Use deployment slots for TI (#1264)

* Use deployment slots for TI * turn on platform logs --------- Co-authored-by: jherrflexion <[email protected]> Co-authored-by: jcrichlake <[email protected]> Co-authored-by: halprin <[email protected]> Co-authored-by: Bella L. Quintero <[email protected]> Co-authored-by: Samuel Aquino <[email protected]>
CDCgov · Aug 27, 2024 · b0ef2d6 · b0ef2d6
1 parent a8dd8a1
commit b0ef2d6
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 1 deletion.
diff --git a/.github/workflows/deploy_reusable.yml b/.github/workflows/deploy_reusable.yml
@@ -113,9 +113,15 @@ jobs:
       uses: azure/webapps-deploy@v3
       with:
         app-name: ${{ inputs.APP }}
-        slot-name: production
+        slot-name: pre-live
         images: '${{ inputs.REGISTRY }}/${{ inputs.REPO }}:${{ github.sha }}'
 
+    - name: Azure Swap Slots
+      uses: azure/CLI@v2
+      with:
+        inlineScript: |
+          az webapp deployment slot swap -n ${{ inputs.APP }} --slot pre-live --resource-group csels-rsti-${{ inputs.ENVIRONMENT }}${{ github.event.number }}-moderate-rg
+
     - name: Retrieve registry password
       id: retrieve-registry-password
       uses: azure/CLI@v2

diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -100,6 +100,8 @@ resource "azurerm_linux_web_app" "api" {
     }
   }
 
+  #   When adding new settings that are needed for the live app but shouldn't be used in the pre-live
+  #   slot, add them to `sticky_settings` as well as `app_settings` for the main app resource
   app_settings = {
     DOCKER_REGISTRY_SERVER_URL    = "https://${azurerm_container_registry.registry.login_server}"
     ENV                           = var.environment
@@ -115,6 +117,11 @@ resource "azurerm_linux_web_app" "api" {
     DB_MAX_LIFETIME               = "3480000" # 58 minutes
   }
 
+  sticky_settings {
+    app_setting_names = ["REPORT_STREAM_URL_PREFIX", "KEY_VAULT_NAME", "STORAGE_ACCOUNT_BLOB_ENDPOINT",
+    "METADATA_CONTAINER_NAME", "DB_URL", "DB_PORT", "DB_NAME", "DB_USER", "DB_SSL", "DB_MAX_LIFETIME"]
+  }
+
   identity {
     type = "SystemAssigned"
   }
@@ -138,6 +145,61 @@ resource "azurerm_linux_web_app" "api" {
   }
 }
 
+resource "azurerm_linux_web_app_slot" "pre_live" {
+  name           = "pre-live"
+  app_service_id = azurerm_linux_web_app.api.id
+
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags because the CDC sets these automagically
+      tags,
+    ]
+  }
+
+  https_only = true
+
+  virtual_network_subnet_id = local.cdc_domain_environment ? azurerm_subnet.app.id : null
+
+  site_config {
+    health_check_path                 = "/health"
+    health_check_eviction_time_in_min = 5
+
+    scm_use_main_ip_restriction = local.cdc_domain_environment ? true : null
+
+    dynamic "ip_restriction" {
+      for_each = local.cdc_domain_environment ? [1] : []
+
+      content {
+        name       = "deny_all_ipv4"
+        action     = "Deny"
+        ip_address = "0.0.0.0/0"
+        priority   = "200"
+      }
+    }
+
+    dynamic "ip_restriction" {
+      for_each = local.cdc_domain_environment ? [1] : []
+
+      content {
+        name       = "deny_all_ipv6"
+        action     = "Deny"
+        ip_address = "::/0"
+        priority   = "201"
+      }
+    }
+  }
+
+  app_settings = {
+    DOCKER_REGISTRY_SERVER_URL = "https://${azurerm_container_registry.registry.login_server}"
+
+    ENV = var.environment
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
 resource "azurerm_monitor_autoscale_setting" "api_autoscale" {
   name                = "api_autoscale"
   resource_group_name = data.azurerm_resource_group.group.name

diff --git a/operations/template/logs.tf b/operations/template/logs.tf
@@ -83,4 +83,28 @@ resource "azurerm_monitor_diagnostic_setting" "app_to_logs" {
   enabled_log {
     category = "AppServiceHTTPLogs"
   }
+  enabled_log {
+    category = "AppServicePlatformLogs"
+  }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "prelive_slot_to_logs" {
+  name                       = "ti-prelive-slot-to-logs-${var.environment}"
+  target_resource_id         = azurerm_linux_web_app_slot.pre_live.id
+  log_analytics_workspace_id = azurerm_log_analytics_workspace.logs_workspace.id
+
+  log_analytics_destination_type = "Dedicated"
+
+  enabled_log {
+    category = "AppServiceConsoleLogs"
+  }
+  enabled_log {
+    category = "AppServiceAppLogs"
+  }
+  enabled_log {
+    category = "AppServiceHTTPLogs"
+  }
+  enabled_log {
+    category = "AppServicePlatformLogs"
+  }
 }