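# Reusable workflow (workflow_call) for the Azure infrastructure.
# The `plan` job always runs: it decides whether a deployment is allowed and
# runs both deployment scripts with --plan. The `deploy` job runs the same
# scripts with --apply only when `plan` reports should_deploy == 'true'.
#
# NOTE(review): third-party actions are pinned to major tags
# (actions/checkout@v6, azure/login@v3). Pinning to a full commit SHA
# (`uses: actions/checkout@<FULL-COMMIT-SHA>  # v6`) protects against a moved
# tag; the tag can be kept in a trailing comment for readability.
name: Deploy Infrastructure

on:
  workflow_call:
    inputs:
      azure_environment:
        description: "Target environment. 'prod' deploys only from refs/heads/main; 'stage' also deploys from pull requests labelled 'Deploy to Staging'."
        required: true
        type: string
      cluster_location_acronym:
        description: "Short location code; last part of the cluster resource group name (<unique_prefix>-<azure_environment>-<acronym>)."
        required: true
        type: string
      service_principal_id:
        description: "Client ID of the service principal used for the OIDC login to Azure."
        required: true
        type: string
      subscription_id:
        description: "Azure subscription used for the login."
        required: true
        type: string
      tenant_id:
        description: "Azure tenant used for the login."
        required: true
        type: string
      unique_prefix:
        description: "Prefix for resource names; first part of the cluster resource group name."
        required: true
        type: string
      shared_location:
        description: "Azure region passed to deploy-environment.sh for the shared environment resources."
        required: true
        type: string
      cluster_location:
        description: "Azure region passed to deploy-cluster.sh for the cluster resources."
        required: true
        type: string
      domain_name:
        description: "Custom domain for the app-gateway container app. '' or '-' skips the DNS configuration step."
        required: true
        type: string
      postgres_admin_object_id:
        description: "Object ID passed to deploy-cluster.sh (as argument and as POSTGRES_ADMIN_OBJECT_ID)."
        required: true
        type: string
      production_service_principal_object_id:
        description: "Passed to deploy-environment.sh; defaults to '-' (presumably meaning 'none' — confirm in the script)."
        required: false
        type: string
        default: "-"

jobs:
  plan:
    name: Plan
    runs-on: ubuntu-24.04
    # Least-privilege token for this job. The caller must grant at least these:
    # contents:read for actions/checkout, id-token:write for the OIDC login
    # (azure/login is used with a client-id only, no client secret).
    permissions:
      contents: read
      id-token: write
    # Inputs are exposed as environment variables and referenced as "$VAR" in
    # run steps instead of being expanded with ${{ }} inside the shell text, so
    # a value containing quotes or $(...) cannot alter the command that runs.
    env:
      UNIQUE_PREFIX: ${{ inputs.unique_prefix }}
      AZURE_ENVIRONMENT: ${{ inputs.azure_environment }}
      SHARED_LOCATION: ${{ inputs.shared_location }}
      CLUSTER_LOCATION: ${{ inputs.cluster_location }}
      CLUSTER_LOCATION_ACRONYM: ${{ inputs.cluster_location_acronym }}
      DOMAIN_NAME: ${{ inputs.domain_name }}
      PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID: ${{ inputs.production_service_principal_object_id }}
    outputs:
      should_deploy: ${{ steps.determine_deployment.outputs.should_deploy }}
    steps:
      - name: Determine Deployment Conditions
        # For production: only deploy from the main branch. For staging: also
        # deploy from pull requests carrying the 'Deploy to Staging' label.
        # NOTE(review): the staging path is gated by a PR label, so anyone who can
        # apply labels can trigger a staging deployment — confirm label permissions
        # match the intended set of approvers.
        id: determine_deployment
        env:
          GIT_REF: ${{ github.ref }}
          HAS_STAGING_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'Deploy to Staging') }}
        run: |
          if [[ "$AZURE_ENVIRONMENT" == "prod" && "$GIT_REF" == "refs/heads/main" ]]; then
            should_deploy="true"
          elif [[ "$AZURE_ENVIRONMENT" == "stage" && ("$GIT_REF" == "refs/heads/main" || "$HAS_STAGING_LABEL" == "true") ]]; then
            should_deploy="true"
          else
            should_deploy="false"
          fi
          echo "should_deploy=$should_deploy" >> "$GITHUB_OUTPUT"
      - name: Checkout Code
        uses: actions/checkout@v6
      - name: Install Bicep CLI
        # `-f` makes curl fail on an HTTP error instead of saving the error page
        # as the binary. NOTE(review): this fetches the floating "latest" release
        # with no version pin or checksum, so the toolchain can change between
        # runs — consider pinning a release tag and verifying its published checksum.
        run: |
          curl -fsSL -o bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64 &&
          chmod +x ./bicep &&
          sudo mv ./bicep /usr/local/bin/bicep &&
          bicep --version
      - name: Login to Azure
        uses: azure/login@v3
        with:
          client-id: ${{ inputs.service_principal_id }}
          tenant-id: ${{ inputs.tenant_id }}
          subscription-id: ${{ inputs.subscription_id }}
      - name: Plan Shared Environment Resources
        run: >-
          bash ./cloud-infrastructure/environment/deploy-environment.sh
          "$UNIQUE_PREFIX" "$AZURE_ENVIRONMENT" "$SHARED_LOCATION"
          "$PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID" --plan
      - name: Plan Cluster Resources
        id: deploy_cluster
        env:
          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
          GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
          GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
          STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
          STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
        run: >-
          bash ./cloud-infrastructure/cluster/deploy-cluster.sh
          "$UNIQUE_PREFIX" "$AZURE_ENVIRONMENT" "$CLUSTER_LOCATION" "$CLUSTER_LOCATION_ACRONYM"
          "$POSTGRES_ADMIN_OBJECT_ID" "$DOMAIN_NAME" --plan
      - name: Show DNS Configuration
        if: ${{ inputs.domain_name != '' && inputs.domain_name != '-' }}
        env:
          CLUSTER_RESOURCE_GROUP_NAME: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
        run: |
          # Try to get the Container Apps Environment details. stderr is captured
          # on purpose: the not-found cases are recognised by their error text below.
          env_details=$(az containerapp env show --name "$CLUSTER_RESOURCE_GROUP_NAME" --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" 2>&1 || echo "")
          if [[ "$env_details" != "" ]] && [[ "$env_details" != *"ResourceNotFound"* ]] && [[ "$env_details" != *"ResourceGroupNotFound"* ]]; then
            custom_domain_verification_id=$(echo "$env_details" | jq -r '.properties.customDomainConfiguration.customDomainVerificationId')
            default_domain=$(echo "$env_details" | jq -r '.properties.defaultDomain')
            # Check if app-gateway already has the custom domain configured. A failed
            # lookup yields "{}" rather than error text so that jq does not fail the
            # step and the `// []` default falls through to the DNS instructions.
            app_gateway_details=$(az containerapp show --name app-gateway --resource-group "$CLUSTER_RESOURCE_GROUP_NAME" 2>/dev/null || echo "{}")
            custom_domains=$(echo "$app_gateway_details" | jq -r '.properties.configuration.ingress.customDomains // []')
            if [[ "$custom_domains" != "[]" ]] && [[ "$custom_domains" != "null" ]]; then
              echo "$(date +"%Y-%m-%dT%H:%M:%S") Custom domain '$DOMAIN_NAME' is already configured correctly."
            else
              echo "$(date +"%Y-%m-%dT%H:%M:%S") Please add the following DNS entries and then retry:"
              echo "- A TXT record with the name 'asuid.$DOMAIN_NAME' and the value '$custom_domain_verification_id'."
              echo "- A CNAME record with the Host name '$DOMAIN_NAME' that points to address 'app-gateway.$default_domain'."
            fi
          else
            echo "$(date +"%Y-%m-%dT%H:%M:%S") DNS configuration instructions will be shown after the Container Apps Environment is created."
          fi

  deploy:
    name: Deploy
    if: ${{ needs.plan.outputs.should_deploy == 'true' }}
    needs: plan
    # Runs not triggered by a pull request use the protected 'production' or
    # 'staging' environment; pull-request runs (staging via label) use none.
    environment: ${{ github.event_name != 'pull_request' && (inputs.azure_environment == 'prod' && 'production' || 'staging') || '' }}
    runs-on: ubuntu-24.04
    # Same least-privilege token as the plan job (see there).
    permissions:
      contents: read
      id-token: write
    # Inputs as environment variables; see the plan job for the rationale.
    env:
      UNIQUE_PREFIX: ${{ inputs.unique_prefix }}
      AZURE_ENVIRONMENT: ${{ inputs.azure_environment }}
      SHARED_LOCATION: ${{ inputs.shared_location }}
      CLUSTER_LOCATION: ${{ inputs.cluster_location }}
      CLUSTER_LOCATION_ACRONYM: ${{ inputs.cluster_location_acronym }}
      DOMAIN_NAME: ${{ inputs.domain_name }}
      PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID: ${{ inputs.production_service_principal_object_id }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
      - name: Install Bicep CLI
        # See the plan job: `-f` fails on HTTP errors; the "latest" download is
        # unpinned and unverified.
        run: |
          curl -fsSL -o bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64 &&
          chmod +x ./bicep &&
          sudo mv ./bicep /usr/local/bin/bicep &&
          bicep --version
      - name: Login to Azure
        uses: azure/login@v3
        with:
          client-id: ${{ inputs.service_principal_id }}
          tenant-id: ${{ inputs.tenant_id }}
          subscription-id: ${{ inputs.subscription_id }}
      - name: Deploy Shared Environment Resources
        run: >-
          bash ./cloud-infrastructure/environment/deploy-environment.sh
          "$UNIQUE_PREFIX" "$AZURE_ENVIRONMENT" "$SHARED_LOCATION"
          "$PRODUCTION_SERVICE_PRINCIPAL_OBJECT_ID" --apply
      - name: Deploy Cluster Resources
        id: deploy_cluster
        env:
          POSTGRES_ADMIN_OBJECT_ID: ${{ inputs.postgres_admin_object_id }}
          GOOGLE_OAUTH_CLIENT_ID: ${{ vars.GOOGLE_OAUTH_CLIENT_ID }}
          GOOGLE_OAUTH_CLIENT_SECRET: ${{ secrets.GOOGLE_OAUTH_CLIENT_SECRET }}
          STRIPE_PUBLISHABLE_KEY: ${{ vars.STRIPE_PUBLISHABLE_KEY }}
          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
          STRIPE_WEBHOOK_SECRET: ${{ secrets.STRIPE_WEBHOOK_SECRET }}
        run: >-
          bash ./cloud-infrastructure/cluster/deploy-cluster.sh
          "$UNIQUE_PREFIX" "$AZURE_ENVIRONMENT" "$CLUSTER_LOCATION" "$CLUSTER_LOCATION_ACRONYM"
          "$POSTGRES_ADMIN_OBJECT_ID" "$DOMAIN_NAME" --apply
      - name: Refresh Azure Tokens
        # The previous step may take a while, so we refresh the token to avoid timeouts.
        uses: azure/login@v3
        with:
          client-id: ${{ inputs.service_principal_id }}
          tenant-id: ${{ inputs.tenant_id }}
          subscription-id: ${{ inputs.subscription_id }}
      - name: Install PostgreSQL Client
        run: sudo apt-get update && sudo apt-get install -y postgresql-client
      - name: Open Firewall
        working-directory: cloud-infrastructure/cluster
        env:
          # Built from inputs.unique_prefix rather than vars.UNIQUE_PREFIX so the
          # target is the same resource group / server that deploy-cluster.sh and
          # the plan job's DNS step derive from the workflow inputs.
          CLUSTER_RESOURCE_GROUP_NAME: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
          POSTGRES_SERVER_NAME: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
          DATABASE_NAME: permissions
        run: bash ./firewall.sh open
      - name: Grant Database Permissions
        env:
          ACCOUNT_IDENTITY_CLIENT_ID: ${{ steps.deploy_cluster.outputs.ACCOUNT_IDENTITY_CLIENT_ID }}
          BACK_OFFICE_IDENTITY_CLIENT_ID: ${{ steps.deploy_cluster.outputs.BACK_OFFICE_IDENTITY_CLIENT_ID }}
          MAIN_IDENTITY_CLIENT_ID: ${{ steps.deploy_cluster.outputs.MAIN_IDENTITY_CLIENT_ID }}
        run: |
          # grant <database> <identity-client-id>: same positional contract for all three calls.
          grant() {
            bash ./cloud-infrastructure/cluster/grant-database-permissions.sh "$UNIQUE_PREFIX" "$AZURE_ENVIRONMENT" "$CLUSTER_LOCATION_ACRONYM" "$1" "$2"
          }
          grant 'account' "$ACCOUNT_IDENTITY_CLIENT_ID"
          grant 'back-office' "$BACK_OFFICE_IDENTITY_CLIENT_ID"
          grant 'main' "$MAIN_IDENTITY_CLIENT_ID"
      - name: Close Firewall
        # Always runs so the firewall is not left open after a failed grant step.
        if: always()
        working-directory: cloud-infrastructure/cluster
        env:
          CLUSTER_RESOURCE_GROUP_NAME: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
          POSTGRES_SERVER_NAME: ${{ inputs.unique_prefix }}-${{ inputs.azure_environment }}-${{ inputs.cluster_location_acronym }}
          DATABASE_NAME: permissions
        run: bash ./firewall.sh close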