feat: Add OIDC implementation to platform workflow (subscription cleanup) (Azure#3011)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes Azure#123
Fixes Azure#456
Closes Azure#123
Closes Azure#456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| Backward compatibility: run tested before setting up OIDC in the target environment https://github.com/Azure/bicep-registry-modules/actions/runs/10304434978 <img width="469" alt="image" src="https://github.com/user-attachments/assets/c9297acc-cd05-418f-9e46-2636c0c09642"> |
| OIDC: run tested after setting up OIDC <img width="541" alt="image" src="https://github.com/user-attachments/assets/c35542c3-8240-4fd3-8ce9-89e5d8fcde44"> <img width="330" alt="image" src="https://github.com/user-attachments/assets/3d463dc2-d8df-4525-b33d-ab1bd32057d0"> |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [x] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same update/change
- [ ] I have run `Set-AVMModule` locally to generate the supporting module files.
- [ ] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->
eriqua authored Aug 8, 2024
1 parent 3f2601f commit 391fdde
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions .github/workflows/platform.deployment.history.cleanup.yml
Expand Up @@ -50,6 +50,9 @@ jobs:
job_cleanup_subscription_deployments:
runs-on: ubuntu-latest
name: "Remove Subscription deployments"
environment: avm-validation
permissions:
id-token: write # For OIDC
needs:
- job_initialize_pipeline
if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleSubscriptionScope == 'true' }}
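Review bot: the job-level `permissions:` block added here does more than grant `id-token: write`; once a job declares `permissions`, every scope not listed (`contents`, `actions`, `packages`, ...) is set to `none` for that job. If any step in `job_cleanup_subscription_deployments` checks out the repository or calls the GitHub API with `GITHUB_TOKEN`, add `contents: read` next to `id-token: write`. Also, because `environment: avm-validation` is set on the job, the OIDC token's `sub` claim will be `repo:Azure/bicep-registry-modules:environment:avm-validation`, so the federated credential on the Entra app must be created with that environment subject rather than a branch subject; worth stating in the PR description so the environment setup is reproducible.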
Expand All @@ -62,10 +65,17 @@ jobs:
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment

# [Azure login] task(s)
# ------------------------------
# Supports both OIDC and service principal with secret
# 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
enable-AzPSSession: true

- name: Remove deployments
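Review bot: keeping `creds: ${{ secrets.AZURE_CREDENTIALS }}` alongside the three OIDC inputs leaves the client-secret path alive as a silent fallback: as the new comment says, `creds` is only ignored when `client-id`, `subscription-id` or `tenant-id` is set, so in an environment where `VALIDATE_CLIENT_ID` is empty the job quietly logs in with the long-lived secret and nothing in the run flags it. That is acceptable for the migration the two test runs in the description demonstrate, but add a follow-up to drop the `creds` line and delete or rotate `AZURE_CREDENTIALS` once OIDC is confirmed in the target environment, otherwise the secret this change is meant to retire stays in use indefinitely.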
Expand All @@ -89,6 +99,9 @@ jobs:
job_cleanup_managementGroup_deployments:
runs-on: ubuntu-latest
name: "Remove Management Group deployments"
environment: avm-validation
permissions:
id-token: write # For OIDC
needs:
- job_initialize_pipeline
if: ${{ (fromJson(needs.job_initialize_pipeline.outputs.workflowInput)).handleManagementGroupScope == 'true' }}
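Review bot: same remark as for the subscription job: this `permissions:` block resets every unlisted scope to `none` for `job_cleanup_managementGroup_deployments`, so add `contents: read` if the job checks out the repository. Separately, OIDC changes only how the identity authenticates, not what it may do; the role assignments that allow the identity behind `VALIDATE_CLIENT_ID` to remove deployments at management-group scope must exist on the app registration independently of whatever the service principal in `AZURE_CREDENTIALS` had, and the backward-compatibility run in the description does not exercise that path.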
Expand All @@ -101,10 +114,17 @@ jobs:
- name: Set environment
uses: ./.github/actions/templates/avm-setEnvironment

# [Azure login] task(s)
# ------------------------------
# Supports both OIDC and service principal with secret
# 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
enable-AzPSSession: true

- name: Remove deployments
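Review bot: the four-line login comment and the `Azure Login` step are now duplicated verbatim between the subscription and management-group jobs. Consider moving them into a composite action under `./.github/actions/templates/`, following the `avm-setEnvironment` pattern used just above, so that the planned removal of `creds`, or a future bump of `azure/login@v2`, is a one-place change instead of two copies that can drift.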
