{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.44.1.10279",
      "templateHash": "13032531868249592283"
    }
  },
  "parameters": {
    "arpioAccountId": {
      "type": "string",
      "metadata": {
        "description": "The Arpio account ID for which this deployment is being created"
      }
    },
    "arpioAppPrincipalId": {
      "type": "string",
      "metadata": {
        "description": "The objectId of the Arpio app service principal"
      }
    },
    "arpioAppClientId": {
      "type": "string",
      "metadata": {
        "description": "The client ID of the Entra application allowed to call the Azure Function"
      }
    },
    "delegateImage": {
      "type": "string",
      "defaultValue": "arpio.azurecr.io/arpio-azure-delegate:latest",
      "metadata": {
        "description": "Delegate image"
      }
    },
    "delegateJobsImage": {
      "type": "string",
      "defaultValue": "arpio.azurecr.io/arpio-azure-delegate-jobs:latest",
      "metadata": {
        "description": "Delegate jobs image"
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for all resources"
      }
    },
    "recoveryEndpoints": {
      "type": "array",
      "metadata": {
        "description": "List of recovery endpoints, where each is an object with subscriptionId and location properties"
      }
    },
    "arpioTags": {
      "type": "object",
      "defaultValue": {
        "arpio:account-id": "[parameters('arpioAccountId')]",
        "arpio:access-resource": "[format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]"
      },
      "metadata": {
        "description": "Tags to add to all resources"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "tags": "[parameters('arpioTags')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2021-04-01",
      "name": "[format('ArpioPrimaryData-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "tags": "[parameters('arpioTags')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioPrimaryAccess', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
        "description": "Read-only access to all Azure resources via Resource Manager",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "*/read"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.KeyVault/vaults/*/read",
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
              "Microsoft.ContainerRegistry/registries/catalog/read",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/read"
            ],
            "notDataActions": [
              "Microsoft.KeyVault/vaults/secrets/getSecret/action",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
              "Microsoft.ContainerRegistry/registries/repositories/content/read"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioPrimaryDelegateAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
        "description": "Access granted to the Arpio primary environment delegate",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Web/register/action",
              "Microsoft.Compute/restorePointCollections/delete",
              "Microsoft.Compute/restorePointCollections/write",
              "Microsoft.Compute/restorePointCollections/restorePoints/delete",
              "Microsoft.Compute/restorePointCollections/restorePoints/write",
              "Microsoft.Compute/disks/beginGetAccess/action",
              "Microsoft.Compute/snapshots/delete",
              "Microsoft.Compute/snapshots/write",
              "Microsoft.Compute/virtualMachines/write",
              "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
              "Microsoft.Network/virtualNetworks/peer/action",
              "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
              "Microsoft.Resources/deployments/write",
              "Microsoft.Storage/storageAccounts/blobServices/write",
              "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
              "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
              "Microsoft.Web/sites/config/list/action",
              "Microsoft.Web/sites/publish/action"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.ContainerService/managedClusters/*/read",
              "Microsoft.KeyVault/vaults/*/read",
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
              "Microsoft.KeyVault/vaults/secrets/getSecret/action"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioRecoveryToPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location'))]",
      "properties": {
        "roleName": "[format('ArpioRecoveryToPrimaryDelegateAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(subscription().id, parameters('location')))]",
        "description": "Access granted to the Arpio recovery delegate to access primary resources",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Compute/snapshots/beginGetAccess/action",
              "Microsoft.Compute/snapshots/endGetAccess/action",
              "Microsoft.Compute/disks/beginGetAccess/action",
              "Microsoft.Compute/disks/endGetAccess/action",
              "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action",
              "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/endGetAccess/action",
              "Microsoft.Sql/servers/databases/write",
              "Microsoft.Storage/storageAccounts/blobServices/containers/read",
              "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
              "Microsoft.Web/sites/config/list/action",
              "Microsoft.Web/sites/publish/action",
              "Microsoft.App/containerApps/listSecrets/action",
              "Microsoft.App/jobs/listSecrets/action"
            ],
            "notActions": [],
            "dataActions": [
              "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
              "Microsoft.KeyVault/vaults/secrets/getSecret/action",
              "Microsoft.KeyVault/vaults/certificates/read",
              "Microsoft.ContainerRegistry/registries/repositories/metadata/read",
              "Microsoft.ContainerRegistry/registries/repositories/content/read",
