generated from CDCgov/template
-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document the current build and deploy workflows along with our infrastructure setup #373
Merged
Merged
Changes from all commits
Commits
Show all changes
26 commits
Select commit
Hold shift + click to select a range
979905f
wip
214d952
wip
7bd4020
wip
7efc35b
wip
5bb9a9f
wip
f692337
wip
7f9d5c4
wip
aa05441
Merge branch 'main' into document-current-gha-workflows
7c1ac99
scope creep
102219d
scope creep
867c6bd
wip
0be0f01
wip
5250da6
Merge branch 'main' into document-current-gha-workflows
259c43b
updates
3f3c7e3
updates
5d83e77
updates
84051e7
terraform readme update
21d30c7
terraform readme update
12cb837
gha readme update
2449030
gha readme update
c015f5b
gha readme update
20255f1
gha readme update
975b05a
gha readme update
cc68997
gha readme update
7284197
gha readme update
3d895bc
add list of Azure services that are being used
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
# Github Action workflows for building and deploying ReportVision in a dev environment | ||
|
||
## Prerequisites | ||
|
||
You will need to create new App registrations(federated secrets) and Resource Groups in your Azure account for each environment, while also updating the existing `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_OBJECT_ID` ID's in each Github Environment. Most these ID's are found in each environments App Registration Overview page and Subscriptions Overview page in the Azure Portal. To update these secrets in Github go to Settings > Environments > And select the environment you would like to edit. | ||
|
||
**NOTE**: Resource Groups were never created from Terraform on purpose to better replicate CDC's Azure setup and requirements for potential future migrations from Skylight's Azure. CDC would manually create Resource Groups for us. | ||
|
||
Azure Resource Group naming convention: | ||
|
||
- `reportvision-rg-<environment-name>` | ||
|
||
With how our Github Action workflows are parametrized, to enable better automation and less user intervention, Azure Resource Groups will need to be named in a strict manor. If you would like to change the convention, you will also need to change how its named and parametrized in the Github Actions workflow files. | ||
|
||
## Complete e2e build and deploy for ReportVision | ||
|
||
To build and deploy all of ReportVision's services at once, `deploy-dev.yml` will do the trick specifically for dev environments within Azure only. | ||
|
||
Required Inputs: | ||
|
||
- `branch`: Any | ||
- `deploy-env`: Drop down of available environments to chose from. | ||
|
||
Optional Inputs: | ||
|
||
- `ocr-docker-tag`: The OCR Docker Tag. This input is optional because if it is left blank, the workflow will build and publish a new docker image each time. If you would like to deploy a previously built docker image, you can add the tag here. | ||
- `middleware-docker-tag`: The Middleware Docker Tag. This input is optional because if it is left blank, the workflow will build and publish a new docker image each time. If you would like to deploy a previously built docker image, you can add the tag here. | ||
|
||
|
||
**NOTE**: This workflow is currently failing for a known, valid reason with Terraform. See the Terraform README.md for more details on the error. In the meantime, if you need to setup or update an environments infrastructure, it needs to be done locally with Terraform and then deploy the frontend and the API's from their separate workflows shown below. | ||
|
||
## Build and deploy ReportVision's frontend only | ||
|
||
We made a separate workflow that builds and deploys the frontend files only, `build-deploy-frontend.yml`. Having to wait for the end-to-end deploy, along with the Terraform setup job to complete, just to refresh the frontend can be a giant waste of time. | ||
|
||
Before running this workflow, just make sure the Azure environment is already up and running from either the `deploy-dev.yml` workflow, your local terraform, or at the very least a Storage Account in is created. | ||
|
||
Required Inputs: | ||
|
||
- `branch`: Any | ||
- `deploy-env`: Drop down of available environments to chose from. | ||
|
||
## Build and deploy ReportVision's OCR-API and Middleware-API separately | ||
|
||
Just like with the frontend, we needed a way to refresh the OCR-API and/or Middleware-API without having to re-apply Terraform and deploying the frontend. With `build-deploy-ocr.yml` or `build-deploy-ocr.yml` we can either build and publish a new docker image or we can use an already registered docker image. Both the OCR-API and Middleware-API docker images are published here: | ||
- https://github.com/CDCgov/ReportVision/pkgs/container/reportvision-ocr | ||
- https://github.com/CDCgov/ReportVision/pkgs/container/reportvision-middleware. | ||
|
||
Once the workflow builds and publishes the images, it will deploy it to the selected environments Azure App-Service Webapp. | ||
|
||
Again, Just make sure you have already applied the needed resources with Terraform before running this workflow. | ||
|
||
Required Inputs: | ||
|
||
- `branch`: Any | ||
- `deploy-env`: Drop down of available environments to chose from. | ||
|
||
Optional Inputs: | ||
|
||
- `ocr-docker-tag`: The OCR Docker Tag. This input is optional because if it is left blank, the workflow will build and publish a new docker image each time. If you would like to deploy a previously built docker image, you can add the tag here. | ||
|
||
**Note**: Using an already registered docker image will be a bit faster than waiting for a new one to be built. Also, this is how we quickly rollback versions. | ||
|
