Deploy-Test-Cleanup Pipeline #505
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy-Test-Cleanup Pipeline | |
| on: | |
| workflow_run: | |
| workflows: ["Build Docker and Optional Push"] | |
| types: | |
| - completed | |
| branches: | |
| - main | |
| - dev | |
| - demo | |
| - vee-pipeline-fixes | |
| schedule: | |
| - cron: '0 5,17 * * *' # Runs at 5:00 AM and 5:00 PM GMT | |
| workflow_dispatch: | |
| env: | |
| GPT_MIN_CAPACITY: 150 | |
| BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| RESOURCE_GROUP_NAME: ${{ steps.check_create_rg.outputs.RESOURCE_GROUP_NAME }} | |
| WEBAPP_URL: ${{ steps.get_output.outputs.WEBAPP_URL }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Setup Azure CLI | |
| run: | | |
| curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash | |
| az --version # Verify installation | |
| - name: Login to Azure | |
| run: | | |
| az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} | |
| - name: Run Quota Check | |
| id: quota-check | |
| run: | | |
| export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }} | |
| export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }} | |
| export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }} | |
| export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" | |
| export GPT_MIN_CAPACITY="${{ env.GPT_MIN_CAPACITY }}" | |
| export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}" | |
| chmod +x scripts/checkquota.sh | |
| if ! scripts/checkquota.sh; then | |
| # If quota check fails due to insufficient quota, set the flag | |
| if grep -q "No region with sufficient quota found" scripts/checkquota.sh; then | |
| echo "QUOTA_FAILED=true" >> $GITHUB_ENV | |
| fi | |
| exit 1 # Fail the pipeline if any other failure occurs | |
| fi | |
| - name: Send Notification on Quota Failure | |
| if: env.QUOTA_FAILED == 'true' | |
| run: | | |
| RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| EMAIL_BODY=$(cat <<EOF | |
| { | |
| "body": "<p>Dear Team,</p><p>The quota check has failed, and the pipeline cannot proceed.</p><p><strong>Build URL:</strong> <a href=\"${RUN_URL}\">${RUN_URL}</a></p><p>Please take necessary action.</p><p>Best regards,<br>Your Automation Team</p>" | |
| } | |
| EOF | |
| ) | |
| curl -X POST "${{ secrets.LOGIC_APP_URL }}" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$EMAIL_BODY" || echo "Failed to send notification" | |
| - name: Fail Pipeline if Quota Check Fails | |
| if: env.QUOTA_FAILED == 'true' | |
| run: exit 1 | |
| - name: Install Bicep CLI | |
| run: az bicep install | |
| - name: Generate Resource Group Name | |
| id: generate_rg_name | |
| run: | | |
| echo "Generating a unique resource group name..." | |
| ACCL_NAME="codemod" | |
| SHORT_UUID=$(uuidgen | cut -d'-' -f1) | |
| UNIQUE_RG_NAME="arg-${ACCL_NAME}-${SHORT_UUID}" | |
| echo "RESOURCE_GROUP_NAME=${UNIQUE_RG_NAME}" >> $GITHUB_ENV | |
| echo "Generated RESOURCE_GROUP_NAME: ${UNIQUE_RG_NAME}" | |
| - name: Check and Create Resource Group | |
| id: check_create_rg | |
| run: | | |
| set -e | |
| echo "Checking if resource group exists..." | |
| rg_exists=$(az group exists --name ${{ env.RESOURCE_GROUP_NAME }}) | |
| if [ "$rg_exists" = "false" ]; then | |
| echo "Resource group does not exist. Creating..." | |
