Installing Invictus Dashboard

  1. Prerequisites

    Obtain access Shared

    To access the resources stored on Azure Storage and Azure Container Registry, you have to request a SAS token and ACR password from coditproducts@codit.eu.

    Container revisions

    We use Multiple Revision mode in our Container App deployments, which means that older revisions could clutter the Container App Environment. We provide a clean-up script that should be run after logging in on the correct subscription, but it can be run in Azure DevOps Pipelines as well.

    Include VNET support Shared

    Invictus includes functionality which allows all its resources to run within an Azure Virtual Network (VNET).

    Required deployment

    • An Azure Virtual Network

      • Including two subnets, one each for:
        • Private Endpoints
        • Container App Environment
      • The subnets must have the following services enabled
        • Microsoft.AzureCosmosDB
        • Microsoft.EventHub
        • Microsoft.KeyVault
        • Microsoft.ServiceBus
        • Microsoft.Storage
      • The Container App subnet must also have the delegation Microsoft.App/environments
    • Private DNS Zones (Bicep template)

      • privatelink.azurecr.io
      • privatelink.blob.core.windows.net
      • privatelink.file.core.windows.net
      • privatelink.mongo.cosmos.azure.com
      • privatelink.queue.core.windows.net
      • privatelink.servicebus.windows.net
      • privatelink.table.core.windows.net
      • privatelink.table.cosmos.azure.com
      • privatelink.vaultcore.azure.net
      • privatelink.{regionName}.azurecontainerapps.io
    • To be able to deploy the app code from an Azure DevOps pipeline, you will need a self-hosted agent running on the same VNET with the following software installed:

      • PowerShell
      • Azure PowerShell
      • Bicep CLI

    Required role assignment

    If the Invictus resources and the VNET are in different resource groups, then you need to assign the role of Network Contributor to the Invictus resource group onto the VNET resource group.
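    The subnet, delegation and private DNS zone requirements from the "Required deployment" list can be checked before a deployment is attempted. The PowerShell below is an added example, not part of the Invictus sources; the function names, subnet names, region name and JSON samples are assumptions constructed for illustration.

```powershell
# Added example: offline pre-flight check of the VNET prerequisites listed above.
# $subnetJson and $zoneJson are CONSTRUCTED samples in the shape returned by
# `az network vnet subnet list` and `az network private-dns zone list`.
$requiredEndpoints = @(
    'Microsoft.AzureCosmosDB', 'Microsoft.EventHub', 'Microsoft.KeyVault',
    'Microsoft.ServiceBus', 'Microsoft.Storage')
$requiredDelegation = 'Microsoft.App/environments'

function Get-RequiredDnsZone {
    param([Parameter(Mandatory)][string] $RegionName)
    @('privatelink.azurecr.io', 'privatelink.blob.core.windows.net',
      'privatelink.file.core.windows.net', 'privatelink.mongo.cosmos.azure.com',
      'privatelink.queue.core.windows.net', 'privatelink.servicebus.windows.net',
      'privatelink.table.core.windows.net', 'privatelink.table.cosmos.azure.com',
      'privatelink.vaultcore.azure.net',
      "privatelink.${RegionName}.azurecontainerapps.io")
}

function Test-InvictusVnetPrerequisite {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $Subnets,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]] $DnsZoneNames,
        [Parameter(Mandatory)][string] $PrivateEndpointSubnet,
        [Parameter(Mandatory)][string] $ContainerAppSubnet,
        [Parameter(Mandatory)][string] $RegionName
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($PrivateEndpointSubnet -eq $ContainerAppSubnet) {
        $findings.Add('Private endpoints and the Container App Environment need separate subnets')
    }
    foreach ($name in @($PrivateEndpointSubnet, $ContainerAppSubnet)) {
        $subnet = $Subnets | Where-Object { $_.name -eq $name } | Select-Object -First 1
        if (-not $subnet) {
            $findings.Add("Subnet '$name' was not found in the VNET")
            continue
        }
        # Both subnets need every service endpoint from the list.
        $enabled = @($subnet.serviceEndpoints | ForEach-Object { $_.service })
        foreach ($service in $requiredEndpoints) {
            if ($enabled -notcontains $service) {
                $findings.Add("Subnet '$name' is missing service endpoint $service")
            }
        }
        # Only the Container App subnet needs the delegation.
        if ($name -eq $ContainerAppSubnet) {
            $delegated = @($subnet.delegations | ForEach-Object { $_.serviceName })
            if ($delegated -notcontains $requiredDelegation) {
                $findings.Add("Subnet '$name' is not delegated to $requiredDelegation")
            }
        }
    }
    foreach ($zone in Get-RequiredDnsZone -RegionName $RegionName) {
        if ($DnsZoneNames -notcontains $zone) {
            $findings.Add("Private DNS zone $zone is missing")
        }
    }
    return $findings.ToArray()
}

# Constructed sample: the Container App subnet lacks one endpoint and the delegation.
$subnetJson = @'
[
  { "name": "snet-private-endpoints", "delegations": [],
    "serviceEndpoints": [ {"service": "Microsoft.AzureCosmosDB"}, {"service": "Microsoft.EventHub"},
                          {"service": "Microsoft.KeyVault"}, {"service": "Microsoft.ServiceBus"},
                          {"service": "Microsoft.Storage"} ] },
  { "name": "snet-container-apps", "delegations": [],
    "serviceEndpoints": [ {"service": "Microsoft.AzureCosmosDB"}, {"service": "Microsoft.EventHub"},
                          {"service": "Microsoft.KeyVault"}, {"service": "Microsoft.Storage"} ] }
]
'@
# Constructed sample: the region-specific Container Apps zone has not been created.
$zoneJson = @'
[ {"name": "privatelink.azurecr.io"}, {"name": "privatelink.blob.core.windows.net"},
  {"name": "privatelink.file.core.windows.net"}, {"name": "privatelink.mongo.cosmos.azure.com"},
  {"name": "privatelink.queue.core.windows.net"}, {"name": "privatelink.servicebus.windows.net"},
  {"name": "privatelink.table.core.windows.net"}, {"name": "privatelink.table.cosmos.azure.com"},
  {"name": "privatelink.vaultcore.azure.net"} ]
'@

$check = @{
    Subnets               = @($subnetJson | ConvertFrom-Json)
    DnsZoneNames          = @($zoneJson | ConvertFrom-Json | ForEach-Object { $_.name })
    PrivateEndpointSubnet = 'snet-private-endpoints'
    ContainerAppSubnet    = 'snet-container-apps'
    RegionName            = 'westeurope'
}
$findings = @(Test-InvictusVnetPrerequisite @check)
$findings | ForEach-Object { Write-Warning $_ }
'{0} finding(s)' -f $findings.Count
```

    On the self-hosted agent, the two JSON samples would be replaced with the live output of the `az` commands named in the comments.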

  2. Download

    Include the Dashboard in your release package to deploy the Invictus Dashboard together with your customer solution.

    Save installation script to your repository Shared

    The Invictus-GetSources.ps1 script will pull the latest Invictus resources needed to deploy the Dashboard.

    Add variables to variable group Shared

    Invictus installation requires secrets for authentication. Codit Software provides these for you. Create a variable group for them:

    • {prefix}.Invictus.Installation
      • Invictus.Installation.StorageAccount.Name: invictusreleases
      • Invictus.Installation.StorageAccount.Dashboard.SasToken: value provided by Codit Software
      • Invictus.Installation.StorageAccount.Framework.SasToken: value provided by Codit Software (if you're also deploying the Framework)
      • Infra.Environment.ACRUsername: value provided by Codit Software
      • Infra.Environment.ACRPassword: value provided by Codit Software

    Add YAML build pipeline

    Add a YAML pipeline to build the Invictus for Azure Dashboard. Change the following example file according to your needs, for example change the trigger path:

    paths:
      include:
      - /src/customer.azure.invictus

    Full YAML build pipeline example

    pr: none
    trigger:
      branches:
        include:
        - main
        - feature/*
      paths:
        include:
        - /src/customer.azure.invictus

    parameters:
    - name: Version
      displayName: Invictus Version
      type: string
      default: '*'
    - name: useBeta
      displayName: Use Beta
      type: string
      default: $False

    pool:
      vmImage: 'windows-latest'

    stages:
    - stage: Package
      displayName: Package
      dependsOn: []
      variables:
      # Variable group that holds the storage account name and SAS token provided by Codit Software
      - group: prefix.invictus.installation
      jobs:
      - job: publish
        displayName: Build and Publish Dashboard
        steps:
        - checkout: self
          clean: true
          persistCredentials: true

        # Download the Invictus Dashboard resources into the artifact staging directory
        - task: PowerShell@2
          displayName: 'Pull Invictus sources'
          inputs:
            targetType: filePath
            filePath: './scripts/Invictus-GetSources.ps1'
            arguments: >
              -StorageAccountName '$(Invictus.Installation.StorageAccount.Name)'
              -StorageSasToken '$(Invictus.Installation.StorageAccount.Dashboard.SasToken)'
              -StorageContainerName 'dashboard-v2'
              -SaveLocation '$(Build.ArtifactStagingDirectory)'
              -UseBeta ${{parameters.useBeta}}
              -Version ${{ parameters.version }}

        # Publish the downloaded resources so the release pipeline can deploy them
        - task: PublishPipelineArtifact@1
          inputs:
            TargetPath: $(Build.ArtifactStagingDirectory)
            ArtifactName: dashboard-v2
            publishLocation: 'pipeline'

  3. Deploy

    Create variable group Shared

    Create a variable group (recommended: {prefix}.Invictus.{env}) for each of the environments. The deployment uses this variable group and edits/adds variables based on the Bicep deployment output.

    Permit build service access to variable groups

    Make sure the Project Collection Build Service has Administrator access to these variable groups (Pipelines > Library > Security).

    Use Deploy.ps1 script for deployment

    The Deploy.ps1 PowerShell script is available in the downloaded Invictus sources. This should be the main point of contact for deploying Invictus products.

    Least-privileged Azure role assignments for the deploying identity

    The identity running the Bicep deployment (the service principal used by your Azure DevOps service connection) needs the following least-privileged roles assigned on the target resource group or subscription:

    | Role | Why It's Needed |
    | --- | --- |
    | Container Apps Contributor | Create/update Container Apps environments, apps, authentication configurations and job definitions. |
    | Azure Event Hubs Owner | Create/update Event Hubs namespaces, hubs and network rule sets. |
    | Container Registry Contributor | Create/update Azure Container Registry instances, locks and network settings. |
    | DocumentDB Account Contributor | Create/update Cosmos DB accounts, MongoDB databases and collections. |
    | Managed Identity Contributor | Create/update user-assigned managed identities for Container Apps and functions. |
    | Key Vault Administrator | Create/update Key Vaults, access policies and network ACLs. |
    | Log Analytics Contributor | Create/update Log Analytics workspaces and list workspace keys. |
    | Monitoring Contributor | Create/update Application Insights components and associated locks. |
    | Network Contributor | Create/update private endpoints, VNET subnets and private DNS zone groups. |
    | Reader | Read existing Private DNS zones when linking DNS zone groups for private endpoints. |
    | Service Bus Data Owner | Create/update Service Bus namespaces, queues and network rule sets. |
    | Storage Account Contributor | Create/update storage accounts, file shares, blob and table services. |
    | User Access Administrator | Create role assignments (Microsoft.Authorization/roleAssignments) and resource locks. |
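    The role list above can be compared with what the deploying identity actually holds on the target scope. The PowerShell below is an added example, not part of the Invictus sources; the function names, the subscription ID, the `my-network-rg` resource group and the JSON sample are constructed, and reporting `Owner` and `Contributor` as broader than the list is an assumption of this example.

```powershell
# Added example: compares a deploying identity's role assignments with the role table above.
# $assignmentJson is a CONSTRUCTED sample in the shape returned by
# `az role assignment list --assignee <objectId> --all`.
$requiredRoles = @(
    'Container Apps Contributor', 'Azure Event Hubs Owner', 'Container Registry Contributor',
    'DocumentDB Account Contributor', 'Managed Identity Contributor', 'Key Vault Administrator',
    'Log Analytics Contributor', 'Monitoring Contributor', 'Network Contributor', 'Reader',
    'Service Bus Data Owner', 'Storage Account Contributor', 'User Access Administrator')
# Assumption of this example: these built-in roles are reported as broader than the list.
$broadRoles = @('Owner', 'Contributor')

function Test-ScopeCoversTarget {
    param([string] $AssignmentScope, [string] $TargetScope)
    $assigned = $AssignmentScope.TrimEnd('/')
    $target = $TargetScope.TrimEnd('/')
    # An assignment applies at its own scope and at every child scope beneath it.
    # Management group scopes cannot be resolved offline and are treated as not covering.
    ($target -eq $assigned) -or
        $target.StartsWith("$assigned/", [System.StringComparison]::OrdinalIgnoreCase)
}

function Compare-DeployerRoleAssignment {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]] $Assignments,
        [Parameter(Mandatory)][string] $TargetScope
    )
    $inScope = @($Assignments | Where-Object { Test-ScopeCoversTarget $_.scope $TargetScope })
    $effective = @($inScope | ForEach-Object { $_.roleDefinitionName } | Sort-Object -Unique)
    [pscustomobject]@{
        # Roles from the table that do not apply on the target scope
        Missing    = @($requiredRoles | Where-Object { $effective -notcontains $_ })
        # Roles that grant more than the table asks for
        Broad      = @($effective | Where-Object { $broadRoles -contains $_ })
        # Roles that are neither in the table nor in the broad list
        Unlisted   = @($effective | Where-Object { ($requiredRoles + $broadRoles) -notcontains $_ })
        # Assignments that exist but on a scope that does not cover the target
        OtherScope = @($Assignments |
            Where-Object { -not (Test-ScopeCoversTarget $_.scope $TargetScope) } |
            ForEach-Object { '{0} @ {1}' -f $_.roleDefinitionName, $_.scope })
    }
}

# Constructed sample: 'User Access Administrator' is absent, 'Network Contributor' sits on
# another resource group, and 'Contributor' is granted on the whole subscription.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg = "$sub/resourceGroups/my-client-dev-rg"
$assignmentJson = @"
[
  {"roleDefinitionName": "Container Apps Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Azure Event Hubs Owner", "scope": "$rg"},
  {"roleDefinitionName": "Container Registry Contributor", "scope": "$rg"},
  {"roleDefinitionName": "DocumentDB Account Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Managed Identity Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Key Vault Administrator", "scope": "$rg"},
  {"roleDefinitionName": "Log Analytics Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Monitoring Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Service Bus Data Owner", "scope": "$rg"},
  {"roleDefinitionName": "Storage Account Contributor", "scope": "$rg"},
  {"roleDefinitionName": "Reader", "scope": "$sub"},
  {"roleDefinitionName": "Contributor", "scope": "$sub"},
  {"roleDefinitionName": "Network Contributor", "scope": "$sub/resourceGroups/my-network-rg"}
]
"@

$report = Compare-DeployerRoleAssignment -Assignments @($assignmentJson | ConvertFrom-Json) -TargetScope $rg
$report | Format-List
```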

    Mandatory Parameters

    | Argument name | Description |
    | --- | --- |
    | arcName | The name of the Azure Container Registry to deploy the container images to. (Make sure to also override the containerRegistryName Bicep parameter if you want a custom name.) |
    | acrUsername | The username credential to authenticate the Docker CLI. |
    | acrPassword | The password credential to authenticate the Docker CLI. |
    | resourcePrefix | Prefix used for deployed Azure resources (ex. invictus-{prefix}-vlt) |
    | resourceGroupName | Name of the Azure resource group where Invictus deploys to. |
    | variableGroupName | DevOps variable group to write the Bicep outputs to (ex. Invictus_CosmosDb_DbName) |
    | azureActiveDirectoryClientId | See Microsoft Entra ID Setup if enabled. |
    | azureActiveDirectoryTenantId | See Microsoft Entra ID Setup if enabled. |
    | azureActiveDirectoryClientSecret | See Microsoft Entra ID Setup if enabled. |
    | azureActiveDirectoryAudience | See Microsoft Entra ID Setup if enabled. |
    | performSqlDataMigration | If the value is 1, the data migration process will run, migrating SQL data to Cosmos DB. If the value is 0, the installation skips this process. See the migration guide for more details. Once the installation has performed the data migration and you have verified the outcome, set this value to 0 so the installation skips the migration process for all future deployments. |
    | flowDataTTLInDays | Number of days flow traces can live in the database. See import flow traces. |
    | isProvisionedCosmos | If the value is 1, the installation deploys a Cosmos DB with provisioned throughput. Otherwise, a serverless Cosmos DB. How to choose between provisioned and serverless. |
    | identityProviderApplicationId | See Container Authentication. |
    | identityProviderClientSecret | See Container Authentication. |
    | useBeta | Indicates the environment of the Azure Container App registry where the deployment gets its container images. |

    Optional Parameters

    | Argument name | Default value | Description |
    | --- | --- | --- |
    | artifactsPath | $PSScriptRoot | Path on the DevOps agent where you downloaded the Invictus artifacts (publish and download build artifacts) |
    | resourceGroupLocation | 'West Europe' | Azure location where you want the Invictus resources deployed. |
    | isAdDisabled | False | Boolean flag to activate Entra ID authentication in the Dashboard. |
    | additionalTemplateParameters | [] | Optional named parameters for the Bicep template you wish to override. More on this below. |
    | version | latest | Version of the published Invictus artifacts that the deployment should download and deploy on the client environment. |

    Full YAML task example

    - task: AzureCLI@2
      displayName: 'Azure CLI'
      env:
        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
      inputs:
        azureSubscription: '[YOUR_SERVICE_CONNECTION]'
        scriptType: 'pscore'
        scriptLocation: 'inlineScript'
        inlineScript: |
          # Determine where the provided Invictus 'Deploy.ps1' script is located
          $artifactsPath = '$(Pipeline.Workspace)' + '/_build/dashboard'
          $scriptPath = $artifactsPath + '/Deploy.ps1'

          # The '<pass>' values are placeholders: pass secrets from a variable group,
          # for example $(Infra.Environment.ACRPassword), instead of writing them in the YAML.
          & $scriptPath `
            -artifactsPath $artifactsPath `
            -acrPath 'invictusreleases.azurecr.io' `
            -useBeta $false `
            -acrUsername 'admin' `
            -acrPassword '<pass>' `
            -resourcePrefix 'dev' `
            -resourceGroupName 'my-client-dev-rg' `
            -variableGroupName 'My.Client.Dev' `
            -performSqlDataMigration 0 `
            -isProvisionedCosmos 0 `
            -azureActiveDirectoryClientId '4b559bfb-871a-4013-bce9-829e3aeb6bdd' `
            -azureActiveDirectoryTenantId '97a944a1-04a0-45d2-b2f3-c424755c4167' `
            -azureActiveDirectoryClientSecret '<pass>' `
            -azureActiveDirectoryAudience 'https://contoso.com' `
            -identityProviderApplicationId 'c84d34ea-f169-4787-a4af-81750debda0b' `
            -identityProviderClientSecret '<pass>' `
            -flowDataTTLInDays 90

    Full YAML release pipeline example

    pr: none
    trigger: none

    resources:
      pipelines:
        # Name of the pipeline resource inside this workflow. Used to reference the pipeline resources later on (e.g. download artifacts).
      - pipeline: _build
        # Name of the pipeline in Azure Pipelines
        source: 'customer.azure.invictus.dashboard.build'
        trigger: true

    parameters:
    - name: "Version"
      type: string
      default: "latest"
    - name: "UseBeta"
      type: string
      default: "$false"

    pool:
      vmImage: 'ubuntu-latest'

    stages:
    - stage: deploy_dev
      displayName: 'Deploy to Development'
      variables:
      - group: infra.dev
      - group: prefix.invictus.dev
      - group: prefix.invictus.installation
      jobs:
      - deployment: deploy_development
        displayName: 'Deploy to Development'
        environment: Development
        strategy:
          runOnce:
            deploy:
              steps:
              - download: '_build'
                displayName: Download Artifact
              - task: AzureCLI@2
                env:
                  SYSTEM_ACCESSTOKEN: $(System.AccessToken)
                inputs:
                  azureSubscription: 'NameOfYourServiceConnection'
                  scriptType: 'pscore'
                  scriptLocation: 'scriptPath'
                  ScriptPath: '$(Pipeline.Workspace)/_build/dashboard-v2/Deploy.ps1'
                  ScriptArguments: >-
                    -version ${{parameters.Version}} -useBeta ${{parameters.UseBeta}}
                    -acrPath "invictusreleases.azurecr.io"
                    -acrUsername $(Infra.Environment.ACRUsername)
                    -acrPassword $(Infra.Environment.ACRPassword)
                    -resourcePrefix $(Infra.Environment.ResourcePrefix)
                    -artifactsPath $(Pipeline.Workspace)/_build/dashboard-v2
                    -resourceGroupName $(Infra.Environment.ResourceGroup)
                    -variableGroupName invictus.$(Infra.Environment.ShortName)
                    -devOpsObjectId "$(Infra.DevOps.Object.Id)"
                    -azureActiveDirectoryClientId "$(Infra.AzAD.Client.Id)"
                    -azureActiveDirectoryTenantId "$(Infra.DevOps.Tenant.Id)"
                    -azureActiveDirectoryClientSecret "$(Infra.AzAD.Client.Secret)"
                    -azureActiveDirectoryAudience "$(Infra.AzAd.Audience)"
                    -identityProviderApplicationId "$(Infra.AzAD.Client.IdentityProviderApplicationId)"
                    -identityProviderClientSecret "$(Infra.AzAD.Client.IdentityProviderClientSecret)"
                    -performSqlDataMigration 0 -isProvisionedCosmos 0 -flowDataTTLInDays 90
                    -containerAppsEnvironmentLocation "$(Infra.Environment.ContainerAppsEnvironmentLocation)"

    - stage: deploy_prd
      displayName: 'Deploy to Production'
      # dependsOn must name a stage defined in this file; add a deploy_acc stage between
      # development and production if you have an acceptance environment.
      dependsOn: deploy_dev
      variables:
      - group: infra.prd
      - group: prefix.invictus.prd
      - group: prefix.invictus.installation
      jobs:
      - deployment: deploy_prd
        displayName: 'Deploy to Production'
        environment: Production
        strategy:
          runOnce:
            deploy:
              steps:
              - download: '_build'
                displayName: Download Artifact
              - task: AzureCLI@2
                env:
                  SYSTEM_ACCESSTOKEN: $(System.AccessToken)
                inputs:
                  azureSubscription: 'NameOfYourServiceConnection'
                  scriptType: 'pscore'
                  scriptLocation: 'scriptPath'
                  ScriptPath: '$(Pipeline.Workspace)/_build/dashboard-v2/Deploy.ps1'
                  ScriptArguments: >-
                    -version ${{parameters.Version}} -useBeta ${{parameters.UseBeta}}
                    -acrPath "invictusreleases.azurecr.io"
                    -acrUsername $(Infra.Environment.ACRUsername)
                    -acrPassword $(Infra.Environment.ACRPassword)
                    -resourcePrefix $(Infra.Environment.ResourcePrefix)
                    -artifactsPath $(Pipeline.Workspace)/_build/dashboard-v2
                    -resourceGroupName $(Infra.Environment.ResourceGroup)
                    -variableGroupName invictus.$(Infra.Environment.ShortName)
                    -devOpsObjectId "$(Infra.DevOps.Object.Id)"
                    -azureActiveDirectoryClientId "$(Infra.AzAD.Client.Id)"
                    -azureActiveDirectoryTenantId "$(Infra.DevOps.Tenant.Id)"
                    -azureActiveDirectoryClientSecret "$(Infra.AzAD.Client.Secret)"
                    -azureActiveDirectoryAudience "$(Infra.AzAd.Audience)"
                    -identityProviderApplicationId "$(Infra.AzAD.Client.IdentityProviderApplicationId)"
                    -identityProviderClientSecret "$(Infra.AzAD.Client.IdentityProviderClientSecret)"
                    -performSqlDataMigration 0 -isProvisionedCosmos 0 -flowDataTTLInDays 90
                    -containerAppsEnvironmentLocation "$(Infra.Environment.ContainerAppsEnvironmentLocation)"

    Bicep Template Parameters

    NameDescriptionTags
    acaIdentityName
    default: invictus-${resourcePrefix}-aca-identity

    The name of the user-assigned identity that pulls the container images from the Azure Container Registry.

    container-apps
    alertingAppInsightsName
    default: invictus-${resourcePrefix}-alertingappins

    The name of the Azure Application Insights resource that holds the alerts which the Dashboard stores for client-created flows.

    monitoring
    allowStorageAccountSharedKeyAccess
    default: null

    Indicates whether the shared Azure Storage Account allows authentication via a shared key access.

    storagesecurity
    appInsightsName
    default: invictus-${resourcePrefix}-appins

    The name of the Azure Application Insights resource that tracks the general telemetry of the Dashboard backend infrastructure.

    monitoring
    appInsightsSamplingPercentage
    default: 1

    The sampling percentage for the Azure Application Insights that tracks the general telemetry of the Dashboard.

    monitoring
    auditsCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the audits MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storagescaling
    azureActiveDirectoryAudience

    The allowed audience when the Dashboard interacts with the client's the Microsoft Entra ID during managing Azure Logic Apps alerts.

    security
    azureActiveDirectoryClientId

    The application ID of the Microsoft Entra ID app registration that facilitates authentication towards the client's Microsoft Entra ID resource, useful when the Dashboard is configured for Microsoft Entra ID signin authentication.

    security
    azureActiveDirectoryClientSecret

    The client secret of the Microsoft Entra ID app registration that facilitates authentication towards the client's Microsoft Entra ID resource, useful when the Dashboard is configured for Microsoft Entra ID signin authentication.

    security
    azureActiveDirectoryTenantId

    The tenant ID of the Microsoft Entra ID app registration that facilitates authentication towards the client's Microsoft Entra ID resource, useful when the Dashboard is configured for Microsoft Entra ID signin authentication.

    security
    azureWebJobsWorkFlowEventsClearFunctionDisabled
    default: true
    deprecated since: v6.2, will be removed in v7, clearing happens via Cosmos DB for MongoDB TTL policies.

    Indicates whether the Azure Functions timer trigger should be disabled, meaning the Azure Logic Apps workflow Dashboard backend storage won't be cleared.

    storagedeprecated
    caeVnetInfraRgName
    default: invictus-${resourcePrefix}-cae-infra

    The name of the Azure Container Apps infrastructure resource group (when VNET is enabled).

    container-appsnetworkingvnet
    containerAppEnvironmentSubnetName

    The name of the subnet to form the network rules of the Azure Container App environment, useful for VNET deployments.

    networkingvnetcontainer-apps
    containerAppEnvironmentSubnets

    A list of subnet names to form the network rules of all the Azure Container App resources, useful for VNET deployments.

    networkingvnetcontainer-apps
    containerAppsEnvironmentLocation
    default: resourceGroup().location

    The Azure location for the Azure Container Apps and their environment.

    container-apps
    containerAppsEnvironmentName
    default: invictus-${resourcePrefix}-cae

    The name of the Azure Container App environment.

    container-apps
    containerRegistryName

    The name of the Azure Container Apps registry that hosts the Dashboard's container images.

    container-apps
    containerRegistryUrl
    default: ${resourcePrefix}.acr.azurecr.io

    The server URL of the Azure Container Apps registry that hosts the Dashboard's container images.

    container-apps
    cosmosAccountName
    default: invictus-${resourcePrefix}-cosmos

    The name of the Azure Cosmos DB resource that acts as the main backend storage for the Dashboard. (The deployment ads a suffix -serverless or -provisioned based on the Azure Cosmos DB pricing tier).

    storage
    cosmosDatabaseName
    default: InvictusDashboard

    The name of the singleton database in the Azure Cosmos DB resource that acts as the main backend storage for the Dashboard.

    storage
    cosmosDbSubnets

    A list of subnet names to form the Azure Cosmos DB for MongoDB resource, useful for VNET deployments.

    networkingvnetstorage
    customApplicationIds
    default: []

    A list of additional IDs referring to custom Microsoft Entra ID applications that should also be able to access the Azure Container Apps hosting the Dashboard.

    security
    customTags
    default: {}

    A set of Azure resource tags to apply to all to the deployed Invictus resources.

    governance
    dashboardSettingsCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the Dashboard settings MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storagescaling
    dataFactoryEventHubName
    default: invictus-${resourcePrefix}-df-evhb

    The name of the Azure Event Hub for the import job where Azure Data Factory pipeline diagnostic traces are send to.

    messagingimporting
    dataMergeWorkflowEventHubName
    default: invictus-${resourcePrefix}-mergeddata-evhb

    The name of the Azure Event Hub where the merge job pushes finalized flow traces, where the store job listens.

    container-apps
    devOpsObjectId
    default: deployer().objectId

    The object ID associated with the service principal of the enterprise application that the Azure DevOps service connection is created for.

    security
    disableStorageAccountPublicNetworkAccess
    default: false

    Indicates whether the shared Azure Storage Account should disable public network access. If true, only private endpoints or VNET integration are allowed.

    storagenetworkingsecurityvnet
    dnsZoneResourceGroupName
    default: resourceGroup().name

    The name of the Azure resource group where the private DNS zone deploys to.

    networkingvnet
    dnsZoneSubscriptionId
    default: subscription().subscriptionId

    The Azure subscription ID to control the private DNS zone throughout, useful for VNET deployments.

    networkingvnet
    enableVnetSupport
    default: false

    Feature flag to control whether the Dashboard deploys within a VNET.

    networkingvnet
    eventHubAutoInflate
    default: false

    Indicates whether the Azure Event Hubs namespace should automatically scale up. More on Azure Event Hubs throughput units.

    messagingscaling
    eventHubMaxThroughputUnits
    default: 0

    The maximum amount of Azure Event Hubs throughput units for the namespace. More on Azure Event Hubs throughput units.

    messagingscaling
    eventHubMessageRetentionInDays
    default: 1

    The amount of days Azure Event Hubs messages will be retained on all the hubs throughout More on Microsoft documentation on Azure Event Hubs properties.

    messaging
    eventHubName
    default: invictus-${resourcePrefix}-evhb

    The name of the Azure Event Hub within the namespace that receives diagnostic traces from client Azure Logic Apps with Consumption plan.

    messagingimporting
    eventHubNamespaceName
    default: invictus-${resourcePrefix}-evnm

    The name of the Azure Event Hubs namespace resource that acts as the backend event sink system for notifications within the Dashboard backend infrastructure.

    messaging
    eventHubNameV2
    default: invictus-${resourcePrefix}-evhb-v2

    The name of the Azure Event Hub within the namespace that receives diagnostic traces from client Azure Logic Apps with Standard plan.

    messagingimporting
    eventHubSkuCapacity
    default: 1

    The limit of the chosen pricing tier of the Azure Event Hubs namespace. More on Azure Event Hubs quotas and limits.

    messaging
    eventHubSkuName
    default: enableVnetSupport ? 'Standard' : 'Basic'

    The pricing tier of the Azure Event Hubs namespace that acts as the backend event sink system for notifications within the Dashboard backend infrastructure.

    messaging
    eventHubSubnets

    A list of subnet names to form the Azure Event Hubs namespace resource, useful for VNET deployments.

    networkingvnet
    flowActivityIntervalInMinutes
    default: 55

    The time period threshold (in minutes) to update the active flow traces watermark during finalizing pending flow traces in the merge job.

    monitoring
    flowBlobArchiverFunctionCron
    default: 0 0 */3 * * *
    deprecated since: v6.2, will be removed in v7, clearing happens via Cosmos DB for MongoDB TTL policies.

    The CRON expression that represents the time period in which flow trace information is archived.

    storagedeprecated
    flowDataCollectionThroughput
    default: 2000

    The collection throughput (RU/s) for the flow traces MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storagescaling
    flowDataTTLInDays

    The maximum amount of days the flow traces stay remain in the Dashboard backend storage.

    storage
    folderFlowsCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the flow folders MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storagescaling
    genericEventHubName
    default: invictus-${resourcePrefix}-genericreceiver-evhb

    The name of the Azure Event Hub for the import job that programmatically imports flow traces via Azure Event Hubs.

    messagingimporting
    groupsCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the Microsoft Entra ID group references MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storagescaling
    hashCacheClearFunctionCron
    default: 0 00 03 * * *
    deprecated since: v6.2, will be removed in v7, clearing happens via Azure Storage Account policies.

    The CRON expression that represents the time period in which to clear the Dashboard storage backend cache.

    storagedeprecated
    identityProviderApplicationId

    The application ID of the Microsoft Entra ID app registration that facilitates managed identity authentication for the Azure Container Apps, hosting the Dashboard.

    security
    identityProviderClientSecret

    The client secret of the Microsoft Entra ID app registration that facilitates managed identity authentication for the Azure Container Apps, hosting the Dashboard.

    security
    invictusCacheImportJobFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/caching.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the cache job.

    container-apps
    invictusCacheImportJobFunctionName
    default: inv-${resourcePrefix}-cacheimportjob

    The name of the Azure Container App deployed for the Dashboard backend infrastructure that handles internal caching during the importing of diagnostic traces of client resources.

    container-apps
    invictusDashboardGatewayFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/dashboardgateway:${version}-${date}

    The URL that navigates to the Azure Container App image of the Dashboard Gateway that acts as the backend/back office of the web application.

    container-apps
    invictusDashboardGatewayFunctionName
    default: inv-${resourcePrefix}-dashboardgateway

    The name of the Azure Container App deployed for the Dashboard Gateway that acts as the backend/back office of the web application.

    container-apps
    invictusDashboardWebAppLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/dashboard:${version}-${date}

    The URL that navigates to the Azure Container App image of the Dashboard web application.

    container-apps
    invictusDashboardWebAppName
    default: inv-${resourcePrefix}-dashboard-v2

    The name of the Azure Container App deployed for the Dashboard web application.

    container-appsweb
    invictusDatabaseManagerFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/databasemanager.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the store job.

    container-apps
    invictusDatabaseManagerFunctionName
    default: inv-${resourcePrefix}-db-importjob

    The name of the Azure Container App deployed for the store job that eventually stores the imported flow trace to the Dashboard backend storage.

    container-apps
    invictusDataFactoryReceiverFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/datafactoryreceiver.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the import job that imports diagnostic traces from Azure Data Factory pipelines.

    container-appsimporting
    invictusDataFactoryReceiverFunctionName
    default: inv-${resourcePrefix}-dfreceiver

    The name of the Azure Container App deployed for the import job that imports diagnostic traces from client Azure Data Factory pipelines.

    container-appsimporting
    invictusFlowHandlerFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/flowhandler:${version}-${date}

    The URL that navigates to the Azure Container App image of the Flow Handler.

    container-apps
    invictusFlowHandlerFunctionName
    default: inv-${resourcePrefix}-flowhandlerjob

    The name of the Azure Container App deployed for handling flow operations requested by the Dashboard.

    container-apps
    invictusFunctionAppImportJobFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/functionapp.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the import job that imports diagnostic traces from Azure Function Apps.

    container-apps
    invictusFunctionAppImportJobFunctionName
    default: inv-${resourcePrefix}-fncimportjob

    The name of the Azure Container App deployed for the import job that imports diagnostic traces from client Azure Function Apps.

    container-appsimporting
    invictusGenericReceiverFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/genericreceiver.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the import job that programmatically imports diagnostic traces via Azure Event Hubs.

    container-appsimporting
    invictusGenericReceiverFunctionName
    default: inv-${resourcePrefix}-genericreceiver

    The name of the Azure Container App deployed for the import job that allows developers to programmatically import diagnostic traces via an Azure Event Hub.

    container-appsimporting
    invictusHttpReceiverFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/httpreceiver.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the import job that programmatically imports diagnostic traces via a HTTP endpoint.

    container-apps
    invictusHttpReceiverFunctionName
    default: inv-${resourcePrefix}-httpreceiver

    The name of the Azure Container App deployed for the import job that allows developers to programmatically import diagnostic traces via a HTTP endpoint.

    container-appsimporting
    invictusImportJobFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/logicapps.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the import job that imports diagnostic traces from Azure Logic Apps.

    container-apps
    invictusImportJobFunctionName
    default: inv-${resourcePrefix}-importjob

    The name of the Azure Container App deployed for the import job that imports diagnostic traces from client Azure Logic Apps.

    container-apps
    invictusStoreImportJobFunctionLocalContainerImage
    default: ${resourcePrefix}.acr.azurecr.io/${env}/datamerge.importjob:${version}-${date}

    The URL that navigates to the Azure Container App image of the merge job.

    container-apps
    invictusStoreImportJobFunctionName
    default: inv-${resourcePrefix}-storeimportjob

    The name of the Azure Container App deployed for the Dashboard backend infrastructure that handles the final storage of flow traces within the Dashboard backend storage.

    container-apps
    invictusUserManagedIdentityName
    default: invictus-user-managed-identity

    The name of the Azure user managed identity that has access to all the deployed Azure Container App components.

    security
    isAdDisabled
    default: false

    Feature flag to control whether the Dashboard should use Microsoft Entra ID besides local authentication for signing in users into the Dashboard.

    security
    isProvisionedCosmos
    default: 0

    Feature flag to control whether the Azure Cosmos DB resource should deploy as a provisioned or serverless resource. How to choose between provisioned and serverless.

    storage
    jwtSecretToken

    The secret value of the JSON Web Token (JWT) that the Dashboard uses to facilitate authentication, stored as an Azure Key Vault secret.

    security
    keyVaultEnablePurgeProtection
    default: false

    Indicates whether the shared Azure Key Vault should be protected against purging.

    security
    keyVaultName
    default: invictus-${resourcePrefix}-vlt

    The name of the shared Azure Key Vault, used by the Dashboard backend infrastructure.

    security
    keyVaultSubnets

    A list of subnet names to form the Azure Key Vault resource, useful for VNET deployments.

    networking vnet
    logAnalyticsWorkspaceAppInsightsName
    default: invictus-${resourcePrefix}-loganalytics-appinsights

    The name of the Azure Log Analytics workspace that acts as the main workspace that collects the main telemetry of the Azure Application Insights resource.

    monitoring
    logAnalyticsWorkspaceImportFunctionV2Cron
    default: 0 */10 * * * *
    deprecated since: v6.2, will be removed in v7, support for automatically triggering importing stops.

    The time period at which the Azure Functions timer trigger automatically imports Azure Logic Apps diagnostic traces.

    importing deprecated
    logAnalyticsWorkspaceMaxNoOfRows
    default: 1000
    deprecated since: v6.2, will be removed in v7, support for automatically triggering importing stops.

    The maximum number of rows to query from the Azure Log Analytics workspace when automatically importing Azure Logic Apps diagnostic traces.

    importing deprecated
    logAnalyticsworkspaceNamelaV2
    default: invictus-${resourcePrefix}-loganalytics

    The name of the Azure Log Analytics workspace besides the main workspace that collects the main telemetry of the Azure Application Insights resource.

    monitoring
    logicAppsImportJobErrorFilters
    default: *

    A list of Azure Logic Apps workflow error codes (e.g. 'ActionConditionFailed', 'ActionFailed'...) that the import job importing diagnostic traces from Azure Logic App workflows should use to filter in specific diagnostic traces.

    • Use * to include all error codes.
    • Use <error-code> for a single code.
    • Use <error-code>, <error-code> for more than one code.
    importing
    maxHttpHeaderSizeInBytes
    default: 100000

    The maximum allowed size (in bytes) of an HTTP header during interaction between the Dashboard web application and the Dashboard backend/back office.

    web
    maxMessageStatusCacheInDay
    default: 60
    deprecated since: v6.2, will be removed in v7, caching happens independently now.

    The maximum number of messages per day cached during importing.

    storage scaling deprecated
    messageContentCollectionThroughput
    default: 2000

    The collection throughput (RU/s) for the MongoDB collection for the Azure Logic Apps workflow actions (mentioned in a flow trace) in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storage scaling
    messageStatusCacheDeleteAfterDays
    default: 30

    The time period (in days) after which the storage policy deletes the message status Azure Storage Account table.

    storage
    performSqlDataMigration
    default: false

    Indicates whether the old SQL data storage migrates to the new Azure Cosmos DB for MongoDB storage (< v6 installations).

    storage
    resourcePrefix
    required

    An abbreviation to include in all the Azure resource names that Invictus deploys, often an environment name.

    governance
    serviceBusNamespaceName
    default: invictus-${resourcePrefix}-sbs

    The name of the Azure Service Bus resource that acts as the backend messaging system for sending asynchronous messages within the Dashboard backend infrastructure.

    messaging
    serviceBusSkuName
    default: enableVnetSupport ? Premium : Standard

    The pricing tier of the Azure Service Bus, used by the Dashboard backend infrastructure.

    messaging
    serviceBusSubnets

    A list of subnet names to form the Azure Service Bus namespace resource, useful for VNET deployments.

    networking vnet
    sideTasksWorkflowEventHubName
    default: invictus-${resourcePrefix}-sidetasks-evhb

    The name of the Azure Event Hub where the merge job determines Azure Logic App workflow action results to be packed with the flow traces.

    container-apps
    statisticsCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the flow trace reports MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storage scaling
    statisticsCutOffDays
    default: -3

    The number of days (in negative numbers) to go back from the current day, used when setting up a custom flow trace report based on active flows in the Dashboard.

    monitoring
    storageAccountMinimumTLSVersion
    default: TLS1_2

    The minimum allowed TLS version of the shared Azure Storage Account, used by the Dashboard backend infrastructure.

    storage security
    storageAccountName
    default: invictus${resourcePrefix}store

    The name of the shared Azure Storage Account, used by Dashboard backend infrastructure.

    storage
    storageAccountSubnets

    A list of subnet names to form the Azure Storage Account resource, useful for VNET deployments.

    networking vnet storage
    storageAccountType
    default: Standard_LRS

    The pricing tier of the shared Azure Storage Account, used by the Dashboard backend infrastructure.

    storage
    storeImportJobBatchSize
    default: 250

    The maximum number of events included in a single batch for the store job. More on Azure Event Hubs processor properties

    messaging scaling
    storeImportJobPreFetchCount
    default: 500

    The number of events eagerly requested from Azure Event Hubs by the store job. More on Azure Event Hubs processor properties

    messaging scaling
    useOpenAPI
    default: false
    new since: v6.3

    Feature flag to control whether the Dashboard deploys with OpenAPI/Swagger specifications.

    monitoring
    useResourceLocks
    default: true

    Feature flag to control whether the deployed Azure resources have resource locks.

    governance
    usersCollectionThroughput
    default: 1000

    The collection throughput (RU/s) for the local and Microsoft Entra ID user references MongoDB collection in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storage scaling
    vnetName

    The name of the Azure Virtual Network (VNET) resource that forms the base for all network-related rules and subnets throughout.

    networking vnet
    vnetResourceGroupName
    default: resourceGroup().name

    The name of the Azure resource group where the VNET network rules deploy to.

    networking vnet
    workFlowEventHubName
    default: invictus-${resourcePrefix}-workflow-evhb

    The name of the Azure Event Hub where the cache job pushes pending flow traces and where the merge job listens.

    container-apps
    workFlowEventsClearFunctionCron
    default: 0 */15 * * * *
    deprecated since: v6.2, will be removed in v7, clearing happens via Cosmos DB for MongoDB TTL policies.

    The CRON expression that represents the time period in which to clear the Azure Logic Apps workflow Dashboard backend storage.

    storage deprecated
    workflowEventsCollectionThroughput
    default: 2000

    The collection throughput (RU/s) for the MongoDB collection for Azure Logic Apps workflows (mentioned in a flow trace) in the Azure Cosmos DB resource, used when the Azure Cosmos DB deploys as provisioned.

    storage scaling
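
A pre-deployment review of the security- and deprecation-related parameters listed above, as an added example that is not part of the Invictus tooling. The function names and the sample overrides are hypothetical and constructed here; the findings are review points for the person deploying, not checks that Invictus itself performs.

```powershell
# Added example: flag parameter overrides worth a second look before deploying.
function New-Finding([string]$Parameter, [string]$Message) {
    [pscustomobject]@{ Parameter = $Parameter; Finding = $Message }
}

function Get-InvictusParameterFindings {
    param([Parameter(Mandatory)][hashtable]$Overrides)

    # Defaults copied from the parameter reference above.
    $effective = @{
        keyVaultEnablePurgeProtection   = $false
        useResourceLocks                = $true
        storageAccountMinimumTLSVersion = 'TLS1_2'
        useOpenAPI                      = $false
    }
    foreach ($key in $Overrides.Keys) { $effective[$key] = $Overrides[$key] }

    # Parameters the reference marks "deprecated since: v6.2, will be removed in v7".
    $deprecated = 'logAnalyticsWorkspaceImportFunctionV2Cron', 'logAnalyticsWorkspaceMaxNoOfRows',
                  'maxMessageStatusCacheInDay', 'workFlowEventsClearFunctionCron'
    # Pipeline variables often arrive as strings, so 'false' must not be treated as true.
    $flag = { param($name) [System.Convert]::ToBoolean($effective[$name]) }

    if (-not (& $flag 'keyVaultEnablePurgeProtection')) {
        New-Finding 'keyVaultEnablePurgeProtection' 'Purge protection is off (the documented default).'
    }
    if (-not (& $flag 'useResourceLocks')) {
        New-Finding 'useResourceLocks' 'Deployed Azure resources will have no resource locks.'
    }
    if ($effective.storageAccountMinimumTLSVersion -in 'TLS1_0', 'TLS1_1') {
        New-Finding 'storageAccountMinimumTLSVersion' 'Minimum TLS version is below the documented default TLS1_2.'
    }
    if (& $flag 'useOpenAPI') {
        New-Finding 'useOpenAPI' 'OpenAPI/Swagger specifications will be deployed; confirm this is intended.'
    }
    foreach ($name in $deprecated) {
        if ($Overrides.ContainsKey($name)) {
            New-Finding $name 'Deprecated since v6.2, will be removed in v7; drop this override.'
        }
    }
}

# Constructed sample overrides, including a string-typed boolean.
$sample = @{
    useResourceLocks                = 'false'
    storageAccountMinimumTLSVersion = 'TLS1_0'
    workFlowEventsClearFunctionCron = '0 */30 * * * *'
}
Get-InvictusParameterFindings -Overrides $sample | Format-Table -AutoSize
```

With the sample input, the function reports four findings: purge protection left at its default, resource locks disabled, a minimum TLS version below TLS1_2, and one deprecated override.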
  4. First-time sign-in

    The Invictus installation generates an administrator account for your initial login to the Dashboard.

    recommended

    Create a new System Admin user with your own email address after signing in for the first time. This will help during the Forgot Password procedure.

    Follow the steps below to sign in to the Dashboard:

    1. Navigate to the Dashboard by visiting https://{yourdashboardurl} in your web browser.

    2. Enter the following credentials:

      • Username: admin
      • Password: (the tempAdminPassword available as an Azure Key Vault secret in the accompanying deployed vault)

      Dashboard login page

    3. After successfully logging in, the Dashboard will prompt you to reset your password to one of your choice.

      Dashboard reset password

    4. 🎉 Congratulations! You have logged into the Invictus Dashboard for the first time.

    Further customer-specific setups related to authentication and authorization: