diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index aafe6f8a1a..08a92eb9b6 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -43,6 +43,7 @@
 /avm/res/app/container-app/ @Azure/avm-res-app-containerapp-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/app/job/ @Azure/avm-res-app-job-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/app/managed-environment/ @Azure/avm-res-app-managedenvironment-module-owners-bicep @Azure/avm-module-reviewers-bicep
+/avm/res/app/session-pool/ @Azure/avm-res-app-sessionpool-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/app-configuration/configuration-store/ @Azure/avm-res-appconfiguration-configurationstore-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/automation/automation-account/ @Azure/avm-res-automation-automationaccount-module-owners-bicep @Azure/avm-module-reviewers-bicep
 /avm/res/azure-stack-hci/cluster/ @Azure/avm-res-azurestackhci-cluster-module-owners-bicep @Azure/avm-module-reviewers-bicep
diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
index ed4b8fb00d..2dd1ba254e 100644
--- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml
+++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml
@@ -79,6 +79,7 @@ body:
 - "avm/res/app/container-app"
 - "avm/res/app/job"
 - "avm/res/app/managed-environment"
+ - "avm/res/app/session-pool"
 - "avm/res/automation/automation-account"
 - "avm/res/azure-stack-hci/cluster"
 - "avm/res/batch/batch-account"
diff --git a/.github/workflows/avm.res.app.session-pool.yml b/.github/workflows/avm.res.app.session-pool.yml
new file mode 100644
index 0000000000..4ab8010119
--- /dev/null
+++ b/.github/workflows/avm.res.app.session-pool.yml
@@ -0,0 +1,88 @@
+name: "avm.res.app.session-pool"
+
+on:
+ workflow_dispatch:
+ inputs:
+ staticValidation:
+ type: boolean
+ description: "Execute static validation"
+ required: false
+ default: true
+ deploymentValidation:
+ type: boolean
+ description: "Execute deployment validation"
+ required: false
+ default: true
+ removeDeployment:
+ type: boolean
+ description: "Remove deployed module"
+ required: false
+ default: true
+ customLocation:
+ type: string
+ description: "Default location overwrite (e.g., eastus)"
+ required: false
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/actions/templates/avm-**"
+ - ".github/workflows/avm.template.module.yml"
+ - ".github/workflows/avm.res.app.session-pool.yml"
+ - "avm/res/app/session-pool/**"
+ - "utilities/pipelines/**"
+ - "!utilities/pipelines/platform/**"
+ - "!*/**/README.md"
+
+env:
+ modulePath: "avm/res/app/session-pool"
+ workflowPath: ".github/workflows/avm.res.app.session-pool.yml"
+
+concurrency:
+ group: ${{ github.workflow }}
+
+jobs:
+ ###########################
+ # Initialize pipeline #
+ ###########################
+ job_initialize_pipeline:
+ runs-on: ubuntu-latest
+ name: "Initialize pipeline"
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: "Set input parameters to output variables"
+ id: get-workflow-param
+ uses: ./.github/actions/templates/avm-getWorkflowInput
+ with:
+ workflowPath: "${{ env.workflowPath}}"
+ - name: "Get module test file paths"
+ id: get-module-test-file-paths
+ uses: ./.github/actions/templates/avm-getModuleTestFiles
+ with:
+ modulePath: "${{ env.modulePath }}"
+ outputs:
+ workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+ moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+ psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+ modulePath: "${{ env.modulePath }}"
+
+ ##############################
+ # Call reusable workflow #
+ ##############################
+ call-workflow-passing-data:
+ name: "Run"
+ permissions:
+ id-token: write # For OIDC
+ contents: write # For release tags
+ needs:
+ - job_initialize_pipeline
+ uses: ./.github/workflows/avm.template.module.yml
+ with:
+ workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+ moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+ modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+ secrets: inherit
diff --git a/avm/res/app/session-pool/README.md b/avm/res/app/session-pool/README.md
new file mode 100644
index 0000000000..c4b1b1db46
--- /dev/null
+++ b/avm/res/app/session-pool/README.md
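Review bot: `job_initialize_pipeline` in the new workflow file declares no `permissions:` block, so its GITHUB_TOKEN falls back to the repository default, while only `call-workflow-passing-data` states what it needs (`id-token: write`, `contents: write`). The initialize job only checks out the repo and runs two local actions, so `permissions:` with `contents: read` on that job looks sufficient, assuming those local actions need nothing more. Its checkout step also uses the mutable tag `actions/checkout@v4`; pinning it to a full commit SHA (with the version in a trailing comment) would keep a moved tag from changing what runs ahead of a job that holds OIDC and `secrets: inherit`. If this file is generated from a shared template, the change probably belongs in the template rather than here.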
@@ -0,0 +1,878 @@ +# Container App Session Pool `[Microsoft.App/sessionPools]` + +This module deploys a Container App Session Pool. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.App/sessionPools` | [2024-10-02-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.App/2024-10-02-preview/sessionPools) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/res/app/session-pool:`. + +- [Using only defaults](#example-1-using-only-defaults) +- [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) + +### Example 1: _Using only defaults_ + +This instance deploys the module with the minimum set of required parameters. + + +
+ +via Bicep module + +```bicep +module sessionPool 'br/public:avm/res/app/session-pool:' = { + name: 'sessionPoolDeployment' + params: { + // Required parameters + containerType: 'PythonLTS' + name: 'aspmin001' + // Non-required parameters + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containerType": { + "value": "PythonLTS" + }, + "name": { + "value": "aspmin001" + }, + // Non-required parameters + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/app/session-pool:' + +// Required parameters +param containerType = 'PythonLTS' +param name = 'aspmin001' +// Non-required parameters +param location = '' +``` + +
+

+ +### Example 2: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + + +

+ +via Bicep module + +```bicep +module sessionPool 'br/public:avm/res/app/session-pool:' = { + name: 'sessionPoolDeployment' + params: { + // Required parameters + containerType: 'PythonLTS' + name: 'aspmax001' + // Non-required parameters + cooldownPeriodInSeconds: 350 + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentitySettings: [ + { + identity: '' + lifecycle: 'Main' + } + ] + maxConcurrentSessions: 6 + poolManagementType: 'Dynamic' + readySessionInstances: 1 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Azure ContainerApps Session Executor' + } + ] + sessionNetworkStatus: 'EgressDisabled' + tags: { + resourceType: 'Session Pool' + } + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containerType": { + "value": "PythonLTS" + }, + "name": { + "value": "aspmax001" + }, + // Non-required parameters + "cooldownPeriodInSeconds": { + "value": 350 + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentitySettings": { + "value": [ + { + "identity": "", + "lifecycle": "Main" + } + ] + }, + "maxConcurrentSessions": { + "value": 6 + }, + "poolManagementType": { + "value": "Dynamic" + }, + "readySessionInstances": { + "value": 1 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Azure ContainerApps Session Executor" + } + ] + }, + "sessionNetworkStatus": { + "value": "EgressDisabled" + }, + "tags": { + "value": { + "resourceType": "Session Pool" + } + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/app/session-pool:' + +// Required parameters +param containerType = 'PythonLTS' +param name = 'aspmax001' +// Non-required parameters +param cooldownPeriodInSeconds = 350 +param location = '' +param lock = { + kind: 'CanNotDelete' + name: 'myCustomLockName' +} +param managedIdentitySettings = [ + { + identity: '' + lifecycle: 'Main' + } +] +param maxConcurrentSessions = 6 +param poolManagementType = 'Dynamic' +param readySessionInstances = 1 +param roleAssignments = [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Azure ContainerApps Session Executor' + } +] +param sessionNetworkStatus = 'EgressDisabled' +param tags = { + resourceType: 'Session Pool' +} +``` + +
+

+ +### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module sessionPool 'br/public:avm/res/app/session-pool:' = { + name: 'sessionPoolDeployment' + params: { + // Required parameters + containerType: 'PythonLTS' + name: 'aspwaf001' + // Non-required parameters + location: '' + sessionNetworkStatus: 'EgressDisabled' + tags: { + resourceType: 'Session Pool' + } + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containerType": { + "value": "PythonLTS" + }, + "name": { + "value": "aspwaf001" + }, + // Non-required parameters + "location": { + "value": "" + }, + "sessionNetworkStatus": { + "value": "EgressDisabled" + }, + "tags": { + "value": { + "resourceType": "Session Pool" + } + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/app/session-pool:' + +// Required parameters +param containerType = 'PythonLTS' +param name = 'aspwaf001' +// Non-required parameters +param location = '' +param sessionNetworkStatus = 'EgressDisabled' +param tags = { + resourceType: 'Session Pool' +} +``` + +
+

+ +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containerType`](#parameter-containertype) | string | The container type of the sessions. | +| [`name`](#parameter-name) | string | Name of the Container App Session Pool. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`containers`](#parameter-containers) | array | Custom container definitions. Only required if containerType is CustomContainer. | +| [`cooldownPeriodInSeconds`](#parameter-cooldownperiodinseconds) | int | The cooldown period of a session in seconds. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`environmentId`](#parameter-environmentid) | string | Resource ID of the session pool's environment. | +| [`location`](#parameter-location) | string | Location for all Resources. | +| [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | +| [`managedIdentitySettings`](#parameter-managedidentitysettings) | array | Settings for a Managed Identity that is assigned to the Session pool. | +| [`maxConcurrentSessions`](#parameter-maxconcurrentsessions) | int | The maximum count of sessions at the same time. | +| [`poolManagementType`](#parameter-poolmanagementtype) | string | The pool management type of the session pool. Defaults to Dynamic. | +| [`readySessionInstances`](#parameter-readysessioninstances) | int | The minimum count of ready session instances. | +| [`registryCredentials`](#parameter-registrycredentials) | object | Container registry credentials. Only required if containerType is CustomContainer and the container registry requires authentication. | +| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. 
| +| [`sessionNetworkStatus`](#parameter-sessionnetworkstatus) | string | Network status for the sessions. Defaults to EgressDisabled. | +| [`tags`](#parameter-tags) | object | Tags of the Automation Account resource. | +| [`targetIngressPort`](#parameter-targetingressport) | int | Required if containerType == 'CustomContainer'. Target port in containers for traffic from ingress. Only required if containerType is CustomContainer. | + +### Parameter: `containerType` + +The container type of the sessions. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'CustomContainer' + 'PythonLTS' + ] + ``` + +### Parameter: `name` + +Name of the Container App Session Pool. + +- Required: Yes +- Type: string + +### Parameter: `containers` + +Custom container definitions. Only required if containerType is CustomContainer. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`image`](#parameter-containersimage) | string | Container image tag. | +| [`name`](#parameter-containersname) | string | Custom container name. | +| [`resources`](#parameter-containersresources) | object | Container resource requirements. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`args`](#parameter-containersargs) | array | Container start command arguments. | +| [`command`](#parameter-containerscommand) | array | Container start command. | +| [`env`](#parameter-containersenv) | array | Container environment variables. | + +### Parameter: `containers.image` + +Container image tag. + +- Required: Yes +- Type: string + +### Parameter: `containers.name` + +Custom container name. + +- Required: Yes +- Type: string + +### Parameter: `containers.resources` + +Container resource requirements. 
+ +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`cpu`](#parameter-containersresourcescpu) | string | Required CPU in cores, e.g. 0.5. | +| [`memory`](#parameter-containersresourcesmemory) | string | Required memory, e.g. "1.25Gi". | + +### Parameter: `containers.resources.cpu` + +Required CPU in cores, e.g. 0.5. + +- Required: Yes +- Type: string + +### Parameter: `containers.resources.memory` + +Required memory, e.g. "1.25Gi". + +- Required: Yes +- Type: string + +### Parameter: `containers.args` + +Container start command arguments. + +- Required: No +- Type: array + +### Parameter: `containers.command` + +Container start command. + +- Required: No +- Type: array + +### Parameter: `containers.env` + +Container environment variables. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-containersenvname) | string | Environment variable name. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`secretRef`](#parameter-containersenvsecretref) | string | Required if value is not set. Name of the Container App secret from which to pull the environment variable value. | +| [`value`](#parameter-containersenvvalue) | string | Required if secretRef is not set. Non-secret environment variable value. | + +### Parameter: `containers.env.name` + +Environment variable name. + +- Required: Yes +- Type: string + +### Parameter: `containers.env.secretRef` + +Required if value is not set. Name of the Container App secret from which to pull the environment variable value. + +- Required: No +- Type: string + +### Parameter: `containers.env.value` + +Required if secretRef is not set. Non-secret environment variable value. + +- Required: No +- Type: string + +### Parameter: `cooldownPeriodInSeconds` + +The cooldown period of a session in seconds. 
+ +- Required: No +- Type: int +- Default: `300` + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `environmentId` + +Resource ID of the session pool's environment. + +- Required: No +- Type: string + +### Parameter: `location` + +Location for all Resources. + +- Required: No +- Type: string +- Default: `[resourceGroup().location]` + +### Parameter: `lock` + +The lock settings of the service. + +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`kind`](#parameter-lockkind) | string | Specify the type of lock. | +| [`name`](#parameter-lockname) | string | Specify the name of lock. | + +### Parameter: `lock.kind` + +Specify the type of lock. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'CanNotDelete' + 'None' + 'ReadOnly' + ] + ``` + +### Parameter: `lock.name` + +Specify the name of lock. + +- Required: No +- Type: string + +### Parameter: `managedIdentities` + +The managed identity definition for this resource. + +- Required: No +- Type: object + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | + +### Parameter: `managedIdentities.systemAssigned` + +Enables system assigned managed identity on the resource. + +- Required: No +- Type: bool + +### Parameter: `managedIdentities.userAssignedResourceIds` + +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. 
+ +- Required: No +- Type: array + +### Parameter: `managedIdentitySettings` + +Settings for a Managed Identity that is assigned to the Session pool. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`identity`](#parameter-managedidentitysettingsidentity) | string | The resource ID of a user-assigned managed identity that is assigned to the Session Pool, or "system" for system-assigned identity. | +| [`lifecycle`](#parameter-managedidentitysettingslifecycle) | string | Use to select the lifecycle stages of a Session Pool during which the Managed Identity should be available. Valid values: "All", "Init", "Main", "None". | + +### Parameter: `managedIdentitySettings.identity` + +The resource ID of a user-assigned managed identity that is assigned to the Session Pool, or "system" for system-assigned identity. + +- Required: Yes +- Type: string + +### Parameter: `managedIdentitySettings.lifecycle` + +Use to select the lifecycle stages of a Session Pool during which the Managed Identity should be available. Valid values: "All", "Init", "Main", "None". + +- Required: Yes +- Type: string + +### Parameter: `maxConcurrentSessions` + +The maximum count of sessions at the same time. + +- Required: No +- Type: int +- Default: `5` + +### Parameter: `poolManagementType` + +The pool management type of the session pool. Defaults to Dynamic. + +- Required: No +- Type: string +- Default: `'Dynamic'` +- Allowed: + ```Bicep + [ + 'Dynamic' + 'Manual' + ] + ``` + +### Parameter: `readySessionInstances` + +The minimum count of ready session instances. + +- Required: No +- Type: int + +### Parameter: `registryCredentials` + +Container registry credentials. Only required if containerType is CustomContainer and the container registry requires authentication. 
+ +- Required: No +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`server`](#parameter-registrycredentialsserver) | string | Container registry server. | +| [`username`](#parameter-registrycredentialsusername) | string | Container registry username. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`identity`](#parameter-registrycredentialsidentity) | string | A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use "system". | +| [`passwordSecretRef`](#parameter-registrycredentialspasswordsecretref) | string | The name of the secret that contains the registry login password. Not used if identity is specified. | + +### Parameter: `registryCredentials.server` + +Container registry server. + +- Required: Yes +- Type: string + +### Parameter: `registryCredentials.username` + +Container registry username. + +- Required: Yes +- Type: string + +### Parameter: `registryCredentials.identity` + +A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use "system". + +- Required: No +- Type: string + +### Parameter: `registryCredentials.passwordSecretRef` + +The name of the secret that contains the registry login password. Not used if identity is specified. + +- Required: No +- Type: string + +### Parameter: `roleAssignments` + +Array of role assignments to create. 
+ +- Required: No +- Type: array +- Roles configurable by name: + - `'Azure ContainerApps Session Executor'` + - `'Container Apps SessionPools Contributor'` + - `'Container Apps SessionPools Reader'` + - `'Contributor'` + - `'Owner'` + - `'Reader'` + - `'Role Based Access Control Administrator'` + - `'User Access Administrator'` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`principalId`](#parameter-roleassignmentsprincipalid) | string | The principal ID of the principal (user/group/identity) to assign the role to. | +| [`roleDefinitionIdOrName`](#parameter-roleassignmentsroledefinitionidorname) | string | The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`condition`](#parameter-roleassignmentscondition) | string | The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". | +| [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | +| [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | +| [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`name`](#parameter-roleassignmentsname) | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. | +| [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. 
| + +### Parameter: `roleAssignments.principalId` + +The principal ID of the principal (user/group/identity) to assign the role to. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.roleDefinitionIdOrName` + +The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. + +- Required: Yes +- Type: string + +### Parameter: `roleAssignments.condition` + +The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container". + +- Required: No +- Type: string + +### Parameter: `roleAssignments.conditionVersion` + +Version of the condition. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + '2.0' + ] + ``` + +### Parameter: `roleAssignments.delegatedManagedIdentityResourceId` + +The Resource Id of the delegated managed identity resource. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.description` + +The description of the role assignment. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.name` + +The name (as GUID) of the role assignment. If not provided, a GUID will be generated. + +- Required: No +- Type: string + +### Parameter: `roleAssignments.principalType` + +The principal type of the assigned principal ID. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Device' + 'ForeignGroup' + 'Group' + 'ServicePrincipal' + 'User' + ] + ``` + +### Parameter: `sessionNetworkStatus` + +Network status for the sessions. Defaults to EgressDisabled. + +- Required: No +- Type: string +- Default: `'EgressDisabled'` +- Allowed: + ```Bicep + [ + 'EgressDisabled' + 'EgressEnabled' + ] + ``` + +### Parameter: `tags` + +Tags of the Automation Account resource. 
+ +- Required: No +- Type: object + +### Parameter: `targetIngressPort` + +Required if containerType == 'CustomContainer'. Target port in containers for traffic from ingress. Only required if containerType is CustomContainer. + +- Required: No +- Type: int + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `managementEndpoint` | string | The management endpoint of the session pool. | +| `name` | string | The name of the session pool. | +| `resourceGroupName` | string | The name of the resource group in which the session pool was created. | +| `resourceId` | string | The resource ID of the deployed session pool. | +| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. 
diff --git a/avm/res/app/session-pool/main.bicep b/avm/res/app/session-pool/main.bicep
new file mode 100644
index 0000000000..bd37c80d76
--- /dev/null
+++ b/avm/res/app/session-pool/main.bicep
@@ -0,0 +1,283 @@
+metadata name = 'Container App Session Pool'
+metadata description = 'This module deploys a Container App Session Pool.'
+
+@description('Required. Name of the Container App Session Pool.')
+param name string
+
+@description('Optional. Location for all Resources.')
+param location string = resourceGroup().location
+
+@description('Required. The container type of the sessions.')
+@allowed(['PythonLTS', 'CustomContainer'])
+param containerType string
+
+@description('Optional. Custom container definitions. Only required if containerType is CustomContainer.')
+param containers sessionContainerType[]?
+
+@description('Optional. Required if containerType == \'CustomContainer\'. Target port in containers for traffic from ingress. Only required if containerType is CustomContainer.')
+param targetIngressPort int?
+
+@description('Optional. Container registry credentials. Only required if containerType is CustomContainer and the container registry requires authentication.')
+param registryCredentials sessionRegistryCredentialsType?
+
+@description('Optional. The cooldown period of a session in seconds.')
+param cooldownPeriodInSeconds int = 300
+
+@description('Optional. The maximum count of sessions at the same time.')
+param maxConcurrentSessions int = 5
+
+@description('Optional. The minimum count of ready session instances.')
+param readySessionInstances int?
+
+@description('Optional. Network status for the sessions. Defaults to EgressDisabled.')
+@allowed(['EgressEnabled', 'EgressDisabled'])
+param sessionNetworkStatus string = 'EgressDisabled'
+
+@description('Optional. The pool management type of the session pool. Defaults to Dynamic.')
+@allowed(['Dynamic', 'Manual'])
+param poolManagementType string = 'Dynamic'
+
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
+@description('Optional. The lock settings of the service.')
+param lock lockType?
+
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
+@description('Optional. Array of role assignments to create.')
+param roleAssignments roleAssignmentType[]?
+
+import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
+@description('Optional. The managed identity definition for this resource.')
+param managedIdentities managedIdentityAllType?
+
+@description('Optional. Settings for a Managed Identity that is assigned to the Session pool.')
+param managedIdentitySettings managedIdentitySettingType[]?
+
+@description('Optional. Resource ID of the session pool\'s environment.')
+param environmentId string?
+
+@description('Optional. Tags of the Automation Account resource.')
+param tags object?
+
+@description('Optional. Enable/Disable usage telemetry for module.')
+param enableTelemetry bool = true
+
+var formattedUserAssignedIdentities = reduce(
+ map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
+ {},
+ (cur, next) => union(cur, next)
+) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
+
+var identity = !empty(managedIdentities)
+ ? {
+ type: (managedIdentities.?systemAssigned ?? false)
+ ? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
+ : (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
+ userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? 
formattedUserAssignedIdentities : null + } + : null + +var builtInRoleNames = { + 'Azure ContainerApps Session Executor': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + '0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0' + ) + 'Container Apps SessionPools Contributor': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + 'f7669afb-68b2-44b4-9c5f-6d2a47fddda0' + ) + 'Container Apps SessionPools Reader': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + 'af61e8fc-2633-4b95-bed3-421ad6826515' + ) + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + 'f58310d9-a9f6-439a-9e8d-f62e7b41a168' + ) + 'User Access Administrator': subscriptionResourceId( + 'Microsoft.Authorization/roleDefinitions', + '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' + ) +} + +var formattedRoleAssignments = [ + for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, { + roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains( + roleAssignment.roleDefinitionIdOrName, + '/providers/Microsoft.Authorization/roleDefinitions/' + ) + ? 
roleAssignment.roleDefinitionIdOrName + : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)) + }) +] + +#disable-next-line no-deployments-resources +resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) { + name: '46d3xbcp.res.app-sessionpool.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '#_moduleVersion_#.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } +} + +resource sessionPool 'Microsoft.App/sessionPools@2024-10-02-preview' = { + name: name + location: location + identity: identity + properties: { + containerType: containerType + environmentId: environmentId + customContainerTemplate: containerType == 'CustomContainer' + ? { + containers: containers + ingress: { + targetPort: targetIngressPort + } + registryCredentials: registryCredentials + } + : null + dynamicPoolConfiguration: { + cooldownPeriodInSeconds: cooldownPeriodInSeconds + executionType: 'Timed' + } + managedIdentitySettings: managedIdentitySettings + scaleConfiguration: { + maxConcurrentSessions: maxConcurrentSessions + readySessionInstances: readySessionInstances + } + sessionNetworkConfiguration: { + status: sessionNetworkStatus + } + poolManagementType: poolManagementType + } + tags: tags +} + +resource sessionPool_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' + properties: { + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' + ? 'Cannot delete resource or child resources.' + : 'Cannot delete or modify the resource or child resources.' 
+ } + scope: sessionPool +} + +resource sessionPool_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ + for (roleAssignment, index) in (formattedRoleAssignments ?? []): { + name: roleAssignment.?name ?? guid(sessionPool.id, roleAssignment.principalId, roleAssignment.roleDefinitionId) + properties: { + roleDefinitionId: roleAssignment.roleDefinitionId + principalId: roleAssignment.principalId + description: roleAssignment.?description + principalType: roleAssignment.?principalType + condition: roleAssignment.?condition + conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set + delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId + } + scope: sessionPool + } +] + +@description('The name of the session pool.') +output name string = sessionPool.name + +@description('The resource ID of the deployed session pool.') +output resourceId string = sessionPool.id + +@description('The name of the resource group in which the session pool was created.') +output resourceGroupName string = resourceGroup().name + +@description('The management endpoint of the session pool.') +output managementEndpoint string = sessionPool.properties.poolManagementEndpoint + +@description('The principal ID of the system assigned identity.') +output systemAssignedMIPrincipalId string = sessionPool.?identity.?principalId ?? '' + +// =============== // +// Definitions // +// =============== // + +@export() +@description('Optional. Custom container definition.') +type sessionContainerType = { + @description('Optional. Container start command arguments.') + args: string[]? + + @description('Optional. Container start command.') + command: string[]? + + @description('Optional. Container environment variables.') + env: sessionContainerEnvType[]? + + @description('Required. Container image tag.') + image: string + + @description('Required. 
Custom container name.') + name: string + + @description('Required. Container resource requirements.') + resources: sessionContainerResourceType +} + +@export() +@description('Optional. Environment variable definition for a container. Only used with custom containers.') +type sessionContainerEnvType = { + @description('Required. Environment variable name.') + name: string + + @description('Optional. Required if value is not set. Name of the Container App secret from which to pull the environment variable value.') + secretRef: string? + + @description('Optional. Required if secretRef is not set. Non-secret environment variable value.') + value: string? +} + +@export() +@description('Optional. Container resource requirements. Only used with custom containers.') +type sessionContainerResourceType = { + @description('Required. Required CPU in cores, e.g. 0.5.') + cpu: string + + @description('Required. Required memory, e.g. "1.25Gi".') + memory: string +} + +@export() +@description('Optional. Container registry credentials. Only used with custom containers.') +type sessionRegistryCredentialsType = { + @description('Optional. A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use "system".') + identity: string? + + @description('Optional. The name of the secret that contains the registry login password. Not used if identity is specified.') + passwordSecretRef: string? + + @description('Required. Container registry server.') + server: string + + @description('Required. Container registry username.') + username: string +} + +@export() +@description('Optional. Managed Identity settings for the session pool.') +type managedIdentitySettingType = { + @description('Required. 
The resource ID of a user-assigned managed identity that is assigned to the Session Pool, or "system" for system-assigned identity.') + identity: string + + @description('Required. Use to select the lifecycle stages of a Session Pool during which the Managed Identity should be available. Valid values: "All", "Init", "Main", "None".') + lifecycle: string +} diff --git a/avm/res/app/session-pool/main.json b/avm/res/app/session-pool/main.json new file mode 100644 index 0000000000..ceba343cb1 --- /dev/null +++ b/avm/res/app/session-pool/main.json 
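Review bot: `lifecycle` in `managedIdentitySettingType` (end of the main.bicep hunk) is declared as a plain `string`, so the four values named in its own description are not enforced and a misspelt stage is only caught, if at all, by the resource provider. Because this field selects the session stages in which the managed identity is available, I would make it a literal union, `lifecycle: ('All' | 'Init' | 'Main' | 'None')`, and say in the description which stages expose the identity to code running in the session (presumably 'Main' and 'All'; confirm against the service documentation). Related: `secretRef` and `passwordSecretRef` both name a secret, but the `sessionPool` resource in this hunk passes no secrets property and the module has no parameter for one, so callers appear to be left with the plain `value` field for anything sensitive. The `tags` description also still reads 'Tags of the Automation Account resource.' and should name the session pool.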
@@ -0,0 +1,601 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.31.92.45157", + "templateHash": "11243086501777108136" + }, + "name": "Container App Session Pool", + "description": "This module deploys a Container App Session Pool." + }, + "definitions": { + "sessionContainerType": { + "type": "object", + "properties": { + "args": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Container start command arguments." + } + }, + "command": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Container start command." + } + }, + "env": { + "type": "array", + "items": { + "$ref": "#/definitions/sessionContainerEnvType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Container environment variables." + } + }, + "image": { + "type": "string", + "metadata": { + "description": "Required. Container image tag." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. Custom container name." + } + }, + "resources": { + "$ref": "#/definitions/sessionContainerResourceType", + "metadata": { + "description": "Required. Container resource requirements." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "Optional. Custom container definition." + } + }, + "sessionContainerEnvType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Environment variable name." + } + }, + "secretRef": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Required if value is not set. Name of the Container App secret from which to pull the environment variable value." 
+ } + }, + "value": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Required if secretRef is not set. Non-secret environment variable value." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "Optional. Environment variable definition for a container. Only used with custom containers." + } + }, + "sessionContainerResourceType": { + "type": "object", + "properties": { + "cpu": { + "type": "string", + "metadata": { + "description": "Required. Required CPU in cores, e.g. 0.5." + } + }, + "memory": { + "type": "string", + "metadata": { + "description": "Required. Required memory, e.g. \"1.25Gi\"." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "Optional. Container resource requirements. Only used with custom containers." + } + }, + "sessionRegistryCredentialsType": { + "type": "object", + "properties": { + "identity": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A Managed Identity to use to authenticate with Azure Container Registry. For user-assigned identities, use the full user-assigned identity Resource ID. For system-assigned identities, use \"system\"." + } + }, + "passwordSecretRef": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the secret that contains the registry login password. Not used if identity is specified." + } + }, + "server": { + "type": "string", + "metadata": { + "description": "Required. Container registry server." + } + }, + "username": { + "type": "string", + "metadata": { + "description": "Required. Container registry username." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "Optional. Container registry credentials. Only used with custom containers." + } + }, + "managedIdentitySettingType": { + "type": "object", + "properties": { + "identity": { + "type": "string", + "metadata": { + "description": "Required. 
The resource ID of a user-assigned managed identity that is assigned to the Session Pool, or \"system\" for system-assigned identity." + } + }, + "lifecycle": { + "type": "string", + "metadata": { + "description": "Required. Use to select the lifecycle stages of a Session Pool during which the Managed Identity should be available. Valid values: \"All\", \"Init\", \"Main\", \"None\"." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "Optional. Managed Identity settings for the session pool." + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. 
To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + } + } + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Container App Session Pool." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all Resources." + } + }, + "containerType": { + "type": "string", + "allowedValues": [ + "PythonLTS", + "CustomContainer" + ], + "metadata": { + "description": "Required. The container type of the sessions." + } + }, + "containers": { + "type": "array", + "items": { + "$ref": "#/definitions/sessionContainerType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom container definitions. Only required if containerType is CustomContainer." + } + }, + "targetIngressPort": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. Required if containerType == 'CustomContainer'. Target port in containers for traffic from ingress. Only required if containerType is CustomContainer." + } + }, + "registryCredentials": { + "$ref": "#/definitions/sessionRegistryCredentialsType", + "nullable": true, + "metadata": { + "description": "Optional. Container registry credentials. Only required if containerType is CustomContainer and the container registry requires authentication." + } + }, + "cooldownPeriodInSeconds": { + "type": "int", + "defaultValue": 300, + "metadata": { + "description": "Optional. The cooldown period of a session in seconds." 
+ } + }, + "maxConcurrentSessions": { + "type": "int", + "defaultValue": 5, + "metadata": { + "description": "Optional. The maximum count of sessions at the same time." + } + }, + "readySessionInstances": { + "type": "int", + "nullable": true, + "metadata": { + "description": "Optional. The minimum count of ready session instances." + } + }, + "sessionNetworkStatus": { + "type": "string", + "defaultValue": "EgressDisabled", + "allowedValues": [ + "EgressEnabled", + "EgressDisabled" + ], + "metadata": { + "description": "Optional. Network status for the sessions. Defaults to EgressDisabled." + } + }, + "poolManagementType": { + "type": "string", + "defaultValue": "Dynamic", + "allowedValues": [ + "Dynamic", + "Manual" + ], + "metadata": { + "description": "Optional. The pool management type of the session pool. Defaults to Dynamic." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource." + } + }, + "managedIdentitySettings": { + "type": "array", + "items": { + "$ref": "#/definitions/managedIdentitySettingType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Settings for a Managed Identity that is assigned to the Session pool." + } + }, + "environmentId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the session pool's environment." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the Automation Account resource." 
+ } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], + "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", + "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', 
if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", + "builtInRoleNames": { + "Azure ContainerApps Session Executor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0')]", + "Container Apps SessionPools Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7669afb-68b2-44b4-9c5f-6d2a47fddda0')]", + "Container Apps SessionPools Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'af61e8fc-2633-4b95-bed3-421ad6826515')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.app-sessionpool.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "#_moduleVersion_#.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "sessionPool": 
{ + "type": "Microsoft.App/sessionPools", + "apiVersion": "2024-10-02-preview", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "identity": "[variables('identity')]", + "properties": { + "containerType": "[parameters('containerType')]", + "environmentId": "[parameters('environmentId')]", + "customContainerTemplate": "[if(equals(parameters('containerType'), 'CustomContainer'), createObject('containers', parameters('containers'), 'ingress', createObject('targetPort', parameters('targetIngressPort')), 'registryCredentials', parameters('registryCredentials')), null())]", + "dynamicPoolConfiguration": { + "cooldownPeriodInSeconds": "[parameters('cooldownPeriodInSeconds')]", + "executionType": "Timed" + }, + "managedIdentitySettings": "[parameters('managedIdentitySettings')]", + "scaleConfiguration": { + "maxConcurrentSessions": "[parameters('maxConcurrentSessions')]", + "readySessionInstances": "[parameters('readySessionInstances')]" + }, + "sessionNetworkConfiguration": { + "status": "[parameters('sessionNetworkStatus')]" + }, + "poolManagementType": "[parameters('poolManagementType')]" + }, + "tags": "[parameters('tags')]" + }, + "sessionPool_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.App/sessionPools/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "sessionPool" + ] + }, + "sessionPool_roleAssignments": { + "copy": { + "name": "sessionPool_roleAssignments", + "count": 
"[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.App/sessionPools/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.App/sessionPools', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "sessionPool" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the session pool." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed session pool." 
+ }, + "value": "[resourceId('Microsoft.App/sessionPools', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group in which the session pool was created." + }, + "value": "[resourceGroup().name]" + }, + "managementEndpoint": { + "type": "string", + "metadata": { + "description": "The management endpoint of the session pool." + }, + "value": "[reference('sessionPool').poolManagementEndpoint]" + }, + "systemAssignedMIPrincipalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the system assigned identity." + }, + "value": "[coalesce(tryGet(tryGet(reference('sessionPool', '2024-10-02-preview', 'full'), 'identity'), 'principalId'), '')]" + } + } +} \ No newline at end of file diff --git a/avm/res/app/session-pool/tests/e2e/defaults/main.test.bicep b/avm/res/app/session-pool/tests/e2e/defaults/main.test.bicep new file mode 100644 index 0000000000..3c9d108665 --- /dev/null +++ b/avm/res/app/session-pool/tests/e2e/defaults/main.test.bicep 
@@ -0,0 +1,50 @@
+targetScope = 'subscription'
+
+metadata name = 'Using only defaults'
+metadata description = 'This instance deploys the module with the minimum set of required parameters.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-app.session-pool-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aspmin'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// ================= //
+// General resources //
+// ================= //
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceLocation
+ containerType: 'PythonLTS'
+ }
+ }
+]
diff --git a/avm/res/app/session-pool/tests/e2e/max/dependencies.bicep b/avm/res/app/session-pool/tests/e2e/max/dependencies.bicep
new file mode 100644
index 0000000000..a73969ae10
--- /dev/null
+++ b/avm/res/app/session-pool/tests/e2e/max/dependencies.bicep
@@ -0,0 +1,16 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to be created.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/avm/res/app/session-pool/tests/e2e/max/main.test.bicep b/avm/res/app/session-pool/tests/e2e/max/main.test.bicep
new file mode 100644
index 0000000000..1d5f073ab3
--- /dev/null
+++ b/avm/res/app/session-pool/tests/e2e/max/main.test.bicep
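Review bot: The `managedIdentity` resource is declared against the preview API version `2023-07-31-preview`, although this file only uses `name`, `location`, `id` and `properties.principalId`, none of which looks preview-specific. A preview version can be retired or change shape, which would break this test dependency for reasons unrelated to the session-pool module. A GA version should be enough here, for example `resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {`.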
@@ -0,0 +1,84 @@
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-app.session-pool-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aspmax'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// ================= //
+// General resources //
+// ================= //
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ location: resourceLocation
+ managedIdentityName: 'dep-${namePrefix}-mi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceLocation
+ containerType: 'PythonLTS'
+ tags: {
+ resourceType: 'Session Pool'
+ }
+ cooldownPeriodInSeconds: 350
+ maxConcurrentSessions: 6
+ readySessionInstances: 1
+ sessionNetworkStatus: 'EgressDisabled'
+ poolManagementType: 'Dynamic'
+ managedIdentitySettings: [
+ {
+ identity: nestedDependencies.outputs.managedIdentityResourceId
+ lifecycle: 'Main'
+ }
+ ]
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ roleDefinitionIdOrName: 'Azure ContainerApps Session Executor'
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+ }
+]
diff --git a/avm/res/app/session-pool/tests/e2e/waf-aligned/main.test.bicep b/avm/res/app/session-pool/tests/e2e/waf-aligned/main.test.bicep
new file mode 100644
index 0000000000..925c44814d
--- /dev/null
+++ b/avm/res/app/session-pool/tests/e2e/waf-aligned/main.test.bicep
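Review bot: In `testDeployment`, the identity created by `nestedDependencies` is used twice: it is attached to the pool through `managedIdentitySettings` with `lifecycle: 'Main'`, and it is the `principalId` of the `'Azure ContainerApps Session Executor'` role assignment. If `'Main'` makes that identity available to code running inside a session (the lifecycle semantics are not visible in this hunk), that code would hold a credential authorised to execute sessions on the same pool. This exercises both parameters conveniently, but it is a pattern worth not copying into real deployments. I would either create a second identity in `dependencies.bicep` for the role assignment or add a comment such as `// test only: grant Session Executor to the calling application's identity, not to the identity exposed to sessions`.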
@@ -0,0 +1,54 @@
+targetScope = 'subscription'
+
+metadata name = 'WAF-aligned'
+metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-app.session-pool-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'aspwaf'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// ================= //
+// General resources //
+// ================= //
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceLocation
+ containerType: 'PythonLTS'
+ tags: {
+ resourceType: 'Session Pool'
+ }
+ sessionNetworkStatus: 'EgressDisabled'
+ }
+ }
+]
diff --git a/avm/res/app/session-pool/version.json b/avm/res/app/session-pool/version.json
new file mode 100644
index 0000000000..7fa401bdf7
--- /dev/null
+++ b/avm/res/app/session-pool/version.json
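Review bot: The waf-aligned `params` block sets `sessionNetworkStatus: 'EgressDisabled'` with no comment saying why, and it otherwise differs from the defaults test only by a tag. Because this setting is the one security-relevant choice in the scenario, I would record the intent next to it, for example `// keep outbound network access from sessions disabled unless a workload requires it`. It is also worth confirming whether omitting the `lock` that the max test exercises is deliberate, since the hunk gives no rationale for leaving it out.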
@@ -0,0 +1,7 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": [
+ "./main.json"
+ ]
+}