Refactor bicep, change redis name (#3935)
dkurepa authored Sep 9, 2024
1 parent 8f15c7d commit 3d25e8c
Showing 12 changed files with 874 additions and 681 deletions.
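--- a/eng/service-templates/ProductConstructionService/container-app.bicep
+++ b/eng/service-templates/ProductConstructionService/container-app.bicep
@@ -0,0 +1,145 @@
+param location string
+param containerRegistryName string
+param containerImageName string
+param containerCpuCoreCount string
+param containerMemory string
+param aspnetcoreEnvironment string
+param productConstructionServiceName string
+param applicationInsightsConnectionString string
+param pcsIdentityId string
+param containerEnvironmentId string
+param contributorRoleId string
+param deploymentIdentityPrincipalId string
+
+// common environment variables used by the app
+var containerAppEnv = [
+{
+name: 'ASPNETCORE_ENVIRONMENT'
+value: aspnetcoreEnvironment
+}
+{
+name: 'Logging__Console__FormatterName'
+value: 'simple'
+}
+{
+name: 'Logging__Console__FormatterOptions__SingleLine'
+value: 'true'
+}
+{
+name: 'Logging__Console__FormatterOptions__IncludeScopes'
+value: 'true'
+}
+{
+name: 'ASPNETCORE_LOGGING__CONSOLE__DISABLECOLORS'
+value: 'true'
+}
+{
+name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+value: applicationInsightsConnectionString
+}
+{
+name: 'VmrPath'
+value: '/mnt/datadir/vmr'
+}
+{
+name: 'TmpPath'
+value: '/mnt/datadir/tmp'
+}
+]
+
+// container app hosting the Product Construction Service
+resource containerApp 'Microsoft.App/containerApps@2023-04-01-preview' = {
+name: productConstructionServiceName
+location: location
+identity: {
+type: 'UserAssigned'
+userAssignedIdentities: { '${pcsIdentityId}' : {}}
+}
+properties: {
+managedEnvironmentId: containerEnvironmentId
+configuration: {
+activeRevisionsMode: 'Multiple'
+maxInactiveRevisions: 5
+ingress: {
+external: true
+targetPort: 8080
+transport: 'http'
+}
+dapr: { enabled: false }
+registries: [
+{
+server: '${containerRegistryName}.azurecr.io'
+identity: pcsIdentityId
+}
+]
+}
+template: {
+scale: {
+minReplicas: 1
+maxReplicas: 1
+}
+serviceBinds: []
+containers: [
+{
+image: containerImageName
+name: 'api'
+env: containerAppEnv
+resources: {
+cpu: json(containerCpuCoreCount)
+memory: containerMemory
+ephemeralStorage: '50Gi'
+}
+volumeMounts: [
+{
+volumeName: 'data'
+mountPath: '/mnt/datadir'
+}
+]
+probes: [
+{
+httpGet: {
+path: '/alive'
+port: 8080
+scheme: 'HTTP'
+}
+initialDelaySeconds: 5
+periodSeconds: 10
+successThreshold: 1
+failureThreshold: 3
+type: 'Startup'
+}
+{
+httpGet: {
+path: '/health'
+port: 8080
+scheme: 'HTTP'
+}
+initialDelaySeconds: 60
+failureThreshold: 10
+successThreshold: 1
+periodSeconds: 30
+type: 'Readiness'
+}
+]
+}
+]
+volumes: [
+{
+name: 'data'
+storageType: 'EmptyDir'
+}
+]
+}
+}
+}
+
+// Give the PCS Deployment MI the Contributor role in the containerapp to allow it to deploy
+resource deploymentSubscriptionTriggererContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+scope: containerApp
+name: guid(subscription().id, resourceGroup().id, '${productConstructionServiceName}-contributor')
+properties: {
+roleDefinitionId: contributorRoleId
+principalType: 'ServicePrincipal'
+principalId: deploymentIdentityPrincipalId
+}
+}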
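Review bot: The role assignment declared as `resource deploymentSubscriptionTriggererContributor` grants the deployment identity Contributor over the entire container app, which is broader than publishing a revision needs, and its symbol name says "SubscriptionTriggerer" while the comment says it is for the PCS Deployment MI; rename it to something like `deploymentIdentityContributor` and extend the comment to record why Contributor rather than a narrower role is required. The ingress block is `external: true` with no `ipSecurityRestrictions`, so the service is reachable from the public internet; a comment above `ingress:` stating how requests are authenticated, or a restriction list if only known callers are expected, would make the exposure a documented decision. `cpu: json(containerCpuCoreCount)` parses a string parameter into a number at deploy time; a `@description` on the parameter naming the expected format would save the next caller a failed deployment.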
@@ -0,0 +1,61 @@
param location string
param logAnalyticsName string
param containerEnvironmentName string
param productConstructionServiceSubnetId string
param infrastructureResourceGroupName string
param applicationInsightsName string

resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
name: logAnalyticsName
location: location
properties: any({
retentionInDays: 30
features: {
searchVersion: 1
}
sku: {
name: 'PerGB2018'
}
})
}

resource containerEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = {
name: containerEnvironmentName
location: location
properties: {
appLogsConfiguration: {
destination: 'log-analytics'
logAnalyticsConfiguration: {
customerId: logAnalytics.properties.customerId
sharedKey: logAnalytics.listKeys().primarySharedKey
}
}
workloadProfiles: [
{
name: 'Consumption'
workloadProfileType: 'Consumption'
}
]
vnetConfiguration: {
infrastructureSubnetId: productConstructionServiceSubnetId
}
infrastructureResourceGroup: infrastructureResourceGroupName
}
}

// application insights for service logging
resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
name: applicationInsightsName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
publicNetworkAccessForIngestion: 'Enabled'
publicNetworkAccessForQuery: 'Enabled'
RetentionInDays: 120
WorkspaceResourceId: logAnalytics.id
}
}

output applicationInsightsConnectionString string = applicationInsights.properties.ConnectionString
output containerEnvironmentId string = containerEnvironment.id
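Review bot: `properties: any({ ... })` on the `logAnalytics` resource switches off Bicep's type checking for the whole properties object, so a typo in `retentionInDays` or `sku.name` would only surface at deployment time; if the cast exists because of `features.searchVersion`, apply `any()` to that property alone and note the reason in a comment. The `applicationInsights` resource sets both `publicNetworkAccessForIngestion: 'Enabled'` and `publicNetworkAccessForQuery: 'Enabled'` with no comment; query access over the public endpoint is the one most worth justifying, so either document why it is needed or set it to `'Disabled'` if the workspace is only read from inside Azure. The file name for this section is not shown on the page, so the module path is taken from context.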
@@ -0,0 +1,89 @@
param location string
param containerRegistryName string
param acrPullRole string
param pcsIdentityPrincipalId string
param subscriptionTriggererPricnipalId string
param longestBuildPathUpdaterIdentityPrincipalId string
param feedCleanerIdentityPrincipalId string
param acrPushRole string
param deploymentIdentityPrincipalId string

resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
name: containerRegistryName
location: location
sku: {
name: 'Premium'
}
properties: {
adminUserEnabled: false
anonymousPullEnabled: false
dataEndpointEnabled: false
encryption: {
status: 'disabled'
}
networkRuleBypassOptions: 'AzureServices'
publicNetworkAccess: 'Enabled'
zoneRedundancy: 'Disabled'
policies: {
retentionPolicy: {
days: 60
status: 'enabled'
}
}
}
}

// allow acr pulls to the identity used for the pcs
resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: containerRegistry
name: guid(subscription().id, resourceGroup().id, 'pcsAcrPull')
properties: {
roleDefinitionId: acrPullRole
principalType: 'ServicePrincipal'
principalId: pcsIdentityPrincipalId
}
}

// allow acr pulls to the identity used for the subscription triggerer
resource subscriptionTriggererIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: containerRegistry
name: guid(subscription().id, resourceGroup().id, 'subscriptionTriggererAcrPull')
properties: {
roleDefinitionId: acrPullRole
principalType: 'ServicePrincipal'
principalId: subscriptionTriggererPricnipalId
}
}

// allow acr pulls to the identity used for the longest build path updater
resource longestBuildPathUpdaterIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: containerRegistry
name: guid(subscription().id, resourceGroup().id, 'longestBuildPathUpdaterAcrPull')
properties: {
roleDefinitionId: acrPullRole
principalType: 'ServicePrincipal'
principalId: longestBuildPathUpdaterIdentityPrincipalId
}
}

// allow acr pulls to the identity used for the feed cleaner
resource feedCleanerIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: containerRegistry
name: guid(subscription().id, resourceGroup().id, 'feedCleanerAcrPull')
properties: {
roleDefinitionId: acrPullRole
principalType: 'ServicePrincipal'
principalId: feedCleanerIdentityPrincipalId
}
}

// Give the PCS Deployment MI the ACR Push role to be able to push docker images
resource deploymentAcrPush 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
scope: containerRegistry
name: guid(subscription().id, resourceGroup().id, 'deploymentAcrPush')
properties: {
roleDefinitionId: acrPushRole
principalType: 'ServicePrincipal'
principalId: deploymentIdentityPrincipalId
}
}
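Review bot: The five role assignment names in this file are seeded only with constants, e.g. `guid(subscription().id, resourceGroup().id, 'pcsAcrPull')`, and do not include `containerRegistryName`, so deploying this module for a second registry in the same resource group would produce colliding assignment names; `container-app.bicep` already seeds its guid with the resource name, so for consistency use `name: guid(subscription().id, resourceGroup().id, containerRegistryName, 'pcsAcrPull')` and the same for the other four. The parameter `subscriptionTriggererPricnipalId` is misspelled and is part of the module's interface, so it is cheapest to fix now, together with wherever it is passed in (not visible here). `publicNetworkAccess: 'Enabled'` combined with `encryption: { status: 'disabled' }` on a Premium registry is defensible given that `adminUserEnabled` and `anonymousPullEnabled` are both false, but a one-line comment recording that public access and platform-managed keys are intentional would stop it being re-litigated in every review.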
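--- a/eng/service-templates/ProductConstructionService/key-vaults.bicep
+++ b/eng/service-templates/ProductConstructionService/key-vaults.bicep
@@ -0,0 +1,98 @@
+param aspnetcoreEnvironment string
+param location string
+param keyVaultName string
+param devKeyVaultName string
+param kvSecretUserRole string
+param kvCryptoUserRole string
+param pcsIdentityPrincipalId string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+name: keyVaultName
+location: location
+properties: {
+sku: {
+name: 'standard'
+family: 'A'
+}
+tenantId: subscription().tenantId
+enableSoftDelete: true
+softDeleteRetentionInDays: 90
+accessPolicies: []
+enableRbacAuthorization: true
+}
+}
+
+// If we're creating the staging environment, also create a dev key vault
+resource devKeyVault 'Microsoft.KeyVault/vaults@2022-07-01' = if (aspnetcoreEnvironment == 'Staging') {
+name: devKeyVaultName
+location: location
+properties: {
+sku: {
+name: 'standard'
+family: 'A'
+}
+tenantId: subscription().tenantId
+enableSoftDelete: true
+softDeleteRetentionInDays: 90
+accessPolicies: []
+enableRbacAuthorization: true
+}
+}
+
+// allow secret access to the identity used for the aca's
+resource secretAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+scope: keyVault
+name: guid(subscription().id, resourceGroup().id, kvSecretUserRole)
+properties: {
+roleDefinitionId: kvSecretUserRole
+principalType: 'ServicePrincipal'
+principalId: pcsIdentityPrincipalId
+}
+}
+
+// allow crypto access to the identity used for the aca's
+resource cryptoAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+scope: keyVault
+name: guid(subscription().id, resourceGroup().id, kvCryptoUserRole)
+properties: {
+roleDefinitionId: kvCryptoUserRole
+principalType: 'ServicePrincipal'
+principalId: pcsIdentityPrincipalId
+}
+}
+
+resource dataProtectionKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
+name: 'data-protection-encryption-key'
+parent: keyVault
+properties: {
+attributes: {
+enabled: true
+exportable: false
+}
+keyOps: [
+'sign'
+'verify'
+'wrapKey'
+'unwrapKey'
+'encrypt'
+'decrypt'
+]
+keySize: 2048
+kty: 'RSA'
+rotationPolicy: {
+attributes: {
+expiryTime: 'P540D'
+}
+lifetimeActions: [
+{
+action: {
+type: 'rotate'
+}
+trigger: {
+timeBeforeExpiry: 'P30D'
+}
+}
+]
+}
+}
+}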
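Review bot: `keyVault` enables soft delete with a 90-day retention but never sets `enablePurgeProtection`, and it is the parent of `dataProtectionKey`; without purge protection any principal with purge rights can permanently destroy the key inside that window, which makes everything protected with it unrecoverable, so add `enablePurgeProtection: true` to the `keyVault` properties (it cannot be turned off once set, which is the point) and consider the same for `devKeyVault`. The assignment names `guid(subscription().id, resourceGroup().id, kvSecretUserRole)` and the matching `kvCryptoUserRole` one are seeded by role ID alone, so a second vault deployed from this module into the same resource group would collide; include `keyVaultName` in the seed as `container-app.bicep` does with its resource name. `keyOps` grants sign, verify, encrypt, decrypt, wrapKey and unwrapKey; if the consumer only wraps and unwraps the data-protection keys (worth confirming against the application), trimming the list to `'wrapKey'` and `'unwrapKey'` limits what a compromised `pcsIdentityPrincipalId` can do with the key, and a comment above `keyOps` should state the intended use either way.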