feat: Container app revision verification on deploy (#392)

Author: oskogstad

.azure/containerApp/createExternal.bicep

@@ -210,5 +210,6 @@ output identityPrincipalIds array = [
 
 output containerAppEnvName string = containerAppEnv.name
 output webApiSoName string = webapiSo.name
+output webApiSoRevisionName string = webapiSo.properties.latestRevisionName
 output webApiEuName string = webapiEu.name
 output migrationJobName string = migrationJob.name

.azure/main.bicep

@@ -333,3 +333,4 @@ module keyVaultReaderAccessPolicy 'keyvault/addReaderRoles.bicep' = {
 
 output migrationJobName string = containerAppsExternal.outputs.migrationJobName
 output resourceGroupName string = resourceGroup.name
+output webapiSoRevisionName string = containerAppsExternal.outputs.webApiSoRevisionName

.github/tools/revisionVerifier.sh

@@ -0,0 +1,50 @@
+if [ -z "$1" ]; then
+  echo "Usage: $0 <revision-name>"
+  exit 1
+fi
+
+if [ -z "$2" ]; then
+  echo "Usage: $0 <resource-group-name>"
+  exit 1
+fi
+
+revision_name="$1"
+resource_group="$2"
+query_filter="{name:name, runningState:properties.runningState, healthState:properties.healthState}"
+
+verify_revision() {
+  local json_output
+  
+  # Fetch app revision
+  json_output=$(az containerapp revision show -g "$resource_group" --revision "$revision_name" --query "$query_filter" 2>/dev/null)
+  
+  health_state=$(echo $json_output | jq -r '.healthState')
+  running_state=$(echo $json_output | jq -r '.runningState')
+
+  echo "Revision $revision_name status:"
+  echo "-----------------------------"
+  echo "Health state: $health_state"
+  echo "Running state: $running_state"
+  echo " "
+  
+  # Check health and running status
+  if [[ $health_state == "Healthy" && ($running_state == "Running" || $running_state == "RunningAtMaxScale") ]]; then
+    return 0  # OK!
+  else
+    return 1  # Not OK!
+  fi
+}
+
+attempt=1
+
+# Loop until verified (GitHub action will do a timeout)
+while true; do
+  if verify_revision; then
+    echo "Revision $revision_name is healthy and running"
+    break
+  else
+    echo "Attempt $attempt: Waiting for revision $revision_name ..."
+    sleep 10 # Sleep for 10 seconds
+    attempt=$((attempt+1))
+  fi
+done

.github/workflows/action-deploy.yml

@@ -2,6 +2,9 @@
 
 on:
   workflow_call:
+    env:
+      AZ_CLI_VERSION: 2.56.0
+
     secrets:
       AZURE_CLIENT_ID:
         required: true
@@ -56,7 +59,7 @@ jobs:
         uses: azure/CLI@v1
         id: keyvault-keys
         with:
-          azcliversion: 2.56.0
+          azcliversion: ${{ env.AZ_CLI_VERSION }}
           inlineScript: |
             KEY_VAULT_KEYS=$(az keyvault secret list --vault-name ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }} --subscription ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }} --query "[].name" -o json | tr -d '\n')
             echo "::set-output name=key-vault-keys::$KEY_VAULT_KEYS"
@@ -98,10 +101,20 @@ jobs:
         uses: azure/CLI@v1
         if: ${{!inputs.dryRun}}
         with:
-          azcliversion: 2.56.0
+          azcliversion: ${{ env.AZ_CLI_VERSION }}
           inlineScript: |
             az containerapp job start -n ${{ steps.deploy.outputs.migrationJobName }} -g ${{ steps.deploy.outputs.resourceGroupName }}
 
+      - name: Verify deployment running
+        timeout-minutes: 3
+        uses: azure/CLI@v1
+        id: verify-deployment
+        with:
+          azcliversion: ${{ env.AZ_CLI_VERSION }}
+          inlineScript: |
+            ./.github/tools/revisionVerifier.sh "${{ steps.deploy.outputs.webApiSoRevisionName }} ${{ steps.deploy.outputs.resourceGroupName }}"
+
+
       - name: Logout from azure
         if: ${{failure() || success()}}
         continue-on-error: true