Fix Runner deployment issues and docs (#289)

mawasile · web-flow · commit 1b82f8e3764b · 2025-10-13T18:08:16.000+02:00
* fixing deployment issues

* chore: update azd version to 1.19.0 and add Node.js setup in workflows

* refactor: move validation check for missing security roles into lifecycle block

* fix: add --debug flag to azd provision for enhanced troubleshooting

* chore: update Node.js and Terraform versions in CI workflow

* chore: update azd version to 1.20.0 and enable Azure CLI authentication for azapi provider

* fix: update azapi provider version to 2.7.0

* fix: update azapi provider version to 2.7.0 in multiple terraform files

* fix: add environment variable logging to Azure deployment workflow

* fix: add debug logging for environment variables in Azure deployment workflow

* fix: downgrade azd version from 1.20.0 to 1.19.0 and comment out TF_LOG debug

* fix: add wait for Azure OpenAI account provisioning and update dependencies in search configuration

* fix: update azCliVersion to 2.74.0 and reduce timeout to 5 minutes in search index configuration

* refactor: comment out non-dataverse user resource block in Power Platform configuration

* refactor: uncomment data blocks for power platform user configuration

* fix: update azd version to 1.20.0 in workflow configuration

* fix: update azd version to 1.20.0 in workflow configuration

* fix: update cognitive deployment model name to text-embedding-3-small

* feat: add security rule to allow outbound internet access in network security group
feat: update storage account configuration to clarify public network access
chore: add launch configuration for .NET Core debugging
chore: add tasks configuration for building and publishing .NET projects

* refactor: move private endpoint creation outside module for proper provisioning wait time

* cleaning up

* feat: enhance GitHub runner installation script with user existence check and cleanup of existing configurations

* fix: restore denied inbound and outbound traffic rules in network security group

* fix: add comment to clarify purpose of security rule for storage IP

* fix: remove redundant deny rules for inbound and outbound traffic in network security group

* feat: add default outbound access configuration and update tagging for network resources
diff --git a/.github/workflows/azure-dev-down.yml b/.github/workflows/azure-dev-down.yml
@@ -33,12 +33,17 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
         with:
-          version: '1.18.1'  # Specify your desired azd version here
+          version: '1.20.0'  # Specify your desired azd version here
+        
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
 
       - name: Install Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
-          terraform_version: 1.12.2
+          terraform_version: 1.13.3
 
       - name: Login to Azure with Federated Identity
         uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
@@ -45,7 +45,17 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@ae0f8b5482eeac61e940f447327d84c73beb8b1e # v2.1.0
         with:
-          version: '1.18.1'  # Specify your desired azd version here
+          version: '1.20.0'  # Specify your desired azd version here
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.x'
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: 1.13.3
 
       - name: Install TFLint
         uses: terraform-linters/setup-tflint@90f302c255ef959cbfb4bd10581afecdb7ece3e6 # v4.1.1
diff --git a/cicd/github_runner_aca/terraform.tf b/cicd/github_runner_aca/terraform.tf
@@ -7,7 +7,7 @@ terraform {
     }
     azapi = {
       source  = "Azure/azapi"
-      version = "~> 2.5"
+      version = "~> 2.7.0"
     }
   }
 }
diff --git a/cicd/github_runner_vm/install-github-runner.sh b/cicd/github_runner_vm/install-github-runner.sh
@@ -113,7 +113,12 @@ usermod -aG docker azureuser
 
 # Create a dedicated user for the runner
 log "Creating GitHub runner user..."
-useradd -m -d /home/github-runner -s /bin/bash github-runner
+if id "github-runner" &>/dev/null; then
+    log "User github-runner already exists, skipping creation"
+else
+    useradd -m -d /home/github-runner -s /bin/bash github-runner
+    log "User github-runner created successfully"
+fi
 usermod -aG docker github-runner
 
 # Create sudoers file for github-runner
@@ -178,8 +183,20 @@ rm "$${RUNNER_TARBALL}"
 # Set ownership
 chown -R github-runner:github-runner "$RUNNER_DIR"
 
