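@description('Azure region for the user-assigned identity.')
param location string

@description('Tags applied to the identity created by this module.')
param tags object

@description('GitHub repository in "owner/name" form. It is interpolated verbatim into every federated credential subject below, so a wrong value here silently trusts a different repository.')
param githubRepoNameWithOwner string

@description('Default branch whose pushes may assume the identity (subject ref:refs/heads/<branch>). The value is also used to build a credential name, which cannot contain "/"; see the credential definitions.')
param githubDefaultBranchName string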
///////////////////////////////////
// Resource names
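@description('Name of the user-assigned managed identity that GitHub Actions will assume via OIDC.')
param githubIdentityName string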
///////////////////////////////////
// Configuration
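// Only config.environments is read from this file; its keys become GitHub environment names
// (and therefore OIDC subject claims), so the set of keys is part of the trust boundary.
var config = loadJsonContent('./../config.json')

// Every credential is assembled here and written by a single, serialised resource loop below,
// because concurrent writes to /federatedIdentityCredentials on one identity are rejected.
// Each entry is the GitHub OIDC subject claim a token must carry to be exchanged for this
// identity; nothing else in this file decides who may log in.

// The credential name is a child resource name and may not contain '/', the ARM segment
// separator, so a branch such as 'release/1.0' is flattened in the name only; the subject
// keeps the real ref. NOTE(review): other characters (e.g. '.') may also be rejected by the
// credential name rules — confirm before relying on such a branch name.
var ghBranchCredentials = [{
  name: 'github-branch-${replace(githubDefaultBranchName, '/', '-')}'
  subject: 'repo:${githubRepoNameWithOwner}:ref:refs/heads/${githubDefaultBranchName}'
}]

// Jobs that declare `environment: platform`.
var ghPlatformCredentials = [{
  name: 'github-env-platform'
  subject: 'repo:${githubRepoNameWithOwner}:environment:platform'
}]

// One credential per key of config.environments. A key named 'platform' would produce the
// same credential name as the entry above and the deployment would fail on the duplicate,
// so keep that name out of config.json.
var ghEnvironmentCredentials = [for item in items(config.environments): {
  name: 'github-env-${item.key}'
  subject: 'repo:${githubRepoNameWithOwner}:environment:${item.key}'
}]

// Environment-scoped subjects only restrict *who* can deploy as far as the GitHub environment
// itself is protected (required reviewers, deployment branch policy); without protection
// rules any workflow in the repository can reference the environment and obtain the token.
var githubCredentials = concat(ghBranchCredentials, ghPlatformCredentials, ghEnvironmentCredentials)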
///////////////////////////////////
// New resources
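// NOTE(review): this is a preview API version; check whether a GA version of
// Microsoft.ManagedIdentity/userAssignedIdentities is available before building further on it.
@description('User-assigned identity that GitHub Actions assumes via OIDC. It holds no secret of its own; trust is granted solely through the federated credentials defined below.')
resource githubIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  name: githubIdentityName
  location: location
  tags: tags
}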
// Writing more than one credential concurrently fails with the following error:
// "Concurrent Federated Identity Credentials writes under the same managed identity are not supported"
// ErrorCode: "ConcurrentFederatedIdentityCredentialsWritesForSingleManagedIdentity"
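@batchSize(1)
@description('Lets GitHub Actions workflows running on the default branch, in the "platform" environment, or in any configured environment exchange their OIDC token for this identity')
resource federatedCredentials 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2022-01-31-preview' = [for item in githubCredentials: {
  name: item.name
  parent: githubIdentity
  properties: {
    // Audience the presented token must carry; this is the value Azure expects for GitHub-issued tokens.
    audiences: [
      'api://AzureADTokenExchange'
    ]
    // Pinned to GitHub.com's OIDC issuer. NOTE(review): GitHub Enterprise Server issues tokens
    // from a different issuer URL, so this would need to become a parameter for GHES.
    issuer: 'https://token.actions.githubusercontent.com'
    // Subject claim the presented token must match. Every entry maps onto the SAME identity, so a
    // workflow matching any one subject receives the union of all roles assigned to it; split
    // identities per environment if environments are meant to have different permissions.
    subject: item.subject
  }
}]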
///////////////////////////////////
// Outputs
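@description('Client ID of the identity: the value GitHub Actions presents as client-id when logging in with OIDC. It is an identifier, not a credential; the trust decision is made by the federated credentials in this file.')
output githubIdentityClientId string = githubIdentity.properties.clientId

@description('Principal (object) ID for role assignments. This file grants no roles itself; the caller decides what the identity may do, so keep those assignments to the minimum each environment needs.')
output githubIdentityPrincipalId string = githubIdentity.properties.principalId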