Merge pull request #290953 from hhunter-ms/hh-192446

[Dapr/ACA] Rework tutorials

Author: v-ccolin

articles/container-apps/TOC.yml

@@ -258,15 +258,25 @@
         displayName: Developing with Dapr overview
       - name: Get started
         items:
-        - name: Connect to Azure services via Dapr components
-          href: dapr-component-connection.md
-        - name: Enable Dapr
+        - name: Deploy using Azure CLI
+          href: microservices-dapr.md
+        - name: Deploy using ARM or Bicep
+          href: microservices-dapr-azure-resource-manager.md
+        - name: Enable Dapr on an existing container app
           href: enable-dapr.md
-      - name: Configure
+        - name: Deploy using the Dapr extension for Azure Functions
+          href: dapr-functions-extension.md
+      - name: Components
         items:
-        - name: Dapr components
+        - name: Components overview
           href: dapr-components.md
-        - name: Dapr component resiliency (preview)
+        - name: Connect to Azure or third-party services
+          href: dapr-component-connect-services.md
+        - name: Connect to Azure services via Azure portal
+          href: dapr-component-connection.md
+      - name: Configure
+        items:
+        - name: Set up Dapr resiliency policies (preview)
           href: dapr-component-resiliency.md
         - name: Scale Dapr apps with KEDA using Bicep
           href: dapr-keda-scaling.md
@@ -280,12 +290,6 @@
           href: microservices-dapr-bindings.md
         - name: Microservices communication using Dapr Service Invocation
           href: microservices-dapr-service-invoke.md
-        - name: Deploy using the Dapr extension for Azure Functions
-          href: dapr-functions-extension.md
-        - name: Deploy using Azure CLI
-          href: microservices-dapr.md
-        - name: Deploy using ARM or Bicep
-          href: microservices-dapr-azure-resource-manager.md
 - name: Networking, ingress, and network security
   items:
     - name: Architecture overview

