Decoupling Azure Releases With GitHub Actions

Cloud deployments typically fail as a result of surroundings configurations are hardcoded into the construct course of. Here’s a sample to decouple your Construct Artifacts out of your Deployment Logic utilizing GitHub Actions and a versatile JSON Configuration map.

On the planet of Kubernetes, we’re used to the separation of considerations: Docker builds the picture, and Helm/Kustomize handles the surroundings configuration. Nonetheless, when working with serverless (Azure Features) or PaaS (App Service), builders typically fall into the entice of monolithic pipelines. They construct a package deal that solely works in DEV, after which rebuild it for PROD.

This results in “Artifact Drift,” the place the binary operating in Manufacturing just isn’t arguably the identical binary that handed testing in Staging.

A latest implementation by Fujitsu’s International Gateway Division tackles this drawback head-on. By shifting away from handbook Azure CLI deployments to a strict GitHub Actions workflow, they lowered launch time by 75% (from 2 hours to half-hour) and eradicated handbook configuration errors.

Right here is learn how to implement their “Atmosphere Configuration Map” sample to realize protected, automated deployments throughout Azure environments. 

The Downside: The “Config Matrix” Hell

In an Agile surroundings, particularly throughout Proof-of-Idea (PoC) phases, property are changed continuously. You may need:

1. Azure Features (API logic)
2. Cosmos DB (Knowledge persistence)
3. Digital machines (Legacy processing)

The problem is that DEV, STAGING, and PROD have utterly completely different Useful resource Group names, Subscription IDs, and tier settings (e.g., Use a less expensive SKU for Dev).

When you hardcode these into your pipeline YAML, your pipeline turns into brittle. When you attempt to handle them manually, you danger human error.

The Resolution: The “Construct-As soon as, Deploy-Many” Structure

The core philosophy of this sample is straightforward: Construct the binary as soon as, model it, after which inject configuration solely in the mean time of deployment.

The workflow consists of three distinct phases:

1. Construct part: Compile code and generate a .zip artifact.
2. Launch part: Retailer the artifact in GitHub Releases (immutable versioning).
3. Deploy part: A workflow reads a Config JSON, pulls the artifact, and pushes it to Azure.

A pattern workflow to know launch move utilizing GitHub Actions (handbook versus automated execution):

1. The Atmosphere Configuration Map (config.json)

As a substitute of scattering variables throughout GitHub Secrets and techniques or Azure App Settings, we centralize the surroundings definition in a JSON file dedicated to the repository. This acts as our “Supply of Reality.”

File: .github/config/config.json

{
  "dev": {
    "subscriptionId": "sub-id-dev-001",
    "resourceGroup": "rg-app-dev",
    "sources": [
      {
        "type": "function",
        "name": "func-api-dev",
        "slot": "staging" 
      }
    ]
  },
  "prod": {
    "subscriptionId": "sub-id-prod-999",
    "resourceGroup": "rg-app-prod",
    "sources": [
      {
        "type": "function",
        "name": "func-api-prod",
        "slot": "production"
      },
      {
        "type": "cosmosdb",
        "name": "cosmos-core-prod",
        "partitionKey": "/userId"
      }
    ]
  }
}

Key perception: Discover that dev would possibly deploy to a staging slot, whereas prod deploys to manufacturing. This logic is abstracted away from the construct script. 

2. The Deployment “Operator” (Shell + Azure CLI)

As a substitute of relying solely on inflexible GitHub Actions plugins, this sample makes use of a Shell script to parse the JSON and execute the logic. This makes the deployment transportable — you’ll be able to run it domestically or in CI.

File: scripts/deploy.sh

#!/bin/bash
ENV_FLAVOR=$1  # e.g., "prod"
TAG_VERSION=$2 # e.g., "v1.0.2"

# 1. Learn Config utilizing jq
CONFIG=$(cat .github/config/config.json | jq -r --arg env "$ENV_FLAVOR" '.[$env]')
RG_NAME=$(echo $CONFIG | jq -r '.resourceGroup')
SUB_ID=$(echo $CONFIG | jq -r '.subscriptionId')

# 2. Login to Azure
az account set --subscription $SUB_ID

# 3. Obtain the Immutable Artifact from GitHub Releases
wget https://github.com/my-org/my-repo/releases/obtain/$TAG_VERSION/build-artifact.zip

# 4. Iterate by means of outlined sources and deploy
echo $CONFIG | jq -c '.sources[]' | whereas learn useful resource; do
    TYPE=$(echo $useful resource | jq -r '.kind')
    NAME=$(echo $useful resource | jq -r '.identify')
    
    if [ "$TYPE" == "function" ]; then
        echo "Deploying $TAG_VERSION to Azure Perform: $NAME..."
        az functionapp deployment supply config-zip 
            --resource-group $RG_NAME 
            --name $NAME 
            --src build-artifact.zip
    fi
finished

3. The GitHub Actions Workflow

Lastly, we tie it along with a Workflow that requires handbook approval for Manufacturing environments.

File: .github/workflows/deploy.yaml

identify: Deploy to Azure

on:
  launch:
    varieties: [published]
  workflow_dispatch:
    inputs:
      surroundings:
        description: 'Goal Atmosphere'
        required: true
        default: 'dev'
        kind: selection
        choices:
        - dev
        - prod

jobs:
  deploy:
    runs-on: ubuntu-latest
    surroundings: ${{ github.occasion.inputs.surroundings }} # Makes use of GitHub Environments for approvals
    steps:
      - identify: Checkout Code
        makes use of: actions/checkout@v3

      - identify: Azure Login
        makes use of: azure/login@v1
        with:
          creds: ${{ secrets and techniques.AZURE_CREDENTIALS }}

      - identify: Run Deployment Operator
        run: |
          chmod +x scripts/deploy.sh
          ./scripts/deploy.sh ${{ github.occasion.inputs.surroundings }} ${{ github.occasion.launch.tag_name }}

The Structure Visualized

This method separates the lifecycle of the code from the lifecycle of the surroundings.

Why This Sample Works (The Outcomes)

Within the Fujitsu case research, adopting this sample solved three essential points:

1. Prompt rollbacks: As a result of artifacts are saved in GitHub Releases, “rolling again” is simply re-running the deployment job with the earlier Model Tag (e.g., v1.0.1 as a substitute of v1.0.2). No rebuilding vital.
2. Useful resource isolation: The config.json permits granular management. You’ll be able to outline particular permissions or exclusion guidelines (e.g., ignore: [“iam”]) for Dev environments to forestall unintended permission overwrites.
3. Eliminating “VM Lock”: Beforehand, deployments required unique entry to VMs, blocking different builders. By shifting to Azure Features and asynchronous Actions, the pipeline turned non-blocking.

Conclusion

Instruments like Terraform and Bicep are glorious for Infrastructure as Code (creating the sources). Nonetheless, for Deployment as Code (shifting the bits to the sources), a light-weight, configuration-driven method utilizing GitHub Actions and JSON maps gives the pliability wanted for high-velocity groups.

By decoupling the “What” (the construct artifact) from the “The place” (the surroundings config), you flip a fragile handbook launch course of into a sturdy, repeatable engine.