Dashboard Release Pipeline

The release pipeline will use the artifacts created from the build pipeline and publish this to the stage(s) you define. Each stage will deploy the resources to the Azure subscription and resource group you specify in the deployment tasks.

The release uses variable groups and edits/adds variables to the groups, we will begin by creating a new variable group.

Variable Group

Create a variable group named {prefix}.Invictus.{stage} for all the stages (environments) and add at least one variable (eg: Invictus.Secrets.ApiKey1.Name = apikey1).

Make sure the Project Collection Build Service has Administrator access to these variable groups (Pipelines > Library > Security)

YAML Release Pipeline

This contains an example YAML pipeline to release the Invictus for Azure Dashboard, change the dashboard.release.yaml file according to your needs, for example change the needed environments and change the name of the build pipeline trigger:

resources:
  pipelines:
    # Name of the pipeline resource inside this workflow. Used to reference the pipeline resources later on (e.g. download artifacts).
  - pipeline: _build
    # Name of the pipeline in Azure Pipelines
    source: 'customer.azure.invictus.dashboard.build' 
    trigger: true

Also make sure to change the bicep template parameters according to your needs.

If you need to overwrite more bicep Template parameters make sure to add this to the deployScriptParameters. A complete list of Bicep Template parameters can be found here.

Afterwards add the dashboard.release.yaml in your DevOps environment as a pipeline.

Deploy Script Parameters

The following script parameters are used in the deploy script:

Mandatory Parameters

Argument name	Description
artifactsPath	Path on the DevOps agent where the downloaded Invictus artifacts are stored (publish and download build artifacts)
devOpsObjectId	Object ID of the service principal that's connected to the DevOps service connection, which will get the necessary role definitions to interact with Invictus' deployed resources (i.e. Key vault, Container registry) (Azure CLI task)
acrUsername	ACR credentials provided by Codit to pull Invictus images See build pipeline
acrPassword	ACR credentials provided by Codit to pull Invictus images See build pipeline
resourcePrefix	Prefix used for deployed Azure resources (i.e. invictus-{prefix}-vlt)
resourceGroupName	Name of Azure resource group where Invictus should be deployed
variableGroupName	DevOps variable group to write the Bicep outputs to (i.e. Invictus_CosmosDb_DbName)
azureActiveDirectoryClientId	See Azure AD Setup if AD enabled
azureActiveDirectoryTenantId	See Azure AD Setup if AD enabled
azureActiveDirectoryClientSecret	See Azure AD Setup if AD enabled
azureActiveDirectoryAudience	See Azure AD Setup if AD enabled
performSqlDataMigration	If value is 1 the data migration process will run, migrating SQL data to Cosmos DB. If the value is 0, the process will be skipped. See the migration guide for more details. Once data migration has been performed and verified, it is recommended to then set this value to 0 so that the migration process is skipped for all subsequent releases.
flowDataTTLInDays	Amount of days flow data can live in the database See import flow traces.
isProvisionedCosmos	If the value is 1, a Cosmos DB with provisioned throughput will be deployed. If the value is 0, a serverless Cosmos DB will be deployed instead. See the relevant section below for more details.
identityProviderApplicationId	See Container Authentication.
identityProviderClientSecret	See Container Authentication.

Optional Parameters

Argument name	Default value	Description
resourceGroupLocation	'West Europe'	Azure location where resources should be deployed
isAdDisabled	False	Boolean flag to indicate whether the Dashboard should use AD for authentication
additionalTemplateParameters	[]	Additional named parameters for the Bicep template you wish to override. More on this below.

override bicep parameters

The AdditionalTemplateParameters can be used to override the default values used by the Bicep template. You simply name the argument as the parameter. For example if you want to use a different servicePlanSku you would add -eventHubSkuName 'Standard' to the parameters of the ./Deploy.ps1 script.