+# Remove existing runner configuration if it exists
+log "Checking for existing runner configuration..."
+if [ -f "$RUNNER_DIR/.runner" ]; then
+    log "Existing runner configuration found, removing..."
+    # Stop and uninstall the service first
+    cd "$RUNNER_DIR"
+    ./svc.sh stop 2>/dev/null || log "Service was not running"
+    ./svc.sh uninstall 2>/dev/null || log "Service was not installed"
+    # Now remove the configuration
+    sudo -u github-runner bash -c "cd '$RUNNER_DIR' && ./config.sh remove --token '$RUNNER_TOKEN'" || log "Failed to remove existing configuration, continuing anyway"
+fi
+
 log "Configuring GitHub Actions runner..."
-sudo -u github-runner bash -c "cd '$RUNNER_DIR' && ./config.sh --url '$GITHUB_URL' --token '$RUNNER_TOKEN' --name '$RUNNER_NAME' --work '$RUNNER_WORK_FOLDER' --labels '$RUNNER_LABELS' --unattended --replace"
+sudo -u github-runner bash -c "cd '$RUNNER_DIR' && ./config.sh --url '$GITHUB_URL' --token '$RUNNER_TOKEN' --name '$RUNNER_NAME' --work '$RUNNER_WORK_FOLDER' --labels '$RUNNER_LABELS' --unattended --replace" || true
 
 # Install the runner as a service
 log "Installing runner as a service..."
diff --git a/cicd/github_runner_vm/main.tf b/cicd/github_runner_vm/main.tf
@@ -67,6 +67,27 @@ resource "local_file" "github_runner_private_key" {
   file_permission = "0600"
 }
 
+# Cleanup existing extension before creating new one
+resource "null_resource" "cleanup_extension" {
+  count = var.github_runner_os_type == "linux" ? 1 : 0
+
+  triggers = {
+    always = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      az vm extension delete \
+        --resource-group ${var.resource_group_name} \
+        --vm-name vm-github-runner-${var.unique_id} \
+        --name install-github-runner \
+        2>/dev/null || true
+    EOT
+  }
+
+  depends_on = [azurerm_linux_virtual_machine.github_runner]
+}
+
 # Custom Script Extension to install and configure GitHub Actions Runner
 resource "azurerm_virtual_machine_extension" "github_runner" {
   count                = var.github_runner_os_type == "linux" ? 1 : 0
@@ -90,6 +111,15 @@ resource "azurerm_virtual_machine_extension" "github_runner" {
 
   tags = var.tags
 
-  depends_on = [azurerm_linux_virtual_machine.github_runner]
+  lifecycle {
+    replace_triggered_by = [
+      null_resource.cleanup_extension[0]
+    ]
+  }
+
+  depends_on = [
+    azurerm_linux_virtual_machine.github_runner,
+    null_resource.cleanup_extension
+  ]
 }
 
diff --git a/cicd/network.runner.tf b/cicd/network.runner.tf
@@ -8,6 +8,8 @@ resource "azurerm_subnet" "github_runner" {
   # GitHub runners don't need private endpoint policies
   private_endpoint_network_policies = "Disabled"
 
+  default_outbound_access_enabled = "false"
+
   dynamic "delegation" {
     for_each = var.github_runner_type == "aca" ? [1] : []
     content {
@@ -26,7 +28,7 @@ resource "azurerm_network_security_group" "github_runner" {
   name                = "nsg-github-runner-${random_id.suffix.hex}"
   location            = azurerm_resource_group.tfstate.location
   resource_group_name = azurerm_resource_group.tfstate.name
-  tags                = local.common_tags
+  tags                = var.tags
 
   # VM-specific rules (conditionally added when github_runner_type == "vm")
   # dynamic "security_rule" {
@@ -182,7 +184,7 @@ resource "azurerm_public_ip" "github_runner_nat_ip" {
   resource_group_name = azurerm_resource_group.tfstate.name
   allocation_method   = "Static"
   sku                 = "Standard"
-  tags                = local.common_tags
+  tags                = var.tags
 }
 
 # Create NAT Gateway
@@ -191,7 +193,7 @@ resource "azurerm_nat_gateway" "github_runner" {
   location            = azurerm_resource_group.tfstate.location
   resource_group_name = azurerm_resource_group.tfstate.name
   sku_name            = "Standard"
-  tags                = local.common_tags
+  tags                = var.tags
 }
 
 # Associate Public IP with NAT Gateway
diff --git a/cicd/network.storage.tf b/cicd/network.storage.tf
@@ -10,27 +10,16 @@ resource "azurerm_subnet" "storage" {
 
   # Enable private endpoint network policies
   private_endpoint_network_policies = "Enabled"
+
+  default_outbound_access_enabled = "false"
 }
 
 # Create Network Security Group
 resource "azurerm_network_security_group" "storage" {
   name                = local.nsg_name
   location            = azurerm_resource_group.tfstate.location
   resource_group_name = azurerm_resource_group.tfstate.name
-  tags                = local.common_tags
-
-  # Allow inbound HTTPS traffic within the subnet
-  security_rule {
-    name                       = "AllowHTTPSInbound"
-    priority                   = 100
-    direction                  = "Inbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
-    destination_port_range     = "443"
-    source_address_prefix      = azurerm_subnet.storage.address_prefixes[0]
-    destination_address_prefix = azurerm_subnet.storage.address_prefixes[0]
-  }
+  tags                = var.tags
 
