updated github actions to use federated credentials

Signed-off-by: ishuar <[email protected]>
ishuar · Mar 3, 2024 · a00a9a0 · a00a9a0
1 parent 6c253ff
commit a00a9a0
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 20 deletions.
diff --git a/.github/workflows/ansible-set-up.yaml b/.github/workflows/ansible-set-up.yaml
@@ -31,12 +31,14 @@ on:
         required: true
       AZURE_CLIENT_ID:
         required: true
+        description: The federated identity client id when set up.
       AZURE_CLIENT_SECRET:
-        required: true
+        required: false
       AZURE_TENANT_ID:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
+
 jobs:
   configureWebservers:
     name: Configure Linux VM as Nginx Webservers via Ansible
@@ -51,6 +53,20 @@ jobs:
         uses: Homebrew/actions/setup-homebrew@master
 
       - uses: hashicorp/setup-terraform@v2
+
+      - name: 'Azure Login'
+        uses: azure/login@v1
+        with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Delete Temporary NSG Rule
+        uses: azure/CLI@v1
+        with:
+          azcliversion: 2.50.0
+          inlineScript: |
+            az account show
+
       ## https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable
       ## * https://github.com/hashicorp/setup-terraform/issues/20 ### :: This took my 2 Hours 😡 :: ####
       - name: Terraform Outputs for Temporary NSG Rule
@@ -67,16 +83,6 @@ jobs:
           echo "NSG_NAME=$NSG_NAME" >> $GITHUB_ENV
           echo "WEBSERVERS_SNET_ADDRESS=$WEBSERVERS_SNET_ADDRESS" >> $GITHUB_ENV
           echo "RESOURCE_GROUP_NAME=$RESOURCE_GROUP_NAME" >> $GITHUB_ENV
-        env:
-          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-      - name: Azure Login
-        uses: Azure/login@v1
-        with:
-          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
       - name: Create Temporary NSG Rule
         uses: azure/CLI@v1
@@ -108,11 +114,6 @@ jobs:
         working-directory: ${{ github.workspace }}/ansible
         run: |-
             ansible-playbook ${{ inputs.playbook }} --inventory-file ${{ inputs.inventory }}
-        env:
-          AZURE_CLIENT_ID:  ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_SECRET:  ${{ secrets.AZURE_CLIENT_SECRET }}
-          AZURE_TENANT: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Delete Temporary NSG Rule
         uses: azure/CLI@v1

diff --git a/.github/workflows/terraform-infra-set-up.yaml b/.github/workflows/terraform-infra-set-up.yaml
@@ -40,7 +40,8 @@ env:
   ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
   ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
   ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
+  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+  GH_UID_CLIENT_ID: ${{ secrets.GH_UID_CLIENT_ID }} ## federated identity client id
 
 jobs:
   codeScanning:
@@ -75,6 +76,21 @@ jobs:
       - name: checkout the repository
         uses: actions/checkout@v3
 
+      - name: 'Azure Login'
+        uses: azure/login@v1
+        if:  env.ARM_CLIENT_SECRET == '' && env.GH_UID_CLIENT_ID  != ''
+        with:
+            client-id: ${{ secrets.GH_UID_CLIENT_ID }}
+            tenant-id: ${{ secrets.ARM_TENANT_ID }}
+            subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+
+      - name: Delete Temporary NSG Rule
+        uses: azure/CLI@v1
+        with:
+          azcliversion: 2.50.0
+          inlineScript: |
+            az account show
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2
         with:
@@ -116,6 +132,14 @@ jobs:
       - name: checkout the repository
         uses: actions/checkout@v3
 
+      - name: 'Az CLI login'
+        uses: azure/login@v1
+        if:  env.ARM_CLIENT_SECRET == '' && env.GH_UID_CLIENT_ID  != ''
+        with:
+            client-id: ${{ secrets.GH_UID_CLIENT_ID }}
+            tenant-id: ${{ secrets.ARM_TENANT_ID }}
+            subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v2
         with:

diff --git a/.github/workflows/webservers-config-ansible.yaml b/.github/workflows/webservers-config-ansible.yaml
@@ -30,6 +30,5 @@ jobs:
     secrets:
       ssh-private-key: ${{ secrets.PASSWORDLESS_SSH_PRIVATE_KEY }}
       AZURE_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-      AZURE_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-      AZURE_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-      AZURE_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.GH_UID_CLIENT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}