||
# Github Workflows for building and deploying ReportVision in Staging or Production | ||
|
||
Unfortunately we never had the opportunity to pilot our amazing product to actual users which kept us from deploying to any type of Staging or Production environments. We also weren't entirely sure if we'd even be able to deploy to a centrally hosted Azure account like our current one either. | ||
|
||
If we were able to deploy to a centrally hosted system. Our thought would have been to create a `deploy-stage.yml` workflow that is structured and functions very similarly to `deploy-dev.yml`, except it would be triggered off of the `main` branch or Github `tags`. If all staging jobs and tests pass, a `deploy-prod.yml` workflow would then get triggered. | ||
|
||
If we were required to deploy to STLT-hosted environments, our plan was going to ensure that all services are containerized and deployed as a container orchestrated system with tooling like Kubernetes. This would make it easier for us to be cloud-agnostic and have the ability to quickly "lift-and-shift" our product into different organizations. If this were to happen, we would had to paradigm shift completely. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,93 @@ | ||
# ReportVision's Terraform Setup | ||
|
||
Currently, our infrastructure is built specifically for Azure, with a traditional cloud architecture hosting our frontend code from blob storage and our OCR-API, Middleware-API running in App Service's. The frontend, OCR-API, Middleware-API, and the Postgres Database are behind a Virtual Network and load balanced by an App Gateway. | ||
|
||
## List of Azure Services being used | ||
|
||
- Resource Groups | ||
- App Registrations (Federated Credentials) | ||
- Blob Storage Accounts | ||
- App Service Linux Web App (autoscaling enabled for OCR) | ||
- Application Gateway (with Public IP) | ||
- Postgresql Flexible Server | ||
- Private DNS Zone Virtual Network Link | ||
- Postgresql Flexible Server Firewall Rule | ||
- Virtual Network (with subnets) | ||
- Network Security Groups | ||
- Key Vault | ||
|
||
## Prerequisites | ||
|
||
When using Terraform, you will need to created a `terraform.tfvars` file in the `ops/terraform` directory with variables: | ||
|
||
``` bash | ||
resource_group_name = "reportvision-rg-<environment-name>" | ||
name = "reportvision" | ||
sku_name = "P0v3" | ||
client_id = "<CLIENT-ID>" | ||
object_id = "<OBJECT-ID>" | ||
tenant_id = "<TENANT-ID>" | ||
subscription_id = "<SUBSCRIPTION-ID>" | ||
``` | ||
|
||
Install both the Azure and Terraform CLI: | ||
|
||
``` bash | ||
brew install azure-cli | ||
``` | ||
|
||
``` bash | ||
brew install terraform | ||
``` | ||
|
||
**NOTE**, this is specific to setting up the infrastructure from your local machine. There is a bit more setup needed to make it work with Github Actions | ||
|
||
## Authenticate locally with Azure | ||
|
||
Once you have everything needed installed, you will need to authenticate to Azure with the following command: | ||
|
||
``` bash | ||
az login | ||
``` | ||
You should be directed to an SSO login screen and once there is a success you will enter a number in the cli to indicate the Azure subscription you want to use. | ||
|
||
## Initiating Terraform State | ||
|
||
Currently we are storing our state files in an Azure Resource Group called `reportvision-rg`, in a storage container called `rv-tfstate`, with a subfolder of `dev`. You can change these by updating both the `providers.tf` and `config/dev.config` file. | ||
|
||
The reason we chose to go with subfolders for the state files and separate config files for the Backend, is to make creating identical but very decoupled environments with easy and flexibility using Terraform Workspaces. Unfortunately, there doesn't seem to be a way to parameterize within a Terraform Backend, so the separate config files were the way to go without needing to do some type of overly complicated looping logic. | ||
|
||
Run the following command from the `ops/terraform` directory to set your state lock file: | ||
|
||
``` bash | ||
terraform init -backend-config=config/dev.config | ||
``` | ||
|
||
Run the following command to set the appropriate workspace: | ||
|
||
``` bash | ||
terraform workspace select -or-create dev | ||
``` | ||
|
||
## Plan and apply Terraform | ||
|
||
If the above successfully completed you should now have your state configured and its time to apply the infrastructure! | ||
|
||
``` bash | ||
terraform plan | ||
``` | ||
|
||
``` bash | ||
terraform apply -auto-approve | ||
``` | ||
|
||
## Known errors | ||
|
||
The initial Terraform apply for a fresh environment SHOULD be fairly straight forward but when its time to run another updating apply to that environment, you most likely will get and updating Key Vault error that says: | ||
|
||
``` bash | ||
once Purge Protection has been Enabled it's not possible to disable it | ||
``` | ||
This is a valid and expected error because we do not want to purge the secret for the database. We implemented this change right before our contract ended and ran out of time to fix it(We started looking into possibly making it a warning instead of an error). | ||
|
||
All the updating changes should still apply even with this error but it definitely is blocking Github Actions from working properly for this process to be fully automated. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add an overview of the azure services we utilize and purpose of these services.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh! thats a great idea!! Thank you :)