feat: New Container App Job module plus Container App updates (#178)

* New Container App Job module plus Container App updates

* Add ADO template to start job

* [DTOSS-8589] Fix container app RG data source error (#179)

* Add lowercase virtual network name

New resources should be created with lowercase name

* Fix error container app error when the RG is not created

The data source was relying on the resource group existence and failing
when building an environment from scratch

* Add logging and exit only once job completes

* Ammend variables in line with other modules

* Update docs

* Update terraform docs (#181)

* Merge with main

* Docs updates

---------

Co-authored-by: Colin Saliceti <[email protected]>

Author: rfk-nc

.azuredevops/templates/steps/app-container-job-start.yaml

@@ -0,0 +1,69 @@
+---
+
+parameters:
+  - name: serviceConnection
+    type: string
+  - name: targetSubscriptionId
+    type: string
+  - name: resourceGroupName
+    type: string
+  - name: jobName
+    type: string
+  - name: waitForCompletion
+    type: boolean
+    default: true
+
+steps:
+  - task: AzureCLI@2
+    name: apply_database_changes
+    displayName: Apply database changes
+    inputs:
+      azureSubscription: ${{ parameters.serviceConnection }}
+      addSpnToEnvironment: true
+      failOnStandardError: false
+      scriptType: bash
+      scriptLocation: inlineScript
+      inlineScript: |
+        # Exit immediately if a command exits with a non-zero status
+        set -eo pipefail
+
+        az account set -s ${{ parameters.targetSubscriptionId }}
+
+        JOB_NAME="${{ parameters.jobName }}"
+        RESOURCE_GROUP_NAME="${{ parameters.resourceGroupName }}"
+
+        POLLING_INTERVAL_SECONDS=5
+        MAX_POLLING_ATTEMPTS=60
+        CURRENT_ATTEMPT=0
+
+        echo "##[section]Starting Container App Job: ${JOB_NAME} in Resource Group: ${RESOURCE_GROUP_NAME}"
+
+        # Start the container app job and capture the execution name
+        JOB_EXECUTION_NAME=$(az containerapp job start --name ${JOB_NAME} --resource-group ${RESOURCE_GROUP_NAME} --query name -o tsv)
+
+        # If we need to wait for job completion, poll for job execution status and only exit step once completed
+        if [[ "${{ parameters.waitForCompletion }}" == "True" ]]; then
+          while true; do
+            JOB_STATUS=$(az containerapp job execution show --name ${JOB_NAME} --job-execution-name ${JOB_EXECUTION_NAME} --resource-group ${RESOURCE_GROUP_NAME} --query properties.status -o tsv)
+
+            echo "Job execution status after $((CURRENT_ATTEMPT * POLLING_INTERVAL_SECONDS)) seconds: $JOB_STATUS"
+
+            if [[ "$JOB_STATUS" == "Succeeded" ]]; then
+              break
+            elif [[ "$JOB_STATUS" == "Failed" ]]; then
+              echo "##[error]Job failed."
+              exit 1
+            elif [[ "$JOB_STATUS" == "Cancelled" ]]; then
+              echo "##[warning]Job was cancelled."
+              exit 1
+            fi
+            sleep $POLLING_INTERVAL_SECONDS
+
+            # Increment the current attempt counter to ensure we don't exceed the maximum polling attempts
+            CURRENT_ATTEMPT=$((CURRENT_ATTEMPT + 1))
+            if [[ $CURRENT_ATTEMPT -ge $MAX_POLLING_ATTEMPTS ]]; then
+              echo "##[error]Max polling attempts of $MAX_POLLING_ATTEMPTS reached. Exiting."
+              exit 1
+            fi
+          done
+        fi

.azuredevops/templates/steps/apply-database-changes.yaml

@@ -11,6 +11,7 @@ This repository contains terraform modules and Azure devops pipeline steps to de
 - [baseline](infrastructure/modules/baseline/README.md)
 - [container-app](infrastructure/modules/container-app/README.md)
 - [container-app-environment](infrastructure/modules/container-app-environment/README.md)
+- [container-app-job](infrastructure/modules/container-app-job/README.md)
 - [container-registry](infrastructure/modules/container-registry/README.md)
 - [diagnostic-settings](infrastructure/modules/diagnostic-settings/README.md)
 - [dns-a-record](infrastructure/modules/dns-a-record/README.md)

README.md

@@ -9,6 +9,8 @@ resource "azurerm_container_app_environment" "main" {
 }
 
 module "apex-record" {
+  count = var.private_dns_zone_rg_name != null ? 1 : 0
+
   source = "../private-dns-a-record"
   providers = {
     azurerm = azurerm.dns
@@ -22,6 +24,8 @@ module "apex-record" {
 }
 
 module "wildcard-record" {
+  count = var.private_dns_zone_rg_name != null ? 1 : 0
+
   source = "../private-dns-a-record"
   providers = {
     azurerm = azurerm.dns

infrastructure/modules/container-app-environment/main.tf

@@ -16,12 +16,6 @@ Description: Name of the container app environment.
 
