ci: Added post-deployment workflow and script execution logic (#2168)

Vamshi-Microsoft · web-flow · commit 51b0c7723875 · 2026-04-16T14:59:36.000+05:30
diff --git a/.github/workflows/job-deploy.yml b/.github/workflows/job-deploy.yml
@@ -557,13 +557,25 @@ jobs:
       DATABASE_TYPE: ${{ inputs.DATABASE_TYPE }}
     secrets: inherit
 
+  # Run post-deployment setup (Function App client key + PostgreSQL tables)
+  post-deployment-setup:
+    needs: [azure-setup, deploy-linux, deploy-windows]
+    if: |
+      always() &&
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+    uses: ./.github/workflows/job-post-deployment-setup.yml
+    with:
+      RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
+    secrets: inherit
+
   # Call PostgreSQL setup workflow when DATABASE_TYPE is PostgreSQL
   import-sample-data-postgresql:
-    needs: [azure-setup, deploy-linux, deploy-windows]
+    needs: [azure-setup, deploy-linux, deploy-windows, post-deployment-setup]
     if: |
       always() &&
       inputs.DATABASE_TYPE == 'PostgreSQL' &&
-      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success') &&
+      needs.post-deployment-setup.result == 'success'
     uses: ./.github/workflows/import-sample-data-postgresql.yml
     with:
       RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
@@ -572,11 +584,12 @@ jobs:
 
   # Call CosmosDB/Azure Search setup workflow when DATABASE_TYPE is CosmosDB
   import-sample-data-cosmosdb:
-    needs: [azure-setup, deploy-linux, deploy-windows]
+    needs: [azure-setup, deploy-linux, deploy-windows, post-deployment-setup]
     if: |
       always() &&
       inputs.DATABASE_TYPE == 'CosmosDB' &&
-      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success')
+      (needs.deploy-linux.result == 'success' || needs.deploy-windows.result == 'success') &&
+      needs.post-deployment-setup.result == 'success'
     uses: ./.github/workflows/import-sample-data-cosmosdb.yml
     with:
       RESOURCE_GROUP_NAME: ${{ needs.azure-setup.outputs.RESOURCE_GROUP_NAME }}
diff --git a/.github/workflows/job-post-deployment-setup.yml b/.github/workflows/job-post-deployment-setup.yml
@@ -0,0 +1,103 @@
+name: Post-Deployment Setup
+
+on:
+  workflow_dispatch:
+    inputs:
+      RESOURCE_GROUP_NAME:
+        description: 'Azure Resource Group name'
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      RESOURCE_GROUP_NAME:
+        description: 'Azure Resource Group name'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  post-deployment-setup:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install Python Dependencies
+        shell: bash
+        run: |
+          pip install psycopg2-binary azure-identity
+
+      - name: Run Post-Deployment Setup (Attempt 1)
+        id: setup1
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+        continue-on-error: true
+
+      - name: Wait 20 seconds before retry
+        if: ${{ steps.setup1.outcome == 'failure' }}
+        shell: bash
+        run: sleep 20s
+
+      - name: Run Post-Deployment Setup (Attempt 2)
+        id: setup2
+        if: ${{ steps.setup1.outcome == 'failure' }}
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+        continue-on-error: true
+
+      - name: Wait 40 seconds before final retry
+        if: ${{ steps.setup2.outcome == 'failure' }}
+        shell: bash
+        run: sleep 40s
+
+      - name: Run Post-Deployment Setup (Attempt 3)
+        id: setup3
+        if: ${{ steps.setup2.outcome == 'failure' }}
+        shell: bash
+        env:
+          RESOURCE_GROUP: ${{ inputs.RESOURCE_GROUP_NAME }}
+        run: |
+          chmod +x scripts/post_deployment_setup.sh
+          bash scripts/post_deployment_setup.sh "$RESOURCE_GROUP"
+
+      - name: Generate Post-Deployment Summary
+        if: always()
+        shell: bash
+        run: |
+          echo "## 🔧 Post-Deployment Setup Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| **Job Status** | ${{ job.status == 'success' && '✅ Success' || '❌ Failed' }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Resource Group** | \`${{ inputs.RESOURCE_GROUP_NAME }}\` |" >> $GITHUB_STEP_SUMMARY
+
+      - name: Logout from Azure
+        if: always()
+        shell: bash
+        run: |
+          az logout || true
+          echo "Logged out from Azure."
diff --git a/scripts/post_deployment_setup.ps1 b/scripts/post_deployment_setup.ps1
@@ -35,6 +35,40 @@ $pgAdminCmd = "ad-admin"
 $entraCheck = az postgres flexible-server microsoft-entra-admin --help 2>$null
 if ($LASTEXITCODE -eq 0) { $pgAdminCmd = "microsoft-entra-admin" }
 
