chore: upgrade to latest IasC azure verified module

christianacca · Dec 5, 2024 · 98a4ed2 · 98a4ed2
1 parent e5c6ded
commit 98a4ed2
Show file tree

Hide file tree

Showing 11 changed files with 53 additions and 169 deletions.
diff --git a/tools/infrastructure/arm-templates/api.bicep b/tools/infrastructure/arm-templates/api.bicep
@@ -62,7 +62,7 @@ module appEnvVars 'desired-env-vars.bicep' = {
   }
 }
 
-module api 'br/public:avm/res/app/container-app:0.4.1' = {
+module api 'br/public:avm/res/app/container-app:0.11.0' = {
   name: '${uniqueString(deployment().name, location)}-AcaApi'
   params: {
     containers: [
@@ -102,7 +102,7 @@ module api 'br/public:avm/res/app/container-app:0.4.1' = {
         bindingType: 'SniEnabled'
       }
     ] : []
-    environmentId: acaEnv.id
+    environmentResourceId: acaEnv.id
     managedIdentities: {
       userAssignedResourceIds: sharedSettings.managedIdentityResourceIds
     }

diff --git a/tools/infrastructure/arm-templates/appsettings.bicep b/tools/infrastructure/arm-templates/appsettings.bicep
diff --git a/tools/infrastructure/arm-templates/azure-monitor.bicep b/tools/infrastructure/arm-templates/azure-monitor.bicep
@@ -84,7 +84,7 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
   }
 }
 
-module webTests 'br/public:avm/res/insights/webtest:0.1.3' = [for (webTest, i) in defaultAvailabilityTests: {
+module webTests 'br/public:avm/res/insights/webtest:0.3.0' = [for (webTest, i) in defaultAvailabilityTests: {
   name: '${uniqueString(deployment().name, location)}-${i}-WebTest'
   params: {
     appInsightResourceId: appInsights.id

diff --git a/tools/infrastructure/arm-templates/azure-sql-server.bicep b/tools/infrastructure/arm-templates/azure-sql-server.bicep
@@ -23,8 +23,9 @@ param databaseName string
 @description('The name of the user-assigned managed identity.')
 param managedIdentityName string
 
+import { firewallRuleType } from 'br/public:avm/res/sql/server:0.11.1'
 @description('The firewall rules to configure access to the SQL server')
-param firewallRules array = []
+param firewallRules firewallRuleType[]
 
 @description('Optional. The failover server to configure.')
 param failoverInfo serverType?
@@ -47,38 +48,47 @@ var managedId = {
   ]
 }
 
-module server 'br/public:avm/res/sql/server:0.1.4' = {
+module server 'br/public:avm/res/sql/server:0.11.1' = {
   name: '${serverName}Deployment'
   params: {
     name: serverName
     location: location
-    primaryUserAssignedIdentityId: managedIdentity.id
-    managedIdentities: managedId
-    administrators: admin
-    firewallRules: firewallRules
     databases: [
       {
         name: databaseName
-        skuName: 'Standard'
-        skuTier: 'Standard'
+        sku: {
+          name: 'Standard'
+          tier: 'Standard'
+        }
         maxSizeBytes: 268435456000
         requestedBackupStorageRedundancy: 'Geo'
+        zoneRedundant: false
       }
     ]
+    // begin: shared settings - keep in sync with failover server definition below
+    primaryUserAssignedIdentityId: managedIdentity.id
+    managedIdentities: managedId
+    administrators: admin
+    firewallRules: firewallRules
+    auditSettings: { state: 'Disabled' }
+    // end: shared settings - keep in sync with failover server definition below
   }
 }
 
 var failoverServerName = failoverInfo != null ? failoverInfo!.serverName : ''
 
-module failoverServer 'br/public:avm/res/sql/server:0.1.4' = if (failoverInfo != null) {
+module failoverServer 'br/public:avm/res/sql/server:0.11.1' = if (failoverInfo != null) {
   name: '${failoverServerName}Deployment'
   params: {
     name: failoverServerName
     location: failoverInfo != null ? failoverInfo!.location : ''
+    // begin: shared settings - keep in sync with primary server definition above
     primaryUserAssignedIdentityId: managedIdentity.id
     managedIdentities: managedId
     administrators: admin
     firewallRules: firewallRules
+    auditSettings: { state: 'Disabled' }
+    // end: shared settings - keep in sync with primary server definition above
   }
 }
 

diff --git a/tools/infrastructure/arm-templates/bicepconfig.json b/tools/infrastructure/arm-templates/bicepconfig.json
@@ -1,5 +1,8 @@
 {
   "experimentalFeaturesEnabled": {
     "extensibility": true
+  },
+  "extensions": {
+    "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
   }
 }
diff --git a/tools/infrastructure/arm-templates/eg-functions-app-preserve-appsettings.bicep b/tools/infrastructure/arm-templates/eg-functions-app-preserve-appsettings.bicep
diff --git a/tools/infrastructure/arm-templates/internal-api.bicep b/tools/infrastructure/arm-templates/internal-api.bicep
@@ -1,4 +1,4 @@
-extension 'br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview'
+extension microsoftGraphV1
 
