more infra and GitHub Actions

kantega · Sep 11, 2024 · 206c5ad · 206c5ad
1 parent 2dcc8b7
commit 206c5ad
Show file tree

Hide file tree

Showing 5 changed files with 170 additions and 71 deletions.
diff --git a/.github/workflows/build-push-docker.yml b/.github/workflows/build-push-docker.yml
@@ -1,17 +1,15 @@
-name: Build and Push to ACR
+name: Build and Push to Azure
+
 on:
   push:
     branches:
-      - 'main'
+      - main
+  workflow_dispatch:
+
 jobs:
   build:
-    name: 'Build and Push to ACR'
     runs-on: ubuntu-latest
 
-    defaults:
-      run:
-        shell: bash
-
     steps:
       - uses: actions/checkout@v4
 
@@ -21,8 +19,12 @@ jobs:
           username: ${{ secrets.DOCKER_REGISTRY_SERVER_USERNAME }}
           password: ${{ secrets.DOCKER_REGISTRY_SERVER_PASSWORD }}
 
-      - uses: docker/build-push-action@v6
+      - run: |
+          docker build -t ${{ secrets.DOCKER_REGISTRY_SERVER_URL }}/kantega-big-agi:latest .
+          docker push ${{ secrets.DOCKER_REGISTRY_SERVER_URL }}/kantega-big-agi:latest
+
+      - uses: azure/webapps-deploy@v3
         with:
-          push: true
-          tags: ${{ secrets.DOCKER_REGISTRY_SERVER_URL }}/kantega-big-agi:latest
-          file: Dockerfile
+          app-name: 'kantega-big-agi'
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+          images: '${{ secrets.DOCKER_REGISTRY_SERVER_URL }}/kantega-big-agi:latest'
diff --git a/infra/build.tf b/infra/build.tf
diff --git a/infra/main.tf b/infra/main.tf
@@ -18,6 +18,28 @@ resource "azurerm_resource_group" "rg" {
   location = var.location
 }
 
+resource "azurerm_virtual_network" "vnet" {
+  name                = "${var.project_name}-vnet"
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  address_space       = ["10.0.0.0/16"]
+}
+
+resource "azurerm_subnet" "subnet" {
+  name                 = "${var.project_name}-subnet"
+  resource_group_name  = azurerm_resource_group.rg.name
+  virtual_network_name = azurerm_virtual_network.vnet.name
+  address_prefixes     = ["10.0.1.0/24"]
+
+  delegation {
+    name = "webapp-delegation"
+    service_delegation {
+      name    = "Microsoft.Web/serverFarms"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}
+
 resource "azurerm_container_registry" "acr" {
   name                = replace("${var.project_name}registry", "-", "")
   resource_group_name = azurerm_resource_group.rg.name
@@ -34,53 +56,116 @@ resource "azurerm_service_plan" "asp" {
   sku_name            = "B1"
 }
 
-resource "azurerm_linux_web_app" "app" {
-  name                = "${var.project_name}"
+resource "azurerm_linux_web_app" "browserless" {
+  name                = "${var.project_name}-browserless"
   location            = azurerm_resource_group.rg.location
   resource_group_name = azurerm_resource_group.rg.name
   service_plan_id     = azurerm_service_plan.asp.id
 
   app_settings = {
     WEBSITES_ENABLE_APP_SERVICE_STORAGE = "false"
     WEBSITES_PORT                       = "3000"
-
-    # Environment variables for the container
-    OPENAI_API_KEY      = var.openai_api_key
-    ANTHROPIC_API_KEY   = var.anthropic_api_key
-    GEMINI_API_KEY      = var.gemini_api_key
+    MAX_CONCURRENT_SESSIONS             = "10"
   }
 
   site_config {
     always_on = true
-
     application_stack {
-    docker_registry_url      = "https://${azurerm_container_registry.acr.login_server}"
-    docker_image_name        = "${var.project_name}:latest"
-    docker_registry_username = azurerm_container_registry.acr.admin_username
-    docker_registry_password = azurerm_container_registry.acr.admin_password
+      docker_registry_url = "https://registry.hub.docker.com"
+      docker_image_name   = "browserless/chrome:latest"
+    }
+
+    ip_restriction {
+      ip_address = var.allowed_ip
+      action     = "Allow"
+      priority   = 100
+      name       = "AllowKantegaIP"
+    }
+
+    dynamic "ip_restriction" {
+      for_each = toset(split(",", azurerm_linux_web_app.app.outbound_ip_addresses))
+      content {
+        ip_address = "${ip_restriction.value}/32"
+        action     = "Allow"
+        priority   = 200
+        name       = "A-${ip_restriction.value}"
+      }
+    }
+
+    ip_restriction {
+      ip_address = "0.0.0.0/0"
+      action     = "Deny"
+      priority   = 300
+      name       = "DenyAll"
+    }
   }
 
