【5章】CICD（azd版）の追加

* Added CICD workflow * Added workflow_dispatch trigger
Azure-Samples · Nov 17, 2023 · 1895e81 · 1895e81
1 parent 7aa90ad
commit 1895e81
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 6 deletions.
diff --git a/.github/workflows/5.deploy_azd.yml b/.github/workflows/5.deploy_azd.yml
@@ -0,0 +1,81 @@
+name: '5.internal-document-search-deployment-azd'
+
+on: [workflow_dispatch]
+# GitHub Actions workflow to deploy to Azure using azd
+# To configure required secrets for connecting to Azure, simply run `azd pipeline config`
+# Set up permissions for deploying with secretless Azure federated credentials
+# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: windows-latest
+    environment:
+      name: sample-env
+    env:
+      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install azd
+        uses: Azure/[email protected]
+
+      - name: Login azure
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }} 
+          enable-AzPSSession: true
+
+      - name: Log in with Azure (Federated Credentials)
+        if: ${{ env.AZURE_CLIENT_ID != '' }}
+        run: |
+          cd 5.internal-document-search
+          azd auth login `
+            --client-id "$Env:AZURE_CLIENT_ID" `
+            --federated-credential-provider "github" `
+            --tenant-id "$Env:AZURE_TENANT_ID"
+        shell: pwsh
+
+      - name: Log in with Azure (Client Credentials)
+        if: ${{ env.AZURE_CREDENTIALS != '' }}
+        run: |
+          cd 5.internal-document-search
+          $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
+          Write-Host "::add-mask::$($info.clientSecret)"
+
+          azd auth login `
+            --client-id "$($info.clientId)" `
+            --client-secret "$($info.clientSecret)" `
+            --tenant-id "$($info.tenantId)"
+        shell: pwsh
+        env:
+          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDEfNTIALS }}
+
+      - name: Provision Infrastructure
+        run: |
+          cd 5.internal-document-search
+          azd provision --no-prompt
+        shell: pwsh
+        env:
+          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+          AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_PRINCIPAL_TYPE: ${{ vars.AZURE_PRINCIPAL_TYPE }}
+
+      - name: Deploy Application
+        run: |
+          cd 5.internal-document-search
+          azd deploy --no-prompt
+        shell: pwsh
+        env:
+          AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+          AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+          AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          AZURE_PRINCIPAL_TYPE: ${{ vars.AZURE_PRINCIPAL_TYPE }}
+
diff --git a/5.internal-document-search/infra/main.bicep b/5.internal-document-search/infra/main.bicep
@@ -54,6 +54,7 @@ param cosmosDbDatabaseName string = 'ChatHistory'
 param cosmosDbContainerName string = 'Prompts'
 
 
+
 param vnetLocation string = location
 param vnetAddressPrefix string = '10.0.0.0/16'
 
@@ -67,6 +68,7 @@ param vmLoginName string = 'azureuser'
 @secure()
 param vmLoginPassword string
 
+
 @description('Id of the user or app to assign application roles')
 param principalId string = ''
 
@@ -528,7 +530,7 @@ module openAiRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 
@@ -538,7 +540,7 @@ module formRecognizerRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 
@@ -548,7 +550,7 @@ module storageRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 
@@ -558,7 +560,7 @@ module storageContribRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 
@@ -568,7 +570,7 @@ module searchRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 
@@ -578,7 +580,7 @@ module searchContribRoleUser 'core/security/role.bicep' = {
   params: {
     principalId: principalId
     roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
-    principalType: 'User'
+    principalType: !empty(principalType) ? principalType : 'User'
   }
 }
 

diff --git a/5.internal-document-search/infra/main.parameters.json b/5.internal-document-search/infra/main.parameters.json
@@ -52,6 +52,9 @@
     },
     "appInsightsInstrumentationKey": {
       "value": "${AZURE_APPINSIGHTS_INSTRUMENTATION_KEY}"
+    },
+    "principalType": {
+      "value": "${AZURE_PRINCIPAL_TYPE}"
     }
   }
 }