Engagement 05 · Pipelines
Production-grade pipelines for Terraform and applications. Environment promotion, gated apply, approvals, and release safety — built in GitHub Actions or Azure DevOps to match where your team already works.
Why this exists
Manual deploys via the portal or local terraform apply work fine until they don't. Production gets deployed by accident. State files get corrupted. Nobody knows what's running where. The CI/CD engagement gives you safe, repeatable pipelines for both infrastructure and applications — with approvals, environment promotion, and clear failure modes baked in.
What's included
Branching model, environment topology, promotion flow, secrets management, and runner strategy. Designed for your team size and platform.
PR validation (fmt, lint, security scan, plan), gated apply per environment, drift detection, and state-aware concurrency control.
Build, test, container or artefact publish, deploy to environments with progressive rollout where it makes sense. App Service, Container Apps, AKS — your stack, your patterns.
Dev/test/staging/prod with the right gates between them. Approver groups, change windows, and emergency override paths documented.
OIDC federation between GitHub Actions / Azure DevOps and Azure — no long-lived service principal secrets. Key Vault for application secrets.
Pipeline failure alerts, deployment history, rollback procedures, and a runbook your team can actually use during an incident.
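To make the PR-validation, gated-apply and OIDC points above concrete, here is an illustrative GitHub Actions workflow for a Terraform directory; it is an example written for this page, not the pipeline the engagement delivers. It assumes the Terraform code lives in `infra/`, that a GitHub environment named `production` carries the required reviewers, that `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` are repository variables, and that the Entra app registration has federated credentials whose subjects match the repository's pull requests, the `main` branch and the `production` environment.

```yaml
name: terraform
on:
  pull_request:
    paths: ["infra/**"]
  push:
    branches: [main]
    paths: ["infra/**"]
# Least privilege: id-token is the only write; it lets the job request a short-lived OIDC token for Azure.
permissions:
  contents: read
  id-token: write
# One run at a time per state file, so an apply never races a plan on the same state.
concurrency:
  group: terraform-state-prod
  cancel-in-progress: false
env:
  ARM_USE_OIDC: "true"   # azurerm provider exchanges the runner's OIDC token itself; no client secret
  ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}   # IDs, not secrets (variable names assumed)
  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
jobs:
  plan:   # every PR and every push to main
    runs-on: ubuntu-latest
    defaults: { run: { working-directory: infra } }
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with: { terraform_wrapper: false }
      - run: terraform fmt -check -recursive
      - run: terraform init -input=false
      - run: terraform validate
      - run: terraform plan -input=false -lock-timeout=5m -out=tfplan
      - uses: actions/upload-artifact@v4   # plan files can embed sensitive values; keep retention short
        with: { name: tfplan, path: infra/tfplan, retention-days: 1 }
  apply:   # only after plan, only from main, only once the environment's reviewers approve
    needs: plan
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # required reviewers and wait timer are configured on the environment
    defaults: { run: { working-directory: infra } }
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with: { terraform_wrapper: false }
      - uses: actions/download-artifact@v4
        with: { name: tfplan, path: infra }
      - run: terraform init -input=false
      - run: terraform apply -input=false tfplan
```

The apply step consumes the exact plan the reviewers saw rather than re-planning, so what was approved is what runs; lint and scanning steps (tflint, Checkov) would slot into the plan job before `terraform plan`.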
Deliverables
Timeline
Branching model, environments, approvals, runner strategy — agreed before any pipeline is written.
Pipelines built and tested. Terraform first, then application pipelines, then environment configuration.
First real release with your team. Runbook handover, edge cases discussed, on-call playbook agreed.
FAQ
GitHub Actions or Azure DevOps?
Either. We deliver in whichever you already use (or are about to standardise on). The patterns transfer between the two — what matters is the architecture and the discipline, not the tool.
Do we need IaC in place first?
For Terraform pipelines, yes — you need Terraform. If you don't, look at Azure Launchpad (greenfield) or Brownfield Terraform Migration (existing Azure) first. Application pipelines can run on their own.
What about GitOps / Flux / Argo CD?
If you're already on Kubernetes and want pull-based deploys, we can build that pattern. For most Azure-native workloads (App Service, Container Apps, Functions), pipeline-pushed deploys are simpler and that's the default.
Will you onboard our existing applications?
We'll set up a reference pipeline for one or two key apps. Rolling it out to dozens of services is usually a separate engagement — often handled within Ongoing Platform Support.
Can you also enforce code quality / security gates?
Yes — tflint, Checkov, container scanning, dependency review. We tune them for signal over noise. The goal is gates your team trusts, not a flood of warnings everyone learns to ignore.
Next step
Book a 30-minute discovery call. We'll talk through your stack, branching model, and any pipeline pain points before agreeing scope.