Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Tags: IntelliTect/EssentialCSharp.Web

Tags

deployed/prod/ffaa95d91944de1240660626ecf4103dd0d4752f

Toggle deployed/prod/ffaa95d91944de1240660626ecf4103dd0d4752f's commit message

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
ci: simplify deploy workflows — Terraform owns Container App config, …

…CI owns image version (#1081)

## Summary

Now that Terraform manages the Container App configuration, the deploy
jobs no longer need to re-configure identity, registry, secrets, or env
vars on every run. This PR strips those steps and adds production
hardening.

## What changed

### Removed (Terraform owns these now)
- `az containerapp identity assign` — UAMI is set in Terraform HCL
- `az containerapp registry set` — ACR pull via managed identity is in
Terraform HCL
- `az containerapp secret set` — all Key Vault secret refs are in
Terraform HCL
- `--replace-env-vars` on `az containerapp update` — env vars are in
Terraform HCL

### Changed
- `deploy-development`: now just loads artifact → pushes to dev ACR →
`az containerapp update --image :sha`
- `deploy-production`: replaced artifact download + push with **`az acr
import`** (server-side copy from dev ACR to prod ACR — faster, no large
artifact download)
- Build job: removed prod registry tags (image only goes to dev ACR at
build time; prod gets it via import)

### Added (production hardening)
- Deploy by **image digest** (`@sha256:...`) instead of mutable tag —
immutable reference
- **Post-deploy image verification** — reads deployed image from
Container App, asserts it matches expected digest; catches silent
rollback if Terraform recreates the resource
- **Smoke test** — `curl --fail /health` on the Container App FQDN
- **Git deploy tag** — `deployed/prod/<sha>` pushed to repo as a durable
audit record

## Prerequisites (confirm before merging)

Verify Terraform HCL for the web Container App has all of:
- [ ] `identity { user_assigned_identity_ids = [...] }` — UAMI attached
- [ ] `registry { ... identity = uami_id }` — ACR pull via managed
identity
- [ ] All 14 secrets as Key Vault refs under `secret {
key_vault_secret_uri }`
- [ ] All env vars under `template.container.env`
- [ ] OIDC identity has `AcrPush` (or `AcrImporter`) on **prod ACR** for
`az acr import`

## RBAC note

The OIDC identity for this repo needs `AcrPush` on the prod ACR in
addition to the dev ACR — `az acr import` writes to prod. Terraform
should own this role assignment.

---------

Co-authored-by: Copilot <[email protected]>