Azure Container Apps + Bicep 〜 こんな感じで運用しています

Transcript

1. Azure Container Apps + Bicep ͜Μͳײ͡Ͱӡ༻͍ͯ͠·͢ 2024/04/20 Global Azure 2024

   JCOMגࣜձࣾ Θͨͳ΂(@kaz_29)

2. WHO? ౉ลҰ޺ (Θͨͳ΂ ͔ͣͻΖ) @kaz_29 JCOMגࣜձࣾ

3. Agenda •Azure Container Apps •Bicep •Infrastructure as Code(IaC) •Continuous Delivery(CD)

4. Container Apps

5. Azure Container Apps ֓ཁ • ϑϧϚωʔδυk8sϕʔεͷΞϓϦέʔγϣϯϓϥοτϑΥʔϜ • KEDAΛར༻ͨ͠ಈతεέʔϦϯά HTTP /

   TCP / Azure Storage Queue / Azure Service Bus / Azure Event Hubs etc… • ϓϥϯ • Consumption Plan(ফඅ) • Dedicated(ઐ༻) • ैྔ՝ۚϫʔΫϩʔυϓϩϑΝΠϧ • ઐ༻ϫʔΫϩʔυϓϩϑΝΠϧ

6. Azure Container Apps ར༻Մೳͳ CPU ͱϝϞϦ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFDPOUBJOFSBQQTDPOUBJOFST

7. Azure Container Apps ࣮ߦ؀ڥͷΠϝʔδ CONTAINER APP 1 CONTAINER(S) REPLICA REVISION

   1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APP 2 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APPS ENVIRONMENT

8. Bicep

9. Bicep ֓ཁ • AzureϦιʔεΛσϓϩΠ༻ͷDSL • ߏจ͕؆ܿ • શͯͷϦιʔεɾόʔδϣϯΛαϙʔτ ϓϨϏϡʔ൛ͷαʔϏεͰ΋αϙʔτ͞Ε͍ͯΔ(ͱࢥ͏) •

   VSCodeͷBicep֦ு IntelliSence΍ߏจݕূͳͲͰޮ཰తʹฤूͰ͖Δ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ

10. Bicep αϯϓϧ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ param location string = resourceGroup().location param

    acrName string param acrSku string param encription string resource acrResource 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = { name: acrName location: location sku: { name: acrSku } properties: { adminUserEnabled: true encryption: { status: encription } dataEndpointEnabled: false } } output loginServer string = acrResource.properties.loginServer CJDFQBDSCJDFQ

11. Bicep αϯϓϧ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQPWFSWJFX UBCTCJDFQ param location string = resourceGroup().location param

    acrName string = 'exampleacr' param acrSku string = 'Standard' param encription string = 'disabled' module acr 'acr.bicep' = { name: 'example-acr' params: { location: location acrName: acrName acrSku: acrSku encription: encription } } $ az deployment group create \ -f ./bicep/acr-test.bicep \ -g $RESOURCE_GROUP_NAME CJDFQBDSUFTUCJDFQ

12. Infrastructure as Code(IaC)

13. BicepͰContainer Apps؀ڥΛߏங

14. BicepͰContainer Apps؀ڥΛߏங ैྔ՝ۚϫʔΫϩʔυϓϩϑΝΠϧ resource environment 'Microsoft.App/managedEnvironments@2023-05-01' = { name: environmentName

    location: location properties: { appLogsConfiguration: { destination: 'log-analytics' logAnalyticsConfiguration: { customerId: logAnalyticsWorkspace.properties.customerId sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey } } daprAIInstrumentationKey: appInsights.properties.InstrumentationKey zoneRedundant: false workloadProfiles: [{ name: 'Consumption' workloadProfileType: 'Consumption' }] } }

15. BicepͰContainer Apps؀ڥΛߏங ઐ༻ϫʔΫϩʔυϓϩϑΝΠϧ resource environment 'Microsoft.App/managedEnvironments@2023-05-01' = { name: environmentName

    location: location properties: { appLogsConfiguration: { destination: 'log-analytics' logAnalyticsConfiguration: { customerId: logAnalyticsWorkspace.properties.customerId sharedKey: logAnalyticsWorkspace.listKeys().primarySharedKey } } daprAIInstrumentationKey: appInsights.properties.InstrumentationKey zoneRedundant: true workloadProfiles: [{ name: 'myworkload' maximumCount: 10 minimumCount: 3 workloadProfileType: 'D4' }] } }

16. (JUIVC
    "DUJPOTͰͷϑϩʔΠϝʔδ OPS୲౰ Bicep Github 3. PR࡞੒ Diff 1. ίʔυ࡞੒ɾมߋ 2.

