-
Notifications
You must be signed in to change notification settings - Fork 525
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Azure.Provisioning to latest version #5592
Conversation
Fix dotnet#5583 WIP: This first stab converts KeyVault to the new Provisioning version.
src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs
Outdated
Show resolved
Hide resolved
AssignRole(StorageBuiltInRole.StorageTableDataContributor); | ||
AssignRole(StorageBuiltInRole.StorageQueueDataContributor); | ||
|
||
construct.Add(new BicepOutput("blobEndpoint", typeof(string)) { Value = storageAccount.PrimaryEndpoints.Value!.BlobUri }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tg-msft why is .Value nullable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BicepValue<T>
is either a T? Value
or an Expression? Expression
. We have plans to clean this up so folks won't be using .Value!
s and .Expression!
s anywhere.
src/Aspire.Hosting.Azure.KeyVault/AzureKeyVaultResourceExtensions.cs
Outdated
Show resolved
Hide resolved
new MemberExpression( | ||
new MemberExpression( | ||
new IdentifierExpression(keyVault.ResourceName), | ||
"properties"), | ||
"vaultUri") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why doesn't storage look like this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding of @tg-msft's explanation is because the VaultUri
property isn't parented directly under the KeyVaultService
, but instead under the .Properties
property. And that causes issues with the expressions. He is aware and is fixing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Known issue related to an open design question around BicepValue<T>
vs "T
with internal expression" for models. I think folks are leaning toward the latter. Eventually this will be able to replaced with keyVault.Properties.VaultUri
. (This is the same reason we had the .Value!
in one of the other comments.)
keyVault.Tags["aspire-resource-name"] = construct.Resource.Name; | ||
|
||
var role = KeyVaultBuiltInRole.KeyVaultAdministrator; | ||
var roleAssignment = new RoleAssignment($"{KeyVaultBuiltInRole.GetBuiltInRoleName(role)}_{keyVault.ResourceName}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does GetBuiltInRole have an interface (static interface method). We should be able to make this AssignRole method generic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should be able to punt on this with the new generated AssignRole
overloads.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should be able to punt on this with the new generated AssignRole overloads.
Yep, for all except WebPubSub, which doesn't have a BuiltInRole.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @vicancy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just need to add some metadata to the spec (i.e., like this example) but didn't see anything documented at https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles other than SignalR/Web PubSub Contributor
. I was going to follow-up with Liangying, but David beat me to it here. 😆 Are https://github.com/microsoft/azure-roles/blob/main/azure_roles.json#L585-L586 sufficient to add?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about Azure/azure-sdk-for-net#45977 ? For some reason that the team is now investigating, the builtin roles for Web PubSub are listed in Preview category somehow, so that they are not seen in the documentation.
@@ -17,6 +18,10 @@ namespace Aspire.Hosting; | |||
/// </summary> | |||
public static class AzurePostgresExtensions | |||
{ | |||
private const string ServerResourceVersion = "2023-03-01-preview"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davidfowl @mitchdenny @tg-msft - how should we think about resource versions? Should we always hard-code the version we expect, and then periodically update to new versions on some sort of cadence? Similar to our other dependency versions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the moment I have everything default to "latest stable" in Azure.Provisioning.*
(though I'm pulling the info from ARM so it's not perfect yet). The long term plan is to have Azure.Provisioning.*
automatically release whenever the management plane libraries are updated so the "latest stable" will change seemingly at random.
As a general rule, moving to newer service versions is goodness for customers but there are occasionally breaking changes. We could float on latest by default and allow conservative customers to pin, or we could pin and have to manually test/bump the world a couple times a year. We might want to talk offline with Jeff Richter and Mike Kistler from Azure's Breaking Change Review Board for their advice on how dangerous it would be for customers to float on latest.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've decided to define these for all resources and put them in a shared file. Some things, like KeyVault, need to be used across many libraries. Thoughts on this approach?
Note I still need to ensure all resources use this pattern. Right now EventHubs doesn't.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I prefer updating the library and letting that determine the version of the default azure resource. If we don't do that then this will be just like container image tags except it'll be managed in both the Azure.Provisioning libraries and in aspire.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer that too, but there are problems with that approach.
- Not all resources have a default version in the CDK right now. Especially "child" resources. For those we need to provide a version, or else we get errors that it is unset.
- The default version for some things don't actually work. For example, the CDK doesn't emit an empty "properties" objects, but the default version for ServiceBus topics (I think it was this one) says that you must have a
properties
object. I can look up the exact error, if someone cares. - The concern that updating to a new version will break something. @tg-msft assures me that there are breaking changes that happen from time to time. So if we just take the version that the CDK uses, and someone updates their CDK to a new version, with new default resource versions, there is a potential for our bicep to be broken.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1 is a bug that will be fixed by either generating the same default as parent resources or using a resolver to copy those. There's still a bit to design around the versioning story. I'd like to to have one list of versions per library, but there are some challenges there with ARM.
Let's follow up on 2. I currently try to omit as many empty objects as possible (i.e., no reason to serialize the entire object graph with empty braces everywhere) but we can design a way to include specific empty objects where needed if using a new ObjectExpression()
isn't already a sufficient workaround.
Tests are broken becuase I need to update the test nuget.config file for the new feed. @radical - is it possible to not have the duplicate test nuget.config? |
Yes, I will fix that. |
The ones that still need to be specified are: Top-level - RedisResource - SignalRService - WebPubSubService Child resources - CognitiveServicesAccountDeployment - CosmosDBSqlDatabase - PostgreSqlFlexibleServerFirewallRule - PostgreSqlFlexibleServerDatabase - SqlFirewallRule - SqlDatabase
OK, I think this PR is ready for final review and can be merged to unblock other work. There are follow up issues on the CDK we can make later.
|
playground/AspireEventHub/EventHubs.AppHost/ehstorage.module.bicep
Outdated
Show resolved
Hide resolved
playground/AspireEventHub/EventHubs.AppHost/eventhubns.module.bicep
Outdated
Show resolved
Hide resolved
playground/SqlServerEndToEnd/SqlServerEndToEnd.AppHost/sql1.module.bicep
Show resolved
Hide resolved
|
||
resource keyVault_IeF8jZvXV 'Microsoft.KeyVault/vaults@2022-07-01' existing = { | ||
name: keyVaultName | ||
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the downgrade in API version (surprising) /cc @tg-msft
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me look into it.
OK I've done a full pass over this now. Its looking really good. I've left a few comments but the themes are:
Not specifically called out in comments above, but some of this has got a lot more verbose. That isn't a problem provided we provide really good documentation. |
- Default Storage AccessTier = Hot, to keep existing behavior - Use IPAddress when setting PostgreSQL firewall rules
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
Update to the new Azure.Provisioning libraries.
Fix #5583
cc @mitchdenny @davidfowl @tg-msft @JoshLove-msft
Checklist
<remarks />
and<code />
elements on your triple slash comments?Microsoft Reviewers: Open in CodeFlow