Migrating to Invictus for Azure v6
In v6 we uses containerized API's instead of Web API's and Azure Functions. This means that the endpoints for the Dashboard and API's such as the PubSub and Transco components changes.
The PubSub v1, Transco v1 and Matrix v1 components are not available anymore in v6.
Preparing Environment
Create new Azure DevOps variable libraries for Invictus for Azure v6
Create new/independent Azure DevOps variable libraries to support the coexistence of both old and new versions in the same environment and to ease the migration from one to the other.
If you have a library with the name invictus.{environment} create a new one with the name invictus.containerized.{environment} and change your Invictus for Azure pipelines to use the new libraries.
Create an application registration in Azure Active Directory/Entra ID
Go to Azure Active Directory/Entra ID and create a new application registration for the Invictus for Azure API's. Authentication with the Invictus for Azure API's happens via this application.
Create a new client secret for this application (and save it, as you will need it later).
Deploying New Version
⬇️ Download latest version of
Invictus-GetSources.ps1
Pipeline/Bicep parameters changes, please follow the installation guides to see the current supported parameters:
- Pipelines now requires Ubuntu agent.
- Components are using Azure Container Apps:
- App Scaling: verify if our default app scaling parameters match your need.
- Multiple Revision mode: older revisions could clutter environment. Consider using our revisions clean-up script in an Azure DevOps pipeline.
After Deployment
- 🛡️ Give Invictus access to client's Azure Logic Apps
- 🔀 Update redirect URLs of the app registration (Azure Active Directory/Entra ID login into the Dashboard needs the new Dashboard Gateway URL.)
Update your Azure Logic Apps parameters files
Make sure to update your Logic App parameters files to represent the new components.
"invictus": {
"value": {
"monitoring": {
"eventHub": {
"name": "#{Invictus.Monitoring.EventHub.Name}#",
"accessRuleId": "#{Invictus.Monitoring.EventHub.AccessRuleId}#"
}
},
"framework": {
"pubSub": {
- "v1": {
- "definitionUrl": "#{Invictus.Framework.PubSub.V1.DefinitionUrl}#",
- "publishUrl": "#{Invictus.Framework.PubSub.V1.PublishUrl}#",
- "subscribeUrl": "#{Invictus.Framework.PubSub.V1.SubscribeUrl}#",
- "acknowledgeUrl": "#{Invictus.Framework.PubSub.V1.AcknowledgeUrl}#"
- }
+ "v2": {
+ "publishUrl": "#{Invictus.Framework.PubSub.V2.Publish.Url}#",
+ "subscribeUrl": "#{Invictus.Framework.PubSub.V2.Subscribe.Url}#",
+ "acknowledgeUrl": "#{Invictus.Framework.PubSub.V2.Acknowledge.Url}#"
+ }
},
- "matrix": {
- "v1": {
- "definitionUrl": "#{Invictus.Framework.Matrix.V1.DefinitionUrl}#",
- "matrixUrl": "#{Invictus.Framework.Matrix.V1.MatrixUrl}#",
- "basicMatrixUrl": "#{Invictus.Framework.Matrix.V1.BasicMatrixUrl}#"
- }
- },
"transco": {
- "v1": {
- "definitionUrl": "#{Invictus.Framework.Transco.V1.DefinitionUrl}#",
- "transcoUrl": "#{Invictus.Framework.Transco.V1.TranscoUrl}#"
- }
+ "v2": {
+ "transcoJsonUrl": "#{Invictus.Framework.Transco.V2.TranscoJson.Url}#",
+ "transcoXmlUrl": "#{Invictus.Framework.Transco.V2.TranscoXml.Url}#",
+ "basicMatrixUrl": "#{Invictus.Framework.Transco.V2.MatrixBasicPromote.Url}#"
+ }
}
},
+ "authentication": {
+ "audience": "api://#{Invictus.Containers.Client.Id}#"
+ }
}
}
Update your Azure Logic Apps Invictus API authentication
The Invictus for Azure API's now requires an access token in the Authorization header of the HTTP request instead of a function key. Implement this on the HTTP action in your Logic App as follows:
"authentication": {
"audience": "[parameters('invictus').authentication.audience]",
"identity": "[parameters('infra').managedIdentity.id]",
"type": "ManagedServiceIdentity"
}
In this example we are using a user assigned managed identity (of which we have specified the application ID in the customApplicationIds in the Invictus for Azure pipelines) and using the application id from the newly created app registration as the audience.
Invictus for Azure user assigned managed identity can be auto-created, but keep in mind that Logic Apps only supports a single user assigned managed identity. If you already have one in your environment make sure to keep using that one.
Remove old/unused Azure resources
invictus-{prefix}-dashboardinvictus-{prefix}-dashboardgatewayinvictus-{prefix}-cacheimportjobinvictus-{prefix}-database-storeimportjobinvictus-{prefix}-datafactoryreceiverinvictus-{prefix}-flowhandlerjobinvictus-{prefix}-invictusimportjobinvictus-{prefix}-storeimportjobinvictus-{prefix}-appplan-linuxinvictus-{prefix}-importjobappins
After migrating your Azure Logic Apps to Invictus for Azure v6, you can also remove the following resources:
invictus-{prefix}-matrixappinvictus-{prefix}-pubsubappinvictus-{prefix}-transcoappinvictus-{prefix}-exceptionhandlerinvictus-{prefix}-genericreceiverinvictus-{prefix}-httpreceiverinvictus-{prefix}-pubsub-v2invictus-{prefix}-timesequencerinvictus-{prefix}-regextranslatorinvictus-{prefix}-sequencecontrollerinvictus-{prefix}-transco-v2invictus-{prefix}-xmljsonconverterinvictus-{prefix}-xsdvalidatorinvictus-{prefix}-appplaninvictus-{prefix}-consumptionplan
Remove lingering role assignments
The v6 installation will result in many lingering role assignments named Unknown. You can delete them.
Common Migration Issues
Operating system not supportedYour release pipeline agent must be a linux agent, for example vmImage: 'ubuntu-latest'
Invalid ContainerApp name....The length must be between 2 and 32 characters inclusive.If you are overriding the default app names, the provided name might be too long, as the Azure Container App name limit is lower than for function apps.