Dashboard Release Pipeline

The release pipeline uses the artifacts created by the build pipeline and publishes them to the stage(s) you define. Each stage deploys the resources to the Azure subscription and resource group you specify in the deployment tasks.

The release uses variable groups and edits or adds variables in those groups, so we begin by creating a new variable group.

Variable Group

Create a variable group named {prefix}.Invictus.{stage} for each of the stages (environments) and add at least one variable (e.g. Invictus.Secrets.ApiKey1.Name = apikey1).

Make sure the Project Collection Build Service has Administrator access to these variable groups (Pipelines > Library > Security).

YAML Release Pipeline

Add the files and folders from this location to your DevOps repo. They contain an example YAML pipeline to release the Invictus for Azure Dashboard. Change the dashboard.release.yaml file according to your needs; for example, change the environments and the name of the build pipeline trigger:

resources:
  pipelines:
    # Name of the pipeline resource inside this workflow. Used to reference the pipeline resources later on (e.g. download artifacts).
    - pipeline: _build
      # Name of the pipeline in Azure Pipelines
      source: 'customer.azure.invictus.dashboard.build'
      trigger: true

Make sure to replace the azureSubscription value with the name of your service connection, as this value cannot be parameterized.

Also make sure to change the Bicep template parameters according to your needs.

If you need to override more Bicep template parameters, add them to the deployScriptParameters. A complete list of Bicep Template parameters can be found here.

Afterwards, add the dashboard.release.yaml in your DevOps environment as a pipeline.

Deploy Script Arguments

The following script arguments are used in the deploy script:

  • Mandatory Arguments

    • artifactsPath: $(ArtifactsPath)
    • devOpsObjectId: The Enterprise Application Object ID of the service principal that is connected to the DevOps service connection.
    • acrUsername: The ACR username provided by Codit, as defined in the build pipeline step.
    • acrPassword: The ACR password provided by Codit, as defined in the build pipeline step.
    • resourcePrefix: $(Infra.Environment.ShortName)-$(Infra.Environment.Region.Primary.ShortName)-$(Infra.Environment.Customer.ShortName)
    • resourceGroupName: name of the Azure Resource Group. Include the variable $(Infra.Environment.ShortName) to make this environment specific.
    • variableGroupName: The name of the variable group. Include the variable $(Infra.Environment.ShortName) to make this environment specific.
    • azureActiveDirectoryClientId: Value can be obtained by following this guide: Azure AD Setup. Leave empty if AD will be disabled.
    • azureActiveDirectoryTenantId: Value can be obtained by following this guide: Azure AD Setup. Leave empty if AD will be disabled.
    • azureActiveDirectoryClientSecret: Value can be obtained by following this guide: Azure AD Setup. Leave empty if AD will be disabled.
    • azureActiveDirectoryAudience: Value can be obtained by following this guide: Azure AD Setup. Leave empty if AD will be disabled.
    • performSqlDataMigration: If value is 1 the data migration process will run, migrating SQL data to Cosmos DB. If the value is 0, the process will be skipped. See the migration guide for more details. Once data migration has been performed and verified, it is recommended to then set this value to 0 so that the migration process is skipped for all subsequent releases.
    • flowDataTTLInDays: A positive integer value which represents the number of days flow data can live in the database. More info here.
    • isProvisionedCosmos: If the value is 1, a Cosmos DB with provisioned throughput will be deployed. If the value is 0, a serverless Cosmos DB will be deployed instead. See the relevant section below for more details.
    • identityProviderClientSecret: Value can be obtained by following this guide: Container Authentication.
    • identityProviderApplicationId: Value can be obtained by following this guide: Container Authentication.
  • Optional Arguments

    • artifactsPathScripts: uses ArtifactsPath when not specified.
    • resourceGroupLocation: $(Infra.Environment.Region.Primary) or 'West Europe' when not specified.
    • isAdDisabled: If the value is 1, the option to log into the dashboard with AAD will be removed.
    • additionalTemplateParameters: Additional named parameters for the ARM template you wish to override. More on this below.

The AdditionalTemplateParameters argument consists of named arguments you can use to override the default values used by the ARM template. You simply name the argument after the parameter. For example, if you want to use a different servicePlanSku you would add -eventHubSkuName "Standard" to the arguments of the PowerShell script.

Note that resourcePrefix and accessPolicies are overridden by the script, so there is no need to include them in the arguments.

Complete example of the arguments (note the use of -devOpsObjectId as an additional parameter):

PS> $(ArtifactsPath)/Deploy.ps1 `
    -artifactsPath "$(ArtifactsPath)" `
    -acrPath "invictusreleases.azurecr.io" `
    -acrUsername "$(Infra.Environment.ACRUsername)" `
    -acrPassword "$(Infra.Environment.ACRPassword)" `
    -resourcePrefix "$(Infra.Environment.ResourcePrefix)" `
    -resourceGroupName "$(Infra.Environment.ResourceGroup)" `
    -variableGroupName "Software.Infra.$(Infra.Environment.ShortName)" `
    -resourceGroupLocation "$(Infra.Environment.Region.Primary)" `
    -devOpsObjectId $(Infra.DevOps.Object.Id) `
    -performSqlDataMigration 0 `
    -isProvisionedCosmos 0 `
    -azureActiveDirectoryClientId "[YOUR_CLIENT_ID_HERE]" `
    -azureActiveDirectoryTenantId "[YOUR_TENANT_ID_HERE]" `
    -azureActiveDirectoryClientSecret "[YOUR_SECRET_HERE]" `
    -azureActiveDirectoryAudience "[YOUR_AUDIENCE_HERE]" `
    -identityProviderApplicationId "$(Infra.Environment.IdentityProviderApplicationId)" `
    -identityProviderClientSecret "$(Infra.Environment.IdentityProviderClientSecret)" `
    -containerAppsEnvironmentLocation "$(Infra.Environment.ContainerAppsEnvironmentLocation)" `
    -flowDataTTLInDays 90
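
The argument rules listed above can be checked before the release runs. This is an added example, not part of the Invictus deploy script or its documentation: a small Python linter that reads the Deploy.ps1 argument line as text and reports repeated, missing, malformed or hard-coded values. The `$(AD.*)` variable names, the finding labels and the rule that secret arguments must be pipeline variables are assumptions made for the illustration.

```python
import re
from collections import Counter

# Argument names are the ones in the page's "Deploy Script Arguments" list.
MANDATORY = {"artifactsPath", "devOpsObjectId", "acrUsername", "acrPassword",
             "resourcePrefix", "resourceGroupName", "variableGroupName",
             "performSqlDataMigration", "flowDataTTLInDays", "isProvisionedCosmos",
             "identityProviderClientSecret", "identityProviderApplicationId"}
AD_ARGS = {"azureActiveDirectoryClientId", "azureActiveDirectoryTenantId",
           "azureActiveDirectoryClientSecret", "azureActiveDirectoryAudience"}
SECRET_ARGS = {"acrPassword", "azureActiveDirectoryClientSecret",
               "identityProviderClientSecret"}
BINARY_FLAGS = {"performSqlDataMigration", "isProvisionedCosmos", "isAdDisabled"}
# "-name value" pairs; a quoted value is consumed whole, so hyphens inside it
# are never read as the start of another argument. Names are matched as written.
ARG_RE = re.compile(r'(?<!\S)-([A-Za-z]\w*)\s+(?:"([^"]*)"|(\S+))')
# A value made up only of Azure DevOps macros, e.g. $(Infra.Environment.ACRPassword).
MACRO_ONLY = re.compile(r'(?:\$\([\w.]+\))+')

def is_macro(value):
    return bool(MACRO_ONLY.fullmatch(value))

def lint_deploy_arguments(command):
    """Return (finding, argument) tuples for a Deploy.ps1 argument line."""
    pairs = [(m[1], m[2] if m[2] is not None else m[3])
             for m in ARG_RE.finditer(command)]
    args = dict(pairs)  # last value wins; repeats are reported separately
    counts = Counter(name for name, _ in pairs)
    findings = [("duplicate", n) for n in sorted(counts) if counts[n] > 1]
    findings += [("missing", n) for n in sorted(MANDATORY - set(args))]
    findings += [("not-0-or-1", n) for n in sorted(BINARY_FLAGS & set(args))
                 if args[n] not in ("0", "1") and not is_macro(args[n])]
    ttl = args.get("flowDataTTLInDays")
    if ttl is not None and not is_macro(ttl) and not (ttl.isdecimal() and int(ttl) > 0):
        findings.append(("not-positive-integer", "flowDataTTLInDays"))
    if args.get("isAdDisabled") != "1":  # AD values may be empty only when AD is disabled
        findings += [("empty-while-ad-enabled", n) for n in sorted(AD_ARGS)
                     if not args.get(n)]
    # Added policy, not a rule from the page: secrets come from pipeline variables.
    findings += [("literal-secret", n) for n in sorted(SECRET_ARGS & set(args))
                 if args[n] and not is_macro(args[n])]
    return findings

# Constructed sample modelled on the page's example; every value is a placeholder.
SAMPLE = '''$(ArtifactsPath)/Deploy.ps1 -artifactsPath "$(ArtifactsPath)" `
  -acrUsername "$(Infra.Environment.ACRUsername)" -acrPassword "$(Infra.Environment.ACRPassword)" `
  -resourcePrefix "$(Infra.Environment.ResourcePrefix)" -resourceGroupName "$(Infra.Environment.ResourceGroup)" `
  -variableGroupName "Software.Infra.$(Infra.Environment.ShortName)" -performSqlDataMigration 0 `
  -isProvisionedCosmos 0 -azureActiveDirectoryClientId "$(AD.ClientId)" `
  -azureActiveDirectoryTenantId "$(AD.TenantId)" -azureActiveDirectoryAudience "" `
  -azureActiveDirectoryClientSecret "constructed-literal-value" `
  -identityProviderApplicationId "$(Infra.Environment.IdentityProviderApplicationId)" `
  -identityProviderClientSecret "$(Infra.Environment.IdentityProviderClientSecret)" `
  -isProvisionedCosmos 1 -flowDataTTLInDays 0'''
```

Calling `lint_deploy_arguments(SAMPLE)` reports the repeated -isProvisionedCosmos, the missing -devOpsObjectId, the zero TTL, the empty audience and the inline client secret.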

Provisioned Throughput vs Serverless Cosmos DB

Provisioned Throughput: You specify a fixed amount of resources (RU/s) for your database, ensuring predictable performance. Best for steady workloads.

Serverless: Capacity scales automatically based on actual usage, paying only for resources used per request. Cost-effective for variable traffic (high / low usage) and infrequently accessed data.

When to use Provisioned Throughput vs Serverless Cosmos DB

Serverless in Production

  • Cost-Efficiency for Variable Workloads: Suitable for scenarios with varying input volume loads, automatically scaling down during periods of low activity to optimize cost.
  • Sporadic Traffic: Ideal for situations where the volume fluctuates or experiences occasional bursts of traffic, such as higher volume during specific hours and lower volume at other times.
  • Agile and Scalable: Collections are auto-scaled, with FlowData and WorkFlowEvents being the most affected collections when data is inserted.

Provisioned Throughput in Production

  • Fixed RU/s Allocation: Collections are allocated a defined RU/s, requiring consistent usage to make the most of the provisioned capacity.
  • Adjustable RU/s for High Volume Processing: RU/s can be increased to accommodate very high volume processing requirements, ensuring optimal performance.
  • Predictable Costs: Costs are fixed based on the allocated RU/s. However, for FlowData and WorkFlowEvents, since they are set to autoscale, there is a minimum and maximum price based on usage.

Always evaluate your application's needs and monitor performance to ensure the chosen capacity model meets expectations in the production environment.

Default Settings for Provisioned Throughput

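| Collection | RU/s | Autoscale |
| --- | --- | --- |
| Audits | 500 | No |
| DashboardSettings | 500 | No |
| Users | 500 | No |
| Groups | 500 | No |
| Statistics | 500 | No |
| FolderFlows | 500 | No |
| FlowData | 2000 | Yes |
| WorkflowEvent | 2000 | Yes |
| MessageContent | 2000 | Yes |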

Bicep Template Parameters

The tables below list the parameters accepted by the Bicep template.

Top-level parameters

Resource-independent parameters that affect all resources in the deployed resource group.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| resourcePrefix | Yes | | used as part of the default names for most resources |
| devOpsObjectId | Yes | | The object-id associated with the service principal of the enterprise application that's connected to the service connection on DevOps |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| enableVnetSupport (VNET) | Yes | false | Used to toggle VNET functionality on or off |
| vnetResourceGroupName (VNET) | Yes | | The name of the resource group on Azure where the VNET is located |
| vnetName (VNET) | Yes | | The name of the VNET resource |
| privateEndpointSubnetName (VNET) | Yes | | The name of the subnet to be used to connect the private endpoint resources |
| containerAppEnvironmentSubnetName (VNET) | Yes | | The name of the subnet to be used to connect the container app environment |
| caeVnetInfraRgName (VNET) | No | Auto-Generated by Azure | Overrides the name of the Azure auto-generated RG for Container App Environment infra |
| dnsZoneSubscriptionId (VNET) | No | Subscription ID of scope | The subscription ID of the private DNS zones. |
| dnsZoneResourceGroupName (VNET) | No | VNET RG name | The resource group name of where the private DNS zones are located. |

Active Directory parameters

Parameters related to the Azure Active Directory where the groups are synced from.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| azureActiveDirectoryClientId | Yes | | Client AAD ID required to enable AAD for dashboard |
| azureActiveDirectoryTenantId | Yes | | Tenant AAD ID required to enable AAD for dashboard |
| azureActiveDirectoryClientSecret | Yes | | Required for AD Login |
| AzureActiveDirectoryAudience | Yes | | Required for AD Login |
| isAdDisabled | No | 0 | isAdDisabled true or false |

App service parameters

Parameters related to the applications that are deployed, mostly Azure Functions.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| invictusDashboardWebAppName | No | invictus-{resourcePrefix}-invictusdashboard-v2 | Name for the dashboard web application |
| invictusDashboardGatewayFunctionName | No | invictus-{resourcePrefix}-dashboardgateway | Name for Azure Function |
| invictusImportJobFunctionName | No | invictus-{resourcePrefix}-invictusimportjob | Name for Azure Function |
| invictusCacheImportJobFunctionName | No | invictus-{resourcePrefix}-cacheimportjob | Name for Azure Function |
| invictusStoreImportJobFunctionName | No | invictus-{resourcePrefix}-storeimportjob | Name for Azure Function |
| invictusFlowHandlerFunctionName | No | invictus-{resourcePrefix}-flowhandlerjob | Name for Azure Function |
| invictusGenericReceiverFunctionName | No | invictus-{resourcePrefix}-genericreceiver | Name for Azure Function |
| invictusHttpReceiverFunctionName | No | invictus-{resourcePrefix}-httpreceiver | Name for Azure Function |
| invictusDatabaseManagerFunctionName | No | invictus-{resourcePrefix}-database-storeimportjob | Name for Azure Function |
| invictusDataFactoryReceiverFunctionName | No | invictus-{resourcePrefix}-datafactoryreceiver | Name for Azure Function |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| statisticsCutOffDays | No | -3 | The number of days in the past that homepage statistics will recalculate |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| servicePlanName | No | invictus-{resourcePrefix}-appplan-linux | Name for the service plan which will host the APIs |
| servicePlanSkuName | No | S1 | Size for the App Plan, the value of "I1" needs to be passed to install an isolated plan. |
| servicePlanSkuCapacity | No | 1 | The SKU capacity setting for the App Plan |

Storage parameters

Parameters related to the data that is stored throughout Invictus.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| cosmosAccountName | No | invictus-{resourcePrefix}-cosmos-serverless/provisoned | Name for Cosmos account |
| cosmosDatabaseName | No | InvictusDashboard | Name for Cosmos database |
| isProvisionedCosmos | Yes | 0 (: true) | isProvisionedCosmos true or false |
| cosmosDbSubnets (VNET) | Yes | [] | An array of string. The values need to match the subnet names on the VNET. |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| storageAccountName | No | invictus{resourcePrefix}store | Name for the Azure Storage resource. Dashes (-) will be removed from {resourcePrefix} |
| storageAccountType | No | Standard_LRS | The Storage account StorageAccountSkuType |
| messageStatusCacheDeleteAfterDays | No | 30 | The number of days without modification for the message status cache to be deleted |
| storageAccountSubnets (VNET) | Yes | [] | An array of string. The values need to match the subnet names on the VNET |
| disableStorageAccountPublicNetworkAccess (VNET) | No | false | If true, the Invictus storage account will not be accessible from a public network. |
| storageAccountMinimumTLSVersion (VNET) | No | TLS1_2 | Set the required TLS value for the storage account. Accepted values: TLS1_0, TLS1_1, TLS1_2 |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| flowDataTTLInDays | Yes | | A positive integer value which represents the amount of days flow data can live in the database |
| cleanupJobIntervalInMinutes | No | 1440 | Interval in minutes for the cleanup job |
| workFlowCleanupJobIntervalInMinutes | No | 180 | Interval in minutes for the workflowevent cleanup job |
| dataWorkFlowCleanupMaxRetentionDays | No | 90 | Max number of days the WorkFlowEvent data is stored |

Messaging parameters

Parameters related to the messaging resources that import the flow information into storage.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| serviceBusNamespaceName | No | invictus-{resourcePrefix}-sbs | Name for the Service Bus Namespace resource |
| serviceBusSkuName | No | Standard or Premium if VNET enabled | Name for the Service Bus SKU |
| serviceBusSubnets (VNET) | Yes | [] | An array of string. The values need to match the subnet names on the VNET |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| eventHubNamespaceName | No | invictus-{resourcePrefix}-evnm | Name for the Event Hub Namespace resource |
| eventHubSkuName | No | Basic | The SKU name of the EventHub Namespace |
| eventHubSkuTier | No | Basic | The Tier name for the EventHub Namespace |
| eventHubSkuCapacity | No | 1 | The SKU capacity for the EventHub Namespace |
| eventHubAutoInflate | No | false | The EventHub setting to enable auto-inflate |
| eventHubMaxThroughputUnits | No | 0 | Max throughput setting for EventHub |
| eventHubMessageRetentionInDays | No | 1 | The number of days EventHub will retain messages. Note: eventHubSkuName and eventHubSkuTier must be set to Standard to exceed 1 day of retention. |
| eventHubSubnets (VNET) | Yes | [] | An array of string. The values need to match the subnet names on the VNET |

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| eventHubName | No | invictus-{resourcePrefix}-evhb | Name for the Event Hub created on the Namespace |
| eventHubNameV2 | No | invictus-{resourcePrefix}-evhb-v2 | Name for the Event Hub for standard LA's created on the Namespace |
| workflowEventHubName | No | invictus-{resourcePrefix}-workflow-evhb | EventHub name for the import job |
| dataMergeWorkflowEventHubName | No | invictus-{resourcePrefix}-mergeddata-evhb | EventHub name for the data merge import job |
| sideTasksWorkflowEventHubName | No | invictus-{resourcePrefix}-sidetasks-evhb | EventHub name for the side tasks |
| dataFactoryEventHubName | No | invictus-{resourcePrefix}-df-evhb | EventHub name for the data factory import job |
| genericEventHubName | No | invictus-{resourcePrefix}-genericreceiver-evhb | EventHub name for the import job |

Secret parameters

Parameters related to the security of the deployed applications.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| keyVaultName | No | invictus-{resourcePrefix}-vlt | Name for the Key Vault Service Namespace resource |
| keyVaultEnablePurgeProtection | No | null | If true, enables key vault purge protection. Once enabled, this property can never be disabled. |
| jwtSecretToken | No | Generated on first use | JWT Secret used for login |
| keyVaultSubnets (VNET) | Yes | [] | An array of string. The values need to match the subnet names on the VNET |

Observability parameters

Parameters related to the observability of the deployed applications.

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| appInsightsName | No | invictus-{resourcePrefix}-appins | Name for the Application Insights resource |
| alertingAppInsightsName | No | invictus-{resourcePrefix}-alertingappins | Name for the Application Insights resource used for alerting |
| importjobAppInsightsName | No | invictus-{resourcePrefix}-importjobappins | Name for Application Insights used by importjob |
| appInsightsSamplingPercentage | No | 1 | The sampling percentage for the Application Insights resource |
| importJobAppInsightsSamplingPercentage | No | 1 | The sampling percentage for the import job Application Insights resource |

Scaling parameters

Azure Container Apps allow for flexible scaling customization. In Invictus we have provided default scaling values which can be customized according to your scenario.

Container Apps have the ability to scale down to zero replicas. This is a great cost-saving option, especially for components which are not used at all. A container app scaled to zero will automatically scale out when triggered; however, this may take up to a few minutes to complete. This could prove to be an issue in scenarios with a limited timeout, e.g. Logic Apps with a 120-second timeout. In such cases there is no option but to set a minimum replica count of 1.

| Parameter | Required |
| --- | --- |
| dashboardScaling | No |
| dashboardGatewayScaling | No |
| cacheImportJobScaling | No |
| dbImportJobScaling | No |
| datafactoryReceiverScaling | No |
| flowhandlerScaling | No |
| genericReceiverScaling | No |
| httpReceiverScaling | No |
| importJobScaling | No |
| storeImportJobScaling | No |

Each of the above parameters accepts an object:

{
  scaleMinReplicas: int
  scaleMaxReplicas: int
  cpuResources: string
  memoryResources: string
}

| Parameter value | Description |
| --- | --- |
| scaleMinReplicas | The lowest number of replicas the Container App will scale in to. |
| scaleMaxReplicas | The highest number of replicas the Container App will scale out to. |
| cpuResources | The amount of cpu resources to dedicate for the container resource. See here for allowed values. |
| memoryResources | The amount of memory resources to dedicate for the container resource. See here for allowed values. |