fix: add client id and remove application id for azure service princi…

…pal (#688)

Co-authored-by: Tim Holm <[email protected]>

cloud/aws/go.mod

@@ -35,8 +35,8 @@ require (
 	github.com/hashicorp/terraform-cdk-go/cdktf v0.20.7
 	github.com/imdario/mergo v0.3.15
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/nitrictech/nitric/cloud/common v0.0.0-20240527032744-811df854d69d
-	github.com/nitrictech/nitric/core v0.0.0-20240827004051-cd5d36aaa8e6
+	github.com/nitrictech/nitric/cloud/common v0.0.0-20241029232835-f023e1be393d
+	github.com/nitrictech/nitric/core v0.0.0-20241029232835-f023e1be393d
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.34.2
 	github.com/pkg/errors v0.9.1
@@ -45,7 +45,7 @@ require (
 	github.com/pulumi/pulumi-awsx/sdk v1.0.6
 	github.com/pulumi/pulumi-docker/sdk/v4 v4.1.0
 	github.com/pulumi/pulumi-random/sdk/v4 v4.8.2
-	github.com/pulumi/pulumi/sdk/v3 v3.133.0
+	github.com/pulumi/pulumi/sdk/v3 v3.137.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/samber/lo v1.38.1
 	github.com/uw-labs/lichen v0.1.7
@@ -77,8 +77,8 @@ require (
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/alecthomas/assert/v2 v2.6.0 // indirect
 	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alecthomas/repr v0.4.0 // indirect
 	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
@@ -126,6 +126,7 @@ require (
 	github.com/ckaznocha/intrange v0.2.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
+	github.com/containerd/containerd v1.7.17 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/curioswitch/go-reassign v0.2.0 // indirect
@@ -144,7 +145,6 @@ require (
 	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/firefart/nonamedreturns v1.0.5 // indirect
-	github.com/frankban/quicktest v1.14.6 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
 	github.com/ghostiam/protogetter v0.3.6 // indirect
@@ -232,6 +232,9 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/moricho/tparallel v0.3.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
@@ -323,13 +326,11 @@ require (
 	go-simpler.org/musttag v0.12.2 // indirect
 	go-simpler.org/sloglint v0.7.2 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 // indirect
 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.29.0 // indirect
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/automaxprocs v1.5.3 // indirect
-	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.27.0 // indirect
@@ -343,17 +344,14 @@ require (
 	golang.org/x/term v0.24.0 // indirect
 	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gotest.tools/v3 v3.5.1 // indirect
 	honnef.co/go/tools v0.5.1 // indirect
 	lukechampine.com/frand v1.4.2 // indirect
 	mvdan.cc/gofumpt v0.7.0 // indirect
 	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
-	pgregory.net/rapid v0.6.1 // indirect
 )

cloud/azure/deploy/api.go

@@ -25,6 +25,7 @@ import (
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/pkg/errors"
 	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v2"
+	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 
 	common "github.com/nitrictech/nitric/cloud/common/deploy/tags"
@@ -95,7 +96,23 @@ func (p *NitricAzurePulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resou
 		}.ToUserIdentityPropertiesMapOutput()
 	}).(apimanagement.UserIdentityPropertiesMapOutput)
 
-	mgmtService, err := apimanagement.NewApiManagementService(ctx, ResourceName(ctx, name, ApiManagementServiceRT), &apimanagement.ApiManagementServiceArgs{
+	serviceName := ResourceName(ctx, name, ApiManagementServiceRT)
+	managedServiceId, err := random.NewRandomString(ctx, fmt.Sprintf("%s-id", name), &random.RandomStringArgs{
+		Length: pulumi.Int(4),
+		Keepers: pulumi.ToMap(map[string]interface{}{
+			"name": name,
+		}),
+		Upper:   pulumi.Bool(false),
+		Special: pulumi.Bool(false),
+	})
+	if err != nil {
+		return err
+	}
+
+	managedServiceName := pulumi.Sprintf("%s%s", serviceName, managedServiceId.Result)
+
+	mgmtService, err := apimanagement.NewApiManagementService(ctx, fmt.Sprintf("%s-mgmt", name), &apimanagement.ApiManagementServiceArgs{
+		ServiceName:       managedServiceName,
 		ResourceGroupName: p.ResourceGroup.Name,
 		PublisherEmail:    pulumi.String(p.AzureConfig.AdminEmail),
 		PublisherName:     pulumi.String(p.AzureConfig.Org),
@@ -131,7 +148,7 @@ func (p *NitricAzurePulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resou
 		return err
 	}
 
-	api, err := apimanagement.NewApi(ctx, ResourceName(ctx, name, ApiRT), &apimanagement.ApiArgs{
+	api, err := apimanagement.NewApi(ctx, fmt.Sprintf("%s-api", name), &apimanagement.ApiArgs{
 		Description:          pulumi.String(description),
 		DisplayName:          pulumi.String(displayName),
 		Protocols:            pulumi.StringArray{pulumi.String("https")},

cloud/azure/deploy/resourcename.go

@@ -44,7 +44,7 @@ var (
 	// Can't end with period. Regex pattern: ^[-\w\._\(\)]+$
 	ResourceGroupRT = ResourceType{Abbreviation: "rg", MaxLen: 90, AllowUpperCase: true, AllowHyphen: true}
 
-	ContainerAppRT = ResourceType{Abbreviation: "app", MaxLen: 32, UseName: true, AllowHyphen: true}
+	ContainerAppRT = ResourceType{Abbreviation: "app", MaxLen: 28, UseName: true, AllowHyphen: true}
 	// Alphanumerics
 	RegistryRT = ResourceType{Abbreviation: "cr", MaxLen: 50, AllowUpperCase: true}
 	// Alphanumerics and hyphens. Start and end with alphanumeric.

