feat: add Azure infrastructure modules and parameters for web application deployment

Author: csharpfritz

AppHost/infra/web/web.tmpl.bicepparam

@@ -0,0 +1,15 @@
+using './web.module.bicep'
+
+param azure_storage_outputs_tableendpoint = '{{ .Env.AZURE_STORAGE_TABLEENDPOINT }}'
+param certificateName = '{{ parameter "certificateName" }}'
+param domainApex = '{{ parameter "domainApex" }}'
+param domainWww = '{{ parameter "domainWww" }}'
+param outputs_azure_container_apps_environment_default_domain = '{{ .Env.AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN }}'
+param outputs_azure_container_apps_environment_id = '{{ .Env.AZURE_CONTAINER_APPS_ENVIRONMENT_ID }}'
+param outputs_azure_container_registry_endpoint = '{{ .Env.AZURE_CONTAINER_REGISTRY_ENDPOINT }}'
+param outputs_azure_container_registry_managed_identity_id = '{{ .Env.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID }}'
+param web_containerimage = '{{ .Image }}'
+param web_containerport = '{{ targetPortOrDefault 8080 }}'
+param web_identity_outputs_clientid = '{{ .Env.WEB_IDENTITY_CLIENTID }}'
+param web_identity_outputs_id = '{{ .Env.WEB_IDENTITY_ID }}'
+param wwwCertificateName = '{{ parameter "wwwCertificateName" }}'

infra/azure-storage/azure-storage.module.bicep

@@ -0,0 +1,35 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource azure_storage 'Microsoft.Storage/storageAccounts@2024-01-01' = {
+  name: take('azurestorage${uniqueString(resourceGroup().id)}', 24)
+  kind: 'StorageV2'
+  location: location
+  sku: {
+    name: 'Standard_GRS'
+  }
+  properties: {
+    accessTier: 'Hot'
+    allowSharedKeyAccess: false
+    minimumTlsVersion: 'TLS1_2'
+    networkAcls: {
+      defaultAction: 'Allow'
+    }
+  }
+  tags: {
+    'aspire-resource-name': 'azure-storage'
+  }
+}
+
+resource blobs 'Microsoft.Storage/storageAccounts/blobServices@2024-01-01' = {
+  name: 'default'
+  parent: azure_storage
+}
+
+output blobEndpoint string = azure_storage.properties.primaryEndpoints.blob
+
+output queueEndpoint string = azure_storage.properties.primaryEndpoints.queue
+
+output tableEndpoint string = azure_storage.properties.primaryEndpoints.table
+
+output name string = azure_storage.name

infra/main.bicep

@@ -0,0 +1,74 @@
+targetScope = 'subscription'
+
+@minLength(1)
+@maxLength(64)
+@description('Name of the environment that can be used as part of naming resource convention, the name of the resource group for your application will use this name, prefixed with rg-')
+param environmentName string
+
+@minLength(1)
+@description('The location used for all deployed resources')
+param location string
+
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
+param certificateName string
+param domainApex string
+param domainWww string
+param wwwCertificateName string
+
+var tags = {
+  'azd-env-name': environmentName
+}
+
+resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+  name: 'rg-${environmentName}'
+  location: location
+  tags: tags
+}
+module resources 'resources.bicep' = {
+  scope: rg
+  name: 'resources'
+  params: {
+    location: location
+    tags: tags
+    principalId: principalId
+  }
+}
+
+module azure_storage 'azure-storage/azure-storage.module.bicep' = {
+  name: 'azure-storage'
+  scope: rg
+  params: {
+    location: location
+  }
+}
+module web_identity 'web-identity/web-identity.module.bicep' = {
+  name: 'web-identity'
+  scope: rg
+  params: {
+    location: location
+  }
+}
+module web_roles_azure_storage 'web-roles-azure-storage/web-roles-azure-storage.module.bicep' = {
+  name: 'web-roles-azure-storage'
+  scope: rg
+  params: {
+    azure_storage_outputs_name: azure_storage.outputs.name
+    location: location
+    principalId: web_identity.outputs.principalId
+  }
+}
+
+output MANAGED_IDENTITY_CLIENT_ID string = resources.outputs.MANAGED_IDENTITY_CLIENT_ID
+output MANAGED_IDENTITY_NAME string = resources.outputs.MANAGED_IDENTITY_NAME
+output AZURE_LOG_ANALYTICS_WORKSPACE_NAME string = resources.outputs.AZURE_LOG_ANALYTICS_WORKSPACE_NAME
+output AZURE_CONTAINER_REGISTRY_ENDPOINT string = resources.outputs.AZURE_CONTAINER_REGISTRY_ENDPOINT
+output AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID string = resources.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID
+output AZURE_CONTAINER_REGISTRY_NAME string = resources.outputs.AZURE_CONTAINER_REGISTRY_NAME
+output AZURE_CONTAINER_APPS_ENVIRONMENT_NAME string = resources.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_NAME
+output AZURE_CONTAINER_APPS_ENVIRONMENT_ID string = resources.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID
+output AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN string = resources.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN
+output AZURE_STORAGE_TABLEENDPOINT string = azure_storage.outputs.tableEndpoint
+output WEB_IDENTITY_CLIENTID string = web_identity.outputs.clientId
+output WEB_IDENTITY_ID string = web_identity.outputs.id

