AzDO merge for branch azdo-pre-release-3223 #24
Merged
katriendg merged 6 commits into pre-release from Sep 1, 2025
Conversation
…nd update conditions fo...

**PR to merge main to pre-release**

feat(pipeline): add pre-release stage and update conditions for PR builds

- Include pre-release branch in triggers
- Define pre-release build stage with specific conditions
- Adjust PR build conditions to exclude pre-release branch

----

#### AI description (iteration 1)

#### PR Classification

New feature enhancing the pipeline by adding a pre-release build stage and refining build conditions.

#### PR Summary

This PR introduces a dedicated pre-release stage to support a new branch structure for preview features while updating the PR build conditions to exclude pre-release builds.

- `/azure-pipelines.yml`: Added the "Pre-Release Build" stage with a MegaLinter job and a condition to run for the pre-release branch.
- `/azure-pipelines.yml`: Introduced the `isPreRelease` variable and updated the PR stage condition and branch trigger to account for the pre-release branch.

Related work items: #1305

----

#### AI description (iteration 1)

#### PR Classification

This pull request introduces a new feature by enhancing the CI/CD pipeline to support a pre-release branch structure.

#### PR Summary

The changes add a dedicated pre-release build stage and update branch handling in the pipelines to enable preview feature development without affecting the main branch. Key updates include:

- Updates in `/.azdo/pipelines/github-pull.yml` to parameterize branch names (using `sourceBranch`) and switch the repository directory from `Iac-for-the-Edge` to `edge-ai`.
- Modifications in `azure-pipelines.yml` to add a new PreRelease stage, update trigger conditions, and define the `isPreRelease` variable.
- Changes in `/.azdo/pipelines/github-push.yml` to adjust branch naming and PR creation logic for both main and pre-release branches.

Related work items: #1305
…025-07-01-preview API (pre-release branch)

PR into `pre-release` branch, not `main` as it's not on GA track yet.

This pull request upgrades Azure IoT Operations components to use the latest 2025-07-01-preview API version and introduces ADR (Azure Device Registry) Namespace support for improved asset and device management.

- **feat**(_iot-ops_): upgraded API version from 2025-04-01 to 2025-07-01-preview for all Azure IoT Operations resources including instances, brokers, dataflow profiles, and endpoints
- **feat**(_data_): added ADR Namespace module with messaging endpoint configuration, managed identity support, and flexible parameter options for namespace creation and management
- **feat**(_iot-ops_): integrated ADR Namespace support into IoT Operations instances with conditional reference handling and updated OPC UA Simulator to use new device-based endpoint configuration
- **feat**(_iot-ops_): enhanced broker configuration with persistence support for disk-backed message storage, including encryption, retention policies, and dynamic control settings
- **fix**(_messaging_): updated API version for Event Grid and Event Hub dataflow endpoints to 2025-07-01-preview for consistency with other IoT Operations components
- **fix**(_iot-ops_): updated extension versions across components - AIO extension to 1.2.36 preview, Container Storage to 2.6.0, AIO Platform to 0.7.25, and Secret Store to 0.10.0
- **fix**(_observability_): upgraded Grafana major version from 10 to 11 for improved monitoring capabilities
- **fix**(_bicep_): added location parameter to attribution resources and corrected network security group resource reference from creation to existing

## Important

- All blueprints now include shouldCreateAdrNamespace parameter set to true by default to enable the new namespace functionality
- Extension version updates may require cluster restart or re-deployment depending on the specific component

🚀 - Generated by Copilot

----

#### AI description (iteration 1)

#### PR Classification

This pull request upgrades Azure IoT Operations to the 2025-07-01-preview API and integrates ADR Namespace support across the Bicep IaC templates.

#### PR Summary

The changes update multiple IaC and blueprint modules to use the new preview API while adding ADR Namespace functionality and new type definitions for broker persistence. Key changes include:

- **`src/100-edge/110-iot-ops/bicep/types.bicep`** – Added new type definitions (e.g., BrokerPersistence, ADR Namespace messaging types) and updated extension versions.
- **`src/000-cloud/030-data/bicep/modules/adr-namespace.bicep`** – Introduced a new module for deploying an ADR Namespace.
- **IoT Ops module files (e.g., `iot-ops-instance.bicep`, `opc-ua-simulator-asset.bicep`)** – Updated API versions from 2025-04-01 to 2025-07-01-preview and integrated new ADR Namespace parameters and outputs.
- **Blueprint README and main blueprint files** – Revised parameters, outputs, and defaults (including Grafana version bump from 10 to 11) to reflect th...
…ons to version 2507 (pre-release branch)

**Note**: This is a merge to `pre-release` branch.

This Terraform focused IaC update introduces support for Azure IoT Operations version 2507 with the new namespaced Device Registry model, enhancing asset and device management capabilities while maintaining backward compatibility with legacy configurations.

- **feat**(_iot-ops_): Upgrade AIO instance version from 1.1.59 (integration) to 1.2.36 (preview) and API version from 2025-04-01 to 2025-07-01-preview
- **feat**(_iot-ops_): Add MQTT broker persistence configuration support with comprehensive settings for retention policies, state store configurations, subscriber queue policies, and persistent volume claim specifications
- **feat**(_data_): Introduce Azure Device Registry namespace module with messaging endpoints configuration and system-assigned identity support
- **feat**(_assets_): Implement namespaced Device Registry model with new device and asset resources alongside legacy asset endpoint profiles for backward compatibility
- **feat**(_messaging_): Update dataflow endpoint API versions from 2024-11-01 to 2025-07-01-preview for Event Grid, Event Hub, and Fabric RTI components
- **feat**(_terraform_): Update component versions including Edge Storage Accelerator (2.5.3 → 2.6.0) and Secret Sync Controller (0.9.4 → 0.10.0)
- **refactor**(_blueprints_): update all blueprint configurations to utilize namespaced devices and assets while maintaining backward compatibility with legacy asset endpoint profiles for existing deployments. All blueprints also use new variables for ADR namespace integration.

## Important

- **Breaking Change**: The new namespaced Device Registry model introduces different variable structures for devices and assets. All new deployments only expose and create the new types.
- **Backward Compatibility**: Legacy asset endpoint profiles and assets remain supported for existing deployments, though not exposed directly by the blueprints, just via the components.
- **API Version Change**: Azure IoT Operations now uses 2025-07-01-preview API version which requires schema validation to be disabled when using `azapi` in Terraform

## Follow-up Tasks

- Update deployment documentation to reflect the new namespaced Device Registry model
- Consider migration path for existing deployments using legacy asset configurations
- Validate schema validation re-enablement when azapi provider supports 2025-07-01-preview

- Generated by Copilot

----

#### AI description (iteration 1)

#### PR Classification

This pull request upgrades the Azure IoT Operations Terraform components and blueprints to version 2507 in the pre-release branch.

#### PR Summary

The changes update resource API versions and configuration logic for IoT Operations, transition legacy asset definitions to a new namespaced model, and add support for deploying an Azure Device Registry namespace.

- **`src/100-edge/110-iot-ops/terraform/modules/iot-ops-instance/main.tf`**: Updated API version references from “202...
…or secret sync to instance assignment for 2507 pre-release

**Note: this is a PR to `pre-release` branch**

This pull request consolidates secret synchronization functionality and fixes several deployment issues across Azure IoT Operations Bicep templates and Terraform modules. The Secret sync for pre-release has changes detected in CLI and new Instance assignment (`defaultSecretProviderClassRef`) missed in the initial pre-release implementation. For Bicep only, the changes streamline the architecture by eliminating the separate post-deployment module and integrating all secret sync functionality directly into the main IoT Operations instance module.

- **fix**(_iot-ops_): Integrated secret provider class creation into the main IoT Operations instance module, removing the separate iotOpsInstancePost module for better maintainability and addressing interdependencies
- **feat**(_iot-ops_): Wired the Secret Provider Class (SPC) into the AIO Instance through the defaultSecretProviderClassRef.resourceId property to enable proper secret synchronization
- **fix**(_iot-ops_): Enhanced output safety by implementing null-coalescing operators for all module outputs to handle optional properties gracefully and prevent deployment failures
- **feat**(_iot-ops_): Updated Terraform Secret Provider Class naming to use generated SPC name based on cluster, resource group, and instance name hash for consistency with Azure IoT Operations CLI patterns
- **fix**(_blueprints_): Added missing location property to attribution deployments in blueprint main.bicep files to ensure proper resource attribution
- **fix**(_kubernetes_): Corrected network security group resource declaration from creation to existing reference in network.bicep module

## Notes

- The iotOpsInstancePost module has been completely removed as its functionality is now handled within the main iot-ops-instance.bicep module
- Federated identity credentials for both SSE and AIO service accounts are now created within the consolidated module
- All blueprint README files have been cleaned up to remove references to the deprecated Bicep iotOpsInstancePost module

🔧 - Generated by Copilot

----

#### AI description (iteration 1)

#### PR Classification

This pull request is a bug fix that addresses the missing secret provider class reference for IoT Operations secret sync in the 2507 pre-release.

#### PR Summary

The changes consolidate secret sync logic by removing the obsolete iotOpsInstancePost module and integrating default secret provider class assignment into the main IoT Operations module while improving output handling and configuration parameters.

- `src/100-edge/110-iot-ops/bicep/main.bicep`: Updated output expressions with null-safe operations and refined deployment conditions.
- `src/100-edge/110-iot-ops/bicep/modules/iot-ops-instance.bicep`: Added secret sync parameters and resources (federated identity credentials and a default secret provider class) to set the missing defaultSecretProviderClassRef.
- `src/100-edge/110-iot-ops/terraform/modules/iot-ops-i...
katriendg
approved these changes
Sep 1, 2025
Collaborator
katriendg
left a comment
Pre-release approve merge
WilliamBerryiii
pushed a commit
that referenced
this pull request
Apr 17, 2026
…ources

## Summary

Add diagnostic settings across blueprint resources, per CRISP security review findings LT-4 (Medium). Supports Threat #24: Insufficient logging and monitoring.

Defender for Cloud (LT-1) is intentionally **not** managed here — it's subscription-scoped and should be enforced via Azure Policy by platform teams.

### Changes

**Diagnostic Settings (LT-4)** — `azurerm_monitor_diagnostic_setting` in each component:

- **Key Vault**: AuditEvent + AllMetrics
- **ACR**: ContainerRegistryRepositoryEvents, ContainerRegistryLoginEvents + AllMetrics
- **Event Grid**: allLogs + AllMetrics
- **Event Hubs**: allLogs + AllMetrics

### Scope

- Components: `010-security-identity`, `060-acr`, `040-messaging`
- Blueprints: full-single-node, full-multi-node, azure-local, only-cloud, robotics
- 19 files changed, 227 insertions

### Design Decisions

- Diagnostics gated by `should_enable_diagnostic_settings` (bool) + `log_analytics_workspace_id` — enabled automatically when blueprints wire observability
- Component-level ownership: each module manages its own diagnostic settings
- Defender left to Azure Policy to avoid subscription-scoped side effects on `terraform destroy`

### Deploy Validation (2026-04-08)

Rebased on `dev` and deployed 3 affected blueprints in parallel:

| Blueprint | Region | Diagnostic Settings | Result |
|---|---|---|---|
| full-single-node-cluster | eastus2 | ✅ KV, ACR, EG, EH | All diagnostic resources created. IoT Ops proxy timeout (pre-existing) |
| only-cloud-single-node-cluster | westus2 | ✅ ACR, EG, EH | All diagnostic resources created. KV contacts timeout (pre-existing transient) |
| robotics | westus3 | ✅ ACR, EG, EH, KV | All diagnostic resources created. Grafana SSL EOF (pre-existing transient) |

All diagnostic settings deployed successfully. All failures are pre-existing environmental issues unrelated to this change.

Skipped: `full-multi-node-cluster` (pre-existing count issue), `azure-local` (requires HCI hardware).

Fixes AB#1984

----

#### AI description (iteration 5)

#### PR Classification

Feature enhancement to add diagnostic settings for Azure blueprint resources (ACR, Key Vault, Event Grid, Event Hubs) to address CRISP security findings LT-4 regarding insufficient logging and monitoring.

#### PR Summary

This PR implements diagnostic settings across Key Vault, ACR, Event Grid, and Event Hubs modules to enable audit logging and metrics collection to Log Analytics workspaces, addressing security compliance gaps. All changes are gated by optional variables and wire the Log Analytics workspace ID from observability modules through blueprint configurations.

- Added `azurerm_monitor_diagnostic_setting` resources in `main.tf` files for Key Vault (AuditEvent), ACR (ContainerRegistryRepositoryEvents, ContainerRegistryLoginEvents), Event Grid (allLogs), and Event Hubs (allLogs) with AllMetrics enabled
- Introduced `log_analytics_workspace_id` and `should_enable_diagnostic_settings` variables across all affected modules ...
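To make the gating pattern in that commit concrete, here is an added Terraform illustration (not the edge-ai repository's own module code) of the Key Vault diagnostic setting: `count` is driven by the boolean flag, which is known at plan time, and a precondition rejects "diagnostics on, no workspace" instead of creating a setting with no sink. The two variable names follow the commit; the Key Vault resource, its placeholder values, and the azurerm 3.x/4.x provider schema are assumptions.

```hcl
# Added example, not the repository's module: Key Vault diagnostic setting
# gated by a plan-time boolean plus a Log Analytics workspace id.
variable "should_enable_diagnostic_settings" {
  type    = bool
  default = false
}

# Wired in by the blueprint from the observability module; null when off.
variable "log_analytics_workspace_id" {
  type    = string
  default = null
}

# Hypothetical Key Vault owned by this component (placeholder names).
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "main" {
  name                = "kv-example-placeholder"
  location            = "eastus2"
  resource_group_name = "rg-example-placeholder"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

resource "azurerm_monitor_diagnostic_setting" "key_vault" {
  # Gate on the bool only: it is known at plan time, while a workspace id
  # from another module's output may not be, and count must be known at plan.
  count = var.should_enable_diagnostic_settings ? 1 : 0
  name                       = "diag-kv-law"
  target_resource_id         = azurerm_key_vault.main.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  # AuditEvent records every data-plane operation (secret/key/certificate
  # get, set, delete) together with the caller identity.
  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }

  lifecycle {
    # Reject "diagnostics on, no sink" at plan time rather than at apply.
    precondition {
      condition     = var.log_analytics_workspace_id != null
      error_message = "should_enable_diagnostic_settings requires log_analytics_workspace_id."
    }
  }
}
```

The same shape applies to the ACR, Event Grid and Event Hubs settings in the commit, with `enabled_log` categories swapped for the ones listed in the table above.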
Sync from AzDO - IaC for the Edge repo having the following changes: Merged PR 430: fix(iot-ops): Pre-release update Terraform and Bicep for secret sync to instance assignment for 2507 pre-release