cloud/azure/deploy/service.go

@@ -308,7 +308,22 @@ func (p *NitricAzurePulumiProvider) Service(ctx *pulumi.Context, parent pulumi.R
 
 	appName := ResourceName(ctx, name, ContainerAppRT)
 
-	res.App, err = app.NewContainerApp(ctx, appName, &app.ContainerAppArgs{
+	containerAppId, err := random.NewRandomString(ctx, fmt.Sprintf("%s-id", name), &random.RandomStringArgs{
+		Length: pulumi.Int(4),
+		Keepers: pulumi.ToMap(map[string]interface{}{
+			"name": name,
+		}),
+		Upper:   pulumi.Bool(false),
+		Special: pulumi.Bool(false),
+	})
+	if err != nil {
+		return err
+	}
+
+	containerAppName := pulumi.Sprintf("%s%s", appName, containerAppId.Result)
+
+	res.App, err = app.NewContainerApp(ctx, fmt.Sprintf("%s-app", name), &app.ContainerAppArgs{
+		ContainerAppName:     containerAppName,
 		ResourceGroupName:    p.ResourceGroup.Name,
 		Location:             p.ResourceGroup.Location,
 		ManagedEnvironmentId: p.ContainerEnv.ManagedEnv.ID(),
@@ -326,7 +341,7 @@ func (p *NitricAzurePulumiProvider) Service(ctx *pulumi.Context, parent pulumi.R
 				},
 			},
 			Dapr: &app.DaprArgs{
-				AppId:       pulumi.String(appName),
+				AppId:       containerAppName,
 				AppPort:     pulumi.Int(9001),
 				AppProtocol: pulumi.String("http"),
 				Enabled:     pulumi.Bool(true),
@@ -373,9 +388,7 @@ func (p *NitricAzurePulumiProvider) Service(ctx *pulumi.Context, parent pulumi.R
 		return err
 	}
 
-	authName := fmt.Sprintf("%s-auth", appName)
-
-	_, err = app.NewContainerAppsAuthConfig(ctx, authName, &app.ContainerAppsAuthConfigArgs{
+	_, err = app.NewContainerAppsAuthConfig(ctx, fmt.Sprintf("%s-auth", name), &app.ContainerAppsAuthConfigArgs{
 		AuthConfigName:   pulumi.String("current"),
 		ContainerAppName: res.App.Name,
 		GlobalValidation: &app.GlobalValidationArgs{

cloud/azure/deploy/serviceprinciple.go

@@ -53,8 +53,8 @@ func NewServicePrincipal(ctx *pulumi.Context, name string, args *ServicePrincipa
 		Owners: pulumi.StringArray{
 			pulumi.String(current.ObjectId),
 		},
-		AppRoles: azuread.ApplicationAppRoleArray{
-			&azuread.ApplicationAppRoleArgs{
+		AppRoles: azuread.ApplicationAppRoleTypeArray{
+			&azuread.ApplicationAppRoleTypeArgs{
 				AllowedMemberTypes: pulumi.StringArray{
 					pulumi.String("Application"),
 				},
@@ -71,10 +71,8 @@ func NewServicePrincipal(ctx *pulumi.Context, name string, args *ServicePrincipa
 		return nil, err
 	}
 
-	res.ClientID = app.ApplicationId
-
 	sp, err := azuread.NewServicePrincipal(ctx, ResourceName(ctx, name, ADServicePrincipalRT), &azuread.ServicePrincipalArgs{
-		ApplicationId: app.ApplicationId,
+		ClientId: app.ClientId,
 		Owners: pulumi.StringArray{
 			pulumi.String(current.ObjectId),
 		},
@@ -85,6 +83,7 @@ func NewServicePrincipal(ctx *pulumi.Context, name string, args *ServicePrincipa
 
 	res.TenantID = sp.ApplicationTenantId
 	res.ServicePrincipalId = pulumi.StringOutput(sp.ID())
+	res.ClientID = app.ClientId
 
 	_, err = azuread.NewAppRoleAssignment(ctx, name+"sub-role", &azuread.AppRoleAssignmentArgs{
 		AppRoleId:         appRoleId,

cloud/azure/go.mod

@@ -43,10 +43,10 @@ require (
 	github.com/pulumi/pulumi-azure-native-sdk/resources v1.92.0
 	github.com/pulumi/pulumi-azure-native-sdk/storage v1.92.0
 	github.com/pulumi/pulumi-azure/sdk/v4 v4.42.0
-	github.com/pulumi/pulumi-azuread/sdk/v5 v5.33.0
+	github.com/pulumi/pulumi-azuread/sdk/v5 v5.53.5
 	github.com/pulumi/pulumi-docker/sdk/v4 v4.1.0
 	github.com/pulumi/pulumi-random/sdk/v4 v4.8.2
-	github.com/pulumi/pulumi/sdk/v3 v3.133.0
+	github.com/pulumi/pulumi/sdk/v3 v3.137.0
 	github.com/samber/lo v1.38.1
 	github.com/uw-labs/lichen v0.1.7
 	github.com/valyala/fasthttp v1.55.0
@@ -87,8 +87,8 @@ require (
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/alecthomas/assert/v2 v2.6.0 // indirect
 	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alecthomas/repr v0.4.0 // indirect
 	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
@@ -360,5 +360,4 @@ require (
 	lukechampine.com/frand v1.4.2 // indirect
 	mvdan.cc/gofumpt v0.7.0 // indirect
 	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
-	pgregory.net/rapid v0.6.1 // indirect
 )