Rollout 2024 12 18 (#4257)

dotnet · Dec 18, 2024 · 735c538 · 735c538
2 parents 5c20f1e + b6a5413
commit 735c538
Show file tree

Hide file tree

Showing 62 changed files with 1,205 additions and 370 deletions.
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "microsoft.dnceng.secretmanager": {
-      "version": "1.1.0-beta.24605.8",
+      "version": "1.1.0-beta.24610.1",
       "commands": [
         "secret-manager"
       ]
@@ -15,7 +15,7 @@
       ]
     },
     "microsoft.dnceng.configuration.bootstrap": {
-      "version": "1.1.0-beta.24605.8",
+      "version": "1.1.0-beta.24610.1",
       "commands": [
         "bootstrap-dnceng-configuration"
       ]

diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
@@ -115,13 +115,13 @@
       <Uri>https://github.com/dotnet/arcade</Uri>
       <Sha>3c7e11bf80279cde53a6251c4d0fa10e613fc739</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DncEng.SecretManager" Version="1.1.0-beta.24605.8">
+    <Dependency Name="Microsoft.DncEng.SecretManager" Version="1.1.0-beta.24610.1">
       <Uri>https://github.com/dotnet/dnceng</Uri>
-      <Sha>54066b7abcc2b7ec05ade63be8d91c44fcfc1c9d</Sha>
+      <Sha>c1d20b998e3d3c51ce4eaf9dfe1bcffda8562de1</Sha>
     </Dependency>
-    <Dependency Name="Microsoft.DncEng.Configuration.Bootstrap" Version="1.1.0-beta.24605.8">
+    <Dependency Name="Microsoft.DncEng.Configuration.Bootstrap" Version="1.1.0-beta.24610.1">
       <Uri>https://github.com/dotnet/dnceng</Uri>
-      <Sha>54066b7abcc2b7ec05ade63be8d91c44fcfc1c9d</Sha>
+      <Sha>c1d20b998e3d3c51ce4eaf9dfe1bcffda8562de1</Sha>
     </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/eng/Versions.props b/eng/Versions.props
@@ -37,8 +37,8 @@
     <MicrosoftDotNetWebAuthenticationVersion>1.1.0-beta.24606.1</MicrosoftDotNetWebAuthenticationVersion>
     <ServiceFabricMocksVersion>1.1.0-beta.24606.1</ServiceFabricMocksVersion>
     <CoreHealthMonitorVersion>1.1.0-beta.24606.1</CoreHealthMonitorVersion>
-    <MicrosoftDncEngSecretManagerVersion>1.1.0-beta.24605.8</MicrosoftDncEngSecretManagerVersion>
-    <MicrosoftDncEngConfigurationBootstrapVersion>1.1.0-beta.24605.8</MicrosoftDncEngConfigurationBootstrapVersion>
+    <MicrosoftDncEngSecretManagerVersion>1.1.0-beta.24610.1</MicrosoftDncEngSecretManagerVersion>
+    <MicrosoftDncEngConfigurationBootstrapVersion>1.1.0-beta.24610.1</MicrosoftDncEngConfigurationBootstrapVersion>
   </PropertyGroup>
   <!--Package names-->
   <PropertyGroup>

