This project supports multiple deployment methods to accommodate different workflows and preferences:

GitHub Actions:
- Push to `main` branch → Automatically deploys to PROD environment
- Push to `develop` branch → Automatically deploys to DEV environment
- Pull Request to `main` → Runs plan and validation only (no deployment)
- Manual Workflow Dispatch → Allows manual deployment to any environment

Azure DevOps:
- Push to `main` branch → Automatically deploys to PROD environment
- Push to `develop` branch → Automatically deploys to DEV environment
- Pull Request to `main` → Runs plan and validation only
- Manual Pipeline Run → Allows manual deployment with parameters
Using the deployment script:

```bash
# Plan changes for dev environment
./infra/scripts/deploy.sh --environment dev --action plan

# Apply changes to dev environment
./infra/scripts/deploy.sh --environment dev --action apply

# Apply changes with auto-approval
./infra/scripts/deploy.sh --environment dev --action apply --auto-approve

# Destroy dev environment
./infra/scripts/deploy.sh --environment dev --destroy
```

Using Terraform directly:

```bash
cd infra/terraform

# Initialize backend
terraform init \
  -backend-config="resource_group_name=rg-smartdocs-tfstate-dev" \
  -backend-config="storage_account_name=sastmartdocstfstatedev" \
  -backend-config="container_name=tfstate" \
  -backend-config="key=smartdocs-dev.terraform.tfstate"

# Plan deployment
terraform plan -var-file="dev/terraform.tfvars"

# Apply deployment
terraform apply -var-file="dev/terraform.tfvars"
```
Feature Development:

```bash
git checkout -b feature/new-infrastructure
# Make infrastructure changes
git add .
git commit -m "Add new infrastructure component"
git push origin feature/new-infrastructure
```

Testing in Dev:

```bash
# Create PR to develop branch
# This triggers validation and planning
# Merge to develop triggers deployment to DEV
```

Production Release:

```bash
# Create PR from develop to main
# This triggers validation and shows production plan
# Merge to main triggers deployment to PROD
```

Direct Production Fix:

```bash
git checkout main
git checkout -b hotfix/critical-fix
# Make urgent changes, then stage them so the commit actually contains them
git add .
git commit -m "Critical infrastructure fix"
git push origin hotfix/critical-fix
# Create PR directly to main
# Merge triggers immediate PROD deployment
```
| Trigger | Environment | Action | Approval Required |
|---|---|---|---|
| Push to main | PROD | Auto Deploy | No* |
| Push to develop | DEV | Auto Deploy | No |
| PR to main | PROD | Plan Only | Manual Review |
| PR to develop | DEV | Plan Only | Manual Review |
| Manual Dispatch | Any | Configurable | Optional |
| Local Script | Any | Manual | Yes |

*Production deployments can be configured to require manual approval in GitHub/Azure DevOps environments.
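The trigger table above is usually implemented as a scatter of `if:` conditions across workflow jobs, which is hard to audit. The following is an added example (not the project's own workflow code) that puts the whole mapping in one shell function a job step can call: every branch, base branch and event that is not in the table is refused, so nothing deploys by accident. It assumes GitHub Actions' `GITHUB_EVENT_NAME`, `GITHUB_REF` and `GITHUB_BASE_REF` as inputs; the `workflow_dispatch` input that carries the chosen environment is assumed to be named `target_env`.

```shell
#!/usr/bin/env bash
# Added example (not the project's own workflow code): resolve a CI event to the
# (environment, action) pair from the trigger table, in one auditable place.
# For push events REF is GITHUB_REF (refs/heads/...); for pull_request events
# pass GITHUB_BASE_REF (the bare base branch name). The workflow_dispatch input
# carrying the chosen environment is assumed to be named "target_env".
set -eu

# resolve_target EVENT REF [DISPATCH_ENV]
# Prints "<env> <action>" and returns 0, or returns 2 with a reason on stderr.
resolve_target() {
  local event="$1" ref="$2" dispatch_env="${3:-}"
  case "$event" in
    push)
      case "$ref" in
        refs/heads/main)    echo "prod apply" ;;
        refs/heads/develop) echo "dev apply" ;;
        *) echo "refusing: push to unmapped ref '$ref'" >&2; return 2 ;;
      esac ;;
    pull_request)
      # A PR only ever plans; the base branch selects which state is planned.
      case "$ref" in
        main)    echo "prod plan" ;;
        develop) echo "dev plan" ;;
        *) echo "refusing: PR against unmapped base '$ref'" >&2; return 2 ;;
      esac ;;
    workflow_dispatch)
      case "$dispatch_env" in
        dev|prod) echo "$dispatch_env apply" ;;
        *) echo "refusing: invalid dispatch environment '$dispatch_env'" >&2; return 2 ;;
      esac ;;
    *) echo "refusing: unsupported event '$event'" >&2; return 2 ;;
  esac
}

# needs_prod_gate ENV ACTION -> 0 for the one case the table footnote says to
# protect with a required-reviewer environment: an apply against prod.
needs_prod_gate() {
  if [ "$1" = "prod" ] && [ "$2" = "apply" ]; then
    return 0
  fi
  return 1
}

# Illustrative use inside a job step (literal values stand in for the
# GITHUB_EVENT_NAME / GITHUB_REF environment variables).
target=$(resolve_target push refs/heads/develop)
echo "would run: $target"
```

In a real job step you would call `resolve_target "$GITHUB_EVENT_NAME" "$GITHUB_REF"` for pushes and `resolve_target pull_request "$GITHUB_BASE_REF"` for PRs, then select the `prod` environment (with its required reviewers) whenever `needs_prod_gate` returns 0.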
- Production environment requires manual approval
- Only specific users/teams can approve production deployments
- Deployment windows can be configured
- Terraform format checking
- Configuration validation
- Security scanning with Checkov
- Cost estimation with Infracost
- Plan review before apply
```bash
# Rollback using previous state
terraform apply -var-file="prod/terraform.tfvars" -target=module.specific_module

# Complete environment rebuild
./infra/scripts/deploy.sh --environment prod --destroy
./infra/scripts/deploy.sh --environment prod --action apply
```
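Both the day-to-day deploy-script usage and the rebuild sequence above hand `--destroy` and `--auto-approve` to a script with no further safeguard. The following is an added example, not the project's `infra/scripts/deploy.sh`, of a guard layer a wrapper could apply before invoking it: it allowlists environments, derives the `terraform init` backend flags from the environment name instead of having them hand-typed, refuses `--auto-approve` for prod, and requires an explicit `CONFIRM_DESTROY=prod` (a variable this example introduces) before a prod destroy. The backend names for dev are the ones shown earlier on this page; the prod names are assumed to follow the same pattern.

```shell
#!/usr/bin/env bash
# Added example, not the project's infra/scripts/deploy.sh: guard checks a
# wrapper can run before calling the deploy script. Backend names for dev are
# taken from this page; other environments are assumed to follow the same
# pattern. CONFIRM_DESTROY is a hypothetical variable introduced here.
set -eu

ALLOWED_ENVS="dev prod"

# env_allowed ENV -> 0 if ENV is in the allowlist
env_allowed() {
  local e
  for e in $ALLOWED_ENVS; do
    [ "$e" = "$1" ] && return 0
  done
  return 1
}

# backend_args ENV -> prints the -backend-config flags for `terraform init`,
# so the state key can never be pointed at another environment by a typo.
backend_args() {
  local env="$1"
  env_allowed "$env" || { echo "refusing: unknown environment '$env'" >&2; return 1; }
  printf '%s ' "-backend-config=resource_group_name=rg-smartdocs-tfstate-$env"
  printf '%s ' "-backend-config=storage_account_name=sastmartdocstfstate$env"
  printf '%s ' "-backend-config=container_name=tfstate"
  printf '%s\n' "-backend-config=key=smartdocs-$env.terraform.tfstate"
}

# check_request ENV [FLAG...] -> 0 if the request may proceed.
# Accepts the deploy script's flags (--action, --auto-approve, --destroy,
# --init-backend) and enforces: prod is never auto-approved, and destroying
# prod needs CONFIRM_DESTROY=prod set by the operator.
check_request() {
  local env="$1"; shift
  local action="plan" destroy=0 auto=0
  env_allowed "$env" || { echo "refusing: unknown environment '$env'" >&2; return 1; }
  while [ $# -gt 0 ]; do
    case "$1" in
      --action)
        [ $# -ge 2 ] || { echo "refusing: --action needs a value" >&2; return 1; }
        action="$2"; shift ;;
      --auto-approve) auto=1 ;;
      --destroy) destroy=1 ;;
      --init-backend) ;;   # only bootstraps state storage; allowed everywhere
      *) echo "refusing: unknown flag '$1'" >&2; return 1 ;;
    esac
    shift
  done
  case "$action" in
    plan|apply) ;;
    *) echo "refusing: unknown action '$action'" >&2; return 1 ;;
  esac
  if [ "$auto" = 1 ] && [ "$env" = "prod" ]; then
    echo "refusing: --auto-approve is not honoured for prod; review the plan first" >&2
    return 1
  fi
  if [ "$destroy" = 1 ] && [ "$env" = "prod" ] && [ "${CONFIRM_DESTROY:-}" != "prod" ]; then
    echo "refusing: destroying prod requires CONFIRM_DESTROY=prod" >&2
    return 1
  fi
  return 0
}

# Dry-run illustration: print what the wrapper would execute for a dev plan.
if check_request dev --action plan; then
  echo "./infra/scripts/deploy.sh --environment dev --action plan"
  echo "terraform init $(backend_args dev)"
fi
```

The point of `check_request` is that the rebuild sequence on this page becomes a two-person action for prod: the operator has to set `CONFIRM_DESTROY=prod` deliberately, and the wrapper's refusal messages land on stderr where the pipeline log keeps them.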
Create Azure Service Principal:

```bash
az ad sp create-for-rbac --name "smartdocs-github-actions" \
  --role contributor \
  --scopes /subscriptions/{subscription-id} \
  --sdk-auth
```

Add GitHub Secrets:
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
- `AZURE_SUBSCRIPTION_ID`
- `AZURE_TENANT_ID`
- `INFRACOST_API_KEY` (optional)

Configure Environment Protection:
- Go to Settings → Environments
- Create `prod` environment
- Add required reviewers
- Set deployment branches to `main` only
Create Service Connection:
- Project Settings → Service Connections
- New service connection → Azure Resource Manager
- Service principal (automatic)

Create Environments:
- Pipelines → Environments
- Create `dev` and `prod` environments
- Add approval gates for production

Set Pipeline Variables:
- `INFRACOST_API_KEY`
- `TEAMS_WEBHOOK_URL` (optional)
Install Prerequisites:

```bash
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# Install Terraform
wget https://releases.hashicorp.com/terraform/1.6.0/terraform_1.6.0_linux_amd64.zip
unzip terraform_1.6.0_linux_amd64.zip
sudo mv terraform /usr/local/bin/

# Login to Azure
az login
```

Initialize Backend:

```bash
./infra/scripts/deploy.sh --init-backend --environment dev
```
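The prerequisite steps above unzip the Terraform archive straight from the download without checking it, so a tampered download or a broken mirror would be installed as the tool that later gets `contributor` on the subscription. The following is an added example, not part of the project's documentation, that verifies the archive against HashiCorp's published `SHA256SUMS` file before unpacking it. It assumes the checksum file sits at the same release path as the zip (`terraform_1.6.0_SHA256SUMS`) and that GNU `sha256sum` is available; the checksum entries used in the test are constructed, not real release digests.

```shell
#!/usr/bin/env bash
# Added example, not part of the project's docs: verify a downloaded Terraform
# archive against the release's SHA256SUMS file before unzipping it.
# Assumptions: the SHA256SUMS file lives at the same release path as the zip
# shown on this page, and GNU coreutils `sha256sum` is installed.
set -eu

TF_VERSION="1.6.0"
TF_ZIP="terraform_${TF_VERSION}_linux_amd64.zip"
TF_SUMS="terraform_${TF_VERSION}_SHA256SUMS"
TF_BASE="https://releases.hashicorp.com/terraform/${TF_VERSION}"

# fetch_release: download the archive and its checksum list (network required)
fetch_release() {
  wget -q "${TF_BASE}/${TF_ZIP}" "${TF_BASE}/${TF_SUMS}"
}

# verify_sha256 FILE SUMSFILE -> 0 only if FILE's digest equals the entry for
# its basename in SUMSFILE. A missing entry is a failure, not a pass: an
# archive that the vendor never listed must not be installed either.
verify_sha256() {
  local file="$1" sums="$2" name expected actual
  name=$(basename "$file")
  # Exact-match the file name so a similarly named entry cannot satisfy the check.
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums" | head -n 1)
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# install_terraform: unpack and install only after the archive verifies.
install_terraform() {
  verify_sha256 "$TF_ZIP" "$TF_SUMS" || return 1
  unzip -o "$TF_ZIP" terraform
  sudo install -m 0755 terraform /usr/local/bin/terraform
}
```

Typical use is `fetch_release && install_terraform`. HashiCorp also publishes a detached signature for the `SHA256SUMS` file; checking that signature against their release key is the next step up, since it protects the checksum list itself rather than just the archive.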
- View workflow runs in Actions tab
- Download artifacts (Terraform plans, logs)
- Review security scan results
- Monitor pipeline runs in Pipelines section
- View test results and security scans
- Check environment deployment history
- Monitor resource health
- View deployment history
- Check cost analysis
Backend State Lock:

```bash
# Force unlock (use carefully)
terraform force-unlock <lock-id>
```

Permission Issues:

```bash
# Check current Azure context
az account show

# List available subscriptions
az account list

# Set correct subscription
az account set --subscription <subscription-id>
```

Resource Conflicts:

```bash
# Import existing resources
terraform import azurerm_resource_group.main /subscriptions/{id}/resourceGroups/{name}
```
- Always use feature branches for infrastructure changes
- Test in dev environment before promoting to production
- Review Terraform plans carefully before applying
- Use semantic versioning for infrastructure releases
- Monitor costs regularly using Infracost reports
- Keep state files secure and backed up
- Document all changes in commit messages and PRs