Update Azure terraform resources to work with the deployment script (#…
…366)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
jcma-google and renovate[bot] authored Aug 21, 2024
1 parent dd30c24 commit 658a2ba
Showing 18 changed files with 139 additions and 264 deletions.
3 changes: 0 additions & 3 deletions cloud/azure/bin/configure-slot-settings
Expand Up @@ -18,8 +18,5 @@ else
readonly STAGING_HOSTNAME="${PRIMARY_URL}"
fi

azure::slot_setting "canary" "${APP_NAME}" "BASE_URL" "${BASE_URL}" "${AZURE_RESOURCE_GROUP}"
azure::slot_setting "primary" "${APP_NAME}" "BASE_URL" "${BASE_URL}" "${AZURE_RESOURCE_GROUP}"

azure::slot_setting "canary" "${APP_NAME}" "STAGING_HOSTNAME" "${STAGING_HOSTNAME}" "${AZURE_RESOURCE_GROUP}"
azure::slot_setting "primary" "${APP_NAME}" "STAGING_HOSTNAME" "${STAGING_HOSTNAME}" "${AZURE_RESOURCE_GROUP}"
2 changes: 1 addition & 1 deletion cloud/azure/bin/create_resource_group
Expand Up @@ -21,4 +21,4 @@ if [[ ! "${RESOURCE_GROUP}" ]] \
fi

echo "Creating resource group ${RESOURCE_GROUP}"
azure::create_resource_group "${RESOURCE_GROUP}" "${LOCATION}"
azure::create_resource_group "${RESOURCE_GROUP}" "${AZURE_LOCATION}"
6 changes: 2 additions & 4 deletions cloud/azure/bin/deploy
Expand Up @@ -22,16 +22,14 @@ fi

azure::set_new_container_tag "${AZURE_RESOURCE_GROUP}" "${AZURE_APP_NAME}" "${IMAGE_TAG}"

if health::wait_for_success "${AZURE_CANARY_URL}/loginForm"; then
echo "New container successfully started in canary slot"
if health::wait_for_success "${AZURE_PRIMARY_URL}/playIndex"; then
echo "New container returns expected signal on ping"
else
log::deploy_failed "${IMAGE_TAG}" "${AZURE_USER_ID}"
azure_log::upload_log_file
exit 1
fi

echo "Swapping deployment slot 'canary' into production. This may take up to 10 minutes."
azure::swap_deployment_slot "${AZURE_RESOURCE_GROUP}" "${AZURE_APP_NAME}"
echo "Success! The new application version is up and running."

echo "Updating deployment log."
Expand Down
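Review bot: The health check on L44 now polls `${AZURE_PRIMARY_URL}/playIndex`, but the container tag set on L40 still goes to the `canary` slot — `azure::set_new_container_tag` keeps `--slot "canary"` in azure.sh, untouched by this commit — and the swap that used to promote it (old L52–L53) is removed, so the check appears to validate a slot this deploy never changed and the `Success!` message on L54 then reports a rollout that did not reach primary. If the canary slot was dropped on the Terraform side of this change, `--slot "canary"` should go as well; otherwise the swap needs to stay. The failure branch on L47–L49 still logs and exits, which is fine. The deploy script starts before and continues past this hunk.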
8 changes: 4 additions & 4 deletions cloud/azure/bin/lib/azure.sh
Expand Up @@ -10,7 +10,7 @@
function azure::set_common_vars() {
export AZURE_USER_ID="$(azure::get_current_user_id)"
export AZURE_APP_NAME="$(azure::get_app_name "${AZURE_RESOURCE_GROUP}")"
export AZURE_CANARY_URL="$(azure::get_canary_url "${AZURE_RESOURCE_GROUP}" "${AZURE_APP_NAME}")"
export AZURE_PRIMARY_URL="$(azure::get_primary_url "${AZURE_RESOURCE_GROUP}" "${AZURE_APP_NAME}")"
}

#######################################
Expand Down Expand Up @@ -140,11 +140,11 @@ function azure::get_container_tag() {
# 3. The new tag version
#######################################
function azure::set_new_container_tag() {
echo "setting new container tag ${3}"
az webapp config container set \
--resource-group "${1}" \
--name "${2}" \
--slot "canary" \
--docker-custom-image-name "DOCKER|civiform/civiform:${3}"
--container-image-name "DOCKER|civiform/civiform:${3}"
}

#######################################
Expand Down Expand Up @@ -191,7 +191,7 @@ function azure::ensure_role_assignment() {
if azure::is_service_principal; then
object_id="$(az account show --query user.name -o tsv)"
else
object_id="$(az ad signed-in-user show --query objectId -o tsv)"
object_id="$(az ad signed-in-user show --query id -o tsv)"
fi

local ROLE_ASSIGNMENTS="$(az role assignment list --assignee ${object_id} --resource-group ${1})"
Expand Down
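Review bot: The new lookup on L88 has no failure handling, and its result is expanded unquoted on L91, so if `az ad signed-in-user show` fails or prints nothing the role-assignment query runs with an empty `--assignee` and the function — which appears to gate whether a role assignment gets created — decides on the wrong input. Stop on an unresolved identity instead: `object_id="$(az ad signed-in-user show --query id -o tsv)" || return 1` followed by `[[ -n "${object_id}" ]] || { echo "could not resolve signed-in user id" >&2; return 1; }`, and quote `"${object_id}"` and `"${1}"` on L91. The service-principal branch on L85 has the same unchecked pattern. azure::ensure_role_assignment starts before this hunk and continues past it.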
2 changes: 1 addition & 1 deletion cloud/azure/bin/lib/key_vault.sh
Expand Up @@ -124,5 +124,5 @@ function key_vault::has_secret() {
--query value \
-o tsv 2>&1 >/dev/null)"

echo "${SECRET_RESULT}" | grep -q -v "SecretNotFound"
! echo "${SECRET_RESULT}" | grep -q "SecretNotFound"
}
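Review bot: The negation on L100 fixes the inverted `grep -v -q` test, but the function still reports a secret as present whenever the captured output merely lacks `SecretNotFound`: `SECRET_RESULT` holds only stderr (L97 discards stdout), so an expired login, a wrong vault name or a network error also produces a 0 return. ses-to-keyvault (L104–L106) acts on that by exiting 0 and skipping key creation, so an unrelated failure is silently read as "already provisioned". Capture the exit status of `az keyvault secret show` (its assignment sits above this hunk) and return 0 only when it succeeded, 1 when the output contains `SecretNotFound`, and propagate anything else as an error. key_vault::has_secret starts before this hunk.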
2 changes: 1 addition & 1 deletion cloud/azure/bin/ses-to-keyvault
Expand Up @@ -30,7 +30,7 @@ if key_vault::has_secret "${VAULT_NAME}" "${AWS_ACCESS_KEY_ID_NAME}"; then
exit 0
fi

echo "Getting an AWS access key"
echo "Getting an AWS access key for ${USERNAME}"
CREATED_KEY_RESULT="$(aws::create_access_key "${USERNAME}")"
ACCESS_KEY_ID="$(aws::parse_access_key_id "${CREATED_KEY_RESULT}")"
SECRET_ACCESS_KEY="$(aws::parse_access_secret_key "${CREATED_KEY_RESULT}")"
Expand Down
4 changes: 2 additions & 2 deletions cloud/azure/bin/setup_tf_shared_state
Expand Up @@ -21,8 +21,8 @@ fi

readonly BACKEND_VARS_FILENAME="${1}"

RESOURCE_GROUP_NAME="tfstate"
STORAGE_ACCOUNT_NAME="tfstate${RANDOM}"
RESOURCE_GROUP_NAME="${AZURE_RESOURCE_GROUP}"
STORAGE_ACCOUNT_NAME="${AZURE_RESOURCE_GROUP}${RANDOM}"
CONTAINER_NAME="tfstate"

echo "Check for Resource Group"
Expand Down
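Review bot: L123 builds the storage account name from `AZURE_RESOURCE_GROUP`, but Azure storage account names must be 3–24 characters of lowercase letters and digits only, while resource group names may contain uppercase, hyphens, underscores, periods and parentheses and be much longer; the previous `tfstate${RANDOM}` always satisfied that rule and the new value does not. Normalize before appending the suffix, e.g. `STORAGE_ACCOUNT_NAME="$(tr -dc 'a-z0-9' <<<"${AZURE_RESOURCE_GROUP,,}" | cut -c1-18)${RANDOM}"`, which also keeps the result within the 24-character limit. L122 deserves a comment too: if `AZURE_RESOURCE_GROUP` is the group the application lives in (azure.sh L63 uses it to look up the app name), the state account now shares that group's lifetime and deleting the group deletes the Terraform state. The script continues past this hunk.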
23 changes: 14 additions & 9 deletions cloud/azure/modules/app/locals.tf
Expand Up @@ -2,8 +2,11 @@ locals {
# The hard-coded zero indexes here are necessary to access the fqdn from the record set associated with it
# because the private_dns_zone_configs and record_sets blocks expose lists, even if we only have one dns zone
# and record set configured.
postgres_private_link = azurerm_private_endpoint.endpoint.private_dns_zone_configs[0].record_sets[0].fqdn
generated_hostname = "${var.application_name}-${random_pet.server.id}.azurewebsites.net"
# TODO(https://github.com/civiform/civiform/issues/8364): commenting postgres_private_link out for now as I
# set up the private link network right now postgres server is protected by password, subnet, and firewall,
# which is enough for staging purposes.
# postgres_private_link = azurerm_private_endpoint.endpoint.private_dns_zone_configs[0].record_sets[0].fqdn
generated_hostname = "${var.application_name}-${random_pet.server.id}.azurewebsites.net"

postgres_password_keyvault_id = "postgres-password"
app_secret_key_keyvault_id = "app-secret-key"
Expand All @@ -18,10 +21,9 @@ locals {

DOCKER_REGISTRY_SERVER_URL = "https://index.docker.io"

DB_USERNAME = "${azurerm_postgresql_server.civiform.administrator_login}@${azurerm_postgresql_server.civiform.name}"
DB_PASSWORD = data.azurerm_key_vault_secret.postgres_password.value
DB_JDBC_STRING = "jdbc:postgresql://${local.postgres_private_link}:5432/postgres?ssl=true&sslmode=require"

DB_USERNAME = "${azurerm_postgresql_flexible_server.civiform.administrator_login}@${azurerm_postgresql_flexible_server.civiform.name}"
DB_PASSWORD = data.azurerm_key_vault_secret.postgres_password.value
DB_JDBC_STRING = "jdbc:postgresql://${azurerm_postgresql_flexible_server.civiform.name}.postgres.database.azure.com:5432/postgres?user=${azurerm_postgresql_flexible_server.civiform.administrator_login}&password=${azurerm_postgresql_flexible_server.civiform.administrator_password}&sslmode=require"
STORAGE_SERVICE_NAME = "azure-blob"

AZURE_STORAGE_ACCOUNT_NAME = azurerm_storage_account.files_storage_account.name
Expand All @@ -32,8 +34,12 @@ locals {

SECRET_KEY = data.azurerm_key_vault_secret.app_secret_key.value

ADFS_SECRET = data.azurerm_key_vault_secret.adfs_secret.value
ADFS_CLIENT_ID = data.azurerm_key_vault_secret.adfs_client_id.value
ADFS_SECRET = data.azurerm_key_vault_secret.adfs_secret.value
ADFS_CLIENT_ID = data.azurerm_key_vault_secret.adfs_client_id.value
ADFS_DISCOVERY_URI = data.azurerm_key_vault_secret.adfs_discovery_uri.value
APPLICANT_OIDC_CLIENT_SECRET = data.azurerm_key_vault_secret.adfs_secret.value
APPLICANT_OIDC_DISCOVERY_URI = data.azurerm_key_vault_secret.adfs_discovery_uri.value
APPLICANT_OIDC_CLIENT_ID = data.azurerm_key_vault_secret.adfs_client_id.value

# The values below are all defaulted to null. If SAML authentication is used, the values can be pulled from the
# saml_keystore module
Expand All @@ -48,7 +54,6 @@ locals {
STAGING_HOSTNAME = "placeholder"
BASE_URL = "placeholder"

ADFS_DISCOVERY_URI = data.azurerm_key_vault_secret.adfs_discovery_uri.value
# In HOCON, env variables set to the empty string are
# kept as such (set to empty string, rather than undefined).
# This allows for the default to include atallclaims and for
Expand Down
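Review bot: L154 embeds `user=` and `password=${azurerm_postgresql_flexible_server.civiform.administrator_password}` in DB_JDBC_STRING even though DB_USERNAME and DB_PASSWORD on L152–L153 already carry the credentials as separate settings. A JDBC URL tends to surface in connection-failure messages and config dumps, which gives the administrator password a second exposure path, and the value is not URL-encoded, so a password containing `&`, `%` or `#` breaks the query string; the two passwords also come from different sources (the key vault secret versus the server attribute) and can diverge after a rotation. Unless the application ignores DB_USERNAME/DB_PASSWORD, prefer `DB_JDBC_STRING = "jdbc:postgresql://${azurerm_postgresql_flexible_server.civiform.name}.postgres.database.azure.com:5432/postgres?sslmode=require"`. Separately, the `@${...name}` suffix kept in DB_USERNAME on L152 is the Single Server login format; Flexible Server accepts the bare administrator login, so confirm the suffix is still wanted. The locals block continues past this hunk.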
2 changes: 1 addition & 1 deletion cloud/azure/modules/app/logs.tf
Expand Up @@ -8,7 +8,7 @@ resource "azurerm_log_analytics_workspace" "civiform_logs" {

resource "azurerm_monitor_diagnostic_setting" "app_service_log_analytics" {
name = "${var.application_name}_log_analytics"
target_resource_id = azurerm_app_service.civiform_app.id
target_resource_id = azurerm_linux_web_app.civiform_app.id
log_analytics_workspace_id = azurerm_log_analytics_workspace.civiform_logs.id

log {
Expand Down