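name: 'Bicep Whatif / Deploy'

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Special permissions required for OIDC authentication:
#   id-token: write      — lets azure/login request an OIDC token from GitHub
#   contents: read       — checkout only
#   pull-requests: write — needed by "Push Whatif Output to PR" to comment
permissions:
  id-token: write
  contents: read
  pull-requests: write

env:
  LOCATION: "eastus"

jobs:
  bicep-whatif:
    name: 'Bicep Whatif'
    runs-on: ubuntu-latest
    # NOTE(review): this job also runs on pull_request, so a PR build obtains an
    # OIDC token for the production subscription; confirm the environment's
    # protection rules (required reviewers, branch restrictions) are what you
    # intend for PR builds.
    environment: production
    steps:
      # Checkout the repository to the GitHub Actions runner.
      # NOTE(review): the actions below are referenced by mutable tag; pinning
      # each to a full commit SHA (uses: owner/repo@<commit-sha>) protects
      # against a tag being moved upstream.
      - name: Checkout
        uses: actions/checkout@v2

      # Authenticate to Az CLI using OIDC (no long-lived credential is stored;
      # the secrets hold only the app/tenant/subscription identifiers)
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Checks that all Bicep configuration files adhere to a canonical format
      - name: Bicep Lint
        uses: Azure/cli@v1
        with:
          inlineScript: az bicep build --file main.bicep

      # Validate whether a template is valid at subscription scope
      - name: Bicep Validate
        uses: Azure/cli@v1
        with:
          inlineScript: |
            az deployment sub validate \
              --name validate-${{ github.run_id }} \
              --template-file main.bicep \
              --location "$LOCATION"

      # Preview changes; the raw what-if text is captured in ./whatif
      - name: "What-If"
        uses: Azure/cli@v1
        with:
          inlineScript: |
            az deployment sub what-if \
              --name whatif-${{ github.run_id }} \
              --template-file main.bicep \
              --location "$LOCATION" > whatif

      # Wrap the what-if text in a collapsible markdown block (whatif.string)
      # and expose it as the step output "summary".
      - name: Create String Output
        id: whatif-string
        run: |
          {
            echo "## Whatif Output"
            echo "<details><summary>Click to expand</summary>"
            echo ""
            echo '```'
            cat whatif
            echo '```'
            echo "</details>"
          } > whatif.string
          # `::set-output` is deprecated; multi-line values are written to
          # $GITHUB_OUTPUT with a heredoc, which removes the need for the
          # manual %25/%0A/%0D escaping. The delimiter is randomised so that a
          # line in the (template-derived) what-if text cannot terminate the
          # value early.
          delimiter="whatif-summary-${RANDOM}-${RANDOM}"
          {
            echo "summary<<${delimiter}"
            cat whatif.string
            echo "${delimiter}"
          } >> "$GITHUB_OUTPUT"

      # Publish what-if output as the job's task summary
      - name: Publish Whatif to Task Summary
        run: |
          cat whatif.string >> "$GITHUB_STEP_SUMMARY"

      # If this is a PR, post the changes as a comment. Keying on the event
      # name (rather than the ref) guarantees context.issue.number is set.
      # The summary is passed via env, not interpolated into the script, so
      # its content is never evaluated as JavaScript.
      - name: Push Whatif Output to PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v2
        env:
          SUMMARY: "${{ steps.whatif-string.outputs.summary }}"
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const body = `${process.env.SUMMARY}`;
            github.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            })

  bicep-deploy:
    name: 'Bicep Deploy'
    # TODO can we easily determine if there are any changes to deploy?
    # Only a push to main deploys; PR builds stop after the what-if job.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production-approval
    needs: [bicep-whatif]
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v2

      # Authenticate to Az CLI using OIDC
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Deploy at subscription scope
      - name: "Bicep Deployment"
        uses: Azure/cli@v1
        with:
          inlineScript: |
            az deployment sub create \
              --name deploy-${{ github.run_id }} \
              --template-file main.bicep \
              --location "$LOCATION"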