| az group create --name ${{ env.RESOURCE_GROUP_NAME }} --location northcentralus || { echo "Error creating resource group"; exit 1; } | |
| else | |
| echo "Resource group already exists." | |
| fi | |
| echo "RESOURCE_GROUP_NAME=${{ env.RESOURCE_GROUP_NAME }}" >> $GITHUB_OUTPUT | |
| - name: Generate Unique Solution Prefix | |
| id: generate_solution_prefix | |
| run: | | |
| set -e | |
| COMMON_PART="pslcod" | |
| TIMESTAMP=$(date +%s) | |
| UPDATED_TIMESTAMP=$(echo $TIMESTAMP | tail -c 3) | |
| UNIQUE_SOLUTION_PREFIX="${COMMON_PART}${UPDATED_TIMESTAMP}" | |
| echo "SOLUTION_PREFIX=${UNIQUE_SOLUTION_PREFIX}" >> $GITHUB_ENV | |
| echo "Generated SOLUTION_PREFIX: ${UNIQUE_SOLUTION_PREFIX}" | |
| - name: Deploy Bicep Template | |
| id: deploy | |
| run: | | |
| set -e | |
| # set image tag based on branch | |
| if [[ "${{ env.BRANCH_NAME }}" == "main" ]]; then | |
| IMAGE_TAG="latest" | |
| elif [[ "${{ env.BRANCH_NAME }}" == "dev" ]]; then | |
| IMAGE_TAG="dev" | |
| elif [[ "${{ env.BRANCH_NAME }}" == "demo" ]]; then | |
| IMAGE_TAG="demo" | |
| else | |
| IMAGE_TAG="latest" | |
| fi | |
| # Generate current timestamp in desired format: YYYY-MM-DDTHH:MM:SS.SSSSSSSZ | |
| current_date=$(date -u +"%Y-%m-%dT%H:%M:%S.%7NZ") | |
| EFFECTIVE_AI_REGION="${{ env.VALID_REGION }}" | |
| if [ -z "$EFFECTIVE_AI_REGION" ]; then | |
| EFFECTIVE_AI_REGION="eastus" | |
| echo "⚠️ WARNING: VALID_REGION not set, falling back to eastus" | |
| fi | |
| echo "✅ Using AI Deployments Region: $EFFECTIVE_AI_REGION" | |
| az deployment group create \ | |
| --name ${{ env.SOLUTION_PREFIX }}-deployment \ | |
| --resource-group ${{ env.RESOURCE_GROUP_NAME }} \ | |
| --template-file infra/main.bicep \ | |
| --parameters \ | |
| solutionName="${{ env.SOLUTION_PREFIX }}" \ | |
| aiDeploymentsLocation="$EFFECTIVE_AI_REGION" \ | |
| capacity=${{ env.GPT_MIN_CAPACITY }} \ | |
| imageVersion="${IMAGE_TAG}" \ | |
| createdBy="Pipeline" \ | |
| tags="{'SecurityControl':'Ignore','Purpose':'Deploying and Cleaning Up Resources for Validation','CreatedDate':'$current_date'}" | |
| - name: Assign Contributor role to Service Principal | |
| if: always() | |
| run: | | |
| echo "Assigning Contributor role to SPN for RG: ${{ env.RESOURCE_GROUP_NAME }}" | |
| az role assignment create \ | |
| --assignee ${{ secrets.AZURE_CLIENT_ID }} \ | |
| --role "Contributor" \ | |
| --scope /subscriptions/${{ secrets.AZURE_SUBSCRIPTION_ID }}/resourceGroups/${{ env.RESOURCE_GROUP_NAME }} | |
| - name: Get Deployment Output and extract Values | |
| id: get_output | |
| run: | | |
| set -e | |
| echo "Fetching deployment output..." | |
| BICEP_OUTPUT=$(az deployment group show --name ${{ env.SOLUTION_PREFIX }}-deployment --resource-group ${{ env.RESOURCE_GROUP_NAME }} --query "properties.outputs" -o json) | |
| echo "Extracting deployment output..." | |
| WEBAPP_URL=$(echo $BICEP_OUTPUT | jq -r '.weB_APP_URL.value') | |
| echo "WEBAPP_URL=$WEBAPP_URL" >> $GITHUB_OUTPUT | |
| echo "Deployment output: $BICEP_OUTPUT" | |
| - name: Logout from Azure | |
| if: always() | |
| run: | | |
| az logout | |
| echo "Logged out from Azure." | |
| e2e-test: | |
| needs: deploy | |
| uses: ./.github/workflows/test-automation.yml | |
| with: | |
| CODEMOD_WEB_URL: ${{ needs.deploy.outputs.WEBAPP_URL }} | |
| secrets: inherit | |
| cleanup-deployment: | |