    Push 4. work fl ow࣮ߦ 5. ࠩ෼Λऔಘ 6. ࠩ෼ΛPRίϝϯτʹ౤ߘ 8. ϓϩϏδϣχϯά༻ͷtagΛଧͭ Provision 9. work fl ow࣮ߦ OPS੹೚ऀ 7. Review Deployment protection Required reviewers 10. ঝೝ଴ͪ 11. Approve 12. มߋΛ൓ө

17. ࠩ෼औಘϫʔΫϑϩʔ ί υ ͷ ν Ϋ Ξ ΢ τ "[VSF

    ϩ ά Π ϯ #JDFQ ϑ Π ϧ ͷ จ ๏ ν Ϋ B[
    EFQMPZNFOU
    HSPVQ
    XIBUJG
    Ͱ ࠩ ෼ औ ಘ 13 ί ϝ ϯ τ Λ ౤ ߘ

18. #JDFQ
    σϓϩΠͷ
    8IBU*G
    ૢ࡞ ʙ Bicep ϑΝΠϧΛσϓϩΠ͢ΔલʹɺߦΘΕΔมߋΛϓϨϏϡʔͰ͖·͢ɻ Azure Resource Manager ͷ What-if ૢ࡞Λ࢖͏ͱɺBicep

    ϑΝΠϧΛσϓϩΠͨ͠৔߹ʹϦ ιʔε͕ͲͷΑ͏ʹมߋ͞ΕΔ͔Λ֬ೝͰ͖·͢ɻ what-if ૢ࡞Ͱ͸ɺطଘͷϦιʔε ʹର͍͔ͯ͠ͳΔมߋ΋ߦΘΕ·ͤΜɻ ୅ΘΓʹɺࢦఆͨ͠ Bicep ϑΝΠϧ͕σϓϩ Π͞Εͨ৔߹ͷมߋ͕༧ଌ͞Ε·͢ɻ what-if ૢ࡞͸ Azure PowerShellɺAzure CLIɺ·ͨ͸ REST API ૢ࡞Ͱ࢖༻Ͱ͖·͢ɻ What-if ͸ɺϦιʔε άϧʔϓɺαϒεΫϦϓγϣϯɺ؅ཧάϧʔϓɺςφϯτ Ϩϕϧ ͷσϓϩΠͰαϙʔτ͞Ε͍ͯ·͢ɻʙ IUUQTMFBSONJDSPTPGUDPNKBKQB[VSFB[VSFSFTPVSDFNBOBHFSCJDFQEFQMPZXIBUJG
    ΑΓҾ༻

19. #JDFQ
    σϓϩΠͷ
    8IBU*G
    ૢ࡞

20. ࠩ෼औಘϫʔΫϑϩʔ name: Diff resources on: pull_request: types: [opened, synchronize, reopened]

    branches: - master env: RESOURCE_GROUP_NAME: container-apps-example-rg permissions: id-token: write contents: read pull-requests: write jobs: diff: name: Diff resources environment: name: diff runs-on: ubuntu-latest steps: - name: checkout uses: actions/checkout@v3 - name: Azure Login uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Lint bicep file uses: azure/CLI@v1 with: inlineScript: | az config set bicep.use_binary_from_path=False az bicep install az bicep lint -f ./bicep/container-apps-env.bicep - name: Diff Container Apps Env settings uses: azure/CLI@v1 with: inlineScript: | az config set bicep.use_binary_from_path=False az bicep install echo -e '## Container Apps Env\n<details><summary>Resource \ and property changes details</summary>\n\n```' >> diff.txt az deployment group what-if \ -f ./bicep/container-apps-env.bicep \ --name "container-apps-diff" \ -g ${{ env.RESOURCE_GROUP_NAME }} \ | tee -a diff.txt echo -e '```\n</details>\n\n' >> diff.txt - name: Post diff uses: marocchino/sticky-pull-request-comment@v1 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} header: header-of-comment path: ./diff.txt

