Bicep Module Registry with GitHub OIDC authentication

A secretless implementation of a Bicep module registry using GitHub Open ID Connect and Azure AD workload identity federation.

The solution deploys an Azure Container Registry and configures Azure Role Based Access Control so that the GitHub repository can push Bicep modules to it through OIDC, with no stored client secret. The deployment workflow and approach can also be reused for many other Azure deployment scenarios.

Deploy the solution

Guidance and scripts assume Linux/bash.

  1. Configure the GitHub CLI to access your GitHub account.
  2. Log in to your target subscription with the Azure CLI and ensure it is the current default subscription:
     az account show -o json --query name
  3. Set the target Resource Group by configuring the environment variable AZURE_RG_NAME (default: bicepregistry).
  4. Set the Azure Region by configuring the environment variable AZURE_LOCATION (default: westeurope).
  5. Set the Azure AD Application names for both the deployment credential and the module push credential (defaults: bicepregistrydeploy and bicepregistryacrpush).
  6. Set the Azure Container Registry name. This is required to be globally unique and defaults to a random name.
     export AZURE_RG_NAME='bicepregistry'
     export AZURE_LOCATION='westeurope'
     export AAD_DEPLOY_APP_NAME='bicepregistrydeploy'
     export AAD_ACRPUSH_APP_NAME='bicepregistryacrpush'
     export AZURE_ACR_NAME=$(echo $RANDOM | md5sum | head -c32)
  7. Run the deployment pre-requisites script:
     ./deploy/deploy.sh
  8. Run the solution deployment workflow:
     gh workflow run deploy.yml
  9. Optionally, run the individual module deployment workflows:
     gh workflow run
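As an added illustration (not code from this repository) of the trust check the secretless flow depends on: Azure AD exchanges a GitHub Actions OIDC token for an access token only when the token's issuer, audience and subject claims exactly match the federated credential configured on the Azure AD application, so the subject should be scoped to the branch or environment that is allowed to push. The repository name, branch and token payloads below are constructed assumptions.

```python
"""Model of the federated-credential match Azure AD applies to a GitHub OIDC token.
Added example; the FederatedCredential fields mirror the issuer/subject/audiences
of an Azure AD federated identity credential, and the tokens are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience requested by azure/login


@dataclass(frozen=True)
class FederatedCredential:
    issuer: str
    subject: str            # matched exactly, no wildcards
    audiences: Tuple[str, ...]


def github_subject(repo: str, ref: Optional[str] = None,
                   environment: Optional[str] = None) -> str:
    """Build the `sub` claim GitHub emits for a run: branch/tag form or environment form."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    return f"repo:{repo}:ref:{ref}"


def token_exchange_allowed(claims: dict, cred: FederatedCredential) -> bool:
    """True only if issuer, audience and subject all match the configured credential.
    Signature verification against GitHub's JWKS is assumed to have happened already."""
    return (claims.get("iss") == cred.issuer
            and claims.get("aud") in cred.audiences
            and claims.get("sub") == cred.subject)


def constructed_token(sub: str, iss: str = GITHUB_ISSUER,
                      aud: str = AZURE_AUDIENCE) -> dict:
    """Constructed (unsigned) OIDC payload for demonstration only."""
    return {"iss": iss, "aud": aud, "sub": sub}


# Assumed credential for the ACR push app: only the main branch of the registry repo.
ACR_PUSH_CRED = FederatedCredential(
    issuer=GITHUB_ISSUER,
    subject=github_subject("example-org/bicep-registry", ref="refs/heads/main"),
    audiences=(AZURE_AUDIENCE,),
)

if __name__ == "__main__":
    for sub in ("repo:example-org/bicep-registry:ref:refs/heads/main",
                "repo:example-org/bicep-registry:ref:refs/heads/feature",
                "repo:other-org/bicep-registry:ref:refs/heads/main"):
        print(sub, "->", token_exchange_allowed(constructed_token(sub), ACR_PUSH_CRED))
```

A run from a feature branch or from a fork (whose `sub` carries the fork's repository name) fails the exact subject match, which is what keeps the push permission scoped without any secret in the repository.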

Requirements

Roadmap