Full YAML task example

- task: AzureCLI@2
  displayName: 'Azure CLI'
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
  inputs:
    azureSubscription: '[YOUR_SERVICE_CONNECTION]'
    addSpnToEnvironment: true
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |

      # Determine where the the provided Invictus 'Deploy.ps1' script is located
      $artifactsPath = ${{ variables['Pipeline.Workspace'] }} + '/_build/dashboard' 
      $scriptPath = $artifactsPath + '/Deploy.ps1'

      # Use your service connection's service principal Object ID
      $objectId = (az ad sp show --id $env:servicePrincipalId | ConvertFrom-Json).id

      & $scriptPath `
        -artifactsPath $artifactsPath `
        -acrPath 'invictusreleases.azurecr.io' `
        -useBeta false `
        -acrUsername 'admin' `
        -acrPassword '<pass>' `
        -resourcePrefix 'dev' `
        -resourceGroupName 'my-client-dev-rg' `
        -variableGroupName 'My.Client.Dev' `
        -devOpsObjectId $objectId `
        -performSqlDataMigration 0 `
        -isProvisionedCosmos 0 `
        -azureActiveDirectoryClientId '4b559bfb-871a-4013-bce9-829e3aeb6bdd' `
        -azureActiveDirectoryTenantId '97a944a1-04a0-45d2-b2f3-c424755c4167' `
        -azureActiveDirectoryClientSecret '<pass>' `
        -azureActiveDirectoryAudience 'https://contoso.com' `
        -identityProviderApplicationId 'c84d34ea-f169-4787-a4af-81750debda0b' `
        -identityProviderClientSecret '<pass>' `
        -isProvisionedCosmos 1 `
        -flowDataTTLInDays 90

Bicep Template Parameters

The below tables lists the parameters accepted by the Bicep template.

Show VNET options

Top-level parameters

Resource-independent parameters that affect all resources in the deployed resource group.

Parameter	Required	Default	Description
resourcePrefix	Yes		Prefix used for deployed Azure resources (i.e. invictus-{prefix}-vlt)
devOpsObjectId	Yes		Object ID of the service principal that's connected to the DevOps service connection, which will get the necessary role definitions to interact with Invictus' deployed resources (i.e. Key vault, Container registry) (Azure CLI task)
containerAppsEnvironmentLocation	No	resourceGroup().location	Location of the ACA environment and Container Apps.
containerAppsEnvironmentName	No	invictus-${resourcePrefix}-cae	The name of the Container App environment.

Active Directory parameters

Parameters related to the Azure Active Directory where the groups are synced from.

Parameter	Required	Default	Description
azureActiveDirectoryClientId	Yes		Client AAD ID required to enable AAD for dashboard
azureActiveDirectoryTenantId	Yes		Tenant AAD ID required to enable AAD for dashboard
azureActiveDirectoryClientSecret	Yes		Required for AD Login
AzureActiveDirectoryAudience	Yes		Required for AD Login
isAdDisabled	No	0	isAdDisabled true or false

App service parameters

Parameters related to the applications that are deployed, mostly Azure Functions.

Function names

Parameter	Required	Default	Description
invictusDashboardWebAppName	No	invictus-{resourcePrefix}-invictusdashboard-v2	Name for the dashboard web application
invictusDashboardGatewayFunctionName	No	invictus-{resourcePrefix}-dashboardgateway	Name for Azure Function
invictusImportJobFunctionName	No	invictus-{resourcePrefix}-invictusimportjob	Name for Azure Function
invictusCacheImportJobFunctionName	No	invictus-{resourcePrefix}-cacheimportjob	Name for Azure Function
invictusStoreImportJobFunctionName	No	invictus-{resourcePrefix}-storeimportjob	Name for Azure Function
invictusFlowHandlerFunctionName	No	invictus-{resourcePrefix}-flowhandlerjob	Name for Azure Function
invictusGenericReceiverFunctionName	No	invictus-{resourcePrefix}-genericreceiver	Name for Azure Function
invictusHttpReceiverFunctionName	No	invictus-{resourcePrefix}-httpreceiver	Name for Azure Function
invictusDatabaseManagerFunctionName	No	invictus-{resourcePrefix}-database-storeimportjob	Name for Azure Function
invictusDataFactoryReceiverFunctionName	No	invictus-{resourcePrefix}-datafactoryreceiver	Name for Azure Function

