Solution creation
This section shows you how you can orchestrate a deployment using multiple resource modules.
Note: In the below examples, we assume you leverage Bicep as your primary DSL (domain specific language).
There are several open-source repositories that leverage the CARML library today. Alongside the examples, we provide you with below, the referenced repositories are a good reference on how you can leverage CARML for larger solutions.
| Repository | Description |
|---|---|
| AVD Accelerator | AVD Accelerator deployment automation to simplify the setup of AVD (Azure Virtual Desktop) |
| AKS Baseline Automation | Repository for the AKS Landing Zone Accelerator program's Automation reference implementation |
| DevOps Self-Hosted | - Create & maintain images with a pipeline using the Azure Image Builder service - Deploy & maintain Azure DevOps Self-Hosted agent pools with a pipeline using Virtual Machine Scale Set |
When it comes to deploying multi-module solutions (applications/workloads/environments/landing zone accelerators/etc.), we can differentiate two types of orchestration methods:
-
Template-orchestration: These types of deployments reference individual modules from a 'main' Bicep or ARM/JSON template and use the capabilities of this template to pass parameters & orchestrate the deployments. By default, deployments are run in parallel by the Azure Resource Manager, while accounting for all dependencies defined. With this approach, the deploying pipeline only needs one deployment job that triggers the template's deployment.
-
Pipeline-orchestration: This approach uses the platform specific pipeline capabilities (for example, pipeline jobs) to trigger the deployment of individual modules, where each job deploys one module. By defining dependencies in between jobs you can make sure your resources are deployed in order. Parallelization is achieved by using a pool of pipeline agents that run the jobs, while accounting for all dependencies defined.
Both the template-orchestration, as well as pipeline-orchestration may run a validation and subsequent deployment in the same Azure subscription. This subscription should be the subscription where you want to host your production solution. However, you can extend the concept and for example, deploy the solution first to an integration and then a production subscription.
The template-orchestrated approach means using a main or so-called master template for deploying resources in Azure. This template will only contain nested deployments, where the modules - instead of directly embedding their content into the master template - will be referenced by the master template.
With this approach, modules need to be stored in an available location, where the Azure Resource Manager (ARM) can access them. This can be achieved by storing the module templates in an accessible location like local, Template Specs or the Bicep Registry.
In an enterprise environment, the recommended approach is to store these master templates in a private environment, only accessible by enterprise resources. Thus, only trusted authorities can have access to these files.
Once you start building a solution using this library, you may wonder how best to start. Following, you can find some points that can accelerate your experience:
- Use the VS-Code extension for Bicep to enable DSL-native features such as auto-complete. Metadata implemented in the modules are automatically loaded through the extension.
- Use the readme
- If you don't know how to use an object/array parameter, you can check if the module's ReadMe file specifies any 'Parameter Usage' block for the given parameter (example) - or - check the module's
Deployment Examples(example). - In general, take note of the
Deployment Examplesspecified in each module's ReadMe file, as they provide you with rich & tested examples of how a given module can be deployed (example). An easy way to get started is to copy one of the examples and then adjust it to your needs.
- If you don't know how to use an object/array parameter, you can check if the module's ReadMe file specifies any 'Parameter Usage' block for the given parameter (example) - or - check the module's
- Note the outputs that are returned by each module.
- If an output you need isn't available, you have 2 choices:
- Add the missing output to the module
- Reference the deployed resource using the
existingkeyword (Note: You cannot reference the same resource as both a new deployment &existing. To make this work, you have to move theexistingreference into it's own.bicepfile).
- If an output you need isn't available, you have 2 choices:
Referencing local files
The following example shows how you could orchestrate a deployment of multiple resources using local module references. In this example, we will deploy a resource group with a Network Security Group (NSG), and use them in a subsequent VNET deployment.
targetScope = 'subscription'
// ================ //
// Input Parameters //
// ================ //
// RG parameters
@description('Optional. The name of the resource group to deploy')
param resourceGroupName string = 'validation-rg'
@description('Optional. The location to deploy into')
param location string = deployment().location
// NSG parameters
@description('Optional. The name of the vnet to deploy')
param networkSecurityGroupName string = 'LocalFilesDemoNsg'
// VNET parameters
@description('Optional. The name of the vnet to deploy')
param vnetName string = 'LocalFilesDemoVnet'
@description('Optional. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
param vNetAddressPrefixes array = [
'10.0.0.0/16'
]
@description('Optional. An Array of subnets to deploy to the Virual Network.')
