Add environment configuration override and protect sensitive parameters (Azure#280)
skeeler authored May 9, 2022
1 parent ce6c27f commit a9c9419
Showing 10 changed files with 116 additions and 52 deletions.
35 changes: 23 additions & 12 deletions .github/workflows/0-everything.yml
Expand Up @@ -22,8 +22,12 @@ on:
default: "HubNetworkWithAzureFirewall"
subscriptionIds:
type: string
description: The subscription ID(s) to use for the deployment.
required: true
description: Subscription ID(s)
required: false
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -48,31 +52,35 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployManagementGroups `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
- name: Deploy Roles
run: |
./RunWorkflows.ps1 `
-DeployRoles `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
- name: Deploy Logging
run: |
./RunWorkflows.ps1 `
-DeployLogging `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
- name: Deploy Policy
run: |
./RunWorkflows.ps1 `
-DeployPolicy `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
Expand All @@ -81,7 +89,8 @@ jobs:
run: |
./RunWorkflows.ps1 `
-Deploy${{github.event.inputs.hubNetworkType}} `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
Expand All @@ -90,17 +99,19 @@ jobs:
run: |
./RunWorkflows.ps1 `
-Deploy${{github.event.inputs.hubNetworkType}} `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF} `
-NvaUsername '${{secrets.NVA_USERNAME}}' `
-NvaPassword '${{secrets.NVA_PASSWORD}}'
-NvaUsername (ConvertTo-SecureString -String '${{secrets.NVA_USERNAME}}' -AsPlainText -Force) `
-NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}} '-AsPlainText -Force)
- name: Deploy Subscriptions
if: github.event.inputs.subscriptionIds != ''
run: |
./RunWorkflows.ps1 `
-DeploySubscriptionIds ${{github.event.inputs.subscriptionIds}} `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-DeploySubscriptionIds '${{github.event.inputs.subscriptionIds}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
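Review bot: The closing quote on the `-NvaPassword` line in the Deploy Hub Network with NVA step is misplaced — `'${{secrets.NVA_PASSWORD}} '-AsPlainText -Force` puts the trailing space inside the string literal and glues `-AsPlainText` onto it, so it is most likely no longer passed as a separate switch and ConvertTo-SecureString will either fail or wrap the wrong value; it should read `-NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}}' -AsPlainText -Force)`. The same typo is in .github/workflows/5-hub-network-with-nva.yml. Separately, every `run:` block in this file and in the other seven workflow files still expands `${{secrets.*}}` and `${{github.event.inputs.*}}` directly into the PowerShell source text, so the secret is present in plaintext in the generated script and an input value containing a single quote breaks out of the literal into command context; wrapping the expression in ConvertTo-SecureString does not change that. The defensive pattern is to map each value into the step's `env:` (for example `ALZ_CREDENTIALS: ${{ secrets.ALZ_CREDENTIALS }}` and `ENVIRONMENT_NAME: ${{ github.event.inputs.environmentName }}`) and reference `$env:ALZ_CREDENTIALS` / `$env:ENVIRONMENT_NAME` inside the script, which keeps the values out of the command text.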
11 changes: 9 additions & 2 deletions .github/workflows/1-management-groups.yml
Expand Up @@ -9,7 +9,13 @@

name: 1 - Management Groups

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,6 +40,7 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployManagementGroups `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
11 changes: 9 additions & 2 deletions .github/workflows/2-roles.yml
Expand Up @@ -9,7 +9,13 @@

name: 2 - Roles

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,6 +40,7 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployRoles `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
11 changes: 9 additions & 2 deletions .github/workflows/3-logging.yml
Expand Up @@ -9,7 +9,13 @@

name: 3 - Logging

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,6 +40,7 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployLogging `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
11 changes: 9 additions & 2 deletions .github/workflows/4-policy.yml
Expand Up @@ -9,7 +9,13 @@

name: 4 - Policy

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,6 +40,7 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployPolicy `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
11 changes: 9 additions & 2 deletions .github/workflows/5-hub-network-with-azure-firewall.yml
Expand Up @@ -9,7 +9,13 @@

name: 5 - Hub Network with Azure Firewall

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,6 +40,7 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployHubNetworkWithAzureFirewall `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
15 changes: 11 additions & 4 deletions .github/workflows/5-hub-network-with-nva.yml
Expand Up @@ -9,7 +9,13 @@

name: 5 - Hub Network with NVA

on: workflow_dispatch
on:
workflow_dispatch:
inputs:
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -34,8 +40,9 @@ jobs:
run: |
./RunWorkflows.ps1 `
-DeployHubNetworkWithNVA `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF} `
-NvaUsername '${{secrets.NVA_USERNAME}}' `
-NvaPassword '${{secrets.NVA_PASSWORD}}'
-NvaUsername (ConvertTo-SecureString -String '${{secrets.NVA_USERNAME}}' -AsPlainText -Force) `
-NvaPassword (ConvertTo-SecureString -String '${{secrets.NVA_PASSWORD}} '-AsPlainText -Force)
13 changes: 9 additions & 4 deletions .github/workflows/6-subscriptions.yml
Expand Up @@ -14,8 +14,12 @@ on:
inputs:
subscriptionIds:
type: string
description: The subscription ID(s) to use for the deployment.
required: true
description: Subscription ID(s)
required: false
environmentName:
type: string
description: Environment name
required: false

defaults:
run:
Expand All @@ -39,7 +43,8 @@ jobs:
- name: Deploy Subscriptions
run: |
./RunWorkflows.ps1 `
-DeploySubscriptionIds ${{github.event.inputs.subscriptionIds}} `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-DeploySubscriptionIds '${{github.event.inputs.subscriptionIds}}' `
-EnvironmentName '${{github.event.inputs.environmentName}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
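Review bot: `subscriptionIds` is now `required: false`, but the Deploy Subscriptions step in this file has no `if: github.event.inputs.subscriptionIds != ''` guard like the one added in 0-everything.yml, so an empty input is still passed as `-DeploySubscriptionIds ''`; with the `[string[]]` parameter in RunWorkflows.ps1 that most likely arrives as a one-element array and the `.Count -gt 0` check will not stop a deployment against an empty subscription ID. Add the same `if:` condition to this step. Also, quoting the value as `'${{github.event.inputs.subscriptionIds}}'` changes how PowerShell parses a comma-separated list — unquoted it was an array literal, quoted it is a single string — so if the input may hold several IDs, confirm they are still split downstream or split here, e.g. `-DeploySubscriptionIds ('${{github.event.inputs.subscriptionIds}}' -split ',')`.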
2 changes: 2 additions & 0 deletions .github/workflows/README.md
Expand Up @@ -42,6 +42,8 @@ The subscription ids input value can be one of:

There are two `Hub Networking` workflows, but you only need to run one of them. The networking workflow you run is based on whether you choose to implement the Azure Firewall or a Network Virtual Appliance (NVA).

All workflows take an optional `Environment Name` input. By default, the environment name is derived from a combination of the GitHub repository name and branch name, i.e. `repo-branch`. You can use the `Environment Name` input value to override the derived value, forcing the workflow to use configuration folders and files for a specific `repo-branch`.

In the default implementation, all workflows are run manually. This behavior can be changed by modifying the corresponding YAML workflow definition files. For example, to trigger workflow on a push or pull request to the repository.

These workflow definitions are implemented using modularized PowerShell scripts in the `scripts/deployments` path. The main entry point for these scripts is `scripts/deployments/RunWorkflows.ps1`.
48 changes: 26 additions & 22 deletions scripts/deployments/RunWorkflows.ps1
Expand Up @@ -79,7 +79,7 @@ OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
Deploy 2 subscriptions interactively.
.EXAMPLE
PS> .\RunWorkflows.ps1 -GitHubRepo 'Azure/CanadaPubSecALZ' -GitHubRef 'refs/head/main' -LoginServicePrincipalJson '<output from: az ad sp create-for-rbac>' -DeployManagementGroups
PS> .\RunWorkflows.ps1 -GitHubRepo 'Azure/CanadaPubSecALZ' -GitHubRef 'refs/head/main' -LoginServicePrincipalJson (ConvertTo-SecureString -String '<output from: az ad sp create-for-rbac>' -AsPlainText -Force) -DeployManagementGroups
Deploy management groups using service principal authentication.
Expand All @@ -89,7 +89,7 @@ OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
run: |
./RunWorkflows.ps1 `
-DeployManagementGroups `
-LoginServicePrincipalJson '${{secrets.ALZ_CREDENTIALS}}' `
-LoginServicePrincipalJson (ConvertTo-SecureString -String '${{secrets.ALZ_CREDENTIALS}}' -AsPlainText -Force) `
-GitHubRepo ${env:GITHUB_REPOSITORY} `
-GitHubRef ${env:GITHUB_REF}
#>
Expand All @@ -106,14 +106,14 @@ Param(
[string[]]$DeploySubscriptionIds=@(),

# How to deploy
[string]$EnvironmentName="CanadaESLZ-main",
[string]$EnvironmentName="",
[string]$GitHubRepo=$null,
[string]$GitHubRef=$null,
[string]$LoginInteractiveTenantId=$null,
[string]$LoginServicePrincipalJson=$null,
[SecureString]$LoginServicePrincipalJson=$null,
[string]$WorkingDirectory=(Resolve-Path "../.."),
[string]$NvaUsername=$null,
[string]$NvaPassword=$null
[SecureString]$NvaUsername=$null,
[SecureString]$NvaPassword=$null
)

#Requires -Modules Az, powershell-yaml
Expand All @@ -124,19 +124,23 @@ $ErrorActionPreference = "Stop"
# Please follow the instructions on https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/onboarding/azure-devops-pipelines.md
# to setup the configuration files. Once the configuration files are setup, you can choose to run this script or use Azure DevOps.

# Construct environment name from GitHub repo and ref (result: <repo>-<branch>)
if ((-not [string]::IsNullOrEmpty($GitHubRepo)) -and (-not [string]::IsNullOrEmpty($GitHubRef))) {
$EnvironmentName = `
$GitHubRepo.Split('/')[1] + '-' + `
$GitHubRef.Split('/')[$GitHubRef.Split('/').Count-1]
Write-Host "Environment name: $EnvironmentName"
# Use $EnvironmentName parameter if specified, otherwise derive from GitHub or Azure DevOps environment.
if ([string]::IsNullOrEmpty($EnvironmentName)) {

# Construct environment name from GitHub repo and ref (result: <repo>-<branch>)
if ((-not [string]::IsNullOrEmpty($GitHubRepo)) -and (-not [string]::IsNullOrEmpty($GitHubRef))) {
$EnvironmentName = `
$GitHubRepo.Split('/')[1] + '-' + `
$GitHubRef.Split('/')[$GitHubRef.Split('/').Count-1]
Write-Host "Environment name: $EnvironmentName"
}

# Construct environment name from Azure DevOps (result: <repo>-<branch>)
<#
TO BE IMPLEMENTED
#>
}

# Construct environment name from Azure DevOps (result: <repo>-<branch>)
<#
TO BE IMPLEMENTED
#>

# Load functions
Write-Host "Loading functions..."
. ".\Functions\EnvironmentContext.ps1"
Expand All @@ -157,9 +161,9 @@ if (-not [string]::IsNullOrEmpty($LoginInteractiveTenantId)) {
}

# Az Login via Service Principal
if (-not [string]::IsNullOrEmpty($LoginServicePrincipalJson)) {
if ($LoginServicePrincipalJson -ne $null) {
Write-Host "Logging in to Azure using service principal..."
$ServicePrincipal = $LoginServicePrincipalJson | ConvertFrom-Json
$ServicePrincipal = ($LoginServicePrincipalJson | ConvertFrom-SecureString -AsPlainText) | ConvertFrom-Json
$Password = ConvertTo-SecureString $ServicePrincipal.password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ServicePrincipal.appId, $Password
Connect-AzAccount -ServicePrincipal -TenantId $ServicePrincipal.tenant -Credential $Credential
Expand Down Expand Up @@ -255,8 +259,8 @@ if ($DeployHubNetworkWithNVA) {
-SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-nva-configurationFileName'])" `
-LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId `
-NvaUsername $NvaUsername `
-NvaPassword $NvaPassword
-NvaUsername (ConvertFrom-SecureString -SecureString $NvaUsername -AsPlainText) `
-NvaPassword (ConvertFrom-SecureString -SecureString $NvaPassword -AsPlainText)
}

# Hub Networking with Azure Firewall
Expand Down Expand Up @@ -291,7 +295,7 @@ if ($DeployHubNetworkWithAzureFirewall) {
}

# Deploy Subscription archetypes
if ($DeploySubscriptionIds.Count -gt 0) {
if (($DeploySubscriptionIds -ne $null) -and ($DeploySubscriptionIds.Count -gt 0)) {
Write-Host "Deploying Subscriptions..."
# Get Logging information using logging config file
$LoggingConfiguration = Get-LoggingConfiguration `
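Review bot: `ConvertFrom-SecureString -AsPlainText`, now used for the service principal JSON and again for the NVA username and password, exists only in PowerShell 7.0 and later, but the script still declares only `#Requires -Modules Az, powershell-yaml`; on Windows PowerShell 5.1 the parameter does not exist and the login step would fail with a parameter-binding error rather than a clear message, so add `#Requires -Version 7.0` beside the modules line. The new `($DeploySubscriptionIds -ne $null)` test puts an array on the left of `-ne`, which in PowerShell filters the array instead of returning a boolean — it happens to work here because an empty result is falsy, but the idiomatic form is `$null -ne $DeploySubscriptionIds`, and for consistency `$null -ne $LoginServicePrincipalJson` in the login block. Note too that the SecureString parameters are converted straight back to plaintext into `$ServicePrincipal` and into the `-NvaUsername`/`-NvaPassword` arguments, so the typed parameters are a transport wrapper rather than an in-memory protection; the parameter help should say so. Finally, `$NvaUsername` and `$NvaPassword` still default to `$null`, which `ConvertFrom-SecureString -SecureString` rejects, so a guard such as `if ($null -eq $NvaUsername -or $null -eq $NvaPassword) { throw "NvaUsername and NvaPassword are required with -DeployHubNetworkWithNVA" }` before the NVA deployment call would give a clearer failure.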
