1# Static Web Apps - Deployment
2 
3## azd Deploy (Default)
4 
5Standard deployment via Azure Developer CLI:
6 
7```bash
8azd deploy
9```
10 
11## GitHub-Linked Deployments
12 
13For CI/CD builds on Azure (instead of azd deploy):
14 
15```bicep
16properties: {
17  repositoryUrl: 'https://github.com/owner/repo'
18  branch: 'main'
19  buildProperties: {
20    appLocation: 'src'
21    apiLocation: 'api'
22    outputLocation: 'dist'
23  }
24}
25```
26 
27## Deployment Token
28 
29> ⚠️ **Security Warning:** Do NOT expose deployment tokens in ARM/Bicep outputs. Deployment outputs are visible in Azure portal deployment history and logs.
30 
31**Recommended approach** - retrieve token via Azure CLI and store directly in secret store:
32 
33```bash
34# Capture token to variable (never echo or log)
35DEPLOYMENT_TOKEN=$(az staticwebapp secrets list --name <app-name> --query "properties.apiKey" -o tsv)
36 
37# Store directly in Key Vault
38az keyvault secret set --vault-name <vault-name> --name swa-deployment-token --value "$DEPLOYMENT_TOKEN" --output none
39```
40 
41**Do NOT do this** (exposes token in deployment history):
42```bicep
43// ❌ INSECURE - token visible in deployment history
44// output deploymentToken string = staticWebApp.listSecrets().properties.apiKey
45```
46 
47## Terraform Deployment
48 
49> ⚠️ **Use `azurerm_static_web_app`** — NOT Storage Account `static_website`.
50> Storage Account static websites require anonymous blob access, which is blocked
51> by enterprise Azure Policies. See [terraform.md](terraform.md) for correct patterns.
52 
53Terraform-based deployments use `azd deploy` the same way as Bicep:
54 
55```bash
56azd deploy
57```
58 
59The `azd-service-name` tag on the `azurerm_static_web_app` resource tells azd where to deploy.
60 
61**Do NOT do this** (exposes token in Terraform state):
62```hcl
63# ❌ INSECURE - token stored in Terraform state
64# output "deployment_token" {
65#   value     = azurerm_static_web_app.web.api_key
66#   sensitive = true
67# }
68```
69