
Commit 08890a3

author
Benjamin Michaelis
committed
fix: replace containerapp up with targeted commands; add --image to update
- Add --image to az containerapp update so the image and env vars are set atomically in a single revision (dev and prod)
- Remove the separate containerapp up, which required CAE-level permissions; identity assign + registry set + update --image are CA-scoped only (plus managedEnvironments/read, which is covered by the Container Apps Contributor role on the CAE granted to the deploy UAMIs)
1 parent f211979 commit 08890a3

1 file changed

Lines changed: 14 additions & 8 deletions


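--- a/.github/workflows/Build-Test-And-Deploy.yml
+++ b/.github/workflows/Build-Test-And-Deploy.yml
@@ -120,17 +120,18 @@ jobs:
 - name: Push Image to Container Registry
 run: docker push --all-tags ${{ vars.DEVCONTAINER_REGISTRY }}/essentialcsharpweb
 
-- name: Create and Deploy to Container App
+- name: Configure Container App Identity and Registry
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.DEVCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 with:
 inlineScript: |
+# Assumes container app already exists (provisioned by Terraform)
 az extension add --name containerapp --upgrade
-az containerapp up -n $CONTAINER_APP_NAME -g $RESOURCEGROUP --image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} --environment $CONTAINER_APP_ENVIRONMENT --registry-server $CONTAINER_REGISTRY --registry-identity ${{ secrets.WEB_UAMI_RESOURCE_ID }} --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }} --ingress external --target-port 8080
+az containerapp identity assign --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }}
+az containerapp registry set --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --server $CONTAINER_REGISTRY --identity ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 
 - name: Assign Managed Identity to Container App and Set Secrets and Environment Variables
 uses: azure/CLI@v3
@@ -156,7 +157,9 @@ jobs:
 ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
 ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
 postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
-az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
+az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP \
+--image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} \
+--replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
 Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
 AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Staging \
 AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
@@ -210,17 +213,18 @@ jobs:
 - name: Push Image to Container Registry
 run: docker push --all-tags ${{ vars.PRODCONTAINER_REGISTRY }}/essentialcsharpweb
 
-- name: Create and Deploy to Container App
+- name: Configure Container App Identity and Registry
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.PRODCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 with:
 inlineScript: |
+# Assumes container app already exists (provisioned by Terraform)
 az extension add --name containerapp --upgrade
-az containerapp up -n $CONTAINER_APP_NAME -g $RESOURCEGROUP --image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} --environment $CONTAINER_APP_ENVIRONMENT --registry-server $CONTAINER_REGISTRY --registry-identity ${{ secrets.WEB_UAMI_RESOURCE_ID }} --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }} --ingress external --target-port 8080
+az containerapp identity assign --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }}
+az containerapp registry set --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --server $CONTAINER_REGISTRY --identity ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 
 - name: Assign Managed Identity to Container App and Set Secrets and Environment Variables
 uses: azure/CLI@v3
@@ -246,7 +250,9 @@ jobs:
 ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
 ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
 postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
-az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
+az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP \
+--image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} \
+--replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
 Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
 AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Production \
 AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \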
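Review bot: The new `identity assign` and `registry set` lines in the first hunk splice `${{ secrets.WEB_UAMI_RESOURCE_ID }}` directly into the inlineScript text, while every other value the same step uses (CONTAINER_APP_NAME, RESOURCEGROUP, CONTAINER_REGISTRY) is passed through the step's `env:` block; the prod step in the third hunk has the same shape. An expression expanded inside the script body is substituted into the shell source before the shell runs it, so it bypasses shell quoting entirely, and this step already has the env indirection that avoids that. Add `WEB_UAMI_RESOURCE_ID: ${{ secrets.WEB_UAMI_RESOURCE_ID }}` under the step's `env:` and reference it as `"$WEB_UAMI_RESOURCE_ID"` in both commands (quoted, since a resource ID contains slashes), in both the dev and prod steps. The `--image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }}` lines in the update steps are fine as written, since the SHA is a fixed hex value and the tag pins the deployed image to the built commit.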