   # Allow outbound HTTPS traffic
   security_rule {
@@ -57,31 +46,6 @@ resource "azurerm_network_security_group" "storage" {
     source_address_prefix      = azurerm_subnet.github_runner.address_prefixes[0]
     destination_address_prefix = azurerm_subnet.storage.address_prefixes[0]
   }
-
-  # Deny all other inbound traffic
-  security_rule {
-    name                       = "DenyAllInbound"
-    priority                   = 4096
-    direction                  = "Inbound"
-    access                     = "Deny"
-    protocol                   = "*"
-    source_port_range          = "*"
-    destination_port_range     = "*"
-    source_address_prefix      = "*"
-    destination_address_prefix = "*"
-  }
-  # Deny all other outbound traffic
-  security_rule {
-    name                       = "DenyAllOutbound"
-    priority                   = 4096
-    direction                  = "Outbound"
-    access                     = "Deny"
-    protocol                   = "*"
-    source_port_range          = "*"
-    destination_port_range     = "*"
-    source_address_prefix      = "*"
-    destination_address_prefix = "*"
-  }
 }
 
 # Associate NSG with Subnet
@@ -94,7 +58,7 @@ resource "azurerm_subnet_network_security_group_association" "storage" {
 resource "azurerm_private_dns_zone" "blob" {
   name                = "privatelink.blob.core.windows.net"
   resource_group_name = azurerm_resource_group.tfstate.name
-  tags                = local.common_tags
+  tags                = var.tags
 }
 
 # Link Private DNS Zone to Virtual Network
@@ -104,7 +68,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "blob" {
   private_dns_zone_name = azurerm_private_dns_zone.blob.name
   virtual_network_id    = azurerm_virtual_network.tfstate.id
   registration_enabled  = false
-  tags                  = local.common_tags
+  tags                  = var.tags
 }
 
 # Create Private Endpoint for Storage Account
@@ -113,7 +77,7 @@ resource "azurerm_private_endpoint" "storage_blob" {
   location            = azurerm_resource_group.tfstate.location
   resource_group_name = azurerm_resource_group.tfstate.name
   subnet_id           = azurerm_subnet.storage.id
-  tags                = local.common_tags
+  tags                = var.tags
 
   private_service_connection {
     name                           = "pe-connection-${random_id.suffix.hex}"
diff --git a/cicd/network.tf b/cicd/network.tf
@@ -4,5 +4,5 @@ resource "azurerm_virtual_network" "tfstate" {
   address_space       = var.network_config.vnet_address_space
   location            = azurerm_resource_group.tfstate.location
   resource_group_name = azurerm_resource_group.tfstate.name
-  tags                = local.common_tags
+  tags                = var.tags
 }
diff --git a/cicd/runner.tf b/cicd/runner.tf
@@ -19,7 +19,7 @@ module "github_runner_vm" {
   github_runner_registration_token = var.github_runner_registration_token
 
   # Tags
-  tags = local.common_tags
+  tags = var.tags
 
   # Ensure NSG is associated to the subnet before provisioning the VM and its extension
   depends_on = [
@@ -47,7 +47,7 @@ module "github_runner_aca_primary" {
 
   # openai_endpoint            = module.azure_open_ai.endpoint
 
-  tags = local.common_tags
+  tags = var.tags
 
   # Ensure NSG is associated to the subnet before provisioning ACA
   depends_on = [
diff --git a/cicd/terraform.tf b/cicd/terraform.tf
@@ -7,7 +7,7 @@ terraform {
     }
     azapi = {
       source  = "Azure/azapi"
-      version = "~> 2.5"
+      version = "~> 2.7.0"
     }
     random = {
       source  = "hashicorp/random"
diff --git a/cicd/tfstate.tf b/cicd/tfstate.tf
@@ -15,19 +15,13 @@ locals {
   subnet_name         = "snet-storage-${random_id.suffix.hex}"
   nsg_name            = "nsg-storage-${random_id.suffix.hex}"
   pe_name             = "pe-storage-${random_id.suffix.hex}"
-
-  common_tags = {
-    Environment = "Production"
-    Purpose     = "TerraformState"
-    CreatedBy   = "Terraform"
-  }
 }
 
 # Create Resource Group
 resource "azurerm_resource_group" "tfstate" {
   name     = local.resource_group_name
   location = local.location
-  tags     = local.common_tags
+  tags     = var.tags
 }
 
 # Create Storage Account with private access only
@@ -72,7 +66,7 @@ resource "azurerm_storage_account" "tfstate" {
     }
   }
 
