Azure Container Apps + Bicep ͜Μͳײ͡Ͱӡ༻͍ͯ͠·͢ 2024/04/20 Global Azure 2024 JCOMגࣜձࣾ Θͨͳ΂(@kaz_29)

WHO? ౉ลҰ޺ (Θͨͳ΂ ͔ͣͻΖ) @kaz_29 JCOMגࣜձࣾ

Agenda •Azure Container Apps •Bicep •Infrastructure as Code(IaC) •Continuous Delivery(CD)

Container Apps

Azure Container Apps ֓ཁ • ϑϧϚωʔδυk8sϕʔεͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜ • KEDAΛར༻ͨ͠ಈతεέʔϦϯά HTTP / TCP / Azure Storage Queue / Azure Service Bus / Azure Event Hubs etc… • ϓϥϯ • Consumption Plan(ফඅ) • Dedicated(ઐ༻) • ैྔ՝ۚϫʔΫϩʔυϓϩϑΝΠϧ • ઐ༻ϫʔΫϩʔυϓϩϑΝΠϧ

Azure Container Apps ར༻Մೳͳ CPU ͱϝϞϦ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFDPOUBJOFSBQQTDPOUBJOFST

Azure Container Apps ࣮ߦ؀ڥͷΠϝʔδ CONTAINER APP 1 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APP 2 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APPS ENVIRONMENT

Bicep

Bicep ֓ཁ • AzureϦιʔεΛσϓϩΠ༻ͷDSL • ߏจ͕؆ܿ • શͯͷϦιʔεɾόʔδϣϯΛαϙʔτ ϓϨϏϡʔ൛ͷαʔϏεͰ΋αϙʔτ͞Ε͍ͯΔ(ͱࢥ͏) • VSCodeͷBicep֦ு IntelliSence΍ߏจݕূͳͲͰޮ཰తʹฤूͰ͖Δ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ

Bicep αϯϓϧ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ param location string = resourceGroup().location param acrName string param acrSku string param encription string resource acrResource 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = { name: acrName location: location sku: { name: acrSku } properties: { adminUserEnabled: true encryption: { status: encription } dataEndpointEnabled: false } } output loginServer string = acrResource.properties.loginServer CJDFQBDSCJDFQ

Bicep αϯϓϧ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ param location string = resourceGroup().location param acrName string = 'exampleacr' param acrSku string = 'Standard' param encription string = 'disabled' module acr 'acr.bicep' = { name: 'example-acr' params: { location: location acrName: acrName acrSku: acrSku encription: encription } } $ az deployment group create \ -f ./bicep/acr-test.bicep \ -g $RESOURCE_GROUP_NAME CJDFQBDSUFTUCJDFQ

Infrastructure as Code(IaC)

BicepͰContainer Apps؀ڥΛߏங

BicepͰContainer Apps؀ڥΛߏங ैྔ՝ۚϫʔΫϩʔυϓϩϑΝΠϧ resource environment 'Microsoft.App/managedEnvironments@2023-05-01' = { name: environmentName location: location properties: { appLogsConfiguration: { destination: 'log-analytics' logAnalyticsConfiguration: { customerId: logAnalyticsWorkspace.properties.customerId sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey } } daprAIInstrumentationKey: appInsights.properties.InstrumentationKey zoneRedundant: false workloadProfiles: [{ name: 'Consumption' workloadProfileType: 'Consumption' }] } }

BicepͰContainer Apps؀ڥΛߏங ઐ༻ϫʔΫϩʔυϓϩϑΝΠϧ resource environment 'Microsoft.App/managedEnvironments@2023-05-01' = { name: environmentName location: location properties: { appLogsConfiguration: { destination: 'log-analytics' logAnalyticsConfiguration: { customerId: logAnalyticsWorkspace.properties.customerId sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey } } daprAIInstrumentationKey: appInsights.properties.InstrumentationKey zoneRedundant: true workloadProfiles: [{ name: 'myworkload' maximumCount: 10 minimumCount: 3 workloadProfileType: 'D4' }] } }

(JUIVC"DUJPOTͰͷϑϩʔΠϝʔδ OPS୲౰ Bicep Github 3. PR࡞੒ Diff 1. ίʔυ࡞੒ɾมߋ 2. Push 4. work fl ow࣮ߦ 5. ࠩ෼Λऔಘ 6. ࠩ෼ΛPRίϝϯτʹ౤ߘ 8. ϓϩϏδϣχϯά༻ͷtagΛଧͭ Provision 9. work fl ow࣮ߦ OPS੹೚ऀ 7. Review Deployment protection Required reviewers 10. ঝೝ଴ͪ 11. Approve 12. มߋΛ൓ө

ࠩ෼औಘϫʔΫϑϩʔ ί υ ͷ ν Ϋ Ξ ΢ τ "[VSF ϩ ά Π ϯ #JDFQ ϑ Π ϧ ͷ จ ๏ ν Ϋ B[EFQMPZNFOUHSPVQXIBUJG Ͱ ࠩ ෼ औ ಘ 13 ί ϝ ϯ τ Λ ౤ ߘ

