.github/workflows/IaC-bicep-AKSClusterOnly.yml

name: 'IaC Deploy AKS Cluster only'

on:
  workflow_dispatch:
    inputs:
      ENVIRONMENT:
        description: 'A GitHub Environment to pull action secrets from'
        required: true
        type: environment
      REGION:
        description: 'The Azure region to deploy to'
        required: true
        default: westus2
      clusterVnetResourceId:
        description: 'The vnet resource ID (not uuid)'
        required: true
      ACRNAME:
        description: 'The Name of the ACR resource'
        required: true
        type: string
      clusterAdminAadGroupObjectId:
        description: 'K8S Admin Azure AAD Group ObjectID'
        required: true
        type: string
      a0008NamespaceReaderAadGroupObjectId:
        description: 'K8S Reader Azure AAD Group ObjectID'
        required: true
        type: string

env:
  event_sha: +refs/pull/${{ github.event.issue.number }}/merge

permissions:
      id-token: write
      contents: read

jobs:
  prereqs:
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.ENVIRONMENT }}
    name: Prerequisite Checks
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: "Parameter Check"
        run: |
          echo "Environment : ${{ github.event.inputs.ENVIRONMENT }}"
          echo "vnet resource ID : ${{ github.event.inputs.clusterVnetResourceId }}"
          echo "ACR : ${{ github.event.inputs.ACRNAME }}"
          echo "K8S Admin Azure AAD Group ObjectID : ${{ github.event.inputs.clusterAdminAadGroupObjectId }}"
          echo "K8S Reader Azure AAD Group ObjectID : ${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }}"

      - name: Azure Login
        uses: Azure/login@v1.4.3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: "Check Preview Features"
        shell: pwsh
        run: |
          write-output "Verifying required Resource Providers Features are registered"
          $aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" | ConvertFrom-Json

          $featureName='AKS-ExtensionManager'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='EnableOIDCIssuerPreview'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='AKS-AzureDefender'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

  deployment:
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.ENVIRONMENT }}
    name: Deployment
    needs: [prereqs]
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Azure Login
        uses: Azure/login@v1.4.3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: "Cert Generation"
        id: cert
        run: |
          export DOMAIN_NAME_AKS_BASELINE="contoso.com"
          export CN="bicycle"
          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out appgw.crt -keyout appgw.key -subj "/CN=${CN}.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso Bicycle" -addext "subjectAltName = DNS:${CN}.${DOMAIN_NAME_AKS_BASELINE}" -addext "keyUsage = digitalSignature" -addext "extendedKeyUsage = serverAuth"
          openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:
          export APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE=$(cat appgw.pfx | base64 | tr -d '\n')
          echo "APP_GATEWAY_LISTENER_CERTIFICATE=$APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE" >> $GITHUB_ENV
          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out traefik-ingress-internal-aks-ingress-tls.crt -keyout traefik-ingress-internal-aks-ingress-tls.key -subj "/CN=*.aks-ingress.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso AKS Ingress"
          export AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE=$(cat traefik-ingress-internal-aks-ingress-tls.crt | base64 | tr -d '\n')
          echo "AKS_INGRESS_CONTROLLER_CERTIFICATE=$AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE" >> $GITHUB_ENV

      - name: "test"
        id: test
        run: |
          echo "${{ env.APP_GATEWAY_LISTENER_CERTIFICATE }}"
          echo "${{ env.AKS_INGRESS_CONTROLLER_CERTIFICATE }}"

      - name: "Deploy Cluster"
        id: cluster
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ github.event.inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-spoke/cluster.bicep
          parameters: ./IaC/bicep/rg-spoke/cluster.parameters.json appGatewayListenerCertificate=${{ env.APP_GATEWAY_LISTENER_CERTIFICATE }} aksIngressControllerCertificate=${{ env.AKS_INGRESS_CONTROLLER_CERTIFICATE }} targetVnetResourceId=${{ github.event.inputs.clusterVnetResourceId }} clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }} vNetResourceGroup=rg-enterprise-networking-spokes-${{ github.event.inputs.REGION }} location=${{ github.event.inputs.REGION }} resourceGroupName=rg-BU0001A0008-${{ github.event.inputs.REGION }} gitOpsBootstrappingRepoBranch=${{ github.ref_name }}
          failOnStdErr: false
          deploymentName: carml-cluster-${{ github.event.inputs.REGION }}

      - name: "Pull AKV_NAME"
        id: akv_name
        run: |
          export AKV_NAME=$(az deployment group list -g rg-BU0001A0008-${{ github.event.inputs.REGION }} -o table| grep 'kv-aks'|awk '{print $1}')
          echo "AKV_NAME=${AKV_NAME}" >> $GITHUB_ENV
          echo "AKV Name extracted by querying is ${AKV_NAME}"

          echo "aksIngressControllerPodManagedIdentityResourceId from bicep output is ${{ steps.cluster.outputs.aksIngressControllerPodManagedIdentityResourceId }}"
          echo "AKV Name from bicep output is ${{ steps.cluster.outputs.keyVaultName }}"

      - name: "Get KeyVault Name"
        id: testName
        run: |
          echo "aksIngressControllerPodManagedIdentityResourceId from bicep output is ${{ steps.cluster.outputs.aksIngressControllerPodManagedIdentityResourceId }}"
          echo "AKV Name from bicep output is ${{ steps.cluster.outputs.keyVaultName }}"