Prod infra (#29)

* update the location of the prod secondary service bus

* updates for aca multi region

* App Config and secrets refactoring

* Prod environment infra updates (#26)

* fix: move acr to hub in prod

* fix: update app config to support prod

* fix: remove namespace from secrets in prod and update app config keys

* fix: add private endpoint and spoke vnet ids to service bus prod

* feat: add aca subnet to spoke

* Ensure unique name for Azure resources based on location

* Terraform - set the service bus secondary spoke vnet

* Terraform - set vm to a supported image

* Terraform - remove secrets from 2nd region.

* Configure App Config keys on the jump box

* Storage account replication

* update prod deployment readme

* install docker on jump box

* remove unused variable in terraform main.tfvars.json file

* prod infra for Azure Container Apps and Azure Container Registry

* Change default network rule to Deny for ACA

* add images for dev container

* add verification step for app config keys in the prod deployment readme

---------

Co-authored-by: Isabelle Bersano <[email protected]>

Author: nickdala

README.md

@@ -15,6 +15,50 @@ This repository contains a collection of patterns and best practices for buildin
 - [Maven 3.9.1](https://maven.apache.org/download.cgi)
 - [Protoc](https://grpc.io/docs/protoc-installation/)
 
+## Steps to deploy the reference implementation
+
+The following detailed deployment steps assume you are using a Dev Container inside Visual Studio Code.
+
+> For your convenience, we use Dev Containers with a fully-featured development environment. If you prefer to use another editor, we recommend installing the necessary [dependencies](./prerequisites.md) and skip to the deployment instructions starting in [Step 3](#3-log-in-to-azure).
+
+### 1. Clone the repo
+
+> For Windows users, we recommend using Windows Subsystem for Linux (WSL) to [improve Dev Container performance](https://code.visualstudio.com/remote/advancedcontainers/improve-performance).
+
+```pwsh
+wsl
+```
+
+Clone the repository and open the project using the Dev Container.
+
+```shell
+git clone https://github.com/Azure/modern-web-app-pattern-java
+
+cd modern-web-app-pattern-java
+```
+
+### 2. Open Dev Container in Visual Studio Code
+
+If required, ensure Docker Desktop is started. Open the repository folder in Visual Studio Code. You can do this from the command prompt:
+
+```shell
+code .
+```
+
+Once Visual Studio Code is launched, you should see a popup allowing you to click on the button **Reopen in Container**.
+
+![Reopen in Container](docs/assets/vscode-reopen-in-container.png)
+
+If you don't see the popup, open the Visual Studio Code Command Palette to execute the command. There are three ways to open the command palette:
+
+- For Mac users, use the keyboard shortcut ⇧⌘P
+- For Windows and Linux users, use Ctrl+Shift+P
+- From the Visual Studio Code top menu, navigate to View -> Command Palette.
+
+Once the command palette is open, search for `Dev Containers: Rebuild and Reopen in Container`.
+
+![WSL Ubuntu](docs/assets/vscode-reopen-in-container-command.png)
+
 ## Login to Azure
 
 Before deploying, you must be authenticated to Azure and have the appropriate subscription selected. Run the following command to authenticate:

docs/assets/vscode-reopen-in-container-command.png

@@ -11,7 +11,7 @@ terraform {
 resource "azurecaf_name" "container_app_environment_name" {
   name          = var.application_name
   resource_type = "azurerm_container_app_environment"
-  suffixes      = [var.environment]
+  suffixes      = [var.location, var.environment]
 }
 
 # Create Azure Container Apps Environment in Dev
@@ -39,7 +39,7 @@ resource "azurerm_container_app_environment" "container_app_environment_prod" {
   log_analytics_workspace_id = var.log_analytics_workspace_id
   zone_redundancy_enabled    = true
 
-  internal_load_balancer_enabled = var.isNetworkIsolated
+  internal_load_balancer_enabled = true
   infrastructure_subnet_id       = var.infrastructure_subnet_id
 
   workload_profile {
@@ -56,6 +56,7 @@ resource "azurerm_container_app" "container_app" {
   resource_group_name          = var.resource_group
   revision_mode                = "Single"
   workload_profile_name        = "Consumption"
+
   ingress {
     allow_insecure_connections = false
     external_enabled           = true
@@ -65,6 +66,7 @@ resource "azurerm_container_app" "container_app" {
       latest_revision = true
     }
   }
+
   tags = {
     "environment"      = var.environment
     "application-name" = var.application_name
@@ -139,19 +141,3 @@ resource "azurerm_container_app" "container_app" {
     }
   }
 }
-
-# Create Private DNS Zone for Azure Container Apps in Prod if internal load balancer is enabled
-
-resource "azurerm_private_dns_zone" "dns_for_aca" {
-  count               = var.environment == "prod" && var.isNetworkIsolated ? 1 : 0
-  name                = var.environment == "prod" ? azurerm_container_app_environment.container_app_environment_prod[0].default_domain : azurerm_container_app_environment.container_app_environment_dev[0].default_domain
-  resource_group_name = var.resource_group
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_aca" {
-  count                 = var.environment == "prod" && var.isNetworkIsolated ? 1 : 0
-  name                  = "privatelink.azurecr.io"
-  private_dns_zone_name = azurerm_private_dns_zone.dns_for_aca[0].name
-  virtual_network_id    = var.spoke_vnet_id
-  resource_group_name   = var.resource_group
-}

docs/assets/vscode-reopen-in-container.png

@@ -1,3 +1,11 @@
 output "identity_principal_id" {
   value = azurerm_container_app.container_app.identity[0].principal_id
+}
+
+output "default_domain" {
+  value = length(azurerm_container_app_environment.container_app_environment_prod) > 0 ? azurerm_container_app_environment.container_app_environment_prod[0].default_domain : ""
+}
+
+output "static_ip_address" {
+  value = length(azurerm_container_app_environment.container_app_environment_prod) > 0 ? azurerm_container_app_environment.container_app_environment_prod[0].static_ip_address : ""
 }

infra/shared/terraform/modules/aca/main.tf

@@ -59,20 +59,10 @@ variable "email_response_queue_name" {
   description = "The name of the email response queue"
 }
 
