-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Bicep contribution guidelines - OIDC setup #1773
base: main
Are you sure you want to change the base?
Conversation
docs/content/contributing/bicep/bicep-contribution-flow/_index.md
Outdated
Show resolved
Hide resolved
docs/content/contributing/bicep/bicep-contribution-flow/_index.md
Outdated
Show resolved
Hide resolved
docs/content/contributing/bicep/bicep-contribution-flow/_index.md
Outdated
Show resolved
Hide resolved
docs/content/contributing/bicep/bicep-contribution-flow/_index.md
Outdated
Show resolved
Hide resolved
{{< /hint >}} | ||
To do so, simply navigate to the [Public Bicep Registry](https://github.com/Azure/bicep-registry-modules) repository, select the `'Fork'` button to the top right of the UI, select where the fork should be created (i.e., the owning organization) and finally click 'Create fork'. | ||
|
||
### 1.1 Create a GitHub environment |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this environment also required without OIDC? If not, would it make sense to move the instructions into 'Option 1' below?
|
||
Module owners are expected to fork the [`Azure/bicep-registry-modules`](https://github.com/Azure/bicep-registry-modules) repository and work on a branch from within their fork, before then creating a Pull Request (PR) back into the [`Azure/bicep-registry-modules`](https://github.com/Azure/bicep-registry-modules) repository's `main` branch. | ||
1. Create a new or leverage an existing user-assigned managed identity with at least `Contributor` & `User Access Administrator` permissions on the Management-Group/Subscription you want to test the modules in. You might find the following links useful: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If wonder if it would make sense to recommend the newer Role Based Access Control Administrator
role instead if the original User Access Administrator
.
docs/content/contributing/bicep/bicep-contribution-flow/_index.md
Outdated
Show resolved
Hide resolved
- In the Federated credential scenario dropdown box, select `GitHub Actions deploying Azure resources` | ||
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_02.png" alt="OIDC scenario" width=80%> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- In the Federated credential scenario dropdown box, select `GitHub Actions deploying Azure resources` | |
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_02.png" alt="OIDC scenario" width=80%> | |
- In the Federated credential scenario dropdown box, select `GitHub Actions deploying Azure resources` | |
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_02.png" alt="OIDC scenario" width=80%> |
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_01.png" alt="OIDC federated credentials" width=60%> | ||
- In the Federated credential scenario dropdown box, select `GitHub Actions deploying Azure resources` | ||
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_02.png" alt="OIDC scenario" width=80%> | ||
- For Organization, specify your GitHub organization name, for Repository specify the value `bicep-registry-modules`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- For Organization, specify your GitHub organization name, for Repository specify the value `bicep-registry-modules`. | |
- For the `Organization`, specify your GitHub organization name, for the `Repository` the value `bicep-registry-modules`. |
- In the Federated credential scenario dropdown box, select `GitHub Actions deploying Azure resources` | ||
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_02.png" alt="OIDC scenario" width=80%> | ||
- For Organization, specify your GitHub organization name, for Repository specify the value `bicep-registry-modules`. | ||
- For Entity type, select `Environment` and specify the value `avm-validation`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- For Entity type, select `Environment` and specify the value `avm-validation`. | |
- For the `Entity` type, select `Environment` and specify the value `avm-validation`. |
- For Organization, specify your GitHub organization name, for Repository specify the value `bicep-registry-modules`. | ||
- For Entity type, select `Environment` and specify the value `avm-validation`. | ||
- Add a Name for the federated credential, for example, `avm-gh-env-validation`. | ||
- The Issuer, Audiences, and Subject identifier fields autopopulate based on the values you entered. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- The Issuer, Audiences, and Subject identifier fields autopopulate based on the values you entered. | |
- The `Issuer`, `Audiences`, and `Subject identifier` fields autopopulate based on the values you entered. |
- Select `Add` to configure the federated credential. | ||
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_03.png" alt="OIDC Add" width=80%> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Select `Add` to configure the federated credential. | |
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_03.png" alt="OIDC Add" width=80%> | |
- Select `Add` to configure the federated credential. | |
<img src="../../../img/bicep-ci/msiOIDCAddFederatedIdentity_03.png" alt="OIDC Add" width=80%> |
|
||
{{< expand "➕ Option 2 [Deprecated]: Configure Service Principal + Secret" "expand/collapse" >}} | ||
|
||
1. Create a new or leverage an existing Service Principal with at least `Contributor` & `User Access Administrator` permissions on the Management-Group/Subscription you want to test the modules in. You might find the following links useful: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same ask as in this comment, whether we should recommend a different role than User Access Administrator
To use the environment's pipelines you should use the information you gathered during the [Azure setup](#1-setup-your-azure-test-environment) to set up the following repository secrets: | ||
#### 3.1.1 Shared repository secrets | ||
|
||
To use the environment's pipelines you should set up the following repository secrets: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To use the environment's pipelines you should set up the following repository secrets: | |
To use the _Continuous Integration_ environment's workflows you should set up the following repository secrets: |
|
||
To lower the barrier to entry and allow users to easily define their own naming conventions, we introduced a default 'name prefix' for all deployed resources. | ||
|
||
This prefix is **only** used by the CI environment you validate your modules in, and doesn't affect the naming of any resources you deploy as part of any multi-module solutions (applications/workloads) based on the modules. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This prefix is **only** used by the CI environment you validate your modules in, and doesn't affect the naming of any resources you deploy as part of any multi-module solutions (applications/workloads) based on the modules. | |
This prefix is **only** used by the CI environment you validate your modules in, and doesn't affect the naming of any resources you deploy as part of any solutions (applications/workloads) based on the modules. |
Would just recommend to remove that one word as some solutions (e.g., my image creation construct) only use a single module.
