Updated getting started doc to include section for using existing resources. #200
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -99,3 +99,71 @@ This command creates and configures a Symphony project that includes a code repo | |
| | CI-Destroy main workflow | an Azure devops pipeline or a GitHub action ,based on the selected tool in cmd, to destroy a previously deployed environment using the CI-Deploy workflow. | Azure devOps/GitHub | | ||
| |AZURE_CREDENTIALS Secret | GitHub Secret to store the Symphony **Reader Service Principal** credentials used by the Workflows to access the Symphony KeyVault | GitHub | | ||
| |Symphony-KV Service Connection | Azure DevOps ARM Service connection using **Reader Service Principal** credentials used by the pipelines to access the Symphony KeyVault | Azure DevOps | | ||
|
|
||
| ## Using Existing Resources | ||
|
|
||
| Existing resources can be used with Symphony. The resources, however will need to follow a specific naming convention. To use existing resources you will need to create a `symphony.json` in a top level `.symphony` folder. A prefix and suffix value is required. Below is an basic example of that file: | ||
|
|
||
| ``` json | ||
| { | ||
| "prefix": "{prefix}", | ||
| "suffix": "{suffix}" | ||
| } | ||
| ``` | ||
|
|
||
| The pre-created resources must follow the current naming convention. | ||
|
|
||
| | Resource | naming convention | | ||
|
There was a problem hiding this comment. Please add more detailed description for each resource features. the keyvault expect a group of secrets with specific names. The container registry stores the sample app 'eshop on web' api, and web images. Those needs to be created based on a certain commid Id from the eshop repo symphony/scripts/install/provision.sh Line 319 in c60ab3a There was a problem hiding this comment. When running Symphony provision with pre-created resources like a keyvault, it won't create the keyvault but I'm sure it will still make the secrets. Same for the other resources. The containers will be created for the storage accounts and the images will be pushed to the pre-created ACR. I can double check though. There was a problem hiding this comment. @malcmiller - Even if symphony provision can create those secrets, part of "bring your own" dependencies is allowing users to skip provision entirely. We need to document everything that needs to be done in lieu of symphony provision and that includes setting up secrets and service principals. |
||
| | ----------------------------- | ------------------- | | ||
| | Resource Group | rg-{prefix}-{suffix} | | ||
| | Keyvault | kv-{prefix}-{suffix} | | ||
| | state storage account | sastate{prefix}{suffix} | | ||
| | backup state storage account | sastatebkup{prefix}{suffix} | | ||
| | container registry | cr{prefix}{suffix} | | ||
|
|
||
| ### Existing Keyvault | ||
|
|
||
| When using an existing keyvault the following secrets must be present. | ||
|
|
||
| | Name | description | | ||
| | ----------------------------- | ------------------- | | ||
| | stateStorageAccount | name of the storage account that contains the tfstate | | ||
|
There was a problem hiding this comment. please add a note here that those secrets (stateStorageAccount, stateStorageAccountBackup, stateContainer, and stateRg) are needed only if you provision Symphony for terraform. |
||
| | stateStorageAccountBackup | name of the backup storage account that contains the tfstate | | ||
| | stateContainer | name of the container that contains the tfstate file | | ||
| | stateRg | resource group containing the storage account | | ||
| | clientId | service principal client id | | ||
| | clientSecret | service principal client secret | | ||
| | subscriptionId | service principal subscription ID | | ||
| | tenantId | service principal tenant ID | | ||
| | readerClientId | reader service principal client id | | ||
| | readerClientSecret | reader service principal client id | | ||
| | readerSubscriptionId | reader service principal client id | | ||
| | readerTenantId | reader service principal client id | | ||
|
|
||
|
There was a problem hiding this comment. add a section about the service principals. The owner service principal is the one used to access the env subscription on which resources will be deployed. While the reader service principal is used to create GH Secret or Azure DevOps service connection to access the Symphony Key vault. The reader Service principal needs to have policy permissions to (get list backup restore) the vault secrets. |
||
| ### Existing Storage Accounts | ||
|
|
||
| When using an existing State Storage Account or Backup State Storage Account, a container name tfstate must be present. | ||
|
|
||
| ### Existing Container Registry | ||
|
There was a problem hiding this comment. I would leave a note here that ACR is only needed for the canonical application that we ship and is not part of symphony core itself. |
||
|
|
||
| When the acr is deployed using symphony, eshop images will be pushed. One for the API and one for the Web. The repo can be cloned from here: `https://github.com/dotnet-architecture/eShopOnWeb.git`. You can then build and push the containers to your acr. Below are some commands to start with: | ||
|
|
||
| ```bash | ||
| RG_NAME=${Enter your resource group name} | ||
| CR_NAME=${Enter your container registry name} | ||
|
|
||
| APP_REPO="https://github.com/dotnet-architecture/eShopOnWeb.git" | ||
| APP_COMMIT="a72dd77" | ||
| APP_WEB_NAME="eshopwebmvc" | ||
| APP_WEB_DOCKERFILE="src/Web/Dockerfile" | ||
| APP_API_NAME="eshoppublicapi" | ||
| APP_API_DOCKERFILE="src/PublicApi/Dockerfile" | ||
|
|
||
| git clone "${APP_REPO}" "_app" | ||
|
|
||
| git checkout "${APP_COMMIT}" | ||
|
|
||
| az acr build --image "${APP_WEB_NAME}:${APP_COMMIT}" --registry "${CR_NAME}" --resource-group "${RG_NAME}" --file "${APP_WEB_DOCKERFILE}" . | ||
|
|
||
| az acr build --image "${APP_API_NAME}:${APP_COMMIT}" --registry "${CR_NAME}" --resource-group "${RG_NAME}" --file "${APP_API_DOCKERFILE}" . | ||
| ``` | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also add a note that instead of using symphony provision a user can use existing resources, basically making it clear that this replaces the need to run
symphony provision