ci: simplify deploy workflows — Terraform owns Container App config, CI owns image version#1081
Conversation
Terraform now owns:

- UAMI identity assignment
- ACR registry config (pull via managed identity)
- Key Vault secret refs
- Container env vars

So CI no longer needs to re-configure these on every deploy. Each deploy job is now just: push image → az containerapp update.

Production now uses az acr import to copy from dev ACR (server-side, no artifact re-download). Deploys by digest for immutability.

Added production hardening:

- Deploy by image digest (@sha256:...) instead of mutable tag
- Post-deploy image verification (catches silent TF rollback)
- Smoke test (curl /health)
- Git deploy tag (deployed/prod/<sha>)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR simplifies the CI/CD workflow by removing Azure Container App configuration steps from deploy jobs (now owned by Terraform) and hardening production deployments by deploying via immutable image digests with post-deploy verification and a basic smoke test.
Changes:
- Build job now tags/publishes images only to the dev ACR; production receives images via az acr import.
- Deploy jobs now only update Container App image (no identity/registry/secrets/env-var configuration in CI).
- Production deploy adds digest-based deploy, deployed-image verification, /health smoke test, and a Git deploy tag.
```bash
DIGEST=$(az acr repository show-manifests \
  --name "${PROD_ACR%.azurecr.io}" \
  --repository essentialcsharpweb \
  --query "[?tags[?@=='${{ github.sha }}']].digest | [0]" -o tsv)
```
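Review bot: the `DIGEST` capture has no guard for an empty result, and `az acr repository show-manifests` is deprecated. If no manifest in the prod ACR carries the `${{ github.sha }}` tag (the import failed, or the repository name is wrong), the JMESPath `| [0]` yields null, `-o tsv` prints an empty string, and the failure only surfaces later as a malformed `...@` image reference instead of here. Add `[ -n "$DIGEST" ] || { echo "no digest for ${{ github.sha }}" >&2; exit 1; }` directly after the capture, and resolve the tag with `az acr repository show --image essentialcsharpweb:${{ github.sha }} --query digest -o tsv` instead of the deprecated command.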
```bash
git tag "deployed/prod/${{ github.sha }}"
git push origin "deployed/prod/${{ github.sha }}"
```
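Review bot: `git tag` without `-f` fails when the tag already exists, so re-running the production job for the same SHA (for example a retry after a transient smoke-test failure) errors out at the very last step, after the deploy itself has already succeeded. Use `git tag -f "deployed/prod/${{ github.sha }}"` followed by `git push --force origin "deployed/prod/${{ github.sha }}"` so the step is idempotent for a given SHA.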
- Replace deprecated az acr repository show-manifests with az acr repository show
- Add --registry flag to az acr import for explicit ARM auth on source ACR (prod OIDC identity must have AcrPull on dev ACR — Terraform RBAC required)
- Guard against empty digest capture to fail fast with clear error
- Add --retry-all-errors to curl so HTTP 5xx triggers retry (not just network errors)
- Increase smoke test retry budget to cover cold-start (10x15s = 2.5 min + 30s max-time)
- Use git tag -f + push --force so re-runs of same SHA don't fail

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Both review comments have been addressed in the latest commit (8f096ba):
Both review threads are marked as outdated since the code was updated. Also in the same commit: replaced deprecated
Summary
Now that Terraform manages the Container App configuration, the deploy jobs no longer need to re-configure identity, registry, secrets, or env vars on every run. This PR strips those steps and adds production hardening.
What changed
Removed (Terraform owns these now)
- az containerapp identity assign — UAMI is set in Terraform HCL
- az containerapp registry set — ACR pull via managed identity is in Terraform HCL
- az containerapp secret set — all Key Vault secret refs are in Terraform HCL
- --replace-env-vars on az containerapp update — env vars are in Terraform HCL

Changed

- deploy-development: now just loads artifact → pushes to dev ACR → az containerapp update --image :sha
- deploy-production: replaced artifact download + push with az acr import (server-side copy from dev ACR to prod ACR — faster, no large artifact download)

Added (production hardening)

- Deploy by image digest (@sha256:...) instead of mutable tag — immutable reference
- Smoke test: curl --fail /health on the Container App FQDN
- Git deploy tag deployed/prod/<sha> pushed to repo as a durable audit record

Prerequisites (confirm before merging)
Verify Terraform HCL for the web Container App has all of:
- identity { user_assigned_identity_ids = [...] } — UAMI attached
- registry { ... identity = uami_id } — ACR pull via managed identity
- secret { key_vault_secret_uri }
- template.container.env
- AcrPush (or AcrImporter) on prod ACR for az acr import

RBAC note

The OIDC identity for this repo needs AcrPush on the prod ACR in addition to the dev ACR — az acr import writes to prod. Terraform should own this role assignment.
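The production job described above (import, resolve digest, deploy by digest, verify, smoke test, tag) as one script, written here as an added example and not the workflow from this PR. The variable names DEV_ACR, PROD_ACR, REPO, GITHUB_SHA, APP and RG, and the helpers `digest_is_valid`, `image_ref`, `verify_deployed`, `deploy_tag` and `deploy_prod`, are this example's own assumptions; the `az`, `curl` and `git` invocations use only documented flags. The helpers are pure so they can be exercised without Azure; `deploy_prod` only runs when the script is invoked with `deploy` and an authenticated `az` CLI.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow. Assumed (hypothetical) inputs:
#   DEV_ACR / PROD_ACR  registry login servers, e.g. devacr.azurecr.io
#   REPO                repository name, present in both registries
#   GITHUB_SHA          commit that was built and pushed as :<sha> to the dev ACR
#   APP / RG            Container App name and its resource group
set -euo pipefail

# A digest is exactly "sha256:" followed by 64 hex characters. An empty string
# (JMESPath miss), a tag, or a truncated value must never reach `--image`.
digest_is_valid() {
  local d="$1" hex
  [ "${#d}" -eq 71 ] || return 1
  [ "${d#sha256:}" != "$d" ] || return 1
  hex="${d#sha256:}"
  [ -z "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]
}

# Immutable image reference: <login-server>/<repo>@sha256:<hex>, no tag.
image_ref() {
  local registry="$1" repo="$2" digest="$3"
  digest_is_valid "$digest" || { echo "refusing to build image ref from bad digest '$digest'" >&2; return 1; }
  printf '%s/%s@%s' "$registry" "$repo" "$digest"
}

# Post-deploy check: what the app reports running must equal what was sent.
# A mismatch means something else (e.g. a terraform apply) changed the image.
verify_deployed() {
  local expected="$1" actual="$2"
  if [ "$expected" != "$actual" ]; then
    echo "deployed image mismatch: expected $expected, got $actual" >&2
    return 1
  fi
}

# Durable audit record; force-updated so a re-run of the same SHA is idempotent.
deploy_tag() { printf 'deployed/prod/%s' "$1"; }

deploy_prod() {
  local tag="${GITHUB_SHA:?}" digest ref running fqdn

  # 1. Server-side copy dev -> prod. --registry names the source registry so
  #    the caller's ARM identity (which needs AcrPull there) does the read.
  az acr import --name "${PROD_ACR%.azurecr.io}" \
    --registry "${DEV_ACR%.azurecr.io}" \
    --source "${REPO}:${tag}" --image "${REPO}:${tag}"

  # 2. Resolve the tag to its digest in the prod ACR; `az` returns "" rather
  #    than failing when the tag is missing, so image_ref rejects that here.
  digest="$(az acr repository show --name "${PROD_ACR%.azurecr.io}" \
    --image "${REPO}:${tag}" --query digest -o tsv)"
  ref="$(image_ref "$PROD_ACR" "$REPO" "$digest")"

  # 3. Deploy by digest: the reference cannot be re-pointed later.
  az containerapp update --name "$APP" --resource-group "$RG" --image "$ref" >/dev/null

  # 4. Read back what is actually running and compare.
  running="$(az containerapp show --name "$APP" --resource-group "$RG" \
    --query 'properties.template.containers[0].image' -o tsv)"
  verify_deployed "$ref" "$running"

  # 5. Smoke test. --retry-all-errors makes curl retry on HTTP 5xx as well as
  #    connection errors; 10 x 15 s plus a 30 s per-attempt cap covers cold start.
  fqdn="$(az containerapp show --name "$APP" --resource-group "$RG" \
    --query 'properties.configuration.ingress.fqdn' -o tsv)"
  curl --fail --silent --show-error --max-time 30 \
    --retry 10 --retry-delay 15 --retry-all-errors "https://${fqdn}/health" >/dev/null

  # 6. Audit tag, forced so a re-run for the same SHA does not fail here.
  git tag -f "$(deploy_tag "$tag")" "$tag"
  git push --force origin "$(deploy_tag "$tag")"
}

# Only run the real deploy when asked; otherwise just define the helpers.
if [ "${1:-}" = "deploy" ]; then
  deploy_prod
fi
```

Step 4 only pays off if Terraform does not reconcile the image itself: with the CI job owning the image version, the azurerm `azurerm_container_app` resource needs `lifecycle { ignore_changes = [template[0].container[0].image] }`, otherwise the next `terraform apply` resets the container to whatever image the HCL names, which is exactly the silent rollback the verification step is meant to catch.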