Add PCS prod environment (#4040)

dotnet · Oct 15, 2024 · c36f058 · c36f058
1 parent 435787b
commit c36f058
Show file tree

Hide file tree

Showing 20 changed files with 345 additions and 95 deletions.
diff --git a/.vault-config/product-construction-int.yaml b/.vault-config/product-construction-int.yaml
@@ -4,28 +4,7 @@ storageLocation:
     subscription: e6b5f9f5-0ca4-4351-879b-014d78400ec2
     name: ProductConstructionInt
 
-references:
-  helixkv:
-    type: azure-key-vault
-    parameters:
-      subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
-      name: helixkv
-
-  engkeyvault:
-    type: azure-key-vault
-    parameters:
-      subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
-      name: engkeyvault
-
 secrets:
-  BotAccount-dotnet-bot-repo-PAT:
-    type: github-access-token
-    parameters:
-      gitHubBotAccountSecret: 
-        location: engkeyvault
-        name: BotAccount-dotnet-bot
-      gitHubBotAccountName: dotnet-bot
-
   github:
     type: github-app-secret
     parameters:

diff --git a/.vault-config/product-construction-prod.yaml b/.vault-config/product-construction-prod.yaml
@@ -0,0 +1,28 @@
+storageLocation:
+  type: azure-key-vault
+  parameters:
+    subscription: fbd6122a-9ad3-42e4-976e-bccb82486856
+    name: ProductConstructionProd
+
+references:
+  engkeyvault:
+    type: azure-key-vault
+    parameters:
+      subscription: a4fc5514-21a9-4296-bfaf-5c7ee7fa35d1
+      name: engkeyvault
+
+secrets:
+  BotAccount-dotnet-bot-repo-PAT:
+    type: github-access-token
+    parameters:
+      gitHubBotAccountSecret: 
+        location: engkeyvault
+        name: BotAccount-dotnet-bot
+      gitHubBotAccountName: dotnet-bot
+
+  github:
+    type: github-app-secret
+    parameters:
+      hasPrivateKey: true
+      hasWebhookSecret: false
+      hasOAuthSecret: true
diff --git a/azure-pipelines-product-construction-service.yml b/azure-pipelines-product-construction-service.yml
@@ -3,6 +3,7 @@ trigger:
   branches:
     include:
       - main
+      - production
 
 pr:
   branches:
@@ -47,10 +48,35 @@ variables:
     value: "Darc: Maestro Staging"
   - name: MaestroAppId
     value: $(MaestroStagingAppClientId)
-  - ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+  - name: redisConnectionString
+    value: "product-construction-service-redis-int.redis.cache.windows.net:6380,ssl=true"
+- ${{ else }}:
+    - name: subscriptionId
+      value: fbd6122a-9ad3-42e4-976e-bccb82486856
+    - name: containerappName
+      value: product-construction-prod
+    - name: containerjobNames
+      value: sub-triggerer-twicedaily-prod,sub-triggerer-daily-prod,sub-triggerer-weekly-prod,longest-path-updater-job-prod,feed-cleaner-prod
+    - name: containerRegistryName
+      value: productconstructionprod
+    - name: containerappEnvironmentName
+      value: product-construction-service-env-prod
+    - name: containerappWorkspaceName
+      value: product-construction-service-workspace-prod
+    - name: dockerRegistryUrl
+      value: productconstructionprod.azurecr.io
+    - name: serviceConnectionName
+      value: ProductConstructionServiceDeploymentProd
+    - name: authServiceConnection
+      value: "Darc: Maestro Production"
+    - name: MaestroAppId
+      value: $(MaestroAppClientId)
+    - name: redisConnectionString
+      value: "product-construction-service-redis-prod.redis.cache.windows.net,ssl=true"
+- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
     - name: devBranchSuffix
       value:
-  - ${{ else }}:
+- ${{ else }}:
     - name: devBranchSuffix
       value: -dev
 
@@ -199,7 +225,7 @@ stages:
                   --azCliPath "$(azCliPath)" `
                   --isCi true `
                   --entraAppId $(MaestroAppId) `
-                  --redisConnectionString "product-construction-service-redis-int.redis.cache.windows.net:6380,ssl=true"
+                  --redisConnectionString $(redisConnectionString)
             displayName: Deploy container app
 
