Merge pull request #208 from microsoft/remove-secret-from-cicd
Remove secret from cicd
elayrocks authored May 2, 2024
2 parents b62fcc0 + f4e3d90 commit 2df6413
Showing 8 changed files with 33 additions and 23 deletions.
26 changes: 18 additions & 8 deletions .github/workflows/cicd.yml
Expand Up @@ -5,6 +5,10 @@ on:
branches: [main]
tags: ["*"]

permissions:
id-token: write
contents: read

jobs:
build_and_publish:

Expand All @@ -16,12 +20,11 @@ jobs:
- name: Log in with Azure
uses: azure/login@v1
with:
creds: '${{ secrets.AZURE_CREDENTIALS }}'
client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}

- name: Authenticate
env:
CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
run: ./scripts/ciauthenticate

- name: Run cibuild
Expand Down Expand Up @@ -54,6 +57,13 @@ jobs:
- build_and_publish
steps:
- uses: actions/checkout@v3

- name: Log in with Azure
uses: azure/login@v1
with:
client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}

- name: Get image tag
id: get_image_tag
Expand All @@ -73,7 +83,7 @@ jobs:
env:
IMAGE_TAG: ${{needs.build_and_publish.outputs.image_tag}}
ENVIRONMENT: staging
ARM_CLIENT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
ARM_CLIENT_SECRET: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}
ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).subscriptionId }}
ARM_TENANT_ID: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }}
ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }}
ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }}
ARM_USE_OIDC: true
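Review bot: The client, tenant and subscription IDs are extracted from a single JSON secret with `fromJSON(secrets.SECURE_AZURE_CREDENTIALS)` in both "Log in with Azure" steps and in the `ARM_*` env block, and GitHub redacts only the secret value as a whole, so the extracted fields are not masked in the run log; the azure/login OIDC setup uses separate `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` secrets, which also lets each value be redacted individually. The workflow-level `permissions:` block grants `id-token: write` to every job in the file, including any that never call azure/login; moving it under the two jobs that do is the tighter scope. Removing `secrets.AZURE_CREDENTIALS` from the workflow does not invalidate the client secret it carried, so that repository secret should be deleted and the service principal's password credential revoked as a follow-up. The `build_and_publish` and deploy jobs both extend beyond what the hunks show.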
4 changes: 2 additions & 2 deletions deployment/Dockerfile
Expand Up @@ -16,9 +16,9 @@ RUN echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu

RUN apt-get update && apt-get install -y azure-functions-core-tools-4

# Install Terraform 0.14.4
# Install Terraform 1.8.2

RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/0.14.4/terraform_0.14.4_linux_amd64.zip
RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/1.8.2/terraform_1.8.2_linux_amd64.zip
RUN unzip terraform.zip
RUN mv terraform /usr/local/bin

3 changes: 1 addition & 2 deletions deployment/bin/deploy
Expand Up @@ -61,8 +61,8 @@ fi
require_env "IMAGE_TAG"
require_env "GIT_COMMIT"
require_env "ARM_CLIENT_ID"
require_env "ARM_CLIENT_SECRET"
require_env "ARM_TENANT_ID"
require_env "ARM_USE_OIDC"

# Directory for rendered values and templates
CONF_DIR='/opt/conf'
Expand All @@ -84,7 +84,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
# Add IP to KV firewall #
#########################

bin/azlogin
bin/kv_add_ip

#####################
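Review bot: `require_env "ARM_USE_OIDC"` appears to guard only that the variable is set, if require_env behaves as its name suggests, so `ARM_USE_OIDC=false` would pass this gate while providers.tf in the same commit hard-codes `use_oidc = true`; a value check such as `[ "${ARM_USE_OIDC}" = "true" ] || { echo "ARM_USE_OIDC must be true" >&2; exit 1; }` fails early instead of at the first Terraform call. With `bin/azlogin` dropped from the second hunk, the script depends on an Azure CLI session that already exists in the container (azure/login in CI, the mounted `~/.azure` locally, judging by the other files in this commit), and nothing here verifies it; a comment such as `# Expects an existing az CLI session: azure/login in CI, ~/.azure mount in dev` at the point where `bin/azlogin` used to be would record that dependency. The enclosing `if [ "${BASH_SOURCE[0]}" = "${0}" ]` block continues outside the hunk.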
8 changes: 1 addition & 7 deletions deployment/bin/lib
Expand Up @@ -71,8 +71,6 @@ function azlogin() {
function cluster_login() {
echo "Logging into the cluster..."

azlogin;

az aks get-credentials \
--resource-group ${RESOURCE_GROUP} \
--name ${CLUSTER_NAME} \
Expand All @@ -84,9 +82,7 @@ function cluster_login() {
# So we export to a kubeconfig file
echo "Converting kubeconfig..."
kubelogin convert-kubeconfig \
--login spn \
--client-id ${ARM_CLIENT_ID} \
--client-secret ${ARM_CLIENT_SECRET} \
-l azurecli \
--kubeconfig=kubeconfig
export KUBECONFIG=kubeconfig
}
Expand Down Expand Up @@ -128,8 +124,6 @@ function prepare_funcs() {
function deploy_funcs() {
require_env "FUNCTION_APP_NAME"

azlogin

prepare_funcs

pushd /opt/src/pcfuncs_deploy
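Review bot: `kubelogin convert-kubeconfig -l azurecli` and the preceding `az aks get-credentials` both now rely on an Azure CLI session established before `cluster_login` runs, since the `azlogin;` call was removed, but nothing in the function states that; a comment above the kubelogin call, `# azurecli mode reuses the az CLI token cache (azure/login in CI, mounted ~/.azure in dev); no SP secret needed`, would record the assumption. The hunk header shows `function azlogin()` is still defined at line 71 while the two call sites in this file are removed here; if nothing else invokes it, deleting it or marking it as a dev-only helper avoids a future reader reintroducing the secret-based path. The second and third hunks start inside `cluster_login` and `deploy_funcs`, whose bodies extend beyond what is shown.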
8 changes: 7 additions & 1 deletion deployment/docker-compose.yml
Expand Up @@ -14,7 +14,12 @@ services:
- ARM_SUBSCRIPTION_ID
- ARM_TENANT_ID
- ARM_CLIENT_ID
- ARM_CLIENT_SECRET
- ARM_USE_OIDC
- ARM_OIDC_TOKEN
- ACTIONS_ID_TOKEN_REQUEST_URL
- ACTIONS_ID_TOKEN_REQUEST_TOKEN
- ARM_OIDC_REQUEST_TOKEN
- ARM_OIDC_REQUEST_URL

# Used in the dev stack as an identifier
- TF_VAR_username=${USER}
Expand All @@ -32,3 +37,4 @@ services:
- ../deployment:/opt/src/deployment
- ../pccommon:/opt/src/pccommon:ro
- ../pcfuncs:/opt/src/pcfuncs:ro
- ~/.azure:/root/.azure
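Review bot: The new `~/.azure:/root/.azure` bind mount is, as far as the other files in this commit show, the mechanism by which the container now inherits the Azure CLI session instead of running `bin/azlogin`, and it gives the container read-write access to the developer's or runner's CLI token cache; a comment above it, `# az CLI token cache: azure/login in CI, developer login locally; replaces in-container azlogin`, would make the intent visible, and an `:ro` mount is worth trying if token refresh inside the container turns out not to be needed. `ACTIONS_ID_TOKEN_REQUEST_TOKEN` and `ARM_OIDC_REQUEST_TOKEN` are bearer credentials that let the container request OIDC tokens on the workflow's behalf, so they deserve a comment noting they are CI-only and unset in dev rather than sitting unannotated in the pass-through list. The `services:` stanza these hunks belong to continues outside both hunks.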
3 changes: 2 additions & 1 deletion deployment/terraform/resources/providers.tf
@@ -1,5 +1,6 @@
provider azurerm {
features {}
use_oidc = true
}

terraform {
Expand All @@ -8,7 +9,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "3.77.0"
version = "3.97.1"
}
}
}
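Review bot: `use_oidc = true` is hard-coded in the provider block, so every run, including a developer using docker-compose with a plain `az login` session, is configured for OIDC even though the commit also sets `ARM_USE_OIDC` in the environment for the same purpose; unless the azurerm provider is confirmed to fall through to CLI authentication when no OIDC token is present, `use_oidc = var.use_oidc` with a false default, or relying on `ARM_USE_OIDC` alone, keeps local runs working. The same hard-coded `use_oidc = true` is added to the backend block in deployment/terraform/staging/main.tf, which then needs the `ARM_OIDC_*` or `ACTIONS_ID_TOKEN_REQUEST_*` variables that docker-compose now passes through; a one-line comment at each site naming that requirement would help. The `terraform` block in the second hunk continues outside what is shown.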
1 change: 1 addition & 0 deletions deployment/terraform/staging/main.tf
Expand Up @@ -32,6 +32,7 @@ terraform {
storage_account_name = "pctesttfstate"
container_name = "pc-test-api"
key = "pqe-apis.tfstate"
use_oidc = true
}
}

3 changes: 1 addition & 2 deletions scripts/ciauthenticate
Expand Up @@ -15,5 +15,4 @@ CI authentication for this project.

# curl -sL https://aka.ms/InstallAzureCLIDeb | bash
# az login --service-principal --username ${CLIENT_ID} --tenant "microsoft.onmicrosoft.com" --password ${CLIENT_SECRET}
az acr login --name pccomponentstest
docker login pccomponentstest.azurecr.io --username ${CLIENT_ID} --password ${CLIENT_SECRET}
az acr login --name pccomponentstest

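Review bot: The commented-out `az login --service-principal ... --password ${CLIENT_SECRET}` line kept at the top of the hunk still documents the secret-based flow this commit removes, and the workflow no longer supplies `CLIENT_ID` or `CLIENT_SECRET` to this script, so the comment is now misleading; replace it with `# Expects an Azure CLI session from the azure/login step; acr login reuses it`. Since `az acr login` depends on that session, a preceding `az account show >/dev/null || { echo "ciauthenticate: no Azure CLI session" >&2; exit 1; }` turns a missing login into a direct failure at this step. The header comment on line 15, "CI authentication for this project.", should now state that authentication happens in the workflow and this script only obtains the registry credential.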