-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(service): deploy application in container apps #1303
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,163 @@ | ||
targetScope = 'resourceGroup' | ||
|
||
@description('The tag of the image to be used') | ||
@minLength(3) | ||
param imageTag string | ||
|
||
@description('The environment for the deployment') | ||
@minLength(3) | ||
param environment string | ||
|
||
@description('The location where the resources will be deployed') | ||
@minLength(3) | ||
param location string | ||
|
||
@description('The suffix for the revision of the container app') | ||
@minLength(3) | ||
param revisionSuffix string | ||
|
||
@description('CPU and memory resources for the container app') | ||
param resources object? | ||
|
||
@description('The name of the container app environment') | ||
@minLength(3) | ||
@secure() | ||
param containerAppEnvironmentName string | ||
|
||
@description('The connection string for Application Insights') | ||
@minLength(3) | ||
@secure() | ||
param appInsightConnectionString string | ||
|
||
@description('The name of the App Configuration store') | ||
@minLength(5) | ||
@secure() | ||
param appConfigurationName string | ||
arealmaas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
@description('The name of the Key Vault for the environment') | ||
@minLength(3) | ||
@secure() | ||
param environmentKeyVaultName string | ||
arealmaas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
var namePrefix = 'dp-be-${environment}' | ||
var baseImageUrl = 'ghcr.io/digdir/dialogporten-' | ||
var tags = { | ||
Environment: environment | ||
Product: 'Dialogporten' | ||
} | ||
|
||
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { | ||
name: appConfigurationName | ||
} | ||
|
||
resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = { | ||
name: containerAppEnvironmentName | ||
} | ||
|
||
var containerAppEnvVars = [ | ||
{ | ||
name: 'ASPNETCORE_ENVIRONMENT' | ||
value: environment | ||
} | ||
{ | ||
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING' | ||
value: appInsightConnectionString | ||
} | ||
{ | ||
name: 'AZURE_APPCONFIG_URI' | ||
value: appConfiguration.properties.endpoint | ||
} | ||
{ | ||
name: 'ASPNETCORE_URLS' | ||
value: 'http://+:8080' | ||
} | ||
] | ||
|
||
resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { | ||
name: environmentKeyVaultName | ||
} | ||
|
||
var serviceName = 'service' | ||
|
||
var containerAppName = '${namePrefix}-${serviceName}' | ||
|
||
var port = 8080 | ||
|
||
var probes = [ | ||
{ | ||
periodSeconds: 5 | ||
initialDelaySeconds: 2 | ||
type: 'Liveness' | ||
httpGet: { | ||
path: '/health/liveness' | ||
port: port | ||
} | ||
} | ||
{ | ||
periodSeconds: 5 | ||
initialDelaySeconds: 2 | ||
type: 'Readiness' | ||
httpGet: { | ||
path: '/health/readiness' | ||
port: port | ||
} | ||
} | ||
{ | ||
periodSeconds: 5 | ||
initialDelaySeconds: 2 | ||
type: 'Startup' | ||
httpGet: { | ||
path: '/health/startup' | ||
port: port | ||
} | ||
} | ||
] | ||
|
||
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { | ||
name: '${namePrefix}-service-identity' | ||
location: location | ||
tags: tags | ||
} | ||
arealmaas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = { | ||
name: 'keyVaultReaderAccessPolicy-${containerAppName}' | ||
params: { | ||
keyvaultName: environmentKeyVaultResource.name | ||
principalIds: [managedIdentity.properties.principalId] | ||
} | ||
} | ||
|
||
module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = { | ||
name: 'appConfigReaderAccessPolicy-${containerAppName}' | ||
params: { | ||
appConfigurationName: appConfigurationName | ||
principalIds: [managedIdentity.properties.principalId] | ||
} | ||
} | ||
|
||
module containerApp '../../modules/containerApp/main.bicep' = { | ||
name: containerAppName | ||
params: { | ||
name: containerAppName | ||
// todo: make this dynamic based on service name. Using webapi for now. | ||
// image: '${baseImageUrl}${serviceName}:${imageTag}' | ||
image: '${baseImageUrl}webapi:${imageTag}' | ||
arealmaas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
location: location | ||
envVariables: containerAppEnvVars | ||
containerAppEnvId: containerAppEnvironment.id | ||
tags: tags | ||
resources: resources | ||
probes: probes | ||
port: port | ||
revisionSuffix: revisionSuffix | ||
userAssignedIdentityId: managedIdentity.id | ||
// TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided | ||
} | ||
dependsOn: [ | ||
keyVaultReaderAccessPolicy | ||
appConfigReaderAccessPolicy | ||
] | ||
} | ||
|
||
output name string = containerApp.outputs.name | ||
output revisionName string = containerApp.outputs.revisionName | ||
Comment on lines
+160
to
+161
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Consider outputting the managed identity principal ID If other resources need to reference the managed identity's principal ID, it might be helpful to output it. You can add the following output: output name string = containerApp.outputs.name
output revisionName string = containerApp.outputs.revisionName
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
using './main.bicep' | ||
|
||
param environment = 'prod' | ||
param location = 'norwayeast' | ||
param imageTag = readEnvironmentVariable('IMAGE_TAG') | ||
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') | ||
|
||
// secrets | ||
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') | ||
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') | ||
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') | ||
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
using './main.bicep' | ||
|
||
param environment = 'staging' | ||
param location = 'norwayeast' | ||
param imageTag = readEnvironmentVariable('IMAGE_TAG') | ||
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') | ||
|
||
// secrets | ||
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') | ||
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') | ||
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') | ||
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
using './main.bicep' | ||
|
||
param environment = 'test' | ||
param location = 'norwayeast' | ||
Comment on lines
+3
to
+4
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛠️ Refactor suggestion Consider using environment variables for environment and location. While the current setup is functional, using environment variables for param environment = readEnvironmentVariable('ENVIRONMENT', 'test')
param location = readEnvironmentVariable('AZURE_LOCATION', 'norwayeast') This approach allows for easier configuration changes without modifying the Bicep file, while still maintaining default values. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. the bicepparam file is only used for that environment, so would be overkill to supply environment too right? I'll make a note of AZURE_LOCATION for later, good point! There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @arealmaas, you make a great point—it might be unnecessary to supply the (_/_) ✏️ Learnings added
|
||
param imageTag = readEnvironmentVariable('IMAGE_TAG') | ||
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX') | ||
|
||
// secrets | ||
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME') | ||
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME') | ||
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING') | ||
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove
@secure()
from non-sensitive parameterThe
containerAppEnvironmentName
parameter is annotated with@secure()
, which is typically used for sensitive data like passwords or connection strings. Since this parameter represents a resource name and is not sensitive, consider removing the@secure()
attribute to avoid unnecessary restrictions.Apply this diff to remove the
@secure()
attribute:@description('The name of the container app environment') @minLength(3) -@secure() param containerAppEnvironmentName string
📝 Committable suggestion