chore: add option to IasC to skip custom domain

christianacca · Dec 5, 2024 · e5c6ded · e5c6ded
1 parent 5055105
commit e5c6ded
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 13 deletions.
diff --git a/docs/deploy-app.md b/docs/deploy-app.md
@@ -207,6 +207,8 @@ into a shared key vault accessible by the app:
 3. Download the Cloudflare Origin cert and private key as a PEM file
 4. Import the Cloudflare Origin cert PEM file into the shared key vault
    * see [Azure Key Vault | Import a certificate](https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal)
+   * **IMPORTANT**: the PEM file that you can download from the cloudflare site might not contain the private key section. In which case you will
+     need to generate a new origin cert from Cloudflare and then download that
 
 > [!Note]
 > The certificate for both production and non-production might be the same, and may be stored in the same key vault accessible by all environments.
@@ -446,11 +448,14 @@ In practice the only way to run these scripts from a dev machine is:
 > [!NOTE]
 > The steps below assume you are deploying to your own Azure subscription and Azure Entra-ID tenant
 
-1. Modify product conventions to avoid conflicts for those azure resource whose names are globally unique:
+1. Modify product conventions to customize azure resource whose names are globally unique, or otherwise different in your own subscription:
    1. open [get-product-conventions.ps1](../tools/infrastructure/get-product-conventions.ps1)
    2. set `CompanyName` (line 20) to make it globally unique (eg change `CLC` to your initials)
    3. uncomment `ProductAbbreviation` (line 22) and make it globally unique (eg replace `-cc` with your initials)
    4. Review `Domain` settings (starting line 23) and adjust as required. At minimum replace 'codingdemo' with the value of a custom domain you own
+   5. Set `Aca.IsCustomDomainEnabled` to `$false`. In order to have this set to true you will need
+       * a custom domain as explained in the section above "Register DNS records"
+       * a TLS certificate for the custom domain as explained in the section above "Add TLS certificates to shared key vault"
 2. Update the subscription id in [set-azure-connection-variables.ps1](../.github/actions/azure-login/set-azure-connection-variables.ps1) to your own subscription id
 3. Setup shared infrastructure:
    ```pwsh

diff --git a/tools/infrastructure/arm-templates/aca-environment.bicep b/tools/infrastructure/arm-templates/aca-environment.bicep
@@ -44,7 +44,7 @@ resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' = {
     zoneRedundant: false
   }
 
-  resource acaEnvCert 'certificates' = {
+  resource acaEnvCert 'certificates' = if (sharedSettings.isCustomDomainEnabled) {
     name: sharedSettings.certSettings.ResourceName
     location: location
     properties: {
@@ -67,6 +67,7 @@ output resourceId string = acaEnv.id
 
 type sharedSettingsType = {
   certSettings: object
+  isCustomDomainEnabled: bool
   managedIdentityResourceId: string
   logAnalyticsWorkspaceResourceId: string
 }
diff --git a/tools/infrastructure/arm-templates/api.bicep b/tools/infrastructure/arm-templates/api.bicep
@@ -95,13 +95,13 @@ module api 'br/public:avm/res/app/container-app:0.4.1' = {
         }
       }
     ]
-    customDomains: [
+    customDomains: sharedSettings.isCustomDomainEnabled ? [
       {
         name: sharedSettings.subProductsSettings.Api.HostName
         certificateId: acaEnv::cert.id
         bindingType: 'SniEnabled'
       }
-    ]
+    ] : []
     environmentId: acaEnv.id
     managedIdentities: {
       userAssignedResourceIds: sharedSettings.managedIdentityResourceIds
@@ -135,7 +135,7 @@ module api 'br/public:avm/res/app/container-app:0.4.1' = {
 
 resource acaEnv 'Microsoft.App/managedEnvironments@2023-11-02-preview' existing = {
   name: instanceSettings.AcaEnvResourceName
-  resource cert 'certificates' existing = { name: sharedSettings.certSettings.ResourceName }
+  resource cert 'certificates' existing = if (sharedSettings.isCustomDomainEnabled) { name: sharedSettings.certSettings.ResourceName }
 }
 
 resource existingApp 'Microsoft.App/containerApps@2023-11-02-preview' existing = if (exists) {
@@ -155,6 +155,7 @@ type managedIdentyClientIdsType = {
 type sharedSettingsType = {
   appInsightsConnectionString: string
   certSettings: object
+  isCustomDomainEnabled: bool
   managedIdentityResourceIds: array
   managedIdentityClientIds: managedIdentyClientIdsType
   subProductsSettings: object

diff --git a/tools/infrastructure/arm-templates/main.bicep b/tools/infrastructure/arm-templates/main.bicep
@@ -112,7 +112,7 @@ resource acaEnvManagedId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-
 }
 
 var certSettings = settings.TlsCertificates.Current
-module acaEnvCertPermission 'keyvault-cert-role-assignment.bicep' = {
+module acaEnvCertPermission 'keyvault-cert-role-assignment.bicep' = if (settings.SubProducts.Aca.IsCustomDomainEnabled) {
   name: '${uniqueString(deployment().name, location)}-AcaEnvCertPermission'
   scope: resourceGroup((certSettings.KeyVault.SubscriptionId ?? subscription().subscriptionId), certSettings.KeyVault.ResourceGroupName)
   params: {
@@ -147,6 +147,7 @@ module acrPullPermissions 'acr-role-assignment.bicep' = [for (registry, index) i
 