-  tags = local.common_tags
+  tags = var.tags
 }
 
 # Assign Storage Blob Data Contributor role to current user/service principal
@@ -96,7 +90,7 @@ resource "azurerm_log_analytics_workspace" "storage" {
   resource_group_name = azurerm_resource_group.tfstate.name
   sku                 = "PerGB2018"
   retention_in_days   = 30
-  tags                = local.common_tags
+  tags                = var.tags
 }
 
 # Configure diagnostic settings for storage account blob service
diff --git a/cicd/variables.tf b/cicd/variables.tf
@@ -22,6 +22,16 @@ variable "github_runner_type" {
   }
 }
 
+variable "tags" {
+  description = "A map of tags to assign to resources"
+  type        = map(string)
+  default     = {
+    Environment = "Production"
+    Purpose     = "TerraformState"
+    CreatedBy   = "Terraform"
+  }
+}
+
 # Variables for GitHub Runner VM
 variable "github_runner_config" {
   type = object({
diff --git a/docs/cicd.md b/docs/cicd.md
@@ -13,7 +13,7 @@ All infrastructure for CI/CD lives under `cicd/` and can be customized to meet y
 
 ## Prerequisites
 
-- Working local environment of this template. If you do not have one, Follow the step by step instructions for setting up your [**Local Environment**](./../readme.md).
+- Working local environment of this template. If you do not have one, Follow the step by step instructions for setting up your [**Local Environment**](../README.md#local-environment)
 - An Azure subscription with either User Access Administrator or Owner permissions to create workload identity resources like service principal, and OIDC to be used by the GitHub Actions.
 - GitHub CLI (`gh`) installed and authenticated to trigger the bootstrap workflow from your terminal.
 
diff --git a/infra/main.ai.tf b/infra/main.ai.tf
@@ -74,4 +74,4 @@ resource "azurerm_private_dns_a_record" "aoai_dns_record" {
   ttl                 = 10
   records             = [module.azure_open_ai.private_endpoints["pe_endpoint"].private_service_connection[0].private_ip_address]
   tags                = var.tags
-}
+}
diff --git a/infra/main.network.tf b/infra/main.network.tf
@@ -642,4 +642,3 @@ resource "azurerm_subnet_network_security_group_association" "deployment_script_
   subnet_id                 = azurerm_subnet.deployment_script_container_subnet[0].id
   network_security_group_id = azurerm_network_security_group.deployment_script_nsg[0].id
 }
-
diff --git a/infra/modules/copilot_studio/power_platform_users.tf b/infra/modules/copilot_studio/power_platform_users.tf
@@ -27,19 +27,18 @@ locals {
   missing_roles = [for name in var.pp_environment_user_security_role : name if !contains(keys(local.security_role_id), name)]
 }
 
-# Validation check for missing security roles
-check "security_roles_exist" {
-  assert {
-    condition     = length(local.missing_roles) == 0
-    error_message = "The following security roles were requested but do not exist in the Power Platform environment: ${join(", ", local.missing_roles)}. Available roles are: ${join(", ", keys(local.security_role_id))}"
-  }
-}
-
 # Add non-dataverse user to Power Platform environment
 resource "powerplatform_user" "new_non_dataverse_user" {
   for_each       = length(var.resource_share_user) > 0 ? var.resource_share_user : []
   environment_id = local.power_platform_environment_id
   security_roles = local.security_role_ids
   aad_id         = each.value
-  // disable_delete = false
+  disable_delete = false
+
+  lifecycle {
+    precondition {
+      condition     = length(local.missing_roles) == 0
+      error_message = "The following security roles were requested but do not exist in the Power Platform environment: ${join(", ", local.missing_roles)}. Available roles are: ${join(", ", keys(local.security_role_id))}"
+    }
+  }
 }
diff --git a/infra/modules/copilot_studio/terraform.tf b/infra/modules/copilot_studio/terraform.tf
diff --git a/infra/provider.tf b/infra/provider.tf

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ terraform {`
`7`	`7`	`}`
`8`	`8`	`azapi = {`
`9`	`9`	`source = "Azure/azapi"`
`10`		`- version = "~> 2.5"`
	`10`	`+ version = "~> 2.7.0"`
`11`	`11`	`}`
`12`	`12`	`}`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@ resource "azurerm_virtual_network" "tfstate" {`
`4`	`4`	`address_space = var.network_config.vnet_address_space`
`5`	`5`	`location = azurerm_resource_group.tfstate.location`
`6`	`6`	`resource_group_name = azurerm_resource_group.tfstate.name`
`7`		`- tags = local.common_tags`
	`7`	`+ tags = var.tags`
`8`	`8`	`}`