Update deploy-az-resources.yml #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Use OpenID Connect to authenticate to Azure | |
# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#use-the-azure-login-action-with-openid-connect | |
# *** https://colinsalmcorner.com/using-oidc-with-terraform-in-github-actions/ | |
# https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=openid%2CCLI | |
name: deploy-az-resources | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
pre-requisites: | |
name: 'Intialize Values' | |
env: | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
spnName: oid-bcp-ghb-003 | |
rgpLabName: rgp-lab | |
rgpIacName: rgp-iac | |
location: centralus | |
stackName: 'stack-deploy-az-resources' | |
templateFile: "./exercises-dev/main-exercises-dev.bicep" | |
templateParamFile: "./exercises-dev/main-exercises-dev.parameters.json" | |
templateSpecName: tsp-rgp-iac | |
templateSpecVersion: '1.0.${{ github.run_number }}' | |
templateSpecDescription: 'Template Spec for RGP IaC' | |
templateSpecSourceFile: "./exercises-dev/modules/sbx/sta-tsp.bicep" | |
templateSpecParamFile: "./exercises-dev/modules/sbx/sta-tsp-params.json" | |
deploy: false # Set to true to plan only, false to deploy or rollback | |
deployTemplateSpec: true # Set to true to deploy template spec, false to deploy template | |
rollback: true # Set to true to rollback, false to deploy | |
runs-on: ubuntu-latest | |
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest | |
defaults: | |
run: | |
shell: bash | |
working-directory: ${{ github.workspace }} | |
steps: | |
# Clear the GitHub Actions runner's local npm cache | |
- name: Cache dependencies | |
uses: actions/cache@v2 | |
with: | |
path: node_modules | |
key: ${{ runner.os }}-${{ github.sha }}-${{ hashFiles('**/package-lock.json') }}-${{ github.run_number }} | |
# Checkout the repository to the GitHub Actions runner | |
- name: Checkout | |
uses: actions/checkout@v3 | |
# Authenticate to Azure tenant using the Azure login action (OIDC) | |
- name: Authenticate to Azure with OIDC | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
enable-AzPSSession: false | |
# https://github.com/Azure/login | |
- name: deploy | |
uses: azure/CLI@v1 | |
with: | |
azcliversion: latest | |
inlineScript: | | |
az --version | |
az account show | |
az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
az stack sub create --name ${{ env.stackName }} --location ${{ env.location }} --template-file ${{ env.templateFile }} --parameters ${{ env.templateParamFile }} --deny-settings-mode none --delete-all --yes --verbose | |
if: ${{ env.deploy == 'true' }} | |
- name: rollback | |
uses: azure/CLI@v1 | |
with: | |
azcliversion: latest | |
inlineScript: | | |
az --version | |
az account show | |
az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
az stack sub delete --name ${{ env.stackName }} --location ${{ env.location }} --yes --verbose | |
if: ${{ env.rollback == 'true' }} |