Bicep Application Gateway

[aqibismail2024]

Issue During the deployment of a child resource within a parent environment, such as deploying a pre-production environment to share resources with the production environment, an observation has been made wherein the configuration of the shared Application Gateway gets replaced with the configuration of the child resources configuration.

The suggested solution involves consolidating both pre-production and production configurations into the same script to mitigate this issue. However, this approach becomes challenging when managing multiple environments, as encountered in scenarios where 3-4 environments share resources.

To Reproduce Steps to reproduce the behavior:

1. Create an application gateway in Bicep with the required configuration.
2. Deploy the 'parent' resources application gateway.
3. Modify the values within the application gateway to accommodate the child environment.
4. Redeploy the application gateway, resulting in the replacement of the parent application gateway configuration with the new configuration.

Additional context Efforts are aimed at avoiding reliance on additional scripting outside of Bicep.

[ahelland]

"deploying a pre-production environment to share resources with the production environment" - optimizing for cost and not separation of duties are we? :)

Application Gateway is no fun to work with in IaC, but that is primarily a resource provider issue not Bicep.

If you're not able to do a big bang deployment upfront with all the configs and need to break it up the flow is generally:

• Create AGW
• Import AGW
• Apply new settings combining with the pre-existing values you imported.

If you have nonprod and prod you could of course do the import and re-apply expanded into several steps which is going to be a brittle process. (So, I don't recommend that.)

Depending on the complexity of the config you could duplicate across deployment pipelines:

• www-prod.contoso.com frontend pointing to prod.contoso.local on the backend
• www-nonprod.contoso.com frontend pointing to nonprod.contoso.local on the backend.

This way they will not break each other. (Maybe even move into a shared pipeline since the resource is shared.)

Or create x number of gateways and just template the Bicep to work across environment if you're not that cost sensitive.

Since you're not sharing specifics it's hard for me to into detail on what works and what doesn't, but that's my general take on it.