-variable "isNetworkIsolated" {
-  type        = bool
-  description = "Indicates if the container app should be network isolated"
-  default     = false
-}
-
 variable "infrastructure_subnet_id" {
   type        = string
   description = "The ID of the subnet where the infrastructure resources should be created"
   default     = null
 }
 
-variable "spoke_vnet_id" {
-  type        = string
-  description = "The ID of the spoke VNET"
-  default     = null
-}
+

infra/shared/terraform/modules/aca/outputs.tf

@@ -84,38 +84,3 @@ resource "azurerm_role_assignment" "acr_contributor_user_role_assignement" {
   principal_id         = data.azuread_client_config.current.object_id
 }
 
-# Create Private DNS Zone and Endpoint for ACR
-
-resource "azurerm_private_dns_zone" "dns_for_acr" {
-  count               = var.environment == "prod" ? 1 : 0
-  name                = "privatelink.azurecr.io"
-  resource_group_name = var.resource_group
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_acr" {
-  count                 = var.environment == "prod" ? 1 : 0
-  name                  = "privatelink.azurecr.io"
-  private_dns_zone_name = azurerm_private_dns_zone.dns_for_acr[0].name
-  virtual_network_id    = var.hub_vnet_id
-  resource_group_name   = var.resource_group
-}
-
-resource "azurerm_private_endpoint" "acr_pe" {
-  count               = var.environment == "prod" ? 1 : 0
-  name                = "private-endpoint-acr"
-  location            = var.location
-  resource_group_name = var.resource_group
-  subnet_id           = var.private_endpoint_subnet_id
-
-  private_dns_zone_group {
-    name                 = "privatednsacrzonegroup"
-    private_dns_zone_ids = [azurerm_private_dns_zone.dns_for_acr[0].id]
-  }
-
-  private_service_connection {
-    name                           = "peconnection-acr"
-    private_connection_resource_id = azurerm_container_registry.acr.id
-    is_manual_connection           = false
-    subresource_names              = ["registry"]
-  }
-}

infra/shared/terraform/modules/aca/variables.tf

@@ -3,6 +3,11 @@ output "acr_name" {
   description = "The Azure Container Registry Name."
 }
 
+output "acr_id" {
+  value       = azurerm_container_registry.acr.id
+  description = "The Azure Container Registry ID."
+}
+
 output "acr_login_server" {
   value       = azurerm_container_registry.acr.login_server
   description = "The Azure Container Registry Login Server."

infra/shared/terraform/modules/acr/main.tf

@@ -43,14 +43,3 @@ variable "georeplications" {
   default = []
 }
 
-variable "private_endpoint_subnet_id" {
-  type        = string
-  description = "The ID of the subnet where the private endpoint should be created"
-  default     = null
-}
-
-variable "hub_vnet_id" {
-  type        = string
-  description = "The ID of the Spoke VNET"
-  default     = null
-}

infra/shared/terraform/modules/acr/outputs.tf

@@ -13,7 +13,7 @@ data "azuread_client_config" "current" {}
 resource "azurecaf_name" "azurerm_app_config" {
   name          = var.application_name
   resource_type = "azurerm_app_configuration"
-  suffixes      = [var.environment]
+  suffixes      = [var.location, var.environment]
 }
 
 # Create Azure App Configuration
@@ -84,38 +84,3 @@ resource "azurerm_role_assignment" "azconfig_owner_user_role_assignment" {
   principal_id         = data.azuread_client_config.current.object_id
 }
 
-# Create Private DNS Zone and Endpoint for App Configuration
-
-resource "azurerm_private_dns_zone" "dns_for_azconfig" {
-  count               = var.environment == "prod" ? 1 : 0
-  name                = "privatelink.azconfig.io"
-  resource_group_name = var.resource_group
-}
-
-resource "azurerm_private_dns_zone_virtual_network_link" "virtual_network_link_azconfig" {
-  count                 = var.environment == "prod" ? 1 : 0
-  name                  = "privatelink.azconfig.io"
-  private_dns_zone_name = azurerm_private_dns_zone.dns_for_azconfig[0].name
-  virtual_network_id    = var.spoke_vnet_id
-  resource_group_name   = var.resource_group
-}
-
-resource "azurerm_private_endpoint" "azconfig_pe" {
-  count               = var.environment == "prod" ? 1 : 0
-  name                = "private-endpoint-ac"
-  location            = var.location
-  resource_group_name = var.resource_group
-  subnet_id           = var.private_endpoint_subnet_id
-
-  private_dns_zone_group {
-    name                 = "privatednsazconfigzonegroup"
-    private_dns_zone_ids = [azurerm_private_dns_zone.dns_for_azconfig[0].id]
-  }
-
-  private_service_connection {
-    name                           = "peconnection-azconfig"
-    private_connection_resource_id = azurerm_app_configuration.app_config.id
-    is_manual_connection           = false
-    subresource_names              = ["configurationStores"]
-  }
-}