+  logs {
+    detailed_error_messages = false
+    failed_request_tracing  = false
+    http_logs {
+      file_system {
+        retention_in_days = 7
+        retention_in_mb   = 25
+      }
+    }
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  depends_on = [
+    azurerm_service_plan.asp,
+    azurerm_subnet.subnet
+  ]
+}
+
+resource "azurerm_linux_web_app" "app" {
+  name                = var.project_name
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  service_plan_id     = azurerm_service_plan.asp.id
+
+  app_settings = {
+    WEBSITES_ENABLE_APP_SERVICE_STORAGE = "false"
+    WEBSITES_PORT                       = "3000"
+    OPENAI_API_KEY                      = var.openai_api_key
+    ANTHROPIC_API_KEY                   = var.anthropic_api_key
+    GEMINI_API_KEY                      = var.gemini_api_key
+  }
+
+  site_config {
+    always_on = true
+    application_stack {
+      docker_registry_url      = "https://${azurerm_container_registry.acr.login_server}"
+      docker_image_name        = "${var.project_name}:latest"
+      docker_registry_username = azurerm_container_registry.acr.admin_username
+      docker_registry_password = azurerm_container_registry.acr.admin_password
+    }
+
     ip_restriction {
       ip_address = var.allowed_ip
       action     = "Allow"
       priority   = 100
-      name       = "AllowSpecificIP"
+      name       = "KantegaIP"
     }
 
     ip_restriction {
       ip_address = "0.0.0.0/0"
       action     = "Deny"
-      priority   = 200
+      priority   = 300
       name       = "DenyAll"
     }
   }
+
   logs {
     detailed_error_messages = false
-    failed_request_tracing = false
+    failed_request_tracing  = false
     http_logs {
       file_system {
         retention_in_days = 7
-        retention_in_mb = 25
+        retention_in_mb   = 25
       }
     }
   }
@@ -89,5 +174,32 @@ resource "azurerm_linux_web_app" "app" {
     type = "SystemAssigned"
   }
 
-  depends_on = [null_resource.docker_build]
-}
+  depends_on = [
+    azurerm_container_registry.acr,
+    azurerm_subnet.subnet
+  ]
+}
+
+resource "azurerm_app_service_virtual_network_swift_connection" "app_vnet_integration" {
+  app_service_id = azurerm_linux_web_app.app.id
+  subnet_id      = azurerm_subnet.subnet.id
+}
+
+resource "azurerm_app_service_virtual_network_swift_connection" "browserless_vnet_integration" {
+  app_service_id = azurerm_linux_web_app.browserless.id
+  subnet_id      = azurerm_subnet.subnet.id
+}
+
+resource "null_resource" "update_settings" {
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+az webapp config appsettings set --resource-group ${azurerm_resource_group.rg.name} --name ${azurerm_linux_web_app.app.name} --settings PUPPETEER_WSS_ENDPOINT=wss://${azurerm_linux_web_app.browserless.default_hostname}
+EOT
+  }
+
+  depends_on = [azurerm_linux_web_app.app, azurerm_linux_web_app.browserless]
+}
diff --git a/infra/output.tf b/infra/output.tf
@@ -0,0 +1,21 @@
+output "docker_registry_server_url" {
+  value       = replace(azurerm_container_registry.acr.login_server, "https://", "")
+  description = "ACR login server URL without 'https://'. Add this to GitHub secrets as DOCKER_REGISTRY_SERVER_URL."
+}
+
+output "docker_registry_server_username" {
+  value       = azurerm_container_registry.acr.admin_username
+  description = "ACR admin username. Add this to GitHub secrets as DOCKER_REGISTRY_SERVER_USERNAME."
+}
+
+output "docker_registry_server_password" {
+  value       = azurerm_container_registry.acr.admin_password
+  sensitive   = true
+  description = "ACR admin password. Add this to GitHub secrets as DOCKER_REGISTRY_SERVER_PASSWORD."
+}
+
+# Output Function App publish profile
+output "GET_PUBLISHING_PROFILE_SCRIPT" {
+  value       = "az webapp deployment list-publishing-profiles --name ${azurerm_linux_web_app.app.name} --resource-group ${azurerm_resource_group.rg.name} --xml"
+  description = "Run this command in your shell to retrieve the Azure Web App's publishing profile. Add the result to GitHub secrets as AZURE_WEBAPP_PUBLISH_PROFILE."
+}
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -1,23 +1,19 @@
-# variables.tf
 variable "azure_subscription_id" {}
 variable "openai_api_key" {}
 variable "anthropic_api_key" {}
 variable "gemini_api_key" {}
 
 variable "allowed_ip" {
-  description = "The IP address allowed to access the application"
-  type        = string
-  default     = "X.X.X.X/32"
+  type    = string
+  default = "X.X.X.X/32"
 }
 
 variable "project_name" {
-  description = "The main name for the project, used to derive other resource names"
-  type        = string
-  default     = "big-agi"
+  type    = string
+  default = "big-agi"
 }
 
 variable "location" {
-  description = "The Azure region where resources will be created"
-  type        = string
-  default     = "Norway East"
+  type    = string
+  default = "Norway East"
 }