README.md

Bicep Deployment

This directory contains the Bicep templates and a deployment script for provisioning Azure services in LocalStack for Azure. For further details about the sample application, refer to the Azure Web App with Custom Docker Image.

Prerequisites

Before deploying this solution, ensure you have the following tools installed:

• LocalStack for Azure: Local Azure cloud emulator for development and testing
• Visual Studio Code: Code editor installed on one of the supported platforms
• Bicep extension: VS Code extension for Bicep language support and IntelliSense
• Docker: Container runtime required for LocalStack and building the custom image
• Azure CLI: Azure command-line interface
• Azlocal CLI: LocalStack Azure CLI wrapper
• jq: JSON processor for scripting and parsing command outputs

Installing azlocal CLI

The deploy.sh Bash script uses the azlocal CLI instead of the standard Azure CLI to work with LocalStack. Install it using:

pip install azlocal

For more information, see Get started with the az tool on LocalStack.

Architecture Overview

The deploy.sh script creates the Azure Resource Group for all the Azure resources. The deployment is split into two Bicep phases with an image push step between them.

First Bicep Deployment

In this phase, the acr.bicep template deploys:

1. Azure Container Registry: A fully-managed container registry service based on the open-source Docker platform used to hold the container image used by the web app.
2. Azure Log Analytics Workspace: Centralizes diagnostic logs and metrics from all resources in the solution.

Container Image Push

After the first Bicep deployment, the script builds the container image locally from the src/Dockerfile and pushes it to the Azure Container Registry.

Second Bicep Deployment

The main.bicep template deploys the remaining resources:

1. Azure Virtual Network: Hosts two subnets:
   • app-subnet: Dedicated to regional VNet integration with the Web App.
   • pe-subnet: Used for hosting Azure Private Endpoints.
2. Azure Private DNS Zone: Handles DNS resolution for the Azure Container Registry Private Endpoint within the virtual network.
3. Azure Private Endpoint: Secures network access to the Azure Container Registry via a private IP within the VNet.
4. Azure NAT Gateway: Provides deterministic outbound connectivity for the Web App. Included for completeness; the sample app does not call any external services.
5. Azure Network Security Group: Enforces inbound and outbound traffic rules across the virtual network's subnets.
6. Azure App Service Plan: The underlying compute tier that hosts the web application.
7. User-Assigned Managed Identity: Assigned the AcrPull role on the Azure Container Registry, enabling the Web App to pull the container image without storing credentials.
8. Azure Web App: Runs the Python Flask application from the custom container image stored in the Azure Container Registry.

The provisioning process assigns the user-defined managed identity to the web app and uses its credentials to access the Azure Container Registry to pull the container image. The AcrPull role is assigned to the managed identity with the Azure Container Registry as the scope.

For more information on the sample application, see Azure Web App with Custom Docker Image.

Configuration

Before deploying the main.bicep template, update the main.bicepparam file with your specific values:

using 'main.bicep'

param prefix = 'local'
param suffix = 'test'
param imageName = 'custom-image-webapp'
param imageTag = 'v1'
param tags = {
  environment: 'test'
  project: 'custom-image-webapp'
}

Provisioning Scripts

See deploy.sh for the complete deployment automation. The script performs:

• Detects environment (LocalStack vs Azure Cloud) and uses appropriate CLI
• Creates resource group if it doesn't exist
• Optionally validates the Bicep template
• Optionally runs what-if deployment for preview
• Deploys acr.bicep to provision the Azure Container Registry and Log Analytics Workspace
• Extracts deployment outputs (ACR name, ACR login server)
• Builds the container image locally and pushes it to the Azure Container Registry
• Deploys main.bicep with parameters from main.bicepparam to provision the remaining resources
• Extracts deployment outputs (Web App name, App Service Plan name, Managed Identity name)

Deployment

You can set up the Azure emulator by utilizing the LocalStack for Azure Docker image. Before starting, ensure you have a valid LOCALSTACK_AUTH_TOKEN to access the Azure emulator. Refer to the Auth Token guide to obtain your Auth Token and specify it in the LOCALSTACK_AUTH_TOKEN environment variable. The Azure Docker image is available on the LocalStack Docker Hub. To pull the Azure Docker image, execute the following command:

docker pull localstack/localstack-azure-alpha

Start the LocalStack Azure emulator using the localstack CLI, execute the following command:

# Set the authentication token
export LOCALSTACK_AUTH_TOKEN=<your_auth_token>

# Start the LocalStack Azure emulator
IMAGE_NAME=localstack/localstack-azure-alpha localstack start -d
localstack wait -t 60

# Route all Azure CLI calls to the LocalStack Azure emulator
azlocal start-interception

Navigate to the bicep folder:

cd samples/web-app-custom-image/python/bicep

Make the script executable:

chmod +x deploy.sh

Run the deployment script:

./deploy.sh

Validation

Once the deployment completes, run the validate.sh script to confirm that all resources were provisioned and configured as expected:

