createapiserver.sh

API_APP_NAME="ca-dtrack-api-prod"

# Create managed identity for Key Vault access
IDENTITY_NAME="id-dtrack-api"
az identity create \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP

IDENTITY_ID=$(az identity show \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --query id -o tsv)

IDENTITY_CLIENT_ID=$(az identity show \
  --name $IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --query clientId -o tsv)

# Grant Key Vault access to managed identity
az keyvault set-policy \
  --name $KEY_VAULT_NAME \
  --object-id $(az identity show --name $IDENTITY_NAME --resource-group $RESOURCE_GROUP --query principalId -o tsv) \
  --secret-permissions get list

# Create API server container app
az containerapp create \
  --name $API_APP_NAME \
  --resource-group $RESOURCE_GROUP \
  --environment $ENVIRONMENT_NAME \
  --image dependencytrack/apiserver:latest \
  --target-port 8080 \
  --ingress internal \
  --min-replicas 1 \
  --max-replicas 3 \
  --cpu 2.0 \
  --memory 4Gi \
  --user-assigned $IDENTITY_ID \
  --env-vars \
    "ALPINE_DATABASE_MODE=external" \
    "ALPINE_DATABASE_DRIVER=org.postgresql.Driver" \
    "ALPINE_DATABASE_URL=secretref:db-connection-string" \
    "ALPINE_DATABASE_USERNAME=secretref:db-username" \
    "ALPINE_DATABASE_PASSWORD=secretref:db-password" \
    "ALPINE_DATABASE_POOL_ENABLED=true" \
    "ALPINE_DATABASE_POOL_MAX_SIZE=20" \
    "ALPINE_DATABASE_POOL_MIN_IDLE=10" \
    "ALPINE_WORKER_THREADS=4" \
    "ALPINE_WORKER_THREAD_MULTIPLIER=4" \
  --secrets \
    "db-connection-string=keyvaultref:${DB_CONNECTION_STRING},identityref:${IDENTITY_ID}" \
    "db-username=keyvaultref:${DB_ADMIN_USER},identityref:${IDENTITY_ID}" \
    "db-password=keyvaultref:${DB_ADMIN_PASSWORD},identityref:${IDENTITY_ID}"

# Mount storage for vulnerability data
az containerapp update \
  --name $API_APP_NAME \
  --resource-group $RESOURCE_GROUP \
  --set-env-vars "ALPINE_DATA_DIRECTORY=/data" \
  --storage-mount "vulnerability-data:/data"