21. Continuous Delivery(CD) ܧଓతσϦόϦʔ

22. BicepͰContainer AppΛσϓϩΠ

23. BicepͰContainer AppΛσϓϩΠ param environmentName string = 'example-container-apps-env' param containerAppName string

    = 'example-app' param location string = resourceGroup().location param imageName string = 'example-app' param tagName string param acrUserName string @secure() param acrSecret string param revisionSuffix string param oldRevisionSuffix string param isExternalIngress bool = true @allowed([ 'multiple' 'single' ]) param revisionMode string = 'multiple' resource environment 'Microsoft.App/managedEnvironments@2022-03-01' existing = { name: environmentName } resource containerApp 'Microsoft.App/containerApps@2023-04-01-preview' = { name: containerAppName location: location properties: { workloadProfileName: 'Consumption' managedEnvironmentId: environment.id configuration: { activeRevisionsMode: revisionMode dapr:{ enabled:false } ingress: { external: isExternalIngress targetPort: 80 transport: 'auto' allowInsecure: false traffic: ((contains(revisionSuffix, oldRevisionSuffix)) ? [ { weight: 100 latestRevision: true } ] : [ { weight: 0 latestRevision: true } { weight: 100 revisionName: '${containerAppName}--${oldRevisionSuffix}' } ]) } ಈతͳ஋ ()"Ͱ౉͢ ॳճσϓϩΠ࣌༻

24. BicepͰContainer AppΛσϓϩΠ secrets: [ { name: 'acr-secret' value: acrSecret }

    ] registries: [ { server: '${acrUserName}.azurecr.io' username: acrUserName passwordSecretRef: 'acr-secret' } ] } template: { revisionSuffix: revisionSuffix containers: [ { image: '${acrUserName}.azurecr.io/${imageName}:${tagName}' name: containerAppName resources: { cpu: any('0.5') memory: '1Gi' } } ] scale: { minReplicas: 0 maxReplicas: 5 rules: [ { name: 'http-scaling-rule' http: { metadata: { concurrentRequests: '60' } } } ] } } } } output fqdn string = containerApp.properties.configuration.ingress.fqdn ίϯςφͷઃఆ εέʔϦϯάϧʔϧ

25. Azure Container Apps(࠶ܝ) ࣮ߦ؀ڥͷΠϝʔδ CONTAINER APP 1 CONTAINER(S) REPLICA REVISION

    1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APP 2 CONTAINER(S) REPLICA REVISION 1 CONTAINER(S) REPLICA REVISION 2 CONTAINER APPS ENVIRONMENT

26. #JDFQͰ$POUBJOFS
    "QQΛσϓϩΠ ϦϏδϣϯΛͲ͏ࢦఆ͢Δ͔ʁ w ೚ҙͷจࣈྻΛࢦఆՄೳ
    w Ͳͷίʔυ͔Λ༰қʹࣝผ͍ͨ͠
    w ϦϙδτϦͷUBHΛྲྀ༻͢Δ
    w ϦϏδϣϯʹ͸
    
    

    υοτ ͸࢖͑ͳ͍
    w ҎԼͷΑ͏ʹม׵ͯ͠ར༻
    v1.0.0 => v100

27. (JUIVC
    "DUJPOTͰͷϑϩʔΠϝʔδ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ ։ൃ୲౰ Github 3. PR࡞੒ ςετͳͲΛ࣮ߦ 1. ίʔυ࡞੒ɾมߋ 2.

