Apim cache refactor

Gordonby · Dec 24, 2021 · 1696867 · 1696867
1 parent a08e629
commit 1696867
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 21 deletions.
diff --git a/bicep/application/icecreamratings.bicep b/bicep/application/icecreamratings.bicep
@@ -1,18 +1,26 @@
 @description('The name seed for all your other resources.')
-param resNameSeed string = 'icecre4'
+param resNameSeed string = 'icecre7'
 
-@description('The application name of the Function App')
+@description('The short application name of the Function App')
 param appName string = 'ratings'
 
 @allowed([
-  'dev'
-  'prod'
+  'dev' //Small scale, no protection or backup
+  'pre-prod' //Large scale, no protection or backup
+  'prod' //Large scale, with production and backup
 ])
+@description('The type of environment being deployed')
 param environment string = 'dev'
 
+@description('The name of the CosmosDb collection to create for the app')
 param cosmosDbCollecionName string = appName
 
-var isProdEnvironment = environment == 'prod'
+@description('The collection partitionkey')
+param cosmosDbPartitionKey string = 'productId'
+
+@description('Logic to leverage environment protection like SoftDelete')
+var environmentProtectionAndBackup = environment == 'prod'
+
 @description('Creating the serverless app stack')
 module serverlessapp '../archetype/apimCosmosApp.bicep' = {
   name: 'serverlessapp-${resNameSeed}'
@@ -21,15 +29,16 @@ module serverlessapp '../archetype/apimCosmosApp.bicep' = {
     appName: appName
     apiManagementSku: 'Consumption'
     AppGitRepoUrl: 'https://github.com/oh-sless-t2/ice-cream-rating-api'
-    enableKeyVaultSoftDelete: isProdEnvironment
+    enableKeyVaultSoftDelete: environmentProtectionAndBackup
     cosmosDbDatabaseName: 'icecream'
     cosmosDbCollectionName: cosmosDbCollecionName
-    cosmosDbPartitionKey: 'productId'
+    cosmosDbPartitionKey: cosmosDbPartitionKey
+    restrictTrafficToJustAPIM: environment != 'dev'
   }
 }
 
-@description('Create a web test on the functionApp')
-module webTest '../foundation/appinsightswebtest.bicep' = {
+@description('Create a web test on the functionApp itself, will only work if functionApp is not APIM IP restricted (dev environment)')
+module webTest '../foundation/appinsightswebtest.bicep' = if(environment == 'dev') {
   name: 'WebTest-${appName}'
   params: {
     Name: appName

diff --git a/bicep/archetype/apimCosmosApp.bicep b/bicep/archetype/apimCosmosApp.bicep
@@ -105,6 +105,8 @@ module cosmos '../foundation/cosmos-sql.bicep' = {
     AppIdentityRG: resourceGroup().name
     capacityMode: cosmosDbCapacityMode
     freeTier: cosmosDbFreeTier
+    keyvaultName: akv.outputs.name
+    keyvaultConnectionStringSecretName: '${appName}CosmosDbConnectionString'
   }
 }
 

diff --git a/bicep/foundation/apim-cacheconfig.bicep b/bicep/foundation/apim-cacheconfig.bicep
@@ -0,0 +1,23 @@
+param apimName string
+param redisName string
+
+resource apim 'Microsoft.ApiManagement/service@2021-04-01-preview' existing = {
+  name: apimName
+}
+
+resource redis 'Microsoft.Cache/redis@2020-12-01' existing = {
+  name: redisName
+}
+
+var redisconnectionstring = '${redis.properties.hostName}:${redis.properties.sslPort},password=${redis.listKeys().primaryKey},ssl=True,abortConnect=False'
+
+resource apimcache 'Microsoft.ApiManagement/service/caches@2021-04-01-preview' = {
+  name: resourceGroup().location
+  parent: apim
+  properties: {
+    useFromLocation: resourceGroup().location
+    description: redis.properties.hostName
+    resourceId: '${environment().resourceManager}${substring(redis.id,1)}'
+    connectionString: redisconnectionstring
+  }
+}
diff --git a/bicep/foundation/apim.bicep b/bicep/foundation/apim.bicep
@@ -100,17 +100,12 @@ module redis 'redis.bicep' = if(useRedisCache) {
 //   }
 // }
 
-
-var redisconnectionstring = '${redis.outputs.hostName}:${redis.outputs.sslPort},password=${listKeys('Microsoft.Cache/redis/${redisName}','2020-12-01').primaryKey},ssl=True,abortConnect=False'
-
-resource apimcache 'Microsoft.ApiManagement/service/caches@2021-04-01-preview' = if(useRedisCache) {
-  name: resourceGroup().location
-  parent: apim
-  properties: {
-    useFromLocation: resourceGroup().location
-    description: redis.outputs.hostName
-    resourceId: redis.outputs.redisfullresourceid
-    connectionString: redisconnectionstring
+@description('We need to use a module for the config to ensure both Redis and APIM have been created to avoid prematurely invoking ListKeys, and to avoid using outputs for keys/secrets')
+module apimRedisCacheConfig 'apim-cacheconfig.bicep' = if(useRedisCache) {
+  name: 'ApimCacheConfig'
+  params: {
+    redisName: redis.outputs.name
+    apimName: apim.name
   }
 }
 

diff --git a/bicep/foundation/kv.bicep b/bicep/foundation/kv.bicep
@@ -39,4 +39,4 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' =  {
     enableSoftDelete: enableSoftDelete
   }
 }
-
+output name string = kvName
diff --git a/bicep/foundation/redis.bicep b/bicep/foundation/redis.bicep
@@ -44,6 +44,7 @@ resource diags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
   }
 }
 
+output name string = redis.name
 output hostName string = redis.properties.hostName
 output sslPort int = redis.properties.sslPort
 output id string = redis.id
-Original file line number
+Diff line change
@@ Expand Up / @@ -39,4 +39,4 @@ resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = { @@
         enableSoftDelete: enableSoftDelete
       }
     }
+    output name string = kvName