azd 0.9.0

data/lib/generators/templates/infra/core/host/aks.bicep

@@ -0,0 +1,280 @@
+metadata description = 'Creates an Azure Kubernetes Service (AKS) cluster with a system agent pool as well as an additional user agent pool.'
+@description('The name for the AKS managed cluster')
+param name string
+
+@description('The name for the Azure container registry (ACR)')
+param containerRegistryName string
+
+@description('The name of the connected log analytics workspace')
+param logAnalyticsName string = ''
+
+@description('The name of the keyvault to grant access')
+param keyVaultName string
+
+@description('The Azure region/location for the AKS resources')
+param location string = resourceGroup().location
+
+@description('Custom tags to apply to the AKS resources')
+param tags object = {}
+
+@description('AKS add-ons configuration')
+param addOns object = {
+  azurePolicy: {
+    enabled: true
+    config: {
+      version: 'v2'
+    }
+  }
+  keyVault: {
+    enabled: true
+    config: {
+      enableSecretRotation: 'true'
+      rotationPollInterval: '2m'
+    }
+  }
+  openServiceMesh: {
+    enabled: false
+    config: {}
+  }
+  omsAgent: {
+    enabled: true
+    config: {}
+  }
+  applicationGateway: {
+    enabled: false
+    config: {}
+  }
+}
+
+@description('The managed cluster SKU.')
+@allowed([ 'Free', 'Paid', 'Standard' ])
+param sku string = 'Free'
+
+@description('The load balancer SKU to use for ingress into the AKS cluster')
+@allowed([ 'basic', 'standard' ])
+param loadBalancerSku string = 'standard'
+
+@description('Network plugin used for building the Kubernetes network.')
+@allowed([ 'azure', 'kubenet', 'none' ])
+param networkPlugin string = 'azure'
+
+@description('Network policy used for building the Kubernetes network.')
+@allowed([ 'azure', 'calico' ])
+param networkPolicy string = 'azure'
+
+@description('The DNS prefix to associate with the AKS cluster')
+param dnsPrefix string = ''
+
+@description('The name of the resource group for the managed resources of the AKS cluster')
+param nodeResourceGroupName string = ''
+
+@allowed([
+  'CostOptimised'
+  'Standard'
+  'HighSpec'
+  'Custom'
+])
+@description('The System Pool Preset sizing')
+param systemPoolType string = 'CostOptimised'
+
+@allowed([
+  ''
+  'CostOptimised'
+  'Standard'
+  'HighSpec'
+  'Custom'
+])
+@description('The User Pool Preset sizing')
+param agentPoolType string = ''
+
+// Configure system / user agent pools
+@description('Custom configuration of system node pool')
+param systemPoolConfig object = {}
+@description('Custom configuration of user node pool')
+param agentPoolConfig object = {}
+
+@description('Id of the user or app to assign application roles')
+param principalId string = ''
+
+@description('Kubernetes Version')
+param kubernetesVersion string = '1.27.7'
+
+@description('The Tenant ID associated to the Azure Active Directory')
+param aadTenantId string = tenant().tenantId
+
+@description('Whether RBAC is enabled for local accounts')
+param enableRbac bool = true
+
+@description('If set to true, getting static credentials will be disabled for this cluster.')
+param disableLocalAccounts bool = false
+
+@description('Enable RBAC using AAD')
+param enableAzureRbac bool = false
+
+// Add-ons
+@description('Whether web app routing (preview) add-on is enabled')
+param webAppRoutingAddon bool = true
+
+// Configure AKS add-ons
+var omsAgentConfig = (!empty(logAnalyticsName) && !empty(addOns.omsAgent) && addOns.omsAgent.enabled) ? union(
+  addOns.omsAgent,
+  {
+    config: {
+      logAnalyticsWorkspaceResourceID: logAnalytics.id
+    }
+  }
+) : {}
+
+var addOnsConfig = union(
+  (!empty(addOns.azurePolicy) && addOns.azurePolicy.enabled) ? { azurepolicy: addOns.azurePolicy } : {},
+  (!empty(addOns.keyVault) && addOns.keyVault.enabled) ? { azureKeyvaultSecretsProvider: addOns.keyVault } : {},
+  (!empty(addOns.openServiceMesh) && addOns.openServiceMesh.enabled) ? { openServiceMesh: addOns.openServiceMesh } : {},
+  (!empty(addOns.omsAgent) && addOns.omsAgent.enabled) ? { omsagent: omsAgentConfig } : {},
+  (!empty(addOns.applicationGateway) && addOns.applicationGateway.enabled) ? { ingressApplicationGateway: addOns.applicationGateway } : {}
+)
+