           - task: AzureCLI@2

diff --git a/eng/service-templates/ProductConstructionService/container-environment.bicep b/eng/service-templates/ProductConstructionService/container-environment.bicep
@@ -4,6 +4,8 @@ param containerEnvironmentName string
 param productConstructionServiceSubnetId string
 param infrastructureResourceGroupName string
 param applicationInsightsName string
+param containerAppsManagedEnvironmentsContributor string
+param deploymentIdentityPrincipalId string
 
 resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
   name: logAnalyticsName
@@ -57,5 +59,15 @@ resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
     }
 }
 
+resource deploymentSubscriptionTriggererContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    scope: containerEnvironment
+    name: guid(subscription().id, resourceGroup().id, containerAppsManagedEnvironmentsContributor)
+    properties: {
+        roleDefinitionId: containerAppsManagedEnvironmentsContributor
+        principalType: 'ServicePrincipal'
+        principalId: deploymentIdentityPrincipalId
+    }
+  }
+
 output applicationInsightsConnectionString string = applicationInsights.properties.ConnectionString
 output containerEnvironmentId string = containerEnvironment.id
diff --git a/eng/service-templates/ProductConstructionService/managed-identities.bicep b/eng/service-templates/ProductConstructionService/managed-identities.bicep
@@ -4,6 +4,7 @@ param pcsIdentityName string
 param subscriptionTriggererIdentityName string
 param longestBuildPathUpdaterIdentityName string
 param feedCleanerIdentityName string
+param contributorRole string
 
 resource deploymentIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: deploymentIdentityName
@@ -30,6 +31,16 @@ resource feedCleanerIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2
   location: location
 }
 
+resource pcsIdentityContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: pcsIdentity
+  name: guid(subscription().id, resourceGroup().id, contributorRole)
+  properties: {
+      roleDefinitionId: contributorRole
+      principalType: 'ServicePrincipal'
+      principalId: deploymentIdentity.properties.principalId
+  }
+}
+
 output pcsIdentityPrincipalId string = pcsIdentity.properties.principalId
 output pcsIdentityId string = pcsIdentity.id
 output deploymentIdentityPrincipalId string = deploymentIdentity.properties.principalId

diff --git a/eng/service-templates/ProductConstructionService/production.bicepparam b/eng/service-templates/ProductConstructionService/production.bicepparam
@@ -0,0 +1,55 @@
+using 'provision.bicep'
+
+param location = 'westus2'
+
+param containerRegistryName = 'productconstructionprod'
+
+param containerCpuCoreCount = '1.0'
+
+param containerMemory = '2Gi'
+
+param aspnetcoreEnvironment = 'Production'
+
+param applicationInsightsName = 'product-construction-service-ai-prod'
+
+param keyVaultName = 'ProductConstructionProd'
+
+param azureCacheRedisName = 'product-construction-service-redis-prod'
+
+param logAnalyticsName = 'product-construction-service-workspace-prod'
+
+param containerEnvironmentName = 'product-construction-service-env-prod'
+
+param productConstructionServiceName = 'product-construction-prod'
+
+param storageAccountName = 'productconstructionprod'
+
+param pcsIdentityName = 'ProductConstructionServiceProd'
+
+param deploymentIdentityName = 'ProductConstructionServiceDeploymentProd'
+
+param containerImageName = 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+
+param virtualNetworkName = 'product-construction-service-vnet-prod'
+
+param productConstructionServiceSubnetName = 'product-construction-service-subnet'
+
+param subscriptionTriggererIdentityName = 'SubscriptionTriggererProd'
+
+param subscriptionTriggererWeeklyJobName = 'sub-triggerer-weekly-prod'
+
+param subscriptionTriggererTwiceDailyJobName = 'sub-triggerer-twicedaily-prod'
+
+param subscriptionTriggererDailyJobName = 'sub-triggerer-daily-prod'
+
+param longestBuildPathUpdaterIdentityName = 'LongestBuildPathUpdaterProd'
+
+param longestBuildPathUpdaterJobName = 'longest-path-updater-job-prod'
+
+param feedCleanerJobName = 'feed-cleaner-prod'
+
+param feedCleanerIdentityName = 'FeedCleanerProd'
+
+param networkSecurityGroupName = 'product-construction-service-nsg-prod'
+
+param infrastructureResourceGroupName = 'product-construction-service-ip-prod'
diff --git a/eng/service-templates/ProductConstructionService/provision.bicep b/eng/service-templates/ProductConstructionService/provision.bicep
@@ -1,94 +1,94 @@
 @minLength(1)
 @description('Primary location for all resources')
-param location string = 'westus2'
+param location string
 