              "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
            ]
          }
        ],
        "assignableScopes": [
          "[subscription().id]"
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(parameters('arpioAppPrincipalId'), guid('ArpioPrimaryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[parameters('arpioAppPrincipalId')]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioDelegateIdentity', guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), 'Microsoft.Resources/deployments', format('arpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), '2025-04-01').outputs.delegatePrincipalId.value]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))), 'Microsoft.Resources/deployments', format('arpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location')))]",
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "copy": {
        "name": "recoveryDelegateRoleAssignments",
        "count": "[length(parameters('recoveryEndpoints'))]"
      },
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid('ArpioRecoveryDelegateIdentity', guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')), parameters('recoveryEndpoints')[copyIndex()].subscriptionId, parameters('recoveryEndpoints')[copyIndex()].location)]",
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryToPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('recoveryEndpoints')[copyIndex()].subscriptionId, format('ArpioRecoveryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('recoveryEndpoints')[copyIndex()].location)), 'Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioRecoveryDelegate'), '2023-01-31').principalId]",
        "principalType": "ServicePrincipal"
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]",
        "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioRecoveryToPrimaryDelegateAccess', parameters('arpioAccountId'), subscription().id, parameters('location')))]"
      ]
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2025-04-01",
      "name": "[format('arpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "resourceGroup": "[format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location'))]",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "parameters": {
          "arpioAccountId": {
            "value": "[parameters('arpioAccountId')]"
          },
          "arpioAppClientId": {
            "value": "[parameters('arpioAppClientId')]"
          },
          "delegateImage": {
            "value": "[parameters('delegateImage')]"
          },
          "delegateJobsImage": {
            "value": "[parameters('delegateJobsImage')]"
          },
          "arpioTags": {
            "value": "[parameters('arpioTags')]"
          },
          "recoveryEndpoints": {
            "value": "[parameters('recoveryEndpoints')]"
          }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "metadata": {
            "_generator": {
              "name": "bicep",
              "version": "0.44.1.10279",
              "templateHash": "4050011703042358750"
            }
          },
          "parameters": {
            "arpioAccountId": {
              "type": "string",
              "metadata": {
                "description": "The Arpio account ID for which this deployment is being created"
              }
            },
            "arpioAppClientId": {
              "type": "string",
              "metadata": {
                "description": "The client ID of the Entra application allowed to call the Azure Function"
              }
            },
            "delegateImage": {
              "type": "string",
              "defaultValue": "arpio.azurecr.io/arpio-azure-delegate:latest",
              "metadata": {
                "description": "Delegate image"
              }
            },
            "delegateJobsImage": {
              "type": "string",
              "defaultValue": "arpio.azurecr.io/arpio-azure-delegate-jobs:latest",
              "metadata": {
                "description": "Delegate jobs image"
              }
            },
            "location": {
              "type": "string",
              "defaultValue": "[resourceGroup().location]",
              "metadata": {
                "description": "Location for all resources"
              }
            },
            "arpioTags": {
              "type": "object",
              "metadata": {
                "description": "Tags to add to all resources"
              }
            },
            "recoveryEndpoints": {
              "type": "array",
              "metadata": {
                "description": "List of recovery endpoints, where each is an object with subscriptionId and location properties"
              }
            }
          },
          "variables": {
            "copy": [
              {
                "name": "recoveryEncryptionKeys",
                "count": "[length(parameters('recoveryEndpoints'))]",
                "input": {
                  "subscriptionId": "[parameters('recoveryEndpoints')[copyIndex('recoveryEncryptionKeys')].subscriptionId]",
                  "location": "[parameters('recoveryEndpoints')[copyIndex('recoveryEncryptionKeys')].location]",
                  "keyUrl": "[format('https://arpio-rec-{0}{1}/keys/EncryptionKey', uniqueString(format('/subscriptions/{0}/resourceGroups/ArpioRecoveryAccess-{1}-{2}', parameters('recoveryEndpoints')[copyIndex('recoveryEncryptionKeys')].subscriptionId, parameters('arpioAccountId'), parameters('recoveryEndpoints')[copyIndex('recoveryEncryptionKeys')].location), parameters('arpioAccountId')), environment().suffixes.keyvaultDns)]"
                }
              }
            ]
          },
          "resources": [
            {
              "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
              "apiVersion": "2023-01-31",
              "name": "ArpioPrimaryDelegate",
              "location": "[parameters('location')]",
              "tags": "[parameters('arpioTags')]"
