Update Terraform config for new deployment setup

[thekaveman]

Follow up to #1880 / #2111

The Terraform config still has the old webhook-style / DOCKER_ENABLE_CI config. This will overwrite the changes made as follow-up items in #2111 if and when the Terraform pipeline runs next time!

We need to update Terraform to conform to the new GitHub Actions setup.

[angela-tran]

I suggest we also update the part in our Infrastructure documentation that mentions the webhook as a part of this issue.

[thekaveman]

The apply failed:

A resource with the ID
│ "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001"
│ already exists - to be managed via Terraform this resource needs to be
│ imported into the State. Please see the resource documentation for
│ "azurerm_app_service_source_control" for more information.

In hindsight, I guess this is kind of expected since I just hand-crafted the azurerm_app_service_source_control. Will try the import.

[thekaveman]

I did the import with the following command. I was unclear what ID to pass here, since this isn't something that is visible within the Azure portal, so just went with app id:

terraform import \
  azurerm_app_service_source_control.main \
  "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001"

And it looks like it worked:

data.azurerm_resource_group.main: Reading...
data.azurerm_client_config.current: Reading...
azurerm_app_service_source_control.main: Importing from ID "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001"...
azurerm_app_service_source_control.main: Import prepared!
  Prepared azurerm_app_service_source_control for import
azurerm_app_service_source_control.main: Refreshing state...

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

This resulted in zero file changes locally:

$ git status
On branch dev
Your branch is up to date with 'origin/dev'.

Then getting the output of the current state:

terraform show

Which has the current state for the source control block as:

# azurerm_app_service_source_control.main:
resource "azurerm_app_service_source_control" "main" {
  app_id                 = "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001"
  branch                 = "dev"
  id                     = "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001"
  repo_url               = "https://github.com/cal-itp/benefits"
  rollback_enabled       = false
  scm_type               = "GitHubAction"
  use_local_git          = false
  use_manual_integration = false
  use_mercurial          = false
  uses_github_action     = true

  timeouts {}
}

Comparing against the local config with plan:

terraform plan

We see there are some changes:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azurerm_app_service_source_control.main must be replaced
-/+ resource "azurerm_app_service_source_control" "main" {
      ~ id                     = "/subscriptions/xxx/resourceGroups/RG-CDT-PUB-VIP-CALITP-D-001/providers/Microsoft.Web/sites/AS-CDT-PUB-VIP-CALITP-D-001" -> (known after apply)
      ~ rollback_enabled       = false -> true # forces replacement
      ~ scm_type               = "GitHubAction" -> (known after apply)
      ~ uses_github_action     = true -> (known after apply)
        # (6 unchanged attributes hidden)

      + github_action_configuration { # forces replacement
          + generate_workflow_file = false # forces replacement
          + linux_action           = (known after apply)

          + container_configuration {
              + image_name   = "cal-itp/benefits" # forces replacement
              + registry_url = "https://ghcr.io/" # forces replacement
            }
        }

      - timeouts {}
    }

  # azurerm_linux_web_app.main will be updated in-place
  ~ resource "azurerm_linux_web_app" "main" {
      ~ app_settings                       = {
          + "WEBSITE_HTTPLOGGING_RETENTION_DAYS"  = "99999"
            # (23 unchanged elements hidden)
        }
        # (20 unchanged attributes hidden)
        # (5 unchanged blocks hidden)
    }

Plan: 1 to add, 1 to change, 1 to destroy.

I'm a little surprised by the github_actions_configuration not being in the original state, beyond saying the scm_type = "GitHubAction"

[thekaveman]

At this point, since there are no changes to the files in dev yet the most recent pipeline has failed, I decided to try an apply locally:

$ terraform apply

[plan output from above]

Do you want to perform these actions in workspace "dev"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_app_service_source_control.main: Destroying...
azurerm_app_service_source_control.main: Destruction complete after 5s
azurerm_linux_web_app.main: Modifying...
azurerm_linux_web_app.main: Modifications complete after 9s
azurerm_app_service_source_control.main: Creating...
azurerm_app_service_source_control.main: Creation complete after 3s

Apply complete! Resources: 1 added, 1 changed, 1 destroyed.

