Skip to content

Add KeyVault Access to Sample Application #71

Add KeyVault Access to Sample Application

Add KeyVault Access to Sample Application #71

Workflow file for this run

name: Infra - Test
permissions:
id-token: write
contents: read
on:
push:
paths:
- "bicep/main.bicep"
- "bicep/modules_bicep/**/*"
- "!bicep/modules/**/*"
- ".github/parameters.json"
pull_request:
branches: [main]
paths:
- "bicep/**/*"
- "bicep/modules_bicep/**/*"
- "!bicep/modules/**/*"
- ".github/parameters.json"
schedule:
# At 11:00pm, every Wednesday week
- cron: "0 23 * * 3"
workflow_dispatch:
inputs:
ResourceGroup:
description: "Which Resource Group to deploy to"
default: "gh-osdu-developer"
type: string
required: false
region:
description: "Region (needs to be same as byo vnet location)"
default: "eastus"
type: string
required: false
doStandards:
description: "Perform the Well Architected Framework assesment"
default: true
type: boolean
required: false
doDebugSteps:
description: "Run informational steps"
default: false
type: boolean
required: false
doVerifySteps:
description: "Run optional verify steps"
default: true
type: boolean
required: false
concurrency: ci-${{ github.ref }}
env:
AZCLIVERSION: latest
ParamFilePath: ".github/parameters.json"
DEPNAME: "Dep${{ github.run_number }}"
jobs:
Standards:
runs-on: ubuntu-latest
if: github.event_name == 'pull_request' || github.event.inputs.doStandards == 'true'
steps:
- uses: actions/checkout@v4
- name: Azure Login
uses: Azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
environment: azurecloud
allow-no-subscriptions: false
# PSRule does this cool thing where it traverse the parameter file through to the arm template
# PSRule performs IaC recommendations of the template.
# https://azure.github.io/PSRule.Rules.Azure/
- name: PSRule for Azure - Well Architected
uses: Microsoft/ps-rule@main
continue-on-error: true #Setting this whilst PSRule gets bedded in, in this project
with:
modules: "PSRule.Rules.Azure"
inputPath: "${{ env.ParamFilePath }}"
Validate:
runs-on: ubuntu-latest
environment: dev
if: ${{ !github.event.pull_request.head.repo.fork }}
outputs:
RESOURCEGROUP: ${{ steps.params.outputs.RESOURCEGROUP}}
REGION: ${{ steps.params.outputs.REGION}}
steps:
- uses: actions/checkout@v4
- name: Job parameter check
if: github.event.inputs.doDebugSteps == 'true'
run: |
echo "Param file path is: ${{ env.ParamFilePath }}"
echo "Resource name is ${{ env.RESNAME }}"
echo "Deployment name is ${{ env.DEPNAME }}"
echo "Ref is ${{ github.ref }}"
echo "Ref name is ${{GITHUB.REF_NAME}}"
echo "EventTrigger name is ${{github.event_name}}"
echo "PR contains bug : ${{contains(github.event.pull_request.labels.*.name, 'bug')}}"
echo "PR labels : ${{github.event.pull_request.labels.*.name}}"
echo "AZCLIVERSION is ${{ env.AZCLIVERSION }}"
echo "doDebugSteps is ${{ github.event.inputs.doDebugSteps }}"
echo "doVerifySteps is ${{ github.event.inputs.doVerifySteps }}"
- name: Arm Parameter file check
if: github.event.inputs.doVerifySteps == 'true'
shell: pwsh
run: |
Write-Output "Checking parameter file existence/contents"
$paramFilePath="${{ env.ParamFilePath }}"
Test-Path $paramFilePath
if (Test-Path $paramFilePath) {
$paramFileContent=Get-Content $paramFilePath
Write-Output $paramFileContent
Write-Output "Test Pulling a param (storageAccountType)"
$params=$paramFileContent|ConvertFrom-Json
Write-Output $params.parameters.storageAccountType.value
}
- name: Parameter Value Augmentation
id: params
env:
DEFAULTRGNAME: gh-osdu-developer
run: |
if [ -z "${{ github.event.inputs.region }}" ]
then
echo "Region parameter not available through GitHub event data, setting default"
REGION="eastus"
else
echo "Region parameter found in GitHub event (${{ github.event.inputs.region }})"
REGION="${{ github.event.inputs.region }}"
fi
echo $REGION
echo "REGION=$REGION" >> $GITHUB_OUTPUT
if [ -z "${{ github.event.inputs.ResourceGroup }}" ]
then
echo "ResourceGroup parameter not available through GitHub event data, setting to default"
echo $DEFAULTRGNAME
echo "RESOURCEGROUP=$DEFAULTRGNAME" >> $GITHUB_OUTPUT
else
echo "Resource Group parameter found in GitHub event (${{ github.event.inputs.ResourceGroup }})"