#JDFQσϓϩΠͷ8IBU*Gૢ࡞ ʙ Bicep ϑΝΠϧΛσϓϩΠ͢ΔલʹɺߦΘΕΔมߋΛϓϨϏϡʔͰ͖·͢ɻ Azure Resource Manager ͷ What-if ૢ࡞Λ࢖͏ͱɺBicep ϑΝΠϧΛσϓϩΠͨ͠৔߹ʹϦ ιʔε͕ͲͷΑ͏ʹมߋ͞ΕΔ͔Λ֬ೝͰ͖·͢ɻ what-if ૢ࡞Ͱ͸ɺطଘͷϦιʔε ʹର͍͔ͯ͠ͳΔมߋ΋ߦΘΕ·ͤΜɻ ୅ΘΓʹɺࢦఆͨ͠ Bicep ϑΝΠϧ͕σϓϩ Π͞Εͨ৔߹ͷมߋ͕༧ଌ͞Ε·͢ɻ what-if ૢ࡞͸ Azure PowerShellɺAzure CLIɺ·ͨ͸ REST API ૢ࡞Ͱ࢖༻Ͱ͖·͢ɻ What-if ͸ɺϦιʔε άϧʔϓɺαϒεΫϦϓγϣϯɺ؅ཧάϧʔϓɺςφϯτ Ϩϕϧ ͷσϓϩΠͰαϙʔτ͞Ε͍ͯ·͢ɻʙ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQEFQMPZXIBUJGΑΓҾ༻

#JDFQσϓϩΠͷ8IBU*Gૢ࡞

ࠩ෼औಘϫʔΫϑϩʔ name: Diff resources on: pull_request: types: [opened, synchronize, reopened] branches: - master env: RESOURCE_GROUP_NAME: container-apps-example-rg permissions: id-token: write contents: read pull-requests: write jobs: diff: name: Diff resources environment: name: diff runs-on: ubuntu-latest steps: - name: checkout uses: actions/checkout@v3 - name: Azure Login uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Lint bicep file uses: azure/CLI@v1 with: inlineScript: | az config set bicep.use_binary_from_path=False az bicep install az bicep lint -f ./bicep/container-apps-env.bicep - name: Diff Container Apps Env settings uses: azure/CLI@v1 with: inlineScript: | az config set bicep.use_binary_from_path=False az bicep install echo -e '## Container Apps Env\nResource \ and property changes details\n\n```' >> diff.txt az deployment group what-if \ -f ./bicep/container-apps-env.bicep \ --name "container-apps-diff" \ -g ${{ env.RESOURCE_GROUP_NAME }} \ | tee -a diff.txt echo -e '```\n\n\n' >> diff.txt - name: Post diff uses: marocchino/sticky-pull-request-comment@v1 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} header: header-of-comment path: ./diff.txt

Continuous Delivery(CD) ܧଓతσϦόϦʔ

BicepͰContainer AppΛσϓϩΠ

BicepͰContainer AppΛσϓϩΠ param environmentName string = 'example-container-apps-env' param containerAppName string = 'example-app' param location string = resourceGroup().location param imageName string = 'example-app' param tagName string param acrUserName string @secure() param acrSecret string param revisionSuffix string param oldRevisionSuffix string param isExternalIngress bool = true @allowed([ 'multiple' 'single' ]) param revisionMode string = 'multiple' resource environment 'Microsoft.App/managedEnvironments@2022-03-01' existing = { name: environmentName } resource containerApp 'Microsoft.App/containerApps@2023-04-01-preview' = { name: containerAppName location: location properties: { workloadProfileName: 'Consumption' managedEnvironmentId: environment.id configuration: { activeRevisionsMode: revisionMode dapr:{ enabled:false } ingress: { external: isExternalIngress targetPort: 80 transport: 'auto' allowInsecure: false traffic: ((contains(revisionSuffix, oldRevisionSuffix)) ? [ { weight: 100 latestRevision: true } ] : [ { weight: 0 latestRevision: true } { weight: 100 revisionName: '${containerAppName}--${oldRevisionSuffix}' } ]) } ಈతͳ஋ ()"Ͱ౉͢ ॳճσϓϩΠ࣌༻

BicepͰContainer AppΛσϓϩΠ secrets: [ { name: 'acr-secret' value: acrSecret } ] registries: [ { server: '${acrUserName}.azurecr.io' username: acrUserName passwordSecretRef: 'acr-secret' } ] } template: { revisionSuffix: revisionSuffix containers: [ { image: '${acrUserName}.azurecr.io/${imageName}:${tagName}' name: containerAppName resources: { cpu: any('0.5') memory: '1Gi' } } ] scale: { minReplicas: 0 maxReplicas: 5 rules: [ { name: 'http-scaling-rule' http: { metadata: { concurrentRequests: '60' } } } ] } } } } output fqdn string = containerApp.properties.configuration.ingress.fqdn ίϯςφͷઃఆ εέʔϦϯάϧʔϧ

Azure Container Apps(࠶ܝ) ࣮ߦ؀ڥͷΠϝʔδ CONTAINER APP 1 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APP 2 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APPS ENVIRONMENT