 Type: `string`
 
-### <a name="input_private_dns_zone_rg_name"></a> [private\_dns\_zone\_rg\_name](#input\_private\_dns\_zone\_rg\_name)
-
-Description: Name of the hub resource group where the private DNS zone is located.
-
-Type: `string`
-
 ### <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name)
 
 Description: Name of the resource group to create the container app environment in.
@@ -46,6 +40,14 @@ Type: `string`
 
 Default: `"UK South"`
 
+### <a name="input_private_dns_zone_rg_name"></a> [private\_dns\_zone\_rg\_name](#input\_private\_dns\_zone\_rg\_name)
+
+Description: Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress..
+
+Type: `string`
+
+Default: `null`
+
 ### <a name="input_zone_redundancy_enabled"></a> [zone\_redundancy\_enabled](#input\_zone\_redundancy\_enabled)
 
 Description: Enable availability zone redundancy for the container app environment. Should be set to true in production.

infrastructure/modules/container-app-environment/tfdocs.md

@@ -26,7 +26,8 @@ variable "vnet_integration_subnet_id" {
 
 variable "private_dns_zone_rg_name" {
   type        = string
-  description = "Name of the hub resource group where the private DNS zone is located."
+  description = "Name of the hub resource group where the private DNS zone is located. This is only required if adding custom DNS records, for instance when hosting container apps with an HTTP ingress."
+  default     = null
 }
 
 variable "zone_redundancy_enabled" {

infrastructure/modules/container-app-environment/variables.tf

@@ -0,0 +1,49 @@
+# container-app
+
+Deploy an [Azure container app job](https://learn.microsoft.com/en-us/azure/container-apps/jobs) to a [Container app environment](https://learn.microsoft.com/en-us/azure/container-apps/environment) in order to run container workloads that do not require ingress or web access. The container app job can be triggered manually or via an event source, such as a timer or message queue. The job will not automatically run following deployment or update of the resources and the job can stop upon completion if the application code contains an exit code. It can be run again on demand via the Azure portal, CLI, or API.
+
+Integrates with the [container-app-environment module](../container-app-environment/).
+
+See also the following ADO template step that can be used to trigger a container app job run: [app-container-job-start.yaml](../../../.azuredevops/templates/steps/app-container-job-start.yaml).
+
+## Terraform documentation
+For the list of inputs, outputs, resources... check the [terraform module documentation](tfdocs.md).
+
+## Usage
+Create the common container app environment:
+```hcl
+module "container-app-environment" {
+  source = "../../../dtos-devops-templates/infrastructure/modules/container-app-environment"
+
+  name                       = "manage-breast-screening-${var.environment}"
+  resource_group_name        = var.resource_group_name
+  location                   = var.location
+  log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id
+  vnet_integration_subnet_id = module.container_app_subnet.id
+}
+```
+
+Create a container app job to run an image pulled from Azure Container Registry (ACR). The job will run in the container app environment and can be triggered manually or via an event source:
+```hcl
+module "container-app-job" {
+
+  source = "../../../dtos-devops-templates/infrastructure/modules/container-app-job"
+
+  name                         = "ca-workload-name-${var.environment}"
+  resource_group_name          = var.resource_group_name
+  location                     = var.location
+  container_app_environment_id = module.container-app-environment.id
+
+  # List of user assigned managed identities to assign to the container app job so it can authenticate against e.g. database, key vault, etc:
+  user_assigned_identity_ids   = var.user_assigned_identity_ids
+
+  acr_login_server        = data.azurerm_container_registry.acr.login_server
+  acr_managed_identity_id = var.acr_managed_identity_id
+  docker_image            = "${data.azurerm_container_registry.acr.login_server}/${var.docker_image}:${var.docker_env_tag}"
+
+  environment_variables = {
+    "ENVIRONMENT_VAR" = var.environment_var
+  }
+}
+```
+

infrastructure/modules/container-app-job/README.md

@@ -0,0 +1,59 @@
+# Merge the identities passed in via a variables:
+locals {
+  all_identity_ids = concat([var.acr_managed_identity_id], var.user_assigned_identity_ids)
+}
+
+resource "azurerm_container_app_job" "this" {
+  name                = var.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  container_app_environment_id = var.container_app_environment_id
+  replica_timeout_in_seconds   = var.replica_timeout_in_seconds
+  replica_retry_limit          = var.replica_retry_limit
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = local.all_identity_ids
+  }
+
+  # Configure manual trigger for on-demand execution via CLI
+  manual_trigger_config {
+    parallelism              = var.job_parallelism
+    replica_completion_count = var.replica_completion_count
+  }
+
+  # Define the container template for the job.
+  template {
+
+    container {
+      name   = var.name
+      image  = var.docker_image
+      cpu    = local.cpu
+      memory = local.memory
+
+      # Optional: Command to execute in the container.
+      command = var.container_command
+      args    = var.container_args
+
+      # Optional: Environment variables for the container.
+      dynamic "env" {
+        for_each = var.environment_variables
+        content {
+          name  = env.key
+          value = env.value
+        }
+      }
+    }
+  }
+
+  # Optional: Configure private registry access using Managed Identity
+  dynamic "registry" {
+    for_each = var.acr_login_server != null && var.acr_managed_identity_id != null ? [1] : []
+
+    content {
+      server   = var.acr_login_server
+      identity = var.acr_managed_identity_id
+    }
+  }
+}