Rename resource group variables to explicitly distinguish cluster and global resource groups

Author: tjementum

.github/workflows/_deploy-container.yml

@@ -100,15 +100,16 @@ jobs:
 
       - name: Deploy Container
         run: |
+          CLUSTER_RESOURCE_GROUP_NAME="${{ env.UNIQUE_PREFIX }}-${{ env.ENVIRONMENT }}-${{ env.CLUSTER_LOCATION_ACRONYM }}"
           SUFFIX=$(echo "${{ inputs.version }}" | sed 's/\./-/g')
-          az containerapp update --name ${{ inputs.image_name }} --resource-group "${{ env.UNIQUE_PREFIX }}-${{ env.ENVIRONMENT }}-${{ env.CLUSTER_LOCATION_ACRONYM }}" --image "${{ env.UNIQUE_PREFIX }}${{ env.ENVIRONMENT }}.azurecr.io/${{ inputs.image_name }}:${{ inputs.version }}" --revision-suffix $SUFFIX
+          az containerapp update --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --image "${{ env.UNIQUE_PREFIX }}${{ env.ENVIRONMENT }}.azurecr.io/${{ inputs.image_name }}:${{ inputs.version }}" --revision-suffix $SUFFIX
 
           echo "Waiting for the new revision to be active..."
           for i in {1..10}; do
             sleep 15
 
-            RUNNING_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "${{ env.UNIQUE_PREFIX }}-${{ env.ENVIRONMENT }}-${{ env.CLUSTER_LOCATION_ACRONYM }}" --query "[?contains(name, '$SUFFIX')].properties.runningState" --output tsv)
-            HEALTH_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "${{ env.UNIQUE_PREFIX }}-${{ env.ENVIRONMENT }}-${{ env.CLUSTER_LOCATION_ACRONYM }}" --query "[?contains(name, '$SUFFIX')].properties.healthState" --output tsv)
+            RUNNING_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.runningState" --output tsv)
+            HEALTH_STATUS=$(az containerapp revision list --name ${{ inputs.image_name }} --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" --query "[?contains(name, '$SUFFIX')].properties.healthState" --output tsv)
             if [[ "$HEALTH_STATUS" == "Healthy" ]]; then
               echo "New revision is healthy. Running state: $RUNNING_STATUS"
               exit 0

.github/workflows/_deploy-infrastructure.yml

@@ -83,17 +83,17 @@ jobs:
       - name: Show DNS Configuration
         if: ${{ inputs.domain_name != '' && inputs.domain_name != '-' }}
         run: |
-          RESOURCE_GROUP_NAME="${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}"
+          CLUSTER_RESOURCE_GROUP_NAME="${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}"
 
           # Try to get the Container Apps Environment details
-          env_details=$(az containerapp env show --name $RESOURCE_GROUP_NAME --resource-group $RESOURCE_GROUP_NAME 2>&1 || echo "")
+          env_details=$(az containerapp env show --name $CLUSTER_RESOURCE_GROUP_NAME --resource-group $CLUSTER_RESOURCE_GROUP_NAME 2>&1 || echo "")
 
           if [[ "$env_details" != "" ]] && [[ "$env_details" != *"ResourceNotFound"* ]] && [[ "$env_details" != *"ResourceGroupNotFound"* ]]; then
             custom_domain_verification_id=$(echo "$env_details" | jq -r '.properties.customDomainConfiguration.customDomainVerificationId')
             default_domain=$(echo "$env_details" | jq -r '.properties.defaultDomain')
 
             # Check if app-gateway already has the custom domain configured
-            app_gateway_details=$(az containerapp show --name app-gateway --resource-group $RESOURCE_GROUP_NAME 2>&1 || echo "")
+            app_gateway_details=$(az containerapp show --name app-gateway --resource-group $CLUSTER_RESOURCE_GROUP_NAME 2>&1 || echo "")
             custom_domains=$(echo "$app_gateway_details" | jq -r '.properties.configuration.ingress.customDomains // []')
 
             if [[ "$custom_domains" != "[]" ]] && [[ "$custom_domains" != "null" ]]; then

.github/workflows/_migrate-database.yml

@@ -51,7 +51,7 @@ jobs:
     env:
       UNIQUE_PREFIX: ${{ vars.UNIQUE_PREFIX }}
       TENANT_ID: ${{ vars.TENANT_ID }}
-      RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
+      CLUSTER_RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
       SQL_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
       SQL_SERVER_FQDN: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.database.windows.net
 
