A secretless implementation of a Bicep module registry using GitHub Open ID Connect and Azure AD workload identity federation.
The solution deploys Azure Container Registry and configures Azure Role Based Access Control to allow the GitHub repository to push Bicep modules to it through OIDC, so no long-lived credential is stored in GitHub. However, the deployment workflow and approach can be reused to support many other Azure deployment scenarios.
Guidance/Scripts are Linux/bash.
- Configure the GitHub CLI to access your GitHub account.
- Log in to your target subscription with Azure CLI and ensure it is the current default subscription.
az account show -o json --query name
- Set the target Resource Group by configuring the environment variable AZURE_RG_NAME (default: bicepregistry)
- Set the Azure Region by configuring the environment variable AZURE_LOCATION (default: westeurope)
- Set the Azure AD Application names for both the deployment credential and the module push credential (defaults: bicepregistrydeploy and bicepregistryacrpush)
- Set the Azure Container Registry name. This is required to be globally unique and defaults to a random name.
export AZURE_RG_NAME='bicepregistry'
export AZURE_LOCATION='westeurope'
export AAD_DEPLOY_APP_NAME='bicepregistrydeploy'
export AAD_ACRPUSH_APP_NAME='bicepregistryacrpush'
export AZURE_ACR_NAME=$(echo $RANDOM | md5sum | head -c32)
- Run the deployment prerequisites script
./deploy/deploy.sh
- Run the solution deployment workflow
gh workflow run deploy.yml
- Optionally, run the individual module deployment workflows
gh workflow run
- Support for GitHub Releases, waiting on federated identity credential support for wildcards #373
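The trust that deploy.sh and the workflow rely on, shown as an added bash example rather than the repository's own script: a federated identity credential that pins the GitHub OIDC subject to one repository and one branch, and an AcrPush assignment scoped to the registry alone. GITHUB_REPO and GITHUB_BRANCH are assumed variables; the README's app, resource group and registry names are passed in as arguments.

```bash
#!/usr/bin/env bash
# Added example, not the project's deploy.sh: the minimal Azure CLI calls that
# create a secretless trust between one GitHub repo and one Azure AD app, then
# grant that app AcrPush on a single registry. Requires a logged-in az CLI.
set -euo pipefail

# Build the OIDC subject claim GitHub Actions will present. Pinning it to one
# repo and one ref means a token minted for any other repo or branch is rejected.
fic_subject() {
  local repo="$1" kind="$2" name="$3"
  case "$kind" in
    branch)      echo "repo:${repo}:ref:refs/heads/${name}" ;;
    tag)         echo "repo:${repo}:ref:refs/tags/${name}" ;;
    environment) echo "repo:${repo}:environment:${name}" ;;
    *) echo "unknown subject kind: ${kind}" >&2; return 1 ;;
  esac
}

# JSON body for 'az ad app federated-credential create --parameters'.
fic_parameters() {
  local cred_name="$1" subject="$2"
  printf '{"name":"%s","issuer":"https://token.actions.githubusercontent.com","subject":"%s","audiences":["api://AzureADTokenExchange"]}\n' \
    "$cred_name" "$subject"
}

# Create the app, its service principal, the federated credential and the
# least-privilege role assignment. Only run against a real subscription.
configure_push_identity() {
  local app_name="$1" repo="$2" branch="$3" rg="$4" acr="$5"
  local app_id sp_id acr_id
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  az ad sp create --id "$app_id" >/dev/null
  sp_id=$(az ad sp show --id "$app_id" --query id -o tsv)
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fic_parameters "github-${branch}" "$(fic_subject "$repo" branch "$branch")")"
  # AcrPush scoped to this registry only: the identity can push modules here
  # and nothing else in the subscription.
  acr_id=$(az acr show -n "$acr" -g "$rg" --query id -o tsv)
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal --role AcrPush --scope "$acr_id" >/dev/null
  echo "$app_id"   # the workflow needs only this non-secret client id
}

# Preview the trust document for the README defaults (assumed repo/branch values).
fic_parameters "github-main" \
  "$(fic_subject "${GITHUB_REPO:-myorg/bicep-registry}" branch "${GITHUB_BRANCH:-main}")"
```

Run `configure_push_identity "$AAD_ACRPUSH_APP_NAME" myorg/bicep-registry main "$AZURE_RG_NAME" "$AZURE_ACR_NAME"` after the registry exists; the workflow then authenticates with `permissions: id-token: write` and the printed client id.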