
[BRE-847] Adding composite action to do azure login (#400)

Andy Pixley 7 months ago committed by GitHub
parent
commit
1c631c6d4b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 85
      .github/workflows/test-get-secrets.yml
  2. 123
      azure-login/README.md
  3. 21
      azure-login/action.yml
  4. 52
      azure-logout/README.md
  5. 10
      azure-logout/action.yml

85
.github/workflows/test-get-secrets.yml

@ -0,0 +1,85 @@
name: Test Azure Login and Get Key Vault Action
on:
pull_request:
paths:
- "azure-login/**"
- "azure-logout/**"
- "get-keyvault-secrets/**"
- ".github/workflows/test-get-secrets.yml"
push:
branches:
- "main"
workflow_dispatch:
permissions:
contents: read
id-token: write
jobs:
test-repo-secrets:
name: Test Get Secrets
runs-on: ubuntu-22.04
env:
_TEST_SECRET_VALUE_1: Test Value 1
_TEST_SECRET_VALUE_2: Test Value 2
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Azure Login
id: azure-login
uses: ./azure-login # Use the local action for testing
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Verify Azure Login
id: verify-login
run: |
az account show --query name --output tsv
- name: Get KV Secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main # TODO: Use ./get-keyvault-secrets for testing of local action changes
with:
keyvault: gh-gh-actions
secrets: "test-secret-1,test-secret-2"
- name: Azure Logout
id: azure-logout
uses: ./azure-logout # Use the local action for testing
- name: Verify Logged Out
id: verify-logout
run: |
az account show --query name --output tsv && (echo "Unexpectedly returned account name instead of being logged out" && exit 1) || echo "Successfully logged out of Azure"
- name: Verify test secret value
run: |
if [[ "${{ steps.get-kv-secrets.outputs.test-secret-1 }}" != "$_TEST_SECRET_VALUE_1" ]]; then
echo "test-secret-1 value is not as expected"
exit 1
fi
if [[ "${{ steps.get-kv-secrets.outputs.test-secret-2 }}" != "$_TEST_SECRET_VALUE_2" ]]; then
echo "test-secret-2 value is not as expected"
exit 1
fi
echo "Test secret values checks successful!"
- name: Check environment
run: |
exit_code=0
env | grep -q "test-secret" || exit_code=$?
if [ $exit_code -eq 0 ]; then
echo "Found test secrets in environment"
exit 1
elif [ $exit_code -eq 1 ]; then
echo "Correctly found no secrets found in environment"
else
exit $exit_code
fi
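Review bot: The `Verify Logged Out` step can never fail: `exit 1` runs inside the `( … )` subshell, so it only ends the subshell, the `&&` chain then evaluates false and the `|| echo "Successfully logged out of Azure"` branch returns 0 — a still-authenticated runner passes this check. Use a brace group so the exit applies to the step shell: `az account show --query name --output tsv && { echo "Unexpectedly returned account name instead of being logged out"; exit 1; } || echo "Successfully logged out of Azure"`, or an explicit `if az account show …; then …; exit 1; fi`. In `Verify test secret value`, the `${{ steps.get-kv-secrets.outputs.test-secret-1 }}` expressions are expanded into the bash script text before it runs, which is the expression-injection pattern; these values come from the project's own Key Vault so the risk is low here, but the idiomatic form is to map them into `env:` on the step (`KV_TEST_SECRET_1: ${{ steps.get-kv-secrets.outputs.test-secret-1 }}`) and compare `"$KV_TEST_SECRET_1"` inside the script. Note also that with the `pull_request` trigger, fork PRs run with `id-token: none` and without repository secrets, so the login step will fail for them rather than being skipped.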

123
azure-login/README.md

@ -0,0 +1,123 @@
# Composite Action for logging into Azure
This action provides a centralized way to login to Azure.
## Inputs
- Required
- subscription_id
- Description: Provides the Azure subscription ID.
- Example:
```
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```
- tenant_id
- Description: Provides the Azure tenant ID.
- Example:
```
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
```
- client_id
- Description: Provides the Azure client ID.
- Example:
```
client_id: ${{ secrets.AZURE_CLIENT_ID }}
```
## Required Permissions
This action requires the `id-token: write` permission to be able to obtain the OIDC token.
__Note that GitHub will set this to `id-token: none` for pull requests from forks, which means the login will fail. [(GitHub Documentation)](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication)__
## Examples
### Job Snippet
```
- name: Azure Login
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
```
### Workflow
#### Repository without environment specific secrets
```
on:
workflow_dispatch:
push:
branches:
- "main"
pull_request:
types: [opened, synchronize, reopened]
jobs:
example:
name: Example Job
runs-on: ubuntu-24.04
permissions:
id-token: write # Necessary for getting OIDC token
steps:
- name: Azure Login
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Get KV Secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-example-repository
secrets: "example-secret-1,example-secret-2"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Use Secrets
shell: bash
run: |
# Use ${{ steps.get-kv-secrets.output.example-secret-1}} in some way
```
#### Repository with environment specific secrets
```
on:
workflow_dispatch:
push:
branches:
- "main"
pull_request:
types: [opened, synchronize, reopened]
jobs:
example:
name: Example Job
runs-on: ubuntu-24.04
environment: Development # This will be used during login to authenticate
permissions:
id-token: write # Necessary for getting OIDC token
steps:
- name: Azure Login
uses: bitwarden/gh-actions/get-secrets@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Get KV Secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-example-repository
secrets: "example-secret-1,example-secret-2"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Use Secrets
shell: bash
run: |
# Use ${{ steps.get-kv-secrets.output.example-secret-1}} in some way

21
azure-login/action.yml

@ -0,0 +1,21 @@
name: "Azure Login"
description: "A composite action to login to Azure"
inputs:
subscription_id:
description: "Azure Subscription ID"
required: true
tenant_id:
description: "Azure Tentant ID"
required: true
client_id:
description: "Azure Client ID"
required: true
runs:
using: "composite"
steps:
- name: Login to Azure using OIDC
uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
subscription-id: ${{ inputs.subscription_id }}
tenant-id: ${{ inputs.tenant_id }}
client-id: ${{ inputs.client_id }}
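Review bot: `description: "Azure Tentant ID"` on the `tenant_id` input is misspelled and is what consumers see in the action's generated documentation; it should read `"Azure Tenant ID"`. Pinning `Azure/login` to a full commit SHA with the version in a trailing comment is the right supply-chain practice; keep that convention when bumping it. The README added for this action in the same commit contradicts it: the environment-specific example uses `bitwarden/gh-actions/get-secrets@main` for the `Azure Login` step where `bitwarden/gh-actions/azure-login@main` is meant, and the `Use Secrets` comments reference `steps.get-kv-secrets.output.example-secret-1` (should be `outputs`), so anyone copying the snippet gets a failing step.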

52
azure-logout/README.md

@ -0,0 +1,52 @@
# Composite Action for logging out of Azure
This action provides a centralized way to logout to Azure.<br/>
## Inputs
None
## Examples
### Step Snippet
```
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
```
### Workflow
```
on:
workflow_dispatch:
push:
branches:
- "main"
pull_request:
types: [opened, synchronize, reopened]
jobs:
example:
name: Example Job
runs-on: ubuntu-24.04
steps:
- name: Azure Login
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Get KV Secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-example-repository
secrets: "example-secret-1,example-secret-2"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Use Secrets
shell: bash
run: |
# Use ${{ steps.get-kv-secrets.output.example-secret-1}} in some way

10
azure-logout/action.yml

@ -0,0 +1,10 @@
name: "Azure Login"
description: "A composite action to logout of Azure"
runs:
using: "composite"
steps:
# This allows for updating logout functionality in a centralized area than all workflows
- name: Login to Azure using OIDC
shell: bash
run:
az logout || true
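Review bot: `name: "Azure Login"` and the step name `Login to Azure using OIDC` are copied from the login action; here they mislabel a logout and make job logs read as if a second login ran — change them to `name: "Azure Logout"` and `- name: Logout of Azure`. The `|| true` means a failed `az logout` is silently ignored, leaving a valid token on the runner behind a green step; if best-effort cleanup is the intent, state it in the comment (`# Best-effort: a logout failure must not fail the calling job`), otherwise drop the `|| true` so callers notice. Putting the command on the line after a bare `run:` parses as a plain folded scalar and works, but `run: az logout || true` (or `run: |`) is the conventional form and avoids surprises if a second command is ever appended. As I recall, Azure/login's own documentation additionally recommends `az cache purge` and `az account clear` when cleaning up on self-hosted runners because `az logout` alone may leave cached tokens — worth confirming against the pinned v2.3.0 docs before relying on this action for that case.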