infra/main.parameters.json

@@ -0,0 +1,28 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+      "principalId": {
+        "value": "${AZURE_PRINCIPAL_ID}"
+      },
+      "certificateName": {
+        "value": "${AZURE_CERTIFICATE_NAME}"
+      },
+      "domainApex": {
+        "value": "${AZURE_DOMAIN_APEX}"
+      },
+      "domainWww": {
+        "value": "${AZURE_DOMAIN_WWW}"
+      },
+      "wwwCertificateName": {
+        "value": "${AZURE_WWW_CERTIFICATE_NAME}"
+      },
+      "environmentName": {
+        "value": "${AZURE_ENV_NAME}"
+      },
+      "location": {
+        "value": "${AZURE_LOCATION}"
+      }
+    }
+  }
+  

infra/resources.bicep

@@ -0,0 +1,85 @@
+@description('The location used for all deployed resources')
+param location string = resourceGroup().location
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
+
+@description('Tags that will be applied to all resources')
+param tags object = {}
+
+var resourceToken = uniqueString(resourceGroup().id)
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: 'mi-${resourceToken}'
+  location: location
+  tags: tags
+}
+
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
+  name: replace('acr-${resourceToken}', '-', '')
+  location: location
+  sku: {
+    name: 'Basic'
+  }
+  tags: tags
+}
+
+resource caeMiRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(containerRegistry.id, managedIdentity.id, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d'))
+  scope: containerRegistry
+  properties: {
+    principalId: managedIdentity.properties.principalId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId:  subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+  }
+}
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: 'law-${resourceToken}'
+  location: location
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+  }
+  tags: tags
+}
+
+resource containerAppEnvironment 'Microsoft.App/managedEnvironments@2024-02-02-preview' = {
+  name: 'cae-${resourceToken}'
+  location: location
+  properties: {
+    workloadProfiles: [{
+      workloadProfileType: 'Consumption'
+      name: 'consumption'
+    }]
+    appLogsConfiguration: {
+      destination: 'log-analytics'
+      logAnalyticsConfiguration: {
+        customerId: logAnalyticsWorkspace.properties.customerId
+        sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey
+      }
+    }
+  }
+  tags: tags
+
+  resource aspireDashboard 'dotNetComponents' = {
+    name: 'aspire-dashboard'
+    properties: {
+      componentType: 'AspireDashboard'
+    }
+  }
+
+}
+
+output MANAGED_IDENTITY_CLIENT_ID string = managedIdentity.properties.clientId
+output MANAGED_IDENTITY_NAME string = managedIdentity.name
+output MANAGED_IDENTITY_PRINCIPAL_ID string = managedIdentity.properties.principalId
+output AZURE_LOG_ANALYTICS_WORKSPACE_NAME string = logAnalyticsWorkspace.name
+output AZURE_LOG_ANALYTICS_WORKSPACE_ID string = logAnalyticsWorkspace.id
+output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerRegistry.properties.loginServer
+output AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID string = managedIdentity.id
+output AZURE_CONTAINER_REGISTRY_NAME string = containerRegistry.name
+output AZURE_CONTAINER_APPS_ENVIRONMENT_NAME string = containerAppEnvironment.name
+output AZURE_CONTAINER_APPS_ENVIRONMENT_ID string = containerAppEnvironment.id
+output AZURE_CONTAINER_APPS_ENVIRONMENT_DEFAULT_DOMAIN string = containerAppEnvironment.properties.defaultDomain

infra/web-identity/web-identity.module.bicep

@@ -0,0 +1,15 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource web_identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: take('web_identity-${uniqueString(resourceGroup().id)}', 128)
+  location: location
+}
+
+output id string = web_identity.id
+
+output clientId string = web_identity.properties.clientId
+
+output principalId string = web_identity.properties.principalId
+
+output principalName string = web_identity.name

infra/web-roles-azure-storage/web-roles-azure-storage.module.bicep

@@ -0,0 +1,40 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+param azure_storage_outputs_name string
+
+param principalId string
+
+resource azure_storage 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
+  name: azure_storage_outputs_name
+}
+
+resource azure_storage_StorageBlobDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(azure_storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))
+  properties: {
+    principalId: principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+    principalType: 'ServicePrincipal'
+  }
+  scope: azure_storage
+}
+
+resource azure_storage_StorageTableDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(azure_storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))
+  properties: {
+    principalId: principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')
+    principalType: 'ServicePrincipal'
+  }
+  scope: azure_storage
+}
+
+resource azure_storage_StorageQueueDataContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(azure_storage.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))
+  properties: {
+    principalId: principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')
+    principalType: 'ServicePrincipal'
+  }
+  scope: azure_storage
+}