-
Notifications
You must be signed in to change notification settings - Fork 0
/
kv_access.yml
104 lines (94 loc) · 3.43 KB
/
kv_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Enable ACI access to KV
on:
workflow_call:
inputs:
environment:
required: true
type: string
resource_group:
required: true
type: string
acr_name:
required: true
type: string
aci_name:
required: true
type: string
build_number:
required: true
type: string
short_name:
required: true
type: string
kv_name:
required: true
type: string
cpu:
required: true
type: string
memory:
required: true
type: string
secrets:
azure_credentials:
required: true
jobs:
access-to-kv:
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
steps:
- uses: actions/checkout@v2
- uses: azure/login@v1
with:
creds: ${{ secrets.azure_credentials }}
- run: |
export rgID=$(az group show --name ${{ inputs.resource_group }} --query 'id' --output tsv)
echo "::set-output name=rg_id::$rgID"
name: 'Get RG id'
id: rg_id_step
- run: |
export acrPW=$(az acr credential show --name ${{ inputs.acr_name }} --resource-group ${{ inputs.resource_group }} --query 'passwords[0].value' --output tsv)
echo "::set-output name=acr_password::$acrPW"
name: 'Get ACR password'
id: acr_password_step
- run: |
az container stop --name ${{ inputs.aci_name }} --resource-group ${{ inputs.resource_group }}
name: 'Stop container before'
id: stop_aci_step1
- run: |
az container create \
--resource-group ${{ inputs.resource_group }} \
--dns-name-label ${{ inputs.resource_group }}${{ github.run_number }} \
--name ${{ inputs.aci_name }} \
--image ${{ inputs.acr_name }}.azurecr.io/${{ inputs.short_name }}-${{ inputs.environment }}-image:${{ inputs.build_number }} \
--registry-login-server ${{ inputs.acr_name }}.azurecr.io \
--assign-identity --scope ${{ steps.rg_id_step.outputs.rg_id }} \
--registry-password ${{ steps.acr_password_step.outputs.acr_password }} \
--registry-username ${{ inputs.acr_name }} \
--restart-policy OnFailure \
--cpu ${{ inputs.cpu }} \
--memory ${{ inputs.memory }}
name: 'Enable managed identity'
id: enable_identity_step
- run: |
az container stop --name ${{ inputs.aci_name }} --resource-group ${{ inputs.resource_group }}
name: 'Stop container after'
id: stop_aci_step2
- run: |
export spID=$(az container show \
--resource-group ${{ inputs.resource_group }} \
--name ${{ inputs.aci_name }} \
--query identity.principalId --out tsv)
echo "::set-output name=sp_id::$spID"
name: 'Get Service Principal (obj id)'
id: get_sp_step
- run: |
az keyvault set-policy \
--name ${{ inputs.kv_name }} \
--resource-group ${{ inputs.resource_group }} \
--object-id ${{ steps.get_sp_step.outputs.sp_id }} \
--secret-permissions get
outputs:
rg_id: ${{ steps.rg_id_step.outputs.rg_id }}
acr_password: ${{ steps.acr_password_step.outputs.acr_password }}
sp_id: ${{ steps.get_sp_step.outputs.rg_id_step.sp_id }}