deploy stage added

Author: deviant101

.github/workflows/devsecops-pipeline.yml

@@ -338,56 +338,78 @@ jobs:
         if: always()
         run: docker stop solar-system-app && docker rm solar-system-app
 
-  # Stage 11: Deploy to Azure VM
-  # deploy-azure:
-  #   name: Deploy to Azure VM
-  #   runs-on: ubuntu-latest
-  #   needs: [container-scan, dast-zap]
-  #   if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
-  #   permissions:
-  #     contents: read
-  #     packages: read
-  #   environment:
-  #     name: production
-  #     url: http://${{ secrets.AZURE_VM_IP }}:3000
+  # Stage 11: Deploy Infrastructure and Application to Azure
+  deploy-azure:
+    name: Deploy to Azure Web App
+    runs-on: ubuntu-latest
+    needs: [container-scan, dast-zap]
+    if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master'
+    permissions:
+      contents: read
+      packages: read
+    environment:
+      name: production
+      url: https://${{ secrets.AZURE_WEBAPP_NAME }}.azurewebsites.net
 
-  #   steps:
-  #     - name: Deploy on Azure VM
-  #       uses: appleboy/ssh-action@master
-  #       with:
-  #         host: ${{ secrets.AZURE_VM_IP }}
-  #         username: ${{ secrets.AZURE_VM_USERNAME }}
-  #         key: ${{ secrets.AZURE_VM_SSH_KEY }}
-  #         script: |
-  #           # Log in to GitHub Container Registry
-  #           echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-            
-  #           # Pull the latest image
-  #           docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.sha }}
-            
-  #           # Stop and remove old container if exists
-  #           docker stop solar-system || true
-  #           docker rm solar-system || true
-            
-  #           # Run new container
-  #           docker run -d --name solar-system \
-  #             -p 3000:3000 \
-  #             --restart unless-stopped \
-  #             -e MONGO_URI="${{ secrets.MONGO_URI }}" \
-  #             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.sha }}
-            
-  #           # Clean up old images (keep last 3)
-  #           docker image prune -af --filter "until=72h"
-            
-  #           # Verify deployment
-  #           sleep 5
-  #           curl -f http://localhost:3000/ready || exit 1
-            
-  #           echo "Deployment successful!"
-  #           docker ps | grep solar-system
-
-  #     - name: Health check
-  #       run: |
-  #         sleep 10
-  #         curl -f http://${{ secrets.AZURE_VM_IP }}:3000/ready || exit 1
-  #         echo "Application is healthy and running!"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Log in to Azure
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.0
+
+      - name: Terraform Init
+        run: terraform init
+        working-directory: ./terraform
+
+      - name: Terraform Plan
+        run: |
+          terraform plan \
+            -var="app_name=${{ secrets.AZURE_WEBAPP_NAME }}" \
+            -var="github_username=${{ github.repository_owner }}" \
+            -var="github_token=${{ secrets.GITHUB_TOKEN }}" \
+            -var="mongo_uri=${{ secrets.MONGO_URI }}" \
+            -var="docker_image=${{ github.repository_owner }}/solar-system:${{ github.ref_name }}" \
+            -out=tfplan
+        working-directory: ./terraform
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+
+      - name: Terraform Apply
+        run: terraform apply -auto-approve tfplan
+        working-directory: ./terraform
+        env:
+          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+
+      - name: Get Web App URL
+        id: webapp
+        run: |
+          WEBAPP_URL=$(terraform output -raw webapp_url)
+          echo "url=$WEBAPP_URL" >> $GITHUB_OUTPUT
+        working-directory: ./terraform
+
+      - name: Restart Web App (force pull latest image)
+        run: |
+          az webapp restart \
+            --name ${{ secrets.AZURE_WEBAPP_NAME }} \
+            --resource-group $(terraform output -raw resource_group_name)
+        working-directory: ./terraform
+
+      - name: Health check
+        run: |
+          sleep 60
+          curl -f ${{ steps.webapp.outputs.url }}/ready || exit 1
+          echo "Application is healthy and running on Azure Web App!"

