The deployments to all environments share the same and simplified workflow. The deployment to review app (via Pull Request), qa, staging and production go through the CI/CD pipeline.
Once the PR has been merged to main or a deploy tag applied to Review app, the GitHub actions workflow build_and_deploy.yml performs these steps:
- Builds and tags a Docker image from code in the
main(staging, prod and qa) orreview appbranch - Tags the Docker image with the commit SHA as the tag
- Logs in to Github's container registry as the service account
twd-tv-ci - Pushes the image to GitHub packages, after it has been scanned by
Snykfor vulnerabilities - Calls the deploy_app.yml workflow to use Terraform to update the
webandworkerapps to use the new Docker image, and apply any changes to the appropriate environment. - Runs a smoke test against the deployed environment
- If deployment (push) is to the main branch, performs
Post Deployment - Sends a Slack notification to the
#twd_tv_devchannel - success or failure.
Perform the following to trigger a deployment a review app
- Push to a feature branch.
- Create a Pull Request.
- attach a
deploylabel - Docker image and tag used to deploy the
review appis based on the review app'sbranchandshae.g teva-1234:commit_sha
By default, review apps use a simple postgis container deployed to AKS, as opposed to real Azure database flexible servers as it's cheaper and much faster to deploy.
To use the Azure database temporarily in a review app, you can change the following parameters to true in terraform/workspace-variables/review.tfvars.json on the branch (do not commit this hange to main, remove it before merging):
"deploy_azure_backing_services": true,
"enable_postgres_ssl": true,
"add_database_name_suffix": true,When there are multiple merges, this could lead to race conditions. To mitigate this, the turnstyle action prevents two or more instances of the same workflow from running concurrently.
Furthermore, to help with workflow code reuse, we trigger a separate deployment workflow via the workflow_dispatch action. We must pass the ref (branch) or pull request ref to locate the workflow.
To block the calling workflow until the triggered workflow is completed, we use action-wait-for-check. This checks and waits on a sha (commit) instead of ref (branch), which is a moving target.
Refresh the cached ghcr.io/dfe-digital/teaching-vacancies:main image on Github packages. In case the build workflow fails at the Scan ghcr.io/dfe-digital/teaching-vacancies:main image stage, it may be that a fix is available but our cache is stale; with the vulnerable dependency. In this case use the rebuild_docker_cache_workflow to refresh the cache with updated packages. The rebuild_docker_cache_workflow is scheduled on a weekly run (12 noon on Sundays) and can also be triggered manaully via workflow dispatch.
If no docker image tag is specified, the makefile defaults to using the main tag - as specified in the makfile's terraform-app-init: target
If you need to deploy a particular image to an environment, including in a rollback situation, this is possible with the deploy_app_via_workflow_dispatch.yml workflow.
You will need to know the tag of the Docker image you wish to use. Go to the Github packages
E.g. image tag 2641bebaf22ad96be543789693e015922e4514c4 is built from commit 2641bebaf22ad96be543789693e015922e4514c4
Go to the Deploy App via workflow Dispatch workflow. Click "Run workflow", and choose:
- Use workflow from
Branch: main - Environment: e.g.
production(orstaging,qa) - Docker tag: e.g.
2641bebaf22ad96be543789693e015922e4514c41
The review apps lifecycle will be handled via GitHub Actions:
- destruction via the delete_review_app.yml workflow on PR close
This workflow can be triggered manually, passing the PR number corresponding to the review app to remove.
Sometimes, the delete_review_app.yml workflow errors as the review app wasn't healthy/accesible and failed the initial "is this review app running?" check.
The kubernetes pods and other AKS resources (DB, Redis instances...) may still be running but orphaned once the PR is closed and the deletion job fails.
In those cases, we will need to manually delete the review app by:
- Deleting the review app kubernetes deployment through
kubectl. - Deleting the review app Azure resources through the Azure Portal page.
- Login in the azure tenant and get credentials for the AKS testing subscription.
- Identify the review app we want to delete, by listing the current deployments:
In this example, we identify
kubectl -n tv-development get deployments
teaching-vacancies-review-pr-6488as the review app that needs to be removed. - Delete the web app deployment with
kubectl:kubectl -n tv-development delete deployment teaching-vacancies-review-pr-6488
- Delete the worker deployment with
kubectl:kubectl -n tv-development delete deployment teaching-vacancies-review-pr-6488-worker
- On the Azure Portal, go to the
Resource Groupssection. - Click on the the
s189t01-tv-rv-rgresource group (review resource group), under thes189-teacher-services-cloud-testsubscription - In the filter field, introduce the number of the review app you're deleting, to find all its associated resources. In our example it will be
6488.- Example of the filtered resources we will find:
Name Type s189t01-tv-review-pr-6488-redis-cache Azure Cache for Redis s189t01-tv-review-pr-6488-redis-cache-pe Private endpoint s189t01-tv-review-pr-6488-redis-cache-pe.nic.ae0700e4-b326-43cd-aab5-b65da2c4ebfe Network Interface s189t01-tv-review-pr-6488-redis-queue Azure Cache for Redis s189t01-tv-review-pr-6488-redis-queue-pe Private endpoint s189t01-tv-review-pr-6488-redis-queue-pe.nic.fb886c94-78c0-42d1-8132-4f82d59bfaa3 Network Interface s189t01-tv-rv-pg-review-pr-6488 Azure Database for PostgreSQL flexible server
- Example of the filtered resources we will find:
- Select all the resources associated with the Review App you are deleting.
- On the top menu, click on the bin icon with the Delete action.
- Do not click on the
Delete resource group, as this would delete all the resources for all the running review apps.
- Do not click on the
- Review the resources that are going to be deleted and confirm the deletion.
- You will see the resources progressively dissapearing from the list as the deletion gets processed.