
azure / aca-landing-zone-accelerator


The Azure Container Apps landing zone accelerator is an open-source collection of architectural guidance and reference implementation to accelerate deployment of Azure Container Apps at scale.

Home Page: https://aka.ms/aca-lza

License: MIT License

Bicep 72.39% Shell 1.19% HCL 24.18% PowerShell 0.30% Dockerfile 0.12% C# 1.82%
architecture azure bicep container-apps lza terraform iac landing-zone landing-zone-accelarator azd-templates

aca-landing-zone-accelerator's People

Contributors

aarthiem, ckittel, dantelmomsft, dependabot[bot], dmossberg, houssemdellai, ibersanoms, jongio, kiaren-kaizen, kpantos, microsoft-github-operations[bot], microsoftopensource, miketb-microsoft, oliverlabs, pankajagrawal16, pmalarme, reidav, sonalika-roy, thotheod, vermegi, victorgu-github


aca-landing-zone-accelerator's Issues

Don't override the hostname on the application gateway

Currently these templates override the hostname on the application gateway. This is an anti-pattern which can break things like cookies and logins and stuff. The problem and why it's important NOT to do hostname override is described here: https://learn.microsoft.com/en-us/azure/architecture/best-practices/host-name-preservation

The problem in the current LZA templates is here: https://github.com/Azure/aca-landing-zone-accelerator/blob/4f6c5b29d08ccc89fce1f563a50037076c9db3b3/scenarios/aca-internal/terraform/modules/06-application-gateway/main.tf#L101C7-L101C43 (I haven't checked the Bicep templates, but the same problem might exist there as well).

I have a sample repo that configures the app gw correctly: https://github.com/Azure-Samples/azure-spring-apps-multi-zone/blob/df93abdb340323f13feb2f4231d0d0382f4031d1/tf-deploy/modules/appgw/main.tf#L62-L71. It can do this with both a self-signed and a proper cert.

README.md is not up to date in the latest main version, leading to confusion?

Hello,

In the latest main version (c49ea0f), the file scenarios/aca-internal/terraform/modules/01-hub/main.tf makes no mention of the jumpbox, while the README.md says you will deploy a jumpbox (which is optional):

After executing these steps you'll have the hub resource group (rg-lzaaca-hub-dev-reg, by default) populated with a regional virtual network, Azure Bastion, and jump box virtual machines.

Resources
  • Hub resource group
  • Hub virtual network
  • Azure Bastion (optional)
  • Jump box virtual machine (optional)

Am I missing something here? Apologies for any mistake, beginner here.

unused parameters in module 4

containerRegistryId and keyVaultId are not used by module 4 of Bicep, while the readme passes them as parameters.
The readme should be updated to reflect that.

Default standalone deployment fails

az deployment sub create --template-file main.bicep --location northeurope --name myaca --parameters ./main.parameters.jsonc fails with this error message:

{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"Conflict","message":"{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n "message": "The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n "code": "DeploymentFailed",\r\n "target": "/subscriptions/6d34783c-eef5-47cc-9f41-d73ddd326656/resourceGroups/rg-lzaaca-spoke-dev-neu/providers/Microsoft.Resources/deployments/supportingServices-zsoltaca-deployment",\r\n "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",\r\n "details": [\r\n {\r\n "code": "DeploymentNotFound",\r\n "message": "Deployment 'redisCache-z2f7mhg7ilgiw' could not be found."\r\n }\r\n ]\r\n }\r\n ]\r\n }\r\n}"}]}}

deployRedisCache in parameters file is false.

AppGW using host

Hi,

I was wondering what the rationale is for picking the host name from the backend ACA in the application gateway backend setting. Isn't that against Microsoft's recommendation? Why not use the self-signed cert in the backend ACA app?

I spent a few hours installing this repo to see exactly how you set that up, but the custom domain was not set up in ACA.

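Both this post and the hostname-override issue above concern the same Application Gateway backend setting. As an added example (not code from the repo or from either post), the reported override setting is shown beside a host-preserving one; the var.* names, the probe and the custom-domain binding are assumptions:

```hcl
# Added example (not the accelerator's code). These blocks sit inside an
# azurerm_application_gateway resource; var.* names and the custom-domain
# resource are assumptions.

# Reported anti-pattern: the gateway rewrites Host to the backend FQDN, so any
# redirect, cookie domain or absolute URL the app derives from Host carries
# the internal *.azurecontainerapps.io name instead of the public one.
backend_http_settings {
  name                                = "aca-https-override"
  cookie_based_affinity               = "Disabled"
  port                                = 443
  protocol                            = "Https"
  request_timeout                     = 30
  pick_host_name_from_backend_address = true
}

# Host-preserving setting: the client's Host header (and SNI) reaches the app
# unchanged, so the app must answer for the public hostname. A self-signed
# backend certificate would additionally need trusted_root_certificate_names.
backend_http_settings {
  name                                = "aca-https-preserve"
  cookie_based_affinity               = "Disabled"
  port                                = 443
  protocol                            = "Https"
  request_timeout                     = 30
  pick_host_name_from_backend_address = false
  probe_name                          = "aca-probe"
}

# The default probe does not carry the public hostname, so probe explicitly.
probe {
  name                = "aca-probe"
  protocol            = "Https"
  host                = var.public_hostname
  path                = "/"
  interval            = 30
  timeout             = 30
  unhealthy_threshold = 3
}

# Bind the same public hostname on the Container App so the preserved Host
# resolves to a configured domain (certificate from the environment; names
# assumed, requires an azurerm version that ships this resource).
resource "azurerm_container_app_custom_domain" "public" {
  name                                     = var.public_hostname
  container_app_id                         = azurerm_container_app.app.id
  container_app_environment_certificate_id = azurerm_container_app_environment_certificate.cert.id
  certificate_binding_type                 = "SniEnabled"
}
```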

cannot create private endpoints for kv and acr in the terraform demo

Hi there,

I am going through the demo aca-internal using Terraform at https://github.com/Azure/aca-landing-zone-accelerator/blob/main/scenarios/aca-internal/terraform/README.md

There is a critical error in 03-supporting-services. The error message is like below. I am working on the fix now and will check in a PR asap.

│ Error: creating Private Endpoint (Subscription: "c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3"
│ Resource Group Name: "rg-victoraca-spoke-dev-eus"
│ Private Endpoint Name: "pep-kv-victoraca-sAdxN-dev-eus"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: InvalidResourceReference: Resource /subscriptions/c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3/resourceGroups/RG-VICTORACA-SPOKE-DEV-EUS/providers/Microsoft.Network/virtualNetworks/VNET-VICTORACA-DEV-EUS-SPOKE referenced by resource /subscriptions/c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3/resourceGroups/rg-victoraca-spoke-dev-eus/providers/Microsoft.Network/privateEndpoints/pep-kv-victoraca-sAdxN-dev-eus was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.

│ with module.keyVault.module.keyVaultPrivateEndpoints.azurerm_private_endpoint.pe,
│ on ../../../../shared/terraform/modules/networking/private-endpoints/main.tf line 1, in resource "azurerm_private_endpoint" "pe":
│ 1: resource "azurerm_private_endpoint" "pe" {

│ Error: creating Private Endpoint (Subscription: "c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3"
│ Resource Group Name: "rg-victoraca-spoke-dev-eus"
│ Private Endpoint Name: "pep-crvictoracasadxndeveus"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: InvalidResourceReference: Resource /subscriptions/c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3/resourceGroups/RG-VICTORACA-SPOKE-DEV-EUS/providers/Microsoft.Network/virtualNetworks/VNET-VICTORACA-DEV-EUS-SPOKE referenced by resource /subscriptions/c7936011-6c67-4e5d-b9c2-a2fafe6ce3e3/resourceGroups/rg-victoraca-spoke-dev-eus/providers/Microsoft.Network/privateEndpoints/pep-crvictoracasadxndeveus was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.

│ with module.containerRegistry.module.containerRegistryPrivateEndpoints.azurerm_private_endpoint.pe,
│ on ../../../../shared/terraform/modules/networking/private-endpoints/main.tf line 1, in resource "azurerm_private_endpoint" "pe":
│ 1: resource "azurerm_private_endpoint" "pe" {

GitHub Action doesn't create ACA secure baseline

I forked the repo. When I run the GitHub action it creates a bunch of LBs, possibly leftover from another deployment library, instead of an ACA app deployed in VNET internal mode. What am I doing wrong?

There is an ACA environment but there is no app, and there is no sign of AppGW and AFD. Hub and spoke artefacts are ok.


To add more context, even though I see that all steps in the deployments have completed successfully, I see this error message in the deployment log in the GitHub action:

Error: WARNING: /home/runner/work/WiseACAOps/WiseACAOps/scenarios/shared/bicep/private-networking.bicep(49,11) : Warning BCP334: The provided value has no configured minimum length and may be too short to assign to a target with a configured minimum length of 2.
/home/runner/work/WiseACAOps/WiseACAOps/scenarios/shared/bicep/private-networking.bicep(49,11) : Warning BCP335: The provided value has no configured maximum length and may be too long to assign to a target with a configured maximum length of 64

Front Door with Private Link

I'm trying to update the scenario to use Front Door in place of Application Gateway but having problems with the Front Door module. I've had to fix some of the Terraform scripts, for example, in https://github.com/Azure/aca-landing-zone-accelerator/blob/main/scenarios/aca-internal/terraform/modules/06-front-door/local.tf

containerAppsDefaultDomainArray   = split(var.containerAppsDefaultDomainName, ".")
containerAppsNameIdentifier       = local.containerAppsDefaultDomainArray[index(local.containerAppsDefaultDomainArray, var.location)]

should be:

containerAppsDefaultDomainArray   = split(".", var.containerAppsDefaultDomainName)
containerAppsNameIdentifier       = local.containerAppsDefaultDomainArray[index(local.containerAppsDefaultDomainArray, var.location)-1]

which makes me wonder if this module has been tested?

Anyway after fixing some of the scripts I'm having problems when creating the Private Link Service. Here's the Terraform output:

╷
│ Error: creating Private Link Service: (Name "pls-fd-sbox-lz-01" / Resource Group "rg-sbox-spoke-lz-01"): network.PrivateLinkServicesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled" Message="Private link service /subscriptions/***/resourceGroups/rg-sbox-spoke-lz-01/providers/Microsoft.Network/privateLinkServices/pls-fd-sbox-lz-01 cannot be created in a subnet /subscriptions/***/resourceGroups/rg-sbox-spoke-lz-01/providers/Microsoft.Network/virtualNetworks/vnet-sbox-spoke-01/subnets/snet-infra since it has private link service network policies enabled." Details=[]
│ 
│   with module.frontDoor.module.frontDoor.azurerm_private_link_service.privateLinkService,
│   on modules/frontdoor/main.tf line 6, in resource "azurerm_private_link_service" "privateLinkService":
│    6: resource "azurerm_private_link_service" "privateLinkService" ***
│ 
╵

I've looked around and I've found no complete solution for creating private ACA with Front Door through Private Link. The closest is https://github.com/microsoft/azure-container-apps/wiki/Create-a-private-ACA-environment-with-Azure-Front-Door

Do you have any guidance on this? Would love to get this working and happy to raise a PR for the fixes.
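The PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled error above is the Azure-side requirement that a Private Link Service live in a subnet whose private link service network policies are disabled. As an added example (not code from the repo or from this post), a subnet and service wired for that, with azurerm v3 argument names and all var.* references assumed:

```hcl
# Added example (not the accelerator's code, azurerm v3 argument names).
# A Private Link Service is rejected with
# PrivateLinkServiceCannotBeCreatedInSubnetThatHasNetworkPoliciesEnabled unless
# the subnet's private link service network policies are off. var.* names and
# the ILB frontend reference are assumptions.
resource "azurerm_subnet" "pls" {
  name                 = "snet-pls"
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.spoke_vnet_name
  address_prefixes     = ["10.1.5.0/27"]

  # Provider default is true; this is the switch the quoted error points at.
  private_link_service_network_policies_enabled = false
  # Separate switch: keep NSG/UDR enforcement for private endpoints.
  private_endpoint_network_policies_enabled = true
}

resource "azurerm_private_link_service" "fd" {
  name                = "pls-fd-example"
  resource_group_name = var.resource_group_name
  location            = var.location

  # Frontend IP configuration of the internal load balancer that fronts the
  # internal Container Apps environment (assumed variable).
  load_balancer_frontend_ip_configuration_ids = [var.aca_ilb_frontend_ip_configuration_id]

  # Expose the service only to the subscription that owns the Front Door
  # profile and keep connection approval manual (empty auto-approval list).
  visibility_subscription_ids    = [var.front_door_subscription_id]
  auto_approval_subscription_ids = []

  nat_ip_configuration {
    name      = "pls-nat-primary"
    primary   = true
    subnet_id = azurerm_subnet.pls.id
  }
}
```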

Error when running terraform plan of aca-internal - ClientIP is required (supporting services)

Following the steps highlighted by the README.md in the root folder using Terraform:

  • Create storage account
  • Review terraform.tfvars
  • Try to execute terraform plan

It says clientIP is not provided in sub modules; I'm assuming I should be able to provision it using the default value.

codespace ➜ .../aca-landing-zone-accelerator/scenarios/aca-internal/terraform (main) $ terraform plan --var-file terraform.tfvars -out tfplan
╷
│ Error: Missing required argument
│ 
│   on main.tf line 35, in module "supportingServices":
│   35: module "supportingServices" {
│ 
│ The argument "clientIP" is required, but no definition was found.

script error with ADO Pipeline

Getting the below error and the pipeline fails. Any idea what this error is?

2023-10-19T17:15:48.3222392Z ##[error]WARNING: /home/vsts/work/1/s/scenarios/shared/bicep/network/application-gateway.bicep(250,27) : Warning no-deployments-resources: Resource 'defaultTelemetry' of type 'Microsoft.Resources/deployments@2021-04-01' should instead be declared as a Bicep module. [https://aka.ms/bicep/linter/no-deployments-resources]
/home/vsts/work/1/s/scenarios/shared/bicep/role-assignments/role-assignment.bicep(34,33) : Warning no-deployments-resources: Resource 'resourceRoleAssignment' of type 'Microsoft.Resources/deployments@2021-04-01' should instead be declared as a Bicep module. [https://aka.ms/bicep/linter/no-deployments-resources]
/home/vsts/work/1/s/scenarios/aca-internal/bicep/modules/04-container-apps-environment/deploy.aca-environment.bicep(155,30) : Warning no-deployments-resources: Resource 'telemetrydeployment' of type 'Microsoft.Resources/deployments@2021-04-01' should instead be declared as a Bicep module. [https://aka.ms/bicep/linter/no-deployments-resources]

2023-10-19T17:15:48.3241907Z ##[error]Script has output to stderr. Failing as failOnStdErr is set to true.

az deployment group doesn't support passing location "-l"

Modules 3, 4, 5 and 6 use the "az deployment group create -l" command to deploy the resources. This command does not natively accept location as a parameter, unlike az deployment sub. The readme for those modules should be updated to reflect that, and the location should be passed instead using -p.

KV access issue when running Terraform

I'm running the scenario with App Gateway as an alternative to Front Door because of a separate issue, #114.

When creating a cert in KV I'm getting an access issue:

╷
│ Error: checking for presence of existing Secret "agwcert" (Key Vault "https://kv-sbox-lz-uy2qx.vault.azure.net/"): keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Public network access is disabled and request is not from a trusted service nor via an approved private link.\r\nCaller: appid=***;oid=ed2bd1f9-d1ff-43f4-8c04-b9ccc91635df;iss=[https://sts.windows.net/***/\r\nVault:](https://sts.windows.net/***//r/nVault:) kv-sbox-lz-uY2QX;location=australiaeast" InnerError=***"code":"ForbiddenByConnection"***
│ 
│   with module.applicationGateway.module.appGatewayAddCertificates.azurerm_key_vault_secret.sslCertSecret,
│   on modules/application-gateway/certificate-config/main.tf line 12, in resource "azurerm_key_vault_secret" "sslCertSecret":
│   12: resource "azurerm_key_vault_secret" "sslCertSecret" ***
│ 
╵

I'm confused with the docs:

If you provide your client IP address, the Public IP address of the machine executing the Terraform deployment, it will be added to the Network ACL for the KeyVault used to house the Application Gateway certificate and it will allow you to proceed through the entire deployment.
If you would like to keep the KeyVault fully private, you will need to comment out the Application Gateway module in the main.tf and leave the clientIP value blank in your tfvars file. Follow the instructions for deploying Application Gateway separately on your jump box.

I'm trying to run Terraform in a GitHub Actions workflow and the Service Principal has owner role with subscription scope. It mentions commenting out the App Gateway module. Do you really mean this? You can't create App GW with SP?

Overall architecture image should be fixed

Exposing ACA through PL and AFD is not a supported scenario yet. However this is the setup shown in the overall architecture image.
Also, all Bicep and TF templates use Application Gateway with WAF as reverse proxy.

So basically, the overall architecture image should be fixed.

ADO pipeline not deploying App GW, Hello World App

Configured the parameter file with the default settings to deploy the hello world app. I am not seeing it getting deployed, and no App Gateway is deployed. The pipeline itself completed successfully. If this needs to be configured separately, are there any guidelines on how to deploy Front Door or App Gateway using ADO or GitHub pipelines?