Function deployment

Parameter	Required	Default	Description
servicePlanName	No	invictus-{resourcePrefix}-appplan-linux	Name for the service plan which will host the APIs
servicePlanSkuName	No	S1	Size for the App Plan, the value of "I1" needs to be passed to install an isolated plan.
servicePlanSkuCapacity	No	1	The SKU capacity setting for the App Plan

Storage parameters

Parameters related to the data that is stored throughout Invictus.

Cosmos

Parameter	Required	Default	Description
cosmosAccountName	No	invictus-{resourcePrefix}-cosmos-serverless/provisoned	Name for Cosmos account
cosmosDatabaseName	No	InvictusDashboard	Name for Cosmos database
isProvisionedCosmos	Yes	0 (:true)	isProvisionedCosmos true or false

Provisioned Throughput vs Serverless Cosmos DB

Aspect	Serverless in Production	Provisioned Throughput in Production
Cost-Efficiency	Optimized for variable workloads; scales down during low activity to reduce cost	Costs are fixed based on allocated RU/s; autoscale introduces a min-max pricing range
Traffic Handling	Ideal for sporadic or bursty traffic patterns	Suitable for consistently high or predictable workloads
Scalability	Auto-scales based on workload; FlowData and WorkFlowEvents most affected	RU/s can be manually adjusted for high-volume needs
Usage Suitability	Best for unpredictable workloads with fluctuating volume	Best for stable, high-throughput scenarios
Collections Behavior	FlowData and WorkFlowEvents auto-scale with data insertion	FlowData and WorkFlowEvents have fixed RU/s with autoscale range

Always evaluate your application's needs and monitor performance to ensure the chosen capacity model meets expectations in the production environment.

Default Settings for Provisioned Throughput

Collection	RU/s	Autoscale
Audits	500	No
DashboardSettings	500	No
Users	500	No
Groups	500	No
Statistics	500	No
FolderFlows	500	No
FlowData	2000	Yes
WorkflowEvent	2000	Yes
MessageContent	2000	Yes

Storage account

Parameter	Required	Default	Description
storageAccountName	No	invictus{resourcePrefix}store	Name for the Azure Storage resource. Dashes (-) will be removed from {resourcePrefix}
storageAccountType	No	Standard_LRS	The Storage account StorageAccountSkuType
messageStatusCacheDeleteAfterDays	No	30	The number of days without modification for the message status cache to be deleted

Cleaning data

Parameter	Required	Default	Description
flowDataTTLInDays	Yes		A positive integer value which represents the amount of days flow data can live in the database
statisticsCutOffDays	No	-3	The number of days in the past that homepage statistics will recalculate
cleanupJobIntervalInMinutes	No	1440	Interval in minutes for the cleanup job
workFlowCleanupJobIntervalInMinutes	No	180	Interval in minutes for the workflowevent cleanup job
dataWorkFlowCleanupMaxRetentionDays	No	90	Max number of days the WorkFlowEvent data is stored

Messaging parameters

Parameters related to the messaging resources that import the flow information into storage.

