This repository was archived by the owner on Nov 3, 2025. It is now read-only.

feat: migrate from SWA to ACA#36

Merged
glaucia86 merged 86 commits into
mainfrom
feat/migrate-swa-to-aca
Apr 24, 2025

Conversation

@glaucia86
Contributor

@glaucia86 glaucia86 commented Mar 4, 2025

Purpose

This pull request includes several changes to enhance the development environment, add deployment automation, and improve infrastructure management. The most important changes include updates to the development container configuration, the addition of environment variables, new GitHub workflows for deployment and validation, and the creation of a Dockerfile for building and running the application.

Development Environment Updates:

Environment Variables:

  • .env.example: Added environment variables for Azure OpenAI settings and optional Azure configurations.

Deployment Automation:

  • .github/workflows/azure-dev.yml: Added a workflow for deploying to Azure Container Apps, including steps for provisioning infrastructure and deploying the application.
  • deploy-to-aca.sh: Added a script for deploying the application to Azure Container Apps, including building the Docker image and configuring autoscaling.

Infrastructure Management:

  • infra/app/microblog-app.bicep: Added a Bicep template for deploying the application infrastructure, including managed identities, container apps, and environment variables.
  • infra/abbreviations.json: Added abbreviations for various Azure resources to streamline Bicep template writing.

Dockerfile:

  • Dockerfile: Created a multi-stage Dockerfile to build and run the application, optimizing for both development and production environments.

Does this introduce a breaking change?

[x] Yes
[ ] No

Pull Request Type

What kind of change does this Pull Request introduce?

[ ] Bugfix
[x] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

@glaucia86 glaucia86 self-assigned this Mar 4, 2025
@glaucia86 glaucia86 added the enhancement New feature or request label Mar 4, 2025
glaucia86 added 27 commits March 4, 2025 20:52

Copilot AI left a comment


Pull Request Overview

This PR migrates the project deployment from SWA to ACA by integrating Azure OpenAI services, enhancing the deployment process, and updating the infrastructure using Bicep templates.

  • Introduces new Azure resource definitions and retrieves OpenAI secrets in azure.yaml.
  • Adds a new GitHub workflow for deploying to Azure Container Apps and updates the CI workflow dependency installation command.
  • Updates import paths in the application code to reflect the new module location.

Reviewed Changes

Copilot reviewed 32 out of 47 changed files in this pull request and generated 1 comment.

  • azure.yaml: Adds infrastructure configuration using Bicep templates and secret retrieval steps.
  • .github/workflows/azure-dev.yml: Introduces a workflow for deploying to Azure Container Apps with enhanced subscription checks.
  • .github/workflows/ci.yml: Modifies dependency installation and removes the installation of Azure Functions Core Tools.
  • app/routes/generate.tsx: Updates the import path to reflect the module relocation of azureOpenAIService.
Files not reviewed (15)
  • .env.example: Language not supported
  • Dockerfile: Language not supported
  • deploy-to-aca.sh: Language not supported
  • infra/abbreviations.json: Language not supported
  • infra/app/containerapp.bicep: Language not supported
  • infra/core/ai/openai.bicep: Language not supported
  • infra/core/host/container-apps-environment.bicep: Language not supported
  • infra/core/monitoring/app-insights.bicep: Language not supported
  • infra/core/monitoring/log-analytics.bicep: Language not supported
  • infra/core/registry/container-registry.bicep: Language not supported
  • infra/core/security/keyvault.bicep: Language not supported
  • infra/core/security/managed-identity.bicep: Language not supported
  • infra/main.bicep: Language not supported
  • infra/main.parameters.json: Language not supported
  • package.json: Language not supported

Comment thread .github/workflows/ci.yml Outdated
- Deleted unused Bicep modules for container apps environment, Application Insights, Log Analytics, and Key Vault.
- Consolidated monitoring resources into a shared module for better management.
- Introduced new shared modules for Cognitive Services, Key Vault secrets, and dashboards.
- Updated main Bicep file to reflect changes in resource management and dependencies.
- Added support for conditional resource creation and improved parameter handling for Azure OpenAI resources.
- Enhanced Key Vault integration for storing sensitive information securely.
- Implemented role assignments for Azure resources to manage access control effectively.
Comment thread .github/workflows/validate-infra.yml Fixed
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Comment thread infra/shared/apps-env.bicep
}
properties: {
customSubDomainName: customSubDomainName
publicNetworkAccess: publicNetworkAccess

Check failure

Code scanning / templateanalyzer

Restrict Cognitive Service endpoints.

By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate.
}
properties: {
customSubDomainName: customSubDomainName
publicNetworkAccess: publicNetworkAccess

Check failure

Code scanning / templateanalyzer

Use Cognitive Service Private Endpoints.

By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints, which could be operated by a malicious actor, is not required.
properties: {
customSubDomainName: customSubDomainName
publicNetworkAccess: publicNetworkAccess
networkAcls: networkAcls

Check failure

Code scanning / templateanalyzer

Restrict Cognitive Service endpoints.

By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate.
customSubDomainName: customSubDomainName
publicNetworkAccess: publicNetworkAccess
networkAcls: networkAcls
disableLocalAuth: disableLocalAuth

Check failure

Code scanning / templateanalyzer

Use identity-based authentication for Cognitive Services accounts.

To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against the Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys.
name: name
location: location
tags: tags
properties: {

Check failure

Code scanning / templateanalyzer

Configure Azure Key Vault firewall.

By default, Key Vault accepts connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:
  • Azure services on the trusted service list.
  • IP address or CIDR range.
  • Private endpoint connections.
  • Azure virtual network subnets with a Service Endpoint.
If any of the following options are enabled you must also enable "Allow trusted Microsoft services to bypass this firewall":
  • enabledForDeployment - Azure Virtual Machines for deployment.
  • enabledForDiskEncryption - Azure Disk Encryption for volume encryption.
  • enabledForTemplateDeployment - Azure Resource Manager for template deployment.
tenantId: subscription().tenantId
sku: { family: 'A', name: 'standard' }
enabledForTemplateDeployment: true
enableRbacAuthorization: false

Check warning

Code scanning / templateanalyzer

Use Azure role-based access control.

Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage keys, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default.
tags: tags
sku: sku
properties: {
adminUserEnabled: adminUserEnabled

Check failure

Code scanning / templateanalyzer

Disable ACR admin user.

Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries. Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including:
  • Strong account protection controls with conditional access, identity governance, and privileged identity management.
  • Auditing and reporting of account activity.
  • Granular access control with role-based access control (RBAC).
  • Separation of account types for users and applications.
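The five templateanalyzer findings above all point at settings in the PR's shared Bicep modules (Cognitive Services network access and local auth, Key Vault firewall and RBAC, ACR admin user). The module below is an added example of what the hardened counterparts look like together; it is not code from this PR, and the parameter names, resource names, API versions and the app subnet (assumed to carry the Microsoft.CognitiveServices and Microsoft.KeyVault service endpoints) are assumptions.

```bicep
// Added example, not from the PR; names, params and API versions are assumed.
param location string = resourceGroup().location
param openAiName string       // assumed; also used as the custom subdomain
param keyVaultName string     // assumed
param registryName string     // assumed
param appSubnetId string      // assumed: app subnet with service endpoints

// Cognitive Services: public endpoint default-denied, only appSubnetId allowed,
// and API keys disabled so every call must carry an Entra ID token.
resource openAi 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: openAiName
  location: location
  kind: 'OpenAI'
  sku: { name: 'S0' }
  properties: {
    customSubDomainName: openAiName
    publicNetworkAccess: 'Enabled'   // kept, but the ACL below restricts it
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: appSubnetId } ]
    }
    disableLocalAuth: true           // the flagged module parameterised this
  }
}

// Key Vault: RBAC data plane (the flagged module had false) and a firewall with
// default Deny; trusted-services bypass is needed for template deployment.
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enabledForTemplateDeployment: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: appSubnetId } ]
    }
  }
}

// Container registry: admin user off; the app pulls with its managed identity
// through an AcrPull role assignment (not shown) instead of shared credentials.
resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: registryName
  location: location
  sku: { name: 'Basic' }
  properties: { adminUserEnabled: false }
}
```

With publicNetworkAccess left 'Enabled' the account is reachable only from the listed subnet; setting it to 'Disabled' instead would require a private endpoint, which is the stricter option the second finding describes.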
Contributor Author

@glaucia86 glaucia86 left a comment


LGTM

@glaucia86 glaucia86 requested a review from Copilot April 11, 2025 14:01

Copilot AI left a comment


Copilot reviewed 40 out of 55 changed files in this pull request and generated no comments.

Files not reviewed (15)
  • .devcontainer/devcontainer.json: Language not supported
  • .dockerignore: Language not supported
  • .env.example: Language not supported
  • Dockerfile: Language not supported
  • deploy-to-aca.sh: Language not supported
  • infra/abbreviations.json: Language not supported
  • infra/app/microblog-app.bicep: Language not supported
  • infra/main.bicep: Language not supported
  • infra/main.parameters.json: Language not supported
  • infra/modules/fetch-container-image.bicep: Language not supported
  • infra/shared/apps-env.bicep: Language not supported
  • infra/shared/cognitiveservices.bicep: Language not supported
  • infra/shared/dashboard-web.bicep: Language not supported
  • infra/shared/keyvault-secret.bicep: Language not supported
  • infra/shared/keyvault.bicep: Language not supported

@glaucia86 glaucia86 requested a review from diberry April 24, 2025 15:51
@glaucia86 glaucia86 merged commit 551544a into main Apr 24, 2025
5 of 6 checks passed

Labels

enhancement New feature or request

4 participants