Merge pull request #13 from seesharprun/update-aca
WIP: Use Azure Container Apps
seesharprun authored Oct 18, 2023
2 parents 065d47c + 86bae49 commit 61a7554
Showing 22 changed files with 464 additions and 97 deletions.
7 changes: 6 additions & 1 deletion azure.yaml
Expand Up @@ -5,4 +5,9 @@ services:
web:
project: ./src/web
language: csharp
host: appservice
host: containerapp
docker:
path: ./Dockerfile
context: ../
pipeline:
provider: github
8 changes: 5 additions & 3 deletions infra/abbreviations.json
@@ -1,5 +1,7 @@
{
"appServicePlan": "app-service-plan",
"appServiceSite": "app-service-site",
"cosmosDbAccount": "cosmos-db-nosql"
"containerRegistry": "containerreg",
"containerAppsEnv": "container-env",
"containerAppsApp": "container-app",
"cosmosDbAccount": "cosmos-db-nosql",
"userAssignedIdentity": "ua-id"
}
23 changes: 8 additions & 15 deletions infra/app/database.bicep
@@ -1,16 +1,16 @@
metadata description = 'Create Azure Cosmos DB for NoSQL resources.'
metadata description = 'Create database accounts.'

param accountName string
param location string = resourceGroup().location
param tags object = {}

param database object = {
var database = {
name: 'cosmicworks' // Based on AdventureWorksLT data set
autoscale: true // Scale at the database level
throughput: 1000 // Enable autoscale with a minimum of 100 RUs and a maximum of 1,000 RUs
}

param containers array = [
var containers = [
{
name: 'products' // Set of products
partitionKeyPaths: [
Expand All @@ -29,33 +29,26 @@ module cosmosDbAccount '../core/database/cosmos-db/nosql/account.bicep' = {
}

module cosmosDbDatabase '../core/database/cosmos-db/nosql/database.bicep' = {
name: 'cosmos-db-database'
dependsOn: [
cosmosDbAccount
]
name: 'cosmos-db-database-${database.name}'
params: {
name: database.name
parentAccountName: cosmosDbAccount.outputs.name
tags: tags
setThroughput: true
autoscale: database.autoscale
throughput: database.throughput
tags: tags
}
}

module cosmosDbContainers '../core/database/cosmos-db/nosql/container.bicep' = [for (container, index) in containers: {
name: 'cosmos-db-container-${index}'
dependsOn: [
cosmosDbAccount
cosmosDbDatabase
]
module cosmosDbContainers '../core/database/cosmos-db/nosql/container.bicep' = [for (container, _) in containers: {
name: 'cosmos-db-container-${container.name}'
params: {
name: container.name
parentAccountName: cosmosDbAccount.outputs.name
parentDatabaseName: cosmosDbDatabase.outputs.name
tags: tags
setThroughput: false
partitionKeyPaths: container.partitionKeyPaths
tags: tags
}
}]

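--- a/infra/app/identity.bicep
+++ b/infra/app/identity.bicep
@@ -0,0 +1,18 @@
+metadata description = 'Create identity resources.'
+
+param identityName string
+param location string = resourceGroup().location
+param tags object = {}
+
+module userAssignedIdentity '../core/security/identity/user-assigned.bicep' = {
+name: 'user-assigned-identity'
+params: {
+name: identityName
+location: location
+tags: tags
+}
+}
+
+output name string = userAssignedIdentity.outputs.name
+output resourceId string = userAssignedIdentity.outputs.resourceId
+output principalId string = userAssignedIdentity.outputs.principalId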
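--- a/infra/app/registry.bicep
+++ b/infra/app/registry.bicep
@@ -0,0 +1,21 @@
+metadata description = 'Create container registries.'
+
+param registryName string
+param location string = resourceGroup().location
+param tags object = {}
+
+module containerRegistry '../core/host/container-registry/registry.bicep' = {
+name: 'container-registry'
+params: {
+name: registryName
+location: location
+tags: tags
+adminUserEnabled: false
+anonymousPullEnabled: false
+publicNetworkAccessEnabled: true
+skuName: 'Basic'
+}
+}
+
+output endpoint string = containerRegistry.outputs.endpoint
+output name string = containerRegistry.outputs.name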
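Review bot: `publicNetworkAccessEnabled: true` in the containerRegistry module call carries no explanation of why the registry is reachable from the public internet; with `skuName: 'Basic'` private endpoints are not available, so the only access control on this registry is the disabled admin user, the disabled anonymous pull, and the AcrPull/AcrPush role assignments made in security.bicep. A one-line comment makes that trade-off visible to the next reader: `publicNetworkAccessEnabled: true // Basic SKU has no private endpoint support; access is gated by Entra ID role assignments (admin user and anonymous pull are disabled)`. If the registry is later moved to a Premium SKU, this flag and a network rule set should be revisited together.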
53 changes: 44 additions & 9 deletions infra/app/security.bicep
@@ -1,9 +1,12 @@
metadata description = 'Create identity resources for Azure Cosmos DB and Azure App Service.'
metadata description = 'Create role assignment and definition resources.'

param databaseAccountName string

@description('Id of the principal to assign database and application roles.')
param principalIds array
@description('Id of the service principals to assign database and application roles.')
param appPrincipalId string = ''

@description('Id of the user principals to assign database and application roles.')
param userPrincipalId string = ''

resource database 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
name: databaseAccountName
Expand All @@ -22,15 +25,47 @@ module nosqlDefinition '../core/database/cosmos-db/nosql/role/definition.bicep'
}
}

module nosqlAssignments '../core/database/cosmos-db/nosql/role/assignment.bicep' = [for (principalId, index) in principalIds: {
name: 'nosql-role-assignment-${index}'
module nosqlAppAssignment '../core/database/cosmos-db/nosql/role/assignment.bicep' = if (!empty(appPrincipalId)) {
name: 'nosql-role-assignment-app'
params: {
targetAccountName: database.name // Existing account
roleDefinitionId: nosqlDefinition.outputs.id // New role definition
principalId: principalId // Principal to assign role
principalId: appPrincipalId // Principal to assign role
}
}]
}

output nosqlRoleDefinitionId string = nosqlDefinition.outputs.id
output nosqlRoleAssignmentIds array = [for (_, index) in principalIds: nosqlAssignments[index].outputs.id]
module nosqlUserAssignment '../core/database/cosmos-db/nosql/role/assignment.bicep' = if (!empty(userPrincipalId)) {
name: 'nosql-role-assignment-user'
params: {
targetAccountName: database.name // Existing account
roleDefinitionId: nosqlDefinition.outputs.id // New role definition
principalId: userPrincipalId ?? '' // Principal to assign role
}
}

module registryAppAssignment '../core/security/role/assignment.bicep' = if (!empty(appPrincipalId)) {
name: 'container-registry-role-assignment-pull-app'
params: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d') // AcrPull built-in role
principalId: appPrincipalId // Principal to assign role
principalType: 'ServicePrincipal' // Named principals created with deployment
}
}

module registryUserAssignment '../core/security/role/assignment.bicep' = if (!empty(userPrincipalId)) {
name: 'container-registry-role-assignment-push-user'
params: {
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec') // AcrPush built-in role
principalId: userPrincipalId // Principal to assign role
principalType: 'User' // Current deployment user
}
}

output roleDefinitions object = {
nosql: nosqlDefinition.outputs.id
}

output roleAssignments array = union(
!empty(appPrincipalId) ? [ nosqlAppAssignment.outputs.id, registryAppAssignment.outputs.id ] : [],
!empty(userPrincipalId) ? [ nosqlUserAssignment.outputs.id, registryUserAssignment.outputs.id ] : []
)
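Review bot: `principalType: 'User'` is hard-coded in registryUserAssignment, yet the azure.yaml hunk in this same commit adds a GitHub pipeline provider, where the deploying identity is normally a service principal rather than a user; a mismatched principalType is likely to make the AcrPush assignment fail on the CI path, though I cannot confirm the exact failure mode from the hunk alone. Consider `param userPrincipalType string = 'User'` constrained with `@allowed([ 'User', 'ServicePrincipal' ])` and `principalType: userPrincipalType`, so pipeline deployments can pass the right type. Separately, `principalId: userPrincipalId ?? ''` in nosqlUserAssignment is a no-op — `userPrincipalId` is a non-nullable string defaulting to `''` and the module is already guarded by `!empty(userPrincipalId)` — and it differs from the sibling `principalId: appPrincipalId`; drop the `?? ''` for consistency. It is also worth a comment on registryUserAssignment that AcrPush is the deployment identity's write path into the registry (it includes pull), since that is the one assignment here that grants write access.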
74 changes: 36 additions & 38 deletions infra/app/web.bicep
@@ -1,60 +1,58 @@
metadata description = 'Create Azure App Service resources.'
metadata description = 'Create web application resources.'

param planName string
param siteName string
param envName string
param appName string
param serviceTag string
param location string = resourceGroup().location
param tags object = {}

@description('Endpoint for Azure Cosmos DB for NoSQL account.')
param databaseAccountEndpoint string

module appServicePlan '../core/web/app-service/plan.bicep' = {
name: 'app-service-plan'
@description('Endpoint for private container registry.')
param containerRegistryEndpoint string = ''

module containerAppsEnvironment '../core/host/container-apps/environments/managed.bicep' = {
name: 'container-apps-env'
params: {
name: planName
name: envName
location: location
tags: tags
kind: 'linux' // Use Linux
sku: 'B1' // Basic tier
}
}

module appServiceSite '../core/web/app-service/site.bicep' = {
name: 'app-service-site'
dependsOn: [
appServicePlan
]
module containerAppsApp '../core/host/container-apps/app.bicep' = {
name: 'container-apps-app'
params: {
name: siteName
parentPlanName: appServicePlan.outputs.name
name: appName
parentEnvironmentName: containerAppsEnvironment.outputs.name
location: location
tags: union(tags, {
'azd-service-name': serviceTag
})
runtimeName: 'dotnetcore' // ASP.NET
runtimeVersion: '7.0' // .NET 7 (LTS)
enableSystemAssignedManagedIdentity: true // Create system-assigned managed identity
}
}

module appServiceConfig '../core/web/app-service/config.bicep' = {
name: 'app-service-config'
dependsOn: [
appServicePlan
appServiceSite
]
params: {
parentSiteName: appServiceSite.outputs.name
appSettings: {
SCM_DO_BUILD_DURING_DEPLOYMENT: string(false)
ENABLE_ORYX_BUILD: string(true)
WEBSITES_PORT: '80'
AZURE_COSMOS_DB_NOSQL_ENDPOINT: databaseAccountEndpoint
}
containerImage: 'ghcr.io/azure-samples/cosmos-db-nosql-dotnet-quickstart:main' // Pre-built container image and tag from GitHub
secrets: [
{
name: 'azure-cosmos-db-nosql-endpoint' // Create a uniquely-named secret
value: databaseAccountEndpoint // NoSQL database account endpoint
}
]
environmentVariables: [
{
name: 'AZURE_COSMOS_DB_NOSQL_ENDPOINT' // Name of the environment variable referenced in the application
secretRef: 'azure-cosmos-db-nosql-endpoint' // Reference to secret
}
]
enableSystemAssignedManagedIdentity: true
privateRegistries: !empty(containerRegistryEndpoint) ? [
{
server: containerRegistryEndpoint // Endpoint to Azure Container Registry
identity: 'system'
}
] : []
}
}

output endpoint string = appServiceSite.outputs.endpoint
output siteName string = appServiceSite.outputs.name
output siteManagedIdentityPrincipalId string = appServiceSite.outputs.managedIdentityPrincipalId
output endpoint string = containerAppsApp.outputs.endpoint
output envName string = containerAppsApp.outputs.name
output managedIdentityPrincipalId string = containerAppsApp.outputs.systemAssignedManagedIdentityPrincipalId
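Review bot: `containerImage: 'ghcr.io/azure-samples/cosmos-db-nosql-dotnet-quickstart:main'` pins the bootstrap image to a mutable tag on a public registry, so what gets provisioned changes whenever that tag moves and nothing in the hunk verifies it; if azd replaces the image on `azd deploy` (which the `docker:` block added to azure.yaml suggests, but I cannot confirm from this view) this only affects the first provision, otherwise it is the image that actually runs. Prefer an immutable digest reference (`…/cosmos-db-nosql-dotnet-quickstart@sha256:<digest placeholder>`) or expose it as `param containerImage string = '…'` so callers can pin it. Separately, `output envName string = containerAppsApp.outputs.name` returns the app's name under the environment's name — either rename it to `appName` or point it at `containerAppsEnvironment.outputs.name`; the consumer in main.bicep is outside this hunk, so check which value it expects.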
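--- a/infra/bicepconfig.json
+++ b/infra/bicepconfig.json
@@ -0,0 +1,6 @@
+{
+"experimentalFeaturesEnabled": {
+"resourceTypedParamsAndOutputs": true,
+"userDefinedTypes": true
+}
+}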
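Review bot: `"resourceTypedParamsAndOutputs": true` enables an experimental Bicep feature that none of the visible hunks appear to use — the `string[]` parameters introduced in container.bicep, definition.bicep and site.bicep only need `userDefinedTypes`. Experimental flags can change or disappear between Bicep releases, so the enabled set should be limited to what the templates actually require; if a file outside this view relies on resource-typed params, a sentence in the PR description saying so would help the next reader. JSON has no comment syntax, so that rationale has to live in the description or a README rather than in this file.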
2 changes: 1 addition & 1 deletion infra/core/database/cosmos-db/nosql/container.bicep
Expand Up @@ -19,7 +19,7 @@ param autoscale bool = false
param throughput int = 400

@description('List of hierarhical partition key paths. Defaults to an array that only contains /id.')
param partitionKeyPaths array = [
param partitionKeyPaths string[] = [
'/id'
]

4 changes: 2 additions & 2 deletions infra/core/database/cosmos-db/nosql/role/definition.bicep
Expand Up @@ -7,10 +7,10 @@ param targetAccountName string
param definitionName string

@description('An array of data actions that are allowed. Defaults to an empty array.')
param permissionsDataActions array = []
param permissionsDataActions string[] = []

@description('An array of data actions that are denied. Defaults to an empty array.')
param permissionsNonDataActions array = []
param permissionsNonDataActions string[] = []

resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' existing = {
name: targetAccountName
File renamed without changes.
Expand Up @@ -4,9 +4,15 @@ param name string
param location string = resourceGroup().location
param tags object = {}

@allowed([
'linux'
])
@description('OS type of the plan. Defaults to "linux".')
param kind string = 'linux'

@allowed([
'F1'
])
@description('SKU for the plan. Defaults to "F1".')
param sku string = 'F1'

Expand Up @@ -8,7 +8,14 @@ param tags object = {}
param parentPlanName string

@allowed([
'dotnet', 'dotnetcore', 'dotnet-isolated', 'node', 'python', 'java', 'powershell', 'custom'
'dotnet'
'dotnetcore'
'dotnet-isolated'
'node'
'python'
'java'
'powershell'
'custom'
])
@description('Runtime to use for the site.')
param runtimeName string
Expand All @@ -23,7 +30,7 @@ param kind string = 'app,linux'
param alwaysOn bool = true

@description('Allowed origins for client-side CORS request on the site.')
param allowedCorsOrigins array = []
param allowedCorsOrigins string[] = []

@description('Enable system-assigned managed identity. Defaults to false.')
param enableSystemAssignedManagedIdentity bool = false