 @description('List of principal ids that are allowed to make http requests to the function app')
 param allowedPrincipalIds string[] = []
@@ -15,8 +15,8 @@ param functionAppName string
 @description('Specify the location for the function application resources')
 param location string = resourceGroup().location
 
-@description('The name of the user-assigned managed identity to be used by the function app.')
-param managedIdentityName string
+@description('A list of Resource ID of the user-assigned managed identities, in the form of /subscriptions/<subscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managedIdentity>.')
+param managedIdentityResourceIds array
 
 @description('The name of the Storage Account')
 param storageAccountName string = toLower('funcsa${uniqueString(resourceGroup().id)}')
@@ -30,10 +30,6 @@ param appInsightsResourceId string = ''
 @description('The name of the function app as it appears in application insights')
 param appInsightsCloudRoleName string = functionAppName
 
-@description('Flag to indicate site exists. If true, the module will preserve the existing appsettings for the site.')
-param resourceExists bool = true
-
-
 var roleName = 'app_only'
 var roleId = guid(roleName, functionAppName)
 resource appReg 'Microsoft.Graph/applications@v1.0' = {
@@ -43,6 +39,8 @@ resource appReg 'Microsoft.Graph/applications@v1.0' = {
     'api://${functionAppName}'
   ]
   appRoles: [
+    // important: to delete a role, set it's `isEnabled` to false then deploy to all environments, only then can remove the role from the list
+    // note: in the future, this may not be necessary see: https://github.com/microsoftgraph/msgraph-bicep-types/issues/197
     {
       allowedMemberTypes: [
         'Application'
@@ -68,39 +66,25 @@ resource appRoleAssignments 'Microsoft.Graph/appRoleAssignedTo@v1.0' = [for prin
 }]
 
 
-resource internalApiManagedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
-  name: managedIdentityName
-}
-
-var requiredAppsettings = {
-  AzureWebJobsFeatureFlags: 'EnableHttpProxying'
-  FUNCTIONS_EXTENSION_VERSION: '~4'
-  FUNCTIONS_WORKER_RUNTIME: 'dotnet-isolated'
-  WEBSITE_CLOUD_ROLENAME: appInsightsCloudRoleName
-  // note: ideally, WEBSITE_CONTENTAZUREFILECONNECTIONSTRING should be set by the module - see ote on setWebsiteContentAzureFileConnectionString
-  WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
-  WEBSITE_CONTENTSHARE: toLower(functionAppName)
-  WEBSITE_RUN_FROM_PACKAGE: '1'
-}
-
-var existingAppsettings = resourceExists ? list(resourceId('Microsoft.Web/sites/config', functionAppName, 'appsettings'), '2020-12-01').properties : {}
-
-// module should ideally assign WEBSITE_CONTENTAZUREFILECONNECTIONSTRING using a param value setWebsiteContentAzureFileConnectionString
-module functionApp 'br/public:avm/res/web/site:0.2.0' = {
+module functionApp 'br/public:avm/res/web/site:0.11.1' = {
   name: '${uniqueString(deployment().name, location)}-InternalApi'
   params:{
     name: functionAppName
     kind: 'functionapp'
     managedIdentities: {
       systemAssigned: false
-      userAssignedResourceIds: [
-        internalApiManagedId.id
-      ]
+      userAssignedResourceIds: managedIdentityResourceIds
     }
     appInsightResourceId: appInsightsResourceId
-    appSettingsKeyValuePairs: union(requiredAppsettings, existingAppsettings)
-    setAzureWebJobsDashboard: false
-    // setWebsiteContentAzureFileConnectionString: true
+    appSettingsKeyValuePairs: {
+      AzureWebJobsFeatureFlags: 'EnableHttpProxying'
+      FUNCTIONS_EXTENSION_VERSION: '~4'
+      FUNCTIONS_WORKER_RUNTIME: 'dotnet-isolated'
+      WEBSITE_CLOUD_ROLENAME: appInsightsCloudRoleName
+      WEBSITE_CONTENTAZUREFILECONNECTIONSTRING: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
+      WEBSITE_CONTENTSHARE: toLower(functionAppName)
+      WEBSITE_RUN_FROM_PACKAGE: '1'
+    }
     siteConfig: {
       netFrameworkVersion: 'v8.0'
       cors: {
@@ -165,6 +149,3 @@ module hostingPlan 'br/public:avm/res/web/serverfarm:0.1.0' = {
 resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
   name: storageAccountName
 }
-
-@description('The Client ID of the Azure AD application associated with the internal api managed identity.')
-output internalApiManagedIdentityClientId string = internalApiManagedId.properties.clientId
diff --git a/tools/infrastructure/arm-templates/main.bicep b/tools/infrastructure/arm-templates/main.bicep
@@ -1,6 +1,3 @@
-@description('Whether the Internal Api function app already exists.')
-param internalApiExists bool = true
-
 @description('Whether the failover intance of the API container app already exists.')
 param apiFailoverExists bool = true
 
