testing bicep cicd - added new oidc client id for read-only access, t… (

#199)

* testing bicep cicd - added new oidc client id for read-only access, testing what-if flag

* Adding region into the bicep yml, env var and to the what-if arm-deploy action

* testing pipeline, adding puysh trigger for this branch

* testing pipeline, adding puysh trigger for this branch

* testing with prod id as the what-if scenario requires same level of permissions

* testing with prod id as the what-if scenario requires same level of permissions

* testing the deployment

* testing the deployment

* testing cicd bicep templates

* testing cicd

* testing cicd

* testing cicd

* disabling psrule for now

* disabling psrule for now

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* consolidating tf scenario 1 workflows into a single cicd pipeline

* renaming consolidated scenario 1 tf pipeline

* Adding concurrency, removed redundant param files

* Adding concurrency, removed redundant param files

* removing test branch trigger

* cleanup

* cleanup

.github/workflows/.template.bicep.yml

@@ -0,0 +1,107 @@
+name: '.Template - Bicep Deployment'
+
+on:
+  workflow_call:
+    inputs:
+      # bicepVersion:
+      #   type: string
+      #   description: 'Bicep version'
+      #   required: true
+      #   default: 'v0.24.24'
+      modulePath:
+        type: string
+        description: 'Path to the Bicep module'
+        required: true
+        default: 'scenarios/secure-baseline-multitenant/bicep'
+      deployStackName:
+        type: string
+        description: 'Name of the subscription scoped stack to deploy'
+        required: false
+        default: 'secure-baseline-multitenant'
+      bicepParamPath:
+        type: string
+        description: 'Path to the Bicep variables'
+        required: true
+      bicepAdditionalParams:
+        type: string
+        description: 'Optional parameters to pass to Bicep in string format'
+        required: false
+        default: --deny-settings-mode 'none'
+      destroy:
+        type: boolean
+        description: 'Destroy resources?'
+        default: false
+      region:
+        type: string
+        description: 'Azure region'
+        required: true
+        default: 'westus2'
+
+jobs:
+  validate:
+    name: "Validate Bicep files"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@v4
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: Run Bicep linter
+        run: az bicep build --file ${{ inputs.modulePath }}
+        # working-directory: ${{ inputs.modulePath }}
+
+      # TODO: Buildout PSRule policies
+      # - name: Run PSRule analysis
+      #   uses: microsoft/[email protected]
+      #   with:
+      #     modules: PSRule.Rules.Azure
+
+  deploy:
+    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    name: 'Deploy'
+    environment: production
+    needs: validate
+    timeout-minutes: 360
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@main
+
+      # Log into Azure via OIDC
+      - uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION }}
+
+      - name: Deploy Bicep Scenario
+        run: |
+          # If Destroy flag is set, delete the stack
+          if ${{ inputs.destroy }}; then
+            echo "Destroying stack ${{ inputs.deployStackName }}"
+
+            # Possible flags for delete: --delete-all, --delete-resource-groups, --delete-resources
+            az stack delete --name ${{ inputs.deployStackName }} --delete-all --yes
+
+            exit 0 # Exit successfully
+          fi
+
+          az stack sub create --name ${{ inputs.deployStackName }} \
+            --location ${{ inputs.region }} \
+            --template-file ${{ inputs.modulePath }} \
+            --parameters ${{ inputs.bicepParamPath }} \
+            ${{ inputs.bicepAdditionalParams }}
+
+      # Potential Deny Settings
+      # -----------------------------
+      # deny-settings-mode: Defines the operations that are prohibited on the managed resources to safeguard against unauthorized security principals attempting to delete or update them. This restriction applies to everyone unless explicitly granted access. The values include: none, denyDelete, and denyWriteAndDelete.
+      # deny-settings-apply-to-child-scopes: Deny settings are applied to child Azure management scopes.
+      # deny-settings-excluded-actions: List of role-based access control (RBAC) management operations excluded from the deny settings. Up to 200 actions are allowed.
+      # deny-settings-excluded-principals: List of Microsoft Entra principal IDs excluded from the lock. Up to five principals are allowed.
+

.github/workflows/scenario1.bicep.yml

@@ -0,0 +1,73 @@
+name: 'Scenario 1: Bicep Multi-Tenant ASEv3 Secure Baseline'
+
+# This workflow tests the ASEv3 Secure Baseline Multi-Tenant scenario deployment.
+# This will use the default parameter file (main.parameters.jsonc) with an overridden
+#   SKU to deploy ASEv3
+
+concurrency:
+  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  cancel-in-progress: false
+
+on:
+  workflow_dispatch:
+
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/_template.bicep.yml'
+      - '.github/workflows/scenario1.bicep.yml'
+      - 'scenarios/secure-baseline-multitenant/bicep/**.bicep'
+      - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc'
+      - '!scenarios/secure-baseline-multitenant/**.md'
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/_template.bicep.yml'
+      - '.github/workflows/scenario1.bicep.yml'
+      - 'scenarios/secure-baseline-multitenant/bicep/**.bicep'
+      - 'scenarios/secure-baseline-multitenant/bicep/main.parameters.jsonc'
+      - '!scenarios/secure-baseline-multitenant/**.md'
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  deployStackName: 'Scenario1-ASEv3-Secure-Baseline-MultiTenant'
+  deploymentPath: 'scenarios/secure-baseline-multitenant/bicep/main.bicep'
+  scenarioName: 'ase-multitenant'
+  region: 'westus2'
+  # webAppPlanSKU is the only parameter that is overridden for ASEv3
+  webAppPlanSku: 'ASE_I3V2_AZ'
+
+jobs:
+  prepare-environment:
+    name: 'Prepare CICD Environment for Bicep Workflow'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@main
+    outputs:
+      deployStackName: ${{ env.deployStackName }}
+      region: ${{ env.region }}
+      modulePath: ${{ env.deploymentPath }}
+      bicepParamPath: ${{ env.deploymentPath }}/main.parameters.jsonc
+      bicepAdditionalParams: -p webAppPlanSku=${{ env.webAppPlanSku }} --deny-settings-mode 'none'
+
+  call-workflow-passing-data:
+    name: 'Bicep CICD'
+    needs: 
+    - prepare-environment
+    uses: ./.github/workflows/.template.bicep.yml
+    with:
+      deployStackName: ${{ needs.prepare-environment.outputs.deployStackName }}
+      region: ${{ needs.prepare-environment.outputs.region }}
+      modulePath: ${{ needs.prepare-environment.outputs.modulePath }}
+      bicepParamPath: ${{ needs.prepare-environment.outputs.bicepParamPath }}
+      bicepAdditionalParams: ${{ needs.prepare-environment.outputs.bicepAdditionalParams }}
+      # Ensure this value is a boolean
+      destroy: ${{ github.event.inputs.destroy == 'true' }}
+    secrets: inherit