terraform/backend.tf

@@ -0,0 +1,8 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "tfstate"
+    storage_account_name = "devtfstate12345"
+    container_name       = "tfstate"
+    key                  = "solar-system.terraform.tfstate"
+  }
+}

terraform/main.tf

@@ -0,0 +1,90 @@
+terraform {
+  required_version = ">= 1.0"
+  
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# Resource Group
+resource "azurerm_resource_group" "rg" {
+  name     = var.resource_group_name
+  location = var.location
+  
+  tags = {
+    Environment = "Production"
+    Project     = "SSD-DevSecOps"
+    ManagedBy   = "Terraform"
+  }
+}
+
+# App Service Plan (Linux-based for containers)
+resource "azurerm_service_plan" "app_plan" {
+  name                = var.app_service_plan_name
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  os_type             = "Linux"
+  sku_name            = var.sku_name
+  
+  tags = {
+    Environment = "Production"
+    Project     = "SSD-DevSecOps"
+  }
+}
+
+# Linux Web App for Containers
+resource "azurerm_linux_web_app" "webapp" {
+  name                = var.app_name
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  service_plan_id     = azurerm_service_plan.app_plan.id
+  
+  site_config {
+    always_on = var.sku_name != "F1" ? true : false  # Free tier doesn't support always_on
+    
+    application_stack {
+      docker_registry_url      = "https://ghcr.io"
+      docker_image_name        = var.docker_image
+      docker_registry_username = var.github_username
+      docker_registry_password = var.github_token
+    }
+    
+    health_check_path = "/ready"
+  }
+  
+  app_settings = {
+    "MONGO_URI"                       = var.mongo_uri
+    "WEBSITES_PORT"                   = "3000"
+    "DOCKER_ENABLE_CI"                = "true"
+    "DOCKER_REGISTRY_SERVER_URL"      = "https://ghcr.io"
+    "DOCKER_REGISTRY_SERVER_USERNAME" = var.github_username
+    "DOCKER_REGISTRY_SERVER_PASSWORD" = var.github_token
+  }
+  
+  https_only = true
+  
+  logs {
+    http_logs {
+      file_system {
+        retention_in_days = 7
+        retention_in_mb   = 35
+      }
+    }
+    
+    application_logs {
+      file_system_level = "Information"
+    }
+  }
+  
+  tags = {
+    Environment = "Production"
+    Project     = "SSD-DevSecOps"
+  }
+}

terraform/outputs.tf

@@ -0,0 +1,19 @@
+output "webapp_url" {
+  description = "URL of the deployed Web App"
+  value       = "https://${azurerm_linux_web_app.webapp.default_hostname}"
+}
+
+output "webapp_name" {
+  description = "Name of the Web App"
+  value       = azurerm_linux_web_app.webapp.name
+}
+
+output "resource_group_name" {
+  description = "Name of the Resource Group"
+  value       = azurerm_resource_group.rg.name
+}
+
+output "webapp_id" {
+  description = "Resource ID of the Web App"
+  value       = azurerm_linux_web_app.webapp.id
+}

terraform/variables.tf

@@ -0,0 +1,53 @@
+variable "resource_group_name" {
+  description = "Name of the Azure Resource Group"
+  type        = string
+  default     = "rg-solar-system"
+}
+
+variable "location" {
+  description = "Azure region for resources"
+  type        = string
+  default     = "East US"
+}
+
+variable "app_service_plan_name" {
+  description = "Name of the App Service Plan"
+  type        = string
+  default     = "plan-solar-system"
+}
+
+variable "app_name" {
+  description = "Name of the Web App (must be globally unique)"
+  type        = string
+  default     = "solar-system-devsecops"
+}
+
+variable "sku_name" {
+  description = "SKU name for App Service Plan (F1=Free, B1=Basic, S1=Standard, P1V2=Premium)"
+  type        = string
+  default     = "B1"  # Basic tier - cheapest paid tier with always_on support
+}
+
+variable "docker_image" {
+  description = "Docker image name with tag from GitHub Container Registry"
+  type        = string
+  default     = "deviant101/solar-system:latest"
+}
+
+variable "github_username" {
+  description = "GitHub username for container registry authentication"
+  type        = string
+  sensitive   = true
+}
+
+variable "github_token" {
+  description = "GitHub Personal Access Token for pulling images from GHCR"
+  type        = string
+  sensitive   = true
+}
+
+variable "mongo_uri" {
+  description = "MongoDB connection string"
+  type        = string
+  sensitive   = true
+}