+// Link to existing log analytics workspace when available
+resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' existing = if (!empty(logAnalyticsName)) {
+  name: logAnalyticsName
+}
+
+var systemPoolSpec = !empty(systemPoolConfig) ? systemPoolConfig : nodePoolPresets[systemPoolType]
+
+// Create the primary AKS cluster resources and system node pool
+module managedCluster 'aks-managed-cluster.bicep' = {
+  name: 'managed-cluster'
+  params: {
+    name: name
+    location: location
+    tags: tags
+    systemPoolConfig: union(
+      { name: 'npsystem', mode: 'System' },
+      nodePoolBase,
+      systemPoolSpec
+    )
+    nodeResourceGroupName: nodeResourceGroupName
+    sku: sku
+    dnsPrefix: dnsPrefix
+    kubernetesVersion: kubernetesVersion
+    addOns: addOnsConfig
+    workspaceId: !empty(logAnalyticsName) ? logAnalytics.id : ''
+    enableAad: enableAzureRbac && aadTenantId != ''
+    disableLocalAccounts: disableLocalAccounts
+    aadTenantId: aadTenantId
+    enableRbac: enableRbac
+    enableAzureRbac: enableAzureRbac
+    webAppRoutingAddon: webAppRoutingAddon
+    loadBalancerSku: loadBalancerSku
+    networkPlugin: networkPlugin
+    networkPolicy: networkPolicy
+  }
+}
+
+var hasAgentPool = !empty(agentPoolConfig) || !empty(agentPoolType)
+var agentPoolSpec = hasAgentPool && !empty(agentPoolConfig) ? agentPoolConfig : empty(agentPoolType) ? {} : nodePoolPresets[agentPoolType]
+
+// Create additional user agent pool when specified
+module agentPool 'aks-agent-pool.bicep' = if (hasAgentPool) {
+  name: 'aks-node-pool'
+  params: {
+    clusterName: managedCluster.outputs.clusterName
+    name: 'npuserpool'
+    config: union({ name: 'npuser', mode: 'User' }, nodePoolBase, agentPoolSpec)
+  }
+}
+
+// Creates container registry (ACR)
+module containerRegistry 'container-registry.bicep' = {
+  name: 'container-registry'
+  params: {
+    name: containerRegistryName
+    location: location
+    tags: tags
+    workspaceId: !empty(logAnalyticsName) ? logAnalytics.id : ''
+  }
+}
+
+// Grant ACR Pull access from cluster managed identity to container registry
+module containerRegistryAccess '../security/registry-access.bicep' = {
+  name: 'cluster-container-registry-access'
+  params: {
+    containerRegistryName: containerRegistry.outputs.name
+    principalId: managedCluster.outputs.clusterIdentity.objectId
+  }
+}
+
+// Give AKS cluster access to the specified principal
+module clusterAccess '../security/aks-managed-cluster-access.bicep' = if (enableAzureRbac || disableLocalAccounts) {
+  name: 'cluster-access'
+  params: {
+    clusterName: managedCluster.outputs.clusterName
+    principalId: principalId
+  }
+}
+
+// Give the AKS Cluster access to KeyVault
+module clusterKeyVaultAccess '../security/keyvault-access.bicep' = {
+  name: 'cluster-keyvault-access'
+  params: {
+    keyVaultName: keyVaultName
+    principalId: managedCluster.outputs.clusterIdentity.objectId
+  }
+}
+
+// Helpers for node pool configuration
+var nodePoolBase = {
+  osType: 'Linux'
+  maxPods: 30
+  type: 'VirtualMachineScaleSets'
+  upgradeSettings: {
+    maxSurge: '33%'
+  }
+}
+
+var nodePoolPresets = {
+  CostOptimised: {
+    vmSize: 'Standard_B4ms'
+    count: 1
+    minCount: 1
+    maxCount: 3
+    enableAutoScaling: true
+    availabilityZones: []
+  }
+  Standard: {
+    vmSize: 'Standard_DS2_v2'
+    count: 3
+    minCount: 3
+    maxCount: 5
+    enableAutoScaling: true
+    availabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+  }
+  HighSpec: {
+    vmSize: 'Standard_D4s_v3'
+    count: 3
+    minCount: 3
+    maxCount: 5
+    enableAutoScaling: true
+    availabilityZones: [
+      '1'
+      '2'
+      '3'
+    ]
+  }
+}
+
+// Module outputs
+@description('The resource name of the AKS cluster')
+output clusterName string = managedCluster.outputs.clusterName
+
+@description('The AKS cluster identity')
+output clusterIdentity object = managedCluster.outputs.clusterIdentity
+
+@description('The resource name of the ACR')
+output containerRegistryName string = containerRegistry.outputs.name
+
+@description('The login server for the container registry')
+output containerRegistryLoginServer string = containerRegistry.outputs.loginServer