articles/container-apps/dapr-component-connect-services.md

@@ -0,0 +1,139 @@
+---
+title: Connect to other Azure or third-party services via Dapr components
+description: Learn more about connecting Dapr components with Azure and external services.
+ms.author: hannahhunter
+author: hhunter-ms
+ms.service: azure-container-apps
+ms.custom: build-2023
+ms.topic: conceptual
+ms.date: 12/10/2024
+---
+
+# Connect to other Azure or third-party services via Dapr components
+
+Securely establish connections to Azure and third-party services for Dapr components using managed identity or Azure Key Vault secret stores. 
+
+Before getting started, [learn more about the offered support for Dapr components.][supported-dapr-components]
+
+## Recommendations
+
+Whenever possible, it's recommended that you use Azure components that provide managed identity support for the most secure connection. Use Azure Key Vault secret stores *only* when managed identity authentication isn't supported. 
+
+| Service type | Recommendation |
+| ------------ | -------------- |
+| Azure component with managed identity support | [Use the managed identity flow (recommended)](#using-managed-identity-recommended) |
+| Azure component without managed identity support | [Use an Azure Key Vault secret store](#azure-key-vault-secret-stores) |
+| Non-Azure components | [Use an Azure Key Vault secret store](#azure-key-vault-secret-stores) |
+
+
+## Using managed identity (recommended)
+
+For Azure-hosted services, Dapr can use [the managed identity of the scoped container apps][aca-managed-id] to authenticate to the backend service provider. When using managed identity, you don't need to include secret information in a component manifest. **Using managed identity is recommended** as it eliminates storage of sensitive input in components and doesn't require managing a secret store.
+
+> [!NOTE]
+> The `azureClientId` metadata field (the client ID of the managed identity) is **required** for any component authenticating with user-assigned managed identity.
+
+## Using a Dapr secret store component reference
+
+When you create Dapr components for non-Entra ID enabled services or components that don't support managed identity authentication, certain metadata fields require sensitive input values. For this approach, retrieve these secrets by referencing an existing Dapr secret store component that securely accesses secret information.
+
+To set up a reference:
+
+1. [Create a Dapr secret store component using the Azure Container Apps schema.](#creating-a-dapr-secret-store-component) The component type for all supported Dapr secret stores begins with `secretstores.`.
+1. [Create extra components (as needed) which reference the Dapr secret store component](#referencing-dapr-secret-store-components) you created to retrieve the sensitive metadata input.
+
+### Creating a Dapr secret store component
+
+When creating a secret store component in Azure Container Apps, you can provide sensitive information in the metadata section in either of the following ways:
+
+- [For an **Azure Key Vault secret store**,](#using-managed-identity-recommended) use managed identity to establish the connection. 
+- [For **non-Azure secret stores**,](#platform-managed-kubernetes-secrets) use platform-managed Kubernetes secrets that are defined directly as part of the component manifest.
+
+#### Azure Key Vault secret stores
+
+The following component schema showcases the simplest possible secret store configuration using an Azure Key Vault secret store. `publisher-app` and `subscriber-app` are configured to both have a system or user-assigned managed identity with appropriate permissions on the Azure Key Vault instance.
+
+```yaml
+componentType: secretstores.azure.keyvault
+version: v1
+metadata:
+  - name: vaultName
+    value: [your_keyvault_name]
+  - name: azureEnvironment
+    value: "AZUREPUBLICCLOUD"
+  - name: azureClientId # Only required for authenticating user-assigned managed identity
+    value: [your_managed_identity_client_id]
+scopes:
+  - publisher-app
+  - subscriber-app
+```
+
+#### Platform-managed Kubernetes secrets
+
+As an alternative to Kubernetes secrets, Local environment variables, and Local file Dapr secret stores, Azure Container Apps provides a platform-managed approach for creating and leveraging Kubernetes secrets. This approach can be used to connect to non-Azure services or in dev/test scenarios for quickly deploying components via the CLI without setting up a secret store or managed identity.
+
+This component configuration defines the sensitive value as a secret parameter that can be referenced from the metadata section. 
+
+```yaml
+componentType: secretstores.azure.keyvault
+version: v1
+metadata:
+  - name: vaultName
+    value: [your_keyvault_name]
+  - name: azureEnvironment
+    value: "AZUREPUBLICCLOUD"
+  - name: azureTenantId
+    value: "[your_tenant_id]"
+  - name: azureClientId 
+    value: "[your_client_id]"
+  - name: azureClientSecret
+    secretRef: azClientSecret
+secrets:
+  - name: azClientSecret
+    value: "[your_client_secret]"
+scopes:
+  - publisher-app
+  - subscriber-app
+```
+
+### Referencing Dapr secret store components
+
+Once you [create a Dapr secret store using one of the previous approaches](#creating-a-dapr-secret-store-component), you can reference that secret store from other Dapr components in the same environment. The following example demonstrates using Entra ID authentication.
+
+```yaml
+componentType: pubsub.azure.servicebus.queue
+version: v1
+secretStoreComponent: "[your_secret_store_name]"
+metadata:
+  - name: namespaceName
+    # Required when using Azure Authentication.
+    # Must be a fully-qualified domain name
+    value: "[your_servicebus_namespace.servicebus.windows.net]"
+  - name: azureTenantId
+    value: "[your_tenant_id]"
+  - name: azureClientId 
+    value: "[your_client_id]"
+  - name: azureClientSecret
+    secretRef: azClientSecret
+scopes:
+  - publisher-app
+  - subscriber-app
+```
+
+## Next steps
+
+[Learn how to set Dapr component resiliency.][dapr-resiliency]
+
+<!-- Links Internal -->
+
+[dapr-component-connection]: ./dapr-component-connection.md
+[dapr-keda]: ./dapr-keda-scaling.md
+[aca-managed-id]: ./managed-identity.md
+[dapr-resiliency]: ./dapr-component-resiliency.md
+[dapr-components-connect-services]: ./dapr-component-connect-services.md
+[supported-dapr-components]: ./dapr-overview.md#dapr-components
+[dapr-component]: ./dapr-components.md
+
+<!-- Links External -->
+
+[dapr-component-spec]: https://docs.dapr.io/reference/resource-specs/

articles/container-apps/dapr-component-connection.md

@@ -6,15 +6,15 @@ ms.author: hannahhunter
 ms.reviewer: nickgreenf
 ms.service: azure-container-apps
 ms.topic: how-to 
-ms.date: 08/02/2024
+ms.date: 12/11/2024
 ms.custom: template-tutorial, service-connector, build-2023, engagement
 ---
 
 # Connect to Azure services via Dapr components in the Azure portal
 
-You can easily connect Dapr APIs to backing Azure services using a combination of [Service Connector](../service-connector/overview.md) and [Dapr](https://docs.dapr.io/). This feature creates Dapr components on your behalf with valid metadata and authenticated identity to access the Azure service.  
+You can easily connect Dapr APIs to [backing Azure services](./dapr-overview.md#dapr-components) using a combination of [Service Connector](../service-connector/overview.md) and [Dapr](https://docs.dapr.io/). This feature creates Dapr components on your behalf with valid metadata and authenticated identity to access the Azure service.  
 