@@ -82,7 +82,7 @@ jobs:
       - name: Open Firewall
         working-directory: cloud-infrastructure/cluster
         env:
-          RESOURCE_GROUP_NAME: ${{ env.RESOURCE_GROUP_NAME }}
+          CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
           SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
           SQL_DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh open
@@ -142,7 +142,7 @@ jobs:
         if: always()
         working-directory: cloud-infrastructure/cluster
         env:
-          RESOURCE_GROUP_NAME: ${{ env.RESOURCE_GROUP_NAME }}
+          CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
           SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
           SQL_DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh close
@@ -238,7 +238,7 @@ jobs:
     env:
       UNIQUE_PREFIX: ${{ vars.UNIQUE_PREFIX }}
       TENANT_ID: ${{ vars.TENANT_ID }}
-      RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
+      CLUSTER_RESOURCE_GROUP_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
       SQL_SERVER_NAME: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
       SQL_SERVER_FQDN: ${{ vars.UNIQUE_PREFIX }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}.database.windows.net
 
@@ -269,7 +269,7 @@ jobs:
       - name: Open Firewall
         working-directory: cloud-infrastructure/cluster
         env:
-          RESOURCE_GROUP_NAME: ${{ env.RESOURCE_GROUP_NAME }}
+          CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
           SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
           SQL_DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh open
@@ -289,7 +289,7 @@ jobs:
         if: always()
         working-directory: cloud-infrastructure/cluster
         env:
-          RESOURCE_GROUP_NAME: ${{ env.RESOURCE_GROUP_NAME }}
+          CLUSTER_RESOURCE_GROUP_NAME: ${{ env.CLUSTER_RESOURCE_GROUP_NAME }}
           SQL_SERVER_NAME: ${{ env.SQL_SERVER_NAME }}
           SQL_DATABASE_NAME: ${{ inputs.database_name }}
         run: bash ./firewall.sh close

cloud-infrastructure/README.md

@@ -58,9 +58,10 @@ Examples of cluster-specific resources:
 - Communication Service: `ppdemo-stage-weu`, `ppdemo-prod-eus2`
 - Storage Accounts: `ppdemostageweuacctmgmt`, `ppdemoprodweudiagnostic`
 
-Examples of environment-specific resources:
-- Application Insights: `ppdemo-stage`, `ppdemo-prod`
-- Log Analytics workspace: `ppdemo-stage`, `ppdemo-prod`
+Examples of global resources (shared across all clusters in an environment):
+- Resource Group: `ppdemo-stage-global`, `ppdemo-prod-global`
+- Application Insights: `ppdemo-stage-global`, `ppdemo-prod-global`
+- Log Analytics workspace: `ppdemo-stage-global`, `ppdemo-prod-global`
 - Container Registry: `ppdemostage`, `ppdemoprod`
 
 All Azure resources are tagged with `environment` (e.g., `stage`, `prod`) and `managed-by` (e.g., `bicep`, `manual`) for easier cost tracking and resource management.

cloud-infrastructure/cluster/deploy-cluster.sh

@@ -32,12 +32,12 @@ export DOMAIN_NAME
 export SQL_ADMIN_OBJECT_ID
 
 export CONTAINER_REGISTRY_NAME=$UNIQUE_PREFIX$ENVIRONMENT
-export ENVIRONMENT_RESOURCE_GROUP_NAME="$UNIQUE_PREFIX-$ENVIRONMENT"
-export RESOURCE_GROUP_NAME="$ENVIRONMENT_RESOURCE_GROUP_NAME-$CLUSTER_LOCATION_ACRONYM"
+export GLOBAL_RESOURCE_GROUP_NAME="$UNIQUE_PREFIX-$ENVIRONMENT-global"
+export CLUSTER_RESOURCE_GROUP_NAME="$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM"
 
-export APP_GATEWAY_VERSION=$(get_active_version "app-gateway" $RESOURCE_GROUP_NAME)
-export ACCOUNT_MANAGEMENT_VERSION=$(get_active_version "account-management-api" $RESOURCE_GROUP_NAME) # The version from the API is use for both API and Workers
-export BACK_OFFICE_VERSION=$(get_active_version "back-office-api" $RESOURCE_GROUP_NAME) # The version from the API is use for both API and Workers
+export APP_GATEWAY_VERSION=$(get_active_version "app-gateway" $CLUSTER_RESOURCE_GROUP_NAME)
+export ACCOUNT_MANAGEMENT_VERSION=$(get_active_version "account-management-api" $CLUSTER_RESOURCE_GROUP_NAME) # The version from the API is use for both API and Workers
+export BACK_OFFICE_VERSION=$(get_active_version "back-office-api" $CLUSTER_RESOURCE_GROUP_NAME) # The version from the API is use for both API and Workers
 
 az extension add --name application-insights --allow-preview true --only-show-errors
 
