< Previous Challenge - Home - Next Challenge >
As per the diagram below, the TollBooth application is composed of multiple Azure “Platform As A Service” (aka PaaS) services including:
The TollBooth application’s Azure Function source code is just one piece of the overall solution. That code depends on each of these PaaS services being deployed in Azure and configured properly.
In this challenge, you must provision & configure each of the PaaS resources in Azure before you can start developing & deploying the TollBooth application’s Azure Functions code in the next challenge. Each of the Azure PaaS services have secrets that the Azure Function application code needs to access those services. You will also configure Key Vault to host those secrets and grant permission to the Azure Function application so it can access those keys.
While deploying each resource is a challenge in and of itself, there are two high-level tasks for this challenge:
In this challenge, you will provision a blob storage account using the Hot tier, and create two containers within to store uploaded photos and exported CSV files. You will then provision two Function Apps instances, one you will host the “App” function code, and one will host the “Events” function code. Next, you will create a new Event Grid topic. After that, you will create an Azure Cosmos DB account with two collections. Then, you will provision a new Cognitive Services Computer Vision API service (aka Azure AI Vision Service) for applying object character recognition (OCR) on the license plates. Lastly, you will implement Key Vault for secure some of the resource keys.
TIP: It is recommended that you ensure all resources use the same resource group for easier cleanup.
TIP: Deploy resources in the same region as the resource group.
TIP: Remember that some resources need to have unique names.
TIP: Record names and keys as you go, you will need these later.
You can deploy the resources however you like (Azure Portal, Bicep, Azure CLI, Terraform, etc). However, it is a good idea to use the Azure Portal so that you can learn the available settings for each resource.
Create the resources in Azure according the following specifications:
LicensePlates
Processed
/licensePlateText
LicensePlates
NeedsManualReview
/fileName
images
export
App
in the name)
Events
in the name)
Each of the Azure PaaS services have secrets that the Azure Function application code needs to access those services. The easy thing would be to just put those secrets in the source code so the functions can access each service. However, the easy way is rarely the CORRECT way to do things.
NOTE: Placing secrets in plain-text code files could result in your company or organization being in the news headlines for all the wrong reasons.
It is a best practice to store secrets in a key management service like Azure Key Vault, and then have the application request those secret values from Key Vault on demand as needed. This solution has multiple benefits, including:
With the Key Vault you created above, you will need to complete the following tasks:
Secret Name | Value |
computerVisionApiKey |
Computer Vision API key |
eventGridTopicKey |
Event Grid Topic access key |
cosmosDBAuthorizationKey |
Cosmos DB Primary Key |
cosmosDBConnectionString |
Cosmos DB Primary Connection String |
blobStorageConnection |
Blob storage connection string |
HINT: You have to configure a Managed Identity for the Function to be able to read from the Key Vault secrets using Azure RBAC.
HINT: Secrets can be referenced in Azure Portal using a specially formatted Secret URI. Also, the Secret URI must finish with a trailing “/” when not referring a version. For example: @Microsoft.KeyVault(SecretUri=https://wth-serverless-kv.vault.azure.net/secrets/blobStorageConnection/)
HINT: Configure the RBAC role “KeyVault Administrator” for yourself, to read and write secrets via the portal, which is a more privileged role than the “KeyVault Secrets User” role that the functions will use to just read secrets using a Managed Identity.