Service Bus

Parameter	Required	Default	Description
serviceBusNamespaceName	No	invictus-{resourcePrefix}-sbs	Name for the Service Bus Namespace resource
serviceBusSkuName	No	Standard or Premium if VNET enabled	Name for the Service Bus SKU

Event Hubs

Namespace

Parameter	Required	Default	Description
eventHubNamespaceName	No	invictus-{resourcePrefix}-evnm	Name for the Event Hub Namespace resource
eventHubSkuName	No	Basic	The SKU name of the EventHub Namespace
eventHubSkuTier	No	Basic	The Tier name for the EventHub Namespace
eventHubSkuCapacity	No	1	The SKU capacity for the EventHub Namespace
eventHubAutoInflate	No	false	The EventHub setting to enable auto-inflate
eventHubMaxThroughputUnits	No	0	Max throughput setting for EventHub
eventHubMessageRetentionInDays	No	1	The number of days EventHub will retain messages. Note: eventHubSkuName and eventHubSkuTier must be set to Standard to exceed 1 day of retention.

Hubs

Parameter	Required	Default	Description
eventHubName	No	invictus-{resourcePrefix}-evhb	Name for the Event Hub created on the Namespace
eventHubNameV2	No	invictus-{resourcePrefix}-evhb-v2	Name for the Event Hub for standard LA's created on the Namespace
workflowEventHubName	No	invictus-{resourcePrefix}-workflow-evhb	EventHub name for the import job
dataMergeWorkflowEventHubName	No	invictus-{resourcePrefix}-mergeddata-evhb	EventHub name for the data merge import job
sideTasksWorkflowEventHubName	No	invictus-{resourcePrefix}-sidetasks-evhb	EventHub name for the side tasks
dataFactoryEventHubName	No	invictus-{resourcePrefix}-df-evhb	EventHub name for the data factory import job
genericEventHubName	No	invictus-{resourcePrefix}-genericreceiver-evhb	EventHub name for the import job

Secret parameters

Parameters related to the security of the deployed applications.

Parameter	Required	Default	Description
keyVaultName	No	invictus-{resourcePrefix}-vlt	Name for the Key Vault Service Namespace resource
keyVaultEnablePurgeProtection	No	null	If true, enables key vault purge protection. Once enabled, this property can never be disabled.
jwtSecretToken	No	Generated on first use	JWT Secret used for login

Observability parameters

Parameters related to the observability of the deployed applications.

Parameter	Required	Default	Description
appInsightsName	No	invictus-{resourcePrefix}-appins	Name for the Application Insights resource
alertingAppInsightsName	No	invictus-{resourcePrefix}-alertingappins	Name for the Application Insights resource used for alerting
importjobAppInsightsName	No	invictus-{resourcePrefix}-importjobappins	Name for Application Insights used by importjob
appInsightsSamplingPercentage	No	1	The sampling percentage for the Application Insights resource
importJobAppInsightsSamplingPercentage	No	1	The sampling percentage for the import job Application Insights resource

Scaling parameters

Azure Container Apps allow for flexible scaling customization. In Invictus we have provided default scaling values which can be customized according to your scenario.

Container Apps have the ability to scale down to zero replicas. This is a great cost-saving option especially for components which are not used at all. An Azure Container App scaled to zero will automatically scale out when triggered, however this may take up to a few minutes to complete. This could prove to be an issue in scenarios with limited timeout e.g. logic apps with 120 seconds timeout. In such cases there is no option but to set a minimum replica count of 1.

Parameter	Required
dashboardScaling	No
dashboardGatewayScaling	No
cacheImportJobScaling	No
dbImportJobScaling	No
datafactoryReceiverScaling	No
flowhandlerScaling	No
genericReceiverScaling	No
httpReceiverScaling	No
importJobScaling	No
storeImportJobScaling	No

Each of the above parameters accepts an object:

{
  scaleMinReplicas: int
  scaleMaxReplicas: int
  cpuResources: string
  memoryResources: string
}

Parameter value	Description
scaleMinReplicas	The lowest number of replicas the Container App will scale in to.
scaleMaxReplicas	The highest number of replicas the Container App will scale out to.
cpuResources	The amount of cpu resources to dedicate for the container resource. See here for allowed values.
memoryResources	The amount of memory resources to dedicate for the container resource. See here for allowed values.