| if: always() && needs.deploy.outputs.RESOURCE_GROUP_NAME != '' | |
| needs: [deploy, e2e-test] | |
| runs-on: ubuntu-latest | |
| env: | |
| RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }} | |
| steps: | |
| - name: Setup Azure CLI | |
| run: | | |
| curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash | |
| az --version # Verify installation | |
| - name: Login to Azure | |
| run: | | |
| az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} | |
| - name: Assign Contributor role to Service Principal | |
| if: always() | |
| run: | | |
| echo "Assigning Contributor role to SPN for RG: ${{ env.RESOURCE_GROUP_NAME }}" | |
| az role assignment create \ | |
| --assignee ${{ secrets.AZURE_CLIENT_ID }} \ | |
| --role "Contributor" \ | |
| --scope /subscriptions/${{ secrets.AZURE_SUBSCRIPTION_ID }}/resourceGroups/${{ env.RESOURCE_GROUP_NAME }} | |
| echo "Assigning Log Analytics Contributor role for Log Analytics workspace access at RG level..." | |
| az role assignment create \ | |
| --assignee ${{ secrets.AZURE_CLIENT_ID }} \ | |
| --role "Log Analytics Contributor" \ | |
| --scope /subscriptions/${{ secrets.AZURE_SUBSCRIPTION_ID }}/resourceGroups/${{ env.RESOURCE_GROUP_NAME }} || echo "Log Analytics Contributor role assignment failed (may already exist)" | |
| echo "Waiting for role assignment propagation..." | |
| sleep 30 | |
| - name: Get Log Analytics Workspace and OpenAI from Resource Group | |
| if: always() | |
| id: get_azure_resources | |
| run: | | |
| set -e | |
| echo "Fetching Log Analytics workspace from resource group ${{ env.RESOURCE_GROUP_NAME }}..." | |
| # Run the az monitor log-analytics workspace list command to get the workspace name | |
| log_analytics_workspace_name=$(az monitor log-analytics workspace list --resource-group ${{ env.RESOURCE_GROUP_NAME }} --query "[0].name" -o tsv) | |
| if [ -z "$log_analytics_workspace_name" ]; then | |
| echo "No Log Analytics workspace found in resource group ${{ env.RESOURCE_GROUP_NAME }}." | |
| else | |
| echo "LOG_ANALYTICS_WORKSPACE_NAME=${log_analytics_workspace_name}" >> $GITHUB_ENV | |
| echo "Log Analytics workspace name: ${log_analytics_workspace_name}" | |
| fi | |
| echo "Fetching OpenAI resource from resource group ${{ env.RESOURCE_GROUP_NAME }}..." | |
| # Run the az resource list command to get the OpenAI resource name | |
| openai_resource_name=$(az resource list --resource-group ${{ env.RESOURCE_GROUP_NAME }} --resource-type "Microsoft.CognitiveServices/accounts" --query "[0].name" -o tsv) | |
| if [ -z "$openai_resource_name" ]; then | |
| echo "No OpenAI resource found in resource group ${{ env.RESOURCE_GROUP_NAME }}." | |
| exit 1 | |
| else | |
| echo "OPENAI_RESOURCE_NAME=${openai_resource_name}" >> $GITHUB_ENV | |
| echo "OpenAI resource name: ${openai_resource_name}" | |
| fi | |
| - name: List KeyVaults and Store in Array | |
| if: always() | |
| id: list_keyvaults | |
| run: | | |
| set -e | |
| echo "Listing all KeyVaults in the resource group ${RESOURCE_GROUP_NAME}..." | |
| # Get the list of KeyVaults in the specified resource group | |
| keyvaults=$(az resource list --resource-group ${{ env.RESOURCE_GROUP_NAME }} --query "[?type=='Microsoft.KeyVault/vaults'].name" -o tsv) | |
| if [ -z "$keyvaults" ]; then | |
| echo "No KeyVaults found in resource group ${RESOURCE_GROUP_NAME}." | |
