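# DEMO: Deploy Bicep files by using GitHub Actions
#
# Run region by region from an interactive session that is already signed in to
# the GitHub CLI (`gh auth login`), the Azure CLI (`az login`) and Az PowerShell
# (`Connect-AzAccount`). The resource group named in $resourceGroupName_UAMI is
# assumed to exist already; this script does not create it.
#
# Security model: the workflow never holds a client secret. GitHub issues an OIDC
# token for each run, and the federated identity credentials created below allow
# the user-assigned managed identity (UAMI) to exchange that token for an Azure
# access token. The only value handed to GitHub is the UAMI's client ID.
# NOTE(review): the workflow's login step usually also needs the tenant and
# subscription IDs; they are not set here, so check .github/workflows/workflow.yml.

# GitHub repository (owner/name) that the federated credentials will trust.
# It MUST be the repository the workflow actually runs in, otherwise the OIDC
# subject claim never matches and the token exchange is rejected. `gh repo create`
# below creates the repo under the signed-in account - adjust this if that is not
# the owner named here.
$ghRepo = "alexandair/espc23"

# Subscription the Azure CLI and Az PowerShell calls must agree on. Az PowerShell's
# context is the source of truth and is passed explicitly to `az`, so the resource
# group and the role-assignment scope cannot end up in different subscriptions when
# the two tools have different defaults.
$subscriptionId = (Get-AzContext).Subscription.Id
if (-not $subscriptionId) { throw "No Az PowerShell context found; run Connect-AzAccount first." }

#region Create a new GitHub repository
cd c:\gh
# create a new remote repository and clone it locally
gh repo create espc23 --public --clone
#endregion

#region Create resource group
$resourceGroupName = "demowebsite-rg"
$location = "northeurope"
az group create -n $resourceGroupName -l $location --subscription $subscriptionId
#endregion

#region Generate deployment credentials
# Create a user-assigned managed identity
# TODO(review): pin the module with -RequiredVersion (and drop -AllowPrerelease once
# the federated-credential cmdlets you rely on ship in a GA release) so the demo
# does not silently pick up whatever prerelease the gallery serves on the day it runs.
Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease
$resourceGroupName_UAMI = "espc23-rg"
$uamiName = "uami-espc23"
New-AzUserAssignedIdentity -Name $uamiName -ResourceGroupName $resourceGroupName_UAMI -Location $location

# Configure the managed identity to trust GitHub's OIDC issuer.
# Each federated credential is an exact-match (no wildcard) allow rule on the
# token's subject claim:
#   - fic-espc23  : runs on the main branch (any workflow and job on that branch)
#   - fic2-espc23 : jobs that target the "Website" environment, so that environment's
#                   protection rules (required reviewers, branch restrictions) gate
#                   whether a token can be obtained at all
# A run triggered from a pull request, a fork or another branch carries a different
# subject and gets no Azure token. The audience must match the one the workflow's
# login step requests.
$ghIssuer = "https://token.actions.githubusercontent.com"
$ghAudience = "api://AzureADTokenExchange"
New-AzFederatedIdentityCredentials -Name fic-espc23 -IdentityName $uamiName -ResourceGroupName $resourceGroupName_UAMI -Issuer $ghIssuer -Subject "repo:${ghRepo}:ref:refs/heads/main" -Audience $ghAudience
<#
Name       Issuer                                      Subject                                     Audience
----       ------                                      -------                                     --------
fic-espc23 https://token.actions.githubusercontent.com repo:alexandair/espc23:ref:refs/heads/main {api://AzureADTokenExchange}
#>
New-AzFederatedIdentityCredentials -Name fic2-espc23 -IdentityName $uamiName -ResourceGroupName $resourceGroupName_UAMI -Issuer $ghIssuer -Subject "repo:${ghRepo}:environment:Website" -Audience $ghAudience
Get-AzFederatedIdentityCredentials -IdentityName $uamiName -ResourceGroupName $resourceGroupName_UAMI | fl *

# Hand the client ID to the workflow. It identifies the UAMI during OIDC login and
# is not a secret on its own: it is only usable together with a GitHub-issued token
# whose subject matches one of the credentials above.
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroupName_UAMI -Name $uamiName
$uami_clientId = $uami.ClientId
cd c:\gh\espc23
gh secret set AZURE_UAMI_CLIENT_ID --body $uami_clientId

# ADD ROLE ASSIGNMENT FOR UAMI
# ROLE: contributor
# SCOPE: resource group demowebsite-rg
# Least privilege: the grant is scoped to the website's resource group, not the
# subscription, so a compromised workflow run can reach nothing outside it.
# Contributor is still broad for a deployment identity; narrow it to what the
# Bicep files actually deploy if the demo grows beyond a throwaway environment.
$uami_principalId = $uami.PrincipalId
New-AzRoleAssignment -ObjectId $uami_principalId -RoleDefinitionName "Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
#endregion

# Open GitHub repository (https://github.com/alexandair/espc23) in browser
# Workflow file: .github/workflows/workflow.yml
# Other files are in the Deploy folder
cd C:\gh\espc23
gh browse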