data/lib/generators/templates/infra/core/host/appservice-appsettings.bicep

@@ -0,0 +1,17 @@
+metadata description = 'Updates app settings for an Azure App Service.'
+@description('The name of the app service resource within the current resource group scope')
+param name string
+
+@description('The app settings to be applied to the app service')
+@secure()
+param appSettings object
+
+resource appService 'Microsoft.Web/sites@2022-03-01' existing = {
+  name: name
+}
+
+resource settings 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'appsettings'
+  parent: appService
+  properties: appSettings
+}

data/lib/generators/templates/infra/core/host/appservice.bicep

@@ -0,0 +1,123 @@
+metadata description = 'Creates an Azure App Service in an existing Azure App Service plan.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+// Reference Properties
+param applicationInsightsName string = ''
+param appServicePlanId string
+param keyVaultName string = ''
+param managedIdentity bool = !empty(keyVaultName)
+
+// Runtime Properties
+@allowed([
+  'dotnet', 'dotnetcore', 'dotnet-isolated', 'node', 'python', 'java', 'powershell', 'custom'
+])
+param runtimeName string
+param runtimeNameAndVersion string = '${runtimeName}|${runtimeVersion}'
+param runtimeVersion string
+
+// Microsoft.Web/sites Properties
+param kind string = 'app,linux'
+
+// Microsoft.Web/sites/config
+param allowedOrigins array = []
+param alwaysOn bool = true
+param appCommandLine string = ''
+@secure()
+param appSettings object = {}
+param clientAffinityEnabled bool = false
+param enableOryxBuild bool = contains(kind, 'linux')
+param functionAppScaleLimit int = -1
+param linuxFxVersion string = runtimeNameAndVersion
+param minimumElasticInstanceCount int = -1
+param numberOfWorkers int = -1
+param scmDoBuildDuringDeployment bool = false
+param use32BitWorkerProcess bool = false
+param ftpsState string = 'FtpsOnly'
+param healthCheckPath string = ''
+
+resource appService 'Microsoft.Web/sites@2022-03-01' = {
+  name: name
+  location: location
+  tags: tags
+  kind: kind
+  properties: {
+    serverFarmId: appServicePlanId
+    siteConfig: {
+      linuxFxVersion: linuxFxVersion
+      alwaysOn: alwaysOn
+      ftpsState: ftpsState
+      minTlsVersion: '1.2'
+      appCommandLine: appCommandLine
+      numberOfWorkers: numberOfWorkers != -1 ? numberOfWorkers : null
+      minimumElasticInstanceCount: minimumElasticInstanceCount != -1 ? minimumElasticInstanceCount : null
+      use32BitWorkerProcess: use32BitWorkerProcess
+      functionAppScaleLimit: functionAppScaleLimit != -1 ? functionAppScaleLimit : null
+      healthCheckPath: healthCheckPath
+      cors: {
+        allowedOrigins: union([ 'https://portal.azure.com', 'https://ms.portal.azure.com' ], allowedOrigins)
+      }
+    }
+    clientAffinityEnabled: clientAffinityEnabled
+    httpsOnly: true
+  }
+
+  identity: { type: managedIdentity ? 'SystemAssigned' : 'None' }
+
+  resource basicPublishingCredentialsPoliciesFtp 'basicPublishingCredentialsPolicies' = {
+    name: 'ftp'
+    properties: {
+      allow: false
+    }
+  }
+
+  resource basicPublishingCredentialsPoliciesScm 'basicPublishingCredentialsPolicies' = {
+    name: 'scm'
+    properties: {
+      allow: false
+    }
+  }
+}
+
+// Updates to the single Microsoft.sites/web/config resources that need to be performed sequentially
+// sites/web/config 'appsettings'
+module configAppSettings 'appservice-appsettings.bicep' = {
+  name: '${name}-appSettings'
+  params: {
+    name: appService.name
+    appSettings: union(appSettings,
+      {
+        SCM_DO_BUILD_DURING_DEPLOYMENT: string(scmDoBuildDuringDeployment)
+        ENABLE_ORYX_BUILD: string(enableOryxBuild)
+      },
+      runtimeName == 'python' && appCommandLine == '' ? { PYTHON_ENABLE_GUNICORN_MULTIWORKERS: 'true'} : {},
+      !empty(applicationInsightsName) ? { APPLICATIONINSIGHTS_CONNECTION_STRING: applicationInsights.properties.ConnectionString } : {},
+      !empty(keyVaultName) ? { AZURE_KEY_VAULT_ENDPOINT: keyVault.properties.vaultUri } : {})
+  }
+}
+
+// sites/web/config 'logs'
+resource configLogs 'Microsoft.Web/sites/config@2022-03-01' = {
+  name: 'logs'
+  parent: appService
+  properties: {
+    applicationLogs: { fileSystem: { level: 'Verbose' } }
+    detailedErrorMessages: { enabled: true }
+    failedRequestsTracing: { enabled: true }
+    httpLogs: { fileSystem: { enabled: true, retentionInDays: 1, retentionInMb: 35 } }
+  }
+  dependsOn: [configAppSettings]
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = if (!(empty(keyVaultName))) {
+  name: keyVaultName
+}
+
+resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
+  name: applicationInsightsName
+}
+
+output identityPrincipalId string = managedIdentity ? appService.identity.principalId : ''
+output name string = appService.name
+output uri string = 'https://${appService.properties.defaultHostName}'