-In this guide, you'll connect Dapr Pub/Sub API to an Azure Service Bus by:
+In this guide, you connect Dapr Pub/Sub API to an Azure Service Bus by:
 > [!div class="checklist"]
 > - Select pub/sub as the API 
 > - Specify Azure Service Bus as the service and required properties like namespace, queue name, and identity
@@ -45,7 +45,7 @@ For example, for a pub/sub Azure Service Bus component, you'll start with the fo
 
 | Field | Example | Description |
 | ----- | ------- | ----------- |
-| Component name | mycomponent | Enter a name for your Dapr component. The name must match the component referenced in your application code. |
+| Component name | `mycomponent` | Enter a name for your Dapr component. The name must match the component referenced in your application code. |
 | Building block | Pub/sub | Select the [building block/API](https://docs.dapr.io/developing-applications/building-blocks/) for your component from the drop-down. |
 | Component type | Service Bus | Select a component type from the drop-down. |
 
@@ -54,9 +54,9 @@ The component creation pane populates with different fields depending on the bui
 | Field | Example | Description |
 | ----- | ------- | ----------- |
 | Subscription | My subscription | Select your Azure subscription |
-| Namespace | mynamespace | Select the Service Bus namespace |
+| Namespace | `mynamespace` | Select the Service Bus namespace |
 | Authentication | User assigned managed identity | Select the subscription that contains the component you're looking for. Recommended: User assigned managed identity. |
-| User assigned managed identity | testidentity | Select an existing identity from the drop-down. If you don’t  already have one, you can create a new managed identity client ID. |  
+| User assigned managed identity | `testidentity` | Select an existing identity from the drop-down. If you don’t  already have one, you can create a new managed identity client ID. |  
 
 :::image type="content" source="media/dapr-component-connection/add-pubsub-component.png" alt-text="Screenshot of the Azure platform showing the Basics tab of adding a Dapr Pub/sub component.":::
 
@@ -101,10 +101,10 @@ You can then check the YAML/Bicep artifact into a repo and recreate it outside o
 
 ## Next steps
 
-[Enable Dapr on your container apps.](./enable-dapr.md)
+[Learn how to set Dapr component resiliency.](./dapr-component-resiliency.md)
 
 ## Related links
 
 Learn more about:
 - [Using Dapr with Azure Container Apps](./dapr-overview.md)
-- [Connecting to cloud services using Service Connector](./service-connector.md)
+- [Connecting to cloud services using Service Connector](./service-connector.md)

articles/container-apps/dapr-components.md

@@ -6,7 +6,7 @@ author: hhunter-ms
 ms.service: azure-container-apps
 ms.custom: build-2023
 ms.topic: conceptual
-ms.date: 09/23/2024
+ms.date: 12/03/2024
 ---
 
 # Dapr components in Azure Container Apps
@@ -17,7 +17,7 @@ Dapr components in container apps are environment-level resources that:
 
 - Can provide a pluggable abstraction model for connecting to supporting external services.
 - Can be shared across container apps or scoped to specific container apps.
-- Can use Dapr secrets to securely retrieve configuration metadata.
+- Can use [Dapr secrets][dapr-components-connect-services] to securely retrieve configuration metadata.
 
 In this guide, you learn how to configure Dapr components for your Azure Container Apps services. 
 
