From 1f42376b7758c6dc46077c92fd9062e7990d2379 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Thu, 14 Mar 2024 13:53:54 +0100 Subject: [PATCH 1/7] chore(github): remove unused gh workflows --- .github/workflows/DeployTestFrontend.yml | 59 ----------- .github/workflows/PublishTestFrontend.yml | 117 --------------------- .github/workflows/WorkflowTestFrontend.yml | 27 ----- .github/workflows/test-login.yml | 28 ----- 4 files changed, 231 deletions(-) delete mode 100644 .github/workflows/DeployTestFrontend.yml delete mode 100644 .github/workflows/PublishTestFrontend.yml delete mode 100644 .github/workflows/WorkflowTestFrontend.yml delete mode 100644 .github/workflows/test-login.yml diff --git a/.github/workflows/DeployTestFrontend.yml b/.github/workflows/DeployTestFrontend.yml deleted file mode 100644 index 7c9b0df6..00000000 --- a/.github/workflows/DeployTestFrontend.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: DeployTestFrontend -on: - workflow_call: - secrets: - AZURE_CLIENT_ID: - required: true - AZURE_TENANT_ID: - required: true - AZURE_SUBSCRIPTION_ID: - required: true - - inputs: - environment: - required: true - type: string - -jobs: - deploy: - name: Deploy Frontend to ${{ inputs.environment }} - runs-on: ubuntu-latest - environment: ${{ inputs.environment }} - permissions: - id-token: write - contents: read - packages: read - steps: - - name: Download artifacts - uses: actions/download-artifact@v3 - with: - name: artifacts - - - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true) - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - enable-AzPSSession: true - # - - name: 'Get resource group with PowerShell action' - uses: azure/powershell@v1 - with: - inlineScript: | - Get-AzResourceGroup - azPSVersion: 'latest' - - - name: Deploy infrastructure - id: bicep - shell: pwsh - run: > - .azure/deployBicep.ps1 - -environment test - -gitSha ${{github.sha}} - -subscriptionId ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Logout from azure - if: ${{failure() || success()}} - continue-on-error: true - run: az logout diff --git a/.github/workflows/PublishTestFrontend.yml b/.github/workflows/PublishTestFrontend.yml deleted file mode 100644 index e1ada2c6..00000000 --- a/.github/workflows/PublishTestFrontend.yml +++ /dev/null 
@@ -1,117 +0,0 @@ -name: PublishTestFrontend -on: - workflow_dispatch: - workflow_call: - inputs: - publishArtifacts: - required: false - type: boolean - default: false - # push: - # branches: ['main'] - -jobs: - publish-migration-and-iac-frontend: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Copy .azure directory to artifact - run: | - # Make sure the .azure directory exists - if [ -d .azure ]; then - # Create the destination directory if it doesn't exist - mkdir -p /home/runner/work/dialogporten-frontend/dialogporten-frontend/artifacts - # Copy the .azure directory to the destination - cp -r .azure /home/runner/work/dialogporten-frontend/dialogporten-frontend/artifacts/.azure - fi - shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} - - - name: Upload .azure directory as an artifact - uses: actions/upload-artifact@v3 - with: - name: artifacts - path: ${{ github.workspace }}/artifacts - - # - name: Log in to the Container registry - # uses: docker/login-action@v3 - # with: - # registry: ${{ env.REGISTRY }} - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Build and push Docker image - # uses: docker/build-push-action@v5 - # with: - # push: true - # tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-node-bff:${{ github.sha }} - - publish-docker-images: - env: - DOCKER_IMAGE_BASE: ghcr.io/digdir/dialogporten-frontend- - needs: publish-migration-and-iac-frontend - if: ${{inputs.publishArtifacts}} - runs-on: ubuntu-latest - - strategy: - fail-fast: false # TODO: set true - matrix: - include: - - dockerfile: ./Dockerfile - imageName: node-bff - # - dockerfile: ./src/Digdir.Domain.Dialogporten.Service/Dockerfile - # imageName: service - # - dockerfile: 
./src/Digdir.Domain.Dialogporten.ChangeDataCapture/Dockerfile - # imageName: cdc - # - dockerfile: ./src/Digdir.Domain.Dialogporten.Infrastructure/MigrationBundleDockerfile - # imageName: migration-bundle - # - dockerfile: ./src/Digdir.Domain.Dialogporten.Infrastructure.MigrationJobVerifier/Dockerfile - # imageName: migration-verifier - - permissions: - contents: read - packages: write - - steps: - - uses: actions/checkout@v4 - - - name: Login to GitHub Container Registry - if: ${{inputs.publishArtifacts}} - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.DOCKER_IMAGE_BASE }}${{ matrix.imageName }} - - - name: Build and push docker image - uses: docker/build-push-action@v5 - with: - context: . - file: ${{ matrix.dockerfile }} - push: true - tags: | - ${{ steps.meta.outputs.tags }}, - ${{ env.DOCKER_IMAGE_BASE }}${{ matrix.imageName }}:${{ github.sha }} - labels: ${{ steps.meta.outputs.labels }} - - - name: testa - run: | - echo "tags=${{ steps.meta.outputs.tags }}" - echo "labels=${{ steps.meta.outputs.labels }}" diff --git a/.github/workflows/WorkflowTestFrontend.yml b/.github/workflows/WorkflowTestFrontend.yml deleted file mode 100644 index bfa7c62d..00000000 --- a/.github/workflows/WorkflowTestFrontend.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -name: WorkflowTest - -on: - workflow_dispatch: - push: - branches: [main] - #paths: [ src/**, tests/**, .github/workflows/** ] - -jobs: - BuildAndRunTests: - uses: ./.github/workflows/BuildAndRunTestsFrontend.yml - secrets: inherit - with: - environment: test - - BuildContainersAndPublishToGHCR: - needs: [BuildAndRunTests] - uses: ./.github/workflows/PublishTestFrontend.yml - with: - publishArtifacts: true - - DeployToAzureTestEnv: - needs: [BuildContainersAndPublishToGHCR] - uses: ./.github/workflows/DeployTestFrontend.yml - secrets: inherit - with: - environment: test diff --git a/.github/workflows/test-login.yml b/.github/workflows/test-login.yml deleted file mode 100644 index 7a01e0fa..00000000 --- a/.github/workflows/test-login.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Test Azure Login with OpenID Connect and PowerShell -on: - workflow_dispatch: - -permissions: - id-token: write - contents: read - -jobs: - Windows-latest: - runs-on: windows-latest - environment: - name: test - steps: - - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true) - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - enable-AzPSSession: true - - - name: 'Get resource group with PowerShell action' - uses: azure/powershell@v1 - with: - inlineScript: | - Get-AzResourceGroup - azPSVersion: "latest" From 86567b388cc68e290f16fd0f4df14a788b3ea6bc Mon Sep 17 00:00:00 2001 
From: Are Almaas Date: Thu, 14 Mar 2024 14:16:11 +0100 Subject: [PATCH 2/7] ci: refactor workflows to match backend --- .github/workflows/ci-cd-main.yml | 16 ++++++++++++++++ .github/workflows/ci-cd-pull-request.yml | 15 +++++++++++++++ .../{CI.yml => workflow-build-and-test.yml} | 10 ---------- .../{cd-docs.yml => workflow-deploy-docs.yml} | 6 ++---- ...aywright.yml => workflow-playwright-test.yml} | 16 ++-------------- 5 files changed, 35 insertions(+), 28 deletions(-) create mode 100644 .github/workflows/ci-cd-main.yml create mode 100644 .github/workflows/ci-cd-pull-request.yml rename .github/workflows/{CI.yml => workflow-build-and-test.yml} (88%) rename .github/workflows/{cd-docs.yml => workflow-deploy-docs.yml} (96%) rename .github/workflows/{playwright.yml => workflow-playwright-test.yml} (77%) diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml new file mode 100644 index 00000000..a5f89a40 --- /dev/null +++ b/.github/workflows/ci-cd-main.yml @@ -0,0 +1,16 @@ +name: CI/CD Main + +on: + push: + branches: + - main + +jobs: + build-and-test: + uses: ./.github/workflows/workflow-build-and-test.yml + with: + environment: test + + deploy-documentation: + uses: ./.github/workflows/workflow-deploy-docs.yml + \ No newline at end of file diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml new file mode 100644 index 00000000..6de8bfda --- /dev/null +++ b/.github/workflows/ci-cd-pull-request.yml @@ -0,0 +1,15 @@ +name: CI/CD Pull Request + +on: + pull_request: + branches: [main] + types: [opened, synchronize, reopened] + +jobs: + build-and-test: + uses: ./.github/workflows/workflow-build-and-test.yml + with: + environment: test + + playwright-test: + uses: ./.github/workflows/workflow-playwright-test.yml \ No newline at end of file 
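Review bot: The `deploy-documentation` job in the new ci-cd-main.yml has no `needs: build-and-test`, so documentation is deployed on every push to main even when the build or tests fail. If that ordering is intended, a one-line comment saying so would help; otherwise add `needs: build-and-test` under `deploy-documentation:`. The same independence applies to `playwright-test` in ci-cd-pull-request.yml, which runs regardless of the outcome of `build-and-test`. Both new files are also committed without a trailing newline (`\ No newline at end of file`).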
diff --git a/.github/workflows/CI.yml b/.github/workflows/workflow-build-and-test.yml similarity index 88% rename from .github/workflows/CI.yml rename to .github/workflows/workflow-build-and-test.yml index 095cdd41..ae9d9efe 100644 --- a/.github/workflows/CI.yml +++ b/.github/workflows/workflow-build-and-test.yml @@ -6,16 +6,6 @@ on: environment: required: true type: string - push: - paths: - - 'packages/**' - - './**' - - '.github/workflows/CI.yml' - - 'package.json' - - 'pnpm-lock.yaml' - - 'pnpm-workspace.yaml' - - 'turbo.json' - - 'biome.json' concurrency: group: ${{ github.ref }} diff --git a/.github/workflows/cd-docs.yml b/.github/workflows/workflow-deploy-docs.yml similarity index 96% rename from .github/workflows/cd-docs.yml rename to .github/workflows/workflow-deploy-docs.yml index 22486897..56e50a06 100644 --- a/.github/workflows/cd-docs.yml +++ b/.github/workflows/workflow-deploy-docs.yml @@ -1,9 +1,7 @@ -name: CD Docs +name: Deploy documentation on: - push: - branches: - - main + workflow_call: jobs: deploy-github-pages: diff --git a/.github/workflows/playwright.yml b/.github/workflows/workflow-playwright-test.yml similarity index 77% rename from .github/workflows/playwright.yml rename to .github/workflows/workflow-playwright-test.yml index 3c405b84..cd5456d0 100644 --- a/.github/workflows/playwright.yml +++ b/.github/workflows/workflow-playwright-test.yml @@ -1,18 +1,6 @@ -name: Playwright tests on pr +name: Playwright tests on: - pull_request: - branches: [main] - types: [opened, synchronize, reopened] - paths: - - 'packages/**' - - './**' - - '.github/workflows/playwright.yml' - - 'package.json' - - 'pnpm-lock.yaml' - - 'pnpm-workspace.yaml' - - 'turbo.json' - - 'biome.json' - + workflow_call: workflow_dispatch: jobs: From 838aacfce10274caf3dedb4bb518fe5bdd1d7a9c Mon Sep 17 00:00:00 2001 
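Review bot: The `concurrency: group: ${{ github.ref }}` kept as context in workflow-build-and-test.yml is now evaluated inside a reusable workflow, where `github.ref` is the caller's ref, so any other called workflow in the same run that uses the same group expression lands in one group. If `cancel-in-progress` is enabled (that line is outside the hunk, so I cannot confirm), a later job could cancel the build; a group that names the workflow, e.g. `group: build-and-test-${{ github.ref }}`, avoids that. The `on:` block of the file continues outside the hunk.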
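Review bot: Switching workflow-deploy-docs.yml to `on: workflow_call:` means its token permissions are now bounded by the calling job, and the `deploy-documentation` job in ci-cd-main.yml declares no `permissions:` block. If the `deploy-github-pages` job (its body is outside the hunk) needs `pages: write` and `id-token: write` and the repository's default token is read-only, the deployment fails with a permissions error; declaring `permissions: { contents: read, pages: write, id-token: write }` on the caller job makes the requirement explicit and keeps the rest of the run at read-only. Dropping the `push` trigger also removes the only way to redeploy the docs without a new push to main; adding `workflow_dispatch:` next to `workflow_call:` would restore that.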
From: Are Almaas Date: Thu, 14 Mar 2024 14:55:56 +0100 Subject: [PATCH 3/7] chore(azure): restructure bicep files --- .azure/applications/.gitkeep | 1 + .azure/deployBicep.ps1 | 127 ------------------ .azure/{ => infrastructure}/main.bicep | 30 ++--- .../{ => infrastructure}/main.parameters.json | 0 .../appConfiguration/addReaderRoles.bicep | 0 .../appConfiguration/addWriterRoles.bicep | 0 .../appConfiguration/create.bicep | 0 .../appConfiguration/upsertKeyValue.bicep | 0 .../applicationInsights/create.bicep | 0 .../addNECertufucateToContainer.bicep | 0 .../containerApp/createMECertificate.bicep | 0 .azure/{ => modules}/containerApp/init.bicep | 0 .../containerApp/upsertAppsettings.bicep | 0 .azure/{ => modules}/customRoles/assign.bicep | 0 .azure/{ => modules}/customRoles/create.bicep | 0 .azure/{ => modules}/dnsZones/create.bicep | 0 .../keyvault/addReaderRoles.bicep | 0 .../{ => modules}/keyvault/copySecrets.bicep | 0 .azure/{ => modules}/keyvault/create.bicep | 0 .../{ => modules}/keyvault/upsertSecret.bicep | 0 .../{ => modules}/migrationJob/create.bicep | 0 .azure/{ => modules}/postgreSql/create.bicep | 0 .../powershell/fetchKeyvaultSecret.ps1 | 0 .azure/{ => modules}/powershell/jsonMerge.ps1 | 0 .../{ => modules}/powershell/pwdGenerator.ps1 | 0 .azure/{ => modules}/website/create.bicep | 0 .../website/upsertAppsettings.bicep | 0 .github/workflows/ci-cd-pull-request.yml | 7 +- 28 files changed, 22 insertions(+), 143 deletions(-) create mode 100644 .azure/applications/.gitkeep delete mode 100755 .azure/deployBicep.ps1 rename .azure/{ => infrastructure}/main.bicep (88%) rename .azure/{ => infrastructure}/main.parameters.json (100%) rename .azure/{ => modules}/appConfiguration/addReaderRoles.bicep (100%) rename .azure/{ => modules}/appConfiguration/addWriterRoles.bicep (100%) rename .azure/{ => modules}/appConfiguration/create.bicep (100%) rename .azure/{ => modules}/appConfiguration/upsertKeyValue.bicep (100%) rename .azure/{ => 
modules}/applicationInsights/create.bicep (100%) rename .azure/{ => modules}/containerApp/addNECertufucateToContainer.bicep (100%) rename .azure/{ => modules}/containerApp/createMECertificate.bicep (100%) rename .azure/{ => modules}/containerApp/init.bicep (100%) rename .azure/{ => modules}/containerApp/upsertAppsettings.bicep (100%) rename .azure/{ => modules}/customRoles/assign.bicep (100%) rename .azure/{ => modules}/customRoles/create.bicep (100%) rename .azure/{ => modules}/dnsZones/create.bicep (100%) rename .azure/{ => modules}/keyvault/addReaderRoles.bicep (100%) rename .azure/{ => modules}/keyvault/copySecrets.bicep (100%) rename .azure/{ => modules}/keyvault/create.bicep (100%) rename .azure/{ => modules}/keyvault/upsertSecret.bicep (100%) rename .azure/{ => modules}/migrationJob/create.bicep (100%) rename .azure/{ => modules}/postgreSql/create.bicep (100%) rename .azure/{ => modules}/powershell/fetchKeyvaultSecret.ps1 (100%) rename .azure/{ => modules}/powershell/jsonMerge.ps1 (100%) rename .azure/{ => modules}/powershell/pwdGenerator.ps1 (100%) rename .azure/{ => modules}/website/create.bicep (100%) rename .azure/{ => modules}/website/upsertAppsettings.bicep (100%) diff --git a/.azure/applications/.gitkeep b/.azure/applications/.gitkeep new file mode 100644 index 00000000..8b60bc6f --- /dev/null +++ b/.azure/applications/.gitkeep @@ -0,0 +1 @@ +# Applications will be added here \ No newline at end of file diff --git a/.azure/deployBicep.ps1 b/.azure/deployBicep.ps1 deleted file mode 100755 index 45e40edf..00000000 --- a/.azure/deployBicep.ps1 +++ /dev/null 
@@ -1,127 +0,0 @@ -param( - [Parameter(Mandatory)] - [string]$environment, - - [Parameter(Mandatory)] - [string]$subscriptionId, - - # [Parameter(Mandatory)] - # [string]$imageUrl, - - # [Parameter(Mandatory)] - # [string]$deployTimestamp, - - [Parameter(Mandatory)] - [string]$gitSha -) -Import-module "$PSScriptRoot/powershell/jsonMerge.ps1" -Force -Import-module "$PSScriptRoot/powershell/pwdGenerator.ps1" -Force - -# Merge main.parameters.json and optional main.parameters.$environment.json -$paramsJson = JsonMergeFromPath "$PSScriptRoot/main.parameters.json" "$PSScriptRoot/main.parameters.$environment.json" -Write-Host "GitSha: $gitSha" - -# Add keyvault keys to parameters.keyVault.value.source.keys -AddMemberPath $paramsJson "parameters.keyVault.value.source.keys" @( ` - az keyvault secret list ` - --vault-name $paramsJson.parameters.keyVault.value.source.name ` - --subscription $paramsJson.parameters.keyVault.value.source.subscriptionId ` - --query "[].name" ` - --output tsv ` -) - -# Add gitSha to parameters -AddMemberPath $paramsJson "parameters.gitSha.value" $gitSha - - -# Add auto generated secrets to parameters -AddMemberPath $paramsJson "parameters.secrets.value" @{ - dialogportenPgAdminPassword = (GeneratePassword -length 30).Password -} -# AddMemberPath $paramsJson "parameters.imageUrl.value" $imageUrl -# AddMemberPath $paramsJson "parameters.deployTimestamp.value" $deployTimestamp - -# Add environment to parameters -AddMemberPath $paramsJson "parameters.environment.value" $environment - -Write-Host (ConvertTo-Json -Depth 100 $paramsJson) - - -# Format parameters to be used in az deployment sub create -$formatedParamsJsonForGHA = $paramsJson ` -| ConvertTo-Json -Compress -Depth 100 ` -| % { $_ -replace "`"", "\`"" } ` -| % { $_ -replace "`n", "" } ` -| % { $_ -replace "\s", "" } - -$formatedParamsJsonForLocalCLI = $paramsJson ` -| ConvertTo-Json -Compress -Depth 100 ` - -$formatedParamsJson = $formatedParamsJsonForGHA - -if ( $environment -match 
'cli-test') { - Write-Host ("********** FOUND LOCAL CLI DEPLOYMENT") - $formatedParamsJson = $formatedParamsJsonForLocalCLI -} -else { - Write-Host ("********** FOUND GITHUB ACTIONS DEPLOYMENT") -} -# # Format parameters to be used in az deployment sub create -# $formatedParamsJson = $paramsJson ` -# | ConvertTo-Json -Compress -Depth 100 ` -# | % { $_ -replace "`"", "\`"" } ` -# | % { $_ -replace "`n", "" } ` -# | % { $_ -replace "\s", "" } - - -# if ($environment == 'cli-fe-dev') { -# Write-Host ("********** FOUND LOCAL CLI DEPLOYMENT") -# $formatedParamsJson = $paramsJson ` -# | ConvertTo-Json -Compress -Depth 100 ` - -# } -# else { -# Write-Host ("********** FOUND GITHUB ACTIONS DEPLOYMENT") -# } - -Write-Host ("********** Starting deployment of $environment **********") -# Write-Host ("********** properties $properties **********") -# Write-Host ("********** formatedParamsJson $formatedParamsJson **********") - -# Deploy -$deploymentOutputs = @( ` - az deployment sub create ` - --subscription $subscriptionId ` - --location $paramsJson.parameters.location.value ` - --name "GithubActionsDeploy-fe-$environment" ` - --template-file "$($PSScriptRoot)/main.bicep" ` - --parameters $formatedParamsJson ` - --query properties.outputs ` - --debug ` - --verbose ` - #--confirm-with-what-if - | ConvertFrom-Json ` -) -Write-Host ("********** deploymentOutputs $deploymentOutputs **********") - -# Start migration job -$resourceGroup = $deploymentOutputs.resourceGroupName.value -$migrationJobName = $deploymentOutputs.migrationJobName.value - -if ([string]::IsNullOrEmpty($resourceGroup)) { - Write-Host "ResourceGroup output is missing" - exit 1 -} -if ([string]::IsNullOrEmpty($migrationJobName)) { - Write-Host "MigrationJobName output is missing" - exit 1 -} - -az containerapp job start -n $migrationJobName -g $resourceGroup - -Write-Host ("********** Starting foreach **********") - -# Write outputs to GITHUB_OUTPUT so that they can be used in other steps -foreach ($Property in 
$deploymentOutputs | Get-Member -type NoteProperty, Property) { - "$($Property.Name)=$($deploymentOutputs.$($Property.Name).value)" >> $env:GITHUB_OUTPUT -} diff --git a/.azure/main.bicep b/.azure/infrastructure/main.bicep similarity index 88% rename from .azure/main.bicep rename to .azure/infrastructure/main.bicep index b95a0517..6fa5ccac 100644 --- a/.azure/main.bicep +++ b/.azure/infrastructure/main.bicep @@ -18,7 +18,7 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { location: location } -module keyVaultModule 'keyvault/create.bicep' = { +module keyVaultModule '../modules/keyvault/create.bicep' = { scope: resourceGroup name: 'keyVault' params: { @@ -28,7 +28,7 @@ module keyVaultModule 'keyvault/create.bicep' = { } } -module appConfiguration 'appConfiguration/create.bicep' = { +module appConfiguration '../modules/appConfiguration/create.bicep' = { scope: resourceGroup name: 'appConfiguration' params: { @@ -37,7 +37,7 @@ module appConfiguration 'appConfiguration/create.bicep' = { } } -module appInsights 'applicationInsights/create.bicep' = { +module appInsights '../modules/applicationInsights/create.bicep' = { scope: resourceGroup name: 'appInsights' params: { @@ -53,7 +53,7 @@ resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2022-11-01' existing = { } // Create resources with dependencies to other resources -module postgresql 'postgreSql/create.bicep' = { +module postgresql '../modules/postgreSql/create.bicep' = { scope: resourceGroup name: 'postgresql' params: { @@ -66,7 +66,7 @@ module postgresql 'postgreSql/create.bicep' = { } } -module copySecret 'keyvault/copySecrets.bicep' = { +module copySecret '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup name: 'copySecrets' params: { 
@@ -79,7 +79,7 @@ module copySecret 'keyvault/copySecrets.bicep' = { } } -module migrationJob 'migrationJob/create.bicep' = { +module migrationJob '../modules/migrationJob/create.bicep' = { scope: resourceGroup name: 'migrationJob' params: { @@ -129,7 +129,7 @@ module migrationJob 'migrationJob/create.bicep' = { } } -module appConfigConfigurations 'appConfiguration/upsertKeyValue.bicep' = { +module appConfigConfigurations '../modules/appConfiguration/upsertKeyValue.bicep' = { scope: resourceGroup name: 'AppConfig_Add_DialogDbConnectionString' params: { @@ -150,7 +150,7 @@ module appConfigConfigurations 'appConfiguration/upsertKeyValue.bicep' = { // } // } -module keyVaultReaderAccessPolicy 'keyvault/addReaderRoles.bicep' = { +module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = { scope: resourceGroup name: 'keyVaultReaderAccessPolicy' params: { @@ -169,7 +169,7 @@ module keyVaultReaderAccessPolicy 'keyvault/addReaderRoles.bicep' = { // } // } -module initContainerApp 'containerApp/init.bicep' = { +module initContainerApp '../modules/containerApp/init.bicep' = { scope: resourceGroup name: 'initContainerApp' params: { @@ -180,7 +180,7 @@ module initContainerApp 'containerApp/init.bicep' = { } } -module createMECertificate 'containerApp/createMECertificate.bicep' = { +module createMECertificate '../modules/containerApp/createMECertificate.bicep' = { dependsOn: [ initContainerApp ] scope: resourceGroup name: 'createMECertificate' @@ -189,7 +189,7 @@ module createMECertificate 'containerApp/createMECertificate.bicep' = { location: location } } -module containerApp 'containerApp/addNECertufucateToContainer.bicep' = { +module containerApp '../modules/containerApp/addNECertufucateToContainer.bicep' = { dependsOn: [ createMECertificate ] scope: resourceGroup name: 'containerApp' 
@@ -245,7 +245,7 @@ module containerApp 'containerApp/addNECertufucateToContainer.bicep' = { } -module customContainerAppRole 'customRoles/create.bicep' = { +module customContainerAppRole '../modules/customRoles/create.bicep' = { scope: resourceGroup name: 'customContainerAppRole' params: { @@ -253,7 +253,7 @@ module customContainerAppRole 'customRoles/create.bicep' = { } } -module assignContainerAppJobRoles 'customRoles/assign.bicep' = { +module assignContainerAppJobRoles '../modules/customRoles/assign.bicep' = { scope: resourceGroup name: 'assignContainerAppJobRoles' params: { @@ -262,7 +262,7 @@ module assignContainerAppJobRoles 'customRoles/assign.bicep' = { } } -module assignConfigReaderRole 'customRoles/assign.bicep' = { +module assignConfigReaderRole '../modules/customRoles/assign.bicep' = { scope: resourceGroup name: 'assignConfigReaderRole' params: { @@ -271,7 +271,7 @@ module assignConfigReaderRole 'customRoles/assign.bicep' = { } } -module appConfigReaderAccessPolicy 'appConfiguration/addReaderRoles.bicep' = { +module appConfigReaderAccessPolicy '../modules/appConfiguration/addReaderRoles.bicep' = { scope: resourceGroup name: 'appConfigReaderAccessPolicy' params: { diff --git a/.azure/main.parameters.json b/.azure/infrastructure/main.parameters.json similarity index 100% rename from .azure/main.parameters.json rename to .azure/infrastructure/main.parameters.json diff --git a/.azure/appConfiguration/addReaderRoles.bicep b/.azure/modules/appConfiguration/addReaderRoles.bicep similarity index 100% rename from .azure/appConfiguration/addReaderRoles.bicep rename to .azure/modules/appConfiguration/addReaderRoles.bicep diff --git a/.azure/appConfiguration/addWriterRoles.bicep b/.azure/modules/appConfiguration/addWriterRoles.bicep similarity index 100% rename from .azure/appConfiguration/addWriterRoles.bicep rename to .azure/modules/appConfiguration/addWriterRoles.bicep 
diff --git a/.azure/appConfiguration/create.bicep b/.azure/modules/appConfiguration/create.bicep
similarity index 100%
rename from .azure/appConfiguration/create.bicep
rename to .azure/modules/appConfiguration/create.bicep
diff --git a/.azure/appConfiguration/upsertKeyValue.bicep b/.azure/modules/appConfiguration/upsertKeyValue.bicep
similarity index 100%
rename from .azure/appConfiguration/upsertKeyValue.bicep
rename to .azure/modules/appConfiguration/upsertKeyValue.bicep
diff --git a/.azure/applicationInsights/create.bicep b/.azure/modules/applicationInsights/create.bicep
similarity index 100%
rename from .azure/applicationInsights/create.bicep
rename to .azure/modules/applicationInsights/create.bicep
diff --git a/.azure/containerApp/addNECertufucateToContainer.bicep b/.azure/modules/containerApp/addNECertufucateToContainer.bicep
similarity index 100%
rename from .azure/containerApp/addNECertufucateToContainer.bicep
rename to .azure/modules/containerApp/addNECertufucateToContainer.bicep
diff --git a/.azure/containerApp/createMECertificate.bicep b/.azure/modules/containerApp/createMECertificate.bicep
similarity index 100%
rename from .azure/containerApp/createMECertificate.bicep
rename to .azure/modules/containerApp/createMECertificate.bicep
diff --git a/.azure/containerApp/init.bicep b/.azure/modules/containerApp/init.bicep
similarity index 100%
rename from .azure/containerApp/init.bicep
rename to .azure/modules/containerApp/init.bicep
diff --git a/.azure/containerApp/upsertAppsettings.bicep b/.azure/modules/containerApp/upsertAppsettings.bicep
similarity index 100%
rename from .azure/containerApp/upsertAppsettings.bicep
rename to .azure/modules/containerApp/upsertAppsettings.bicep
diff --git a/.azure/customRoles/assign.bicep b/.azure/modules/customRoles/assign.bicep
similarity index 100%
rename from .azure/customRoles/assign.bicep
rename to .azure/modules/customRoles/assign.bicep
diff --git a/.azure/customRoles/create.bicep b/.azure/modules/customRoles/create.bicep
similarity index 100%
rename from .azure/customRoles/create.bicep
rename to .azure/modules/customRoles/create.bicep
diff --git a/.azure/dnsZones/create.bicep b/.azure/modules/dnsZones/create.bicep
similarity index 100%
rename from .azure/dnsZones/create.bicep
rename to .azure/modules/dnsZones/create.bicep
diff --git a/.azure/keyvault/addReaderRoles.bicep b/.azure/modules/keyvault/addReaderRoles.bicep
similarity index 100%
rename from .azure/keyvault/addReaderRoles.bicep
rename to .azure/modules/keyvault/addReaderRoles.bicep
diff --git a/.azure/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep
similarity index 100%
rename from .azure/keyvault/copySecrets.bicep
rename to .azure/modules/keyvault/copySecrets.bicep
diff --git a/.azure/keyvault/create.bicep b/.azure/modules/keyvault/create.bicep
similarity index 100%
rename from .azure/keyvault/create.bicep
rename to .azure/modules/keyvault/create.bicep
diff --git a/.azure/keyvault/upsertSecret.bicep b/.azure/modules/keyvault/upsertSecret.bicep
similarity index 100%
rename from .azure/keyvault/upsertSecret.bicep
rename to .azure/modules/keyvault/upsertSecret.bicep
diff --git a/.azure/migrationJob/create.bicep b/.azure/modules/migrationJob/create.bicep
similarity index 100%
rename from .azure/migrationJob/create.bicep
rename to .azure/modules/migrationJob/create.bicep
diff --git a/.azure/postgreSql/create.bicep b/.azure/modules/postgreSql/create.bicep
similarity index 100%
rename from .azure/postgreSql/create.bicep
rename to .azure/modules/postgreSql/create.bicep
diff --git a/.azure/powershell/fetchKeyvaultSecret.ps1 b/.azure/modules/powershell/fetchKeyvaultSecret.ps1
similarity index 100%
rename from .azure/powershell/fetchKeyvaultSecret.ps1
rename to .azure/modules/powershell/fetchKeyvaultSecret.ps1
diff --git a/.azure/powershell/jsonMerge.ps1 b/.azure/modules/powershell/jsonMerge.ps1 similarity index 100% rename from .azure/powershell/jsonMerge.ps1 rename to .azure/modules/powershell/jsonMerge.ps1 diff --git a/.azure/powershell/pwdGenerator.ps1 b/.azure/modules/powershell/pwdGenerator.ps1 similarity index 100% rename from .azure/powershell/pwdGenerator.ps1 rename to .azure/modules/powershell/pwdGenerator.ps1 diff --git a/.azure/website/create.bicep b/.azure/modules/website/create.bicep similarity index 100% rename from .azure/website/create.bicep rename to .azure/modules/website/create.bicep diff --git a/.azure/website/upsertAppsettings.bicep b/.azure/modules/website/upsertAppsettings.bicep similarity index 100% rename from .azure/website/upsertAppsettings.bicep rename to .azure/modules/website/upsertAppsettings.bicep diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml index 6de8bfda..57941f3d 100644 --- a/.github/workflows/ci-cd-pull-request.yml +++ b/.github/workflows/ci-cd-pull-request.yml @@ -12,4 +12,9 @@ jobs: environment: test playwright-test: - uses: ./.github/workflows/workflow-playwright-test.yml \ No newline at end of file + uses: ./.github/workflows/workflow-playwright-test.yml + + dry-run-infrastructure: + uses: ./.github/workflows/workflow-deploy-infrastructure.yml + with: + environment: test \ No newline at end of file From 31ad04133670181453e9b9040d6aee80082f71f6 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Thu, 14 Mar 2024 15:02:41 +0100 Subject: [PATCH 4/7] cleanup --- .github/workflows/ci-cd-pull-request.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml index 57941f3d..ca4aecb9 100644 --- a/.github/workflows/ci-cd-pull-request.yml +++ b/.github/workflows/ci-cd-pull-request.yml 
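Review bot: The new `dry-run-infrastructure` job calls `./.github/workflows/workflow-deploy-infrastructure.yml`, but no such file is created by this patch (the 28-file diffstat above lists none), so at this commit GitHub rejects the whole ci-cd-pull-request.yml as invalid and no PR checks run. The job is deleted again in PATCH 4 and reintroduced together with the callee in PATCH 5, so squashing those three into one self-contained commit keeps every commit on main bisectable. The file is also still left without a trailing newline.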
@@ -13,8 +13,3 @@ jobs: playwright-test: uses: ./.github/workflows/workflow-playwright-test.yml - - dry-run-infrastructure: - uses: ./.github/workflows/workflow-deploy-infrastructure.yml - with: - environment: test \ No newline at end of file From a9c6a3860a179404b4cbc5e0bbb7382af37b5be9 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Thu, 14 Mar 2024 16:29:19 +0100 Subject: [PATCH 5/7] ci: add dry-run of infrastructure deployment on PRs --- .azure/infrastructure/main.bicep | 63 +++++++--- .azure/infrastructure/test.bicepparam | 13 ++ .github/workflows/ci-cd-main.yml | 2 +- .github/workflows/ci-cd-pull-request.yml | 31 +++++ .../workflows/workflow-check-for-changes.yml | 32 +++++ .../workflow-deploy-infrastructure.yml | 115 ++++++++++++++++++ .../workflow-generate-git-short-sha.yml | 21 ++++ 7 files changed, 256 insertions(+), 21 deletions(-) create mode 100644 .azure/infrastructure/test.bicepparam create mode 100644 .github/workflows/workflow-check-for-changes.yml create mode 100644 .github/workflows/workflow-deploy-infrastructure.yml create mode 100644 .github/workflows/workflow-generate-git-short-sha.yml diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep index 6fa5ccac..8681c86e 100644 --- a/.azure/infrastructure/main.bicep +++ b/.azure/infrastructure/main.bicep 
@@ -2,13 +2,31 @@ targetScope = 'subscription' param environment string param location string -param keyVault object -// param imageUrl string -// param deployTimestamp string +param keyVaultSourceKeys array + param gitSha string -var namePrefix = 'dp-fe-${environment}' + +@secure() +@minLength(3) +param dialogportenPgAdminPassword string +@secure() +@minLength(3) +param sourceKeyVaultSubscriptionId string +@secure() +@minLength(3) +param sourceKeyVaultResourceGroup string @secure() -param secrets object +@minLength(3) +param sourceKeyVaultName string + +var secrets = { + dialogportenPgAdminPassword: dialogportenPgAdminPassword + sourceKeyVaultSubscriptionId: sourceKeyVaultSubscriptionId + sourceKeyVaultResourceGroup: sourceKeyVaultResourceGroup + sourceKeyVaultName: sourceKeyVaultName +} + +var namePrefix = 'dp-fe-${environment}' var baseImageUrl = 'ghcr.io/digdir/dialogporten-frontend' @@ -18,13 +36,12 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { location: location } -module keyVaultModule '../modules/keyvault/create.bicep' = { +module environmentKeyVault '../modules/keyvault/create.bicep' = { scope: resourceGroup name: 'keyVault' params: { namePrefix: namePrefix location: location - adminObjectIds: keyVault.adminObjectIds } } @@ -48,8 +65,14 @@ module appInsights '../modules/applicationInsights/create.bicep' = { // Create references to existing resources resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2022-11-01' existing = { - name: keyVault.source.name - scope: az.resourceGroup(keyVault.source.subscriptionId, keyVault.source.resourceGroupName) + name: secrets.sourceKeyVaultName + scope: az.resourceGroup(secrets.sourceKeyVaultSubscriptionId, secrets.sourceKeyVaultResourceGroup) +} + +var srcKeyVault = { + name: secrets.sourceKeyVaultName + subscriptionId: secrets.sourceKeyVaultSubscriptionId + resourceGroupName: secrets.sourceKeyVaultResourceGroup } // Create resources with dependencies to other resources 
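Review bot: `@minLength(3)` on the new `dialogportenPgAdminPassword` parameter accepts a value far shorter than the 30-character password the deleted deployBicep.ps1 generated, and below the length PostgreSQL Flexible Server itself enforces, so a weak value passes template validation and is caught only at deployment time, if at all. Raising it, e.g. `@minLength(16)`, with a comment that the value is normally generated by the caller, keeps the former guarantee. Marking `sourceKeyVaultSubscriptionId`, `sourceKeyVaultResourceGroup` and `sourceKeyVaultName` as `@secure()` is harmless but hides them from deployment logs and history; a short comment stating why identifiers are treated as secrets would stop the next reader from removing the decorator.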
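Review bot: The rename of `keyVaultModule` to `environmentKeyVault` also drops `adminObjectIds: keyVault.adminObjectIds` without a replacement. If `../modules/keyvault/create.bicep` (not in this diff) still declares `adminObjectIds` as required, the template no longer compiles; if it has a default, the environment vault is now created with no admin principals at all, and this hunk gives no hint which is intended. Either pass an explicit parameter again or add a comment on the `params:` block stating where admin access to the vault is granted instead.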
@@ -59,10 +82,10 @@ module postgresql '../modules/postgreSql/create.bicep' = { params: { namePrefix: namePrefix location: location - keyVaultName: keyVaultModule.outputs.name - srcKeyVault: keyVault.source + keyVaultName: environmentKeyVault.outputs.name + srcKeyVault: srcKeyVault srcSecretName: 'dialogportenPgAdminPassword${environment}' - administratorLoginPassword: contains(keyVault.source.keys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword + administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword } } @@ -70,11 +93,11 @@ module copySecret '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup name: 'copySecrets' params: { - srcKeyVaultKeys: keyVault.source.keys - srcKeyVaultName: keyVault.source.name - srcKeyVaultRGNName: keyVault.source.resourceGroupName - srcKeyVaultSubId: keyVault.source.subscriptionId - destKeyVaultName: keyVaultModule.outputs.name + srcKeyVaultKeys: keyVaultSourceKeys + srcKeyVaultName: srcKeyVault.name + srcKeyVaultRGNName: srcKeyVault.resourceGroupName + srcKeyVaultSubId: srcKeyVault.subscriptionId + destKeyVaultName: environmentKeyVault.outputs.name secretPrefix: 'dialogporten--${environment}--' } } @@ -99,7 +122,7 @@ module migrationJob '../modules/migrationJob/create.bicep' = { } { name: 'KV_NAME' - value: keyVaultModule.outputs.name + value: environmentKeyVault.outputs.name } { name: 'PSQL_CONNECTION_JSON_NAME' // MÅ BYTTES UT, DETTE SKAL HENTES FRA APP CONFIG 
@@ -154,7 +177,7 @@ module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = { scope: resourceGroup name: 'keyVaultReaderAccessPolicy' params: { - keyvaultName: keyVaultModule.outputs.name + keyvaultName: environmentKeyVault.outputs.name // TODO: Har lagt til dialogporten-subscription-deploy-principal ettersom den m� hente ut db connectionstring fra keyvault for migrasjon principalIds: [ containerApp.outputs.identityPrincipalId, migrationJob.outputs.principalId, '49f570f3-9677-4eb7-b360-eaed33f98632', '2e8cd2b0-400f-4be7-9b8e-311c14263048' ] // FJERNES!!!!! } @@ -214,7 +237,7 @@ module containerApp '../modules/containerApp/addNECertufucateToContainer.bicep' } { name: 'KV_NAME' - value: keyVaultModule.outputs.name + value: environmentKeyVault.outputs.name } { name: 'GIT_SHA' diff --git a/.azure/infrastructure/test.bicepparam b/.azure/infrastructure/test.bicepparam new file mode 100644 index 00000000..ada1a5bb --- /dev/null +++ b/.azure/infrastructure/test.bicepparam @@ -0,0 +1,13 @@ +using './main.bicep' + +param environment = 'test' +param location = 'norwayeast' + +param gitSha = readEnvironmentVariable('GIT_SHA') +param keyVaultSourceKeys = json(readEnvironmentVariable('KEY_VAULT_SOURCE_KEYS')) + +// secrets +param dialogportenPgAdminPassword = readEnvironmentVariable('PG_ADMIN_PASSWORD') +param sourceKeyVaultSubscriptionId = readEnvironmentVariable('SOURCE_KEY_VAULT_SUBSCRIPTION_ID') +param sourceKeyVaultResourceGroup = readEnvironmentVariable('SOURCE_KEY_VAULT_RESOURCE_GROUP') +param sourceKeyVaultName = readEnvironmentVariable('SOURCE_KEY_VAULT_NAME') diff --git a/.github/workflows/ci-cd-main.yml b/.github/workflows/ci-cd-main.yml index a5f89a40..0be185dc 100644 --- a/.github/workflows/ci-cd-main.yml +++ b/.github/workflows/ci-cd-main.yml @@ -13,4 +13,4 @@ jobs: deploy-documentation: uses: ./.github/workflows/workflow-deploy-docs.yml - \ No newline at end of file + \ No newline at end of file 
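Review bot: In `test.bicepparam`, `param location = 'norwayeast'` is fixed in the file while the calling workflow separately receives `region: norwayeast` and passes it to `azure/arm-deploy` as the deployment `region:`; nothing ties the two together, so they can drift. Consider `param location = readEnvironmentVariable('LOCATION', 'norwayeast')` fed from the same workflow input, or at least `// keep in sync with the region input of workflow-deploy-infrastructure.yml`. The secret-bearing `readEnvironmentVariable(...)` calls deliberately have no default, which is right: a missing variable should fail the build rather than deploy an empty value, and a short comment saying so (`// no defaults: an unset variable must fail the deployment`) would stop someone "fixing" it later.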
diff --git a/.github/workflows/ci-cd-pull-request.yml b/.github/workflows/ci-cd-pull-request.yml index ca4aecb9..eb808730 100644 --- a/.github/workflows/ci-cd-pull-request.yml +++ b/.github/workflows/ci-cd-pull-request.yml @@ -6,6 +6,14 @@ on: types: [opened, synchronize, reopened] jobs: + generate-git-short-sha: + name: Generate git short sha + uses: ./.github/workflows/workflow-generate-git-short-sha.yml + + check-for-changes: + name: Check for changes + uses: ./.github/workflows/workflow-check-for-changes.yml + build-and-test: uses: ./.github/workflows/workflow-build-and-test.yml with: @@ -13,3 +21,26 @@ jobs: playwright-test: uses: ./.github/workflows/workflow-playwright-test.yml + + dry-run-deploy-infra: + uses: ./.github/workflows/workflow-deploy-infrastructure.yml + needs: + [ + generate-git-short-sha, + check-for-changes + ] + if: ${{ needs.check-for-changes.outputs.hasInfrastructureChanges == 'true' }} + secrets: + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + AZURE_SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }} + AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }} + AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }} + with: + environment: test + region: norwayeast + dryRun: true + version: ${{ github.sha }} + + \ No newline at end of file diff --git a/.github/workflows/workflow-check-for-changes.yml b/.github/workflows/workflow-check-for-changes.yml new file mode 100644 index 00000000..3b046232 --- /dev/null +++ b/.github/workflows/workflow-check-for-changes.yml 
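Review bot: `dry-run-deploy-infra` lists `generate-git-short-sha` in `needs` but passes `version: ${{ github.sha }}` and never reads `needs.generate-git-short-sha.outputs.gitShortSha`, so that job only adds latency to the PR pipeline; either use `version: ${{ needs.generate-git-short-sha.outputs.gitShortSha }}` or drop it from `needs`. The job also hands the Azure OIDC client id and the source vault coordinates to a run that checks out and executes the PR's own bicep, parameter file and `.github/tools/pwdGenerator.ps1` on every `synchronize`; for PRs from forks the secrets are empty and the job will just fail at `azure/login`, so adding `github.event.pull_request.head.repo.full_name == github.repository` to the `if:` keeps that failure noise down and makes the trust boundary explicit. The `if:` itself is fine, since `hasInfrastructureChanges` is exposed as a string and compared with `'true'`.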
@@ -0,0 +1,32 @@
+name: "Check for file changes"
+
+on:
+ workflow_call:
+ outputs:
+ hasInfrastructureChanges:
+ description: "Infrastructure related files changed"
+ value: ${{ jobs.check-for-changes.outputs.hasInfrastructureChanges }}
+
+jobs:
+ check-for-changes:
+ name: Filter
+ runs-on: ubuntu-latest
+ outputs:
+ hasInfrastructureChanges: ${{ steps.filter.outputs.infrastructure_any_changed == 'true' }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ # fetch-depth needs to be 0 in cases where we want to fetch changes since previous tag for example
+ fetch-depth: 0
+
+ - uses: tj-actions/changed-files@v42
+ id: filter
+ with:
+ files_yaml: |
+ infrastructure:
+ - '.github/**/*'
+ - '.azure/infrastructure/*'
+ - '.azure/modules/**/*'
+
diff --git a/.github/workflows/workflow-deploy-infrastructure.yml b/.github/workflows/workflow-deploy-infrastructure.yml
new file mode 100644
index 00000000..0711a646
--- /dev/null
+++ b/.github/workflows/workflow-deploy-infrastructure.yml
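Review bot: `tj-actions/changed-files@v42` is pinned to a moving tag, and its output is what decides whether a job holding the deploy identity's credentials runs, so the code computing `hasInfrastructureChanges` can change without any commit in this repository; pin it to a full commit SHA (`uses: tj-actions/changed-files@<full-commit-sha> # v42`, with the real hash substituted) and keep the tag in the trailing comment for readability. The `.github/**/*` pattern means any workflow edit also triggers the infrastructure dry run, which is probably intended but deserves a comment, e.g. `# workflow changes count as infrastructure changes so the deploy pipeline itself is exercised on PRs`.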
@@ -0,0 +1,115 @@
+name: Deploy infrastructure
+
+env:
+ AZ_CLI_VERSION: 2.56.0
+
+on:
+ workflow_call:
+ secrets:
+ AZURE_CLIENT_ID:
+ required: true
+ AZURE_TENANT_ID:
+ required: true
+ AZURE_SUBSCRIPTION_ID:
+ required: true
+ AZURE_SOURCE_KEY_VAULT_NAME:
+ required: true
+ AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID:
+ required: true
+ AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP:
+ required: true
+
+ inputs:
+ region:
+ required: true
+ type: string
+ environment:
+ required: true
+ type: string
+ dryRun:
+ description: "If true, the deployment will be validated but not executed."
+ required: false
+ type: boolean
+ default: false
+ version:
+ description: "Current version to use as tag"
+ required: true
+ type: string
+ ref:
+ description: "The branch or tag ref to deploy. Using default checkout ref if not provided."
+ required: false
+ default: ${{ github.ref }}
+ type: string
+
+concurrency:
+ # Existing runs are cancelled if someone repeatedly commits to their own Pull Request (PR). However, it does not stop others' dry runs or actual deployments from the main branch.
+ # Also, the cancellation does not occur on merges to the main branch. Therefore, if multiple merges to main are performed simultaneously, they will just be queued up.
+ group: deploy-infrastructure-${{ inputs.environment }}-${{ github.ref_name }}-${{ inputs.dryRun }}
+ # if the dryrun input is true, we want to cancel any running deployments in order to not block the pipeline e.g for environment approvals
+ cancel-in-progress: ${{ inputs.dryRun }}
+jobs:
+ deploy:
+ name: Deploy to ${{ inputs.environment }}
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.environment }}
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: "Checkout GitHub Action"
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+
+ - name: OIDC Login to Azure Public Cloud
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Fetch secret keys from source Azure Key Vault
+ uses: azure/CLI@v1
+ id: keyvault-keys
+ with:
+ azcliversion: ${{ env.AZ_CLI_VERSION }}
+ inlineScript: |
+ KEY_VAULT_KEYS=$(az keyvault secret list --vault-name ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }} --subscription ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }} --query "[].name" -o json | tr -d '\n')
+ echo "::set-output name=key-vault-keys::$KEY_VAULT_KEYS"
+
+ - name: Generate postgresql password
+ id: pwd-generator
+ shell: pwsh
+ run: |
+ Import-module "./.github/tools/pwdGenerator.ps1" -Force
+ $password = (GeneratePassword -length 30).Password
+ echo "::add-mask::$password"
+ echo "::set-output name=postgresqlPassword::$password"
+
+ - name: Deploy infrastructure (${{ inputs.environment }})
+ uses: azure/arm-deploy@v2
+ id: deploy
+ env:
+ # parameters
+ GIT_SHA: ${{ github.sha }}
+ KEY_VAULT_SOURCE_KEYS: ${{ steps.keyvault-keys.outputs.key-vault-keys }}
+ # secrets
+ PG_ADMIN_PASSWORD: ${{ steps.pwd-generator.outputs.postgresqlPassword }}
+ SOURCE_KEY_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_SOURCE_KEY_VAULT_SUBSCRIPTION_ID }}
+ SOURCE_KEY_VAULT_RESOURCE_GROUP: ${{ secrets.AZURE_SOURCE_KEY_VAULT_RESOURCE_GROUP }}
+ SOURCE_KEY_VAULT_NAME: ${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}
+ with:
+ scope: subscription
+ template: ./.azure/infrastructure/main.bicep
+ subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ deploymentMode: Incremental
+ deploymentName: dp-fe-${{ inputs.environment }}-${{ inputs.version }}
+ region: ${{ inputs.region }}
+ failOnStdErr: false
+ additionalArguments: "${{ inputs.dryRun && '--what-if' }}"
+ parameters: ./.azure/infrastructure/${{ inputs.environment }}.bicepparam
+
+ - name: Logout from azure
+ if: ${{failure() || success()}}
+ continue-on-error: true
+ run: az logout
diff --git a/.github/workflows/workflow-generate-git-short-sha.yml b/.github/workflows/workflow-generate-git-short-sha.yml
new file mode 100644
index 00000000..5118032b
--- /dev/null
+++ b/.github/workflows/workflow-generate-git-short-sha.yml
@@ -0,0 +1,21 @@
+name: "Generate git short sha"
+
+on:
+ workflow_call:
+ outputs:
+ gitShortSha:
+ description: "Git short sha"
+ value: ${{ jobs.generate-git-short-sha.outputs.gitShortSha }}
+jobs:
+ generate-git-short-sha:
+ name: Generate git short sha
+ runs-on: ubuntu-latest
+ outputs:
+ gitShortSha: ${{ steps.set-git-short-sha.outputs.gitShortSha }}
+ steps:
+ - name: "Checkout GitHub Action"
+ uses: actions/checkout@v4
+ # Current workaround to create a short git sha. Not supported as a global variable yet. https://stackoverflow.com/questions/59810838/how-to-get-the-short-sha-for-the-github-workflow
+ - name: Set git short sha
+ id: set-git-short-sha
+ run: echo "gitShortSha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
From 73395dc3159977ea06b66cc7d8fa399277ab5b73 Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Thu, 14 Mar 2024 16:29:36 +0100
Subject: [PATCH 6/7] cleanup
---
 .azure/infrastructure/main.parameters.json | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 .azure/infrastructure/main.parameters.json
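Review bot: `additionalArguments: "${{ inputs.dryRun && '--what-if' }}"` evaluates to the string `false` when `dryRun` is false, because the expression has no `||` fallback, so a real (non-dry-run) deployment would pass a stray `false` argument to the az CLI; write it as `additionalArguments: "${{ inputs.dryRun && '--what-if' || '' }}"`. This PR only calls the workflow with `dryRun: true`, so that path is never exercised here. The two `echo "::set-output ..."` lines use the deprecated workflow command, and the `%25`/`%0A` unescaping the runner applies to command values can alter a generated password that happens to contain such a sequence; writing `echo "postgresqlPassword=$password" >> $env:GITHUB_OUTPUT` in the pwsh step and `echo "key-vault-keys=$KEY_VAULT_KEYS" >> "$GITHUB_OUTPUT"` in the bash step avoids that and matches what `workflow-generate-git-short-sha.yml` already does. Lastly, `inlineScript` interpolates `${{ secrets.AZURE_SOURCE_KEY_VAULT_NAME }}` and the subscription id straight into the shell text; they are admin-controlled so it is not an injection today, but reading them from `env:` the way the deploy step does keeps the pattern uniform.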
diff --git a/.azure/infrastructure/main.parameters.json b/.azure/infrastructure/main.parameters.json
deleted file mode 100644
index 866a3c29..00000000
--- a/.azure/infrastructure/main.parameters.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "keyVault": {
- "value": {
- "adminObjectIds": ["cd0026d8-283b-4a55-9bfa-d0ef4a8ba21c"],
- "source": {
- "name": "dp-fe-src-kv-8cdfb5ce-3c",
- "resourceGroupName": "dp-fe-common-rg",
- "subscriptionId": "8a353de8-d81d-468d-a40d-f3574b6bb3f4"
- }
- }
- },
- "location": {
- "value": "norwayeast"
- }
- }
-}
From b90540d0d4bb12a4274167255e05b22dca4cd689 Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Thu, 14 Mar 2024 16:34:38 +0100
Subject: [PATCH 7/7] add pwd generator
---
 .github/tools/pwdGenerator.ps1 | 47 ++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 .github/tools/pwdGenerator.ps1
diff --git a/.github/tools/pwdGenerator.ps1 b/.github/tools/pwdGenerator.ps1
new file mode 100644
index 00000000..f46dd6c7
--- /dev/null
+++ b/.github/tools/pwdGenerator.ps1
@@ -0,0 +1,47 @@
+function Get-RandomCharacters([int]$length, [string]$characters) {
+ $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
+ $private:ofs=""
+ return [string]$characters[$random]
+}
+function Scramble-String([string]$inputString){
+ $characterArray = $inputString.ToCharArray()
+ $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length
+ $outputString = -join $scrambledStringArray
+ return $outputString
+}
+function GeneratePassword{
+ param(
+ [Parameter()]
+ [ValidateRange(8,64)]
+ [int]$length=25,
+ [Parameter()]
+ [ValidateRange(0,64)]
+ [int]$minLower=1,
+ [Parameter()]
+ [ValidateRange(0,64)]
+ [int]$minUpper=1,
+ [Parameter()]
+ [ValidateRange(0,64)]
+ [int]$minNumber=1,
+ [Parameter()]
+ [ValidateRange(0,64)]
+ [int]$minSpecial=1
+ )
+ $lowercase = 'abcdefghiklmnoprstuvwxyz'
+ $uppercase = 'ABCDEFGHKLMNOPRSTUVWXYZ'
+ $numbers = '1234567890'
+ $special = '@#*+&%$!~'
+ $characters = $lowercase + $uppercase + $numbers + $special
+ $password = Get-RandomCharacters $minLower $lowercase
+ $password += Get-RandomCharacters $minUpper $uppercase
+ $password += Get-RandomCharacters $minNumber $numbers
+ $password += Get-RandomCharacters $minSpecial $special
+ $password += Get-RandomCharacters $($length-$password.Length) $characters
+ $password = Scramble-String $password
+ $Bytes = [System.Text.Encoding]::Unicode.GetBytes($password)
+ $EncodedText =[Convert]::ToBase64String($Bytes)
+ return @{
+ Password = $password
+ EncodedPassword = $EncodedText
+ }
+}
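Review bot: `Get-RandomCharacters` builds its index list with `1..$length`, and PowerShell ranges count downwards, so a `$length` of 0 enumerates the two indices `1, 0` and the function returns two characters instead of none; `GeneratePassword` hits this whenever a `-min*` parameter is 0 or when `$length` equals the sum of the minimums, and the password then comes out longer than requested. The draw itself relies on `Get-Random` (also in `Scramble-String`); I believe unseeded `Get-Random` on PowerShell 7 is backed by a cryptographic generator, but the script does not state that, and for a database admin password it is better to draw from `[System.Security.Cryptography.RandomNumberGenerator]::GetInt32()` explicitly so the guarantee does not hinge on the runner's shell version. `EncodedPassword` is Base64 of the UTF-16 bytes, which is an encoding rather than a protection, and the calling workflow only reads `.Password`; a comment saying what it is for, or dropping it, would stop it being mistaken for a hashed value. A header comment such as `# Returns a random password of $length characters containing at least $minLower/$minUpper/$minNumber/$minSpecial characters of each class, shuffled` would document the contract, and renaming `Scramble-String` to an approved verb (`Get-ShuffledString` or similar) would quiet PSScriptAnalyzer.
```powershell
function Get-RandomCharacters([int]$length, [string]$characters) {
    # 1..0 enumerates 1 and 0, so an empty request must be short-circuited here
    if ($length -le 0) { return '' }
    $picked = foreach ($i in 1..$length) {
        # explicit CSPRNG: do not depend on how Get-Random is implemented on the runner
        $characters[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($characters.Length)]
    }
    return -join $picked
}
# … unchanged: Scramble-String, GeneratePassword …
```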