|
||
This prefix is **only** used by the CI environment you validate your modules in, and doesn't affect the naming of any resources you deploy as part of any multi-module solutions (applications/workloads) based on the modules. | ||
|
||
Each pipeline in AVM deploying resources uses a logic that automatically replaces "tokens" (i.e., placeholders) in any module test file. These tokens are, for example, included in the resources names (e.g. `'name: kvlt-${namePrefix}'`). Tokens are stored as repository secrets to facilitate maintenance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Each pipeline in AVM deploying resources uses a logic that automatically replaces "tokens" (i.e., placeholders) in any module test file. These tokens are, for example, included in the resources names (e.g. `'name: kvlt-${namePrefix}'`). Tokens are stored as repository secrets to facilitate maintenance. | |
Each workflow in AVM deploying resources uses a logic that automatically replaces "tokens" (i.e., placeholders) in any module test file. These tokens are, for example, included in the resources names (e.g. `'name: kvlt-${namePrefix}'`). Tokens are stored as repository secrets to facilitate maintenance. |
|
||
#### 3.1.2 Authentication secrets | ||
|
||
In addition to shared repository secrets detailed above, additional GitHub secrets are required to allow the deployment identity authentication to Azure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In addition to shared repository secrets detailed above, additional GitHub secrets are required to allow the deployment identity authentication to Azure. | |
In addition to shared repository secrets detailed above, additional GitHub secrets are required to allow the deploying identity to authentication to Azure. |
|
||
{{< expand "➕ Option 1 [Recommended]: Authenticate via OIDC" "expand/collapse" >}} | ||
|
||
Create the following environment secrets in the `avm-validation` GitHub environment created at [Step 1](#1-fork-the-module-source-repository) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depending on the answer to this comment, the environment may or may not exist...
1. Navigate to the repository's `Settings`. | ||
|
||
<img src="../../../img/bicep-ci/forkSettings.png" alt="Navigate to settings" width=100%> | ||
|
||
2. In the list of settings, select `Environments`. Click on the previously created `avm-validation` environment. | ||
|
||
<img src="../../../img/bicep-ci/forkSettingsEnvironmentConfigure.png" alt="Navigate to environments" width=100%> | ||
|
||
3. In the `Environment secrets` Section click on the `Add environment secret` button. | ||
|
||
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd.png" alt="Navigate to env secrets" width=70%> | ||
|
||
3. In the opening view, you can create a secret by providing a secret `Name`, a secret `Value`, followed by a click on the `Add secret` button. | ||
|
||
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd_02.png" alt="Add env secret" width=100%> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. Navigate to the repository's `Settings`. | |
<img src="../../../img/bicep-ci/forkSettings.png" alt="Navigate to settings" width=100%> | |
2. In the list of settings, select `Environments`. Click on the previously created `avm-validation` environment. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentConfigure.png" alt="Navigate to environments" width=100%> | |
3. In the `Environment secrets` Section click on the `Add environment secret` button. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd.png" alt="Navigate to env secrets" width=70%> | |
3. In the opening view, you can create a secret by providing a secret `Name`, a secret `Value`, followed by a click on the `Add secret` button. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd_02.png" alt="Add env secret" width=100%> | |
1. Navigate to the repository's `Settings`. | |
<img src="../../../img/bicep-ci/forkSettings.png" alt="Navigate to settings" width=100%> | |
2. In the list of settings, select `Environments`. Click on the previously created `avm-validation` environment. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentConfigure.png" alt="Navigate to environments" width=100%> | |
3. In the `Environment secrets` Section click on the `Add environment secret` button. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd.png" alt="Navigate to env secrets" width=70%> | |
3. In the opening view, you can create a secret by providing a secret `Name`, a secret `Value`, followed by a click on the `Add secret` button. | |
<img src="../../../img/bicep-ci/forkSettingsEnvironmentSecretAdd_02.png" alt="Add env secret" width=100%> |
Co-authored-by: Alexander Sehr <[email protected]>
Co-authored-by: Alexander Sehr <[email protected]>
Co-authored-by: Alexander Sehr <[email protected]>
Co-authored-by: Alexander Sehr <[email protected]>
Overview/Summary
Add OIDC authentication option to Bicep contribution guidelines
This PR fixes/adds/changes/removes
Breaking Changes
As part of this Pull Request I have
main
branch