
Add GitHub Action and make targets to validate bicep
Signed-off-by: Michael Shen <[email protected]>
mjlshen committed May 8, 2024
1 parent c5afbfa commit 60e545e
Showing 5 changed files with 86 additions and 37 deletions.
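--- a/.github/workflows/dev-infrastructure.yml
+++ b/.github/workflows/dev-infrastructure.yml
@@ -0,0 +1,34 @@
+---
+name: Validate dev-infrastructure
+
+on:
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+paths:
+- 'dev-infrastructure/**'
+
+jobs:
+validate_bicep:
+permissions:
+contents: 'read'
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+with:
+fetch-depth: 1
+sparse-checkout: dev-infrastructure
+
+- name: 'az bicep format and lint'
+run: |
+make fmt
+make lint
+- name: Check for uncommitted changes
+run: |
+git diff --exit-code || (echo "::error::Uncommitted changes detected in OpenAPI spec. Please regenerate and commit them." && exit 1)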
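Review bot: The failure message in the last step talks about an "OpenAPI spec", but this job only runs az bicep format and lint over dev-infrastructure, so the annotation will point whoever hits it at the wrong thing; change it to `git diff --exit-code || (echo "::error::Uncommitted changes detected in dev-infrastructure bicep files. Please run 'make fmt' and commit the result." && exit 1)`. The two make steps also run from the repository root while the fmt and lint targets live in dev-infrastructure/Makefile, so unless a root Makefile delegates to it they need `working-directory: dev-infrastructure`. The push trigger carries no paths filter, unlike the pull_request trigger, so every push to main runs the job even when nothing under dev-infrastructure changed.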
28 changes: 21 additions & 7 deletions dev-infrastructure/Makefile
@@ -1,4 +1,3 @@

SHELL = /bin/bash

HCPDEVSUBSCRIPTION="ARO Hosted Control Planes (EA Subscription 1)"
Expand All @@ -9,13 +8,25 @@ DEPLOYMENTNAME=hcp-$(USER)-dev-infra
LOCATION?=eastus
RESOURCEGROUP=aro-hcp-${AKSCONFIG}-$(USER)

ifndef AKSCONFIG
$(error "Must set AKSCONFIG")
endif

list:
@grep '^[^#[:space:]].*:' Makefile

fmt:
set -e; \
FILES="$$(find . -type f -name "*.bicep*")"; \
for file in $$FILES; do \
echo "az bicep format --file $${file}"; \
az bicep format --file $$file; \
done

lint:
set -e; \
FILES="$$(find . -type f -name "*.bicep*")"; \
for file in $$FILES; do \
echo "az bicep lint --file $${file}"; \
az bicep lint --file $$file; \
done

show:
@echo "Resource group : $(RESOURCEGROUP)"
@echo "VPN resource group : $(VPNRESOURCEGROUP)"
Expand All @@ -26,6 +37,9 @@ show:
@echo "DNSZone/deployment : $(DEPLOYMENTNAME)"

setsubscription:
ifndef AKSCONFIG
$(error "Must set AKSCONFIG")
endif
az account set --subscription $(HCPDEVSUBSCRIPTION)
az account show

Expand Down Expand Up @@ -54,9 +68,9 @@ mgmt-cluster: setsubscription rg
--parameters \
configurations/${AKSCONFIG}.bicepparam \
--parameters \
currentUserId=$(CURRENTUSER)
currentUserId=$(CURRENTUSER)

aks.kubeconfig:
aks.kubeconfig: setsubscription
az aks get-credentials -n aro-hcp-cluster-001 -g $(RESOURCEGROUP) -a -f aks.kubeconfig

secrets-download: setsubscription
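Review bot: The fmt and lint recipes in the second hunk iterate `for file in $$FILES` over unquoted find output, so any path containing whitespace is split into bogus arguments, and the same loop body is duplicated verbatim in both targets. Feeding the paths through `find -print0 | xargs -0 -n1` removes the splitting and the duplication while still failing the target when an `az bicep` invocation fails (xargs exits non-zero), so the `set -e` and the loop are no longer needed; `-t` keeps the per-file echo. Separately, moving the AKSCONFIG guard into setsubscription means targets that do not depend on it, such as show, now print `aro-hcp--$(USER)` for RESOURCEGROUP instead of erroring when AKSCONFIG is unset; if that is not intended, show should also depend on setsubscription or keep its own guard.
```makefile
fmt:
	find . -type f -name '*.bicep*' -print0 | xargs -0 -n1 -t az bicep format --file

lint:
	find . -type f -name '*.bicep*' -print0 | xargs -0 -n1 -t az bicep lint --file
```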
6 changes: 3 additions & 3 deletions dev-infrastructure/configurations/svc-cluster.bicepparam
Expand Up @@ -10,9 +10,9 @@ param disableLocalAuth = false
param deployFrontendCosmos = false
param workloadIdentities = items({
frontend_wi: {
uamiName: 'frontend'
namespace: 'aro-hcp'
serviceAccountName: 'frontend'
uamiName: 'frontend'
namespace: 'aro-hcp'
serviceAccountName: 'frontend'
}
})

31 changes: 16 additions & 15 deletions dev-infrastructure/modules/aks-cluster-base.bicep
Expand Up @@ -21,7 +21,6 @@ param podSubnetPrefix string
param clusterType string
param workloadIdentities array


// Local Params
@description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.')
param dnsPrefix string = aksClusterName
Expand Down Expand Up @@ -341,23 +340,25 @@ resource currentUserAksRbacClusterAdmin 'Microsoft.Authorization/roleAssignments
}

resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [
for wi in workloadIdentities: {
location: location
name: '${wi.value.uamiName}-${location}'
}]
for wi in workloadIdentities: {
location: location
name: '${wi.value.uamiName}-${location}'
}
]

resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [
for i in range(0, length(workloadIdentities)): {
parent: uami[i]
name: '${workloadIdentities[i].value.uamiName}-${location}-fedcred'
properties: {
audiences: [
'api://AzureADTokenExchange'
]
issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}'
for i in range(0, length(workloadIdentities)): {
parent: uami[i]
name: '${workloadIdentities[i].value.uamiName}-${location}-fedcred'
properties: {
audiences: [
'api://AzureADTokenExchange'
]
issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}'
}
}
}]
]

// Outputs
output userAssignedIdentities array = [
24 changes: 12 additions & 12 deletions dev-infrastructure/templates/svc-cluster.bicep
Expand Up @@ -50,18 +50,18 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
}
var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0]

module rpCosmosDb '../modules/rp-cosmos.bicep' =
if (deployFrontendCosmos) {
name: 'rp_cosmos_db'
scope: resourceGroup()
params: {
location: location
aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId
vnetId: svcCluster.outputs.aksVnetId
disableLocalAuth: disableLocalAuth
userAssignedMI: frontendMI.uamiID
uamiPrincipalId: frontendMI.uamiPrincipalID
module rpCosmosDb '../modules/rp-cosmos.bicep' =
if (deployFrontendCosmos) {
name: 'rp_cosmos_db'
scope: resourceGroup()
params: {
location: location
aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId
vnetId: svcCluster.outputs.aksVnetId
disableLocalAuth: disableLocalAuth
userAssignedMI: frontendMI.uamiID
uamiPrincipalId: frontendMI.uamiPrincipalID
}
}
}

output frontend_mi_client_id string = frontendMI.uamiClientID