echo "RESOURCEGROUP=${{ github.event.inputs.ResourceGroup }}" >> $GITHUB_OUTPUT
fi
- name: Azure Login
uses: Azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
environment: azurecloud
allow-no-subscriptions: false
- name: Install Pwsh modules
shell: pwsh
run: |
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
Install-Module -Name Az.KeyVault -Force
- name: Verify Resource Group Exists
id: hasResourceGroup
env:
RESOURCE_GROUP: ${{ steps.params.outputs.RESOURCEGROUP }}
LOCATION: ${{ steps.params.outputs.REGION }}
uses: azure/CLI@v1
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
echo "RESOURCE_GROUP is $RESOURCE_GROUP"
echo "LOCATION is $LOCATION"
EXISTING=$(az group list --query "[?name=='$RESOURCE_GROUP'].[name]" -otsv)
if [ "$EXISTING" == "" ]
then
az group create --name $RESOURCE_GROUP --location $LOCATION
else
echo "Resource Group $RESOURCE_GROUP exists"
fi
- name: Verify any active Azure Resource Group Deployments #These can mess up our deployment
id: activedeps
if: github.event.inputs.doVerifySteps == 'true'
env:
RESOURCE_GROUP: ${{ steps.params.outputs.RESOURCEGROUP }}
uses: azure/CLI@v1
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
echo "AZ CLI version"
az version
RUNCOUNT=$(az deployment group list -g $RESOURCE_GROUP --query "[?properties.provisioningState=='Running'].[properties.provisioningState, name] | length(@)" -o tsv)
echo "Active deployments : $RUNCOUNT"
echo 'Active deployment list'
az deployment group list -g $RESOURCE_GROUP --query "[?properties.provisioningState=='Running'].[properties.provisioningState, name]"
echo "RUNCOUNT=$RUNCOUNT" >> $GITHUB_OUTPUT
- name: Verify AKS Preview Features are available in target Subscription
if: github.event.inputs.doVerifySteps == 'true'
shell: pwsh
run: |
write-output 'Full list of features of AKS'
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService')].{Name:name,State:properties.state}"
write-output 'Features that are still registering'
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService') && properties.state=='Registering'].{Name:name,State:properties.state}"
write-output 'Checking to ensure no features are still registering'
$aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" | ConvertFrom-Json
$registeringfeatures = $aksfeatures | Where-Object {$_.properties.state -eq 'Registering'}
if ($registeringfeatures.count -gt 0) {
Write-Error "There are still features registering"
} else { Write-Output "-- All good, no features in the process of registering" }
write-output 'Check specific features.'
$paramFilePath="${{ env.ParamFilePath }}"
$paramFileContent=Get-Content $paramFilePath
$params=$paramFileContent|ConvertFrom-Json
if($params.parameters.keyVaultAksCSI.value -eq $true) {
$feature='AKS-AzureKeyVaultSecretsProvider'
write-output "-- $feature"
$featureCsi = $aksfeatures | Where-Object {$_.name -like "*$feature"}
$featureCsi.properties.state
if ($featureCsi.properties.state -ne 'Registered') {
Write-Output $featureCsi
Write-Error "$feature NOT registered"
} else { Write-Output "-- Looks like $feature is registered properly" }
}
- name: Create Parameter file imperative override string
uses: azure/CLI@v1
id: imperitiveparams
env:
RESOURCE_GROUP: ${{ steps.params.outputs.RESOURCEGROUP }}
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
PARAMOVERRIDES="location=${{ steps.params.outputs.REGION }}"
echo $PARAMOVERRIDES
echo "PARAMOVERRIDES=$PARAMOVERRIDES" >> $GITHUB_OUTPUT
- name: Validate Infrastructure deployment
uses: azure/CLI@v1
env:
RESOURCE_GROUP: ${{ steps.params.outputs.RESOURCEGROUP }}
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
DEPNAME='Dep${{ github.run_number }}'
PARAMS='${{ steps.imperitiveparams.outputs.PARAMOVERRIDES }} applicationClientId=${{ secrets.STAMP_CLIENT_ID }} '
echo $PARAMS
az deployment group validate -f bicep/main.bicep -g $RESOURCE_GROUP -p ${{ env.ParamFilePath }} -p $PARAMS --verbose
- name: What If
uses: azure/CLI@v1
id: whatif
env:
RESOURCE_GROUP: ${{ steps.params.outputs.RESOURCEGROUP }}
continue-on-error: true #Setting to true due to bug in the AzureCLI https://github.com/Azure/azure-cli/issues/19850
with:
azcliversion: ${{ env.AZCLIVERSION }} #latest
inlineScript: |
DEPNAME='${{ env.DEPNAME }}'
