separating infra and application deployments

.github/workflows/cms.yaml

@@ -21,10 +21,10 @@ jobs:
     environment: production
     outputs:
       containerRegistryName: ${{ steps.deployinfra.outputs.containerRegistryName }}
-      containerAppEnvironmentName: ${{ steps.deployinfra.outputs.containerAppEnvironmentName }}
-      containerAppName: ${{ steps.deployinfra.outputs.containerAppName }}
       resourceGroupName: ${{ steps.deployinfra.outputs.resourceGroupName }}
       resourceLocation: ${{ steps.deployinfra.outputs.resourceLocation }}
+      containerAppEnvironmentName: ${{ steps.deploycms.outputs.containerAppEnvironmentName }}
+      containerAppName: ${{ steps.deploycms.outputs.containerAppName }}
     steps:
       - uses: actions/checkout@v4
 
@@ -41,8 +41,22 @@ jobs:
         with:
           subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           scope: "subscription"
-          template: ./infrastructure/cms/cms.bicep
-          parameters: "environment=production databaseClient=${{ vars.CMS_DATABASE_CLIENT }}"
+          template: ./infrastructure/cms/infrastructure.bicep
+          parameters: "environment=production"
+          region: ${{ vars.AZURE_REGION }}
+
+      - name: Deploy CMS application
+        id: deploycms
+        uses: azure/arm-deploy@v2
+        with:
+          scope: "resourcegroup"
+          resourceGroupName: ${{ steps.deployinfra.outputs.resourceGroupName }}
+          template: ./infrastructure/cms/main.bicep
+          parameters: >
+            databaseClient=${{ vars.CMS_DATABASE_CLIENT }} 
+            logAnalyticsWorkspaceName=${{ steps.deployinfra.outputs.logAnalyticsWorkspaceName }}
+            keyVaultName=${{ steps.deployinfra.outputs.keyVaultName }}
+            identityResourceId=${{ steps.deployinfra.outputs.identityResourceId }}
           region: ${{ vars.AZURE_REGION }}
 
   push_image_to_acr:

infrastructure/cms/infrastructure.bicep

@@ -0,0 +1,53 @@
+targetScope = 'subscription'
+
+param environment string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = {
+  name: 'rg-strapi-playground-${environment}'
+  location: deployment().location
+}
+
+module cmsIdentity '../modules/identity.bicep' = {
+  scope: resourceGroup
+  name: 'deployCmsIdentity'
+  params: {
+    identityName: 'id-cms'
+  }
+}
+
+module keyVault '../modules/keyVault.bicep' = {
+  scope: resourceGroup
+  name: 'deployCmsKeyVault'
+  params: {
+    keyVaultName: 'kv-cms'
+    cmsIdentityPrincipalId: cmsIdentity.outputs.principalId
+  }
+}
+
+module containerRegistry '../modules/registry.bicep' = {
+  scope: resourceGroup
+  name: 'deployContainerRegistry'
+}
+
+module logAnalyticsWorkspace '../modules/logAnalytics.bicep' = {
+  scope: resourceGroup
+  name: 'deployLogAnalytics'
+}
+
+module mysql '../modules/sql.bicep' = {
+  scope: resourceGroup
+  name: 'deployMysql'
+  params: {
+    cmsIdentityPrincipalId: cmsIdentity.outputs.principalId
+    cmsIdentityResourceId: cmsIdentity.outputs.resourceId
+    cmsIdentityTenantId: cmsIdentity.outputs.tenantId
+    cmsIdentityName: cmsIdentity.outputs.resourceName
+  }
+}
+
+output resourceGroupName string = resourceGroup.name
+output resourceLocation string = resourceGroup.location
+output containerRegistryName string = containerRegistry.outputs.registryName
+output logAnalyticsWorkspaceName string = logAnalyticsWorkspace.outputs.resourceName
+output keyVaultName string = keyVault.outputs.resourceName
+output identityResourceId string = cmsIdentity.outputs.resourceId

infrastructure/cms/main.bicep

@@ -0,0 +1,37 @@
+import { appendHash } from '../utilities.bicep'
+
+param databaseClient string
+param logAnalyticsWorkspaceName string
+param keyVaultName string
+param identityResourceId string
+
+module cmsContainerApp '../modules/containerApp.bicep' = {
+  name: 'deployCmsContainer'
+  params: {
+    containerAppEnvironmentName: 'cae-cms'
+    containerAppName: 'ca-cms'
+    imageName: 'nginx:latest'
+    logAnalyicsWorkspaceName: logAnalyticsWorkspaceName
+    keyVaultName: keyVaultName
+    targetPort: 1337
+    cmsIdentityResourceId: identityResourceId
+    environmentVariables: [
+      {
+        name: 'DATABASE_CLIENT'
+        value: databaseClient
+      }
+    ]
+    secrets: [
+      'APP_KEYS'
+      'API_TOKEN_SALT'
+      'ADMIN_JWT_SECRET'
+      'TRANSFER_TOKEN_SALT'
+      'JWT_SECRET'
+      'DATABASE_USERNAME'
+      'DATABASE_PASSWORD'
+    ]
+  }
+}
+
+output containerAppEnvironmentName string = cmsContainerApp.outputs.containerAppEnvironmentName
+output containerAppName string = cmsContainerApp.outputs.containerAppName

infrastructure/modules/identity.bicep

@@ -7,7 +7,7 @@ resource cmsIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-3
   location: resourceGroup().location
 }
 
-output cmsIdentityResourceId string = cmsIdentity.id
-output cmsIdentityPrincipalId string = cmsIdentity.properties.principalId
-output cmsIdentityTenantId string = cmsIdentity.properties.tenantId
-output cmsIdentityName string = cmsIdentity.name
+output resourceId string = cmsIdentity.id
+output principalId string = cmsIdentity.properties.principalId
+output tenantId string = cmsIdentity.properties.tenantId
+output resourceName string = cmsIdentity.name

infrastructure/modules/registry.bicep

@@ -10,4 +10,4 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-07-01' =
   }
 }
 
-output containerRegistryName string = containerRegistry.name
+output registryName string = containerRegistry.name