Skip to content
Scenario 2: Bicep Single-tenant ASEv3 Secure Baseline

feat: merge scenarios #4

Sign in to view logs

feat: merge scenarios

feat: merge scenarios #4

Workflow file for this run

.github/workflows/scenario2.bicep.yml at 0ecc7d4
name: 'Scenario 2: Bicep Single-tenant ASEv3 Secure Baseline'
on:
workflow_dispatch:
push:
branches:
- main
paths:
- '.github/workflows/bicep.scenario2.yml'
- 'scenarios/secure-baseline-ase/bicep/**'
- '!scenarios/secure-baseline-ase/**.md'
pull_request:
branches:
- main
- feature/*
- feat/*
- fix/*
paths:
- '.github/workflows/bicep.scenario2.yml'
- 'scenarios/secure-baseline-ase/bicep/**'
- '!scenarios/secure-baseline-ase/**.md'
permissions:
id-token: write
contents: read
env:
modulePath: 'scenarios/secure-baseline-ase/bicep'
jobs:
validate_bicep:
name: "Validate Bicep files"
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Validate that bicep builds
run: az bicep build -f main.bicep
working-directory: ${{ env.modulePath }}
build-and-deploy:
timeout-minutes: 360
name: "Deploy Bicep templates"
needs: validate_bicep
runs-on: ubuntu-latest
environment: production
steps:
# Checkout code
- name: Checkout the code
uses: actions/checkout@main
- name: Variable substitution
uses: microsoft/variable-substitution@v1
with:
files: ${{ env.modulePath }}/config.yml
env:
ACCOUNT_NAME: ${{ secrets.AZURE_SUBSCRIPTION }}
- name: Install yq to parse yaml file
run: |
sudo wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.5.0/yq_linux_amd64
sudo chmod +x /usr/local/bin/yq
- name: Parse config.yaml as output to GitHub Actions matrix
run: |
echo "config=$(yq e ${{ env.modulePath }}/config.yml -j -I=0)" >> $GITHUB_ENV
- name: Write deployment information to log
run: |
echo "Deploying to ${{ fromJson(env.config).AZURE_LOCATION }} with name prefix ${{ fromJson(env.config).RESOURCE_NAME_PREFIX }}"
# Log into Azure via OIDC
- uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
- name: Run Preflight Validation
working-directory: ${{ env.modulePath }}
run: |
az deployment sub validate \
--location ${{ fromJson(env.config).AZURE_LOCATION }} \
--parameters workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }} \
vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }}\
accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}} \
createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }} --template-file main.bicep
# Deploy Bicep file, need to point parameters to the main.parameters.json location
- name: deploy
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
scope: subscription
region: ${{ fromJson(env.config).AZURE_LOCATION }}
deploymentName: "${{ fromJson(env.config).DEPLOYMENT_NAME }}-${{ fromJson(env.config).AZURE_LOCATION }}"
template: ${{ env.modulePath }}/main.bicep
parameters: >
workloadName=${{ fromJson(env.config).RESOURCE_NAME_PREFIX }} environment=${{ fromJson(env.config).ENVIRONMENT_TAG }}
vmUsername=${{ fromJson(env.config).VM_USERNAME }} vmPassword=${{ secrets.VM_PW }} location=${{ fromJson(env.config).AZURE_LOCATION }}
accountName=${{ secrets.ACCOUNT_NAME }} personalAccessToken=${{ secrets.PAT }} CICDAgentType=${{ fromJson(env.config).CICD_AGENT_TYPE}}
createRedisResource=${{ fromJson(env.config).CREATE_REDIS_RESOURCE }} redisTier=${{ fromJson(env.config).REDIS_TIER }}