Module 8 Hometask

Uploaded by

Shiva Singh

Azure DevOps Lab

MICROSOFT AZURE

Module 8. Azure container services.


Home tasks

Legal Notice: This document contains privileged and/or confidential information and may not be
disclosed, distributed or reproduced without the prior written permission of EPAM®.

CONFIDENTIAL | Effective Date: 01-Sept-23


CONTENTS
MICROSOFT AZURE
1. AGENDA
2. ACCEPTANCE CRITERIA
3. TASK
4. TASK RESULT
5. USEFUL LINKS



1. AGENDA
The problem of an application failing to run correctly when moved from one environment to
another is as old as software development itself. Such problems typically arise from differences in
configuration, underlying library requirements, and other dependencies.
Containers address this problem by providing a lightweight, immutable infrastructure for
application packaging and deployment. An application or service, its dependencies, and its
configuration are packaged together as a container image. The containerized application can be tested
as a unit and deployed as a container image instance to the host operating system.
There are many options for teams to build and deploy cloud native and containerized
applications on Azure.
In this task, you will get acquainted with the following Azure Container services:
• Azure Container Registry
• Azure Container Instance
• Web App for Containers
• Azure Container Apps
• Azure Kubernetes Service
Every Azure resource has pros and cons. There's no perfect solution for every use case and
every team.
In this task we ask you to build a production-style design and reproduce the typical steps you
will encounter when working with Azure container resources. You need to automate
provisioning of the Azure resources mentioned above by means of Terraform. You will also build and
deploy a simple application to these Azure services via Terraform.
Please use the links in section 5 to complete your homework successfully.

2. ACCEPTANCE CRITERIA
1. The homework corresponds to the task details, requirements and attachment recommendations.
2. The Terraform configuration is properly formatted and meets all requirements and best practices
studied in previous modules.
3. The Terraform configuration for each Azure resource must be a module.
4. A tutor should be able to execute your Terraform configuration without modifications. Any
hardcoded value that can affect a re-run must be fixed. If your code depends in some way on the OS
(or shell), inform your tutor and describe why.
5. The minimal Terraform version is 1.5.0.
6. All resource names should use a common name pattern and be aligned with the Azure abbreviation
examples. No resource names are hardcoded.
7. The Terraform configuration has usable outputs that are used to access resources, such as
storage account name, vault name, CDN endpoint, etc.

3. TASK
1. Create Terraform configuration that provisions the following resources:
a. Azure Redis Cache
b. Azure Container Registry
c. Azure Key Vault
The Redis password and Redis URL must be saved in Key Vault as secrets.



2. Add to the Terraform configuration a block that builds a Docker image using the Dockerfile
provided below and uploads the built image to Azure Container Registry. Any sensitive values (such
as the ACR admin key) should be provided dynamically.
Dockerfile content:
# Use an official Python runtime as a parent image
FROM python:3.11-slim
# Set the working directory to /app
WORKDIR /app
# Copy the current directory contents into the container at /app
COPY . /app
# Install any needed packages specified in requirements.txt
RUN pip install --trusted-host pypi.python.org -r requirements.txt
# Make port 8080 available to the world outside this container
EXPOSE 8080
# Define environment variable
ENV NAME=World
# Run app.py when the container launches
CMD ["python", "app.py"]
Requirements.txt content:
Flask
Redis
App.py content:
from flask import Flask
from redis import Redis, RedisError
import os
import socket

# REDIS_SSL_MODE arrives as a string; parse it so that "False" or "0" disables TLS
# (TLS stays enabled when the variable is unset).
use_ssl = os.getenv("REDIS_SSL_MODE", "True").strip().lower() in ("1", "true", "yes")

# Connect to Redis
redis = Redis(host=os.getenv("REDIS_URL", "localhost"),
              port=int(os.getenv("REDIS_PORT", "6379")), db=0,
              password=os.getenv("REDIS_PWD", ""),
              ssl=use_ssl)

app = Flask(__name__)

@app.route("/")
def hello():
    try:
        # Increment the shared visit counter stored in Redis
        visits = redis.incr("counter")
    except RedisError:
        visits = "<i>cannot connect to Redis, counter disabled</i>"

    html = "<h3>Hello from {name}!</h3>" \
           "<b>Hostname:</b> {hostname}<br/>" \
           "<b>Visits:</b> {visits}"
    return html.format(name=os.getenv("CREATOR"), hostname=socket.gethostname(),
                       visits=visits)

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=8080)



3. Update your Terraform configuration to create an Azure Container Instance which will host a
container from the image built earlier. All sensitive variables must be provided to ACI as
secure_environment_variables (when it is possible).
Define a “CREATOR” variable for the container with the value “Azure_Container_Instance”.
Keep in mind that the Docker container works in pair with Azure Redis, and the required
parameters must be provided to the container during initialization (see app.py).
The application must be accessible via HTTP/HTTPS from the internet.
4. Update your Terraform configuration to create an Azure Kubernetes Service cluster integrated
with the Azure Key Vault created above, which will host a container from the image built earlier.
Define a “CREATOR” variable for the container with the value “K8S”.
Pods in k8s should obtain secrets from Key Vault during initialization. Use the “Access with a
user-assigned managed identity” approach. Optionally you can use Azure AD workload identity
to get access to Key Vault instead of UMI.
5. Deploy the image built earlier to k8s. You can update your Terraform configuration to deploy
the Docker image (optionally) or just connect to k8s and deploy using k8s manifests. Sensitive
variables must be stored in Key Vault in any case. The application must be available from the
internet at least via IP address.
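An added example for steps 1 and 3 (not part of the original task or of any reference solution): an ACI module that reads the Redis secrets back from Key Vault and passes them to the container as secure_environment_variables. It assumes the azurerm 3.x provider, that the identity running Terraform can read secrets in the vault, and that the secrets were stored under the hypothetical names redis-hostname and redis-password; all variable names are also hypothetical.

```hcl
# Added example: ACI module body (azurerm 3.x assumed). Variable and secret names are hypothetical.
variable "name_prefix" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "key_vault_id" { type = string }
variable "image" { type = string } # <ACR login server>/<repository>:<tag>
variable "registry" {
  type      = object({ server = string, username = string, password = string })
  sensitive = true
}
data "azurerm_key_vault_secret" "redis" {
  for_each     = toset(["redis-hostname", "redis-password"])
  name         = each.key
  key_vault_id = var.key_vault_id
}

resource "azurerm_container_group" "this" {
  name                = "ci-${var.name_prefix}"
  location            = var.location
  resource_group_name = var.resource_group_name
  os_type             = "Linux"
  ip_address_type     = "Public"
  dns_name_label      = var.name_prefix
  image_registry_credential {
    server   = var.registry.server
    username = var.registry.username
    password = var.registry.password
  }
  container {
    name   = "app"
    image  = var.image
    cpu    = 0.5
    memory = 1
    ports {
      port     = 8080 # app.py listens on 8080
      protocol = "TCP"
    }
    environment_variables = {
      CREATOR    = "Azure_Container_Instance"
      REDIS_PORT = "6380" # TLS port of Azure Cache for Redis
    }
    # Secure values are not shown in the container group's properties.
    secure_environment_variables = {
      REDIS_URL = data.azurerm_key_vault_secret.redis["redis-hostname"].value
      REDIS_PWD = data.azurerm_key_vault_secret.redis["redis-password"].value
    }
  }
}
output "fqdn" { value = azurerm_container_group.this.fqdn }
```

The values read through the data source and the registry password are still written to the Terraform state, so the state backend needs the same protection as the vault.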
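An added example for step 4 (not part of the original task or of any reference solution): an AKS module that enables the Key Vault Secrets Store CSI add-on and grants the add-on's user-assigned managed identity read-only access to secrets. It assumes the azurerm 3.x provider and a vault that uses access policies declared as separate resources rather than inline access_policy blocks; the variable names and VM size are hypothetical choices.

```hcl
# Added example: AKS module body (azurerm 3.x assumed); variable names are hypothetical.
variable "name_prefix" { type = string }
variable "location" { type = string }
variable "resource_group_name" { type = string }
variable "key_vault_id" { type = string }
variable "tenant_id" { type = string }

resource "azurerm_kubernetes_cluster" "this" {
  name                = "aks-${var.name_prefix}"
  location            = var.location
  resource_group_name = var.resource_group_name
  dns_prefix          = var.name_prefix

  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }
  identity {
    type = "SystemAssigned"
  }
  # Enables the Secrets Store CSI driver add-on; Azure creates a user-assigned
  # managed identity for it, exported as secret_identity.
  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }
}

locals {
  csi_identity = azurerm_kubernetes_cluster.this.key_vault_secrets_provider[0].secret_identity[0]
}

# Least privilege: the add-on identity may only read secret values.
resource "azurerm_key_vault_access_policy" "csi" {
  key_vault_id       = var.key_vault_id
  tenant_id          = var.tenant_id
  object_id          = local.csi_identity.object_id
  secret_permissions = ["Get"]
}

# Goes into userAssignedIdentityID of the SecretProviderClass manifest.
output "csi_identity_client_id" {
  value = local.csi_identity.client_id
}
```

Pods then mount the secrets through a SecretProviderClass that sets useVMManagedIdentity to "true" and userAssignedIdentityID to this output.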

4. TASK RESULT

The result of this task is running applications on different Azure services such as ACI, Web App,
Container Apps and AKS that are available by IP address or URL.
For instance

A .zip archive with your source code, named <name-surname>-<module number>, uploaded to the learn
portal.



5. USEFUL LINKS
Dockerfile reference | Docker Docs
Provisioner: local-exec | Terraform | HashiCorp Developer
Quickstart - Create registry in portal - Azure Container Registry | Microsoft Learn
Welcome to Flask — Flask Documentation (2.3.x) (palletsprojects.com)
What is Azure Key Vault? | Microsoft Learn
What is Azure Cache for Redis? | Microsoft Learn
Quickstart: Create an Azure Container Instance with a public IP address using Terraform - Azure Container Instances | Microsoft Learn
Deploy and run a containerized web app with Azure App Service - Training | Microsoft Learn
Azure Container Apps overview | Microsoft Learn
Quickstart: Create an Azure Kubernetes Service (AKS) cluster by using Terraform - Azure Kubernetes Service | Microsoft Learn
null_resource | Resources | hashicorp/null | Terraform | Terraform Registry
azurerm_container_app - Cannot deploy container with ingress enabled · Issue #20435 · hashicorp/terraform-provider-azurerm · GitHub
Use Key Vault references - Azure App Service | Microsoft Learn
Use the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service (AKS) secrets - Azure Kubernetes Service | Microsoft Learn
Provide an access identity to the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service (AKS) secrets - Azure Kubernetes Service | Microsoft Learn
