Refactor bicep, change redis name (#3935)
Showing
12 changed files
with
874 additions
and
681 deletions.
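--- /dev/null
+++ b/eng/service-templates/ProductConstructionService/container-app.bicep
@@ -0,0 +1,145 @@
+param location string
+param containerRegistryName string
+param containerImageName string
+param containerCpuCoreCount string
+param containerMemory string
+param aspnetcoreEnvironment string
+param productConstructionServiceName string
+param applicationInsightsConnectionString string
+param pcsIdentityId string
+param containerEnvironmentId string
+param contributorRoleId string
+param deploymentIdentityPrincipalId string
+
+// common environment variables used by the app
+var containerAppEnv = [
+  {
+    name: 'ASPNETCORE_ENVIRONMENT'
+    value: aspnetcoreEnvironment
+  }
+  {
+    name: 'Logging__Console__FormatterName'
+    value: 'simple'
+  }
+  {
+    name: 'Logging__Console__FormatterOptions__SingleLine'
+    value: 'true'
+  }
+  {
+    name: 'Logging__Console__FormatterOptions__IncludeScopes'
+    value: 'true'
+  }
+  {
+    name: 'ASPNETCORE_LOGGING__CONSOLE__DISABLECOLORS'
+    value: 'true'
+  }
+  {
+    name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+    value: applicationInsightsConnectionString
+  }
+  {
+    name: 'VmrPath'
+    value: '/mnt/datadir/vmr'
+  }
+  {
+    name: 'TmpPath'
+    value: '/mnt/datadir/tmp'
+  }
+]
+
+// container app hosting the Product Construction Service
+resource containerApp 'Microsoft.App/containerApps@2023-04-01-preview' = {
+  name: productConstructionServiceName
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: { '${pcsIdentityId}' : {}}
+  }
+  properties: {
+    managedEnvironmentId: containerEnvironmentId
+    configuration: {
+      activeRevisionsMode: 'Multiple'
+      maxInactiveRevisions: 5
+      ingress: {
+        external: true
+        targetPort: 8080
+        transport: 'http'
+      }
+      dapr: { enabled: false }
+      registries: [
+        {
+          server: '${containerRegistryName}.azurecr.io'
+          identity: pcsIdentityId
+        }
+      ]
+    }
+    template: {
+      scale: {
+        minReplicas: 1
+        maxReplicas: 1
+      }
+      serviceBinds: []
+      containers: [
+        {
+          image: containerImageName
+          name: 'api'
+          env: containerAppEnv
+          resources: {
+            cpu: json(containerCpuCoreCount)
+            memory: containerMemory
+            ephemeralStorage: '50Gi'
+          }
+          volumeMounts: [
+            {
+              volumeName: 'data'
+              mountPath: '/mnt/datadir'
+            }
+          ]
+          probes: [
+            {
+              httpGet: {
+                path: '/alive'
+                port: 8080
+                scheme: 'HTTP'
+              }
+              initialDelaySeconds: 5
+              periodSeconds: 10
+              successThreshold: 1
+              failureThreshold: 3
+              type: 'Startup'
+            }
+            {
+              httpGet: {
+                path: '/health'
+                port: 8080
+                scheme: 'HTTP'
+              }
+              initialDelaySeconds: 60
+              failureThreshold: 10
+              successThreshold: 1
+              periodSeconds: 30
+              type: 'Readiness'
+            }
+          ]
+        }
+      ]
+      volumes: [
+        {
+          name: 'data'
+          storageType: 'EmptyDir'
+        }
+      ]
+    }
+  }
+}
+
+// Give the PCS Deployment MI the Contributor role in the containerapp to allow it to deploy
+resource deploymentSubscriptionTriggererContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerApp
+  name: guid(subscription().id, resourceGroup().id, '${productConstructionServiceName}-contributor')
+  properties: {
+    roleDefinitionId: contributorRoleId
+    principalType: 'ServicePrincipal'
+    principalId: deploymentIdentityPrincipalId
+  }
+}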
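Review bot: The ingress at `external: true` with `transport: 'http'` publishes the API on the environment's public endpoint, and nothing in this template (no `authConfigs`, no `ipSecurityRestrictions`) restricts who can reach port 8080, so authentication has to live entirely inside the app — worth confirming and stating in a comment. If only known callers need the service, `ipSecurityRestrictions` on the ingress or an internal environment would narrow the exposed surface. A comment such as `// TLS is terminated at the ACA ingress; 'http' is the app-side transport and allowInsecure stays at its default (false)` would stop the next reader from taking `transport: 'http'` for plaintext exposure, assuming that is the intent. Separately, the role-assignment name `guid(subscription().id, resourceGroup().id, '${productConstructionServiceName}-contributor')` does not include the principal, so re-creating the deployment identity would collide with the existing assignment of the same name; seeding it with `deploymentIdentityPrincipalId` as well avoids that.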
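--- /dev/null
+++ b/eng/service-templates/ProductConstructionService/container-environment.bicep
@@ -0,0 +1,61 @@
+param location string
+param logAnalyticsName string
+param containerEnvironmentName string
+param productConstructionServiceSubnetId string
+param infrastructureResourceGroupName string
+param applicationInsightsName string
+
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
+  name: logAnalyticsName
+  location: location
+  properties: any({
+    retentionInDays: 30
+    features: {
+      searchVersion: 1
+    }
+    sku: {
+      name: 'PerGB2018'
+    }
+  })
+}
+
+resource containerEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' = {
+  name: containerEnvironmentName
+  location: location
+  properties: {
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalytics.properties.customerId
+        sharedKey: logAnalytics.listKeys().primarySharedKey
+      }
+    }
+    workloadProfiles: [
+      {
+        name: 'Consumption'
+        workloadProfileType: 'Consumption'
+      }
+    ]
+    vnetConfiguration: {
+      infrastructureSubnetId: productConstructionServiceSubnetId
+    }
+    infrastructureResourceGroup: infrastructureResourceGroupName
+  }
+}
+
+// application insights for service logging
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
+  name: applicationInsightsName
+  location: location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+    publicNetworkAccessForIngestion: 'Enabled'
+    publicNetworkAccessForQuery: 'Enabled'
+    RetentionInDays: 120
+    WorkspaceResourceId: logAnalytics.id
+  }
+}
+
+output applicationInsightsConnectionString string = applicationInsights.properties.ConnectionString
+output containerEnvironmentId string = containerEnvironment.id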
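Review bot: `RetentionInDays: 120` on the Application Insights resource is very likely not what takes effect: the component is workspace-based (`WorkspaceResourceId: logAnalytics.id`), and for those retention is governed by the Log Analytics workspace (workspace-wide or per table), which is set to `retentionInDays: 30` a few lines above — so the telemetry available for an incident investigation is 30 days unless per-table retention is configured. Either raise the workspace value to match or add a comment stating that the workspace setting is the one that governs. Also, `vnetConfiguration` sets only `infrastructureSubnetId`; without `internal: true` the environment still gets a public static IP and public ingress, so if the subnet was meant to isolate the service that flag (or ingress restrictions on the app) is still needed. `publicNetworkAccessForQuery: 'Enabled'` is the default, but given the logs carry request telemetry it deserves a deliberate decision and a one-line comment.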
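--- /dev/null
+++ b/eng/service-templates/ProductConstructionService/container-registry.bicep
@@ -0,0 +1,89 @@
+param location string
+param containerRegistryName string
+param acrPullRole string
+param pcsIdentityPrincipalId string
+param subscriptionTriggererPricnipalId string
+param longestBuildPathUpdaterIdentityPrincipalId string
+param feedCleanerIdentityPrincipalId string
+param acrPushRole string
+param deploymentIdentityPrincipalId string
+
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = {
+  name: containerRegistryName
+  location: location
+  sku: {
+    name: 'Premium'
+  }
+  properties: {
+    adminUserEnabled: false
+    anonymousPullEnabled: false
+    dataEndpointEnabled: false
+    encryption: {
+      status: 'disabled'
+    }
+    networkRuleBypassOptions: 'AzureServices'
+    publicNetworkAccess: 'Enabled'
+    zoneRedundancy: 'Disabled'
+    policies: {
+      retentionPolicy: {
+        days: 60
+        status: 'enabled'
+      }
+    }
+  }
+}
+
+// allow acr pulls to the identity used for the pcs
+resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry
+  name: guid(subscription().id, resourceGroup().id, 'pcsAcrPull')
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: pcsIdentityPrincipalId
+  }
+}
+
+// allow acr pulls to the identity used for the subscription triggerer
+resource subscriptionTriggererIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry
+  name: guid(subscription().id, resourceGroup().id, 'subscriptionTriggererAcrPull')
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: subscriptionTriggererPricnipalId
+  }
+}
+
+// allow acr pulls to the identity used for the longest build path updater
+resource longestBuildPathUpdaterIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry
+  name: guid(subscription().id, resourceGroup().id, 'longestBuildPathUpdaterAcrPull')
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: longestBuildPathUpdaterIdentityPrincipalId
+  }
+}
+
+// allow acr pulls to the identity used for the feed cleaner
+resource feedCleanerIdentityAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry
+  name: guid(subscription().id, resourceGroup().id, 'feedCleanerAcrPull')
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: feedCleanerIdentityPrincipalId
+  }
+}
+
+// Give the PCS Deployment MI the ACR Push role to be able to push docker images
+resource deploymentAcrPush 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry
+  name: guid(subscription().id, resourceGroup().id, 'deploymentAcrPush')
+  properties: {
+    roleDefinitionId: acrPushRole
+    principalType: 'ServicePrincipal'
+    principalId: deploymentIdentityPrincipalId
+  }
+}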
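Review bot: The role-assignment names such as `guid(subscription().id, resourceGroup().id, 'pcsAcrPull')` (and the four siblings) are seeded only with static strings, not the principal or role they bind, so if any of these managed identities is ever re-created the deployment fails with a role-assignment conflict — the existing assignment with that GUID still points at the old principal id and cannot be updated in place; `guid(containerRegistry.id, pcsIdentityPrincipalId, acrPullRole)` ties the name to what the assignment actually represents. `adminUserEnabled: false` and `anonymousPullEnabled: false` are the right choices, but `publicNetworkAccess: 'Enabled'` leaves the push/pull endpoint reachable from any network; since the Premium SKU already supports a firewall rule set and private endpoints, restricting it (or adding a comment explaining why it is open) is worth considering. Minor: `subscriptionTriggererPricnipalId` is misspelled (`Principal`), and because the name is part of this module's parameter contract it is cheapest to fix before callers depend on it.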
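--- /dev/null
+++ b/eng/service-templates/ProductConstructionService/key-vaults.bicep
@@ -0,0 +1,98 @@
+param aspnetcoreEnvironment string
+param location string
+param keyVaultName string
+param devKeyVaultName string
+param kvSecretUserRole string
+param kvCryptoUserRole string
+param pcsIdentityPrincipalId string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    sku: {
+      name: 'standard'
+      family: 'A'
+    }
+    tenantId: subscription().tenantId
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
+    accessPolicies: []
+    enableRbacAuthorization: true
+  }
+}
+
+// If we're creating the staging environment, also create a dev key vault
+resource devKeyVault 'Microsoft.KeyVault/vaults@2022-07-01' = if (aspnetcoreEnvironment == 'Staging') {
+  name: devKeyVaultName
+  location: location
+  properties: {
+    sku: {
+      name: 'standard'
+      family: 'A'
+    }
+    tenantId: subscription().tenantId
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
+    accessPolicies: []
+    enableRbacAuthorization: true
+  }
+}
+
+// allow secret access to the identity used for the aca's
+resource secretAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: keyVault
+  name: guid(subscription().id, resourceGroup().id, kvSecretUserRole)
+  properties: {
+    roleDefinitionId: kvSecretUserRole
+    principalType: 'ServicePrincipal'
+    principalId: pcsIdentityPrincipalId
+  }
+}
+
+// allow crypto access to the identity used for the aca's
+resource cryptoAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: keyVault
+  name: guid(subscription().id, resourceGroup().id, kvCryptoUserRole)
+  properties: {
+    roleDefinitionId: kvCryptoUserRole
+    principalType: 'ServicePrincipal'
+    principalId: pcsIdentityPrincipalId
+  }
+}
+
+resource dataProtectionKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
+  name: 'data-protection-encryption-key'
+  parent: keyVault
+  properties: {
+    attributes: {
+      enabled: true
+      exportable: false
+    }
+    keyOps: [
+      'sign'
+      'verify'
+      'wrapKey'
+      'unwrapKey'
+      'encrypt'
+      'decrypt'
+    ]
+    keySize: 2048
+    kty: 'RSA'
+    rotationPolicy: {
+      attributes: {
+        expiryTime: 'P540D'
+      }
+      lifetimeActions: [
+        {
+          action: {
+            type: 'rotate'
+          }
+          trigger: {
+            timeBeforeExpiry: 'P30D'
+          }
+        }
+      ]
+    }
+  }
+}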
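Review bot: Both vaults set `enableSoftDelete: true` but not `enablePurgeProtection: true`, so a principal with delete rights can still purge a soft-deleted vault and the `data-protection-encryption-key` with it, which would make everything protected under that key unrecoverable; purge protection is the usual requirement for a vault that holds an encryption key, with the caveat that it cannot be switched off once enabled. The key's `keyOps` grant `sign`/`verify`/`encrypt`/`decrypt` on top of `wrapKey`/`unwrapKey`; if this key only backs the ASP.NET Core Data Protection key-vault protector (which the name suggests, but the template does not show), wrap/unwrap alone is enough and the other four operations should be dropped. The role-assignment names `guid(subscription().id, resourceGroup().id, kvSecretUserRole)` include neither the vault nor the principal, so a second assignment of the same role in this resource group (for example on `devKeyVault`) would collide, and re-creating the PCS identity would fail against the existing assignment; seeding with `keyVault.id` and `pcsIdentityPrincipalId` avoids both. Neither vault sets `networkAcls` or `publicNetworkAccess`, so the vault endpoint is public and RBAC is the only boundary — acceptable if intended, but a comment saying so would help.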