WHATIFPATH='whatif.json'
PARAMS='${{ steps.imperitiveparams.outputs.PARAMOVERRIDES }} applicationClientId=${{ secrets.STAMP_CLIENT_ID }}'
az deployment group what-if --no-pretty-print -f bicep/main.bicep -g $RESOURCE_GROUP -p ${{ env.ParamFilePath }} -p $PARAMS > $WHATIFPATH
if [[ -f $WHATIFPATH ]]
then
echo "The WhatIf json file was created"
fi
cat $WHATIFPATH
echo "edgeSuccess=true" >> $GITHUB_OUTPUT
- name: What If Analysis Output - Parse output
if: github.event.inputs.doVerifySteps == 'true'
shell: pwsh
run: |
$whatifpath='whatif.json'
Write-Output "Checking for JSON What-If"
$whatifexists=Test-Path -path $whatifpath
Write-Output $whatifexists
if ($whatifexists) {
$jsonFileRaw=Get-Content $whatifpath
Write-Output $jsonFileRaw
$whatIf=$jsonFileRaw | ConvertFrom-Json
if ($null -eq $whatIf) {
Write-Output "What If results are null"
} else {
Write-Output $whatif.changes[0].after.type
}
}
Deploy:
name: Deploy
runs-on: ubuntu-latest
needs: [Validate]
environment: ${{ github.event.inputs.environment }}
env:
RESOURCE_GROUP: ${{ needs.Validate.outputs.RESOURCEGROUP }}
REGION: ${{ needs.Validate.outputs.REGION }}
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/develop'
steps:
- uses: actions/checkout@v4
- name: Job parameter check
if: github.event.inputs.doDebugSteps == 'true'
run: |
echo "RESOURCE_GROUP is: ${{ env.RESOURCE_GROUP }}"
echo "Param file path is: ${{ env.ParamFilePath }}"
echo "Deployment name is ${{ env.DEPNAME }}"
- name: Parameter file check
if: github.event.inputs.doVerifySteps == 'true'
shell: pwsh
run: |
Write-Output "Checking parameter file existence/contents"
$paramFilePath="${{ env.ParamFilePath }}"
Test-Path $paramFilePath
if (Test-Path $paramFilePath) {
$paramFileContent=Get-Content $paramFilePath
Write-Output $paramFileContent
Write-Output "Test Pulling a param (storageAccountType)"
$params=$paramFileContent|ConvertFrom-Json
Write-Output $params.parameters.storageAccountType.value
}
- name: Azure Login
uses: Azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
environment: azurecloud
allow-no-subscriptions: false
- name: Deploy Infrastructure
id: deployAks
uses: azure/CLI@v1
with:
azcliversion: ${{ env.AZCLIVERSION }}
inlineScript: |
DEPNAME='Dep${{ github.run_number }}'
PARAMS="location=$REGION applicationClientId=${{ secrets.STAMP_CLIENT_ID }}"
az deployment group create -f bicep/main.bicep -g $RESOURCE_GROUP -p ${{ env.ParamFilePath }} -p $PARAMS --name $DEPNAME --verbose
az deployment operation group list --resource-group $RESOURCE_GROUP --name $DEPNAME
AKS_NAME=$(az deployment group show -n $DEPNAME -g $RESOURCE_GROUP --query "properties.outputs.aksName.value" -o tsv)
echo "AKS_NAME=$AKS_NAME" >> $GITHUB_OUTPUT
Verify:
name: Verify
runs-on: ubuntu-latest
needs: [Validate, Deploy]
env:
RESOURCE_GROUP: ${{ needs.Validate.outputs.RESOURCEGROUP }}
steps:
- uses: actions/checkout@v4
- name: Param check
if: github.event.inputs.doDebugSteps == 'true'
run: |
echo "RESOURCE_GROUP is $RESOURCE_GROUP"
echo "Param file path is: ${{ env.ParamFilePath }}"
echo "Deployment name is ${{ env.DEPNAME }}"
echo "AKS name is ${{ needs.Deploy.outputs.AKS_NAME }}"
- name: Azure Login
uses: Azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
environment: azurecloud
allow-no-subscriptions: false
- name: Test Deployment
shell: pwsh
run: |
$RESOURCE_GROUP='${{ env.RESOURCE_GROUP }}'
$AKS_NAME='${{ needs.Deploy.outputs.AKS_NAME }}'
$paramFilePath="${{ env.ParamFilePath }}"
$params = Get-Content $paramFilePath | ConvertFrom-Json
Write-Output "Checking for User Assigned Identity"
if($params.parameters.custom_vnet.value -eq $true) {
$aksId=az aks show -n $AKS_NAME -g $RESOURCE_GROUP --query "identity.type" -o tsv
write-output $aksId
if($aksId -eq "UserAssigned"){
Write-Output "UAI set correctly"
} else {
Write-Error "UAI not set properly"}
}
Write-Output "Checking for CSI Secrets driver"
if($params.parameters.keyVaultAksCSI.value -eq $true) {
$csiEnabled=az aks show -n $AKS_NAME -g $RESOURCE_GROUP --query "addonProfiles.omsagent.enabled" -o tsv
write-output $csiEnabled
if($csiEnabled -eq "true"){
Write-Output "CSI Secrets driver set correctly"
} else {
Write-Error "CSI Secrets driver not set properly"}
}