@@ -71,110 +71,7 @@ scopes:
 ```
 
 > [!NOTE]
-> Dapr component scopes correspond to the Dapr application ID of a container app, not the container app name.
-
-## Connecting to external services via Dapr
-
-There are a few approaches supported in container apps to securely establish connections to external services for Dapr components.
-
-1. [Using managed identity](#using-managed-identity)
-1. Using a Dapr secret store component reference by creating either:
-   - [An Azure Key Vault secret store](#azure-key-vault-secret-stores), which uses managed identity, or
-   - [Platform-Managed Kubernetes secrets](#platform-managed-kubernetes-secrets)
-
-### Using managed identity
-
-For Azure-hosted services, Dapr can use [the managed identity of the scoped container apps][aca-managed-id] to authenticate to the backend service provider. When using managed identity, you don't need to include secret information in a component manifest. Using managed identity is preferred as it eliminates storage of sensitive input in components and doesn't require managing a secret store.
-
-> [!NOTE]
-> The `azureClientId` metadata field (the client ID of the managed identity) is **required** for any component authenticating with user-assigned managed identity.
-
-### Using a Dapr secret store component reference
-
-When you create Dapr components for non-Entra ID enabled services, certain metadata fields require sensitive input values. The recommended approach for retrieving these secrets is to reference an existing Dapr secret store component that securely accesses secret information.
-
-To set up a reference:
-
-1. [Create a Dapr secret store component using the Azure Container Apps schema.](#creating-a-dapr-secret-store-component) The component type for all supported Dapr secret stores begins with `secretstores.`.
-1. [Create extra components (as needed) which reference the Dapr secret store component](#referencing-dapr-secret-store-components) you created to retrieve the sensitive metadata input.
-
-#### Creating a Dapr secret store component
-
-When creating a secret store component in Azure Container Apps, you can provide sensitive information in the metadata section in either of the following ways:
-
-- [For an **Azure Key Vault secret store**,](#using-managed-identity) use managed identity to establish the connection. 
-- [For **non-Azure secret stores**,](#platform-managed-kubernetes-secrets) use platform-managed Kubernetes secrets that are defined directly as part of the component manifest.
-
-##### Azure Key Vault secret stores
-
-The following component showcases the simplest possible secret store configuration using an Azure Key Vault secret store. In this example, publisher and subscriber applications are configured to both have a system or user-assigned managed identity with appropriate permissions on the Azure Key Vault instance.
-
-```yaml
-componentType: secretstores.azure.keyvault
-version: v1
-metadata:
-  - name: vaultName
-    value: [your_keyvault_name]
-  - name: azureEnvironment
-    value: "AZUREPUBLICCLOUD"
-  - name: azureClientId # Only required for authenticating user-assigned managed identity
-    value: [your_managed_identity_client_id]
-scopes:
-  - publisher-app
-  - subscriber-app
-```
-
-##### Platform-managed Kubernetes secrets
-
-Kubernetes secrets, Local environment variables, and Local file Dapr secret stores aren't supported in Azure Container Apps. As an alternative for the upstream Dapr default Kubernetes secret store, Azure Container Apps provides a platform-managed approach for creating and leveraging Kubernetes secrets.
-
-This component configuration defines the sensitive value as a secret parameter that can be referenced from the metadata section. This approach can be used to connect to non-Azure services or in dev/test scenarios for quickly deploying components via the CLI without setting up a secret store or managed identity.
-
-```yaml
-componentType: secretstores.azure.keyvault
-version: v1
-metadata:
-  - name: vaultName
-    value: [your_keyvault_name]
-  - name: azureEnvironment
-    value: "AZUREPUBLICCLOUD"
-  - name: azureTenantId
-    value: "[your_tenant_id]"
-  - name: azureClientId 
-    value: "[your_client_id]"
-  - name: azureClientSecret
-    secretRef: azClientSecret
-secrets:
-  - name: azClientSecret
-    value: "[your_client_secret]"
-scopes:
-  - publisher-app
-  - subscriber-app
-```
-
-#### Referencing Dapr secret store components
-
-Once you [create a Dapr secret store using one of the previous approaches](#creating-a-dapr-secret-store-component), you can reference that secret store from other Dapr components in the same environment. The following example demonstrates using Entra ID authentication.
-
-```yaml
-componentType: pubsub.azure.servicebus.queue
-version: v1
-secretStoreComponent: "[your_secret_store_name]"
-metadata:
-  - name: namespaceName
-    # Required when using Azure Authentication.
-    # Must be a fully-qualified domain name
-    value: "[your_servicebus_namespace.servicebus.windows.net]"
-  - name: azureTenantId
-    value: "[your_tenant_id]"
-  - name: azureClientId 
-    value: "[your_client_id]"
-  - name: azureClientSecret
-    secretRef: azClientSecret
-scopes:
-  - publisher-app
-  - subscriber-app
-```
+> Dapr component scopes provide better security measures and correspond to the Dapr application ID of a container app, not the container app name.
 
 ## Component examples
 
@@ -277,16 +174,17 @@ This resource defines a Dapr component called `dapr-pubsub` via ARM.
 
 ## Next steps
 
-[Learn how to set Dapr component resiliency.][dapr-resiliency]
+[Learn how to connect to Azure and external services via Dapr components.][dapr-components-connect-services]
 
 <!-- Links Internal -->
 
 [dapr-component-connection]: ./dapr-component-connection.md
 [dapr-keda]: ./dapr-keda-scaling.md
 [aca-managed-id]: ./managed-identity.md
 [dapr-resiliency]: ./dapr-component-resiliency.md
+[dapr-components-connect-services]: ./dapr-component-connect-services.md
+[dapr-component]: ./dapr-overview.md#dapr-components
 
 <!-- Links External -->
 
-[dapr-component]: https://docs.dapr.io/concepts/components-concept/
 [dapr-component-spec]: https://docs.dapr.io/reference/resource-specs/