Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(service): deploy application in container apps #1303

Merged
merged 3 commits into from
Oct 16, 2024
Merged

feat(service): deploy application in container apps #1303

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
173bf78
feat(service): deploy application in container apps
arealmaas Oct 16, 2024
c1ce84b
cleanup
arealmaas Oct 16, 2024
f8b40f5
cleanup
arealmaas Oct 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
161 changes: 161 additions & 0 deletions .azure/applications/service/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
targetScope = 'resourceGroup'

@description('The tag of the image to be used')
@minLength(3)
param imageTag string

@description('The environment for the deployment')
@minLength(3)
param environment string

@description('The location where the resources will be deployed')
@minLength(3)
param location string

@description('The suffix for the revision of the container app')
@minLength(3)
param revisionSuffix string

@description('CPU and memory resources for the container app')
param resources object?

@description('The name of the container app environment')
@minLength(3)
@secure()
param containerAppEnvironmentName string
Comment on lines +24 to +25
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Remove @secure() from non-sensitive parameter

The containerAppEnvironmentName parameter is annotated with @secure(), which is typically used for sensitive data like passwords or connection strings. Since this parameter represents a resource name and is not sensitive, consider removing the @secure() attribute to avoid unnecessary restrictions.

Apply this diff to remove the @secure() attribute:

 @description('The name of the container app environment')
 @minLength(3)
-@secure()
 param containerAppEnvironmentName string
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@secure()
param containerAppEnvironmentName string
@description('The name of the container app environment')
@minLength(3)
param containerAppEnvironmentName string


@description('The connection string for Application Insights')
@minLength(3)
@secure()
param appInsightConnectionString string

@description('The name of the App Configuration store')
@minLength(5)
param appConfigurationName string

@description('The name of the Key Vault for the environment')
@minLength(3)
param environmentKeyVaultName string

var namePrefix = 'dp-be-${environment}'
var baseImageUrl = 'ghcr.io/digdir/dialogporten-'
var tags = {
Environment: environment
Product: 'Dialogporten'
}

resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
name: appConfigurationName
}

resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
name: containerAppEnvironmentName
}

var containerAppEnvVars = [
{
name: 'ASPNETCORE_ENVIRONMENT'
value: environment
}
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: appInsightConnectionString
}
{
name: 'AZURE_APPCONFIG_URI'
value: appConfiguration.properties.endpoint
}
{
name: 'ASPNETCORE_URLS'
value: 'http://+:8080'
}
]

resource environmentKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
name: environmentKeyVaultName
}

var serviceName = 'service'

var containerAppName = '${namePrefix}-${serviceName}'

var port = 8080

var probes = [
{
periodSeconds: 5
initialDelaySeconds: 2
type: 'Liveness'
httpGet: {
path: '/health/liveness'
port: port
}
}
{
periodSeconds: 5
initialDelaySeconds: 2
type: 'Readiness'
httpGet: {
path: '/health/readiness'
port: port
}
}
{
periodSeconds: 5
initialDelaySeconds: 2
type: 'Startup'
httpGet: {
path: '/health/startup'
port: port
}
}
]

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: '${namePrefix}-service-identity'
location: location
tags: tags
}
arealmaas marked this conversation as resolved.
Show resolved Hide resolved

module keyVaultReaderAccessPolicy '../../modules/keyvault/addReaderRoles.bicep' = {
name: 'keyVaultReaderAccessPolicy-${containerAppName}'
params: {
keyvaultName: environmentKeyVaultResource.name
principalIds: [managedIdentity.properties.principalId]
}
}

module appConfigReaderAccessPolicy '../../modules/appConfiguration/addReaderRoles.bicep' = {
name: 'appConfigReaderAccessPolicy-${containerAppName}'
params: {
appConfigurationName: appConfigurationName
principalIds: [managedIdentity.properties.principalId]
}
}

module containerApp '../../modules/containerApp/main.bicep' = {
name: containerAppName
params: {
name: containerAppName
// todo: make this dynamic based on service name. Using webapi for now.
// image: '${baseImageUrl}${serviceName}:${imageTag}'
image: '${baseImageUrl}webapi:${imageTag}'
arealmaas marked this conversation as resolved.
Show resolved Hide resolved
location: location
envVariables: containerAppEnvVars
containerAppEnvId: containerAppEnvironment.id
tags: tags
resources: resources
probes: probes
port: port
revisionSuffix: revisionSuffix
userAssignedIdentityId: managedIdentity.id
// TODO: Once all container apps use user-assigned identities, remove this comment and ensure userAssignedIdentityId is always provided
}
dependsOn: [
keyVaultReaderAccessPolicy
appConfigReaderAccessPolicy
]
}

output name string = containerApp.outputs.name
output revisionName string = containerApp.outputs.revisionName
Comment on lines +160 to +161
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider outputting the managed identity principal ID

If other resources need to reference the managed identity's principal ID, it might be helpful to output it.

