
Commit e49c5c0

author
Benjamin Michaelis
committed
feat: OIDC/UAMI ACR migration for container app deployments
2 parents 47b32b4 + 38795e9 commit e49c5c0

1 file changed

Lines changed: 15 additions & 11 deletions


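--- a/.github/workflows/Build-Test-And-Deploy.yml
+++ b/.github/workflows/Build-Test-And-Deploy.yml
@@ -120,25 +120,25 @@ jobs:
 - name: Push Image to Container Registry
 run: docker push --all-tags ${{ vars.DEVCONTAINER_REGISTRY }}/essentialcsharpweb
 
-- name: Create and Deploy to Container App
+- name: Configure Container App Identity and Registry
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.DEVCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 with:
 inlineScript: |
+# Assumes container app already exists (provisioned by Terraform)
 az extension add --name containerapp --upgrade
-az containerapp up -n $CONTAINER_APP_NAME -g $RESOURCEGROUP --image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} --environment $CONTAINER_APP_ENVIRONMENT --registry-server $CONTAINER_REGISTRY --registry-identity ${{ secrets.WEB_UAMI_RESOURCE_ID }} --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }} --ingress external --target-port 8080
+az containerapp identity assign --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }}
+az containerapp registry set --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --server $CONTAINER_REGISTRY --identity ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 
 - name: Assign Managed Identity to Container App and Set Secrets and Environment Variables
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.DEVCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 KEYVAULTURI: ${{ secrets.ESSENTIALCSHARP_KEYVAULT_URI }}
 MANAGEDIDENTITYID: ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 AZURECLIENTID: ${{ secrets.WEB_UAMI_CLIENT_ID }}
@@ -156,7 +156,9 @@ jobs:
 ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
 ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
 postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
-az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
+az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP \
+--image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} \
+--replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
 Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
 AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Staging \
 AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \
@@ -179,7 +181,7 @@ jobs:
 needs: [deploy-development]
 concurrency:
 group: deploy-production
-cancel-in-progress: true
+cancel-in-progress: false
 environment:
 name: "Production"
 
@@ -210,25 +212,25 @@ jobs:
 - name: Push Image to Container Registry
 run: docker push --all-tags ${{ vars.PRODCONTAINER_REGISTRY }}/essentialcsharpweb
 
-- name: Create and Deploy to Container App
+- name: Configure Container App Identity and Registry
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.PRODCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 with:
 inlineScript: |
+# Assumes container app already exists (provisioned by Terraform)
 az extension add --name containerapp --upgrade
-az containerapp up -n $CONTAINER_APP_NAME -g $RESOURCEGROUP --image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} --environment $CONTAINER_APP_ENVIRONMENT --registry-server $CONTAINER_REGISTRY --registry-identity ${{ secrets.WEB_UAMI_RESOURCE_ID }} --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }} --ingress external --target-port 8080
+az containerapp identity assign --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --user-assigned ${{ secrets.WEB_UAMI_RESOURCE_ID }}
+az containerapp registry set --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --server $CONTAINER_REGISTRY --identity ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 
 - name: Assign Managed Identity to Container App and Set Secrets and Environment Variables
 uses: azure/CLI@v3
 env:
 CONTAINER_APP_NAME: ${{ vars.CONTAINER_APP_NAME }}
 RESOURCEGROUP: ${{ vars.RESOURCEGROUP }}
 CONTAINER_REGISTRY: ${{ vars.PRODCONTAINER_REGISTRY }}
-CONTAINER_APP_ENVIRONMENT: ${{ vars.CONTAINER_APP_ENVIRONMENT }}
 KEYVAULTURI: ${{ secrets.ESSENTIALCSHARP_KEYVAULT_URI }}
 MANAGEDIDENTITYID: ${{ secrets.WEB_UAMI_RESOURCE_ID }}
 AZURECLIENTID: ${{ secrets.WEB_UAMI_CLIENT_ID }}
@@ -246,7 +248,9 @@ jobs:
 ai-vectordeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--VectorGenerationDeploymentName,identityref:$MANAGEDIDENTITYID ai-chatdeployment=keyvaultref:$KEYVAULTURI/secrets/AIOptions--ChatDeploymentName,identityref:$MANAGEDIDENTITYID \
 ai-systemprompt=keyvaultref:$KEYVAULTURI/secrets/AIOptions--SystemPrompt,identityref:$MANAGEDIDENTITYID \
 postgres-vectorstore-connectionstring=keyvaultref:$KEYVAULTURI/secrets/ConnectionStrings--PostgresVectorStore,identityref:$MANAGEDIDENTITYID
-az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP --replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
+az containerapp update --name $CONTAINER_APP_NAME --resource-group $RESOURCEGROUP \
+--image $CONTAINER_REGISTRY/essentialcsharpweb:${{ github.sha }} \
+--replace-env-vars Authentication__github__clientId=secretref:github-clientid Authentication__github__clientSecret=secretref:github-clientsecret \
 Authentication__microsoft__clientId=secretref:msft-clientid Authentication__microsoft__clientSecret=secretref:msft-clientsecret AuthMessageSender__ApiKey=secretref:emailsender-apikey AuthMessageSender__SecretKey=secretref:emailsender-secret \
 AuthMessageSender__SendFromName=secretref:emailsender-name AuthMessageSender__SendFromEmail=secretref:emailsender-email ConnectionStrings__EssentialCSharpWebContextConnection=secretref:connectionstring ASPNETCORE_ENVIRONMENT=Production \
 AZURE_CLIENT_ID=$AZURECLIENTID HCaptcha__SiteKey=secretref:captcha-sitekey HCaptcha__SecretKey=secretref:captcha-secretkey APPLICATIONINSIGHTS_CONNECTION_STRING=secretref:appinsights-connectionstring \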
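Review bot: The new "Configure Container App Identity and Registry" step in the `@@ -120,25 +120,25 @@` hunk expands `${{ secrets.WEB_UAMI_RESOURCE_ID }}` directly inside `inlineScript` twice, while the step right after it already exposes the same secret through its `env:` block as `MANAGEDIDENTITYID` and reads `$MANAGEDIDENTITYID`; routing the value through `env:` keeps expression expansion out of the script text and makes the two steps consistent. Adding `MANAGEDIDENTITYID: ${{ secrets.WEB_UAMI_RESOURCE_ID }}` to the new step's `env:` and writing `--user-assigned $MANAGEDIDENTITYID` and `--identity $MANAGEDIDENTITYID` is all that is needed. The production copy of the step in the `@@ -210,25 +212,25 @@` hunk has the same pattern. Whether a failing `az containerapp identity assign` stops the script before `registry set` runs depends on how azure/CLI@v3 invokes the shell, which is not visible here; if it does not, a `set -e` line at the top of the inline script would keep the following deploy step from running against a partially configured app. The following step is still named "Assign Managed Identity to Container App and Set Secrets and Environment Variables" although identity assignment has moved to the new step, so renaming it to `- name: Set Secrets and Environment Variables` would keep the run log accurate.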