 @minLength(5)
 @maxLength(50)
 @description('Name of the Azure Container Registry resource into which container images will be published')
-param containerRegistryName string = 'productconstructionint'
+param containerRegistryName string
 
 @description('CPU cores allocated to a single container instance')
-param containerCpuCoreCount string = '1.0'
+param containerCpuCoreCount string
 
 @description('Memory allocated to a single container instance')
-param containerMemory string = '2Gi'
+param containerMemory string
 
 @description('aspnetcore environment')
 @allowed([
     'Development'
     'Staging'
     'Production'
 ])
-param aspnetcoreEnvironment string = 'Staging'
+param aspnetcoreEnvironment string
 
 @description('Name of the application insights resource')
-param applicationInsightsName string = 'product-construction-service-ai-int'
+param applicationInsightsName string
 
 @description('Key Vault name')
-param keyVaultName string = 'ProductConstructionInt'
+param keyVaultName string
 
 @description('Dev Key Vault name')
-param devKeyVaultName string = 'ProductConstructionDev'
+param devKeyVaultName string = ''
 
 @description('Azure Cache for Redis name')
-param azureCacheRedisName string = 'product-construction-service-redis-int'
+param azureCacheRedisName string
 
 @description('Log analytics workspace name')
-param logAnalyticsName string = 'product-construction-service-workspace-int'
+param logAnalyticsName string
 
 @description('Name of the container apps environment')
-param containerEnvironmentName string = 'product-construction-service-env-int'
+param containerEnvironmentName string
 
 @description('Product construction service API name')
-param productConstructionServiceName string = 'product-construction-int'
+param productConstructionServiceName string
 
 @description('Storage account name')
-param storageAccountName string = 'productconstructionint'
+param storageAccountName string
 
 @description('Name of the MI used for the PCS container app')
-param pcsIdentityName string = 'ProductConstructionServiceInt'
+param pcsIdentityName string
 
 @description('Name of the identity used for the PCS deployment')
-param deploymentIdentityName string = 'ProductConstructionServiceDeploymentInt'
+param deploymentIdentityName string
 
 @description('Bicep requires an image when creating a containerapp. Using a dummy image for that.')
-param containerImageName string = 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest'
+param containerImageName string
 
 @description('Virtual network name')
-param virtualNetworkName string = 'product-construction-service-vnet-int'
+param virtualNetworkName string
 
 @description('Product construction service subnet name')
-param productConstructionServiceSubnetName string = 'product-construction-service-subnet'
+param productConstructionServiceSubnetName string
 
 @description('Subscription Triggerer Identity name')
-param subscriptionTriggererIdentityName string = 'SubscriptionTriggererInt'
+param subscriptionTriggererIdentityName string
 
 @description('Subscription Triggerer Weekly Job name')
-param subscriptionTriggererWeeklyJobName string = 'sub-triggerer-weekly-int'
+param subscriptionTriggererWeeklyJobName string
 
 @description('Subscription Triggerer Twice Daily Job name')
-param subscriptionTriggererTwiceDailyJobName string = 'sub-triggerer-twicedaily-int'
+param subscriptionTriggererTwiceDailyJobName string
 
 @description('Subscription Triggerer Daily Job name')
-param subscriptionTriggererDailyJobName string = 'sub-triggerer-daily-int'
+param subscriptionTriggererDailyJobName string
 
