Add Terraform configuration and Azure deployment workflow for Pets Workshop

Author: scubaninja

.github/workflows/azure-deploy.yml

@@ -0,0 +1,189 @@
+name: Deploy Pets Workshop to Azure
+
+on:
+  push:
+    branches: [ main, msignite-25 ]
+    paths:
+      - 'terraform/**'
+      - 'server/**'
+      - 'client/**'
+      - '.github/workflows/azure-deploy.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'terraform/**'
+      - 'server/**'
+      - 'client/**'
+  workflow_dispatch:
+    inputs:
+      terraform_action:
+        description: 'Terraform action to perform'
+        required: true
+        default: 'plan'
+        type: choice
+        options:
+        - plan
+        - apply
+        - destroy
+
+env:
+  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+  ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  TF_VAR_sql_admin_password: ${{ secrets.SQL_ADMIN_PASSWORD }}
+
+jobs:
+  terraform:
+    name: 'Terraform Infrastructure'
+    runs-on: ubuntu-latest
+    environment: production
+    
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform
+
+    outputs:
+      backend_app_name: ${{ steps.terraform_output.outputs.backend_app_name }}
+      frontend_deployment_token: ${{ steps.terraform_output.outputs.frontend_deployment_token }}
+      resource_group_name: ${{ steps.terraform_output.outputs.resource_group_name }}
+      static_web_app_name: ${{ steps.terraform_output.outputs.static_web_app_name }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.6.0
+        terraform_wrapper: false
+
+    - name: Terraform Init
+      run: terraform init
+
+    - name: Terraform Format Check
+      run: terraform fmt -check
+
+    - name: Terraform Validate
+      run: terraform validate
+
+    - name: Terraform Plan
+      if: github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'plan')
+      run: terraform plan -no-color
+      continue-on-error: true
+
+    - name: Terraform Plan Status
+      if: github.event_name == 'pull_request' && steps.plan.outcome == 'failure'
+      run: exit 1
+
+    - name: Terraform Apply
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'apply')
+      run: terraform apply -auto-approve
+
+    - name: Terraform Destroy
+      if: github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'destroy'
+      run: terraform destroy -auto-approve
+
+    - name: Terraform Output
+      if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'apply')
+      id: terraform_output
+      run: |
+        echo "backend_app_name=$(terraform output -raw backend_app_service_name)" >> $GITHUB_OUTPUT
+        echo "frontend_deployment_token=$(terraform output -raw frontend_deployment_token)" >> $GITHUB_OUTPUT
+        echo "resource_group_name=$(terraform output -raw resource_group_name)" >> $GITHUB_OUTPUT
+        echo "static_web_app_name=$(terraform output -raw frontend_static_web_app_name)" >> $GITHUB_OUTPUT
+
+  deploy_backend:
+    name: 'Deploy Flask Backend'
+    runs-on: ubuntu-latest
+    needs: terraform
+    if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'apply')
+    
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      working-directory: ./server
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+
+    - name: Login to Azure
+      uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+    - name: Deploy to Azure Web App
+      uses: azure/webapps-deploy@v2
+      with:
+        app-name: ${{ needs.terraform.outputs.backend_app_name }}
+        package: ./server
+        startup-command: 'gunicorn --bind=0.0.0.0 --timeout 600 app:app'
+
+  deploy_frontend:
+    name: 'Deploy Astro Frontend'
+    runs-on: ubuntu-latest
+    needs: terraform
+    if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'apply')
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '18'
+        cache: 'npm'
+        cache-dependency-path: './client/package-lock.json'
+
+    - name: Install dependencies
+      working-directory: ./client
+      run: npm ci
+
+    - name: Build Astro app
+      working-directory: ./client
+      run: npm run build
+      env:
+        # Update API endpoint to point to Azure App Service
+        VITE_API_URL: https://${{ needs.terraform.outputs.backend_app_name }}.azurewebsites.net
+
+    - name: Deploy to Static Web App
+      uses: Azure/static-web-apps-deploy@v1
+      with:
+        azure_static_web_apps_api_token: ${{ needs.terraform.outputs.frontend_deployment_token }}
+        repo_token: ${{ secrets.GITHUB_TOKEN }}
+        action: 'upload'
+        app_location: '/client'
+        api_location: ''
+        output_location: 'dist'
+
+  database_setup:
+    name: 'Setup Database'
+    runs-on: ubuntu-latest
+    needs: terraform
+    if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || (github.event_name == 'workflow_dispatch' && inputs.terraform_action == 'apply')
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Login to Azure
+      uses: azure/login@v1
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+    - name: Setup Database Schema
+      run: |
+        # Note: Add your database migration/setup commands here
+        echo "Database setup would go here"
+        echo "You may want to run SQL scripts to create tables and seed data"
+        # Example: sqlcmd -S $SQL_SERVER -d $SQL_DATABASE -U $SQL_USER -P $SQL_PASSWORD -i ./database/schema.sql

