Add support to automatically generate ARM templates and Deploy to Azu…
…… (#8) * Add support to automatically generate ARM templates and Deploy to Azure buttons * Allow manual triggering of the workflow * Update URL with branch name of workflow
1 parent
e72866e
commit 34a37b2
Showing
6 changed files
with
177 additions
and
1 deletion.
@@ -0,0 +1,143 @@ | ||
name: Build Policy Sets | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
workflow_dispatch: # This allows the workflow to be triggered manually | ||
|
||
jobs: | ||
cleanup-arm-templates: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Delete ARMTemplates folder if it exists | ||
run: | | ||
if [ -d "ARMTemplates" ]; then | ||
rm -rf ARMTemplates | ||
fi | ||
- name: Commit changes | ||
run: | | ||
git config --global user.name "github-actions[bot]" | ||
git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
git add -A | ||
git commit -m "Delete ARMTemplates folder" --allow-empty | ||
git push --force | ||
cleanup-readme-files: | ||
needs: cleanup-arm-templates | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Sync with main branch | ||
run: git pull | ||
|
||
- name: Remove Deploy to Azure button from README.md files | ||
run: | | ||
find PolicyInitiatives -name "README.md" | while read file; do | ||
sed -i '/\[!\[Deploy to Azure\](.*)\](.*)/d' "$file" | ||
done | ||
- name: Commit changes | ||
run: | | ||
git config --global user.name "github-actions[bot]" | ||
git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
git add -A | ||
git commit -m "Remove Deploy to Azure button from README.md files" --allow-empty | ||
git push --force | ||
list-bicep-files: | ||
needs: cleanup-readme-files | ||
runs-on: ubuntu-latest | ||
outputs: | ||
files: ${{ steps.list.outputs.files }} | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: List Bicep files | ||
id: list | ||
run: | | ||
files=$(find PolicyInitiatives -name "*.bicep" | jq -R -s -c 'split("\n")[:-1]') | ||
echo "FILES=$files" >> "$GITHUB_OUTPUT" | ||
build: | ||
needs: list-bicep-files | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
file: ${{ fromJson(needs.list-bicep-files.outputs.FILES) }} | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Sync with main branch | ||
run: git pull | ||
|
||
- name: Extract branch name | ||
id: extract_branch | ||
run: echo "BRANCH_NAME=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Make output directory | ||
run: mkdir -p ARMTemplates | ||
|
||
- name: Set output file path | ||
id: set-output-path | ||
run: echo "OUTPUT_FILE_PATH=ARMTemplates/$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Set output file name | ||
id: set-output-name | ||
run: echo "OUTPUT_FILE_NAME=$(basename ${{ matrix.file }} .bicep).json" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Bicep Build | ||
uses: Azure/[email protected] | ||
with: | ||
bicepFilePath: ${{ matrix.file }} | ||
outputFilePath: ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }} | ||
|
||
- name: Update README.md with Deploy to Azure button | ||
run: | | ||
urlencode() { | ||
local length="${#1}" | ||
for (( i = 0; i < length; i++ )); do | ||
local c="${1:i:1}" | ||
case $c in | ||
[a-zA-Z0-9.~_-]) printf "$c" ;; | ||
*) printf '%%%02X' "'$c" ;; | ||
esac | ||
done | ||
} | ||
dir=$(dirname ${{ matrix.file }}) | ||
readme="$dir/README.md" | ||
if [ -f "$readme" ]; then | ||
arm_template_url="https://raw.githubusercontent.com/${{ github.repository }}/${{ steps.extract_branch.outputs.BRANCH_NAME }}/ARMTemplates/${{ steps.set-output-name.outputs.OUTPUT_FILE_NAME }}" | ||
encoded_url=$(urlencode "$arm_template_url") | ||
button="[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/$encoded_url)" | ||
first_line=$(head -n 1 $readme) | ||
if [[ $first_line == *"[![Deploy to Azure]"* ]]; then | ||
tail -n +2 $readme > $readme.tmp | ||
echo -e "$button\n$(cat $readme.tmp)" > $readme | ||
rm $readme.tmp | ||
else | ||
temp_file=$(mktemp) | ||
echo -e "$button\n$(cat $readme)" > $temp_file | ||
mv $temp_file $readme | ||
fi | ||
fi | ||
- name: Set git user | ||
run: git config --global user.name "GitHub Actions" && git config --global user.email "GitHub Actions" | ||
|
||
- name: Commit changes | ||
run: | | ||
git pull | ||
git add ${{ steps.set-output-path.outputs.OUTPUT_FILE_PATH }} | ||
git add $(dirname ${{ matrix.file }})/README.md | ||
git commit -m "Add generated ARM templates and update README.md" --allow-empty | ||
git push --force |
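Review bot: The build matrix runs one job per Bicep file in parallel, and each job ends with `git pull` followed by `git push --force` (last step of the hunk; the two cleanup jobs end the same way), so two jobs that pull between each other's pushes will have one force-push discard the other's commit and silently drop generated templates. Dropping `--force` would at least make that race fail loudly; adding `max-parallel: 1` under `strategy:`, or uploading the ARM output as artifacts and committing once in a final job, would remove it. Separately, `${{ matrix.file }}` is expanded straight into `run:` shell text (Set output file path, Set output file name, the README step and the final `git add`), so a path under PolicyInitiatives containing quotes or `$(...)` is executed rather than treated as data; passing it through `env: FILE: ${{ matrix.file }}` and using `"$FILE"` keeps it a string and also fixes the unquoted `basename`/`dirname` calls for names with spaces. The workflow also declares no `permissions:` block; pinning `permissions: contents: write` at the top makes the token scope explicit instead of depending on the repository default. The README step's `echo -e "$button\n$(cat $readme)"` will additionally rewrite any backslash escapes in existing README text and strip its trailing newlines; `printf '%s\n' "$button" | cat - "$readme" > "$temp_file"` preserves the content unchanged.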
@@ -0,0 +1,26 @@ | ||
targetScope = 'managementGroup' | ||
|
||
var a21 = loadJsonContent('Initiative A2_1_Ordinari.json') | ||
var a22 = loadJsonContent('Initiative A2_2_Critici.json') | ||
var b21 = loadJsonContent('Initiative B2_1_Ordinari.json') | ||
var b22 = loadJsonContent('Initiative B2_2_Critici.json') | ||
|
||
resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { | ||
name: a21.name | ||
properties: a21.properties | ||
} | ||
|
||
resource policySet2 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { | ||
name: a22.name | ||
properties: a22.properties | ||
} | ||
|
||
resource policySet3 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { | ||
name: b21.name | ||
properties: b21.properties | ||
} | ||
|
||
resource policySet4 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { | ||
name: b22.name | ||
properties: b22.properties | ||
} |
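Review bot: The four `policySet1`..`policySet4` resources are identical apart from the variable they read, which invites copy-paste drift when a fifth initiative is added; a single resource loop over an array of the loaded JSON documents expresses the same deployment once. `loadJsonContent` still needs a literal path for each file, so the file names stay spelled out in the array. The loop replaces the four symbolic names with one, so any `dependsOn` or output elsewhere that referenced `policySet1`..`policySet4` (none visible in this commit) would need updating.
```bicep
var policySets = [
  loadJsonContent('Initiative A2_1_Ordinari.json')
  loadJsonContent('Initiative A2_2_Critici.json')
  loadJsonContent('Initiative B2_1_Ordinari.json')
  loadJsonContent('Initiative B2_2_Critici.json')
]

resource policySet 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = [for set in policySets: {
  name: set.name
  properties: set.properties
}]
```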
File renamed without changes.
targetScope = 'managementGroup' | ||
|
||
var csa = loadJsonContent('Cloud_Security_Alliance_Cloud_Controls_v4.json') | ||
|
||
resource policySet1 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { | ||
name: csa.name | ||
properties: csa.properties | ||
} |
File renamed without changes.