Version: v6

Framework Release Pipeline

The release pipeline uses the artifacts created by the build pipeline and publishes them to the stage(s) you define. Each stage deploys the resources to the Azure subscription and resource group you specify in the deployment tasks.

Variable Group

Create a variable group named {prefix}.Invictus.{stage} for all the stages (environments) and add at least one variable (e.g. Invictus.Secrets.ApiKey1.Name = apikey1).

Make sure the Project Collection Build Service has Administrator access to these variable groups (Pipelines > Library > Security).

YAML Pipeline

The next step is to add a YAML pipeline to release the Invictus for Azure Framework. Change the framework.release.yaml file according to your needs, for example the required environments and the name of the build pipeline trigger:

resources:
  pipelines:
    # Name of the pipeline resource inside this workflow. Used to reference the pipeline resources later on (e.g. download artifacts).
    - pipeline: _build
      # Name of the build pipeline in Azure Pipelines
      source: 'customer.azure.invictus.framework.build'
      trigger: true

Also make sure to change the Bicep template parameters according to your needs.

If you need to override more Bicep template parameters, add them to the deployScriptParameters. A complete list of Bicep template parameters can be found under Bicep Template Parameters below.

Afterwards, add framework.release.yaml to your DevOps environment as a pipeline.

Deploy Script Parameters

The following script parameters are used in the deploy script:

Mandatory Parameters

| Argument name | Description |
| --- | --- |
| artifactsPath | Path on the DevOps agent where the downloaded Invictus artifacts are stored (publish and download build artifacts) |
| devOpsObjectId | Object ID of the service principal that's connected to the DevOps service connection, which will get the necessary role definitions to interact with Invictus' deployed resources (i.e. Key vault, Container registry) (Azure CLI task) |
| resourcePrefix | Prefix used for deployed Azure resources (i.e. invictus-{prefix}-vlt) |
| resourceGroupName | Name of Azure resource group where Invictus should be deployed |
| variableGroupName | DevOps variable group to write the Bicep outputs to (i.e. Invictus_CosmosDb_DbName) |
| identityProviderApplicationId | See Container App authentication |
| identityProviderClientSecret | See Container App authentication |

Optional Parameters

| Argument name | Default value | Description |
| --- | --- | --- |
| resourceGroupLocation | 'West Europe' | Azure location where resources should be deployed |
| additionalTemplateParameters | [] | Additional named parameters for the Bicep template you wish to override. More on this below. |

The AdditionalTemplateParameters can be used to override the default values used by the Bicep template. You simply name the argument after the parameter. For example, if you want to use a different servicePlanSku you would add -eventHubSkuName "Standard" to the parameters of the PowerShell script.

Full YAML task example
- task: AzureCLI@2
  displayName: 'Azure CLI'
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  inputs:
    azureSubscription: '[YOUR_SERVICE_CONNECTION]'
    addSpnToEnvironment: true
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Determine where the provided Invictus 'Deploy.ps1' script is located.
      # $(Pipeline.Workspace) is expanded at runtime; the quotes keep the path a string.
      $artifactsPath = '$(Pipeline.Workspace)/_build/framework'
      $scriptPath = $artifactsPath + '/Deploy.ps1'

      # Use your service connection's service principal Object ID
      $objectId = (az ad sp show --id $env:servicePrincipalId | ConvertFrom-Json).id

      # The '<pass>' values are placeholders for the registry password and the client secret
      & $scriptPath `
        -artifactsPath $artifactsPath `
        -version ${{parameters.Version}} `
        -useBeta false `
        -acrPath "invictusreleases.azurecr.io" `
        -acrUsername 'admin' `
        -acrPassword '<pass>' `
        -resourcePrefix 'dev' `
        -resourceGroupName 'my-client-dev-rg' `
        -variableGroupName 'My.Client.Dev' `
        -devOpsObjectId $objectId `
        -identityProviderApplicationId '4b559bfb-871a-4013-bce9-829e3aeb6bdd' `
        -identityProviderClientSecret '<pass>'
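
The task above, with the registry password and the identity provider client secret supplied from secret pipeline variables instead of inline literals. This is an added example, not part of the Invictus documentation; the variable names Invictus.Acr.Password and Invictus.IdentityProvider.ClientSecret and the environment variable names ACR_PASSWORD and IDP_CLIENT_SECRET are assumptions.

```yaml
# Added example (not from the Invictus documentation). Assumes two secret
# variables, Invictus.Acr.Password and Invictus.IdentityProvider.ClientSecret
# (hypothetical names), exist in a variable group linked to this stage.
- task: AzureCLI@2
  displayName: 'Deploy Invictus Framework'
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
    # Secret variables are not exposed to scripts automatically; map them explicitly.
    ACR_PASSWORD: $(Invictus.Acr.Password)
    IDP_CLIENT_SECRET: $(Invictus.IdentityProvider.ClientSecret)
  inputs:
    azureSubscription: '[YOUR_SERVICE_CONNECTION]'
    addSpnToEnvironment: true
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $ErrorActionPreference = 'Stop'

      # Fail before deploying if a secret is missing. An undefined pipeline
      # variable is passed through as the literal macro text, so check for that too.
      foreach ($name in 'ACR_PASSWORD', 'IDP_CLIENT_SECRET') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ([string]::IsNullOrWhiteSpace($value) -or $value -match '^\$\(') {
          throw "Pipeline secret '$name' is not set; check the variable group link."
        }
      }

      # Same script location and service principal lookup as the task above
      $artifactsPath = '$(Pipeline.Workspace)/_build/framework'
      $scriptPath = Join-Path $artifactsPath 'Deploy.ps1'
      $objectId = (az ad sp show --id $env:servicePrincipalId | ConvertFrom-Json).id

      & $scriptPath `
        -artifactsPath $artifactsPath `
        -version ${{parameters.Version}} `
        -useBeta false `
        -acrPath "invictusreleases.azurecr.io" `
        -acrUsername 'admin' `
        -acrPassword $env:ACR_PASSWORD `
        -resourcePrefix 'dev' `
        -resourceGroupName 'my-client-dev-rg' `
        -variableGroupName 'My.Client.Dev' `
        -devOpsObjectId $objectId `
        -identityProviderApplicationId '4b559bfb-871a-4013-bce9-829e3aeb6bdd' `
        -identityProviderClientSecret $env:IDP_CLIENT_SECRET
```

Azure Pipelines masks secret variable values in task logs, and reading them from the environment keeps them out of the YAML file held in source control.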

Bicep Template Parameters

The tables below list the parameters accepted by the Bicep template.

Top-level parameters

Resource-independent parameters that affect all resources in the deployed resource group.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| resourcePrefix | Yes | | Used as part of the default names for most resources. |
| devOpsObjectId | Yes | | The object-id associated with the service principal of the enterprise application that's connected to the service connection on DevOps |
| containerAppsEnvironmentLocation | No | resourceGroup().location | Location of the ACA environment and Container Apps. |
| containerAppsEnvironmentName | No | invictus-${resourcePrefix}-cae | The name of the Container App environment. |

App service parameters

Parameters related to the Azure Functions applications that are deployed.

Function names

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| timesequencerFunctionName | No | invictus-{resourcePrefix}-timesequencer | Name for the time sequencer function |
| sequenceControllerFunctionName | No | invictus-{resourcePrefix}-sequencecontroller | Name for the Sequence Controller function |
| xmlJsonConverterFunctionName | No | invictus-{resourcePrefix}-xmljsonconverter | Name for the XmlJson Converter function |
| xsdValidatorFunctionName | No | invictus-{resourcePrefix}-xsdvalidator | Name for the XSD Validator function |
| regexTranslatorFunctionName | No | invictus-{resourcePrefix}-regextranslator | Name for the Regex Translator function |
| transcoV2FunctionName | No | invictus-{resourcePrefix}-transco-v2 | Name for the TranscoV2 function |
| pubsubV2FunctionName | No | invictus-{resourcePrefix}-pubsub-v2 | Name for the PubSubV2 function |
| exceptionHandlerFunctionName | No | invictus-{resourcePrefix}-exceptionhandler | Name for the Exception Handler function |

Function deployment

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| servicePlanName | No | invictus-{resourcePrefix}-appplan | Name for the service plan which will host the APIs |

Storage parameters

Parameters related to data that is stored during the component's interaction.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| storageAccountName | No | invictus{resourcePrefix}store | Name for the Azure Storage Account resource. Any dashes (-) will be removed from {resourcePrefix} |
| blobContainerPrefix | No | invictus | Prefix set for Azure Blob Storage containers for pubsub |
| storageAccountType | No | Standard_LRS | The Storage account StorageAccountSkuType |

Messaging parameters

Parameters related to the messaging components, like PubSub.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| serviceBusNamespaceName | No | invictus-{resourcePrefix}-sbs | Name for the Service Bus Namespace resource |
| serviceBusSkuName | No | Standard or Premium if VNET enabled | Name for the Service Bus SKU |
| serviceBusMessageTimeToLiveMinutes | No | -1 | Time messages should be stored on Service Bus before being archived |

Secret parameters

Parameters related to the security and secret management of the deployed applications.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| keyVaultName | No | invictus-{resourcePrefix}-vlt | Name for the Key Vault Service Namespace resource |
| keyVaultEnablePurgeProtection | No | null | If true, enables key vault purge protection. Once enabled, this property can never be disabled. |
| identityProviderClientSecret | Yes | | AAD App Registration client secret required for Azure Container Apps Identity Provider authentication |
| identityProviderApplicationId | Yes | | AAD Application ID for MSI Authentication of Azure Container Apps |

Observability parameters

Parameters related to telemetry tracking of the deployed applications.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| appInsightsName | No | invictus-{resourcePrefix}-appins | Name for the Application Insights resource |

Scaling parameters

Azure Container Apps allow for flexible scaling customization. In Invictus we have provided default scaling values which can be customized according to your scenario.

Container Apps have the ability to scale down to zero replicas. This is a great cost-saving option, especially for components which are not used at all. A Container App scaled to zero will automatically scale out when triggered; however, this may take up to a few minutes to complete. This could prove to be an issue in scenarios with a limited timeout, e.g. logic apps with a 120 seconds timeout. In such cases there is no option but to set a minimum replica count of 1.

| Parameter | Required |
| --- | --- |
| timeSequencerScaling | No |
| exceptionHandlerScaling | No |
| pubSubV2Scaling | No |
| regexTranslatorScaling | No |
| sequenceControllerScaling | No |
| transcoV2Scaling | No |
| xmlJsonConverterScaling | No |
| xsdValidatorScaling | No |

Each of the above parameters accepts an object:

{
  scaleMinReplicas: int
  scaleMaxReplicas: int
  cpuResources: string
  memoryResources: string
}

| Parameter value | Default | Description |
| --- | --- | --- |
| scaleMinReplicas | 0 | The lowest number of replicas the Container App will scale in to. |
| scaleMaxReplicas | 1 | The highest number of replicas the Container App will scale out to. |
| cpuResources | 0.5 | The amount of CPU resources to dedicate for the container resource. See here for allowed values. |
| memoryResources | 1.0Gi | The amount of memory resources to dedicate for the container resource. See here for allowed values. |
| concurrentRequests | 10 | When the number of HTTP requests exceeds this value, another replica is added. Replicas continue to be added to the pool up to the maxReplicas amount. See here for allowed values. |