param subnets array = [
{
name: 'PrimarySubnet'
addressPrefix: '10.0.0.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
{
name: 'SecondarySubnet'
addressPrefix: '10.0.1.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
]
// =========== //
// Deployments //
// =========== //
// Resource Group
module rg '../arm/Microsoft.Resources/resourceGroups/deploy.bicep' = {
name: 'registry-rg'
params: {
name: resourceGroupName
location: location
}
}
// Network Security Group
module nsg '../arm/Microsoft.Network/networkSecurityGroups/deploy.bicep' = {
name: 'registry-nsg'
scope: resourceGroup(resourceGroupName)
params: {
name: networkSecurityGroupName
}
dependsOn: [
rg
]
}
// Virtual Network
module vnet '../arm/Microsoft.Network/virtualNetworks/deploy.bicep' = {
name: 'registry-vnet'
scope: resourceGroup(resourceGroupName)
params: {
name: vnetName
addressPrefixes: vNetAddressPrefixes
subnets: subnets
}
dependsOn: [
nsg
rg
]
}Referencing a Private Bicep Registry
The following example shows how you could orchestrate a deployment of multiple resources using modules from a private Bicep Registry. In this example, we will deploy a resource group with a Network Security Group (NSG), and use them in a subsequent VNET deployment.
Note: the preferred method to publish modules to the Bicep registry is to leverage the CI environment provided in this repository. However, this option may not be applicable to all scenarios (ref e.g., the Consume library section). As an alternative, the same
Publish-ModuleToPrivateBicepRegistry.ps1script leveraged by the publishing step of the CI environment pipeline can also be run locally.
targetScope = 'subscription'
// ================ //
// Input Parameters //
// ================ //
// RG parameters
@description('Optional. The name of the resource group to deploy')
param resourceGroupName string = 'validation-rg'
@description('Optional. The location to deploy into')
param location string = deployment().location
// NSG parameters
@description('Optional. The name of the vnet to deploy')
param networkSecurityGroupName string = 'BicepRegistryDemoNsg'
// VNET parameters
@description('Optional. The name of the vnet to deploy')
param vnetName string = 'BicepRegistryDemoVnet'
@description('Optional. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
param vNetAddressPrefixes array = [
'10.0.0.0/16'
]
@description('Optional. An Array of subnets to deploy to the Virual Network.')
param subnets array = [
{
name: 'PrimarySubnet'
addressPrefix: '10.0.0.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
{
name: 'SecondarySubnet'
addressPrefix: '10.0.1.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
]
// =========== //
// Deployments //
// =========== //
// Resource Group
module rg 'br/modules:microsoft.resources.resourcegroups:0.4.735' = {
name: 'registry-rg'
params: {
name: resourceGroupName
location: location
}
}
// Network Security Group
module nsg 'br/modules:microsoft.network.networksecuritygroups:0.4.735' = {
name: 'registry-nsg'
scope: resourceGroup(resourceGroupName)
params: {
name: networkSecurityGroupName
}
dependsOn: [
rg
]
}
// Virtual Network
module vnet 'br/modules:microsoft.network.virtualnetworks:0.4.735' = {
name: 'registry-vnet'
scope: resourceGroup(resourceGroupName)
params: {
name: vnetName
addressPrefixes: vNetAddressPrefixes
subnets: subnets
}
dependsOn: [
nsg
rg
]
}The example assumes you are using a bicepconfig.json configuration file like:
{
"moduleAliases": {
"br": {
"modules": {
"registry": "<registryName>.azurecr.io",
"modulePath": "bicep/modules"
}
}
}
}Referencing Template-Specs
The following example shows how you could orchestrate a deployment of multiple resources using template specs. In this example, we will deploy a resource group with a Network Security Group (NSG), and use them in a subsequent VNET deployment.
Note: the preferred method to publish modules to template-specs is to leverage the CI environment provided in this repository. However, this option may not be applicable to all scenarios (ref e.g., the Consume library section). As an alternative, the same Publish-ModuleToTemplateSpec.ps1 script leveraged by the publishing step of the CI environment pipeline can also be run locally.
targetScope = 'subscription'
// ================ //
// Input Parameters //
// ================ //
// RG parameters
@description('Optional. The name of the resource group to deploy')
param resourceGroupName string = 'validation-rg'
@description('Optional. The location to deploy into')
param location string = deployment().location
// Network Security Group parameters
@description('Optional. The name of the vnet to deploy')
param networkSecurityGroupName string = 'TemplateSpecDemoNsg'
// Virtual Network parameters
@description('Optional. The name of the vnet to deploy')
param vnetName string = 'TemplateSpecDemoVnet'
@description('Optional. An Array of 1 or more IP Address Prefixes for the Virtual Network.')
param vNetAddressPrefixes array = [
'10.0.0.0/16'
]
@description('Optional. An Array of subnets to deploy to the Virual Network.')
