From a4d2bd438cf95398452649a0cb6e71a23ad35f73 Mon Sep 17 00:00:00 2001 From: Adrian Gavrila Date: Thu, 23 Apr 2026 12:25:23 -0400 Subject: [PATCH 1/2] Set PYRIT_CORS_ORIGINS env var in Bicep instead of imperatively The Container App's CORS origin (its own ingress FQDN) was previously applied via a manual z containerapp update --set-env-vars step after every deploy, per infra/README.md step 5. That value drifts whenever the ACA app gets re-created (new revision suffix, region change) and is easy to forget on first stand-up. ACA generates a deterministic FQDN (.), so we can compute the same value at deploy time from upstream resources without self-referencing the containerApp resource (which would create a cycle). Setting it as an env var on the container guarantees it stays in sync on every Bicep deploy and removes the imperative post-deploy step. Also removes the now-redundant CORS step from infra/README.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- infra/README.md | 6 ------ infra/main.bicep | 10 ++++++++++ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/infra/README.md b/infra/README.md index dc91654b8..61e442da3 100644 --- a/infra/README.md +++ b/infra/README.md @@ -388,12 +388,6 @@ az deployment group create \ 4. **Manage access** — Add or remove users via Entra security groups (`allowedGroupObjectIds`). Each group must also be assigned to the enterprise app. -5. **Set CORS origins** for production (the Bicep template does not set this): - ```bash - az containerapp update -n -g \ - --set-env-vars "PYRIT_CORS_ORIGINS=https://$FQDN" - ``` - ## Access the GUI ```bash diff --git a/infra/main.bicep b/infra/main.bicep index 833b6fcc7..2494e386f 100644 --- a/infra/main.bicep +++ b/infra/main.bicep 
@@ -475,6 +475,16 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
 name: 'AZURE_CLIENT_ID'
 value: managedIdentity.properties.clientId
 }
+ // CORS origin for the SPA. The ACA-generated FQDN is deterministic
+ // (.), so we compute it from upstream
+ // resources rather than self-referencing containerApp (which would
+ // create a deploy-time cycle). Set as an env var here so it stays
+ // in sync with the ingress on every deploy — no out-of-band
+ // `az containerapp update` needed.
+ {
+ name: 'PYRIT_CORS_ORIGINS'
+ value: 'https://${appName}.${acaEnvironment.properties.defaultDomain}'
+ }
 ]
 }
 ]
From 4f9d0150e8db4dbad87ee18cc5607a4b910a13a7 Mon Sep 17 00:00:00 2001
From: Adrian Gavrila <50029937+adrian-gavrila@users.noreply.github.com>
Date: Thu, 23 Apr 2026 13:03:15 -0400
Subject: [PATCH 2/2] Clean up comments in main.bicep
Removed comments about CORS origin handling.
---
 infra/main.bicep | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/infra/main.bicep b/infra/main.bicep
index 2494e386f..d4efac8d9 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -477,10 +477,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
 }
 // CORS origin for the SPA. The ACA-generated FQDN is deterministic
 // (.), so we compute it from upstream
- // resources rather than self-referencing containerApp (which would
- // create a deploy-time cycle). Set as an env var here so it stays
- // in sync with the ingress on every deploy — no out-of-band
- // `az containerapp update` needed.
+ // resources rather than self-referencing containerApp.
 {
 name: 'PYRIT_CORS_ORIGINS'
 value: 'https://${appName}.${acaEnvironment.properties.defaultDomain}'
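Review bot: The `PYRIT_CORS_ORIGINS` value added in the first main.bicep hunk (PATCH 1/2) is only correct while the Container App's resource name equals `appName` and its ingress is external; neither is visible in this hunk, and an internal ingress carries an extra `.internal.` label in its FQDN, so the computed origin would silently stop matching what the browser sends. A mismatch fails closed, but the usual operator reaction is to loosen the allow-list by hand, and that override is then overwritten on the next deploy. I would state both assumptions in the comment and add a check that creates no cycle, for example `output appOrigin string = 'https://${containerApp.properties.configuration.ingress.fqdn}'`, so the pipeline can compare it with the env var. If the app is ever served behind a custom domain, this single origin will reject it, so a parameter for additional origins may be needed. The `containerApp` resource starts and ends outside the hunk.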
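Review bot: The shortened comment above the `PYRIT_CORS_ORIGINS` entry in the second hunk (PATCH 2/2) drops the reason for not referencing `containerApp`, and that reason is what stops a later maintainer from "simplifying" the value to the resource's own ingress FQDN. I would keep it in one clause: `// resources rather than self-referencing containerApp (would create a deploy-time cycle).` The `(.)` on the preceding comment line also looks as if a pair of placeholder names was lost, possibly only in this rendering, so it is worth checking in the file.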