azd 0.9.0

data/lib/generators/templates/infra/core/database/postgresql/flexibleserver.bicep

@@ -0,0 +1,81 @@
+metadata description = 'Creates an Azure Database for PostgreSQL - Flexible Server.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param sku object
+param storage object
+param administratorLogin string
+@secure()
+param administratorLoginPassword string
+param databaseNames array = []
+param allowAzureIPsFirewall bool = false
+param allowAllIPsFirewall bool = false
+param allowedSingleIPs array = []
+param azureExtensions array = []
+
+// PostgreSQL version
+param version string
+
+resource postgresServer 'Microsoft.DBforPostgreSQL/flexibleServers@2023-03-01-preview' = {
+  location: location
+  tags: tags
+  name: name
+  sku: sku
+  properties: {
+    version: version
+    administratorLogin: administratorLogin
+    administratorLoginPassword: administratorLoginPassword
+    storage: storage
+    highAvailability: {
+      mode: 'Disabled'
+    }
+
+  }
+
+  resource database 'databases' = [for name in databaseNames: {
+    name: name
+  }]
+}
+
+resource firewall_all 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = if (allowAllIPsFirewall) {
+  name: 'allow-all-IPs'
+  parent: postgresServer
+  properties: {
+    startIpAddress: '0.0.0.0'
+    endIpAddress: '255.255.255.255'
+  }
+}
+
+resource firewall_azure 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = if (allowAzureIPsFirewall) {
+  name: 'allow-all-azure-internal-IPs'
+  parent: postgresServer
+  properties: {
+    startIpAddress: '0.0.0.0'
+    endIpAddress: '0.0.0.0'
+  }
+}
+
+resource firewall_single 'Microsoft.DBforPostgreSQL/flexibleServers/firewallRules@2023-03-01-preview' = [for ip in allowedSingleIPs: {
+  name: 'allow-single-${replace(ip, '.', '')}'
+  parent: postgresServer
+  properties: {
+    startIpAddress: ip
+    endIpAddress: ip
+  }
+}]
+
+// Workaround issue https://github.com/Azure/bicep-types-az/issues/1507
+resource configurations 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2023-03-01-preview' = {
+  name: 'azure.extensions'
+  parent: postgresServer
+  properties: {
+    value: join(azureExtensions, ',')
+    source: 'user-override'
+  }
+  dependsOn: [
+    firewall_all
+  ]
+}
+
+output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName

data/lib/generators/templates/infra/core/database/sqlserver/sqlserver.bicep

@@ -0,0 +1,130 @@
+metadata description = 'Creates an Azure SQL Server instance.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param appUser string = 'appUser'
+param databaseName string
+param keyVaultName string
+param sqlAdmin string = 'sqlAdmin'
+param connectionStringKey string = 'AZURE-SQL-CONNECTION-STRING'
+
+@secure()
+param sqlAdminPassword string
+@secure()
+param appUserPassword string
+
+resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    version: '12.0'
+    minimalTlsVersion: '1.2'
+    publicNetworkAccess: 'Enabled'
+    administratorLogin: sqlAdmin
+    administratorLoginPassword: sqlAdminPassword
+  }
+
+  resource database 'databases' = {
+    name: databaseName
+    location: location
+  }
+
+  resource firewall 'firewallRules' = {
+    name: 'Azure Services'
+    properties: {
+      // Allow all clients
+      // Note: range [0.0.0.0-0.0.0.0] means "allow all Azure-hosted clients only".
+      // This is not sufficient, because we also want to allow direct access from developer machine, for debugging purposes.
+      startIpAddress: '0.0.0.1'
+      endIpAddress: '255.255.255.254'
+    }
+  }
+}
+
+resource sqlDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
+  name: '${name}-deployment-script'
+  location: location
+  kind: 'AzureCLI'
+  properties: {
+    azCliVersion: '2.37.0'
+    retentionInterval: 'PT1H' // Retain the script resource for 1 hour after it ends running
+    timeout: 'PT5M' // Five minutes
+    cleanupPreference: 'OnSuccess'
+    environmentVariables: [
+      {
+        name: 'APPUSERNAME'
+        value: appUser
+      }
+      {
+        name: 'APPUSERPASSWORD'
+        secureValue: appUserPassword
+      }
+      {
+        name: 'DBNAME'
+        value: databaseName
+      }
+      {
+        name: 'DBSERVER'
+        value: sqlServer.properties.fullyQualifiedDomainName
+      }
+      {
+        name: 'SQLCMDPASSWORD'
+        secureValue: sqlAdminPassword
+      }
+      {
+        name: 'SQLADMIN'
+        value: sqlAdmin
+      }
+    ]
+
+    scriptContent: '''
+wget https://github.com/microsoft/go-sqlcmd/releases/download/v0.8.1/sqlcmd-v0.8.1-linux-x64.tar.bz2
+tar x -f sqlcmd-v0.8.1-linux-x64.tar.bz2 -C .
+
+cat <<SCRIPT_END > ./initDb.sql
+drop user if exists ${APPUSERNAME}
+go
+create user ${APPUSERNAME} with password = '${APPUSERPASSWORD}'
+go
+alter role db_owner add member ${APPUSERNAME}
+go
+SCRIPT_END
+
+./sqlcmd -S ${DBSERVER} -d ${DBNAME} -U ${SQLADMIN} -i ./initDb.sql
+    '''
+  }
+}
+
+resource sqlAdminPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  parent: keyVault
+  name: 'sqlAdminPassword'
+  properties: {
+    value: sqlAdminPassword
+  }
+}
+
+resource appUserPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  parent: keyVault
+  name: 'appUserPassword'
+  properties: {
+    value: appUserPassword
+  }
+}
+
+resource sqlAzureConnectionStringSercret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  parent: keyVault
+  name: connectionStringKey
+  properties: {
+    value: '${connectionString}; Password=${appUserPassword}'
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
+var connectionString = 'Server=${sqlServer.properties.fullyQualifiedDomainName}; Database=${sqlServer::database.name}; User=${appUser}'
+output connectionStringKey string = connectionStringKey
+output databaseName string = sqlServer::database.name