param subnets array = [
{
name: 'PrimarySubnet'
addressPrefix: '10.0.0.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
{
name: 'SecondarySubnet'
addressPrefix: '10.0.1.0/24'
networkSecurityGroupName: networkSecurityGroupName
}
]
// =========== //
// Deployments //
// =========== //
// Resource Group
module rg 'ts/modules:microsoft.resources.resourcegroups:0.4.735' = {
name: 'rgDeployment'
params: {
name: resourceGroupName
location: location
}
}
// Network Security Group
module nsg 'ts/modules:microsoft.network.networksecuritygroups:0.4.735' = {
name: 'nsgDeployment'
scope: resourceGroup(resourceGroupName)
params: {
name: networkSecurityGroupName
}
dependsOn: [
rg
]
}
// Virtual Network
module vnet 'ts/modules:microsoft.network.virtualnetworks:0.4.735' = {
name: 'vnetDeployment'
scope: resourceGroup(resourceGroupName)
params: {
name: vnetName
addressPrefixes: vNetAddressPrefixes
subnets : subnets
}
dependsOn: [
rg
nsg
]
}The example assumes you are using a bicepconfig.json configuration file like:
{
"moduleAliases": {
"ts": {
"modules": {
"subscription": "<<subscriptionId>>",
"resourceGroup": "artifacts-rg"
}
}
}
}
The modules provided in this repo can be orchestrated to create more complex infrastructures, and as such, reusable solutions or products. To deploy resources, the pipeline-orchestration approach leverages the modules & pipeline templates of the 'ResourceModules' repository. Each pipeline job deploys one instance of a resource and the order of resources deployed in a multi-module solution is controlled by specifying dependencies in the pipeline itself.
GitHub Sample solution for multi-repository approach
- Below, you can find an example which makes use of multiple repositories to orchestrate the deployment (also known as a multi-repository approach) in GitHub.
- It fetches the public Azure/ResourceModules repo for consuming bicep modules and uses the parameter files present in the private Contoso/MultiRepoTest repo for deploying infrastructure.
- This example is creating a Resource group, an NSG and a VNet -
- Job: Deploy multi-repo solution
- Checkout 'Azure/ResourceModules' repo at root of the agent
- Set environment variables for the agent
- Checkout 'contoso/MultiRepoTest' repo containing the parameter files in a nested folder - "MultiRepoTestParentFolder"
- Deploy resource group in target Azure subscription
- Deploy network security group
- Deploy virtual network A
- Job: Deploy multi-repo solution
name: 'Multi-Repo solution deployment'
on:
push:
branches:
- main
paths:
- 'network-hub-rg/Parameters/**'
- '.github/workflows/network-hub.yml'
env:
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
removeDeployment: false
variablesPath: 'global.variables.yml'
jobs:
job_deploy_multi_repo_solution:
runs-on: ubuntu-20.04
name: 'Deploy multi-repo solution'
steps:
- name: 'Checkout ResourceModules repo at the root location'
uses: actions/checkout@v2
with:
repository: 'Azure/ResourceModules'
fetch-depth: 0
- name: Set environment variables
uses: ./.github/actions/templates/setEnvironmentVariables
with:
variablesPath: ${{ env.variablesPath }}
- name: 'Checkout MultiRepoTest repo in a nested MultiRepoTestParentFolder'
uses: actions/checkout@v2
with:
repository: 'contoso/MultiRepoTest'
fetch-depth: 0
path: 'MultiRepoTestParentFolder'
- name: 'Deploy resource group'
uses: ./.github/actions/templates/validateModuleDeployment
with:
templateFilePath: './arm/Microsoft.Resources/resourceGroups/deploy.bicep'
parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/ResourceGroup/parameters.json'
location: '${{ env.defaultLocation }}'
resourceGroupName: '${{ env.resourceGroupName }}'
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
removeDeployment: $(removeDeployment)
- name: 'Deploy network security group'
uses: ./.github/actions/templates/validateModuleDeployment
with:
templateFilePath: './arm/Microsoft.Network/networkSecurityGroups/deploy.bicep'
parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/NetworkSecurityGroups/parameters.json'
location: '${{ env.defaultLocation }}'
resourceGroupName: '${{ env.resourceGroupName }}'
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
removeDeployment: $(removeDeployment)
- name: 'Deploy virtual network A'
uses: ./.github/actions/templates/validateModuleDeployment
with:
templateFilePath: './arm/Microsoft.Network/virtualNetworks/deploy.bicep'
parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/VirtualNetwork/vnet-A.parameters.json'
location: '${{ env.defaultLocation }}'
resourceGroupName: '${{ env.resourceGroupName }}'
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
removeDeployment: $(removeDeployment)
- 'Azure/ResourceModules' repo has been checked out at the root location intentionally because GitHub Actions expect the underlying utility scripts and variables at a specific location.
- 'contoso/MultiRepoTest' repo has been checked out in a nested folder, called "MultiRepoTestParentFolder", to distinguish it from the folders of the other repo in the agent, but can also be downloaded at the root location if desired.