diff --git a/...service-templates/ProductConstructionService/ApplicationGateway/application-gateway.bicep b/...service-templates/ProductConstructionService/ApplicationGateway/application-gateway.bicep
@@ -0,0 +1,291 @@
+param appGwName string
+param location string
+param kvName string
+param appGwIdentityName string
+param certificateName string
+// Certificate Secret identifier, without the last paon)
+param certificateSecretIdShort string
+param virtualNetworkName string
+param appGwVirtualNetworkSubnetName string
+param nsgName string
+param publicIpAddressName string
+param frontendIpName string
+param httpPortName string
+param httpsPortName string 
+param pcsPool string
+param containerAppName string
+param backendHttpSettingName string
+param backendHttpsSettingName string
+param pcs80listener string
+param pcs443listener string
+param pcsRedirection string
+param pcs80rule string
+param pcs443rule string
+param containerEnvironmentName string
+param hostName string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: kvName
+}
+
+resource containerApp 'Microsoft.App/containerApps@2023-04-01-preview' existing = { name: containerAppName }
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' existing = { name: virtualNetworkName }
+
+resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-11-01' existing = { name: nsgName }
+
+resource containerEnvironment 'Microsoft.App/managedEnvironments@2023-04-01-preview' existing = {
+  name: containerEnvironmentName
+}
+
+// subnet for the product application gateway
+resource appGatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
+  name: appGwVirtualNetworkSubnetName 
+  parent: virtualNetwork
+  properties: {
+      addressPrefix: '10.0.2.0/24'
+      networkSecurityGroup: {
+          id: networkSecurityGroup.id
+      }
+  }
+}
+
+// subnet for the private link
+resource privateLinkSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
+  name: 'privateLink'
+  parent: virtualNetwork
+  properties: {
+      addressPrefix: '10.0.3.0/24'
+      networkSecurityGroup: {
+          id: networkSecurityGroup.id
+      }
+      privateLinkServiceNetworkPolicies: 'Disabled'
+  }
+}
+
+resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-09-01' existing = {
+  name: publicIpAddressName
+}
+
+resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: appGwIdentityName
+  location: location
+}
+
+var certificateUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'db79e9a7-68ee-4b58-9aeb-b90e7c24fcba')
+var kvSecretUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+
+resource appGwCertificateUserRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: keyVault
+  name: guid(subscription().id, resourceGroup().id, 'appGwCertUser')
+  properties: {
+      roleDefinitionId: certificateUserRole
+      principalType: 'ServicePrincipal'
+      principalId: appGwIdentity.properties.principalId
+  }
+}
+
+resource appGwSecretUserRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: keyVault
+  name: guid(subscription().id, resourceGroup().id, 'appGwSecretUser')
+  properties: {
+      roleDefinitionId: kvSecretUser
+      principalType: 'ServicePrincipal'
+      principalId: appGwIdentity.properties.principalId
+  }
+}
+
+module privateDnsZone './private-dns-zone.bicep' = {
+  name: 'privateDnsZone'
+  params: {
+    privateDnsZoneName: containerEnvironment.properties.defaultDomain
+    containerEnvStaticIp: containerEnvironment.properties.staticIp
+    virtualNetworkId: virtualNetwork.id
+  }
+}
+
+resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' = {
+  name: appGwName
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${appGwIdentity.id}' : {}
+    }
+  }
+  properties: {
+    sku: {
+      name: 'Standard_v2'
+      tier: 'Standard_v2'
+      capacity: 10
+    }
+    sslCertificates: [
+      {
+        name: certificateName
+        properties: {
+          keyVaultSecretId: certificateSecretIdShort
+        }
+      }
+    ]
+    gatewayIPConfigurations: [
+      {
+        name: 'appGwIpConfigurationName'
+        properties: {
+          subnet: {
+            id: appGatewaySubnet.id
+          }
+        }
+      }
+    ]
+    frontendIPConfigurations: [
+      {
+        name: frontendIpName
+        properties: {
+          publicIPAddress: {
+            id: publicIpAddress.id
+          }
+        }
+      }
+    ]
+    privateLinkConfigurations: [
+      {
+        name: 'privateLinkConfiguration'
+        properties: {
+          ipConfigurations: [
+            {
+              name: 'privateLinkIpConfiguration'
+              properties: {
+                subnet: {
+                  id: privateLinkSubnet.id
+                }
+                primary: true
+                privateIPAllocationMethod: 'Dynamic'