#JDFQͰ$POUBJOFS"QQΛσϓϩΠ ϦϏδϣϯΛͲ͏ࢦఆ͢Δ͔ʁ w ೚ҙͷจࣈྻΛࢦఆՄೳ w Ͳͷίʔυ͔Λ༰қʹࣝผ͍ͨ͠ w ϦϙδτϦͷUBHΛྲྀ༻͢Δ w ϦϏδϣϯʹ͸ υοτ ͸࢖͑ͳ͍ w ҎԼͷΑ͏ʹม׵ͯ͠ར༻ v1.0.0 => v100

(JUIVC"DUJPOTͰͷϑϩʔΠϝʔδ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ ։ൃ୲౰ Github 3. PR࡞੒ ςετͳͲΛ࣮ߦ 1. ίʔυ࡞੒ɾมߋ 2. Push 4. work fl ow࣮ߦ 6. σϒϩΠ༻ͷtagΛଧͭ Deploy to Green 7. work fl ow࣮ߦ OPS୲౰ऀ 5. Review 9. ঝೝ଴ͪ 8. σϓϩΠ ։ൃνʔϜ 10. FlipΛঝೝ Build& Push Flip 11. ঝೝ଴ͪ Deactivate 12. DeactivateΛঝೝ

$*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ ί υ ͷ ν Ϋ Ξ ΢ τ ί ϯ ς φ Ϩ δ ε τ Ϧ ʹ ϩ ά Π ϯ λ ά ໊ Λ औ ಘ ί ϯ ς φ Λ build & push bicep ϑ Π ϧ Λ Artifact ʹ Ξ ϓ ϩ υ bicep ϑ Π ϧ Λ Artifact ͔ Β μ ΢ ϯ ϩ υ λ ά ໊ ͔ Β Ϧ Ϗ δ ϯ ໊ Λ ࡞ ੒ Azure ϩ ά Π ϯ ࣮ ߦ த ͷ Ϧ Ϗ δ ϯ Λ औ ಘ ৽ ͠ ͍ Ϧ Ϗ δ ϯ Λ σ ϓ ϩ Π (traf c: 0%) Azure ϩ ά Π ϯ ৽ چ ͷ Ϧ Ϗ δ ϯ ͷ traf c Λ ೖ ସ ͑ Azure ϩ ά Π ϯ چ Ϧ Ϗ δ ϯ Λ ࡟ আ Build Deploy Flip Deactivate ঝೝ ঝೝ

$*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

$*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

$*ͷϫʔΫϑϩʔ ()"+PC࣮ߦʹঝೝΛڬΉ

$*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

$%ͷϫʔΫϑϩʔͷൈਮ - name: Deploy to containerapp uses: azure/CLI@v1 with: inlineScript: | az extension add --upgrade --name containerapp az config set bicep.use_binary_from_path=False az bicep install az deployment group create \ -f ./deploy.bicep \ -g ${{ env.RESOURCE_GROUP_NAME }} \ --name "${{ env.APP_NAME }}-${{ env.REVISION_SUFFIX }}" \ --parameters \ acrUserName=${{ secrets.AZURE_CONTAINER_REGISTRY_USERNAME }} \ acrSecret=${{ secrets.AZURE_CONTAINER_REGISTRY_PASSWORD }} \ tagName="${{ env.TAG }}" \ revisionSuffix=${{ env.REVISION_SUFFIX }} \ oldRevisionSuffix=${{ env.PREVIOUS_REVISION_NAME }} - name: Flip revisions uses: azure/CLI@v1 with: inlineScript: | az extension add --upgrade --name containerapp az containerapp ingress traffic set \ -g ${{ env.RESOURCE_GROUP_NAME }} \ -n ${{ env.APP_NAME }} \ --revision-weight \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.revision_suffix }}=100 \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.previous_revision_suffix }}=0 - name: Deactivate previous revision uses: azure/CLI@v1 with: inlineScript: | az extension add --upgrade --name containerapp az containerapp revision deactivate \ -g ${{ env.RESOURCE_GROUP_NAME }} \ -n ${{ env.APP_NAME }} \ --revision \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.previous_revision_suffix }} Deploy Flip Deactivate

·ͱΊ • Container Apps͸ͱͯ΋࢖͍΍͢αʔϏε • Webαʔό͚ͩͰͳ͘ɺQueueϫʔΧʔ΍Cron Jobͷ࣮ߦ΋Մೳ • ༷ʑͳεέʔϧϧʔϧͰॊೈʹautoscaleՄೳ • BicepΛར༻͢Δ͜ͱͰൺֱత؆୯ʹIaCΛ࣮ݱͰ͖Δ • what-ifͰࠩ෼Λ֬ೝͭͭ͠ίʔυϨϏϡʔ • Github ActionsʹదٓঝೝΛڬΉ͜ͱͰݖݶΛ෼཭ͯ҆͠શʹࣗಈԽ

͓͠·͍ IUUQTHJUIVCDPNLB[DPOUBJOFSBQQTFYBNQMF