+# -------------------------------------------------------
+# Detect identity type: interactive user vs service principal
+# -------------------------------------------------------
+$identityType = "user"
+$currentIdentityOid = $null
+$currentIdentityDisplay = $null
+$principalType = "User"
+
+# Try signed-in user first
+$currentIdentityOid = az ad signed-in-user show --query "id" -o tsv 2>$null
+if ($currentIdentityOid) {
+    $identityType = "user"
+    $currentIdentityDisplay = az ad signed-in-user show --query "userPrincipalName" -o tsv 2>$null
+    $principalType = "User"
+    Write-Host "✓ Detected identity type: User ($currentIdentityDisplay)"
+} else {
+    # Fallback to service principal
+    $spAppId = az account show --query "user.name" -o tsv 2>$null
+    if ($spAppId -and $spAppId -ne "null") {
+        $currentIdentityOid = az ad sp show --id $spAppId --query "id" -o tsv 2>$null
+        $currentIdentityDisplay = az ad sp show --id $spAppId --query "displayName" -o tsv 2>$null
+        if ($currentIdentityOid) {
+            $identityType = "servicePrincipal"
+            $principalType = "ServicePrincipal"
+            Write-Host "✓ Detected identity type: Service Principal ($currentIdentityDisplay, OID: $currentIdentityOid)"
+        }
+    }
+}
+
+if (-not $currentIdentityOid) {
+    Write-Warning "⚠ Could not determine current identity (user or service principal)."
+    Write-Warning "  Some operations (Key Vault role assignment, PostgreSQL admin) may be skipped."
+}
+
 # Track resources that need public access restored to Disabled
 $resourcesToRestore = @()
 
@@ -108,16 +142,15 @@ else {
         $keyVaultName = ($keyVaults -split "`n")[0].Trim()
         Write-Host "✓ Discovered Key Vault: $keyVaultName"
 
-        # Ensure the current user has 'Key Vault Secrets User' role on the Key Vault
-        $currentUserOid = az ad signed-in-user show --query "id" -o tsv 2>$null
-        if ($currentUserOid) {
+        # Ensure the current identity has 'Key Vault Secrets User' role on the Key Vault
+        if ($currentIdentityOid) {
             $kvResourceId = az keyvault show --name $keyVaultName --resource-group $ResourceGroupName --query "id" -o tsv 2>$null
             if ($kvResourceId) {
                 $kvSecretsUserRoleId = "4633458b-17de-408a-b874-0445c86b69e6"
-                $existingAssignment = az role assignment list --assignee $currentUserOid --role $kvSecretsUserRoleId --scope $kvResourceId --query "[0].id" -o tsv 2>$null
+                $existingAssignment = az role assignment list --assignee $currentIdentityOid --role $kvSecretsUserRoleId --scope $kvResourceId --query "[0].id" -o tsv 2>$null
                 if (-not $existingAssignment) {
-                    Write-Host "✓ Assigning 'Key Vault Secrets User' role to current user on Key Vault..."
-                    $roleOutput = az role assignment create --assignee-object-id $currentUserOid --assignee-principal-type User --role $kvSecretsUserRoleId --scope $kvResourceId 2>&1 | Out-String
+                    Write-Host "✓ Assigning 'Key Vault Secrets User' role to current ${identityType} on Key Vault..."
+                    $roleOutput = az role assignment create --assignee-object-id $currentIdentityOid --assignee-principal-type $principalType --role $kvSecretsUserRoleId --scope $kvResourceId 2>&1 | Out-String
                     if ($LASTEXITCODE -ne 0) {
                         Write-Warning "⚠ Failed to assign Key Vault Secrets User role."
                         Write-Warning "  $roleOutput"
@@ -126,11 +159,11 @@ else {
                         Start-Sleep -Seconds 30
                     }
                 } else {
-                    Write-Host "✓ Current user already has 'Key Vault Secrets User' role on Key Vault."
+                    Write-Host "✓ Current ${identityType} already has 'Key Vault Secrets User' role on Key Vault."
                 }
             }
         } else {
-            Write-Warning "⚠ Could not determine current user OID. Skipping Key Vault role assignment."
+            Write-Warning "⚠ Could not determine current identity OID. Skipping Key Vault role assignment."
         }
 