data/lib/generators/templates/infra/core/host/appserviceplan.bicep

@@ -0,0 +1,22 @@
+metadata description = 'Creates an Azure App Service plan.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param kind string = ''
+param reserved bool = true
+param sku object
+
+resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
+  name: name
+  location: location
+  tags: tags
+  sku: sku
+  kind: kind
+  properties: {
+    reserved: reserved
+  }
+}
+
+output id string = appServicePlan.id
+output name string = appServicePlan.name

data/lib/generators/templates/infra/core/host/container-app-upsert.bicep

@@ -0,0 +1,109 @@
+metadata description = 'Creates or updates an existing Azure Container App.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+@description('The environment name for the container apps')
+param containerAppsEnvironmentName string
+
+@description('The number of CPU cores allocated to a single container instance, e.g., 0.5')
+param containerCpuCoreCount string = '0.5'
+
+@description('The maximum number of replicas to run. Must be at least 1.')
+@minValue(1)
+param containerMaxReplicas int = 10
+
+@description('The amount of memory allocated to a single container instance, e.g., 1Gi')
+param containerMemory string = '1.0Gi'
+
+@description('The minimum number of replicas to run. Must be at least 1.')
+@minValue(0)
+param containerMinReplicas int = 1
+
+@description('The name of the container')
+param containerName string = 'main'
+
+@description('The name of the container registry')
+param containerRegistryName string = ''
+
+@description('Hostname suffix for container registry. Set when deploying to sovereign clouds')
+param containerRegistryHostSuffix string = 'azurecr.io'
+
+@allowed([ 'http', 'grpc' ])
+@description('The protocol used by Dapr to connect to the app, e.g., HTTP or gRPC')
+param daprAppProtocol string = 'http'
+
+@description('Enable or disable Dapr for the container app')
+param daprEnabled bool = false
+
+@description('The Dapr app ID')
+param daprAppId string = containerName
+
+@description('Specifies if the resource already exists')
+param exists bool = false
+
+@description('Specifies if Ingress is enabled for the container app')
+param ingressEnabled bool = true
+
+@description('The type of identity for the resource')
+@allowed([ 'None', 'SystemAssigned', 'UserAssigned' ])
+param identityType string = 'None'
+
+@description('The name of the user-assigned identity')
+param identityName string = ''
+
+@description('The name of the container image')
+param imageName string = ''
+
+@description('The secrets required for the container')
+param secrets array = []
+
+@description('The environment variables for the container')
+param env array = []
+
+@description('Specifies if the resource ingress is exposed externally')
+param external bool = true
+
+@description('The service binds associated with the container')
+param serviceBinds array = []
+
+@description('The target port for the container')
+param targetPort int = 80
+
+resource existingApp 'Microsoft.App/containerApps@2023-05-02-preview' existing = if (exists) {
+  name: name
+}
+
+module app 'container-app.bicep' = {
+  name: '${deployment().name}-update'
+  params: {
+    name: name
+    location: location
+    tags: tags
+    identityType: identityType
+    identityName: identityName
+    ingressEnabled: ingressEnabled
+    containerName: containerName
+    containerAppsEnvironmentName: containerAppsEnvironmentName
+    containerRegistryName: containerRegistryName
+    containerRegistryHostSuffix: containerRegistryHostSuffix
+    containerCpuCoreCount: containerCpuCoreCount
+    containerMemory: containerMemory
+    containerMinReplicas: containerMinReplicas
+    containerMaxReplicas: containerMaxReplicas
+    daprEnabled: daprEnabled
+    daprAppId: daprAppId
+    daprAppProtocol: daprAppProtocol
+    secrets: secrets
+    external: external
+    env: env
+    imageName: !empty(imageName) ? imageName : exists ? existingApp.properties.template.containers[0].image : ''
+    targetPort: targetPort
+    serviceBinds: serviceBinds
+  }
+}
+
+output defaultDomain string = app.outputs.defaultDomain
+output imageName string = app.outputs.imageName
+output name string = app.outputs.name
+output uri string = app.outputs.uri