Create the resource group where all the resources will reside
Inside that resource group create a storage account
Create a KeyVault
Create a Azure SQL Server and inside it create a Azure SQL Database (use SQL authentication)
The password you will save as a secret in the keyvault with the following secret name:
mssql-password
Create a Azure App Registration and fill in the Redirect URI with the following value:
https://<dns label used below>.<location>.azurecontainer.io/login/oauth2/code/azure
On the App Roles section you can create the bplm admin and executive roles which you can later use to control users access to the Lakehouse Monitor
Create a client secret for your Application and save the secret in the KeyVault you’ve created with the following secret name
msft-provider-auth-secret
Create a managed Identity that will be used by the Application to communicate to the keyvault and storage account.
Add the necessary access policy on the Keyvault so the managed identity is able to list and read secrets from it.
For SSL communication you can use one of these two options:
Create YAML definition for the containers
apiVersion: '2019-12-01' location: <location> name: <name of your container instance> properties: containers: - name: lakehouse-monitor properties: environmentVariables: - name: APPLICATION_LOG_HTTPHEADER value: false - name: APPSERVICE_URL value: <FQDN> - name: AZURE_KEYVAULT_ENABLED value: true - name: AZURE_KEYVAULT_TENANTID value: <KV tenantID> - name: AZURE_KEYVAULT_URI value: <KV URL> - name: AZURE_MANAGED_IDENTITY_ID value: <managed identity objectID> - name: AZURE_MANAGED_IDENTITY_APP_ID value: <managed identity clientID> - name: LOG_LEVEL value: info - name: LOG_LEVEL_APP value: info - name: LOG_LEVEL_HTTP_HEADERS value: error - name: USE_SP_FOR_BACKGROUND_PROCESSORS value: true - name: USE_SP_FOR_STORAGE_ACCOUNT value: true - name: MICROSOFT_PROVIDER_AUTHENTICATION_SECRET value: ${msft-provider-auth-secret} - name: SERVICE_PRINCIPAL_CLIENT_SECRET value: ${msft-provider-auth-secret} - name: SERVICE_PRINCIPAL_CLIENTID value: <sp clientID> - name: SERVICE_PRINCIPAL_OBJECTID value: <sp objectID> - name: SERVICE_PRINCIPAL_TENANTID value: <sp tenantID> - name: SQL_DATABASE value: <sql database name> - name: SQL_SERVER_HOST value: <sql server host> - name: SQL_USER value: <sql username> - name: SQL_PASSWORD value: ${mssql-password} - name: STORAGE_AZURE_ACCOUNT value: <storage account name> - name: STORAGE_AZURE_CONTAINER value: lakehouse-monitor - name: CLOUD_PROVIDER value: azure - name: AUTHENTICATION_PROVIDER value: active-directory - name: SERVER_SERVLET_SESSION_PERSISTENT value: true - name: SERVER_SSL_ENABLED value: false - name: METRIC_PROCESSING_ENABLED value: true - name: METRIC_PROCESSOR_DOCTOR_INITIAL_DELAY value: PT1M - name: CONSUMPTION_USE_PREFILTER value: false - name: ADMIN_APP_ROLE value: <admin role value> - name: EXECUTIVE_APP_ROLE value: <executive role value> - name: AUTHORIZATION_CACHE_TIMEOUT value: 1800 - name: SERVER_PORT value: 80 image: blueprint.azurecr.io/bpcs/lakehouse-optimizer:2.1 ports: - port: 80 resources: requests: cpu: 4 memoryInGB: 8 volumeMounts: - mountPath: /var/log name: logs - name: nginx-with-ssl properties: image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine ports: - port: 443 protocol: TCP resources: requests: cpu: 1.0 memoryInGB: 1.5 volumeMounts: - name: nginx-config mountPath: /etc/nginx imageRegistryCredentials: - server: blueprint.azurecr.io username: <ACR Username> password: <ACR Password> osType: Linux restartPolicy: Always ipAddress: type: Public ports: - port: 443 dnsNameLabel: <dns label> volumes: - name: nginx-config secret: ssl.crt: <BASE64 enc ssl.crt> ssl.key: <BASE64 enc ssl.key> nginx.conf: <BASE64 enc nginx.conf> - name: logs azureFile: sharename: <name of share for the logs> storageAccountName: <storage account name where the share is created> storageAccountKey: <storage account key> tags: {} type: Microsoft.ContainerInstance/containerGroups
Create the containers
az container create --resource-group <resource group name created in step 6> --assign-identity <managed identity to be used> --name <aci name> --file deploy.yaml
General
Content
Integrations
Add Comment