@@ -9,15 +6,15 @@ param apiPrimaryExists bool = true
 
 param location string = resourceGroup().location
 
-@description('The settings for all resources provisioned by this template.')
+@description('The settings for all resources provisioned by this template. TIP: to find the structure of settings object use: ./tools/infrastructure/get-product-conventions.ps1')
 param settings object
 
 @description('The Object ID of the SQL AAD Admin security group.')
 param sqlAdAdminGroupObjectId string
 
 
 var kvSettings = settings.SubProducts.KeyVault
-module keyVault 'br/public:avm/res/key-vault/vault:0.6.2' = {
+module keyVault 'br/public:avm/res/key-vault/vault:0.11.0' = {
   name: '${uniqueString(deployment().name, location)}-KeyVault'
   params: {
     name: kvSettings.ResourceName
@@ -56,7 +53,7 @@ module azureMonitor 'azure-monitor.bicep' = {
 }
 
 var reportStorage = settings.SubProducts.PbiReportStorage
-module pbiReportStorage 'br/public:avm/res/storage/storage-account:0.11.0' = {
+module pbiReportStorage 'br/public:avm/res/storage/storage-account:0.14.3' = {
   name: '${uniqueString(deployment().name, location)}-PbiReportStorage'
   params: {
     name: reportStorage.StorageAccountName
@@ -216,7 +213,7 @@ resource internalApiManagedId 'Microsoft.ManagedIdentity/userAssignedIdentities@
   location: location
 }
 
-module internalApiStorageAccount 'br/public:avm/res/storage/storage-account:0.11.0' = {
+module internalApiStorageAccount 'br/public:avm/res/storage/storage-account:0.14.3' = {
   name: '${uniqueString(deployment().name, location)}-FunctionsStorageAccount'
   params: {
     name: settings.SubProducts.InternalApi.StorageAccountName
@@ -248,9 +245,10 @@ module internalApi 'internal-api.bicep' = {
     appInsightsCloudRoleName: 'Web API Starter Functions'
     appInsightsResourceId: azureMonitor.outputs.appInsightsResourceId
     functionAppName: internalApiSettings.ResourceName
-    managedIdentityName: internalApiSettings.ManagedIdentity
+    managedIdentityResourceIds: [
+      internalApiManagedId.id
+    ]
     location: location
-    resourceExists: internalApiExists
     storageAccountName: internalApiStorageAccount.outputs.name
   }
 }
@@ -298,6 +296,6 @@ module azureSqlDb 'azure-sql-server.bicep' = {
 @description('The Client ID of the Azure AD application associated with the api managed identity.')
 output apiManagedIdentityClientId string = apiManagedId.properties.clientId
 @description('The Client ID of the Azure AD application associated with the internal api managed identity.')
-output internalApiManagedIdentityClientId string = internalApi.outputs.internalApiManagedIdentityClientId
+output internalApiManagedIdentityClientId string = internalApiManagedId.properties.clientId
 @description('The Client ID of the Azure AD application associated with the sql managed identity.')
 output sqlManagedIdentityClientId string = azureSqlDb.outputs.managedIdentityClientId
diff --git a/tools/infrastructure/arm-templates/shared-acr-services.bicep b/tools/infrastructure/arm-templates/shared-acr-services.bicep
@@ -12,14 +12,14 @@ var uniqueContainerRegistries = filter(
 // dev and prod registry resource groups can be same, therefore we use union to de-dup
 var resourceGroupNames = union(map(uniqueContainerRegistries, registry => registry.ResourceGroupName), [])
 
-module resourceGroups 'br/public:avm/res/resources/resource-group:0.2.4' = [for (name, index) in resourceGroupNames: {
+module resourceGroups 'br/public:avm/res/resources/resource-group:0.4.0' = [for (name, index) in resourceGroupNames: {
   name: '${uniqueString(deployment().name)}-${index}-ResourceGroup'
   params: {
     name: name
   }
 }]
 
-module acrs 'br/public:avm/res/container-registry/registry:0.3.1' = [for (registry, index) in uniqueContainerRegistries: {
+module acrs 'br/public:avm/res/container-registry/registry:0.6.0' = [for (registry, index) in uniqueContainerRegistries: {
   name: '${uniqueString(deployment().name)}-${index}-Acr'
   scope: resourceGroup(registry.ResourceGroupName)
   params: {