#!/bin/bash
set -euo pipefail

PREFIX='local'
SUFFIX='test'
RESOURCE_GROUP_NAME="${PREFIX}-rg"
ACR_NAME="${PREFIX}acr${SUFFIX}"
MANAGED_IDENTITY_NAME="${PREFIX}-identity-${SUFFIX}"
APP_SERVICE_PLAN_NAME="${PREFIX}-app-service-plan-${SUFFIX}"
WEB_APP_NAME="${PREFIX}-webapp-${SUFFIX}"
VIRTUAL_NETWORK_NAME="${PREFIX}-vnet-${SUFFIX}"
PRIVATE_DNS_ZONE_NAME="privatelink.azurecr.io"
PRIVATE_ENDPOINT_NAME="${PREFIX}-acr-pe-${SUFFIX}"
WEB_APP_SUBNET_NSG_NAME="${PREFIX}-webapp-subnet-nsg-${SUFFIX}"
PE_SUBNET_NSG_NAME="${PREFIX}-pe-subnet-nsg-${SUFFIX}"
NAT_GATEWAY_NAME="${PREFIX}-nat-gateway-${SUFFIX}"
PIP_PREFIX_NAME="${PREFIX}-nat-gateway-pip-prefix-${SUFFIX}"
LOG_ANALYTICS_NAME="${PREFIX}-log-analytics-${SUFFIX}"

# Check resource group
echo -e "[$RESOURCE_GROUP_NAME] resource group:\n"
az group show \
	--name "$RESOURCE_GROUP_NAME" \
	--output table

# Check managed identity
echo -e "[$MANAGED_IDENTITY_NAME] managed identity:\n"
az identity show \
	--name "$MANAGED_IDENTITY_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check App Service Plan
echo -e "\n[$APP_SERVICE_PLAN_NAME] App Service Plan:\n"
az appservice plan show \
	--name "$APP_SERVICE_PLAN_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check Azure Container Registry
echo -e "\n[$ACR_NAME] Azure Container Registry:\n"
az acr show \
	--name "$ACR_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

# Check Azure Web App
echo -e "\n[$WEB_APP_NAME] Web App:\n"
az webapp show \
	--name "$WEB_APP_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query "{name:name, state:state, defaultHostName:defaultHostName, kind:kind}" \
	--output table

# Check App Settings
echo -e "\n[$WEB_APP_NAME] app settings:\n"
az webapp config appsettings list \
	--name "$WEB_APP_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query "[?name=='IMAGE_NAME' || name=='APP_NAME' || name=='WEBSITES_PORT']" \
	--output table

# Check Virtual Network
echo -e "\n[$VIRTUAL_NETWORK_NAME] virtual network:\n"
az network vnet show \
	--name "$VIRTUAL_NETWORK_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Private DNS Zone
echo -e "\n[$PRIVATE_DNS_ZONE_NAME] private dns zone:\n"
az network private-dns zone show \
	--name "$PRIVATE_DNS_ZONE_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--query '{Name:name,ResourceGroup:resourceGroup,RecordSets:recordSets,VirtualNetworkLinks:virtualNetworkLinks}' \
	--output table \
	--only-show-errors

# Check Private Endpoint
echo -e "\n[$PRIVATE_ENDPOINT_NAME] private endpoint:\n"
az network private-endpoint show \
	--name "$PRIVATE_ENDPOINT_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Web App Subnet NSG
echo -e "\n[$WEB_APP_SUBNET_NSG_NAME] network security group:\n"
az network nsg show \
	--name "$WEB_APP_SUBNET_NSG_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Private Endpoint Subnet NSG
echo -e "\n[$PE_SUBNET_NSG_NAME] network security group:\n"
az network nsg show \
	--name "$PE_SUBNET_NSG_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check NAT Gateway
echo -e "\n[$NAT_GATEWAY_NAME] nat gateway:\n"
az network nat gateway show \
	--name "$NAT_GATEWAY_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Public IP Prefix
echo -e "\n[$PIP_PREFIX_NAME] public ip prefix:\n"
az network public-ip prefix show \
	--name "$PIP_PREFIX_NAME" \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table \
	--only-show-errors

# Check Log Analytics Workspace
echo -e "\n[$LOG_ANALYTICS_NAME] log analytics workspace:\n"
az monitor log-analytics workspace show \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--workspace-name "$LOG_ANALYTICS_NAME" \
	--query '{Name:name,Location:location,ResourceGroup:resourceGroup}' \
	--output table \
	--only-show-errors

echo -e "\nResources in [$RESOURCE_GROUP_NAME]:\n"
az resource list \
	--resource-group "$RESOURCE_GROUP_NAME" \
	--output table

Cleanup

To destroy all created resources:

# Delete resource group and all contained resources
az group delete --name local-rg --yes --no-wait

# Verify deletion
az group list --output table

This will remove all Azure resources created by the Bicep deployment script.

Related Documentation

• Azure Bicep Documentation
• Bicep Language Reference
• LocalStack for Azure Documentation