Enterprise Security Infrastructure for Azure OpenAI Workshop #61
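# NOTE(review): the hosting page flagged "hidden or bidirectional Unicode text" in
# this file. Confirm in a raw/hex view that the workflow contains only the
# characters shown here before trusting it in CI.
name: Orchestrate Full Deployment

on:
  workflow_dispatch:
    inputs:
      target_env:
        type: choice
        description: Environment to deploy
        # NOTE(review): the branch mapping in preflight resolves to
        # dev/integration/prod, while this list offers "test" — confirm the
        # reusable workflows accept both names.
        options: [dev, test, prod]
        required: true
  # NOTE(review): a pull_request targeting main resolves to the "prod"
  # environment, so unmerged PR code is deployed to prod before review
  # completes. Consider limiting prod to push/workflow_dispatch, or protecting
  # the prod environment with required reviewers.
  pull_request:
    branches:
      - main
      - int-agentic
  push:
    branches:
      - tjs-infra-as-code

# Least privilege: only the OIDC token is writable; repository contents are
# read-only for every job (reusable workflows inherit these).
permissions:
  contents: read
  id-token: write

jobs:
  # Step 0: resolve the target environment ONCE, log in, and open the Terraform
  # state account for this run. Downstream jobs read
  # needs.preflight.outputs.environment instead of repeating the expression.
  preflight:
    runs-on: ubuntu-latest
    # environment: removed to use repo-level variables
    outputs:
      environment: ${{ steps.resolve-env.outputs.environment }}
    steps:
      - name: Resolve target environment
        id: resolve-env
        env:
          # Precedence: explicit dispatch input > PR base branch > pushed
          # branch > 'dev'. Lines are kept at one indent so the folded scalar
          # collapses to a single-line expression.
          TARGET_ENV: >-
            ${{
            inputs.target_env
            || (github.event_name == 'pull_request' && (
            github.base_ref == 'tjs-infra-as-code' && 'dev'
            || github.base_ref == 'int-agentic' && 'integration'
            || github.base_ref == 'main' && 'prod'
            ))
            || (github.ref_name == 'tjs-infra-as-code' && 'dev')
            || (github.ref_name == 'int-agentic' && 'integration')
            || (github.ref_name == 'main' && 'prod')
            || 'dev'
            }}
        run: |
          echo "Resolved target environment: ${TARGET_ENV}"
          echo "environment=${TARGET_ENV}" >> "$GITHUB_OUTPUT"

      - name: Azure OIDC Login
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Open Terraform state storage account for this run
        # Values reach the shell via env rather than inline ${{ }} expansion so
        # the script never contains an unquoted interpolated value.
        env:
          TFSTATE_RG: ${{ vars.TFSTATE_RG }}
          TFSTATE_ACCOUNT: ${{ vars.TFSTATE_ACCOUNT }}
        run: |
          echo "Full orchestrated run through. Should add unit testing and validation here later."
          echo "MCAPS sub disables storage account networking, run a command to ensure the account is reachable."
          # NOTE(review): this exposes the Terraform state account (state files
          # commonly contain secrets) to all networks for the duration of the
          # run; the postflight job re-locks it once every job has finished.
          az storage account update --resource-group "$TFSTATE_RG" --name "$TFSTATE_ACCOUNT" --default-action Allow
          az storage account update --resource-group "$TFSTATE_RG" --name "$TFSTATE_ACCOUNT" --public-network-access Enabled

  # Step 1: Deploy infrastructure FIRST (creates ACR, Container Apps, etc.)
  deploy-infrastructure:
    needs: preflight
    uses: ./.github/workflows/infrastructure.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
    secrets: inherit

  # Step 2: Build containers AFTER infrastructure exists (ACR is now available).
  # preflight is listed explicitly because the needs context only exposes
  # direct dependencies.
  build-application-container:
    needs: [preflight, deploy-infrastructure]
    uses: ./.github/workflows/docker-application.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
    secrets: inherit

  build-mcp-container:
    needs: [preflight, deploy-infrastructure]
    uses: ./.github/workflows/docker-mcp.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
    secrets: inherit

  # Step 3: Update Container Apps with new images after builds complete.
  # Runs when at least one image built (presumably so one failed build does not
  # block the other); !cancelled() replaces always() so a cancelled run does not
  # keep deploying.
  update-containers:
    needs: [preflight, build-application-container, build-mcp-container]
    if: ${{ !cancelled() && (needs.build-application-container.result == 'success' || needs.build-mcp-container.result == 'success') }}
    uses: ./.github/workflows/update-containers.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
    secrets: inherit

  # Step 4: Run integration tests AFTER containers are deployed and running
  integration-tests:
    needs: [preflight, deploy-infrastructure, update-containers]
    if: ${{ !cancelled() && needs.update-containers.result == 'success' }}
    uses: ./.github/workflows/integration-tests.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
      backend_endpoint: ${{ needs.deploy-infrastructure.outputs.backend_endpoint }}
      mcp_endpoint: ${{ needs.deploy-infrastructure.outputs.mcp_endpoint }}
      mcp_internal_only: true
    secrets: inherit

  # Optional: Destroy infrastructure (only for test branches). Gated on the
  # environment that was actually deployed, so nothing but 'dev' is ever torn
  # down by this workflow.
  destroy-infrastructure:
    needs: [preflight, integration-tests]
    if: ${{ !cancelled() && needs.preflight.outputs.environment == 'dev' && needs.integration-tests.result == 'success' }}
    uses: ./.github/workflows/destroy.yml
    with:
      environment: ${{ needs.preflight.outputs.environment }}
    secrets: inherit

  # Step 5: re-lock the Terraform state storage account whatever happened above.
  # always() is intentional here: cleanup must run after failures and cancels.
  # This restores the state the preflight step overrode; adjust if out-of-band
  # access to the state account is required between runs.
  postflight:
    runs-on: ubuntu-latest
    needs:
      - preflight
      - deploy-infrastructure
      - build-application-container
      - build-mcp-container
      - update-containers
      - integration-tests
      - destroy-infrastructure
    if: always()
    steps:
      - name: Azure OIDC Login
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Re-lock Terraform state storage account
        env:
          TFSTATE_RG: ${{ vars.TFSTATE_RG }}
          TFSTATE_ACCOUNT: ${{ vars.TFSTATE_ACCOUNT }}
        run: |
          az storage account update --resource-group "$TFSTATE_RG" --name "$TFSTATE_ACCOUNT" --default-action Deny
          az storage account update --resource-group "$TFSTATE_RG" --name "$TFSTATE_ACCOUNT" --public-network-access Disabled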