data/lib/generators/templates/infra/core/gateway/apim.bicep

@@ -0,0 +1,79 @@
+metadata description = 'Creates an Azure API Management instance.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('The email address of the owner of the service')
+@minLength(1)
+param publisherEmail string = 'noreply@microsoft.com'
+
+@description('The name of the owner of the service')
+@minLength(1)
+param publisherName string = 'n/a'
+
+@description('The pricing tier of this API Management service')
+@allowed([
+  'Consumption'
+  'Developer'
+  'Standard'
+  'Premium'
+])
+param sku string = 'Consumption'
+
+@description('The instance size of this API Management service.')
+@allowed([ 0, 1, 2 ])
+param skuCount int = 0
+
+@description('Azure Application Insights Name')
+param applicationInsightsName string
+
+resource apimService 'Microsoft.ApiManagement/service@2021-08-01' = {
+  name: name
+  location: location
+  tags: union(tags, { 'azd-service-name': name })
+  sku: {
+    name: sku
+    capacity: (sku == 'Consumption') ? 0 : ((sku == 'Developer') ? 1 : skuCount)
+  }
+  properties: {
+    publisherEmail: publisherEmail
+    publisherName: publisherName
+    // Custom properties are not supported for Consumption SKU
+    customProperties: sku == 'Consumption' ? {} : {
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_GCM_SHA256': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Ssl30': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11': 'false'
+      'Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Ssl30': 'false'
+    }
+  }
+}
+
+resource apimLogger 'Microsoft.ApiManagement/service/loggers@2021-12-01-preview' = if (!empty(applicationInsightsName)) {
+  name: 'app-insights-logger'
+  parent: apimService
+  properties: {
+    credentials: {
+      instrumentationKey: applicationInsights.properties.InstrumentationKey
+    }
+    description: 'Logger to Azure Application Insights'
+    isBuffered: false
+    loggerType: 'applicationInsights'
+    resourceId: applicationInsights.id
+  }
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
+  name: applicationInsightsName
+}
+
+output apimServiceName string = apimService.name

data/lib/generators/templates/infra/core/host/aks-agent-pool.bicep

@@ -0,0 +1,18 @@
+metadata description = 'Adds an agent pool to an Azure Kubernetes Service (AKS) cluster.'
+param clusterName string
+
+@description('The agent pool name')
+param name string
+
+@description('The agent pool configuration')
+param config object
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-10-02-preview' existing = {
+  name: clusterName
+}
+
+resource nodePool 'Microsoft.ContainerService/managedClusters/agentPools@2023-10-02-preview' = {
+  parent: aksCluster
+  name: name
+  properties: config
+}