         # Check if Key Vault public access is disabled (WAF/private networking)
@@ -235,14 +268,14 @@ else {
         --start-ip-address $publicIp `
         --end-ip-address $publicIp 2>$null | Out-Null
 
-    # Get current user info for local Entra auth to PostgreSQL
-    $currentUserUpn = az ad signed-in-user show --query "userPrincipalName" -o tsv 2>$null
-    $currentUserOid = az ad signed-in-user show --query "id" -o tsv 2>$null
-    if (-not $currentUserUpn -or -not $currentUserOid) {
-        Write-Error "✗ Could not determine current signed-in user. Ensure you are logged in with 'az login'."
+    # Use previously detected identity for PostgreSQL Entra auth
+    if (-not $currentIdentityOid -or -not $currentIdentityDisplay) {
+        Write-Error "✗ Could not determine current identity. Ensure you are logged in with 'az login'."
         exit 1
     }
-    Write-Host "✓ Current user: $currentUserUpn ($currentUserOid)"
+    $currentUserUpn = $currentIdentityDisplay
+    $currentUserOid = $currentIdentityOid
+    Write-Host "✓ Current ${identityType}: $currentUserUpn ($currentUserOid)"
 
     # Ensure current user is a PostgreSQL Entra administrator
     $existingAdmins = az postgres flexible-server $pgAdminCmd list --resource-group $ResourceGroupName --server-name $serverName --query "[].objectId" -o tsv 2>$null
@@ -254,23 +287,23 @@ else {
     }
     $addedPgAdmin = $false
     if (-not $isAdmin) {
-        Write-Host "✓ Adding current user as PostgreSQL Entra administrator..."
+        Write-Host "✓ Adding current ${identityType} as PostgreSQL Entra administrator..."
         $adminOutput = az postgres flexible-server $pgAdminCmd create `
             --resource-group $ResourceGroupName `
             --server-name $serverName `
             --display-name $currentUserUpn `
             --object-id $currentUserOid `
-            --type User 2>&1 | Out-String
+            --type $principalType 2>&1 | Out-String
         if ($LASTEXITCODE -ne 0) {
-            Write-Warning "⚠ Failed to add current user as PostgreSQL admin. Table creation may fail."
+            Write-Warning "⚠ Failed to add current ${identityType} as PostgreSQL admin. Table creation may fail."
             Write-Warning "  $adminOutput"
         } else {
             $addedPgAdmin = $true
             Write-Host "✓ PostgreSQL admin added. Waiting 60s for propagation..."
             Start-Sleep -Seconds 60
         }
     } else {
-        Write-Host "✓ Current user is already a PostgreSQL Entra administrator."
+        Write-Host "✓ Current ${identityType} is already a PostgreSQL Entra administrator."
     }
 
     try {
diff --git a/scripts/post_deployment_setup.sh b/scripts/post_deployment_setup.sh
