forked from JulianHayward/Azure-MG-Sub-Governance-Reporting
-
Notifications
You must be signed in to change notification settings - Fork 0
150 lines (134 loc) · 7.17 KB
/
AzGovViz_OIDC.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# Azure Governance Visualizer v6_major_20230728_1
# First things first:
# 1. Mandatory: define <Management Group Id> in line 11
# 2. Optional: enable the schedule (line 22,23)
# Documentation: https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting
name: AzureGovernanceVisualizer_OIDC
env:
OutputPath: wiki
ManagementGroupId: <Management Group Id> #provide the Management Group Id, not the displayName
ScriptDir: pwsh #example: 'my folder\pwsh' or 'my folder/pwsh'
ScriptPrereqFile: prerequisites.ps1
ScriptFile: AzGovVizParallel.ps1
#optional
WebAppPublish: false #set to true and define the Web App details in the next 3 lines
WebAppSubscriptionId: <subscriptionId> e.g. 2674403a-4acd-40e6-a694-2ac7b968761e
WebAppResourceGroup: <ResourceGroupName> e.g. MyWebAppResourceGroup
WebAppName: <Name> e.g. MyAzGovVizWebApp
#handle the GitHub 100MB file size limit; files in the folder 'OutputPath' hitting the limit will be removed https://docs.github.com/en/repositories/working-with-files/managing-large-files/about-large-files-on-github#file-size-limits
#set to true AND uncomment line 79
HandleGitHub100MBFileSizeLimit: false
on:
#schedule:
# - cron: '30 5 * * *'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
#requirement OIDC
permissions:
id-token: write
contents: write
jobs:
AzureGovernanceVisualizer:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Connect Azure OIDC
uses: azure/login@v2
with:
client-id: ${{secrets.CLIENT_ID}} #create this secret
tenant-id: ${{secrets.TENANT_ID}} #create this secret
subscription-id: ${{secrets.SUBSCRIPTION_ID}} #create this secret
enable-AzPSSession: true
- name: Check prerequisites
uses: azure/powershell@v1
with:
inlineScript: |
. .\$($env:ScriptDir)\$($env:ScriptPrereqFile) -OutputPath ${env:OutputPath}
azPSVersion: "latest"
- name: Run Azure Governance Visualizer
uses: azure/powershell@v1
with:
inlineScript: |
. .\$($env:ScriptDir)\$($env:ScriptFile) -ManagementGroupId ${env:ManagementGroupId} -SubscriptionId4AzContext ${{secrets.SUBSCRIPTION_ID}} -ScriptPath ${env:ScriptDir} -OutputPath ${env:OutputPath} -GitHubActionsOIDC
azPSVersion: "latest"
- name: Handle GH 100MB file size limit
if: env.HandleGitHub100MBFileSizeLimit == 'true'
shell: pwsh
run: |
Write-Host "Checking files in $($env:OutputPath) for GitHub 100MB file size limit"
Write-Host "Ref: https://docs.github.com/en/repositories/working-with-files/managing-large-files/about-large-files-on-github#file-size-limits"
$files = Get-ChildItem -Path $($env:OutputPath) -File -Recurse -ErrorAction Stop
Write-Host "Found total of $($files.Count) files"
$gitHubFileSizeLimit = 100
$largeFiles = $files.where({ $_.Length / 1MB -gt $gitHubFileSizeLimit })
Write-Host "Found $($largeFiles.Count) files hitting the GitHub file size limit"
foreach ($file in $largeFiles) {
Write-Host "File '$($file.Name)' size $($file.Length / 1MB)MB exceeds the GitHub 100MB file size limit - removing file $($file.FullName)"
#Remove-Item -Path $file.FullName -Force
}
- name: Push Azure Governance Visualizer output to repository
run: |
git config --global user.email "[email protected]"
git config --global user.name "azgvz"
git config pull.rebase false
git add --all
git commit -m "$GITHUB_WORKFLOW $GITHUB_JOB"
git push
#log again to avoid timeout before web publishing
- name: Connect Azure OIDC
if: env.WebAppPublish == 'true'
uses: azure/login@v2
with:
client-id: ${{secrets.CLIENT_ID}} #create this secret (GitHub/Setting/Secrets)
tenant-id: ${{secrets.TENANT_ID}} #create this secret
subscription-id: ${{secrets.SUBSCRIPTION_ID}} #create this secret
enable-AzPSSession: true
- name: Publish HTML to WebApp
if: env.WebAppPublish == 'true'
uses: azure/powershell@v1
with:
inlineScript: |
$azAPICallConf = initAzAPICall -DebugAzAPICall $true
$currentTask = "AzAPICall - Check if WebApp ($($env:WebAppName)) has Authentication enabled"
$uri = "$($azAPICallConf['azAPIEndpointUrls'].ARM)/subscriptions/$($env:WebAppSubscriptionId)/resourceGroups/$($env:WebAppResourceGroup)/providers/Microsoft.Web/sites/$($env:WebAppName)/config/authsettings/list?api-version=2021-02-01"
$method = 'POST'
$request = AzAPICall -AzAPICallConfiguration $azAPICallConf -uri $uri -method $method -currentTask $currentTask -listenOn 'Content'
$authStatus = $request.properties.enabled
Write-Host "WebApp ($($env:WebAppName)) has Authentication enabled: $authStatus"
if ($authStatus) {
try {
if (Test-Path -Path "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId)_DefinitionInsights.html") {
try {
Compress-Archive -Path "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId).html", "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId)_DefinitionInsights.html" -DestinationPath "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId).zip" -ErrorAction Stop
}
catch {
throw 'Make sure that the ManagementGroupId variable in the AzGovViz*.yml has correct casing (Linux!=linuX)'
}
}
else {
try {
Compress-Archive -Path "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId).html" -DestinationPath "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId).zip" -ErrorAction Stop
}
catch {
throw 'Make sure that the ManagementGroupId variable in the AzGovViz*.yml has correct casing (Linux!=linuX)'
}
}
$null = Select-AzSubscription -SubscriptionId $($env:WebAppSubscriptionId)
if (Publish-AzWebApp -ResourceGroupName $($env:WebAppResourceGroup) -Name $($env:WebAppName) -ArchivePath "$($env:OutputPath)/AzGovViz_$($env:ManagementGroupId).zip" -Force) {
Write-Host 'HTML published'
}
}
catch {
$_
Write-Host 'HTML NOT published'
Write-Host "RBAC Role 'Website Contributor' is required"
exit 1
}
}
else {
Write-Host 'Assuming and insisting that you do not want to publish your tenant insights to the public'
Write-Host "HTML NOT published. Please configure authentication on the Azure Web App ($($env:WebAppName))."
exit 1
}
azPSVersion: "latest"