data/lib/generators/templates/infra/core/host/aks-managed-cluster.bicep

@@ -0,0 +1,140 @@
+metadata description = 'Creates an Azure Kubernetes Service (AKS) cluster with a system agent pool.'
+@description('The name for the AKS managed cluster')
+param name string
+
+@description('The name of the resource group for the managed resources of the AKS cluster')
+param nodeResourceGroupName string = ''
+
+@description('The Azure region/location for the AKS resources')
+param location string = resourceGroup().location
+
+@description('Custom tags to apply to the AKS resources')
+param tags object = {}
+
+@description('Kubernetes Version')
+param kubernetesVersion string = '1.27.7'
+
+@description('Whether RBAC is enabled for local accounts')
+param enableRbac bool = true
+
+// Add-ons
+@description('Whether web app routing (preview) add-on is enabled')
+param webAppRoutingAddon bool = true
+
+// AAD Integration
+@description('Enable Azure Active Directory integration')
+param enableAad bool = false
+
+@description('Enable RBAC using AAD')
+param enableAzureRbac bool = false
+
+@description('The Tenant ID associated to the Azure Active Directory')
+param aadTenantId string = tenant().tenantId
+
+@description('The load balancer SKU to use for ingress into the AKS cluster')
+@allowed([ 'basic', 'standard' ])
+param loadBalancerSku string = 'standard'
+
+@description('Network plugin used for building the Kubernetes network.')
+@allowed([ 'azure', 'kubenet', 'none' ])
+param networkPlugin string = 'azure'
+
+@description('Network policy used for building the Kubernetes network.')
+@allowed([ 'azure', 'calico' ])
+param networkPolicy string = 'azure'
+
+@description('If set to true, getting static credentials will be disabled for this cluster.')
+param disableLocalAccounts bool = false
+
+@description('The managed cluster SKU.')
+@allowed([ 'Free', 'Paid', 'Standard' ])
+param sku string = 'Free'
+
+@description('Configuration of AKS add-ons')
+param addOns object = {}
+
+@description('The log analytics workspace id used for logging & monitoring')
+param workspaceId string = ''
+
+@description('The node pool configuration for the System agent pool')
+param systemPoolConfig object
+
+@description('The DNS prefix to associate with the AKS cluster')
+param dnsPrefix string = ''
+
+resource aks 'Microsoft.ContainerService/managedClusters@2023-10-02-preview' = {
+  name: name
+  location: location
+  tags: tags
+  identity: {
+    type: 'SystemAssigned'
+  }
+  sku: {
+    name: 'Base'
+    tier: sku
+  }
+  properties: {
+    nodeResourceGroup: !empty(nodeResourceGroupName) ? nodeResourceGroupName : 'rg-mc-${name}'
+    kubernetesVersion: kubernetesVersion
+    dnsPrefix: empty(dnsPrefix) ? '${name}-dns' : dnsPrefix
+    enableRBAC: enableRbac
+    aadProfile: enableAad ? {
+      managed: true
+      enableAzureRBAC: enableAzureRbac
+      tenantID: aadTenantId
+    } : null
+    agentPoolProfiles: [
+      systemPoolConfig
+    ]
+    networkProfile: {
+      loadBalancerSku: loadBalancerSku
+      networkPlugin: networkPlugin
+      networkPolicy: networkPolicy
+    }
+    disableLocalAccounts: disableLocalAccounts && enableAad
+    addonProfiles: addOns
+    ingressProfile: {
+      webAppRouting: {
+        enabled: webAppRoutingAddon
+      }
+    }
+  }
+}
+
+var aksDiagCategories = [
+  'cluster-autoscaler'
+  'kube-controller-manager'
+  'kube-audit-admin'
+  'guard'
+]
+
+// TODO: Update diagnostics to be its own module
+// Blocking issue: https://github.com/Azure/bicep/issues/622
+// Unable to pass in a `resource` scope or unable to use string interpolation in resource types
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(workspaceId)) {
+  name: 'aks-diagnostics'
+  scope: aks
+  properties: {
+    workspaceId: workspaceId
+    logs: [for category in aksDiagCategories: {
+      category: category
+      enabled: true
+    }]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
+  }
+}
+
+@description('The resource name of the AKS cluster')
+output clusterName string = aks.name
+
+@description('The AKS cluster identity')
+output clusterIdentity object = {
+  clientId: aks.properties.identityProfile.kubeletidentity.clientId
+  objectId: aks.properties.identityProfile.kubeletidentity.objectId
+  resourceId: aks.properties.identityProfile.kubeletidentity.resourceId
+}