

@tjementum tjementum commented Nov 21, 2025

Summary & Motivation

Replace inline Bicep parameter strings with structured .bicepparam files to simplify deployment scripts and improve maintainability. This eliminates manual parameter string construction and makes parameter management cleaner.

  • Add main-cluster.bicepparam file that reads all parameters from environment variables
  • Update deploy-cluster.sh to use bicep build-params command
  • Export all variables instead of constructing inline parameter strings
  • Rename global resource group from pxp-stage to pxp-stage-global to clarify these are globally shared resources
  • Rename all resource group variables to explicitly distinguish CLUSTER_RESOURCE_GROUP_NAME vs GLOBAL_RESOURCE_GROUP_NAME
  • Generate revision suffix in shell script using random hex to avoid Bicep newGuid() what-if validation limitations
  • Upgrade all Bicep modules to latest stable API versions
  • Remove unsupported softDeletePolicy from Container Registry
  • Suppress false positive BCP318 warnings in role assignment modules
  • Display DNS configuration instructions during Plan phase
  • Fix spelling errors in appGateway module name and issue templates
  • Fix bug from previous change where database migration comments were deleted across different self-contained systems

Downstream projects

  1. Create new global resource group and move resources

    The global resource group has been renamed from {uniquePrefix}-{environment} to {uniquePrefix}-{environment}-global (e.g., ppdemo-stage → ppdemo-stage-global) for better clarity. Resources keep their original names (e.g., ppdemo-stage).

    • Create the new resource group {uniquePrefix}-{environment}-global in Azure Portal
    • Move these 5 resources using "Move to another resource group":
      • Azure Container Registry (e.g., ppdemostage)
      • Application Insights (e.g., ppdemo-stage)
      • Log Analytics workspace (e.g., ppdemo-stage)
      • Application Insights Smart Detection (action group)
      • Smart detector alert rule (e.g., ppdemo-stage-failure-anomalies)
  2. Update self-contained system version exports

    In cloud-infrastructure/cluster/deploy-cluster.sh, update the resource group variable name in your self-contained system version export (all downstream projects have at least one self-contained system beyond Account Management and Back Office):

    -export YOUR_SELF_CONTAINED_SYSTEM_VERSION=$(get_active_version "your-self-contained-system-api" $RESOURCE_GROUP_NAME)
    +export YOUR_SELF_CONTAINED_SYSTEM_VERSION=$(get_active_version "your-self-contained-system-api" $CLUSTER_RESOURCE_GROUP_NAME)
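Review bot: `$CLUSTER_RESOURCE_GROUP_NAME` is passed to get_active_version unquoted, so if the variable is unset or empty the function receives one argument instead of two and the failure shows up later as a confusing Bicep or az error rather than at this line. Quote it (`"$CLUSTER_RESOURCE_GROUP_NAME"`) and, since the summary says deploy-cluster.sh now exports all variables instead of building a parameter string, consider `set -u` near the top of the script so a downstream project that still references the old `$RESOURCE_GROUP_NAME` fails immediately with that name in the message.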
  3. Add revisionSuffix parameter to container app modules

    In cloud-infrastructure/cluster/main-cluster.bicep, add the revisionSuffix parameter to your self-contained system container app modules:

         userAssignedIdentityName: yourSelfContainedSystemIdentityName
         ingress: true
    +    revisionSuffix: revisionSuffix
         environmentVariables: yourSelfContainedSystemEnvironmentVariables
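Review bot: step 3 only adds the `revisionSuffix: revisionSuffix` property to the module call; it does not show the `param revisionSuffix string` declaration in main-cluster.bicep or the `param revisionSuffix = readEnvironmentVariable(...)` entry in main-cluster.bicepparam that the summary implies (the suffix is generated in the shell script and exported). A downstream project following these steps literally gets an undeclared-symbol error at build time, so either show those two lines here or state explicitly that they ship with the template and only the module property is downstream work.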
  4. (Optional) Migrate custom API keys and secrets to bicepparam

    Only needed if you have custom API keys, client secrets, or service configurations beyond standard PlatformPlatform.

    In cloud-infrastructure/cluster/deploy-cluster.sh, ensure custom secrets are exported:

    +export YOUR_CUSTOM_API_KEY
    +export YOUR_CUSTOM_CLIENT_SECRET
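Review bot: a bare `export YOUR_CUSTOM_API_KEY` / `export YOUR_CUSTOM_CLIENT_SECRET` only marks variables that are already set; if either is unset, `readEnvironmentVariable()` in the bicepparam fails at `bicep build-params` time, and the first sign is a Bicep error naming the secret variable. Add a check that both are non-empty before the build step, and make sure deploy-cluster.sh never runs with `set -x` after this point, since tracing would echo the exported secret values into the CI log.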

    In cloud-infrastructure/cluster/main-cluster.bicepparam, add entries for custom parameters that were in the inline DEPLOYMENT_PARAMETERS string:

    +param yourCustomApiKey = readEnvironmentVariable('YOUR_CUSTOM_API_KEY')
    +param yourCustomClientSecret = readEnvironmentVariable('YOUR_CUSTOM_CLIENT_SECRET')
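Review bot: routing `yourCustomClientSecret` through `readEnvironmentVariable()` means `bicep build-params` writes the secret in plaintext into the generated parameters JSON. The matching `param` in main-cluster.bicep should carry `@secure()` so the value is not recorded in deployment history or printed in what-if output, and the generated JSON should be created with restrictive permissions and removed after the deployment rather than left in the checkout or uploaded as a workflow artifact.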

Checklist

  • I have added tests, or done manual regression tests
  • I have updated the documentation, if necessary
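The export-then-`bicep build-params` flow described in the summary above, as an added shell example that is not PlatformPlatform's deploy-cluster.sh: it generates the Container Apps revision suffix from random hex as the PR describes, checks that every variable the bicepparam will read is set before any secret reaches Bicep, and keeps the generated parameters JSON (which holds secret values in plaintext) in a private temp file that is deleted on exit. CLUSTER_RESOURCE_GROUP_NAME, GLOBAL_RESOURCE_GROUP_NAME and YOUR_CUSTOM_API_KEY come from the PR text; the REVISION_SUFFIX name, the resource group values and the file paths are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not PlatformPlatform's deploy-cluster.sh. Names other than
# CLUSTER_RESOURCE_GROUP_NAME, GLOBAL_RESOURCE_GROUP_NAME and
# YOUR_CUSTOM_API_KEY are assumptions for illustration.
#
# Matching main-cluster.bicepparam entries this script expects (Bicep, shown
# here as a comment; the file reads every value from the environment):
#   using 'main-cluster.bicep'
#   param revisionSuffix   = readEnvironmentVariable('REVISION_SUFFIX')
#   param yourCustomApiKey = readEnvironmentVariable('YOUR_CUSTOM_API_KEY')

# Revision suffix generated in the shell (8 lowercase hex chars from
# /dev/urandom) so Bicep receives a plain string instead of newGuid(),
# which what-if cannot evaluate.
generate_revision_suffix() {
    od -An -N4 -tx1 /dev/urandom | tr -d ' \n'
}

# Fail fast if any variable the .bicepparam reads via readEnvironmentVariable()
# is unset or empty. Otherwise the first symptom is a Bicep build error that
# names the secret variable. Usage: check_required_env VAR1 VAR2 ...
check_required_env() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing required environment variables:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Compile the .bicepparam ($1) into a parameters JSON file ($2). The JSON
# contains secret values in plaintext, so the caller must hand in a private
# path and remove it afterwards.
build_params() {
    bicep build-params "$1" --outfile "$2"
}

main() {
    export CLUSTER_RESOURCE_GROUP_NAME="pxp-stage-west-europe"   # assumed value
    export GLOBAL_RESOURCE_GROUP_NAME="pxp-stage-global"         # assumed value
    REVISION_SUFFIX=$(generate_revision_suffix)
    export REVISION_SUFFIX
    # YOUR_CUSTOM_API_KEY is expected to arrive from the CI secret store;
    # it is only exported, never assigned or echoed here.
    export YOUR_CUSTOM_API_KEY

    check_required_env CLUSTER_RESOURCE_GROUP_NAME GLOBAL_RESOURCE_GROUP_NAME \
        REVISION_SUFFIX YOUR_CUSTOM_API_KEY || exit 1

    params_json=$(mktemp) || exit 1
    chmod 600 "$params_json"
    trap 'rm -f "$params_json"' EXIT

    build_params cloud-infrastructure/cluster/main-cluster.bicepparam "$params_json" || exit 1
    az deployment group what-if \
        --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" \
        --template-file cloud-infrastructure/cluster/main-cluster.bicep \
        --parameters "@$params_json"
}

# Only run the deployment when invoked as `sh deploy-example.sh run`;
# sourcing the file without the argument just defines the functions.
if [ "${1:-}" = "run" ]; then
    main "$@"
fi
```

Running it requires `bicep` and `az` on PATH and a checkout containing the two referenced files; the two helper functions have no such dependency and can be exercised on their own.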

@tjementum tjementum self-assigned this Nov 21, 2025
@tjementum tjementum added the Enhancement (New feature or request) and Deploy to Staging (Set this label on pull requests to deploy code or infrastructure to the Staging environment) labels Nov 21, 2025
@tjementum tjementum requested a review from a team as a code owner November 21, 2025 20:15
@tjementum tjementum moved this to 🏗 In Progress in Kanban board Nov 21, 2025
@tjementum tjementum force-pushed the infrastructure-optimizations branch 14 times, most recently from f5d7567 to 6b6023f November 22, 2025 14:19
@github-actions

Approve Database Migration back-office database on stage

The following pending migration(s) will be applied to the database when approved:

  • Initial (20250217000000_Initial)

Migration Script

IF OBJECT_ID(N'[__EFMigrationsHistory]') IS NULL
BEGIN
    CREATE TABLE [__EFMigrationsHistory] (
        [MigrationId] nvarchar(150) NOT NULL,
        [ProductVersion] nvarchar(32) NOT NULL,
        CONSTRAINT [PK___EFMigrationsHistory] PRIMARY KEY ([MigrationId])
    );
END;
GO

BEGIN TRANSACTION;
IF NOT EXISTS (
    SELECT * FROM [__EFMigrationsHistory]
    WHERE [MigrationId] = N'20250217000000_Initial'
)
BEGIN
    INSERT INTO [__EFMigrationsHistory] ([MigrationId], [ProductVersion])
    VALUES (N'20250217000000_Initial', N'9.0.10');
END;

COMMIT;
GO

@tjementum tjementum removed the Deploy to Staging (Set this label on pull requests to deploy code or infrastructure to the Staging environment) label Nov 22, 2025
@tjementum tjementum changed the title from "Simplify infrastructure deployment with Bicep parameters and single-step custom domain setup" to "Simplify infrastructure deployment with Bicep parameters and rename global resource group" Nov 22, 2025
@tjementum tjementum force-pushed the infrastructure-optimizations branch from 8c4c743 to 81d8753 November 22, 2025 23:41
@tjementum tjementum force-pushed the infrastructure-optimizations branch from 81d8753 to 6e2476e November 23, 2025 00:02
@sonarqubecloud

Please retry analysis of this Pull-Request directly on SonarQube Cloud

@tjementum tjementum merged commit a1e14c5 into main Nov 23, 2025
22 of 29 checks passed
@tjementum tjementum deleted the infrastructure-optimizations branch November 23, 2025 00:07
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Kanban board Nov 23, 2025
tjementum added a commit that referenced this pull request Dec 11, 2025
…taging registry reference (#803)

### Summary & Motivation

Fix production container deployments failing to import images from the
staging registry. The `STAGING_REGISTRY_ID` in `_deploy-container.yml`
was missing the `-global` suffix in the resource group name, a bug
introduced in #793 when the global resource group was renamed. This is
currently preventing all deployments to production.

- Update resource group reference from `{prefix}-stage` to
`{prefix}-stage-global` to match the actual location of the staging
container registry

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary
tjementum added a commit that referenced this pull request Dec 16, 2025
… in Azure Container Apps (#804)

### Summary & Motivation

Upgrade the Azure Container Apps API version from `2025-07-01` (stable)
to `2025-10-02-preview` to restore the `autoConfigureDataProtection`
runtime setting for .NET containers.

When upgrading to the stable `2025-07-01` API version in PR #793, the
`autoConfigureDataProtection` feature was inadvertently lost because it
remains a preview-only feature not included in stable releases. This
change reverts to a preview API version that supports this feature,
which enables automatic configuration of ASP.NET Data Protection keys
across all container apps in an environment - essential for antiforgery
token validation when multiple container apps (AppGateway,
account-management, back-office, etc.) need to share encrypted tokens.

The learning here is that stable API versions may not include all
preview features that the infrastructure depends on. When upgrading API
versions, verify that preview features are still available or
consciously choose to remain on a preview version until the required
features become stable.

### Checklist

- [x] I have added tests, or done manual regression tests
- [x] I have updated the documentation, if necessary