Last updated on Jan 12, 2026

Version: 1.0.0

Deployment Runbook

✅ Prerequisites

Before running the scripts:

1. Azure CLI

Azure CLI installed (latest recommended)
Logged in:

az login
az account show

2. Permissions

Contributor or Owner on the target subscription
Permission to create:
- VNet / Subnets
- Application Gateway
- Container Apps
- Private Endpoints
- Redis / Mongo

3. DNS / Domain (optional at bootstrap)

Decide your public domain (e.g. api.eqvn.com)
DNS mapping will eventually be:

APP_PUBLIC_DOMAIN  --->  APPGW_PUBLIC_FQDN

You can leave placeholder values during infra bootstrap.

4. TLS Certificate (PFX) for HTTPS

Prepare a valid PFX certificate for the public domain.
Store it securely (local path or pipeline secret mount).
Configure in 00_config.sh:

APPGW_PFX_PATH="path/to/your.pfx"
APPGW_PFX_PASSWORD="your-pfx-password"

⚠️ Do NOT commit real passwords into git. Use pipeline secret injection when possible.

5. Network Access

Outbound access to:
- management.azure.com
- login.microsoftonline.com
- *.azure.com
Corporate proxy configured if required.

EQ-PROD Azure Container Apps deployment scripts

📘 Configuration documentation

00_config.sh has grown over time. Use CONFIG.md to understand all variables and what you need to set.

CONFIG.md — human-readable config reference
00_config.sh — the actual values used by scripts

Do not commit secrets into 00_config.sh. Provide secrets via pipeline/env vars.

🔧 Make scripts executable (required once after unzip)

After extracting the package, run:

cd eq-prod-aca-deployment-scripts
chmod +x *.sh

Verify permissions:

ls -l *.sh

You should see executable flags (x) on all scripts.

If you are running on Windows PowerShell, use:
bash 01_rg.sh
instead of executing directly.

This folder is a section-by-section Bash package derived from your EQ-QA runbook and EQ-QA RG export.

What these scripts implement (from your docs)

Naming conventions like <branch>-<env>-resgroup and <branch><env>acr fileciteturn1file0L21-L48
VNET + delegated AppTier subnet for ACA Environment fileciteturn1file3L11-L22
ACA Environment creation with --internal-only true fileciteturn1file3L41-L44
AppGW WAF_v2 creation and cleanup steps fileciteturn1file2L1-L95
EQ-QA export references host-based listeners for:
- eq-qa.appvity.com
- eqservices-qa.appvity.com fileciteturn1file5L18-L45
Container Apps ports/images/volume mounts taken from EQ-QA export fileciteturn1file9L50-L87

How to run (recommended order)

Edit config once:
- 00_config.sh (already set with your names: eqvnacr, eqvnkv, eqvnstorage)
Export subscription id:
- `
Execute:
- bash 01_rg.sh
- bash 02_storage.sh
- bash 03_keyvault.sh
- bash 04_acr.sh
- bash 05_vnet_subnets.sh
- bash 06_log_aca_env.sh
- bash 07_storage_share.sh
- bash 10_containerapps_create.sh
- bash 11_identities_and_acr_pull.sh
- bash 12_apps_update_images_envs.sh
App Gateway:
- bash 13_appgw_create.sh
- export CERT_PFX_PATH="/path/to/prod.pfx"
- export CERT_PFX_PASSWORD="..."
- bash 14_appgw_config_backend.sh

Notes

Redis: EQ-QA export shows Redis Enterprise resources, while the DOCX uses classic az redis create. Script 08a_azure_cache_for_redis.sh or 08b_redis_enterprise.sh includes both options but leaves them commented until you choose.

MongoDB (vCore)

Run export MONGO_VCORE_ADMIN_PW='...' then bash 09_mongo_vcore.sh to create Cosmos DB for MongoDB vCore + Private Endpoint + DNS (mongocluster zone only).
Mongo vCore is deployed in eastasia.

App Gateway URL path map

Run bash 14_appgw_config_backend.sh (creates HTTPS listener)
Then run bash 15_appgw_url_path_map.sh to configure EQ-QA style path-based routing:
- /ups/, /numbering-service/, /ns-websocket/, /ns-mail/
- default -> backend-api

🍃 Mongo vCore note (schema quirks)

Even when you “don’t want HA”, some API versions require HA-related fields. The script 09_mongo_vcore.sh will:

send highAvailability.targetMode=Disabled for new-schema API versions
send nodeGroupSpecs.enableHa=false + diskSizeGB=<size> for old preview API versions

So it is still a no-HA deployment, but satisfies schema validation.

Config note: Edit all environment-specific values directly in 00_config.sh (USER EDITABLE VARIABLES section). No need to export variables manually before running scripts.

🌐 Domain configuration

Public access is via Application Gateway only.

Configure these in 00_config.sh (USER EDITABLE VARIABLES):

APP_PUBLIC_DOMAIN
Your public DNS name (e.g. api.eqvn.com).
APPGW_PUBLIC_FQDN
Azure-assigned FQDN of the Application Gateway
(e.g. eq-prod-appgw.southeastasia.cloudapp.azure.com).

DNS mapping:

APP_PUBLIC_DOMAIN  --->  APPGW_PUBLIC_FQDN

Used later for:

TLS certificate binding
Health probes
External validation

🧭 Architecture & Design Overview

For conceptual architecture and deployment philosophy, see:

👉 OVERVIEW.md

This explains how the platform is structured and how environments are modeled.

🏛 Architecture Diagrams

Detailed system architecture and diagrams are available in:

👉 ARCHITECTURE.md

🔧 Configure BRANCH / ENV

Edit 00_config.sh and set:

BRANCH = EQ / P2P / ...
ENV = DEV / QA / STAGE / PROD

Per-environment resources are derived from <branch>-<env> (lowercase).

✅ Prerequisites​

1. Azure CLI​

2. Permissions​

3. DNS / Domain (optional at bootstrap)​

4. TLS Certificate (PFX) for HTTPS​

5. Network Access​

EQ-PROD Azure Container Apps deployment scripts

📘 Configuration documentation​

🔧 Make scripts executable (required once after unzip)​

What these scripts implement (from your docs)​

How to run (recommended order)​

Notes​

MongoDB (vCore)​

App Gateway URL path map​

🍃 Mongo vCore note (schema quirks)​

🌐 Domain configuration​

🧭 Architecture & Design Overview​

🏛 Architecture Diagrams​

🔧 Configure BRANCH / ENV​