@@ -56,7 +56,7 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
 bicep build-params ./main-cluster.bicepparam --outfile ./main-cluster.parameters.json
 
 DEPLOYMENT_COMMAND="az deployment sub create"
-DEPLOYMENT_PARAMETERS="-l $CLUSTER_LOCATION -n $CURRENT_DATE-$RESOURCE_GROUP_NAME --output json -f ./main-cluster.bicep -p ./main-cluster.parameters.json"
+DEPLOYMENT_PARAMETERS="-l $CLUSTER_LOCATION -n $CURRENT_DATE-$CLUSTER_RESOURCE_GROUP_NAME --output json -f ./main-cluster.bicep -p ./main-cluster.parameters.json"
 
 . ../deploy.sh
 
@@ -74,7 +74,7 @@ then
   # Check for the specific error message indicating that DNS Records are missing
   if [[ $cleaned_output == *"InvalidCustomHostNameValidation"* ]] || [[ $cleaned_output == *"FailedCnameValidation"* ]]; then
     # Get details about the container apps environment to provide DNS configuration instructions
-    env_details=$(az containerapp env show --name $RESOURCE_GROUP_NAME --resource-group $RESOURCE_GROUP_NAME)
+    env_details=$(az containerapp env show --name $CLUSTER_RESOURCE_GROUP_NAME --resource-group $CLUSTER_RESOURCE_GROUP_NAME)
 
     # Extract the customDomainVerificationId and defaultDomain from the container apps environment
     custom_domain_verification_id=$(echo "$env_details" | jq -r '.properties.customDomainConfiguration.customDomainVerificationId')

cloud-infrastructure/cluster/firewall.sh

@@ -4,8 +4,8 @@ FIREWALL_RULE_NAME="GitHub Action Workflows - ${SQL_DATABASE_NAME} - Only active
 if [[ "$1" == "open" ]]
 then
     echo "$(date +"%Y-%m-%dT%H:%M:%S") Add the IP $IP_ADDRESS to the SQL Server firewall on server $SQL_SERVER_NAME for database $SQL_DATABASE_NAME"
-    az sql server firewall-rule create --resource-group $RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
+    az sql server firewall-rule create --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME" --start-ip-address $IP_ADDRESS --end-ip-address $IP_ADDRESS
 else
     echo "$(date +"%Y-%m-%dT%H:%M:%S") Delete the IP $IP_ADDRESS from the SQL Server firewall on server $SQL_SERVER_NAME for database $SQL_DATABASE_NAME"
-    az sql server firewall-rule delete --resource-group $RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME"
+    az sql server firewall-rule delete --resource-group $CLUSTER_RESOURCE_GROUP_NAME --server $SQL_SERVER_NAME --name "$FIREWALL_RULE_NAME"
 fi

cloud-infrastructure/cluster/grant-database-permissions.sh

@@ -4,9 +4,9 @@ CLUSTER_LOCATION_ACRONYM=$3
 SQL_DATABASE_NAME=$4
 MANAGEMENT_IDENTITY_CLIENT_ID=$5
 
-RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM
-MANAGED_IDENTITY_NAME=$RESOURCE_GROUP_NAME-$4
-SQL_SERVER_NAME=$RESOURCE_GROUP_NAME
+CLUSTER_RESOURCE_GROUP_NAME=$UNIQUE_PREFIX-$ENVIRONMENT-$CLUSTER_LOCATION_ACRONYM
+MANAGED_IDENTITY_NAME=$CLUSTER_RESOURCE_GROUP_NAME-$4
+SQL_SERVER_NAME=$CLUSTER_RESOURCE_GROUP_NAME
 SQL_SERVER=$SQL_SERVER_NAME.database.windows.net
 
 cd "$(dirname "${BASH_SOURCE[0]}")"
@@ -26,7 +26,7 @@ SID=$(awk -v id="$SID" 'BEGIN {
     substr(id,17)
 }') # Reverse the byte order for the first three sections of the GUID and concatenate
 
-echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (ID: $SID) in Recource group $RESOURCE_GROUP_NAME permissions on $SQL_SERVER/$SQL_DATABASE_NAME database"
+echo "$(date +"%Y-%m-%dT%H:%M:%S") Granting $MANAGED_IDENTITY_NAME (ID: $SID) in Resource group $CLUSTER_RESOURCE_GROUP_NAME permissions on $SQL_SERVER/$SQL_DATABASE_NAME database"
 
 # Execute the SQL script using mssql-scripter. Pass the script as a heredoc to sqlcmd to allow for complex SQL.
 sqlcmd -S $SQL_SERVER -d $SQL_DATABASE_NAME --authentication-method=ActiveDirectoryDefault --exit-on-error << EOF