Provision Azure Managed Grafana workspace #6304
Conversation
| - task: AzureCLI@2 | ||
| displayName: 'Validate Bicep Template' | ||
| inputs: | ||
| azureSubscription: '${{ parameters.ServiceConnectionName }}' | ||
| scriptType: 'ps' | ||
| scriptLocation: 'inlineScript' | ||
| inlineScript: | | ||
| Write-Host "Validating Grafana Bicep template..." | ||
| if (!(Test-Path "eng/deployment/azure-managed-grafana.bicep")) { | ||
| throw "Bicep template not found: azure-managed-grafana.bicep" | ||
| } | ||
| az bicep build --file eng/deployment/azure-managed-grafana.bicep | ||
| if ($LASTEXITCODE -ne 0) { | ||
| throw "Bicep template validation failed" | ||
| } | ||
| Write-Host "SUCCESS: Bicep template validation successful" |
There was a problem hiding this comment.
Feels like this task should also happen earlier when the rest of the code is built and tested. And this should probably also happen even in PRs.
There was a problem hiding this comment.
This has been added the build stage and pr pipeline
| GrafanaWorkspaceName: dnceng-grafana-staging | ||
| GrafanaKeyVault: dnceng-grafana-int-kv | ||
| GrafanaVariableGroup: Dnceng-Managed-Grafana-Staging-Vg | ||
| ServiceConnectionClientId: 4ad9ae35-2d42-4245-a954-9003b7e31349 |
There was a problem hiding this comment.
What are these service connections? Tell me more about them.
There was a problem hiding this comment.
The GrafanaWorkspaceName is the name of the Grafana instance in azure.
The GrafanaKeyVault, GrafanaVariableGroup and ServiceConnectionClientId are not in use and can be deleted.
There was a problem hiding this comment.
Any thoughts about using this file (or at least this pattern) to also deploy all the things necessary for Grafana? Like the keyvaults, identities and their permissions?
There was a problem hiding this comment.
None currently. I can start working on this
There was a problem hiding this comment.
This is good but I see that it's only a part of what is required for a full functioning Grafana installation. Do you have any docs or scripts or anything that describe the rest of this? Those will be helpful in this review so I can see that this code fits properly with that plan.
| # Verify role assignments | ||
| Write-Host "Checking role assignments..." | ||
| $roleAssignments = az role assignment list --scope $workspace.id --query '[].{principalId:principalId, roleDefinitionName:roleDefinitionName}' 2>$null | ConvertFrom-Json | ||
| if ($roleAssignments) { | ||
| $roleAssignments | ForEach-Object { | ||
| Write-Host " Role: $($_.roleDefinitionName) - Principal: $($_.principalId)" | ||
| } | ||
| } else { | ||
| Write-Host " No role assignments found" | ||
| } |
There was a problem hiding this comment.
I like the idea of "verify role assignments" but this seems to just be printing out assignments. It's not actually verifying anything.
2 participants
No description provided.