forked from Azure/bicep-registry-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
151 lines (133 loc) · 5.58 KB
/
platform.deployment.history.cleanup.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: ".Platform - Clean up deployment history"
on:
workflow_dispatch:
inputs:
handleSubscriptionScope:
type: boolean
description: "Include Subscription deployments"
required: false
default: true # Note: This requires your service principal to have permissions on the subscription scope.
handleManagementGroupScope:
type: boolean
description: "Include Management Group deployments"
required: false
default: true # Note: This requires your service principal to have permissions on the management group scope.
maxDeploymentRetentionInDays:
type: string
description: "The number of days to keep deployments with status [failed]" # 'Running' are always excluded
required: false
default: "14"
schedule:
- cron: "0 0 * * *"
env:
workflowPath: ".github/workflows/platform.deployment.history.cleanup.yml"
jobs:
###########################
# Initialize pipeline #
###########################
job_initialize_pipeline:
runs-on: ubuntu-latest
name: "Initialize pipeline"
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Set input parameters to output variables"
id: get-workflow-param
uses: ./.github/actions/templates/avm-getWorkflowInput
with:
workflowPath: "${{ env.workflowPath}}"
outputs:
workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
###############
# Removal #
###############
job_cleanup_subscription_deployments:
runs-on: ubuntu-latest
name: "Remove Subscription deployments"
environment: avm-validation
permissions:
id-token: write # For OIDC
needs:
- job_initialize_pipeline
if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleSubscriptionScope == 'true' }}
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment
# [Azure login] task(s)
# ------------------------------
# Supports both OIDC and service principal with secret
# 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Remove deployments
uses: azure/powershell@v2
with:
inlineScript: |
# Load used functions
. (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'platform' 'deploymentRemoval' 'Clear-SubscriptionDeploymentHistory.ps1')
$functionInput = @{
SubscriptionId = '${{ secrets.ARM_SUBSCRIPTION_ID }}'
maxDeploymentRetentionInDays = '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).maxDeploymentRetentionInDays }}'
}
Write-Verbose "Invoke task with" -Verbose
Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
Clear-SubscriptionDeploymentHistory @functionInput
azPSVersion: "latest"
job_cleanup_managementGroup_deployments:
runs-on: ubuntu-latest
name: "Remove Management Group deployments"
environment: avm-validation
permissions:
id-token: write # For OIDC
needs:
- job_initialize_pipeline
if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleManagementGroupScope == 'true' }}
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment
# [Azure login] task(s)
# ------------------------------
# Supports both OIDC and service principal with secret
# 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
- name: Remove deployments
uses: azure/powershell@v2
with:
inlineScript: |
# Load used functions
. (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'platform' 'deploymentRemoval' 'Clear-ManagementGroupDeploymentHistory.ps1')
$mgmtGroupIdInput = '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).customManagementGroupId }}'
foreach($mgmtGroupId in @('${{ secrets.ARM_MGMTGROUP_ID }}', 'bicep-lz-vending-automation-child')) {
Write-Verbose "Processing mgmtGroupId [$mgmtGroupId]" -Verbose
$functionInput = @{
ManagementGroupId = $mgmtGroupId
maxDeploymentRetentionInDays = '${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).maxDeploymentRetentionInDays }}'
}
Write-Verbose "Invoke task with" -Verbose
Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
Clear-ManagementGroupDeploymentHistory @functionInput
}
azPSVersion: "latest"