| echo "KEYVAULTS=[]" >> $GITHUB_ENV # If no KeyVaults found, set an empty array | |
| else | |
| echo "KeyVaults found: $keyvaults" | |
| # Format the list into an array with proper formatting (no trailing comma) | |
| keyvault_array="[" | |
| first=true | |
| for kv in $keyvaults; do | |
| if [ "$first" = true ]; then | |
| keyvault_array="$keyvault_array\"$kv\"" | |
| first=false | |
| else | |
| keyvault_array="$keyvault_array,\"$kv\"" | |
| fi | |
| done | |
| keyvault_array="$keyvault_array]" | |
| # Output the formatted array and save it to the environment variable | |
| echo "KEYVAULTS=$keyvault_array" >> $GITHUB_ENV | |
| fi | |
| - name: Delete Bicep Deployment | |
| if: always() | |
| run: | | |
| set -e | |
| echo "Checking if resource group exists..." | |
| rg_exists=$(az group exists --name ${{ env.RESOURCE_GROUP_NAME }}) | |
| if [ "$rg_exists" = "true" ]; then | |
| echo "Resource group exist. Cleaning..." | |
| az group delete \ | |
| --name ${{ env.RESOURCE_GROUP_NAME }} \ | |
| --yes \ | |
| --no-wait | |
| echo "Resource group deleted... ${{ env.RESOURCE_GROUP_NAME }}" | |
| else | |
| echo "Resource group does not exists." | |
| fi | |
| - name: Purge log analytics workspace | |
| if: always() | |
| id: log_analytics_workspace | |
| run: | | |
| set -e | |
| # Purge Log Analytics Workspace | |
| echo "Purging the Log Analytics Workspace..." | |
| if ! az monitor log-analytics workspace delete --force --resource-group ${{ env.RESOURCE_GROUP_NAME }} --workspace-name ${{ env.LOG_ANALYTICS_WORKSPACE_NAME }} --yes --verbose; then | |
| echo "Failed to purge Log Analytics workspace: ${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}" | |
| else | |
| echo "Purged the Log Analytics workspace: ${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}" | |
| fi | |
| echo "Log analytics workspace resource purging completed successfully" | |
| - name: Wait for resource deletion to complete | |
| if: always() | |
| run: | | |
| # List of keyvaults | |
| KEYVAULTS="${{ env.KEYVAULTS }}" | |
| # Remove the surrounding square brackets, if they exist | |
| stripped_keyvaults=$(echo "$KEYVAULTS" | sed 's/\[\|\]//g') | |
| # Convert the comma-separated string into an array | |
| IFS=',' read -r -a resources_to_check <<< "$stripped_keyvaults" | |
| # Append new resources to the array | |
| resources_to_check+=("${{ env.LOG_ANALYTICS_WORKSPACE_NAME }}" "${{ env.OPENAI_RESOURCE_NAME }}") | |
| echo "List of resources to check: ${resources_to_check[@]}" | |
| # Maximum number of retries | |
| max_retries=3 | |
| # Retry intervals in seconds (30, 60, 120) | |
| retry_intervals=(30 60 120) | |
| # Retry mechanism to check resources | |
| retries=0 | |
| while true; do | |
| resource_found=false | |
| # Get the list of resources in YAML format again on each retry | |
| resource_list=$(az resource list --resource-group ${{ env.RESOURCE_GROUP_NAME }} --output yaml) | |
| # Iterate through the resources to check | |
| for resource in "${resources_to_check[@]}"; do | |
| echo "Checking resource: $resource" | |
| if echo "$resource_list" | grep -q "name: $resource"; then | |
| echo "Resource '$resource' exists in the resource group." | |
| resource_found=true | |
| else | |
| echo "Resource '$resource' does not exist in the resource group." | |
