Merge pull request #82 from NHSDigital/cd

[DTOSS-9339] Deployment

Author: saliceti

.azuredevops/pipelines/deploy.yml

@@ -0,0 +1,50 @@
+trigger: none
+pr: none
+
+parameters:
+- name: commitSHA
+  displayName: Commit SHA
+  type: string
+- name: environments
+  type: object
+  default:
+  - dev
+  - int
+
+stages:
+- ${{ each env in parameters.environments }}:
+  - stage: ${{ env }}
+    displayName: Deploy to ${{ env }} environment
+    pool:
+      name: private-pool-dev-uks
+    lockBehavior: sequential
+    isSkippable: false
+
+    jobs:
+    - deployment: DeployApp
+      displayName: Deploy application
+      environment: ${{ env }}
+      strategy:
+        runOnce:
+          deploy:
+            steps:
+            - checkout: self
+
+            - task: TerraformInstaller@1
+              displayName: Install Terraform
+              inputs:
+                terraformVersion: 1.7.0
+
+            - task: AzureCLI@2
+              name: RunTerraform
+              inputs:
+                azureSubscription: manbrs-${{ env }}
+                scriptType: bash
+                scriptLocation: inlineScript
+                addSpnToEnvironment: true
+                inlineScript: |
+                  export ARM_TENANT_ID="$tenantId"
+                  export ARM_CLIENT_ID="$servicePrincipalId"
+                  export ARM_OIDC_TOKEN="$idToken"
+                  export ARM_USE_OIDC=true
+                  make ci ${{ env }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }}

.github/workflows/cicd-2-main-branch.yaml

@@ -77,3 +77,13 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
+
+  deploy-stage:
+    name: Deploy stage
+    needs: [build-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy.yaml
+    with:
+      commit_sha: ${{ github.sha }}
+    secrets: inherit

.github/workflows/stage-4-deploy.yaml

@@ -0,0 +1,30 @@
+name: Deployment stage
+
+on:
+  workflow_call:
+    inputs:
+      commit_sha:
+        description: Commit SHA used to fetch ADO pipeline and docker image
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    environment: azure
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Call deployment pipeline
+      run: |
+        az pipelines run --commit-id ${{inputs.commit_sha}} --name "Deploy to Azure" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
+          --parameters commitSHA=${{inputs.commit_sha}}

README.md

@@ -107,7 +107,7 @@ To generate a new app, run:
 poetry run ./manage.py startapp <app_name> manage_breast_screening/`
 ```
 
-## Deployment
+## Manual deployment
 The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The app is deployed to an [Azure container app](https://azure.microsoft.com/en-us/products/container-apps) using terraform.
 
 For each environment, e.g. 'dev':
@@ -127,6 +127,11 @@ For each environment, e.g. 'dev':
    ```
 1. The web app URL will be displayed as output. Copy it into a browser on the AVD to access the app.
 
+## Continuous deployment
+When a PR is merged, Github actions securely triggers the deployment pipeline on the Azure devops pool running on the internal network. It currently deploys the dev environment automatically.
+
+Access [Azure devops](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=86) to see the pipeline.
+
 ## Application secrets
 The app requires secrets provided as environment variables. Terraform creates an Azure key vault and all its secrets are mapped directly to the app as environment variables. Devs can access the key vault to create and update the secrets manually.
 

infrastructure/terraform/resource_group_init/core.bicep

@@ -22,6 +22,16 @@ resource contributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-
   }
 }
 
+// Let the managed identity read key vault secrets during terraform plan
+resource kvSecretUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().subscriptionId, miPrincipalId, 'kvSecretUser')
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleID.kvSecretUser)
+    principalId: miPrincipalId
+    description: '${miName} kvSecretUser access to subscription'
+  }
+}
+
 // Let the managed identity assign the Key Vault Secrets User role to the container app managed identity
 resource rbacAdminAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(subscription().subscriptionId, miPrincipalId, 'rbacAdmin')

scripts/terraform/terraform.mk

@@ -13,7 +13,7 @@ ci: # Skip manual approvals when running in CI - make ci <env> <action>
 set-azure-account: # Set the Azure account for the environment - make <env> set-azure-account
 	[ "${SKIP_AZURE_LOGIN}" != "true" ] && az account set -s ${AZURE_SUBSCRIPTION} || true
 
-resource-group-init: get-subscription-ids # Initialise the resource group - make <env> resource-group-init
+resource-group-init: set-azure-account get-subscription-ids # Initialise the resource group - make <env> resource-group-init
 	$(eval STORAGE_ACCOUNT_NAME=sa${APP_SHORT_NAME}${ENV_CONFIG}tfstate)
 
 	$(eval output='$(shell az deployment sub create --location "${REGION}" --template-file infrastructure/terraform/resource_group_init/main.bicep \