You can add the following output:

 output name string = containerApp.outputs.name
 output revisionName string = containerApp.outputs.revisionName
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId

Committable suggestion was skipped due to low confidence.

12 changes: 12 additions & 0 deletions .azure/applications/service/prod.bicepparam
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
using './main.bicep'

param environment = 'prod'
param location = 'norwayeast'
param imageTag = readEnvironmentVariable('IMAGE_TAG')
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')

// secrets
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
12 changes: 12 additions & 0 deletions .azure/applications/service/staging.bicepparam
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
using './main.bicep'

param environment = 'staging'
param location = 'norwayeast'
param imageTag = readEnvironmentVariable('IMAGE_TAG')
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')

// secrets
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
12 changes: 12 additions & 0 deletions .azure/applications/service/test.bicepparam
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
using './main.bicep'

param environment = 'test'
param location = 'norwayeast'
Comment on lines +3 to +4
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider using environment variables for environment and location.

While the current setup is functional, using environment variables for environment and location parameters could provide more flexibility:

param environment = readEnvironmentVariable('ENVIRONMENT', 'test')
param location = readEnvironmentVariable('AZURE_LOCATION', 'norwayeast')

This approach allows for easier configuration changes without modifying the Bicep file, while still maintaining default values.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the bicepparam file is only used for that environment, so would be overkill to supply environment too right?

I'll make a note of AZURE_LOCATION for later, good point!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arealmaas, you make a great point—it might be unnecessary to supply the environment parameter via an environment variable since the bicepparam file is only used for that specific environment. Thanks for considering the suggestion about AZURE_LOCATION!

(_/_)
(•︵•)

✏️ Learnings added 
Learnt from: arealmaas
PR: digdir/dialogporten#1303
File: .azure/applications/service/test.bicepparam:3-4
Timestamp: 2024-10-16T08:43:00.537Z
Learning: When working with environment-specific bicepparam files, it's unnecessary to supply the `environment` parameter via environment variables because each bicepparam file is only used for that specific environment.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

param imageTag = readEnvironmentVariable('IMAGE_TAG')
param revisionSuffix = readEnvironmentVariable('REVISION_SUFFIX')

// secrets
param environmentKeyVaultName = readEnvironmentVariable('AZURE_ENVIRONMENT_KEY_VAULT_NAME')
param containerAppEnvironmentName = readEnvironmentVariable('AZURE_CONTAINER_APP_ENVIRONMENT_NAME')
param appInsightConnectionString = readEnvironmentVariable('AZURE_APP_INSIGHTS_CONNECTION_STRING')
param appConfigurationName = readEnvironmentVariable('AZURE_APP_CONFIGURATION_NAME')
23 changes: 19 additions & 4 deletions .azure/modules/containerApp/main.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@ param revisionSuffix string
@description('The probes for the container app')
param probes array = []

// TODO: Refactor to make userAssignedIdentityId a required parameter once all container apps use user-assigned identities
@description('The ID of the user-assigned managed identity (optional)')
param userAssignedIdentityId string = ''

// Container app revision name does not allow '.' character
var cleanedRevisionSuffix = replace(revisionSuffix, '.', '-')

Expand All @@ -50,12 +54,19 @@ var ingress = {
ipSecurityRestrictions: ipSecurityRestrictions
}

var identityConfig = empty(userAssignedIdentityId) ? {
type: 'SystemAssigned'
} : {
type: 'UserAssigned'
userAssignedIdentities: {
'${userAssignedIdentityId}': {}
}
}

resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
name: name
location: location
identity: {
type: 'SystemAssigned'
}
identity: identityConfig
properties: {
configuration: {
ingress: ingress
Expand All @@ -81,6 +92,10 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
tags: tags
}

output identityPrincipalId string = containerApp.identity.principalId
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(userAssignedIdentityId)) {
name: last(split(userAssignedIdentityId, '/'))
}

output identityPrincipalId string = empty(userAssignedIdentityId) ? containerApp.identity.principalId : managedIdentity.properties.principalId
output name string = containerApp.name
output revisionName string = containerApp.properties.latestRevisionName
1 change: 1 addition & 0 deletions .github/workflows/workflow-deploy-apps.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,7 @@ jobs:
- name: web-api-eu
- name: web-api-so
- name: graphql
- name: service
arealmaas marked this conversation as resolved.
Show resolved Hide resolved
environment: ${{ inputs.environment }}
permissions:
id-token: write
Expand Down
Loading