 @description('Longest Build Path Updater Identity Name')
-param longestBuildPathUpdaterIdentityName string = 'LongestBuildPathUpdaterInt'
+param longestBuildPathUpdaterIdentityName string
 
 @description('Longest Build Path Updater Job Name')
-param longestBuildPathUpdaterJobName string = 'longest-path-updater-job-int'
+param longestBuildPathUpdaterJobName string
 
 @description('Feed Cleaner Job name')
-param feedCleanerJobName string = 'feed-cleaner-int'
+param feedCleanerJobName string
 
 @description('Feed Cleaner Identity name')
-param feedCleanerIdentityName string = 'FeedCleanerInt'
+param feedCleanerIdentityName string
 
 @description('Network security group name')
-param networkSecurityGroupName string = 'product-construction-service-nsg-int'
+param networkSecurityGroupName string
 
 @description('Resource group where PCS IP resources will be created')
-param infrastructureResourceGroupName string = 'product-construction-service-ip-int'
+param infrastructureResourceGroupName string
 
 // azure system role for setting up acr pull access
 var acrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
@@ -104,6 +104,10 @@ var contributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefini
 var blobContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
 // Key Vault Crypto User role
 var kvCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
+// Reader role
+var readerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+// Container Apps ManagedEnvironments Contributor Role
+var containerAppsManagedEnvironmentsContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '57cc5028-e6a7-4284-868d-0611c5923f8d')
 
 module networkSecurityGroupModule 'nsg.bicep' = {
     name: 'networkSecurityGroupModule'
@@ -132,6 +136,8 @@ module containerEnvironmentModule 'container-environment.bicep' = {
         productConstructionServiceSubnetId: virtualNetworkModule.outputs.productConstructionServiceSubnetId
         infrastructureResourceGroupName: infrastructureResourceGroupName
         applicationInsightsName: applicationInsightsName
+        containerAppsManagedEnvironmentsContributor: containerAppsManagedEnvironmentsContributor
+        deploymentIdentityPrincipalId: managedIdentitiesModule.outputs.deploymentIdentityPrincipalId
     }
 }
 
@@ -144,6 +150,7 @@ module managedIdentitiesModule 'managed-identities.bicep' = {
         subscriptionTriggererIdentityName: subscriptionTriggererIdentityName
         longestBuildPathUpdaterIdentityName: longestBuildPathUpdaterIdentityName
         feedCleanerIdentityName: feedCleanerIdentityName
+        contributorRole: contributorRole
     }
 }
 

diff --git a/eng/service-templates/ProductConstructionService/provision.ps1 b/eng/service-templates/ProductConstructionService/provision.ps1
@@ -1,11 +1,12 @@
 param(
-    [Parameter(Mandatory=$true)][string]$subscriptionName
+    [Parameter(Mandatory=$true)][string]$subscriptionName,
+    [Parameter(Mandatory=$true)][string]$bicepparamFileName
 )
 
 az account set --subscription $subscriptionName
 
 # creates a resource group `product-construction-service` in West US 2
 az group create --name product-construction-service --location "West US 2"
 
-$provisionFilePath = Join-Path -Path $PSScriptRoot -ChildPath "provision.bicep"
-az deployment group create --resource-group product-construction-service --template-file $provisionFilePath --name deploy
+$paramFile = Join-Path -Path $PSScriptRoot -ChildPath $bicepparamFileName
+az deployment group create --resource-group product-construction-service --parameters $paramFile --name deploy
diff --git a/eng/service-templates/ProductConstructionService/redis.bicep b/eng/service-templates/ProductConstructionService/redis.bicep
@@ -34,7 +34,7 @@ resource pcsRedisDataContributorRoleAssignment 'Microsoft.Cache/redis/accessPoli
 
 // allow redis cache read / write access to the service's identity
 resource deploymentRedisDataContributorRoleAssignment 'Microsoft.Cache/redis/accessPolicyAssignments@2024-03-01' = {
-  name: guid(subscription().id, resourceGroup().id, 'pcsDataContributor')
+  name: guid(subscription().id, resourceGroup().id, 'deploymentDataContributor')
   parent: redisCache
   properties: {
       accessPolicyName: 'Data Contributor'