    Push 4. work fl ow࣮ߦ 6. σϒϩΠ༻ͷtagΛଧͭ Deploy to Green 7. work fl ow࣮ߦ OPS୲౰ऀ 5. Review 9. ঝೝ଴ͪ 8. σϓϩΠ ։ൃνʔϜ 10. FlipΛঝೝ Build& Push Flip 11. ঝೝ଴ͪ Deactivate 12. DeactivateΛঝೝ

28. $*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ ί υ ͷ ν Ϋ Ξ ΢ τ

    ί ϯ ς φ Ϩ δ ε τ Ϧ ʹ ϩ ά Π ϯ λ ά ໊ Λ औ ಘ ί ϯ ς φ Λ build & push bicep ϑ Π ϧ Λ Artifact ʹ Ξ ϓ ϩ υ bicep ϑ Π ϧ Λ Artifact ͔ Β μ ΢ ϯ ϩ υ λ ά ໊ ͔ Β Ϧ Ϗ δ ϯ ໊ Λ ࡞ ੒ Azure ϩ ά Π ϯ ࣮ ߦ த ͷ Ϧ Ϗ δ ϯ Λ औ ಘ ৽ ͠ ͍ Ϧ Ϗ δ ϯ Λ σ ϓ ϩ Π (traf c: 0%) Azure ϩ ά Π ϯ ৽ چ ͷ Ϧ Ϗ δ ϯ ͷ traf c Λ ೖ ସ ͑ Azure ϩ ά Π ϯ چ Ϧ Ϗ δ ϯ Λ ࡟ আ Build Deploy Flip Deactivate ঝೝ ঝೝ

29. $*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

30. $*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

31. $*ͷϫʔΫϑϩʔ ()"
    +PC࣮ߦʹঝೝΛڬΉ

32. $*ͷϫʔΫϑϩʔ ϦϏδϣϯΛར༻ͨ͠#(σϓϩΠϝϯτ

33. $%ͷϫʔΫϑϩʔͷൈਮ - name: Deploy to containerapp uses: azure/CLI@v1 with: inlineScript:

    | az extension add --upgrade --name containerapp az config set bicep.use_binary_from_path=False az bicep install az deployment group create \ -f ./deploy.bicep \ -g ${{ env.RESOURCE_GROUP_NAME }} \ --name "${{ env.APP_NAME }}-${{ env.REVISION_SUFFIX }}" \ --parameters \ acrUserName=${{ secrets.AZURE_CONTAINER_REGISTRY_USERNAME }} \ acrSecret=${{ secrets.AZURE_CONTAINER_REGISTRY_PASSWORD }} \ tagName="${{ env.TAG }}" \ revisionSuffix=${{ env.REVISION_SUFFIX }} \ oldRevisionSuffix=${{ env.PREVIOUS_REVISION_NAME }} - name: Flip revisions uses: azure/CLI@v1 with: inlineScript: | az extension add --upgrade --name containerapp az containerapp ingress traffic set \ -g ${{ env.RESOURCE_GROUP_NAME }} \ -n ${{ env.APP_NAME }} \ --revision-weight \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.revision_suffix }}=100 \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.previous_revision_suffix }}=0 - name: Deactivate previous revision uses: azure/CLI@v1 with: inlineScript: | az extension add --upgrade --name containerapp az containerapp revision deactivate \ -g ${{ env.RESOURCE_GROUP_NAME }} \ -n ${{ env.APP_NAME }} \ --revision \ ${{ env.APP_NAME }}--${{ needs.deploy.outputs.previous_revision_suffix }} Deploy Flip Deactivate

34. ·ͱΊ • Container Apps͸ͱͯ΋࢖͍΍͢αʔϏε • Webαʔό͚ͩͰͳ͘ɺQueueϫʔΧʔ΍Cron Jobͷ࣮ߦ΋Մೳ • ༷ʑͳεέʔϧϧʔϧͰॊೈʹautoscaleՄೳ •

    BicepΛར༻͢Δ͜ͱͰൺֱత؆୯ʹIaCΛ࣮ݱͰ͖Δ • what-ifͰࠩ෼Λ֬ೝͭͭ͠ίʔυϨϏϡʔ • Github ActionsʹదٓঝೝΛڬΉ͜ͱͰݖݶΛ෼཭ͯ҆͠શʹࣗಈԽ

35. ͓͠·͍ IUUQTHJUIVCDPNLB[DPOUBJOFSBQQTFYBNQMF