| fi | |
| done | |
| # If any resource exists, retry | |
| if [ "$resource_found" = true ]; then | |
| retries=$((retries + 1)) | |
| if [ "$retries" -gt "$max_retries" ]; then | |
| echo "Maximum retry attempts reached. Exiting." | |
| break | |
| else | |
| # Wait for the appropriate interval for the current retry | |
| echo "Waiting for ${retry_intervals[$retries-1]} seconds before retrying..." | |
| sleep ${retry_intervals[$retries-1]} | |
| fi | |
| else | |
| echo "No resources found. Exiting." | |
| break | |
| fi | |
| done | |
| - name: Purging the Resources | |
| if: always() | |
| run: | | |
| set -e | |
| echo "Azure OpenAI: ${{ env.OPENAI_RESOURCE_NAME }}" | |
| # Purge OpenAI Resource | |
| echo "Purging the OpenAI Resource..." | |
| if ! az resource delete --ids /subscriptions/${{ secrets.AZURE_SUBSCRIPTION_ID }}/providers/Microsoft.CognitiveServices/locations/northcentralus/resourceGroups/${{ env.RESOURCE_GROUP_NAME }}/deletedAccounts/${{ env.OPENAI_RESOURCE_NAME }} --verbose; then | |
| echo "Failed to purge openai resource: ${{ env.OPENAI_RESOURCE_NAME }}" | |
| else | |
| echo "Purged the openai resource: ${{ env.OPENAI_RESOURCE_NAME }}" | |
| fi | |
| # List of keyvaults | |
| KEYVAULTS="${{ env.KEYVAULTS }}" | |
| # Remove the surrounding square brackets, if they exist | |
| stripped_keyvaults=$(echo "$KEYVAULTS" | sed 's/\[\|\]//g') | |
| # Convert the comma-separated string into an array | |
| IFS=',' read -r -a keyvault_array <<< "$stripped_keyvaults" | |
| echo "Using KeyVaults Array..." | |
| for keyvault_name in "${keyvault_array[@]}"; do | |
| echo "Processing KeyVault: $keyvault_name" | |
| # Check if the KeyVault is soft-deleted | |
| deleted_vaults=$(az keyvault list-deleted --query "[?name=='$keyvault_name']" -o json --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}) | |
| # If the KeyVault is found in the soft-deleted state, purge it | |
| if [ "$(echo "$deleted_vaults" | jq length)" -gt 0 ]; then | |
| echo "KeyVault '$keyvault_name' is soft-deleted. Proceeding to purge..." | |
| # Purge the KeyVault | |
| if az keyvault purge --name "$keyvault_name" --no-wait; then | |
| echo "Successfully purged KeyVault '$keyvault_name'." | |
| else | |
| echo "Failed to purge KeyVault '$keyvault_name'." | |
| fi | |
| else | |
| echo "KeyVault '$keyvault_name' is not soft-deleted. No action taken." | |
| fi | |
| done | |
| echo "Resource purging completed successfully" | |
| - name: Send Notification on Failure | |
| if: failure() || needs.deploy.result == 'failure' | |
| run: | | |
| RUN_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| EMAIL_BODY=$(cat <<EOF | |
| { | |
| "body": "<p>Dear Team,</p><p>We would like to inform you that the DocGen Deployment Automation process has encountered an issue and has failed to complete successfully.</p><p><strong>Build URL:</strong> <a href=\"${RUN_URL}\">${RUN_URL}</a><br></p><p>Please investigate the matter at your earliest convenience.</p><p>Best regards,<br>Your Automation Team</p>" | |
| } | |
| EOF | |
| ) | |
| curl -X POST "${{ secrets.LOGIC_APP_URL }}" \ | |
| -H "Content-Type: application/json" \ | |
| -d "$EMAIL_BODY" || echo "Failed to send notification" | |
| - name: Logout from Azure | |
| if: always() | |
| run: | | |
| az logout | |
| echo "Logged out from Azure." |