Skip to content
deploy-az-resources

federated(credential): add for each environment #51

Sign in to view logs

federated(credential): add for each environment

federated(credential): add for each environment #51

Workflow file for this run

.github/workflows/deploy-az-resources.yml at 6933a1e
# Use OpenID Connect to authenticate to Azure
# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#use-the-azure-login-action-with-openid-connect
# *** https://colinsalmcorner.com/using-oidc-with-terraform-in-github-actions/
# https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-github-actions?tabs=openid%2CCLI
name: deploy-az-resources
on:
push:
branches:
- main
workflow_dispatch:
permissions:
id-token: write
contents: read
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash
working-directory: $GITHUB_WORKSPACE
# Global environment variables accessible from any job
env:
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
spnName: oid-bcp-ghb-003
rgpLabName: rgp-lab
rgpIacName: rgp-iac
location: centralus
stackName: 'stack-deploy-az-resources'
templateFile: "./exercises-dev/main-exercises-dev.bicep"
templateParamFile: "./exercises-dev/main-exercises-dev.parameters.json"
deploy: true # Set to true to plan only, false to deploy or rollback
rollback: false # Set to true to rollback, false to deploy
jobs:
stage:
runs-on: ubuntu-latest
environment: dev
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
# Authenticate to Azure tenant using the Azure login action (OIDC)
- name: Authenticate to Azure with OIDC
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: false
- name: 'Test Deployment'
uses: azure/CLI@v1
with:
azcliversion: latest
inlineScript: |
az --version
az account show
az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
az deployment sub what-if --location ${{ env.location }} --template-file ${{ env.templateFile }} --parameters ${{ env.templateParamFile }} --verbose
# https://docs.microsoft.com/en-us/cli/azure/deployment/sub?view=azure-cli-latest#az_deployment_sub_what_if
# az deployment sub what-if --location WestUS --template-file ./exercises-dev/main-exercises-dev.bicep --parameters ./exercises-dev/main-exercises-dev.parameters.json
deliver:
needs: stage
runs-on: ubuntu-latest
environment: prd
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
# Authenticate to Azure tenant using the Azure login action (OIDC)
- name: Authenticate to Azure with OIDC
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: false
# https://github.com/Azure/login
- name: deploy
uses: azure/CLI@v1
with:
azcliversion: latest
inlineScript: |
az --version
az account show
az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
az stack sub create --name ${{ env.stackName }} --location ${{ env.location }} --template-file ${{ env.templateFile }} --parameters ${{ env.templateParamFile }} --deny-settings-mode none --delete-all --yes --verbose
if: ${{ env.deploy == 'true' }}
- name: rollback
uses: azure/CLI@v1
with:
azcliversion: latest
inlineScript: |
az --version
az account show
az account set --subscription ${{ secrets.AZURE_SUBSCRIPTION_ID }}
az stack sub delete --name ${{ env.stackName }} --location ${{ env.location }} --yes --verbose
if: ${{ env.rollback == 'true' }}