            },
            {
              "type": "Microsoft.OperationalInsights/workspaces",
              "apiVersion": "2022-10-01",
              "name": "ArpioPrimaryLogs",
              "location": "[parameters('location')]",
              "properties": {
                "sku": {
                  "name": "PerGB2018"
                },
                "retentionInDays": 30
              }
            },
            {
              "type": "Microsoft.Insights/components",
              "apiVersion": "2020-02-02",
              "name": "ArpioPrimaryInsights",
              "location": "[parameters('location')]",
              "kind": "web",
              "tags": "[parameters('arpioTags')]",
              "properties": {
                "Application_Type": "web",
                "WorkspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioPrimaryLogs')]"
              },
              "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioPrimaryLogs')]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2023-01-01",
              "name": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))]",
              "location": "[parameters('location')]",
              "sku": {
                "name": "Standard_LRS"
              },
              "kind": "StorageV2",
              "tags": "[parameters('arpioTags')]",
              "properties": {
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": false,
                "allowSharedKeyAccess": false,
                "supportsHttpsTrafficOnly": true,
                "encryption": {
                  "services": {
                    "blob": {
                      "enabled": true
                    }
                  },
                  "keySource": "Microsoft.Storage"
                }
              }
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices/queues",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default', 'tasks')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/queueServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/queueServices/queues",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default', 'jobs')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/queueServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/tableServices",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Storage/storageAccounts/tableServices/tables",
              "apiVersion": "2023-01-01",
              "name": "[format('{0}/{1}/{2}', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default', 'tasks')]",
              "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts/tableServices', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))), 'default')]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "scope": "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]",
              "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3')]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.App/managedEnvironments",
              "apiVersion": "2024-10-02-preview",
              "name": "arpio-primary-env",
              "location": "[parameters('location')]",
              "tags": "[parameters('arpioTags')]",
              "properties": {
                "publicNetworkAccess": "Enabled",
                "workloadProfiles": [
                  {
                    "name": "Consumption",
                    "workloadProfileType": "Consumption"
                  }
                ],
                "appLogsConfiguration": {
                  "destination": "log-analytics",
                  "logAnalyticsConfiguration": {
                    "customerId": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioPrimaryLogs'), '2022-10-01').customerId]",
                    "sharedKey": "[listKeys(resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioPrimaryLogs'), '2022-10-01').primarySharedKey]"
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.OperationalInsights/workspaces', 'ArpioPrimaryLogs')]"
              ]
            },
            {
              "type": "Microsoft.App/containerApps",
              "apiVersion": "2025-07-01",
              "name": "arpio-primary-delegate",
              "location": "[parameters('location')]",
              "tags": "[parameters('arpioTags')]",
              "kind": "functionapp",
              "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                  "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'))]": {}
                }
              },
              "properties": {
                "managedEnvironmentId": "[resourceId('Microsoft.App/managedEnvironments', 'arpio-primary-env')]",
                "configuration": {
                  "ingress": {
                    "external": true,
                    "targetPort": 80,
                    "allowInsecure": false,
                    "traffic": [
                      {
                        "latestRevision": true,
                        "weight": 100
                      }
                    ]
                  }
                },
                "template": {
                  "containers": [
                    {
                      "name": "arpio-delegate",
                      "image": "[parameters('delegateImage')]",
                      "env": [
                        {
                          "name": "AzureWebJobsStorage__accountName",
                          "value": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))]"
                        },
                        {
                          "name": "AzureWebJobsStorage__credential",
                          "value": "managedidentity"
                        },
                        {
                          "name": "AzureWebJobsStorage__clientId",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "DELEGATE_TYPE",
                          "value": "primary"
                        },
                        {
                          "name": "DELEGATE_IMAGE",
                          "value": "[parameters('delegateImage')]"