content/ignite/infra/terraform/main.tf

@@ -0,0 +1,200 @@
+# Main Terraform configuration for Pets Workshop Azure deployment
+
+# Generate random string for unique naming
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+
+# Get current user context for Key Vault access policy
+data "azurerm_client_config" "current" {}
+
+# Resource Group
+resource "azurerm_resource_group" "main" {
+  name     = "${var.resource_prefix}-rg-${random_string.suffix.result}"
+  location = var.location
+
+  tags = var.tags
+}
+
+# Application Insights for monitoring
+resource "azurerm_application_insights" "main" {
+  name                = "${var.resource_prefix}-ai-${random_string.suffix.result}"
+  location            = azurerm_resource_group.main.location
+  resource_group_name = azurerm_resource_group.main.name
+  application_type    = "web"
+
+  tags = var.tags
+}
+
+# Key Vault for storing secrets
+resource "azurerm_key_vault" "main" {
+  name                = "${var.resource_prefix}-kv-${random_string.suffix.result}"
+  location            = azurerm_resource_group.main.location
+  resource_group_name = azurerm_resource_group.main.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+
+  # Enable soft delete and purge protection
+  soft_delete_retention_days = 7
+  purge_protection_enabled   = false
+
+  # Network access
+  network_acls {
+    default_action = "Allow"
+    bypass         = "AzureServices"
+  }
+
+  tags = var.tags
+}
+
+# Key Vault access policy for current user
+resource "azurerm_key_vault_access_policy" "current_user" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  secret_permissions = [
+    "Get",
+    "List",
+    "Set",
+    "Delete",
+    "Recover",
+    "Backup",
+    "Restore"
+  ]
+}
+
+# SQL Server
+resource "azurerm_mssql_server" "main" {
+  name                         = "${var.resource_prefix}-sql-${random_string.suffix.result}"
+  resource_group_name          = azurerm_resource_group.main.name
+  location                     = azurerm_resource_group.main.location
+  version                      = "12.0"
+  administrator_login          = var.sql_admin_username
+  administrator_login_password = var.sql_admin_password
+
+  # Security configurations
+  minimum_tls_version = "1.2"
+
+  azuread_administrator {
+    login_username = var.sql_admin_username
+    object_id      = data.azurerm_client_config.current.object_id
+  }
+
+  tags = var.tags
+}
+
+# SQL Database
+resource "azurerm_mssql_database" "main" {
+  name           = "${var.resource_prefix}-sqldb-${random_string.suffix.result}"
+  server_id      = azurerm_mssql_server.main.id
+  collation      = "SQL_Latin1_General_CP1_CI_AS"
+  license_type   = "LicenseIncluded"
+  max_size_gb    = 2
+  sku_name       = var.sql_database_sku
+  zone_redundant = false
+
+  tags = var.tags
+}
+
+# SQL Server firewall rule to allow Azure services
+resource "azurerm_mssql_firewall_rule" "allow_azure_services" {
+  name             = "AllowAzureServices"
+  server_id        = azurerm_mssql_server.main.id
+  start_ip_address = "0.0.0.0"
+  end_ip_address   = "0.0.0.0"
+}
+
+# Store database connection string in Key Vault
+resource "azurerm_key_vault_secret" "database_connection_string" {
+  name         = "database-connection-string"
+  value        = "mssql+pyodbc://${var.sql_admin_username}:${var.sql_admin_password}@${azurerm_mssql_server.main.fully_qualified_domain_name}:1433/${azurerm_mssql_database.main.name}?driver=ODBC+Driver+17+for+SQL+Server"
+  key_vault_id = azurerm_key_vault.main.id
+
+  depends_on = [azurerm_key_vault_access_policy.current_user]
+}
+
+# App Service Plan for Flask backend
+resource "azurerm_service_plan" "main" {
+  name                = "${var.resource_prefix}-asp-${random_string.suffix.result}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  os_type             = "Linux"
+  sku_name            = var.app_service_sku
+
+  tags = var.tags
+}
+
+# App Service for Flask backend
+resource "azurerm_linux_web_app" "backend" {
+  name                = "${var.resource_prefix}-backend-${random_string.suffix.result}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_service_plan.main.location
+  service_plan_id     = azurerm_service_plan.main.id
+
+  site_config {
+    application_stack {
+      python_version = "3.11"
+    }
+
+    # Enable CORS for frontend
+    cors {
+      allowed_origins = ["*"] # In production, specify your frontend domain
+      support_credentials = false
+    }
+
+    # Health check
+    health_check_path = "/api/dogs"
+  }
+
+  # Application settings
+  app_settings = {
+    "APPLICATIONINSIGHTS_CONNECTION_STRING" = azurerm_application_insights.main.connection_string
+    "SCM_DO_BUILD_DURING_DEPLOYMENT"       = "true"
+    "ENABLE_ORYX_BUILD"                    = "true"
+    "WEBSITES_ENABLE_APP_SERVICE_STORAGE"  = "false"
+    
+    # Database configuration will be set via Key Vault reference
+    "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.database_connection_string.id})" = "DATABASE_URL"
+  }
+
+  # Identity for Key Vault access
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = var.tags
+}
+
+# Key Vault access policy for App Service managed identity
+resource "azurerm_key_vault_access_policy" "app_service" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = azurerm_linux_web_app.backend.identity[0].tenant_id
+  object_id    = azurerm_linux_web_app.backend.identity[0].principal_id
+
+  secret_permissions = [
+    "Get",
+    "List"
+  ]
+}
+
+# Static Web App for frontend
+resource "azurerm_static_web_app" "frontend" {
+  name                = "${var.resource_prefix}-swa-${random_string.suffix.result}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.static_web_app_location
+  sku_tier            = var.static_web_app_sku
+  sku_size            = var.static_web_app_sku
+
+  tags = var.tags
+}
+
+# Static Web App custom domain (optional)
+# Uncomment and configure if you have a custom domain
+# resource "azurerm_static_web_app_custom_domain" "frontend" {
+#   static_web_app_id = azurerm_static_web_app.frontend.id
+#   domain_name       = var.custom_domain
+#   validation_type   = "cname-delegation"
+# }