Merge pull request #135 from DFE-Digital/deploy-to-azure-aca

Deploy to Azure Container Apps

.github/workflows/build-and-push-image-development.yml

@@ -0,0 +1,43 @@
+name: Continuous delivery
+
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build-and-push-image-development:
+    name: Build and push image development
+    environment: development
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Azure Container Registry login
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DEVELOPMENT_AZURE_ACR_CLIENTID }}
+          password: ${{ secrets.DEVELOPMENT_AZURE_ACR_SECRET }}
+          registry: ${{ secrets.DEVELOPMENT_ACR_URL }}
+
+      - name: Prepare tags
+        id: prepare-tags
+        run: |
+          DOCKER_IMAGE=${{ secrets.DEVELOPMENT_ACR_URL }}/academies-academisation-api
+          VERSION=latest
+          TAGS="${DOCKER_IMAGE}:${VERSION}"
+          if [ "${{ github.event_name }}" = "push" ]; then
+            VERSION=sha-${GITHUB_SHA}
+            TAGS="$TAGS,${DOCKER_IMAGE}:${VERSION}"
+          fi
+          echo ::set-output name=tags::${TAGS}
+          echo ::set-output name=deploy-version::${VERSION}
+
+      - name: Push image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./Dockerfile
+          build-args: ASPNET_IMAGE_TAG=6.0.9-bullseye-slim-amd64
+          push: true
+          tags: ${{ steps.prepare-tags.outputs.tags }}

.github/workflows/continuous-integration-terraform.yml

@@ -0,0 +1,63 @@
+name: Continuous integration
+
+on:
+  push:
+    branches: main
+  pull_request:
+
+jobs:
+  terraform-validate:
+    name: Terraform Validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Check for terraform version mismatch
+        run: |
+          DOTFILE_VERSION=$(cat terraform/.terraform-version)
+          TERRAFORM_IMAGE_REFERENCES=$(grep "uses: docker://hashicorp/terraform" .github/workflows/continuous-integration-terraform.yml | grep -v TERRAFORM_IMAGE_REFERENCES | wc -l | tr -d ' ')
+          if [ "$(grep "docker://hashicorp/terraform:${DOTFILE_VERSION}" .github/workflows/continuous-integration-terraform.yml | wc -l | tr -d ' ')" != "$TERRAFORM_IMAGE_REFERENCES" ]
+          then
+            echo -e "\033[1;31mError: terraform version in .terraform-version file does not match docker://hashicorp/terraform versions in .github/workflows/continuous-integration-terraform.yml"
+            exit 1
+          fi
+
+      - name: Remove azure backend
+        run: rm ./terraform/backend.tf
+
+      - name: Run a Terraform init
+        uses: docker://hashicorp/terraform:1.2.9
+        with:
+          entrypoint: terraform
+          args: -chdir=terraform init
+
+      - name: Run a Terraform validate
+        uses: docker://hashicorp/terraform:1.2.9
+        with:
+          entrypoint: terraform
+          args: -chdir=terraform validate
+
+      - name: Run a Terraform format check
+        uses: docker://hashicorp/terraform:1.2.9
+        with:
+          entrypoint: terraform
+          args: -chdir=terraform fmt -check=true -diff=true
+  terraform-docs-validation:
+    name: Terraform Docs validation
+    needs: terraform-validate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Generate Terraform docs
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: terraform
+          config-file: .terraform-docs.yml
+          output-file: README.md
+          output-method: inject
+          fail-on-diff: true

.github/workflows/continuous-integration-tfsec.yml

@@ -0,0 +1,14 @@
+name: Continuous integration
+on:
+  pull_request:
+jobs:
+  tfsec-pr-commenter:
+    name: tfsec PR commenter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v3
+      - name: tfsec
+        uses: aquasecurity/[email protected]
+        with:
+          github_token: ${{ github.token }}

.gitignore

@@ -372,3 +372,15 @@ FodyWeavers.xsd
 .env.*.local
 !.env.development.local.example
 !.env.database.example
+
+# Homebrew
+Brewfile.lock.json
+
+### Terraform
+.terraformrc*
+terraform.rc*
+*.tfstate*
+*.tfvars*
+!terraform.tfvars.example
+.terraform/
+backend.vars

Dockerfile

@@ -1,4 +1,5 @@
 # Stage 1
+ARG ASPNET_IMAGE_TAG=6.0.9-bullseye-slim
 FROM mcr.microsoft.com/dotnet/sdk:6.0 as build
 WORKDIR /build
 
@@ -27,7 +28,8 @@ RUN dotnet publish Dfe.Academies.Academisation.WebApi -c Release -o /app
 
 COPY ./script/webapi-docker-entrypoint.sh /app/docker-entrypoint.sh
 
-FROM mcr.microsoft.com/dotnet/aspnet:6.0.9-bullseye-slim AS final
+ARG ASPNET_IMAGE_TAG
+FROM "mcr.microsoft.com/dotnet/aspnet:${ASPNET_IMAGE_TAG}" AS final
 
 RUN apt-get update
 RUN apt-get install unixodbc curl gnupg -y

terraform/.terraform-docs.yml

@@ -0,0 +1,26 @@
+---
+formatter: "markdown table"
+version: "~> 0.16"
+settings:
+  anchor: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
+sort:
+  enabled: true
+  by: name
+output:
+  file: README.md
+  mode: inject
+  template: |-
+        <!-- BEGIN_TF_DOCS -->
+        {{ .Content }}
+        <!-- END_TF_DOCS -->

terraform/.terraform-version

@@ -0,0 +1 @@
+1.2.9

terraform/Brewfile

@@ -0,0 +1,4 @@
+brew "tfenv"
+brew "terraform-docs"
+brew "tfsec"
+brew "az"