                        },
                        {
                          "name": "AZURE_CLIENT_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "PRINCIPAL_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]"
                        },
                        {
                          "name": "IDENTITY_ID",
                          "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]"
                        },
                        {
                          "name": "TENANT_ID",
                          "value": "[tenant().tenantId]"
                        },
                        {
                          "name": "ARPIO_APP_CLIENT_ID",
                          "value": "[parameters('arpioAppClientId')]"
                        },
                        {
                          "name": "FUNCTIONS_WORKER_RUNTIME",
                          "value": "python"
                        },
                        {
                          "name": "PYTHON_THREADPOOL_THREAD_COUNT",
                          "value": "32"
                        },
                        {
                          "name": "ARPIO_ACCOUNT_ID",
                          "value": "[parameters('arpioAccountId')]"
                        },
                        {
                          "name": "SUBSCRIPTION_ID",
                          "value": "[subscription().subscriptionId]"
                        },
                        {
                          "name": "ACCESS_RESOURCE_GROUP",
                          "value": "[resourceGroup().name]"
                        },
                        {
                          "name": "AUTHORIZED_ENDPOINTS",
                          "value": "[string(parameters('recoveryEndpoints'))]"
                        },
                        {
                          "name": "RECOVERY_ENCRYPTION_KEYS",
                          "value": "[string(variables('recoveryEncryptionKeys'))]"
                        },
                        {
                          "name": "REGION",
                          "value": "[parameters('location')]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_BLOB_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.blob]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_TABLE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.table]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_QUEUE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.queue]"
                        },
                        {
                          "name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
                          "value": "[reference(resourceId('Microsoft.Insights/components', 'ArpioPrimaryInsights'), '2020-02-02').ConnectionString]"
                        }
                      ],
                      "resources": {
                        "cpu": "[json('1.0')]",
                        "memory": "2Gi"
                      }
                    }
                  ],
                  "scale": {
                    "minReplicas": 0,
                    "maxReplicas": 100
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.Insights/components', 'ArpioPrimaryInsights')]",
                "[resourceId('Microsoft.App/managedEnvironments', 'arpio-primary-env')]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.App/containerApps/authConfigs",
              "apiVersion": "2025-02-02-preview",
              "name": "[format('{0}/{1}', 'arpio-primary-delegate', 'current')]",
              "properties": {
                "platform": {
                  "enabled": true
                },
                "identityProviders": {
                  "azureActiveDirectory": {
                    "enabled": true,
                    "registration": {
                      "clientId": "[parameters('arpioAppClientId')]",
                      "openIdIssuer": "[format('https://login.microsoftonline.com/{0}/v2.0', tenant().tenantId)]"
                    },
                    "validation": {
                      "allowedAudiences": [
                        "[parameters('arpioAppClientId')]"
                      ]
                    }
                  }
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.App/containerApps', 'arpio-primary-delegate')]"
              ]
            },
            {
              "type": "Microsoft.App/jobs",
              "apiVersion": "2024-10-02-preview",
              "name": "arpio-primary-delegate-job",
              "tags": "[parameters('arpioTags')]",
              "location": "[parameters('location')]",
              "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                  "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'))]": {}
                }
              },
              "properties": {
                "environmentId": "[resourceId('Microsoft.App/managedEnvironments', 'arpio-primary-env')]",
                "configuration": {
                  "triggerType": "Event",
                  "replicaTimeout": 86400,
                  "replicaRetryLimit": 0,
                  "eventTriggerConfig": {
                    "replicaCompletionCount": 1,
                    "parallelism": 1,
                    "scale": {
                      "minExecutions": 0,
                      "maxExecutions": 100,
                      "pollingInterval": 10,
                      "rules": [
                        {
                          "name": "queue-based-scaling",
                          "type": "azure-queue",
                          "metadata": {
                            "queueName": "jobs",
                            "queueLength": "1",
                            "queueLengthStrategy": "visibleonly",
                            "accountName": "[format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))]"
                          },
                          "identity": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]"
                        }
