azurenoops / ref-scca-enclave-landing-zone-starter

A reference implementation of an SCCA-compliant Mission Enclave landing zone that supports running Azure PaaS services using Azure NoOps.

Document required GitHub Action Repository Secrets #47

Open timothymeyers opened 1 year ago

matross-gh commented 1 year ago

Using PowerShell, issue the following commands:

Create App Registration and Principal (assign Owner for management group creation, otherwise Contributor)

```powershell
# Sign in to the tenant and subscription (replace the ##### placeholders)
Connect-AzAccount -Tenant '#####' -Subscription '#####'

# App registration plus a client secret that expires one month after creation
$appName = 'app-starterenclave-001'
$app = New-AzADApplication -DisplayName $appName
$secretStartDate = Get-Date
$secretEndDate = $secretStartDate.AddMonths(1)
$secret = New-AzADAppCredential -StartDate $secretStartDate -EndDate $secretEndDate -ApplicationId $app.AppId
$clientId = (Get-AzADApplication -DisplayName $appName).AppId

# Service principal for the app, then the role assignment (with no -Scope this lands on the current subscription)
$sp = New-AzADServicePrincipal -ApplicationId $clientId
$objectId = (Get-AzADServicePrincipal -DisplayName $appName).Id
$role = New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName Owner

# Identifiers the GitHub workflow needs
$subscriptionId = (Get-AzContext).Subscription.Id
$tenantId = (Get-AzContext).Tenant.Id
```

Create Storage Account and Container for Terraform State Storage

```powershell
$rg = New-AzResourceGroup -Name 'anoa-tfstate-network-artifacts-rg' -Location 'southcentralus'
# '~azure region~' is a placeholder: use the same region as the resource group
$sa = New-AzStorageAccount -ResourceGroupName 'anoa-tfstate-network-artifacts-rg' -Name 'anoaterraform' -Location '~azure region~' -SkuName 'Standard_LRS' -Kind 'StorageV2'
$ctx = New-AzStorageContext -StorageAccountName 'anoaterraform' -UseConnectedAccount
$cnt = New-AzStorageContainer -Name 'tfstate' -Context $ctx
```

Output the Values and Variables to add to GitHub Secrets

```powershell
Out-Host -InputObject @"
AZURE_CLIENT_ID = $($clientId)
AZURE_CLIENT_SECRET = $($secret.SecretText)
AZURE_TENANT_ID = $($tenantId)
AZURE_SUBSCRIPTION_ID = $($subscriptionId)
AZURE_STORAGE_ACCOUNT_NAME = $($sa.StorageAccountName)
AZURE_STORAGE_CONTAINER_NAME = $($cnt.Name)
TFSTATE_RG = $($rg.ResourceGroupName)
"@
```

Add to GitHub Secrets

  1. Navigate to your ref-scca-enclave-landing-zone-starter repository, then click on Settings. In the left navigation Security section, expand Secrets and variables and click on Actions.

  2. Click on New repository secret and create a secret named AZURE_CLIENT_ID using the value from the PowerShell session.

  3. Click on New repository secret and create a secret named AZURE_CLIENT_SECRET using the value from the PowerShell session.

  4. Click on New repository secret and create a secret named AZURE_TENANT_ID using the value from the PowerShell session.

  5. Click on New repository secret and create a secret named AZURE_SUBSCRIPTION_ID using the value from the PowerShell session.

  6. Click on New repository secret and create a secret named AZURE_STORAGE_ACCOUNT_NAME using the value from the PowerShell session.

  7. Click on New repository secret and create a secret named AZURE_STORAGE_CONTAINER_NAME using the value from the PowerShell session.

  8. Click on New repository secret and create a secret named TFSTATE_RG using the value from the PowerShell session.
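As an added example (not part of the comment above or of the project's own scripts), the following PowerShell picks up where those commands leave off: it checks that the service principal, its role assignment and scope, the client secret expiry and the state container actually exist, then loads the seven values into repository secrets with the GitHub CLI so they are never copied out of a console. It assumes the Az.Accounts, Az.Resources and Az.Storage modules are loaded, that `$appName`, `$clientId`, `$secret`, `$tenantId`, `$subscriptionId`, `$sa`, `$cnt` and `$rg` are still set from the session above, and that `gh` is installed and signed in (`gh auth login`); `$repo` is a placeholder to replace with the real owner/repository.

```powershell
# Added example, not from the issue or the project. Assumes the variables
# from the PowerShell session above are still set and that `gh` is
# installed and authenticated. $repo is a placeholder.
$repo = 'OWNER/ref-scca-enclave-landing-zone-starter'

# 1. The service principal must exist and carry a role assignment. Print
#    the scope as well: an unscoped New-AzRoleAssignment puts the role on
#    the whole subscription, which is worth seeing before the secret ships.
$sp = Get-AzADServicePrincipal -DisplayName $appName
if (-not $sp) { throw "Service principal '$appName' not found" }
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id
if (-not $assignments) { throw "No role assignment found for '$appName'" }
$assignments | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 2. Record when the client secret expires (the commands above create a
#    one-month secret) so the rotation date is known up front.
$cred = Get-AzADAppCredential -ApplicationId $clientId |
    Sort-Object EndDateTime -Descending | Select-Object -First 1
if (-not $cred) { throw "No client secret found on application $clientId" }
Write-Host "Client secret expires on $($cred.EndDateTime)"

# 3. The Terraform state container must be reachable with the signed-in account.
$ctx = New-AzStorageContext -StorageAccountName $sa.StorageAccountName -UseConnectedAccount
Get-AzStorageContainer -Name $cnt.Name -Context $ctx | Out-Null

# 4. Set the repository secrets. Each value is piped to gh on stdin, so the
#    secret text never appears on a command line or in shell history.
$secrets = [ordered]@{
    AZURE_CLIENT_ID              = $clientId
    AZURE_CLIENT_SECRET          = $secret.SecretText
    AZURE_TENANT_ID              = $tenantId
    AZURE_SUBSCRIPTION_ID        = $subscriptionId
    AZURE_STORAGE_ACCOUNT_NAME   = $sa.StorageAccountName
    AZURE_STORAGE_CONTAINER_NAME = $cnt.Name
    TFSTATE_RG                   = $rg.ResourceGroupName
}
foreach ($name in $secrets.Keys) {
    if ([string]::IsNullOrWhiteSpace($secrets[$name])) { throw "Value for $name is empty" }
    $secrets[$name] | gh secret set $name --repo $repo
    if ($LASTEXITCODE -ne 0) { throw "gh secret set $name failed" }
}

# 5. Show what the repository now holds (names and update times only;
#    GitHub never returns secret values).
gh secret list --repo $repo
```

Run this in the same session as the commands above; if the role assignment table shows a broader scope than the workflow needs, recreate the assignment with `-Scope` before the secret is used anywhere.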

matross-gh commented 1 year ago

Depends on #58 and recommending this correction to coincide with this issue.