 var acaEnvSharedSettings = {
   certSettings: settings.TlsCertificates.Current
+  isCustomDomainEnabled: settings.SubProducts.Aca.IsCustomDomainEnabled
   logAnalyticsWorkspaceResourceId: azureMonitor.outputs.logAnalyticsWorkspaceResourceId
   managedIdentityResourceId: acaEnvManagedId.id
 }
@@ -157,7 +158,7 @@ module acaEnvPrimary 'aca-environment.bicep' = {
     instanceSettings: settings.SubProducts.Aca.Primary
     sharedSettings: acaEnvSharedSettings
   }
-  dependsOn: [acaEnvCertPermission]
+  dependsOn: acaEnvSharedSettings.isCustomDomainEnabled ? [acaEnvCertPermission] : []
 }
 
 var acaContainerRegistries = map(containerRegistries, registry => ({
@@ -168,6 +169,7 @@ var acaContainerRegistries = map(containerRegistries, registry => ({
 var apiSharedSettings = {
   appInsightsConnectionString: azureMonitor.outputs.appInsightsConnectionString
   certSettings: settings.TlsCertificates.Current
+  isCustomDomainEnabled: settings.SubProducts.Aca.IsCustomDomainEnabled
   managedIdentityClientIds: {
     default: apiManagedId.properties.clientId
   }
@@ -196,7 +198,7 @@ module acaEnvFailover 'aca-environment.bicep' = if (hasAcaFailover) {
     instanceSettings: settings.SubProducts.Aca.Failover
     sharedSettings: acaEnvSharedSettings
   }
-  dependsOn: [acaEnvCertPermission]
+  dependsOn: acaEnvSharedSettings.isCustomDomainEnabled ? [acaEnvCertPermission] : []
 }
 
 module apiFailover 'api.bicep' = if (!empty(settings.SubProducts.Api.Failover ?? {})) {

diff --git a/tools/infrastructure/get-product-conventions.ps1 b/tools/infrastructure/get-product-conventions.ps1
@@ -37,7 +37,11 @@
                         DefaultStorageTier  =   'Cool'
                         Usage               =   'Blob'
                     }
-                    Aca                 =   @{ Type = 'AcaEnvironment' }
+                    Aca                 =   @{
+                        # set to $false when you want to deploy without first having to create a custom domain and SSL certificate
+                        IsCustomDomainEnabled   =   $true
+                        Type = 'AcaEnvironment'
+                    }
                     AcrPull             =   @{ Type = 'ManagedIdentity' }
                     AppInsights         =   @{ Type = 'AppInsights' }
                     Sql                 =   @{ Type = 'SqlServer' }

diff --git a/tools/infrastructure/provision-azure-resources.ps1 b/tools/infrastructure/provision-azure-resources.ps1
@@ -197,6 +197,7 @@
 
             Set-AzureAccountContext -Login:$Login -SubscriptionId $SubscriptionId
 
+            # Tip: you can also print out listing for the conventions. See the examples in ./tools/infrastructure/print-product-convention-table.ps1
             $convention = & "$PSScriptRoot/get-product-conventions.ps1" -EnvironmentName $EnvironmentName -AsHashtable
 
             #-----------------------------------------------------------------------------------------------

diff --git a/tools/infrastructure/provision-shared-services.ps1 b/tools/infrastructure/provision-shared-services.ps1
@@ -44,6 +44,7 @@
 
             Set-AzureAccountContext -Login:$Login -SubscriptionId $SubscriptionId
 
+            # Tip: you can also print out listing for the conventions. See the examples in ./tools/infrastructure/print-product-convention-table.ps1
             $convention = & "$PSScriptRoot/get-product-conventions.ps1" -EnvironmentName $EnvironmentName -AsHashtable
 
             if ($CreateSharedContainerRegistry) {

diff --git a/tools/infrastructure/ps-functions/Get-ResourceConvention.ps1 b/tools/infrastructure/ps-functions/Get-ResourceConvention.ps1
@@ -370,10 +370,11 @@ function Get-ResourceConvention {
                     ResourceLocation    =   $acaSecondaryRegion.Name
                 }
                 @{
-                    ManagedIdentity     =   '{0}-{1}' -f $managedIdentityNamePrefix, $acaEnvPrefix
-                    Primary             =   $acaEnvPrimary
-                    Failover            =   if ($hasFailover) { $acaEnvFailover } else { $null }
-                    Type                =   $spInput.Type
+                    IsCustomDomainEnabled   =   $spInput.IsCustomDomainEnabled ?? $false
+                    ManagedIdentity         =   '{0}-{1}' -f $managedIdentityNamePrefix, $acaEnvPrefix
+                    Primary                 =   $acaEnvPrimary
+                    Failover                =   if ($hasFailover) { $acaEnvFailover } else { $null }
+                    Type                    =   $spInput.Type
                 }
             }
             'AcaApp' {