                      ]
                    }
                  }
                },
                "template": {
                  "containers": [
                    {
                      "name": "arpio-delegate-job",
                      "image": "[parameters('delegateJobsImage')]",
                      "env": [
                        {
                          "name": "DELEGATE_TYPE",
                          "value": "primary"
                        },
                        {
                          "name": "AZURE_CLIENT_ID",
                          "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').clientId]"
                        },
                        {
                          "name": "ARPIO_ACCOUNT_ID",
                          "value": "[parameters('arpioAccountId')]"
                        },
                        {
                          "name": "SUBSCRIPTION_ID",
                          "value": "[subscription().subscriptionId]"
                        },
                        {
                          "name": "AUTHORIZED_ENDPOINTS",
                          "value": "[string(parameters('recoveryEndpoints'))]"
                        },
                        {
                          "name": "RECOVERY_ENCRYPTION_KEYS",
                          "value": "[string(variables('recoveryEncryptionKeys'))]"
                        },
                        {
                          "name": "REGION",
                          "value": "[parameters('location')]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_BLOB_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.blob]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_TABLE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.table]"
                        },
                        {
                          "name": "SCRATCH_STORAGE_QUEUE_URL",
                          "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId')))), '2023-01-01').primaryEndpoints.queue]"
                        }
                      ],
                      "resources": {
                        "cpu": "[json('0.25')]",
                        "memory": "0.5Gi"
                      }
                    }
                  ]
                }
              },
              "dependsOn": [
                "[resourceId('Microsoft.App/managedEnvironments', 'arpio-primary-env')]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]",
                "[resourceId('Microsoft.Storage/storageAccounts', format('arpiodel{0}', uniqueString(resourceGroup().id, 'arpio-primary', parameters('arpioAccountId'))))]"
              ]
            },
            {
              "type": "Microsoft.Authorization/roleDefinitions",
              "apiVersion": "2022-04-01",
              "name": "[guid('ArpioPrimaryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location'))]",
              "properties": {
                "roleName": "[format('ArpioPrimaryDelegateRGAccess-{0}-{1}', parameters('arpioAccountId'), uniqueString(resourceGroup().id, parameters('location')))]",
                "description": "Access granted to the Arpio primary delegate, scoped to the access resource group. This allows the primary delegate to create and manage additional private delegates as needed.",
                "type": "CustomRole",
                "permissions": [
                  {
                    "actions": [
                      "*/read",
                      "Microsoft.Network/virtualNetworks/*",
                      "Microsoft.Web/sites/*",
                      "Microsoft.Web/serverfarms/write",
                      "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                      "Microsoft.Resources/deployments/delete",
                      "Microsoft.Resources/deployments/write",
                      "Microsoft.Resources/deploymentStacks/delete",
                      "Microsoft.Resources/deploymentStacks/write",
                      "Microsoft.ContainerInstance/containerGroups/*"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                  }
                ],
                "assignableScopes": [
                  "[resourceGroup().id]"
                ]
              }
            },
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2022-04-01",
              "name": "[guid('ArpioDelegateIdentity', guid('ArpioPrimaryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
              "properties": {
                "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
                "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]",
                "principalType": "ServicePrincipal"
              },
              "dependsOn": [
                "[resourceId('Microsoft.Authorization/roleDefinitions', guid('ArpioPrimaryDelegateRGAccess', parameters('arpioAccountId'), resourceGroup().id, parameters('location')))]",
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate')]"
              ]
            }
          ],
          "outputs": {
            "delegatePrincipalId": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'ArpioPrimaryDelegate'), '2023-01-31').principalId]"
            },
            "delegateAppId": {
              "type": "string",
              "value": "[resourceId('Microsoft.App/containerApps', 'arpio-primary-delegate')]"
            },
            "delegateAppFQDN": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.App/containerApps', 'arpio-primary-delegate'), '2025-07-01').configuration.ingress.fqdn]"
            },
            "applicationInsightsConnectionString": {
              "type": "string",
              "value": "[reference(resourceId('Microsoft.Insights/components', 'ArpioPrimaryInsights'), '2020-02-02').ConnectionString]"
            }
          }
        }
      },
      "dependsOn": [
        "[subscriptionResourceId('Microsoft.Resources/resourceGroups', format('ArpioPrimaryAccess-{0}-{1}', parameters('arpioAccountId'), parameters('location')))]"
      ]
    }
  ]
}