",
       "Microsoft.Hosting": "Information",
-      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information",
       "Azure.Sdk.Tools.PipelineWitness": "Debug",
       "Azure.Core": "Error"
     },

tools/pipeline-witness/infrastructure/Assign-StoragePermissions.ps1

@@ -18,6 +18,7 @@ try {
   $subscriptionName = $target -eq 'test' ? 'Azure SDK Developer Playground' : 'Azure SDK Engineering System'
   Write-Host "Setting subscription to '$subscriptionName'"
   Invoke "az account set --subscription '$subscriptionName' --output none"
+  $subscriptionId = az account show --query id -o tsv
 
   $parametersFile = "./bicep/parameters.$target.json"
   Write-Host "Reading parameters from $parametersFile"
@@ -30,7 +31,7 @@ try {
 
   Write-Host "Adding Azure SDK Engineering System Team RBAC access to storage resources:`n" + `
     "  Blob: $logsResourceGroupName/$logsStorageAccountName`n" + `
-    "  Queue: `n" + `
+    "  Queue: $appResourceGroupName/$appStorageAccountName`n" + `
     "  Cosmos: $appResourceGroupName/$cosmosAccountName`n"
 
   Write-Host "Getting group id for Azure SDK Engineering System Team"

tools/pipeline-witness/infrastructure/bicep/logsResourceGroup.bicep

@@ -249,14 +249,16 @@ resource kustoDataConnections 'Microsoft.Kusto/Clusters/Databases/DataConnection
     dataFormat: 'JSON'
     blobStorageEventType: 'Microsoft.Storage.BlobCreated'
     databaseRouting: 'Single'
+    managedIdentityResourceId: kustoCluster.id
   }
   dependsOn: [ kustoScriptInvocation ]
 }]
 
-// Assign Storage Blob Data Contributor role for the Web App on the Logs Storage Account
+// Assign roles to the Kusto cluster and App Service
 resource blobContributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
   scope: subscription()
-  // This is the Storage Blob Data Contributor role, which is the minimum role permission we can give.
+  // This is the Storage Blob Data Contributor role.
+  // Read, write, and delete Azure Storage containers and blobs
   // See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage
   name: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 }
@@ -270,3 +272,31 @@ resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-
     description: 'Blob Contributor for PipelineWitness'
   }
 }
+
+resource kustoStorageAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' =  {
+  name: guid(blobContributorRoleDefinition.id, kustoClusterName, logsStorageAccount.id)
+  scope: logsStorageAccount
+  properties:{
+    principalId: kustoCluster.identity.principalId
+    roleDefinitionId: blobContributorRoleDefinition.id
+    description: 'Blob Contributor for Kusto ingestion'
+  }
+}
+
+resource eventHubsDataReceiverRoleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
+  scope: subscription()
+  // This is the Event Hubs Data Receiver role
+  // Allows receive access to Azure Event Hubs resources.
+  // see https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#analytics
+  name: 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
+}
+
+resource kustoEventHubsAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' =  {
+  name: guid(blobContributorRoleDefinition.id, kustoClusterName, eventHubNamespace.id)
+  scope: eventHubNamespace
+  properties:{
+    principalId: kustoCluster.identity.principalId
+    roleDefinitionId: eventHubsDataReceiverRoleDefinition.id
+    description: 'Blob Contributor for Kusto ingestion'
+  }
+}