+              }
+            }
+          ]
+        }
+      }
+    ]
+    frontendPorts: [
+      {
+        name: httpPortName
+        properties: {
+          port: 80
+        }
+      }
+      {
+        name: httpsPortName
+        properties: {
+          port: 443
+        }
+      }
+    ]
+    backendAddressPools: [
+      {
+        name: pcsPool
+        properties: {
+          backendAddresses: [
+            {
+              fqdn: containerApp.properties.configuration.ingress.fqdn
+            }
+          ]
+        }
+      }
+    ]
+    backendHttpSettingsCollection: [
+      {
+        name: backendHttpsSettingName
+        properties: {
+          port: 443
+          protocol: 'Https'
+          cookieBasedAffinity: 'Disabled'
+          pickHostNameFromBackendAddress: true
+          requestTimeout: 60
+        }
+      }
+      {
+        name: backendHttpSettingName
+        properties: {
+          port: 80
+          protocol: 'Http'
+          cookieBasedAffinity: 'Disabled'
+          pickHostNameFromBackendAddress: true
+          requestTimeout: 60
+        }
+      }
+    ]
+    httpListeners: [
+      {
+        name: pcs80listener
+        properties: {
+          frontendIPConfiguration: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', appGwName, frontendIpName)
+          }
+          frontendPort: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', appGwName, httpPortName)
+          }
+          protocol: 'Http'
+          hostName: hostName
+        }
+      }
+      {
+        name: pcs443listener
+        properties: {
+          frontendIPConfiguration: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendIPConfigurations', appGwName, frontendIpName)
+          }
+          frontendPort: {
+            id: resourceId('Microsoft.Network/applicationGateways/frontendPorts', appGwName, httpsPortName)
+          }
+          protocol: 'Https'
+          sslCertificate: {
+            id: resourceId('Microsoft.Network/applicationGateways/sslCertificates', appGwName, certificateName)
+          }
+          hostName: hostName
+        }
+      }
+    ]
+    redirectConfigurations: [
+      {
+        name: pcsRedirection
+        properties: {
+          redirectType: 'Permanent'
+          targetListener: {
+            id: resourceId('Microsoft.Network/applicationGateways/httpListeners', appGwName, pcs443listener)
+          }
+          includePath: true
+          includeQueryString: true
+        }
+      }
+    ]
+    requestRoutingRules: [
+      {
+        name: pcs80rule
+        properties: {
+          priority: 1
+          httpListener: {
+            id: resourceId('Microsoft.Network/applicationGateways/httpListeners', appGwName, pcs80listener)
+          }
+          redirectConfiguration: {
+            id: resourceId('Microsoft.Network/applicationGateways/redirectConfigurations', appGwName, pcsRedirection)
+          }
+        }
+      }
+      {
+        name: pcs443rule
+        properties: {
+          priority: 2
+          httpListener: {
+            id: resourceId('Microsoft.Network/applicationGateways/httpListeners', appGwName, pcs443listener)
+          }
+          backendAddressPool: {
+            id: resourceId('Microsoft.Network/applicationGateways/backendAddressPools', appGwName, pcsPool)
+          }
+          backendHttpSettings: {
+            id: resourceId('Microsoft.Network/applicationGateways/backendHttpSettingsCollection', appGwName, backendHttpsSettingName)
+          }
+        }
+      }
+    ]
+  }
+}
diff --git a/eng/service-templates/ProductConstructionService/ApplicationGateway/private-dns-zone.bicep b/eng/service-templates/ProductConstructionService/ApplicationGateway/private-dns-zone.bicep
@@ -0,0 +1,46 @@
+param privateDnsZoneName string 
+param containerEnvStaticIp string
+param virtualNetworkId string
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: privateDnsZoneName
+  location: 'global'
+}
+
+resource starRecordSet 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
+  name: '*'
+  parent: privateDnsZone
+  properties: {
+    ttl: 3600
+    aRecords: [
+      { 
+        ipv4Address: containerEnvStaticIp
+      }
+    ]
+  }
+}
+
+resource atRecordSet 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
+  name: '@'
+  parent: privateDnsZone
+  properties: {
+    ttl: 3600
+    aRecords: [
+      { 
+        ipv4Address: containerEnvStaticIp
+      }
+    ]
+  }
+}
+
+resource symbolicname 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2024-06-01' = {
+  name: 'pcs-pdns-link'
+  parent: privateDnsZone
+  location: 'global'
+  properties: {
+    registrationEnabled: false
+    virtualNetwork: {
+      id: virtualNetworkId
+    }
+  }
+}