The container logs for the app service show a restart and successful pull of the correct image a563e7e

2024-06-04T21:06:21.8964109Z Container start method called.
2024-06-04T21:07:05.4453557Z Establishing network.
2024-06-04T21:07:05.4454795Z Pulling image: ghcr.io/cal-itp/benefits:a563e7e75139846048ee545c8ed5845572c22d06.
2024-06-04T21:07:08.5024037Z Container is starting.
...
2024-06-04T21:08:46.4412829Z [2024-06-04 21:08:46 +0000] [27] [INFO] Starting gunicorn 22.0.0
2024-06-04T21:08:46.4414430Z [2024-06-04 21:08:46 +0000] [27] [INFO] Listening at: unix:/home/calitp/run/gunicorn.sock (27)
2024-06-04T21:08:46.4414652Z [2024-06-04 21:08:46 +0000] [27] [INFO] Using worker: sync
2024-06-04T21:08:46.4749045Z [2024-06-04 21:08:46 +0000] [30] [INFO] Booting worker with pid: 30
2024-06-04T21:08:46.5622671Z [2024-06-04 21:08:46 +0000] [31] [INFO] Booting worker with pid: 31
2024-06-04T21:08:46.6160437Z [2024-06-04 21:08:46 +0000] [32] [INFO] Booting worker with pid: 32
2024-06-04T21:09:02.7832300Z [04/Jun/2024:14:09:02 -0700] "GET /healthcheck HTTP/1.1" 200 17 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)" "20.42.35.32, 147.243.243.232:51242"

[thekaveman]

I'm going to merge a small dependency PR #2133 and see what the deploy / logs look like. I want to make sure the image tag is still updated and the latest is pulled.

Commit SHA: 8b56df4
Deploy job run: https://github.com/cal-itp/benefits/actions/runs/9374474477/job/25810584330

The GitHub deploy succeeded with the updated image tag:

Run azure/webapps-deploy@v2
Deploying image ghcr.io/cal-itp/benefits:8b56df4612c37a2dea18ffd6740da172f2699271 to App Service AS-CDT-PUB-VIP-CALITP-D-001
Successfully deployed image to App Service.

The Azure deploy logs show the new image being pulled:

2024-06-04T21:30:12.6599316Z Creating container.
2024-06-04T21:30:31.1955504Z Container start method called.
2024-06-04T21:30:31.7191174Z Establishing network.
2024-06-04T21:30:31.7990433Z Pulling image: ghcr.io/cal-itp/benefits:8b56df4612c37a2dea18ffd6740da172f2699271.
2024-06-04T21:31:04.5980030Z Container is starting.
2024-06-04T21:33:08.4678955Z [2024-06-04 21:33:08 +0000] [27] [INFO] Starting gunicorn 22.0.0
2024-06-04T21:33:08.4764233Z [2024-06-04 21:33:08 +0000] [27] [INFO] Listening at: unix:/home/calitp/run/gunicorn.sock (27)
2024-06-04T21:33:08.4765244Z [2024-06-04 21:33:08 +0000] [27] [INFO] Using worker: sync
2024-06-04T21:33:08.6148534Z [2024-06-04 21:33:08 +0000] [30] [INFO] Booting worker with pid: 30
2024-06-04T21:33:08.6554112Z [2024-06-04 21:33:08 +0000] [31] [INFO] Booting worker with pid: 31
2024-06-04T21:33:08.7560225Z [2024-06-04 21:33:08 +0000] [32] [INFO] Booting worker with pid: 32
2024-06-04T21:33:57.6402494Z [04/Jun/2024:14:33:57 -0700] "GET /healthcheck HTTP/1.1" 200 17 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)" "20.42.35.32, 147.243.243.230:45574"

And the current sha.txt is as expected:

8b56df4612c37a2dea18ffd6740da172f2699271

[thekaveman]

Closing this as complete, since I think the TF state and config definitions now match. We'll have to watch next time the Azure Pipeline runs.

[thekaveman]

Closed by #2146