infra-deploy.yml
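# GitHub Actions workflow for the Bicep templates under bicep/:
#   lint -> validate (creates the RG, runs a Validate-mode deployment)
#        -> preview (what-if) -> deploy, using either a private ACR
#        (when vars.CONTAINER_REGISTRY_NAME is set) or GHCR images directly.
# A manual run with teardown=true skips all of that and deletes the RG.
#
# Authentication is OIDC federated login (permissions.id-token: write), so no
# long-lived Azure client secret has to be stored in the repository.
# Environment-specific values come from repository variables (vars.*);
# identities come from repository secrets (secrets.AZURE_*).
#
# NOTE(review): third-party actions are referenced by mutable major tags
# (@v1/@v4); pinning to a full commit SHA gives a reproducible, tamper-evident
# supply chain. Image tags are ':latest' (see create-acr / deploy jobs), which
# is likewise mutable — a digest would pin exactly what gets deployed.
name: Build and deploy infrastructure as code to Azure

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    paths:
      - 'bicep/**'
      - '.github/workflows/infra-deploy.yml'
  workflow_dispatch:
    inputs:
      teardown:
        description: 'Set this to true if you want to delete the infrastructure deployed in the subscription'
        required: true
        type: boolean

# One run at a time against the shared demo environment. A queued run waits
# rather than cancelling an in-flight deployment or teardown half-way.
concurrency:
  group: infra-deploy-demo-env
  cancel-in-progress: false

# Least privilege: id-token for OIDC login, contents for actions/checkout.
permissions:
  id-token: write
  contents: read

env:
  REGISTRY: ghcr.io
  BACKEND_API_IMAGE_NAME: azure/tasksmanager-backend-api
  FRONTEND_APP_IMAGE_NAME: azure/tasksmanager-frontend-webapp
  BACKEND_PROCESSOR_IMAGE_NAME: azure/tasksmanager-backend-processor

jobs:
  # Lint the Bicep files by compiling them to ARM JSON. No Azure login needed.
  lint:
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.teardown != 'true' }}
    name: Lint bicep files
    steps:
      - uses: actions/checkout@v4
      - name: Perform linting
        # --file is the canonical flag; the original '--f' relied on az CLI
        # prefix abbreviation.
        run: az bicep build --file bicep/main.bicep

  # Create the resource group if it does not exist, then run a Validate-mode
  # deployment of the template.
  validate:
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.teardown != 'true' }}
    name: Create RG and Validate bicep template
    needs: [lint]
    steps:
      - uses: actions/checkout@v4
      - name: Azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Create Resource Group if does not exist
        uses: azure/CLI@v1
        with:
          # Repository variables are interpolated into the shell; values are
          # quoted so an empty or space-containing variable fails loudly
          # instead of being word-split.
          inlineScript: |
            if [[ $(az group exists -n "${{ vars.RESOURCE_GROUP }}") == true ]]
            then
              echo "Resource group already exists in the subscription"
            else
              az group create --name "${{ vars.RESOURCE_GROUP }}" --location "${{ vars.LOCATION }}"
              echo "Resource group created"
            fi
      - uses: azure/arm-deploy@v1
        name: Run validation
        # NOTE(review): unlike preview/deploy, no containerRegistryName or
        # image parameters are passed here, so validation relies on the
        # parameter file / template defaults — confirm main.bicep has them.
        with:
          deploymentName: "github-${{ github.run_number }}"
          resourceGroupName: ${{ vars.RESOURCE_GROUP }}
          region: ${{ vars.LOCATION }}
          template: ./bicep/main.bicep
          parameters: ./bicep/main.parameters.json
          deploymentMode: Validate

  # Run what-if on the template so the change set is visible in the run log
  # before anything is deployed.
  preview:
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.teardown != 'true' }}
    needs: [validate]
    name: Run what-if on the bicep template
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        name: Sign in to Azure
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/arm-deploy@v1
        name: Run what-if
        with:
          resourceGroupName: ${{ vars.RESOURCE_GROUP }}
          template: ./bicep/main.bicep
          # Folded scalar: arm-deploy receives these as one space-separated line.
          parameters: >-
            ./bicep/main.parameters.json
            containerRegistryName=${{ vars.CONTAINER_REGISTRY_NAME }}
            backendProcessorServiceImage=${{ env.REGISTRY }}/${{ env.BACKEND_PROCESSOR_IMAGE_NAME }}
            backendApiServiceImage=${{ env.REGISTRY }}/${{ env.BACKEND_API_IMAGE_NAME }}
            frontendWebAppServiceImage=${{ env.REGISTRY }}/${{ env.FRONTEND_APP_IMAGE_NAME }}
          additionalArguments: "--what-if --rollback-on-error --what-if-exclude-change-types Ignore"

  # Create the ACR and import the images from GitHub Container Registry when a
  # registry name is configured. If an ACR with that name already exists but
  # in another resource group (or subscription), the workflow fails so that a
  # foreign registry is never silently reused.
  create-acr:
    runs-on: ubuntu-latest
    name: Create ACR and import images from GitHub Container Registry if configured
    # teardown guard is redundant with needs: [preview] but makes intent explicit.
    if: ${{ github.event.inputs.teardown != 'true' && vars.CONTAINER_REGISTRY_NAME != '' }}
    needs: [preview]
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        name: Sign in to Azure
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Create ACR ${{ vars.CONTAINER_REGISTRY_NAME }} if does not exist
        uses: azure/CLI@v1
        with:
          inlineScript: |
            if [[ $(az acr check-name -n "${{ vars.CONTAINER_REGISTRY_NAME }}" -o tsv --query "nameAvailable") == false ]]
            then
              echo "ACR already exists."
              # Name is taken: accept it only if it lives in our resource group.
              if [[ $(az acr list -g "${{ vars.RESOURCE_GROUP }}" -o tsv --query "[?name=='${{ vars.CONTAINER_REGISTRY_NAME }}']") == "" ]]
              then
                echo "ACR exists but not in the resource group ${{ vars.RESOURCE_GROUP }}. Please select a different name for the ACR and update in repository variable."
                echo "::error title=Not Unique ACR::ACR exists but not in the resource group ${{ vars.RESOURCE_GROUP }}. Please select a different name for the ACR and update in repository variable."
                exit 1
              fi
            else
              az acr create --name "${{ vars.CONTAINER_REGISTRY_NAME }}" --resource-group "${{ vars.RESOURCE_GROUP }}" --sku Basic --location "${{ vars.LOCATION }}"
              echo "ACR created"
            fi
      - name: Import images from GitHub Container Registry
        uses: azure/CLI@v1
        with:
          # --force overwrites an existing tag in the ACR on every run.
          inlineScript: |
            az acr import --name "${{ vars.CONTAINER_REGISTRY_NAME }}" --source ${{ env.REGISTRY }}/${{ env.BACKEND_PROCESSOR_IMAGE_NAME }}:latest --image tasksmanager/tasksmanager-backend-processor --force
            az acr import --name "${{ vars.CONTAINER_REGISTRY_NAME }}" --source ${{ env.REGISTRY }}/${{ env.BACKEND_API_IMAGE_NAME }}:latest --image tasksmanager/tasksmanager-backend-api --force
            az acr import --name "${{ vars.CONTAINER_REGISTRY_NAME }}" --source ${{ env.REGISTRY }}/${{ env.FRONTEND_APP_IMAGE_NAME }}:latest --image tasksmanager/tasksmanager-frontend-webapp --force

  # Deploy the template using the images imported into the ACR above.
  deploy-with-acr-images:
    runs-on: ubuntu-latest
    # Mirrors deploy-with-ghcr-images: exactly one of the two deploy jobs runs.
    if: ${{ github.event.inputs.teardown != 'true' && vars.CONTAINER_REGISTRY_NAME != '' }}
    needs: [create-acr]
    name: Deploy to Azure subscription with ACR
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        name: Sign in to Azure
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/arm-deploy@v1
        id: deployment-with-acr-images
        name: Deploy to Azure subscription
        with:
          deploymentName: "github-${{ github.run_number }}"
          resourceGroupName: ${{ vars.RESOURCE_GROUP }}
          region: ${{ vars.LOCATION }}
          template: ./bicep/main.bicep
          parameters: >-
            ./bicep/main.parameters.json
            containerRegistryName=${{ vars.CONTAINER_REGISTRY_NAME }}
            backendProcessorServiceImage=${{ vars.CONTAINER_REGISTRY_NAME }}.azurecr.io/tasksmanager/tasksmanager-backend-processor:latest
            backendApiServiceImage=${{ vars.CONTAINER_REGISTRY_NAME }}.azurecr.io/tasksmanager/tasksmanager-backend-api:latest
            frontendWebAppServiceImage=${{ vars.CONTAINER_REGISTRY_NAME }}.azurecr.io/tasksmanager/tasksmanager-frontend-webapp:latest
          # az writes warnings to stderr; do not treat them as a failed deployment.
          failOnStdErr: false

  # Deploy the template pulling images straight from GitHub Container Registry
  # (no ACR configured). containerRegistryName is deliberately passed empty.
  deploy-with-ghcr-images:
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.teardown != 'true' && vars.CONTAINER_REGISTRY_NAME == '' }}
    needs: [preview]
    name: Deploy to Azure subscription with GHCR
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        name: Sign in to Azure
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/arm-deploy@v1
        id: deployment-with-ghcr-images
        name: Deploy to Azure subscription
        with:
          deploymentName: "github-${{ github.run_number }}"
          resourceGroupName: ${{ vars.RESOURCE_GROUP }}
          region: ${{ vars.LOCATION }}
          template: ./bicep/main.bicep
          parameters: >-
            ./bicep/main.parameters.json
            containerRegistryName=
            backendProcessorServiceImage=${{ env.REGISTRY }}/${{ env.BACKEND_PROCESSOR_IMAGE_NAME }}:latest
            backendApiServiceImage=${{ env.REGISTRY }}/${{ env.BACKEND_API_IMAGE_NAME }}:latest
            frontendWebAppServiceImage=${{ env.REGISTRY }}/${{ env.FRONTEND_APP_IMAGE_NAME }}:latest
          failOnStdErr: false

  # Delete the resource group created by this workflow. Only reachable from a
  # workflow_dispatch run with teardown=true; push events never set the input,
  # so the comparison below is false for them.
  teardown:
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.teardown == 'true' }}
    name: Tear down the resource group
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v1
        name: Sign in to Azure
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Delete Resource Group if exist
        uses: azure/CLI@v1
        with:
          # --yes skips the interactive confirmation; the delete is synchronous
          # (no --no-wait), so the job ends when the group is gone.
          inlineScript: |
            if [[ $(az group exists -n "${{ vars.RESOURCE_GROUP }}") == true ]]
            then
              echo "Resource group exists. Deleting..."
              az group delete -n "${{ vars.RESOURCE_GROUP }}" --yes
            else
              echo "Resource group does not exist in the subscription. Nothing to delete."
            fi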