From a9d09b0f7c4be963ede1a2be84a63e2a5b64a236 Mon Sep 17 00:00:00 2001
From: Paul Yuknewicz
Date: Wed, 11 Jun 2025 20:22:55 -0700
Subject: [PATCH 01/48] Scripts and YML for OIDC setup with GitHub Actions
---
 .../scripts/setup-managed-identity-oidc.ps1 | 200 ++++++++++++
 .../scripts/setup-managed-identity-oidc.sh | 299 ++++++++++++++++++
 .github/workflows/azd-oidc-simple.yml | 73 +++++
 .github/workflows/azure-dev.yml | 52 +++
 4 files changed, 624 insertions(+)
 create mode 100644 .github/scripts/setup-managed-identity-oidc.ps1
 create mode 100755 .github/scripts/setup-managed-identity-oidc.sh
 create mode 100644 .github/workflows/azd-oidc-simple.yml
 create mode 100644 .github/workflows/azure-dev.yml
diff --git a/.github/scripts/setup-managed-identity-oidc.ps1 b/.github/scripts/setup-managed-identity-oidc.ps1
new file mode 100644
index 0000000..f238915
--- /dev/null
+++ b/.github/scripts/setup-managed-identity-oidc.ps1
@@ -0,0 +1,200 @@ +# Azure OIDC Setup Script using User-Assigned Managed Identity +# This script is perfect when you don't have permissions to create Service Principals + +param( + [Parameter(Mandatory=$true)] + [string]$SubscriptionId, + + [Parameter(Mandatory=$true)] + [string]$ResourceGroupName, + + [Parameter(Mandatory=$true)] + [string]$GitHubRepo, + + [Parameter(Mandatory=$false)] + [string]$AzureLocation = "eastus2", + + [Parameter(Mandatory=$false)] + [string]$IdentityName = "github-actions-identity" +) + +Write-Host "πŸš€ Setting up OIDC with User-Assigned Managed Identity" -ForegroundColor Green +Write-Host "πŸ“‹ Configuration:" -ForegroundColor Cyan +Write-Host " Subscription: $SubscriptionId" -ForegroundColor White +Write-Host " Resource Group: $ResourceGroupName" -ForegroundColor White +Write-Host " Managed Identity: $IdentityName" -ForegroundColor White +Write-Host " GitHub Repository: $GitHubRepo" -ForegroundColor White +Write-Host " Location: $AzureLocation" -ForegroundColor White + +# Check if user is logged in to Azure +Write-Host "`nπŸ” Checking Azure authentication..." -ForegroundColor Blue +$currentAccount = az account show --query "user.name" -o tsv 2>$null +if (-not $currentAccount) { + Write-Host "❌ Please login to Azure CLI first: az login" -ForegroundColor Red + exit 1 +} + +Write-Host "βœ… Logged in as: $currentAccount" -ForegroundColor Green + +# Set subscription +Write-Host "πŸ”§ Setting subscription..." -ForegroundColor Blue +az account set --subscription $SubscriptionId + +# Check if resource group exists, create if not +Write-Host "πŸ”§ Checking resource group..." -ForegroundColor Blue +$rgExists = az group exists --name $ResourceGroupName +if ($rgExists -eq "false") { + Write-Host "πŸ“¦ Creating resource group: $ResourceGroupName" -ForegroundColor Yellow + az group create --name $ResourceGroupName --location $AzureLocation + Write-Host "βœ… Resource group created successfully!" 
-ForegroundColor Green +} else { + Write-Host "βœ… Resource group exists: $ResourceGroupName" -ForegroundColor Green +} + +# Check if managed identity already exists +Write-Host "πŸ”§ Checking if managed identity exists..." -ForegroundColor Blue +$existingIdentity = az identity show --resource-group $ResourceGroupName --name $IdentityName 2>$null +if ($existingIdentity) { + Write-Host "⚠️ Managed identity '$IdentityName' already exists" -ForegroundColor Yellow + + # Ensure the output is valid JSON + Write-Host "πŸ”§ Debugging raw output before parsing..." -ForegroundColor Blue + Write-Host "Raw output: $existingIdentity" -ForegroundColor White + + if (-not $existingIdentity) { + Write-Host "❌ Invalid JSON output from az identity show" -ForegroundColor Red + Write-Host "Raw output: $existingIdentity" -ForegroundColor White + exit 1 + } + + $identity = $existingIdentity | ConvertFrom-Json + $clientId = $identity.clientId + $principalId = $identity.principalId + + # Validate extracted values + if (-not $clientId -or -not $principalId) { + Write-Host "❌ Failed to extract Client ID or Principal ID" -ForegroundColor Red + Write-Host "Raw output: $existingIdentity" -ForegroundColor White + exit 1 + } + + Write-Host "βœ… Extracted Client ID: $clientId" -ForegroundColor Green + Write-Host "βœ… Extracted Principal ID: $principalId" -ForegroundColor Green + Write-Host "βœ… Using existing managed identity" -ForegroundColor Green +} else { + # Create user-assigned managed identity + Write-Host "πŸ”§ Creating user-assigned managed identity..." -ForegroundColor Blue + $identity = az identity create ` + --resource-group $ResourceGroupName ` + --name $IdentityName ` + --location $AzureLocation | ConvertFrom-Json + + Write-Host "βœ… User-Assigned Managed Identity created successfully!" 
-ForegroundColor Green + + $clientId = $identity.clientId + $principalId = $identity.principalId +} + +Write-Host " Client ID: $clientId" -ForegroundColor White +Write-Host " Principal ID: $principalId" -ForegroundColor White + +# Get tenant ID +$tenantId = az account show --query tenantId --output tsv + +# Check current role assignments +Write-Host "πŸ”§ Checking role assignments..." -ForegroundColor Blue +$existingRoles = az role assignment list --assignee $principalId --scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" | ConvertFrom-Json + +$hasContributor = $existingRoles | Where-Object { $_.roleDefinitionName -eq "Contributor" } + +if (-not $hasContributor) { + # Assign Contributor role to the managed identity + Write-Host "πŸ”§ Assigning Contributor role..." -ForegroundColor Blue + az role assignment create ` + --assignee-object-id $principalId ` + --assignee-principal-type ServicePrincipal ` + --role "Contributor" ` + --scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" + + Write-Host "βœ… Contributor role assigned successfully!" -ForegroundColor Green +} else { + Write-Host "βœ… Contributor role already assigned" -ForegroundColor Green +} + +# List existing federated credentials +Write-Host "πŸ”§ Checking existing federated credentials..." -ForegroundColor Blue +$existingCreds = az identity federated-credential list --identity-name $IdentityName --resource-group $ResourceGroupName | ConvertFrom-Json + +$mainBranchCred = $existingCreds | Where-Object { $_.subject -eq "repo:${GitHubRepo}:ref:refs/heads/main" } +$prCred = $existingCreds | Where-Object { $_.subject -eq "repo:${GitHubRepo}:pull_request" } + +# Create federated credential for main branch +if (-not $mainBranchCred) { + Write-Host "πŸ”§ Creating federated credential for main branch..." 
-ForegroundColor Blue + az identity federated-credential create ` + --name "github-main" ` + --identity-name $IdentityName ` + --resource-group $ResourceGroupName ` + --issuer "https://token.actions.githubusercontent.com" ` + --subject "repo:${GitHubRepo}:ref:refs/heads/main" ` + --audiences "api://AzureADTokenExchange" + + Write-Host "βœ… Main branch federated credential created!" -ForegroundColor Green +} else { + Write-Host "βœ… Main branch federated credential already exists" -ForegroundColor Green +} + +# Create federated credential for pull requests +if (-not $prCred) { + Write-Host "πŸ”§ Creating federated credential for pull requests..." -ForegroundColor Blue + az identity federated-credential create ` + --name "github-pr" ` + --identity-name $IdentityName ` + --resource-group $ResourceGroupName ` + --issuer "https://token.actions.githubusercontent.com" ` + --subject "repo:${GitHubRepo}:pull_request" ` + --audiences "api://AzureADTokenExchange" + + Write-Host "βœ… Pull request federated credential created!" -ForegroundColor Green +} else { + Write-Host "βœ… Pull request federated credential already exists" -ForegroundColor Green +} + +Write-Host "`nπŸŽ‰ OIDC setup completed successfully!" 
-ForegroundColor Green + +# Display GitHub secrets to set +Write-Host "`nπŸ“‹ GitHub Secrets to Configure:" -ForegroundColor Cyan +Write-Host "================================" -ForegroundColor Cyan +Write-Host "AZURE_CLIENT_ID: $clientId" -ForegroundColor White +Write-Host "AZURE_TENANT_ID: $tenantId" -ForegroundColor White +Write-Host "AZURE_SUBSCRIPTION_ID: $SubscriptionId" -ForegroundColor White + +Write-Host "`nπŸ“‹ GitHub Variables to Configure:" -ForegroundColor Cyan +Write-Host "==================================" -ForegroundColor Cyan +Write-Host "AZURE_ENV_NAME: dev (or your preferred environment name)" -ForegroundColor White +Write-Host "AZURE_LOCATION: $AzureLocation" -ForegroundColor White + +Write-Host "`nπŸ”— Setup Instructions:" -ForegroundColor Magenta +Write-Host "1. Go to your GitHub repository: https://github.com/$GitHubRepo" -ForegroundColor White +Write-Host "2. Navigate to Settings > Secrets and variables > Actions" -ForegroundColor White +Write-Host "3. Click 'New repository secret' and add each secret above" -ForegroundColor White +Write-Host "4. Click the 'Variables' tab and add each variable above" -ForegroundColor White +Write-Host "5. Commit and push your .github/workflows/*.yml files" -ForegroundColor White +Write-Host "6. 
Test by creating a pull request or pushing to main branch" -ForegroundColor White + +Write-Host "`nπŸ›‘οΈ Security Benefits of Managed Identity:" -ForegroundColor Green +Write-Host "βœ… No secrets to manage or rotate" -ForegroundColor White +Write-Host "βœ… Azure-managed lifecycle" -ForegroundColor White +Write-Host "βœ… Integrated with Azure RBAC" -ForegroundColor White +Write-Host "βœ… Short-lived tokens only" -ForegroundColor White + +Write-Host "`nπŸ’‘ Pro Tips:" -ForegroundColor Cyan +Write-Host "β€’ Use validate-oidc.ps1 to verify your setup" -ForegroundColor White +Write-Host "β€’ Consider different managed identities for dev/staging/prod" -ForegroundColor White +Write-Host "β€’ The managed identity is scoped to your resource group only" -ForegroundColor White + +Write-Host "`nπŸ” Troubleshooting:" -ForegroundColor Yellow +Write-Host "If you get permission errors, ensure you have:" -ForegroundColor White +Write-Host "β€’ 'Managed Identity Contributor' role in the subscription/RG" -ForegroundColor White +Write-Host "β€’ 'User Access Administrator' role to assign roles" -ForegroundColor White +Write-Host "β€’ Or ask an admin to run this script for you" -ForegroundColor White diff --git a/.github/scripts/setup-managed-identity-oidc.sh b/.github/scripts/setup-managed-identity-oidc.sh new file mode 100755 index 0000000..2198e26 --- /dev/null +++ b/.github/scripts/setup-managed-identity-oidc.sh 
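Review bot: The `if (-not $existingIdentity)` check inside the `if ($existingIdentity)` branch can never be true, so the "Invalid JSON output from az identity show" path is dead code, and the real failure mode — `az identity show` returning something `ConvertFrom-Json` rejects — surfaces as an unhandled exception instead. The larger gap is that none of the native `az` calls (`az account set`, `az group create`, `az identity create`, `az role assignment create`, both `az identity federated-credential create` calls) inspect `$LASTEXITCODE`, so a failed role assignment still prints "Contributor role assigned successfully!" and the script exits 0. Wrap the `ConvertFrom-Json` calls in `try { … } catch { …; exit 1 }` and after each mutating `az` call add `if ($LASTEXITCODE -ne 0) { Write-Host "❌ az command failed" -ForegroundColor Red; exit 1 }`. Note also that the `repo:…:pull_request` subject lets any pull_request-triggered run in the repository obtain this Contributor-scoped identity; if PR runs only need a preview, a separate, lower-privileged identity for that federated credential would bound what a PR run can do.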
@@ -0,0 +1,299 @@ +#!/bin/bash + +# Azure OIDC Setup Script using User-Assigned Managed Identity (Bash version) +# This script is perfect when you don't have permissions to create Service Principals + +set -e # Exit on any error + +# Function to print colored output +print_status() { + echo -e "\033[32mβœ… $1\033[0m" +} + +print_info() { + echo -e "\033[34mπŸ”§ $1\033[0m" +} + +print_error() { + echo -e "\033[31m❌ $1\033[0m" +} + +print_warning() { + echo -e "\033[33m⚠️ $1\033[0m" +} + +print_header() { + echo -e "\033[36m$1\033[0m" +} + +# Function to show usage +show_usage() { + echo "Usage: $0 [OPTIONS]" + echo "" + echo "Required Options:" + echo " -s, --subscription-id SUBSCRIPTION_ID Azure subscription ID" + echo " -g, --resource-group RESOURCE_GROUP Resource group name" + echo " -r, --github-repo GITHUB_REPO GitHub repository (format: owner/repo)" + echo "" + echo "Optional Options:" + echo " -l, --location LOCATION Azure location (default: eastus2)" + echo " -i, --identity-name IDENTITY_NAME Managed identity name (default: github-actions-identity)" + echo " -h, --help Show this help message" + echo "" + echo "Example:" + echo " $0 -s 'your-subscription-id' -g 'rg-recipe-app' -r 'username/repo-name'" +} + +# Parse command line arguments +SUBSCRIPTION_ID="" +RESOURCE_GROUP_NAME="" +GITHUB_REPO="" +AZURE_LOCATION="eastus2" +IDENTITY_NAME="github-actions-identity" + +while [[ $# -gt 0 ]]; do + case $1 in + -s|--subscription-id) + SUBSCRIPTION_ID="$2" + shift 2 + ;; + -g|--resource-group) + RESOURCE_GROUP_NAME="$2" + shift 2 + ;; + -r|--github-repo) + GITHUB_REPO="$2" + shift 2 + ;; + -l|--location) + AZURE_LOCATION="$2" + shift 2 + ;; + -i|--identity-name) + IDENTITY_NAME="$2" + shift 2 + ;; + -h|--help) + show_usage + exit 0 + ;; + *) + print_error "Unknown option: $1" + show_usage + exit 1 + ;; + esac +done + +# Validate required parameters +if [[ -z "$SUBSCRIPTION_ID" || -z "$RESOURCE_GROUP_NAME" || -z "$GITHUB_REPO" ]]; then + print_error "Missing required 
parameters" + show_usage + exit 1 +fi + +print_header "πŸš€ Setting up OIDC with User-Assigned Managed Identity" +print_header "πŸ“‹ Configuration:" +echo " Subscription: $SUBSCRIPTION_ID" +echo " Resource Group: $RESOURCE_GROUP_NAME" +echo " Managed Identity: $IDENTITY_NAME" +echo " GitHub Repository: $GITHUB_REPO" +echo " Location: $AZURE_LOCATION" + +# Check if Azure CLI is installed +if ! command -v az &> /dev/null; then + print_error "Azure CLI is not installed. Please install it first:" + echo " https://docs.microsoft.com/en-us/cli/azure/install-azure-cli" + exit 1 +fi + +# Check if user is logged in to Azure +print_info "Checking Azure authentication..." +if ! CURRENT_ACCOUNT=$(az account show --query "user.name" -o tsv 2>/dev/null); then + print_error "Please login to Azure CLI first: az login" + exit 1 +fi + +print_status "Logged in as: $CURRENT_ACCOUNT" + +# Set subscription +print_info "Setting subscription..." +az account set --subscription "$SUBSCRIPTION_ID" + +# Check if resource group exists, create if not +print_info "Checking resource group..." +if az group exists --name "$RESOURCE_GROUP_NAME" | grep -q "false"; then + print_warning "Creating resource group: $RESOURCE_GROUP_NAME" + az group create --name "$RESOURCE_GROUP_NAME" --location "$AZURE_LOCATION" + print_status "Resource group created successfully!" +else + print_status "Resource group exists: $RESOURCE_GROUP_NAME" +fi + +# Check if managed identity already exists +print_info "Checking if managed identity exists..." +if EXISTING_IDENTITY=$(az identity show --resource-group "$RESOURCE_GROUP_NAME" --name "$IDENTITY_NAME" --output json 2>/dev/null); then + print_warning "Managed identity '$IDENTITY_NAME' already exists" + print_status "Using existing managed identity" + + # Debug: Print raw output before parsing + print_info "Debugging raw output before parsing..." + echo "Raw output: $EXISTING_IDENTITY" + + # Ensure the output is valid JSON + if ! 
echo "$EXISTING_IDENTITY" | jq empty; then + print_error "Invalid JSON output from az identity show" + echo "Raw output: $EXISTING_IDENTITY" + + # Fallback parsing if jq fails + CLIENT_ID=$(echo "$EXISTING_IDENTITY" | grep -o '"clientId":"[^"]*' | cut -d'"' -f4) + PRINCIPAL_ID=$(echo "$EXISTING_IDENTITY" | grep -o '"principalId":"[^"]*' | cut -d'"' -f4) + else + CLIENT_ID=$(echo "$EXISTING_IDENTITY" | jq -r '.clientId') + PRINCIPAL_ID=$(echo "$EXISTING_IDENTITY" | jq -r '.principalId') + fi + + # Debug: Print extracted values after parsing + print_info "Debugging extracted values..." + echo "Extracted Client ID: $CLIENT_ID" + echo "Extracted Principal ID: $PRINCIPAL_ID" + + # Validate extracted values + if [[ -z "$CLIENT_ID" || -z "$PRINCIPAL_ID" ]]; then + print_error "Failed to extract Client ID or Principal ID" + echo "Raw output: $EXISTING_IDENTITY" + exit 1 + fi +else + # Create user-assigned managed identity + print_info "Creating user-assigned managed identity..." + IDENTITY_JSON=$(az identity create \ + --resource-group "$RESOURCE_GROUP_NAME" \ + --name "$IDENTITY_NAME" \ + --location "$AZURE_LOCATION" \ + --output json) + + # Debug: Print raw output + echo "Raw output of az identity create: $IDENTITY_JSON" + + # Ensure the output is valid JSON + if ! echo "$IDENTITY_JSON" | jq empty; then + print_error "Invalid JSON output from az identity create" + echo "Raw output: $IDENTITY_JSON" + exit 1 + fi + + CLIENT_ID=$(echo "$IDENTITY_JSON" | jq -r '.clientId') + PRINCIPAL_ID=$(echo "$IDENTITY_JSON" | jq -r '.principalId') + + print_status "User-Assigned Managed Identity created successfully!" +fi + +# Debug: Print extracted values +print_info "Using extracted values for Client ID and Principal ID" +echo "Client ID: $CLIENT_ID" +echo "Principal ID: $PRINCIPAL_ID" + +# Get tenant ID +TENANT_ID=$(az account show --query tenantId --output tsv) + +# Check current role assignments +print_info "Checking role assignments..." 
+EXISTING_ROLES=$(az role assignment list --assignee "$PRINCIPAL_ID" --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME") + +if echo "$EXISTING_ROLES" | jq -e '.[] | select(.roleDefinitionName == "Contributor")' > /dev/null; then + print_status "Contributor role already assigned" +else + # Assign Contributor role to the managed identity + print_info "Assigning Contributor role..." + az role assignment create \ + --assignee-object-id "$PRINCIPAL_ID" \ + --assignee-principal-type ServicePrincipal \ + --role "Contributor" \ + --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME" + + print_status "Contributor role assigned successfully!" +fi + +# List existing federated credentials +print_info "Checking existing federated credentials..." +EXISTING_CREDS=$(az identity federated-credential list --identity-name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP_NAME") + +# Check for main branch credential +if echo "$EXISTING_CREDS" | jq -e ".[] | select(.subject == \"repo:${GITHUB_REPO}:ref:refs/heads/main\")" > /dev/null; then + print_status "Main branch federated credential already exists" +else + # Create federated credential for main branch + print_info "Creating federated credential for main branch..." + az identity federated-credential create \ + --name "github-main" \ + --identity-name "$IDENTITY_NAME" \ + --resource-group "$RESOURCE_GROUP_NAME" \ + --issuer "https://token.actions.githubusercontent.com" \ + --subject "repo:${GITHUB_REPO}:ref:refs/heads/main" \ + --audiences "api://AzureADTokenExchange" + + print_status "Main branch federated credential created!" +fi + +# Check for pull request credential +if echo "$EXISTING_CREDS" | jq -e ".[] | select(.subject == \"repo:${GITHUB_REPO}:pull_request\")" > /dev/null; then + print_status "Pull request federated credential already exists" +else + # Create federated credential for pull requests + print_info "Creating federated credential for pull requests..." 
+ az identity federated-credential create \ + --name "github-pr" \ + --identity-name "$IDENTITY_NAME" \ + --resource-group "$RESOURCE_GROUP_NAME" \ + --issuer "https://token.actions.githubusercontent.com" \ + --subject "repo:${GITHUB_REPO}:pull_request" \ + --audiences "api://AzureADTokenExchange" + + print_status "Pull request federated credential created!" +fi + +print_header "πŸŽ‰ OIDC setup completed successfully!" + +# Display GitHub secrets to set +print_header "" +print_header "πŸ“‹ GitHub Secrets to Configure:" +print_header "================================" +echo "AZURE_CLIENT_ID: $CLIENT_ID" +echo "AZURE_TENANT_ID: $TENANT_ID" +echo "AZURE_SUBSCRIPTION_ID: $SUBSCRIPTION_ID" + +print_header "" +print_header "πŸ“‹ GitHub Variables to Configure:" +print_header "==================================" +echo "AZURE_ENV_NAME: dev (or your preferred environment name)" +echo "AZURE_LOCATION: $AZURE_LOCATION" + +print_header "" +print_header "πŸ”— Setup Instructions:" +echo "1. Go to your GitHub repository: https://github.com/$GITHUB_REPO" +echo "2. Navigate to Settings > Secrets and variables > Actions" +echo "3. Click 'New repository secret' and add each secret above" +echo "4. Click the 'Variables' tab and add each variable above" +echo "5. Commit and push your .github/workflows/*.yml files" +echo "6. 
Test by creating a pull request or pushing to main branch" + +print_header "" +print_header "πŸ›‘οΈ Security Benefits of Managed Identity:" +print_status "No secrets to manage or rotate" +print_status "Azure-managed lifecycle" +print_status "Integrated with Azure RBAC" +print_status "Short-lived tokens only" + +print_header "" +print_header "πŸ’‘ Pro Tips:" +echo "β€’ Use validate-oidc.sh to verify your setup" +echo "β€’ Consider different managed identities for dev/staging/prod" +echo "β€’ The managed identity is scoped to your resource group only" + +print_header "" +print_header "πŸ” Troubleshooting:" +echo "If you get permission errors, ensure you have:" +echo "β€’ 'Managed Identity Contributor' role in the subscription/RG" +echo "β€’ 'User Access Administrator' role to assign roles" +echo "β€’ Or ask an admin to run this script for you" diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml new file mode 100644 index 0000000..deca9de --- /dev/null +++ b/.github/workflows/azd-oidc-simple.yml 
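Review bot: The `jq` fallback in the existing-identity branch does not match the output it is meant to parse: `az … --output json` pretty-prints with a space after the colon (`"clientId": "…"`), so `grep -o '"clientId":"[^"]*'` finds nothing and the script exits at the `-z` validation anyway, which makes the fallback misleading rather than useful. Nothing checks that `jq` is installed even though the role-assignment and federated-credential checks further down depend on it; if `jq` is missing, `jq -e` fails with command-not-found, each `if` takes the else branch and the script tries to re-create role assignments and credentials that already exist. Add a prerequisite check next to the existing `az` one, `command -v jq >/dev/null 2>&1 || { print_error "jq is required but not installed"; exit 1; }`, and drop the grep fallback. `set -e` is used without `-o pipefail`, so if `az group exists` itself fails the `| grep -q "false"` pipeline just reports "Resource group exists" and the error is only noticed later.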
@@ -0,0 +1,73 @@ +name: Deploy with AZD and OIDC + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +# Required permissions for OIDC +permissions: + id-token: write + contents: read + pull-requests: write + +jobs: + deploy: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install azd + uses: Azure/setup-azd@v1.0.0 + + - name: Log in with Azure (OIDC) + uses: Azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Deploy with azd + shell: bash + run: | + # Set environment variables + export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'dev' }}" + export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + + echo "πŸš€ Starting deployment with azd..." + echo "Environment: $AZURE_ENV_NAME" + echo "Location: $AZURE_LOCATION" + + # Initialize azd environment if it doesn't exist + if ! azd env select $AZURE_ENV_NAME 2>/dev/null; then + echo "πŸ“¦ Creating new azd environment: $AZURE_ENV_NAME" + azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID + fi + + # Deploy the application + if [ "${{ github.event_name }}" == "pull_request" ]; then + echo "πŸ” PR detected - running provision with preview" + azd provision --preview + else + echo "πŸš€ Main branch - deploying application" + azd up --no-prompt + fi + + - name: Get deployment outputs + if: github.event_name != 'pull_request' + shell: bash + run: | + echo "πŸ“‹ Getting deployment information..." + azd show --output table || true + + # Try to get endpoint + ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries | .[0].value.endpoint // empty' || echo "") + if [ -n "$ENDPOINT" ]; then + echo "🌐 Application deployed to: $ENDPOINT" + echo "ENDPOINT=$ENDPOINT" >> $GITHUB_OUTPUT + fi 
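Review bot: `pull-requests: write` in the `permissions` block is not used by any step (nothing comments on or labels PRs), so the job token carries more than it needs; reduce the block to `id-token: write` and `contents: read`. The "Get deployment outputs" step writes `ENDPOINT=…` to `$GITHUB_OUTPUT` but has no `id:`, so no later step or job can read the value, and `$GITHUB_OUTPUT`, `$AZURE_ENV_NAME`, `$AZURE_LOCATION` and `$AZURE_SUBSCRIPTION_ID` are unquoted in the `run:` lines. With the `pull_request` trigger, a PR run logs in with the same Contributor-scoped identity that `azd up` uses on main; if PRs only need `azd provision --preview`, a separate identity or an environment-scoped federated subject would bound what a PR-triggered run can do.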
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml new file mode 100644 index 0000000..3a7dba5 --- /dev/null +++ b/.github/workflows/azure-dev.yml @@ -0,0 +1,52 @@ +# Run when commits are pushed to main +on: + workflow_dispatch: + push: + # Run when commits are pushed to mainline branch (main or master) + # Set this to the mainline branch you are using + branches: + - main + +# Set up permissions for deploying with secretless Azure federated credentials +# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication +permissions: + id-token: write + contents: read + + +jobs: + build: + runs-on: ubuntu-latest + env: + AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }} + AZURE_LOCATION: ${{ vars.AZURE_LOCATION }} + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Install azd + uses: Azure/setup-azd@v2 + - name: Setup .NET + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 8.x.x + 9.x.x + + - name: Log in with Azure (Federated Credentials) + run: | + azd auth login ` + --client-id "$Env:AZURE_CLIENT_ID" ` + --federated-credential-provider "github" ` + --tenant-id "$Env:AZURE_TENANT_ID" + shell: pwsh + + + - name: Provision Infrastructure + run: azd provision --no-prompt + + - name: Deploy Application + run: azd deploy --no-prompt + From 59cc97c3e30f0cd5e2f51aac536f5bf0285b74b0 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:37:38 -0700 Subject: [PATCH 02/48] Updating workflows with proper triggers --- .github/workflows/azd-oidc-simple.yml | 4 ---- .github/workflows/azure-dev.yml | 18 ++++++++++++++++-- 2 files changed, 16 insertions(+), 6 deletions(-) 
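Review bot: This workflow reads `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` from `vars.*`, while `azd-oidc-simple.yml` in the same commit reads them from `secrets.*` and both setup scripts tell the user to create them as repository secrets; anyone who follows the scripts gets empty values here and the `azd auth login` step fails. Pick one source for the three IDs and use it in both workflows, e.g. `AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}` (likewise for tenant and subscription), or change the instructions the scripts print. The job also installs .NET 8 and 9 but no visible step runs `dotnet`; if `azd deploy` needs the SDK, a one-line comment saying so would help, otherwise the step can go.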
diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index deca9de..9e6210d 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -1,10 +1,6 @@ name: Deploy with AZD and OIDC on: - push: - branches: [main] - pull_request: - branches: [main] workflow_dispatch: # Required permissions for OIDC diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index 3a7dba5..5715d5d 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -1,11 +1,25 @@ # Run when commits are pushed to main on: - workflow_dispatch: push: # Run when commits are pushed to mainline branch (main or master) # Set this to the mainline branch you are using branches: - main + pull_request: + branches: [main] + +# Add manual trigger +on: + workflow_dispatch: + inputs: + environment: + description: "Environment to deploy to" + required: true + default: "dev" + branch: + description: "Branch to deploy from" + required: true + default: "main" # Set up permissions for deploying with secretless Azure federated credentials # https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication @@ -49,4 +63,4 @@ jobs: - name: Deploy Application run: azd deploy --no-prompt - + From 26840ec7bcca16e6b2be61bab561a5bc7d1bf34e Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:39:59 -0700 Subject: [PATCH 03/48] Updating action for azd install --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 9e6210d..413b406 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
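Review bot: Adding `pull_request` to this workflow's triggers means every PR against `main` now runs `azd provision --no-prompt` and `azd deploy --no-prompt` with the federated identity, i.e. PR code is deployed to the shared environment before review; `azd-oidc-simple.yml` guards this with an `if … == "pull_request"` branch that only previews, and this workflow has no such guard. Either drop the `pull_request` trigger here or add a preview-only path for that event. The new `workflow_dispatch` inputs `environment` and `branch` are declared but never read: the job still uses `vars.AZURE_ENV_NAME`, and `actions/checkout@v4` checks out the default ref, so choosing a branch in the UI has no effect unless it is passed as `ref: ${{ inputs.branch }}`. The second `on:` key in this hunk duplicates a mapping key and is invalid YAML, which later commits in the series address.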
@@ -18,7 +18,7 @@ jobs: uses: actions/checkout@v4 - name: Install azd - uses: Azure/setup-azd@v1.0.0 + uses: Azure/setup-azd@v2 - name: Log in with Azure (OIDC) uses: Azure/login@v2 From 4ad357f003177160a766ecdc23c7ff0f5f07c4f5 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:41:06 -0700 Subject: [PATCH 04/48] Fixes "You have an error in your yaml syntax on line 12 --- .github/workflows/azure-dev.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index 5715d5d..c310d49 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -27,7 +27,6 @@ permissions: id-token: write contents: read - jobs: build: runs-on: ubuntu-latest From 3f22beae30f3ef110efc3e921a3a7e140aa4eb6b Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:42:22 -0700 Subject: [PATCH 05/48] fixes line 12 error --- .github/workflows/azure-dev.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index c310d49..ab406b6 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -7,9 +7,6 @@ on: - main pull_request: branches: [main] - -# Add manual trigger -on: workflow_dispatch: inputs: environment: From c62639ccfc49287dbc7ba0a712aeb40b5b00ecf0 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:52:03 -0700 Subject: [PATCH 06/48] Setting auth-type to identity --- .github/workflows/azd-oidc-simple.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 413b406..99979e0 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
@@ -23,6 +23,7 @@ jobs: - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: + auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} From fc6cfe695bbf0806d9f6faa951b4a6ac4c8949e7 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 20:55:11 -0700 Subject: [PATCH 07/48] Setting OIDC --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 99979e0..f19805f 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -23,10 +23,10 @@ jobs: - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: - auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + enable-oidc: true - name: Deploy with azd shell: bash From b6dbeda30e68e8951382a5eb4d97a00afd7ed089 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:09:42 -0700 Subject: [PATCH 08/48] Trying no browser flag --- .github/workflows/azd-oidc-simple.yml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index f19805f..1a4e615 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
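Review bot: `enable-oidc: true` is not an input of `Azure/login@v2` as far as I can tell (its inputs are `creds`, `client-id`, `tenant-id`, `subscription-id`, `enable-AzPSSession`, `environment`, `allow-no-subscriptions`, `audience` and `auth-type`), so the action will warn about an unexpected input and ignore it; OIDC is already the path the action takes when `client-id`/`tenant-id`/`subscription-id` are given without `creds`. Remove the line; if the intent is to pin the login mode, `auth-type: SERVICE_PRINCIPAL` (the default) is the documented knob. The login failures this series is chasing are therefore more likely in the later `azd auth login` step than in this action.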
@@ -18,15 +18,25 @@ jobs: uses: actions/checkout@v4 - name: Install azd - uses: Azure/setup-azd@v2 - - - name: Log in with Azure (OIDC) + uses: Azure/setup-azd@v2 - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-oidc: true + federated-credential-provider: github + + - name: AZD Login (Headless) + shell: bash + run: | + echo "πŸ”‘ Logging in with AZD using federated credentials..." + azd auth login \ + --client-id "${{ secrets.AZURE_CLIENT_ID }}" \ + --federated-credential-provider "github" \ + --tenant-id "${{ secrets.AZURE_TENANT_ID }}" \ + --no-browser + echo "βœ… AZD login successful" - name: Deploy with azd shell: bash From 6d6fe9574602b64a51c7c53c74891ad79e92b4df Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:12:20 -0700 Subject: [PATCH 09/48] syntax error fix --- .github/workflows/azd-oidc-simple.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 1a4e615..5f9e908 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -18,7 +18,8 @@ jobs: uses: actions/checkout@v4 - name: Install azd - uses: Azure/setup-azd@v2 - name: Log in with Azure (OIDC) + uses: Azure/setup-azd@v2 + - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} From a10a04393131d73a69f2d5e456db14c88ca3bec9 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:19:08 -0700 Subject: [PATCH 10/48] trying az login as alternative --- .github/workflows/azd-oidc-simple.yml | 59 +++++++++++++++++++++------ 1 file changed, 47 insertions(+), 12 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 5f9e908..1b0ba4b 100644 --- a/.github/workflows/azd-oidc-simple.yml 
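Review bot: `federated-credential-provider: github` is an `azd auth login` flag, not an `Azure/login@v2` input, so adding it under `with:` only produces an unexpected-input warning; the real equivalent already lives in the new "AZD Login (Headless)" step. In that step I do not see `--no-browser` among `azd auth login`'s documented flags; if it is not recognized the step fails with a usage error before any login is attempted, so drop it and rely on `--federated-credential-provider github`, which needs the `id-token: write` permission already declared at the top of the file. The hunk also joins `uses: Azure/setup-azd@v2` and `- name: Log in with Azure (OIDC)` onto one line, which is invalid YAML; the next commit repairs it.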
+++ b/.github/workflows/azd-oidc-simple.yml @@ -1,7 +1,17 @@ name: Deploy with AZD and OIDC on: - workflow_dispatch: + workflow_d echo "βœ… AZD configured to use Azure CLI authentication" + + - name: Deploy with azd + shell: bash + run: | + # Set environment variables + export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'dev' }}" + export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" # Required permissions for OIDC permissions: @@ -18,7 +28,8 @@ jobs: uses: actions/checkout@v4 - name: Install azd - uses: Azure/setup-azd@v2 + uses: Azure/setup-azd@v2 + - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: 
@@ -27,30 +38,54 @@ jobs: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-oidc: true federated-credential-provider: github + # Ensure additional settings for headless operation allow-no-subscriptions: false - - name: AZD Login (Headless) + - name: Configure AZD for Azure CLI authentication shell: bash run: | - echo "πŸ”‘ Logging in with AZD using federated credentials..." - azd auth login \ - --client-id "${{ secrets.AZURE_CLIENT_ID }}" \ - --federated-credential-provider "github" \ - --tenant-id "${{ secrets.AZURE_TENANT_ID }}" \ - --no-browser - echo "βœ… AZD login successful" - - - name: Deploy with azd + echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." + + # Explicitly set environment variables + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + + # Create the azd config directory if it doesn't exist + mkdir -p ~/.azd + + # Configure AZD to use Azure CLI authentication instead of interactive browser login + echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json + + # Verify AZD is using the correct configuration + cat ~/.azd/config.json + + echo "βœ… AZD configured to use Azure CLI authentication"- name: Deploy with azd shell: bash run: | # Set environment variables export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'dev' }}" export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + + # Display diagnostic information + echo "πŸ” Diagnostic information:" + echo "Azure CLI version: $(az --version | head -n 1)" + echo "AZD version: $(azd version)" + echo "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" + echo "Current OIDC token: $(if [[ -n 
$ACTIONS_ID_TOKEN_REQUEST_TOKEN ]]; then echo "Present"; else echo "Not found"; fi)" echo "πŸš€ Starting deployment with azd..." echo "Environment: $AZURE_ENV_NAME" echo "Location: $AZURE_LOCATION" + # Verify Azure CLI login status + if ! az account show &>/dev/null; then + echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." + exit 1 + fi + # Initialize azd environment if it doesn't exist if ! azd env select $AZURE_ENV_NAME 2>/dev/null; then echo "πŸ“¦ Creating new azd environment: $AZURE_ENV_NAME" From 3014e5e14e1761cad66315facc1554c4ae51c7be Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:29:02 -0700 Subject: [PATCH 11/48] fixing syntax --- .github/workflows/azd-oidc-simple.yml | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 1b0ba4b..ecbc74e 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -1,17 +1,7 @@ name: Deploy with AZD and OIDC on: - workflow_d echo "βœ… AZD configured to use Azure CLI authentication" - - - name: Deploy with azd - shell: bash - run: | - # Set environment variables - export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'dev' }}" - export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + workflow_dispatch: # Required permissions for OIDC permissions: @@ -38,7 +28,7 @@ jobs: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-oidc: true federated-credential-provider: github - # Ensure additional settings for headless operation allow-no-subscriptions: false + allow-no-subscriptions: false - name: Configure AZD for Azure CLI authentication shell: bash 
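Review bot: The `Configure AZD for Azure CLI authentication` step writes `{"defaults":{"auth":{"useAzureCli":true}}}` to `~/.azd/config.json`, but as far as I know azd reads this switch as the top-level key `auth.useAzureCli` (what `azd config set auth.useAzureCli true` writes), not nested under `defaults`, so azd will most likely still attempt its own login; confirm against your azd version, and prefer `azd config set auth.useAzureCli true` over hand-writing the file, which also avoids clobbering any existing config with `>`. The `export AZURE_*` lines in that step are discarded when the step's shell exits, so they have no effect on the deploy step, which re-exports them anyway. The same `defaults`-nested JSON is carried into `azure-dev.yml` by commit cbd363b.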
@@ -59,7 +49,9 @@ jobs: # Verify AZD is using the correct configuration cat ~/.azd/config.json - echo "βœ… AZD configured to use Azure CLI authentication"- name: Deploy with azd + echo "βœ… AZD configured to use Azure CLI authentication" + + - name: Deploy with azd shell: bash run: | # Set environment variables From cbd363b4b94f48467e43a81f5628470be2f8f5c0 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:30:15 -0700 Subject: [PATCH 12/48] manual trigger only --- .github/workflows/azure-dev.yml | 60 ++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 15 deletions(-) diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index ab406b6..25ae35e 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -1,12 +1,12 @@ # Run when commits are pushed to main on: - push: - # Run when commits are pushed to mainline branch (main or master) - # Set this to the mainline branch you are using - branches: - - main - pull_request: - branches: [main] + # push: + # # Run when commits are pushed to mainline branch (main or master) + # # Set this to the mainline branch you are using + # branches: + # - main + # pull_request: + # branches: [main] workflow_dispatch: inputs: environment: 
@@ -45,18 +45,48 @@ jobs: 8.x.x 9.x.x - - name: Log in with Azure (Federated Credentials) - run: | - azd auth login ` - --client-id "$Env:AZURE_CLIENT_ID" ` - --federated-credential-provider "github" ` - --tenant-id "$Env:AZURE_TENANT_ID" + - name: Log in with Azure (OIDC) + uses: Azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID || vars.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID || vars.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID || vars.AZURE_SUBSCRIPTION_ID }} + enable-oidc: true + federated-credential-provider: github + # Ensure additional settings for headless operation + allow-no-subscriptions: false + + - name: Configure AZD for Azure CLI authentication shell: pwsh + run: | + Write-Host "πŸ”‘ Setting up AZD to use Azure CLI authentication..." + + # Create the azd config directory if it doesn't exist + New-Item -Path ~/.azd -ItemType Directory -Force + + # Configure AZD to use Azure CLI authentication instead of interactive browser login + Set-Content -Path ~/.azd/config.json -Value '{"defaults":{"auth":{"useAzureCli":true}}}' + + # Verify AZD is using the correct configuration + Get-Content -Path ~/.azd/config.json + + Write-Host "βœ… AZD configured to use Azure CLI authentication" - name: Provision Infrastructure - run: azd provision --no-prompt + shell: pwsh + run: | + Write-Host "πŸ” Diagnostic information:" + Write-Host "Azure CLI version: $(az --version | Select-Object -First 1)" + Write-Host "AZD version: $(azd version)" + Write-Host "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" + + Write-Host "πŸš€ Provisioning infrastructure..." + azd provision --no-prompt - name: Deploy Application - run: azd deploy --no-prompt + shell: pwsh + run: | + Write-Host "πŸš€ Deploying application..." + azd deploy --no-prompt From 5a605f51e2580babf3b130f19f678f88984a4960 Mon Sep 17 00:00:00 2001 
From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:34:31 -0700 Subject: [PATCH 13/48] more oidc --- .github/workflows/azd-oidc-simple.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index ecbc74e..26d87cc 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -26,9 +26,7 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - enable-oidc: true - federated-credential-provider: github - allow-no-subscriptions: false + auth-type: OIDC - name: Configure AZD for Azure CLI authentication shell: bash From 1102a9a5f0746b9a550c88755550174bc4d7b9bf Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:43:48 -0700 Subject: [PATCH 14/48] more oidc --- .github/workflows/azd-oidc-simple.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 26d87cc..68561d7 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -19,14 +19,13 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2 - - - name: Log in with Azure (OIDC) + - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - auth-type: OIDC + audience: api://AzureADTokenExchange - name: Configure AZD for Azure CLI authentication shell: bash From af15a32b5cf6597de143fdcca22ac40729076796 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:49:33 -0700 Subject: [PATCH 15/48] More OIDC --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
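Review bot: `auth-type: OIDC` is not a value `Azure/login@v2` accepts; the input takes `SERVICE_PRINCIPAL` (the default, which is the federated OIDC path when no `creds` are given) or `IDENTITY`, so the login step should simply omit `auth-type`. The follow-up hunk from commit 1102a9a swaps it for `audience: api://AzureADTokenExchange`, which is already the action's default and therefore changes nothing; if logins keep failing with these inputs, the cause is more likely the federated credential's subject or issuer on the managed identity than the action inputs.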
diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 68561d7..1e2e4a7 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -19,7 +19,7 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2 - - name: Log in with Azure (OIDC) + - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} From 1b0542bbd927da876364d3147bfc8e7442db86af Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:51:58 -0700 Subject: [PATCH 16/48] Adding identity auth type --- .github/workflows/azd-oidc-simple.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 1e2e4a7..6788ad5 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -22,6 +22,7 @@ jobs: - name: Log in with Azure (OIDC) uses: Azure/login@v2 with: + auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} From 23b79d451d065835a5404964e22cb9b46331013f Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:53:43 -0700 Subject: [PATCH 17/48] more oidc --- .github/workflows/azd-oidc-simple.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 6788ad5..b46dd67 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -26,7 +26,6 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - audience: api://AzureADTokenExchange - name: Configure AZD for Azure CLI authentication shell: bash From 38e0ca8e09d57588ae5abef823af081ec1d77f6d Mon Sep 17 00:00:00 2001 
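Review bot: `auth-type: IDENTITY` (added in commit 1b0542b) tells the action to authenticate through the managed-identity endpoint of the machine it runs on, which a GitHub-hosted `ubuntu-latest` runner does not have; a user-assigned managed identity with a GitHub federated credential is used via the default auth type with its `client-id`, exactly as the earlier version of the step did. Removing `audience:` in the next hunk is harmless since `api://AzureADTokenExchange` is the default.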
From: Paul Yuknewicz Date: Wed, 11 Jun 2025 21:56:15 -0700 Subject: [PATCH 18/48] UAMI login --- .github/workflows/azd-oidc-simple.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index b46dd67..a1bdbf5 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -20,12 +20,13 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2 - name: Log in with Azure (OIDC) - uses: Azure/login@v2 + uses: azure/login@v2 with: auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + enable-AzPSSession: true - name: Configure AZD for Azure CLI authentication shell: bash From 077557b11118ab0126cb83364c26c6c4cdf5996b Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:09:45 -0700 Subject: [PATCH 19/48] Using vars to debug --- .github/workflows/azd-oidc-simple.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index a1bdbf5..ce6d3e4 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -22,11 +22,9 @@ jobs: - name: Log in with Azure (OIDC) uses: azure/login@v2 with: - auth-type: IDENTITY - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - enable-AzPSSession: true + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Configure AZD for Azure CLI authentication shell: bash From b495c9494a594859f9ef8ade5e408597cb635e0a Mon Sep 17 00:00:00 2001 
From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:16:16 -0700 Subject: [PATCH 20/48] adding debug lines --- .github/workflows/azd-oidc-simple.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index ce6d3e4..b3b826f 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -19,6 +19,17 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2 + + - name: Configure Azure CLI authentication + shell: bash + run: | + echo "πŸ”‘ Setting up Azure CLI authentication..." + + # Explicitly set environment variables + export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" + - name: Log in with Azure (OIDC) uses: azure/login@v2 with: From 3a38a90b9de074d40dae3bbc5ee2dce1f374a1b1 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:21:27 -0700 Subject: [PATCH 21/48] setting explicit dev env --- .github/workflows/azd-oidc-simple.yml | 38 ++++++++++++++++----------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index b3b826f..a1b6319 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -2,6 +2,16 @@ name: Deploy with AZD and OIDC on: workflow_dispatch: + inputs: + environment: + description: 'Environment to deploy to' + required: true + default: 'dev' + type: choice + options: + - dev + - prod + - test # Required permissions for OIDC permissions: 
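Review bot: The new `Configure Azure CLI authentication` step only `export`s variables inside its own `run:` shell, and a step's environment is discarded when the step ends, so the `Log in with Azure (OIDC)` step that follows sees none of them and the step amounts to an echo. If the goal is to make the values available to every step, declare them once at the job level (`env:` on `jobs.deploy`) or append `AZURE_CLIENT_ID=…` lines to `"$GITHUB_ENV"`. The `environment` input added in commit 3a38a90's first hunk is a `choice` with fixed options, which keeps `${{ github.event.inputs.environment }}` safe to expand into scripts only as long as the `type: choice` constraint stays.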
@@ -12,30 +22,27 @@ permissions: jobs: deploy: runs-on: ubuntu-latest + environment: ${{ github.event.inputs.environment || 'dev' }} steps: - name: Checkout uses: actions/checkout@v4 - name: Install azd - uses: Azure/setup-azd@v2 - - - name: Configure Azure CLI authentication + uses: Azure/setup-azd@v2 - name: Configure Azure CLI authentication shell: bash run: | echo "πŸ”‘ Setting up Azure CLI authentication..." # Explicitly set environment variables - export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" - - - name: Log in with Azure (OIDC) + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"- name: Log in with Azure (OIDC) uses: azure/login@v2 with: - client-id: ${{ vars.AZURE_CLIENT_ID }} - tenant-id: ${{ vars.AZURE_TENANT_ID }} - subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Configure AZD for Azure CLI authentication shell: bash @@ -57,13 +64,12 @@ jobs: cat ~/.azd/config.json echo "βœ… AZD configured to use Azure CLI authentication" - - - name: Deploy with azd + - name: Deploy with azd shell: bash run: | - # Set environment variables - export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'dev' }}" - export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" + # Set environment variables based on GitHub environment + export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" + export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus' }}" export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" 
From 32640128e806992920a70e3bb042f59a5fae8d35 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:25:11 -0700 Subject: [PATCH 22/48] quotes --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index a1b6319..ee5b4a2 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -6,7 +6,7 @@ on: environment: description: 'Environment to deploy to' required: true - default: 'dev' + default: dev type: choice options: - dev From 4620475170d7f88cb1ce1fcb5785344f39f8bf0e Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:27:55 -0700 Subject: [PATCH 23/48] syntax fixes --- .github/workflows/azd-oidc-simple.yml | 169 ++++++++++++-------------- 1 file changed, 77 insertions(+), 92 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index ee5b4a2..cb3d509 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
@@ -25,97 +25,82 @@ jobs: environment: ${{ github.event.inputs.environment || 'dev' }} steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install azd - uses: Azure/setup-azd@v2 - name: Configure Azure CLI authentication - shell: bash - run: | - echo "πŸ”‘ Setting up Azure CLI authentication..." - - # Explicitly set environment variables - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"- name: Log in with Azure (OIDC) - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Configure AZD for Azure CLI authentication - shell: bash - run: | - echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." - - # Explicitly set environment variables - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" - - # Create the azd config directory if it doesn't exist - mkdir -p ~/.azd - - # Configure AZD to use Azure CLI authentication instead of interactive browser login - echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json - - # Verify AZD is using the correct configuration - cat ~/.azd/config.json - - echo "βœ… AZD configured to use Azure CLI authentication" - - name: Deploy with azd - shell: bash - run: | - # Set environment variables based on GitHub environment - export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" - export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus' }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" - - # Display diagnostic 
information - echo "πŸ” Diagnostic information:" - echo "Azure CLI version: $(az --version | head -n 1)" - echo "AZD version: $(azd version)" - echo "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" - echo "Current OIDC token: $(if [[ -n $ACTIONS_ID_TOKEN_REQUEST_TOKEN ]]; then echo "Present"; else echo "Not found"; fi)" - - echo "πŸš€ Starting deployment with azd..." - echo "Environment: $AZURE_ENV_NAME" - echo "Location: $AZURE_LOCATION" - - # Verify Azure CLI login status - if ! az account show &>/dev/null; then - echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." - exit 1 - fi - - # Initialize azd environment if it doesn't exist - if ! azd env select $AZURE_ENV_NAME 2>/dev/null; then - echo "πŸ“¦ Creating new azd environment: $AZURE_ENV_NAME" - azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID - fi - - # Deploy the application - if [ "${{ github.event_name }}" == "pull_request" ]; then - echo "πŸ” PR detected - running provision with preview" - azd provision --preview - else - echo "πŸš€ Main branch - deploying application" - azd up --no-prompt - fi + - name: Install azd + uses: Azure/setup-azd@v2 - - name: Get deployment outputs - if: github.event_name != 'pull_request' - shell: bash - run: | - echo "πŸ“‹ Getting deployment information..." - azd show --output table || true - - # Try to get endpoint - ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries | .[0].value.endpoint // empty' || echo "") - if [ -n "$ENDPOINT" ]; then - echo "🌐 Application deployed to: $ENDPOINT" - echo "ENDPOINT=$ENDPOINT" >> $GITHUB_OUTPUT - fi + - name: Configure Azure CLI authentication + shell: bash + run: | + echo "πŸ”‘ Setting up Azure CLI authentication..." 
+ export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + + - name: Log in with Azure (OIDC) + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Configure AZD for Azure CLI authentication + shell: bash + run: | + echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + mkdir -p ~/.azd + echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json + cat ~/.azd/config.json + echo "βœ… AZD configured to use Azure CLI authentication" + + - name: Deploy with azd + shell: bash + run: | + export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" + export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus' }}" + export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + + echo "πŸ” Diagnostic information:" + echo "Azure CLI version: $(az --version | head -n 1)" + echo "AZD version: $(azd version)" + echo "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" + echo "Current OIDC token: $(if [[ -n $ACTIONS_ID_TOKEN_REQUEST_TOKEN ]]; then echo 'Present'; else echo 'Not found'; fi)" + + echo "πŸš€ Starting deployment with azd..." + echo "Environment: $AZURE_ENV_NAME" + echo "Location: $AZURE_LOCATION" + + if ! az account show &>/dev/null; then + echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." + exit 1 + fi + + if ! 
azd env select $AZURE_ENV_NAME 2>/dev/null; then + echo "πŸ“¦ Creating new azd environment: $AZURE_ENV_NAME" + azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID + fi + + if [ "${{ github.event_name }}" == "pull_request" ]; then + echo "πŸ” PR detected - running provision with preview" + azd provision --preview + else + echo "πŸš€ Main branch - deploying application" + azd up --no-prompt + fi + + - name: Get deployment outputs + if: github.event_name != 'pull_request' + shell: bash + run: | + echo "πŸ“‹ Getting deployment information..." + azd show --output table || true + + ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries](#) +ξ€€ \ No newline at end of file From 05cec351b1bb7ca850cd8dc78406f778f55e241e Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:49:18 -0700 Subject: [PATCH 24/48] eliminating environments to simplify --- .github/workflows/azd-oidc-simple.yml | 34 ++++++++++----------------- 1 file changed, 12 insertions(+), 22 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index cb3d509..eb406d9 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -2,16 +2,6 @@ name: Deploy with AZD and OIDC on: workflow_dispatch: - inputs: - environment: - description: 'Environment to deploy to' - required: true - default: dev - type: choice - options: - - dev - - prod - - test # Required permissions for OIDC permissions: 
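Review bot: The `Get deployment outputs` step on the new side ends mid-command, `ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries](#)` followed by a stray non-printing character and no trailing newline, so the `$(`, the single-quoted jq filter and the `if [ -n "$ENDPOINT" ]` block from the old side are lost and the step cannot run. The rest of the re-indent is behaviour-neutral, but `azd env select $AZURE_ENV_NAME` and `azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID` should quote their expansions, and `github.event.inputs.environment` stays safe to inline only while the input remains `type: choice`. Restoring the truncated step, with `$GITHUB_OUTPUT` quoted:
```yaml
      - name: Get deployment outputs
        # … unchanged: if/shell/echo/azd show lines …
          ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries | .[0].value.endpoint // empty' || echo "")
          if [ -n "$ENDPOINT" ]; then
            echo "🌐 Application deployed to: $ENDPOINT"
            echo "ENDPOINT=$ENDPOINT" >> "$GITHUB_OUTPUT"
          fi
```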
@@ -35,24 +25,24 @@ jobs: shell: bash run: | echo "πŸ”‘ Setting up Azure CLI authentication..." - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" - name: Log in with Azure (OIDC) uses: azure/login@v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Configure AZD for Azure CLI authentication shell: bash run: | echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" mkdir -p ~/.azd echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json cat ~/.azd/config.json 
@@ -63,9 +53,9 @@ jobs: run: | export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus' }}" - export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}" - export AZURE_CLIENT_ID="${{ secrets.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ secrets.AZURE_TENANT_ID }}" + export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" + export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" + export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" echo "πŸ” Diagnostic information:" echo "Azure CLI version: $(az --version | head -n 1)" From a9c29bd1a9f28d6b2424c4203b0cc8997327f0f4 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 22:57:57 -0700 Subject: [PATCH 25/48] syntax --- .github/workflows/azd-oidc-simple.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index eb406d9..8a7c860 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -1,5 +1,3 @@ -name: Deploy with AZD and OIDC - on: workflow_dispatch: @@ -12,7 +10,12 @@ permissions: jobs: deploy: runs-on: ubuntu-latest - environment: ${{ github.event.inputs.environment || 'dev' }} + env: + AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }} + AZURE_LOCATION: ${{ vars.AZURE_LOCATION }} steps: - name: Checkout From 360ab80b95f0f2d74e8a9a5f1b7067497ecf85ef Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:01:19 -0700 Subject: [PATCH 26/48] Update azd-oidc-simple.yml --- .github/workflows/azd-oidc-simple.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 8a7c860..cdcd979 100644 --- a/.github/workflows/azd-oidc-simple.yml 
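Review bot: Dropping `environment: ${{ github.event.inputs.environment || 'dev' }}` from the job (commit a9c29bd, second hunk) removes the environment's protection rules from the deploy and changes the OIDC token's `sub` claim from the `environment:dev` form to the `ref:` form; if the federated credential on the managed identity was created for the environment subject, logins will start failing for that reason rather than anything in the step inputs. The job-level `env:` block is the right place for the IDs, but the deploy step still runs `export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}"`, which after the `inputs:` removal in commit 05cec35 always evaluates to `dev` and shadows `vars.AZURE_ENV_NAME`; delete that export (and the matching `AZURE_LOCATION` one) so the job `env:` is authoritative. Moving `AZURE_CLIENT_ID`/`AZURE_TENANT_ID`/`AZURE_SUBSCRIPTION_ID` from `secrets` to `vars` is fine, since they are identifiers rather than credentials and the trust boundary is the federated credential's subject.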
+++ b/.github/workflows/azd-oidc-simple.yml @@ -96,4 +96,3 @@ jobs: azd show --output table || true ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries](#) -ξ€€ \ No newline at end of file From 4d917736aeb47bb605d5f802f7d92f896e3bcd8b Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:10:43 -0700 Subject: [PATCH 27/48] changing workng dir for azd --- .github/workflows/azd-oidc-simple.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 8a7c860..920c477 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -55,7 +55,7 @@ jobs: shell: bash run: | export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" - export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus' }}" + export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" @@ -75,6 +75,11 @@ jobs: exit 1 fi + echo "πŸ” Changing working directory to ./apphost ..." + pwd + cd apphost + pwd + if ! azd env select $AZURE_ENV_NAME 2>/dev/null; then echo "πŸ“¦ Creating new azd environment: $AZURE_ENV_NAME" azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID From 9817a12222e8a7d4895302e3b942a7282840a27d Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:35:28 -0700 Subject: [PATCH 28/48] with oidc based login in native azd --- .github/workflows/azd-oidc-simple.yml | 46 ++++++++++++++++----------- 1 file changed, 27 insertions(+), 19 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 3d0dbe7..8701228 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
@@ -31,25 +31,34 @@ jobs: export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" + + # Display last 4 characters of client ID for debugging + if [[ -n "$AZURE_CLIENT_ID" ]]; then + CLIENT_ID_LENGTH=${#AZURE_CLIENT_ID} + LAST_FOUR=${AZURE_CLIENT_ID:$CLIENT_ID_LENGTH-4:4} + echo "πŸ”‘ Using client ID ending with: $LAST_FOUR" + else + echo "⚠️ Client ID is not set" + fi - - name: Log in with Azure (OIDC) - uses: azure/login@v2 - with: - client-id: ${{ vars.AZURE_CLIENT_ID }} - tenant-id: ${{ vars.AZURE_TENANT_ID }} - subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + # - name: Log in with Azure (OIDC) + # uses: azure/login@v2 + # with: + # client-id: ${{ vars.AZURE_CLIENT_ID }} + # tenant-id: ${{ vars.AZURE_TENANT_ID }} + # subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - - name: Configure AZD for Azure CLI authentication - shell: bash - run: | - echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." - export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" - export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" - export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" - mkdir -p ~/.azd - echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json - cat ~/.azd/config.json - echo "βœ… AZD configured to use Azure CLI authentication" + # - name: Configure AZD for Azure CLI authentication + # shell: bash + # run: | + # echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." + # export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" + # export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" + # export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" + # mkdir -p ~/.azd + # echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json + # cat ~/.azd/config.json + # echo "βœ… AZD configured to use Azure CLI authentication" - name: Deploy with azd shell: bash 
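Review bot: Printing the last four characters of `AZURE_CLIENT_ID` is harmless since a client ID is an identifier, not a credential, but `${AZURE_CLIENT_ID:$CLIENT_ID_LENGTH-4:4}` can be written `${AZURE_CLIENT_ID: -4}` (the space before `-4` is required) without the length variable. Commenting out the `Log in with Azure (OIDC)` and `Configure AZD` steps leaves a block of dead YAML; remove them outright, since git history keeps them, and add a comment on the deploy step noting that azd now authenticates itself.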
@@ -61,15 +70,14 @@ jobs: export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" echo "πŸ” Diagnostic information:" - echo "Azure CLI version: $(az --version | head -n 1)" echo "AZD version: $(azd version)" - echo "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" echo "Current OIDC token: $(if [[ -n $ACTIONS_ID_TOKEN_REQUEST_TOKEN ]]; then echo 'Present'; else echo 'Not found'; fi)" echo "πŸš€ Starting deployment with azd..." echo "Environment: $AZURE_ENV_NAME" echo "Location: $AZURE_LOCATION" + azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID --no-browser if ! az account show &>/dev/null; then echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." exit 1 From 4e6a9bfde523604c0d6abb8273d58d76ca52c33a Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:37:15 -0700 Subject: [PATCH 29/48] removing no-browser flag --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 8701228..cd87b17 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -77,7 +77,7 @@ jobs: echo "Environment: $AZURE_ENV_NAME" echo "Location: $AZURE_LOCATION" - azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID --no-browser + azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID if ! az account show &>/dev/null; then echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." exit 1 From 573c128b50ac4a7e64ad3292b182c13771be30f4 Mon Sep 17 00:00:00 2001 
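Review bot: The added `azd auth login` line passes `$AZURE_CLIENT_ID` and `$AZURE_TENANT_ID` unquoted while every `export` in the same step quotes its value; write `azd auth login --client-id "$AZURE_CLIENT_ID" --federated-credential-provider github --tenant-id "$AZURE_TENANT_ID"` so an empty variable yields a clear missing-argument error instead of a shifted command line. With the `azure/login` step commented out in the preceding hunk, the `if ! az account show` check that follows the new line has no login left to verify, and its message ("The Azure/login action should have handled this") no longer describes the workflow; a later patch in this series removes the check, which is the right outcome. The enclosing `run:` block starts and ends outside the hunk.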
From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:39:18 -0700 Subject: [PATCH 30/48] removing az command that failed --- .github/prompts/sreagent.prompt.md | 2 +- .github/scripts/create-appinsights-alert.sh | 4 +- .github/workflows/azd-oidc-pwsh.yml | 97 +++++++++++++++++++++ .github/workflows/azd-oidc-simple.yml | 4 - .github/workflows/azure-dev.yml | 41 +++++++++ 5 files changed, 141 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/azd-oidc-pwsh.yml diff --git a/.github/prompts/sreagent.prompt.md b/.github/prompts/sreagent.prompt.md index 0454ca5..f708e22 100644 --- a/.github/prompts/sreagent.prompt.md +++ b/.github/prompts/sreagent.prompt.md @@ -1,6 +1,6 @@ The following Container App is experiencing 500 errors and is down: -- my subscription: 12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n +- my subscription: ca5ce512-88e1-44b1-97c6-22caf84fb2b0 - resource group name: rg-octopets - container app name: octopetsapi diff --git a/.github/scripts/create-appinsights-alert.sh b/.github/scripts/create-appinsights-alert.sh index 8c650e6..953299f 100755 --- a/.github/scripts/create-appinsights-alert.sh +++ b/.github/scripts/create-appinsights-alert.sh @@ -17,8 +17,8 @@ # Set parameters with defaults RESOURCE_GROUP=${1:-"rg-octopets"} CONTAINER_APP_NAME=${2:-"octopetsapi"} -APP_INSIGHTS_NAME=${3:-"octopets_appinsights-abc123xyz456"} -SUBSCRIPTION_ID=${4:-"12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n"} +APP_INSIGHTS_NAME=${3:-"octopets_appinsights-gkgt7sifzriwg"} +SUBSCRIPTION_ID=${4:-"ca5ce512-88e1-44b1-97c6-22caf84fb2b0"} LOCATION=${5:-"eastus"} # Display parameter info diff --git a/.github/workflows/azd-oidc-pwsh.yml b/.github/workflows/azd-oidc-pwsh.yml new file mode 100644 index 0000000..d548540 --- /dev/null +++ b/.github/workflows/azd-oidc-pwsh.yml 
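Review bot: The new defaults in `create-appinsights-alert.sh` replace obvious placeholders with what appear to be a concrete subscription GUID and App Insights resource name, so running the script with no arguments now targets that specific subscription; for a script kept in a repository, making these required inputs (e.g. `SUBSCRIPTION_ID=${4:?subscription id required}`) or reading them from the environment is preferable to baking environment-specific identifiers into source. The same GUID is written into the prompt file in this commit, so there are now two places to update when the target changes. The commit subject ("removing az command that failed") does not mention either edit, which will make this change hard to locate later.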
@@ -0,0 +1,97 @@ +name: Deploy with AZD and OIDC (PowerShell) + +on: + workflow_dispatch: + +# Required permissions for OIDC +permissions: + id-token: write + contents: read + pull-requests: write + +jobs: + deploy: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Install azd + uses: Azure/setup-azd@v2 + + - name: Log in with Azure (OIDC) + uses: Azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + enable-oidc: true + federated-credential-provider: github + + - name: AZD Login (Headless) + shell: pwsh + run: | + Write-Host "πŸ”‘ Logging in with AZD using federated credentials..." + azd auth login ` + --client-id "$Env:AZURE_CLIENT_ID" ` + --federated-credential-provider "github" ` + --tenant-id "$Env:AZURE_TENANT_ID" ` + --no-browser + Write-Host "βœ… AZD login successful" + env: + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Deploy with azd + shell: pwsh + run: | + # Set environment variables + $Env:AZURE_ENV_NAME = "${{ vars.AZURE_ENV_NAME }}" -or "dev" + $Env:AZURE_LOCATION = "${{ vars.AZURE_LOCATION }}" -or "eastus2" + $Env:AZURE_SUBSCRIPTION_ID = "${{ secrets.AZURE_SUBSCRIPTION_ID }}" + + Write-Host "πŸš€ Starting deployment with azd..." 
+ Write-Host "Environment: $Env:AZURE_ENV_NAME" + Write-Host "Location: $Env:AZURE_LOCATION" + + # Initialize azd environment if it doesn't exist + try { + azd env select $Env:AZURE_ENV_NAME 2>$null + } catch { + Write-Host "πŸ“¦ Creating new azd environment: $Env:AZURE_ENV_NAME" + azd env new $Env:AZURE_ENV_NAME --location $Env:AZURE_LOCATION --subscription $Env:AZURE_SUBSCRIPTION_ID + } + + # Deploy the application + if ("${{ github.event_name }}" -eq "pull_request") { + Write-Host "πŸ” PR detected - running provision with preview" + azd provision --preview + } else { + Write-Host "πŸš€ Main branch - deploying application" + azd up --no-prompt + } + env: + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Get deployment outputs + if: github.event_name != 'pull_request' + shell: pwsh + run: | + Write-Host "πŸ“‹ Getting deployment information..." + azd show --output table + + # Try to get endpoint + try { + $output = azd show --output json | ConvertFrom-Json + $endpoint = $output.services[0].endpoint + if ($endpoint) { + Write-Host "🌐 Application deployed to: $endpoint" + echo "ENDPOINT=$endpoint" >> $env:GITHUB_OUTPUT + } + } catch { + Write-Host "⚠️ Could not retrieve endpoint information" + } diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index cd87b17..0798efb 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -78,10 +78,6 @@ jobs: echo "Location: $AZURE_LOCATION" azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID - if ! az account show &>/dev/null; then - echo "❌ Azure CLI is not logged in. The Azure/login action should have handled this." - exit 1 - fi echo "πŸ” Changing working directory to ./apphost ..." pwd 
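Review bot: `$Env:AZURE_ENV_NAME = "${{ vars.AZURE_ENV_NAME }}" -or "dev"` assigns the boolean result of `-or` (rendered as the string `True`), not a fallback value, and the `AZURE_LOCATION` line has the same problem. Resolve the default inside the expression, as the bash workflow does: `$Env:AZURE_ENV_NAME = "${{ vars.AZURE_ENV_NAME || 'dev' }}"` and `$Env:AZURE_LOCATION = "${{ vars.AZURE_LOCATION || 'eastus2' }}"`. The `try { azd env select ... } catch { ... }` block will not create a missing environment either, because by default a non-zero exit from a native command does not throw in PowerShell; run `azd env select` on its own line and follow it with `if ($LASTEXITCODE -ne 0) {` around the `azd env new` call. I also do not recognise `enable-oidc` or `federated-credential-provider` as inputs of `Azure/login@v2` (OIDC is selected by supplying `client-id`, `tenant-id` and `subscription-id` without `creds`), so check whether the action is only warning about unexpected inputs.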
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml index 25ae35e..cc65edc 100644 --- a/.github/workflows/azure-dev.yml +++ b/.github/workflows/azure-dev.yml @@ -55,6 +55,18 @@ jobs: federated-credential-provider: github # Ensure additional settings for headless operation allow-no-subscriptions: false + + - name: Verify Client ID + shell: pwsh + run: | + Write-Host "πŸ” Verifying authentication configuration..." + $clientId = "${{ secrets.AZURE_CLIENT_ID || vars.AZURE_CLIENT_ID }}" + if ($clientId) { + $lastFour = $clientId.Substring($clientId.Length - 4) + Write-Host "πŸ”‘ Using client ID ending with: $lastFour" + } else { + Write-Host "⚠️ Client ID is not set" -ForegroundColor Yellow + } - name: Configure AZD for Azure CLI authentication shell: pwsh @@ -70,7 +82,14 @@ jobs: # Verify AZD is using the correct configuration Get-Content -Path ~/.azd/config.json + # Set environment variables for the deployment + $env:AZURE_ENV_NAME = "${{ github.event.inputs.environment || 'dev' }}" + $env:AZURE_LOCATION = "${{ vars.AZURE_LOCATION || 'eastus2' }}" + $env:AZURE_SUBSCRIPTION_ID = "${{ secrets.AZURE_SUBSCRIPTION_ID || vars.AZURE_SUBSCRIPTION_ID }}" + Write-Host "βœ… AZD configured to use Azure CLI authentication" + Write-Host "🌍 Environment: $env:AZURE_ENV_NAME" + Write-Host "πŸ“ Location: $env:AZURE_LOCATION" - name: Provision Infrastructure 
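Review bot: The `$env:AZURE_ENV_NAME`, `$env:AZURE_LOCATION` and `$env:AZURE_SUBSCRIPTION_ID` assignments added to the `Configure AZD` step are local to that step's process: each `run:` step starts a fresh shell, so the `Provision Infrastructure` step that reads `$env:AZURE_ENV_NAME` in the next hunk will see nothing unless a job-level `env:` block outside this view already defines them. To carry them across steps append to the job environment file, e.g. `"AZURE_ENV_NAME=${{ github.event.inputs.environment || 'dev' }}" >> $env:GITHUB_ENV`, or move the three values into the job's `env:` map. In the first hunk, `$clientId.Substring($clientId.Length - 4)` throws on a value shorter than four characters; a length guard keeps a diagnostic from failing the job.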
@@ -80,13 +99,35 @@ jobs: Write-Host "Azure CLI version: $(az --version | Select-Object -First 1)" Write-Host "AZD version: $(azd version)" Write-Host "Current account: $(az account show --query name -o tsv || echo 'Not logged in')" + Write-Host "Current OIDC token: $(if ($env:ACTIONS_ID_TOKEN_REQUEST_TOKEN) { 'Present' } else { 'Not found' })" + + # Verify Azure login status + if (-not (az account show 2>$null)) { + Write-Host "❌ Azure CLI is not logged in. The Azure/login action should have handled this." -ForegroundColor Red + exit 1 + } Write-Host "πŸš€ Provisioning infrastructure..." + cd apphost + + # Select or create environment + if (-not (azd env select $env:AZURE_ENV_NAME 2>$null)) { + Write-Host "πŸ“¦ Creating new azd environment: $env:AZURE_ENV_NAME" + azd env new $env:AZURE_ENV_NAME --location $env:AZURE_LOCATION --subscription $env:AZURE_SUBSCRIPTION_ID + } + azd provision --no-prompt - name: Deploy Application shell: pwsh run: | Write-Host "πŸš€ Deploying application..." + # Ensure we're in the right directory + cd apphost + + # Deploy the application azd deploy --no-prompt + + Write-Host "πŸ“‹ Getting deployment information..." + azd show --output table From 5d66c88c98c1c88e7b250cd3c6da42a7080bd411 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Wed, 11 Jun 2025 23:43:31 -0700 Subject: [PATCH 31/48] adding .net 9 sdk --- .github/workflows/azd-oidc-simple.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 0798efb..e2b1db8 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -1,5 +1,11 @@ on: workflow_dispatch: + push: + branches: + - main + pull_request: + branches: + - main # Required permissions for OIDC permissions: 
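Review bot: `if (-not (azd env select $env:AZURE_ENV_NAME 2>$null))` keys on the command's stdout rather than its exit status, so a successful select that prints nothing is treated as a failure and `azd env new` runs against an existing environment, while a failing select that prints something is treated as success. Check the exit code instead: run `azd env select $env:AZURE_ENV_NAME 2>$null` on its own line and follow it with `if ($LASTEXITCODE -ne 0) {`. The `if (-not (az account show 2>$null))` check a few lines earlier has the same shape. Both steps now `cd apphost` inside their scripts; a `working-directory: apphost` key on each step says the same thing without the navigation line.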
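Review bot: Adding `push` and `pull_request` triggers means this job, which carries `permissions: id-token: write` and logs in to Azure through OIDC, now runs for every pull request targeting `main`, not only on manual dispatch. For `pull_request` runs the token's subject claim is `repo:<owner>/<repo>:pull_request` rather than the branch-scoped subject, so the federated credential on the managed identity must list that subject for PR runs to authenticate, and whatever that credential grants becomes reachable from any branch that can open a PR; scope it to the minimum role needed for `azd provision --preview`. Pull requests from forks receive neither the OIDC token nor repository variables, so the job will fail for them unless guarded with an `if:` such as `github.event.pull_request.head.repo.full_name == github.repository`. The commit subject mentions the .NET SDK, but the trigger change is the more consequential part of this patch.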
@@ -16,11 +22,17 @@ jobs: AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }} AZURE_LOCATION: ${{ vars.AZURE_LOCATION }} + DOTNET_CORE_VERSION: 9.0.x steps: - name: Checkout uses: actions/checkout@v4 + - name: Setup .NET SDK + uses: actions/setup-dotnet@v4 + with: + dotnet-version: ${{ env.DOTNET_CORE_VERSION }} + - name: Install azd uses: Azure/setup-azd@v2 From d824c5c7833c5393e1656b1d4f55c268ef999f3d Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:18:30 -0700 Subject: [PATCH 32/48] Updating workflow name and cleaning end job --- .github/workflows/azd-oidc-simple.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index e2b1db8..f185f95 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -1,3 +1,5 @@ +name: Deploy with AZD and OIDC + on: workflow_dispatch: push: @@ -115,5 +117,3 @@ jobs: run: | echo "πŸ“‹ Getting deployment information..." azd show --output table || true - - ENDPOINT=$(azd show --output json 2>/dev/null | jq -r '.services | to_entries](#) From b68e04af483572af1c33dcf146afc3dc35c75058 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:23:05 -0700 Subject: [PATCH 33/48] Updating env vars for RG/env being octopets --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index f185f95..4e3ff28 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
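Review bot: `actions/setup-dotnet@v4` is referenced by a mutable tag, like the other actions in this workflow; for a job that holds an OIDC token able to deploy into the subscription, pinning each `uses:` to a full commit SHA (with the tag in a trailing comment) limits exposure to a retagged or compromised action release. `DOTNET_CORE_VERSION: 9.0.x` is consumed only by this step, so it could sit in the step's `with:` directly unless other steps are expected to read it.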
@@ -77,7 +77,7 @@ jobs: - name: Deploy with azd shell: bash run: | - export AZURE_ENV_NAME="${{ github.event.inputs.environment || 'dev' }}" + export AZURE_ENV_NAME=${{ vars.AZURE_ENV_NAME || 'octopets' }} export AZURE_LOCATION="${{ vars.AZURE_LOCATION || 'eastus2' }}" export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" From 7bc9ca665018b3413d8dbdb58af0ce05b8215a69 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:42:29 -0700 Subject: [PATCH 34/48] Experiment - setting docker Tag with unique ID --- .github/workflows/azd-oidc-simple.yml | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 4e3ff28..149d979 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
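Review bot: The replacement line drops the double quotes that the old line and every neighbouring `export` carry: `export AZURE_ENV_NAME=${{ vars.AZURE_ENV_NAME || 'octopets' }}` is substituted textually before bash runs, so a value containing whitespace or shell metacharacters is split or interpreted instead of assigned. Restore the quoting, `export AZURE_ENV_NAME="${{ vars.AZURE_ENV_NAME || 'octopets' }}"`, or better, place the value in the step's `env:` map and reference it as `"$AZURE_ENV_NAME"` so no expression is spliced into the script at all. The job-level `env:` already declares `AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}` in an earlier patch, so this export adds only the default.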
@@ -55,24 +55,15 @@ jobs: echo "⚠️ Client ID is not set" fi - # - name: Log in with Azure (OIDC) - # uses: azure/login@v2 - # with: - # client-id: ${{ vars.AZURE_CLIENT_ID }} - # tenant-id: ${{ vars.AZURE_TENANT_ID }} - # subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Set Docker Image Tag Environment Variable + run: | + # Using a descriptive tag that combines branch, run number, and short SHA + # This is the best practice for traceability and immutability. + COMMIT_SHA_SHORT=${GITHUB_SHA::7} + IMAGE_TAG="${{ github.ref_name }}-${{ github.run_number }}-${COMMIT_SHA_SHORT}" - # - name: Configure AZD for Azure CLI authentication - # shell: bash - # run: | - # echo "πŸ”‘ Setting up AZD to use Azure CLI authentication..." - # export AZURE_CLIENT_ID="${{ vars.AZURE_CLIENT_ID }}" - # export AZURE_TENANT_ID="${{ vars.AZURE_TENANT_ID }}" - # export AZURE_SUBSCRIPTION_ID="${{ vars.AZURE_SUBSCRIPTION_ID }}" - # mkdir -p ~/.azd - # echo '{"defaults":{"auth":{"useAzureCli":true}}}' > ~/.azd/config.json - # cat ~/.azd/config.json - # echo "βœ… AZD configured to use Azure CLI authentication" + echo "AZURE_CONTAINER_IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV + echo "Generated image tag: ${IMAGE_TAG}" - name: Deploy with azd shell: bash From 128d543cc2d8c7313557072f039557a4723509b1 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:51:30 -0700 Subject: [PATCH 35/48] Updating image tag --- .github/workflows/azd-oidc-simple.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 149d979..bfd2dd4 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
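Review bot: The new step splices `${{ github.ref_name }}` and `${{ github.run_number }}` straight into the `run:` script; expressions are expanded before the shell sees the text, so the ref name is not treated as data, and `github.ref_name` can contain `/` (branch paths, or `NN/merge` on pull requests), which is not a valid character in a Docker tag. Pass both values through the step's `env:` map, sanitise the ref to the tag character set before building `IMAGE_TAG`, and quote `"$GITHUB_ENV"`. The step also omits `shell: bash`, unlike its siblings; adding it makes the `${GITHUB_SHA::7}` substring expansion explicit rather than relying on the runner's default shell.
```yaml
      - name: Set Docker Image Tag Environment Variable
        shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
          RUN_NUMBER: ${{ github.run_number }}
        run: |
          # … unchanged: tag-format comments …
          COMMIT_SHA_SHORT=${GITHUB_SHA::7}
          # Docker tags allow only [A-Za-z0-9_.-]; map anything else to '-'
          SAFE_REF=${REF_NAME//[^A-Za-z0-9_.-]/-}
          IMAGE_TAG="${SAFE_REF}-${RUN_NUMBER}-${COMMIT_SHA_SHORT}"
          echo "AZURE_CONTAINER_IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_ENV"
          echo "Generated image tag: ${IMAGE_TAG}"
```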
@@ -61,6 +61,7 @@ jobs: # This is the best practice for traceability and immutability. COMMIT_SHA_SHORT=${GITHUB_SHA::7} IMAGE_TAG="${{ github.ref_name }}-${{ github.run_number }}-${COMMIT_SHA_SHORT}" + export AZURE_CONTAINER_IMAGE_TAG=${IMAGE_TAG} echo "AZURE_CONTAINER_IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV echo "Generated image tag: ${IMAGE_TAG}" @@ -81,6 +82,7 @@ jobs: echo "πŸš€ Starting deployment with azd..." echo "Environment: $AZURE_ENV_NAME" echo "Location: $AZURE_LOCATION" + echo "Azure container image tag: $IMAGE_TAG" azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID From 44cd466427221f3523fb309ece5cafd408222068 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:54:01 -0700 Subject: [PATCH 36/48] Tag update --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index bfd2dd4..61998d0 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -82,7 +82,7 @@ jobs: echo "πŸš€ Starting deployment with azd..." echo "Environment: $AZURE_ENV_NAME" echo "Location: $AZURE_LOCATION" - echo "Azure container image tag: $IMAGE_TAG" + echo "Azure container image tag: $AZURE_CONTAINER_IMAGE_TAG" azd auth login --client-id $AZURE_CLIENT_ID --federated-credential-provider github --tenant-id $AZURE_TENANT_ID From 5476f33d92e91849d97452bd9f261d3db7d53e50 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 00:57:21 -0700 Subject: [PATCH 37/48] Tag update --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 61998d0..cfa97b5 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
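Review bot: `export AZURE_CONTAINER_IMAGE_TAG=${IMAGE_TAG}` in the tag step has no effect beyond that step's shell: nothing later in the same script reads it, and later steps receive the value only through the `>> $GITHUB_ENV` line that follows, so the `export` can be dropped. The `echo "Azure container image tag: $IMAGE_TAG"` added to the Deploy step refers to a variable that exists only in the tag step; `$AZURE_CONTAINER_IMAGE_TAG`, the name written to `GITHUB_ENV`, is the one visible here, which the following patch in this series adopts.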
@@ -101,7 +101,7 @@ jobs: azd provision --preview else echo "πŸš€ Main branch - deploying application" - azd up --no-prompt + azd up --no-prompt --environment $AZURE_CONTAINER_IMAGE_TAG fi - name: Get deployment outputs From c6b693c9afd897a01598bd643fb2aeff0196fbf0 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:03:43 -0700 Subject: [PATCH 38/48] Adding debug to see image tag --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index cfa97b5..e82153a 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -101,7 +101,7 @@ jobs: azd provision --preview else echo "πŸš€ Main branch - deploying application" - azd up --no-prompt --environment $AZURE_CONTAINER_IMAGE_TAG + azd up --no-prompt --debug --environment $AZURE_CONTAINER_IMAGE_TAG fi - name: Get deployment outputs From 03bc4e01cc5e6c1a6e149e46f9240f49347b3186 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:08:26 -0700 Subject: [PATCH 39/48] Setting image tag with alternate command --- .github/workflows/azd-oidc-simple.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index e82153a..e4afbc7 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -101,7 +101,12 @@ jobs: azd provision --preview else echo "πŸš€ Main branch - deploying application" - azd up --no-prompt --debug --environment $AZURE_CONTAINER_IMAGE_TAG + # Set container image tag before running azd up + azd env set AZURE_CONTAINER_IMAGE_TAG $AZURE_CONTAINER_IMAGE_TAG + echo "βœ… Set container image tag to: $AZURE_CONTAINER_IMAGE_TAG" + + # Run azd up with the correct environment name + azd up --no-prompt --debug fi - name: Get deployment outputs 
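Review bot: The comment `# Run azd up with the correct environment name` above `azd up --no-prompt --debug` is stale now that the `--environment` flag is gone; something like `# Deploy; the image tag is read from the azd environment value set above` describes the new code. `azd env set AZURE_CONTAINER_IMAGE_TAG $AZURE_CONTAINER_IMAGE_TAG` should quote its value, `"$AZURE_CONTAINER_IMAGE_TAG"`, to match the rest of the step. `--debug` is still passed unconditionally, so every main-branch deploy writes azd's verbose trace into the job log; a later patch gates it behind a variable, which is the right direction. The enclosing `run:` block starts and ends outside the hunk.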
From 42050d0cc080e1e28dab556b56c99f547fe99cf4 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:41:42 -0700 Subject: [PATCH 40/48] experiment with container app resource tag --- .github/workflows/azd-oidc-simple.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index e4afbc7..577d6ab 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -55,6 +55,13 @@ jobs: echo "⚠️ Client ID is not set" fi + - name: Log in with Azure (OIDC) + uses: azure/login@v2 + with: + client-id: ${{ vars.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + - name: Set Docker Image Tag Environment Variable run: | # Using a descriptive tag that combines branch, run number, and short SHA @@ -107,6 +114,23 @@ jobs: # Run azd up with the correct environment name azd up --no-prompt --debug + + # Add resource tag to container app with the image tag + echo "🏷️ Adding resource tag to container app..." + # Get the container app resource ID + RESOURCE_GROUP=$(azd env get-values | grep AZURE_RESOURCE_GROUP | cut -d '=' -f2) + CONTAINER_APP_NAME=$(azd env get-values | grep AZURE_CONTAINER_APPS_ENDPOINT | cut -d '.' -f1) + + if [ -n "$RESOURCE_GROUP" ] && [ -n "$CONTAINER_APP_NAME" ]; then + echo "Resource Group: $RESOURCE_GROUP, Container App: $CONTAINER_APP_NAME" + # Tag the container app resource with the image tag + az tag update --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/containerApps/$CONTAINER_APP_NAME" \ + --operation Merge \ + --tags "AZURE_CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" + echo "βœ… Container app tagged with image tag: $AZURE_CONTAINER_IMAGE_TAG" + else + echo "⚠️ Could not determine container app details for tagging" + fi fi - name: Get deployment outputs 
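Review bot: The resource lookups parse `azd env get-values` with `grep | cut`: `grep AZURE_RESOURCE_GROUP` matches any line whose key contains that substring, `cut -d '=' -f2` keeps the double quotes that `get-values` typically prints around values, and `grep AZURE_CONTAINER_APPS_ENDPOINT | cut -d '.' -f1` returns the start of a `KEY="https://host` string rather than an app name, so the `-n` checks pass with unusable values and the `az tag update` resource ID is built from them. If the installed azd supports it, `azd env get-value AZURE_RESOURCE_GROUP` returns the bare value; otherwise anchor the match and strip the quotes, e.g. `RESOURCE_GROUP=$(azd env get-values | sed -n 's/^AZURE_RESOURCE_GROUP="\(.*\)"$/\1/p')`. The container-app name is better taken from an output the provisioning defines than derived from a hostname. The re-added `Log in with Azure (OIDC)` step in the first hunk is what the `az` calls need, so the job now logs in twice (`azure/login` and `azd auth login`); a one-line comment saying why both are required would help the next reader.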
From e385cb37193cdd219f60d7912da0a2f4175de1e8 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:51:13 -0700 Subject: [PATCH 41/48] updating resource tag --- .github/workflows/azd-oidc-simple.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 577d6ab..bfaea55 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -107,8 +107,7 @@ jobs: echo "πŸ” PR detected - running provision with preview" azd provision --preview else - echo "πŸš€ Main branch - deploying application" - # Set container image tag before running azd up + echo "πŸš€ Main branch - deploying application" # Set container image tag before running azd up azd env set AZURE_CONTAINER_IMAGE_TAG $AZURE_CONTAINER_IMAGE_TAG echo "βœ… Set container image tag to: $AZURE_CONTAINER_IMAGE_TAG" @@ -119,7 +118,7 @@ jobs: echo "🏷️ Adding resource tag to container app..." # Get the container app resource ID RESOURCE_GROUP=$(azd env get-values | grep AZURE_RESOURCE_GROUP | cut -d '=' -f2) - CONTAINER_APP_NAME=$(azd env get-values | grep AZURE_CONTAINER_APPS_ENDPOINT | cut -d '.' -f1) + CONTAINER_APP_NAME="octopetsapi" if [ -n "$RESOURCE_GROUP" ] && [ -n "$CONTAINER_APP_NAME" ]; then echo "Resource Group: $RESOURCE_GROUP, Container App: $CONTAINER_APP_NAME" From 57f223639134a0b2cee99d8fbf29e86105d92f05 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:54:02 -0700 Subject: [PATCH 42/48] Adding AZD_DEBUG flag check --- .github/workflows/azd-oidc-simple.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index bfaea55..f5853c0 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
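Review bot: The first hunk merges `# Set container image tag before running azd up` onto the end of the `Main branch - deploying application` echo line, where it reads as a trailing comment on the wrong statement; keep the comment on its own line above `azd env set`, as it was. Hardcoding `CONTAINER_APP_NAME="octopetsapi"` makes the `[ -n "$CONTAINER_APP_NAME" ]` guard a few lines down always true, so either drop that half of the condition or source the name from a variable or azd output so the guard means something again. A constant resource name also ties the workflow to one application; if that is intended, a `vars.`-backed value with this default keeps it configurable.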
@@ -25,6 +25,7 @@ jobs: AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }} AZURE_LOCATION: ${{ vars.AZURE_LOCATION }} DOTNET_CORE_VERSION: 9.0.x + AZD_DEBUG: ${{ vars.AZD_DEBUG || false }} steps: - name: Checkout @@ -112,7 +113,13 @@ jobs: echo "βœ… Set container image tag to: $AZURE_CONTAINER_IMAGE_TAG" # Run azd up with the correct environment name - azd up --no-prompt --debug + if [ "$AZD_DEBUG" = "true" ]; then + echo "🐞 Debug mode enabled for AZD" + azd up --no-prompt --debug + else + echo "πŸš€ Running AZD in normal mode" + azd up --no-prompt + fi # Add resource tag to container app with the image tag echo "🏷️ Adding resource tag to container app..." From 4698871139576309cb3137e605c9e071d4ac04a2 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 01:56:59 -0700 Subject: [PATCH 43/48] hardening script for az command --- .github/workflows/azd-oidc-simple.yml | 29 +++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index f5853c0..8e568ab 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml 
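Review bot: The `AZD_DEBUG` gate is a good change, and since `azd up --debug` writes verbose traces into the job log it deserves a comment at the `AZD_DEBUG: ${{ vars.AZD_DEBUG || false }}` line, such as `# opt-in only: debug output is verbose and may echo request details into the run log`. `[ "$AZD_DEBUG" = "true" ]` compares a string, and `vars.AZD_DEBUG || false` renders the unset case as `false`, so the gate behaves as intended whether or not the variable is defined.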
@@ -124,16 +124,33 @@ jobs: # Add resource tag to container app with the image tag echo "🏷️ Adding resource tag to container app..." # Get the container app resource ID - RESOURCE_GROUP=$(azd env get-values | grep AZURE_RESOURCE_GROUP | cut -d '=' -f2) + RESOURCE_GROUP=$(azd env get-values | grep AZURE_RESOURCE_GROUP | cut -d '=' -f2 || echo "") CONTAINER_APP_NAME="octopetsapi" + if [ -z "$RESOURCE_GROUP" ]; then + echo "⚠️ Could not determine resource group from azd env get-values" + # Try alternate method to get resource group + RESOURCE_GROUP=$(az group list --query "[?contains(name,'$AZURE_ENV_NAME')].name" -o tsv | head -n 1) + echo "Alternate method found resource group: $RESOURCE_GROUP" + fi + if [ -n "$RESOURCE_GROUP" ] && [ -n "$CONTAINER_APP_NAME" ]; then echo "Resource Group: $RESOURCE_GROUP, Container App: $CONTAINER_APP_NAME" - # Tag the container app resource with the image tag - az tag update --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/containerApps/$CONTAINER_APP_NAME" \ - --operation Merge \ - --tags "AZURE_CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" - echo "βœ… Container app tagged with image tag: $AZURE_CONTAINER_IMAGE_TAG" + + # Check if container app exists + if az containerapp show --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_APP_NAME" &>/dev/null; then + echo "βœ… Container app found, applying tag..." 
+ # Tag the container app resource with the image tag + az tag update --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/containerApps/$CONTAINER_APP_NAME" \ + --operation Merge \ + --tags "AZURE_CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" || \ + echo "⚠️ Failed to add tag to container app, but continuing workflow" + else + echo "⚠️ Container app '$CONTAINER_APP_NAME' not found in resource group '$RESOURCE_GROUP'" + # List existing container apps in the resource group + echo "Available container apps in the resource group:" + az containerapp list --resource-group "$RESOURCE_GROUP" --query "[].name" -o tsv || echo "No container apps found or failed to list" + fi else echo "⚠️ Could not determine container app details for tagging" fi From 8844db669564db0bfe6cb6be53d9fdd74c859e96 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Thu, 12 Jun 2025 02:01:08 -0700 Subject: [PATCH 44/48] Removes reserved AZURE word from resource tag --- .github/workflows/azd-oidc-simple.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 8e568ab..66f66a4 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -143,7 +143,7 @@ jobs: # Tag the container app resource with the image tag az tag update --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/containerApps/$CONTAINER_APP_NAME" \ --operation Merge \ - --tags "AZURE_CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" || \ + --tags "CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" || \ echo "⚠️ Failed to add tag to container app, but continuing workflow" else echo "⚠️ Container app '$CONTAINER_APP_NAME' not found in resource group '$RESOURCE_GROUP'" From 58ddce901972c6b5428d77aa25510be355a62fde Mon Sep 17 00:00:00 2001 
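Review bot: The fallback `az group list --query "[?contains(name,'$AZURE_ENV_NAME')].name" -o tsv | head -n 1` selects the first resource group whose name merely contains the environment name, so with both `rg-octopets` and `rg-octopets-staging` present (constructed example) the tagging and the `az containerapp list` diagnostic can run against the wrong group; prefer an exact match on whatever name the provisioning uses, or fail with a clear message instead of guessing. Interpolating `$AZURE_ENV_NAME` into the JMESPath string also breaks on a value containing a single quote. `RESOURCE_GROUP=$(... | cut -d '=' -f2 || echo "")` still inherits the quoting of `azd env get-values` output, so the `az containerapp show` existence check may be failing on a name with literal quotes rather than on a missing app; logging the value between brackets would show which. The `|| echo "… continuing workflow"` on `az tag update` is reasonable best-effort handling, but the comment should say why tagging is non-fatal.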
From: Paul Yuknewicz Date: Thu, 12 Jun 2025 02:04:15 -0700 Subject: [PATCH 45/48] Echo resource tag being added to logs --- .github/workflows/azd-oidc-simple.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/azd-oidc-simple.yml b/.github/workflows/azd-oidc-simple.yml index 66f66a4..05f1572 100644 --- a/.github/workflows/azd-oidc-simple.yml +++ b/.github/workflows/azd-oidc-simple.yml @@ -140,6 +140,8 @@ jobs: # Check if container app exists if az containerapp show --resource-group "$RESOURCE_GROUP" --name "$CONTAINER_APP_NAME" &>/dev/null; then echo "βœ… Container app found, applying tag..." + # Echo the exact tag being set + echo "🏷️ Setting tag: CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG" on resource $CONTAINER_APP_NAME # Tag the container app resource with the image tag az tag update --resource-id "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.App/containerApps/$CONTAINER_APP_NAME" \ --operation Merge \ From 7ce938e7629043077ad28e6e01f57df8b4fb7031 Mon Sep 17 00:00:00 2001 From: Paul Yuknewicz Date: Fri, 25 Jul 2025 17:26:42 -0700 Subject: [PATCH 46/48] Updated custom prompt to improve reliability and adherence --- .github/prompts/sreagent.prompt.md | 34 ++++++++++++-------- .github/scripts/create-pagerduty-incident.sh | 15 +++++++-- 2 files changed, 33 insertions(+), 16 deletions(-) diff --git a/.github/prompts/sreagent.prompt.md b/.github/prompts/sreagent.prompt.md index f708e22..8cc58bf 100644 --- a/.github/prompts/sreagent.prompt.md +++ b/.github/prompts/sreagent.prompt.md 
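Review bot: The closing double quote in the new echo sits before ` on resource $CONTAINER_APP_NAME`, so that tail is passed as separate unquoted words; it still prints, but it is inconsistent with the rest of the step and would misbehave on a name containing whitespace. Move the quote to the end of the message: `echo "Setting tag: CONTAINER_IMAGE_TAG=$AZURE_CONTAINER_IMAGE_TAG on resource $CONTAINER_APP_NAME"` (keeping the existing emoji prefix). The enclosing `if az containerapp show` block starts and ends outside the hunk.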
@@ -1,14 +1,20 @@ -The following Container App is experiencing 500 errors and is down: - -- my subscription: ca5ce512-88e1-44b1-97c6-22caf84fb2b0 -- resource group name: rg-octopets -- container app name: octopetsapi - -Important: - -- Please investigate the issue and take necessary actions to automatically remediate issues accepting all next steps. -- Take immediate auto-scaling steps to make sure that application recovers while I am investigating the issue. -- Always increase memory to 2GB -- Give me all the GC Root chains in detail. -- Open a GitHub issue and include the stack trace for the problem. -- Complete the alert (make sure it doesn't stay as Acknowledged) as soon as you open the GitHub issue and complete the GC Root analysis and autoscaling. +Title: octopetsapi container app listings api is down with 500 errors + +Description in incident +octopets-backend container app listings api is down with 500 errors +subscription ID: 12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n +resource group:rg-octopets + +You must follow these Custom instructions: + +For the incidents that are related to app down with 500 errors, please do following step by step- +- Check activity logs for deployments and draw area chart correlation of 500 errors and deployment times +- Also look at exceptions in azure monitor +- You must show me chart of 500 errors before mitigation and chart of 500 errors vs deployment activity correlation (don’t skip this), check last 15 mins of metrics to validate this +- Give me updates of your actions at every step +- Based on these, limit yourself to these mitigations only and perform the action autonomously +- If this issue is caused due to a bad deployment then Revert to previous healthy deployment. 
After you roll back, just give it few seconds to check the roll back status by checking the request metrics +- If this issue is caused due to low cpu or memory, Scale out container app +- Create an issue in associated GitHub repo +- In the end, Give me detailed summary and report of all the things you did to mitigate the issue +- Include the revision you reverted to in the summary diff --git a/.github/scripts/create-pagerduty-incident.sh b/.github/scripts/create-pagerduty-incident.sh index e0ee390..7cd3d85 100755 --- a/.github/scripts/create-pagerduty-incident.sh +++ b/.github/scripts/create-pagerduty-incident.sh @@ -8,6 +8,8 @@ # # Environment variables required: # PAGERDUTY_API_TOKEN - PagerDuty API token with appropriate permissions +# PAGERDUTY_SERVICE_ID - PagerDuty Service ID +# PAGERDUTY_PRIORITY_ID - PagerDuty Priority ID (optional, defaults to P28K36R for P1) # # Usage examples: # ./create-pagerduty-incident.sh # Use all defaults @@ -28,6 +30,9 @@ if [ -z "$PAGERDUTY_SERVICE_ID" ]; then exit 1 fi +# Check if PAGERDUTY_PRIORITY_ID is set (optional, defaults to P1) +PAGERDUTY_PRIORITY_ID=${PAGERDUTY_PRIORITY_ID:-"P28K36R"} + # Set parameters with defaults CONTAINER_APP_NAME=${1:-"octopetsapi"} PAGERDUTY_SERVICE_NAME=${2:-"Default Service"} @@ -38,10 +43,12 @@ echo "Using the following parameters:" echo "Container App: $CONTAINER_APP_NAME" echo "PagerDuty Service Name: $PAGERDUTY_SERVICE_NAME" echo "PagerDuty Service ID: $PAGERDUTY_SERVICE_ID" +echo "PagerDuty Priority ID: $PAGERDUTY_PRIORITY_ID" echo "PagerDuty Urgency: $PAGERDUTY_URGENCY" -# Set the incident title -INCIDENT_TITLE="Container App $CONTAINER_APP_NAME is down with 500 errors" +# Set the incident title with timestamp +TIMESTAMP=$(date +"%Y%m%d-%H%M") +INCIDENT_TITLE="Container App $CONTAINER_APP_NAME is down with 500 errors [$TIMESTAMP]" # Get the description from the prompt file # Go up one directory if running from within .github/scripts 
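Review bot: `PAGERDUTY_PRIORITY_ID=${PAGERDUTY_PRIORITY_ID:-"P28K36R"}` bakes in an identifier that is only meaningful in the author's PagerDuty account, since priority IDs are account-specific, so in any other account the script silently submits an invalid priority; either require it the way `PAGERDUTY_SERVICE_ID` is checked above, or omit the priority from the payload when the variable is unset. The new header line should then stop describing it as optional with a default. `TIMESTAMP=$(date +"%Y%m%d-%H%M")` uses the runner's local time zone; `date -u` gives an unambiguous suffix for the incident title. Printing the priority ID alongside the service ID is fine, as neither is a secret, unlike `PAGERDUTY_API_TOKEN`, which is correctly never echoed.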
@@ -74,6 +81,10 @@ JSON_PAYLOAD=$(cat < Date: Fri, 25 Jul 2025 17:48:25 -0700 Subject: [PATCH 47/48] Revert "Updated custom prompt to improve reliability and adherence" This reverts commit 7ce938e7629043077ad28e6e01f57df8b4fb7031.
---
 .github/prompts/sreagent.prompt.md | 34 ++++++++------------
 .github/scripts/create-pagerduty-incident.sh | 15 ++-------
 2 files changed, 16 insertions(+), 33 deletions(-)
diff --git a/.github/prompts/sreagent.prompt.md b/.github/prompts/sreagent.prompt.md
index 8cc58bf..f708e22 100644
--- a/.github/prompts/sreagent.prompt.md
+++ b/.github/prompts/sreagent.prompt.md
@@ -1,20 +1,14 @@
-Title: octopetsapi container app listings api is down with 500 errors
-
-Description in incident
-octopets-backend container app listings api is down with 500 errors
-subscription ID: 12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n
-resource group:rg-octopets
-
-You must follow these Custom instructions:
-
-For the incidents that are related to app down with 500 errors, please do following step by step-
-- Check activity logs for deployments and draw area chart correlation of 500 errors and deployment times
-- Also look at exceptions in azure monitor
-- You must show me chart of 500 errors before mitigation and chart of 500 errors vs deployment activity correlation (don’t skip this), check last 15 mins of metrics to validate this
-- Give me updates of your actions at every step
-- Based on these, limit yourself to these mitigations only and perform the action autonomously
-- If this issue is caused due to a bad deployment then Revert to previous healthy deployment. After you roll back, just give it few seconds to check the roll back status by checking the request metrics
-- If this issue is caused due to low cpu or memory, Scale out container app
-- Create an issue in associated GitHub repo
-- In the end, Give me detailed summary and report of all the things you did to mitigate the issue
-- Include the revision you reverted to in the summary
+The following Container App is experiencing 500 errors and is down:
+
+- my subscription: ca5ce512-88e1-44b1-97c6-22caf84fb2b0
+- resource group name: rg-octopets
+- container app name: octopetsapi
+
+Important:
+
+- Please investigate the issue and take necessary actions to automatically remediate issues accepting all next steps.
+- Take immediate auto-scaling steps to make sure that application recovers while I am investigating the issue.
+- Always increase memory to 2GB
+- Give me all the GC Root chains in detail.
+- Open a GitHub issue and include the stack trace for the problem.
+- Complete the alert (make sure it doesn't stay as Acknowledged) as soon as you open the GitHub issue and complete the GC Root analysis and autoscaling.
diff --git a/.github/scripts/create-pagerduty-incident.sh b/.github/scripts/create-pagerduty-incident.sh
index 7cd3d85..e0ee390 100755
--- a/.github/scripts/create-pagerduty-incident.sh
+++ b/.github/scripts/create-pagerduty-incident.sh
@@ -8,8 +8,6 @@
 #
 # Environment variables required:
 # PAGERDUTY_API_TOKEN - PagerDuty API token with appropriate permissions
-# PAGERDUTY_SERVICE_ID - PagerDuty Service ID
-# PAGERDUTY_PRIORITY_ID - PagerDuty Priority ID (optional, defaults to P28K36R for P1)
 #
 # Usage examples:
 # ./create-pagerduty-incident.sh # Use all defaults
@@ -30,9 +28,6 @@ if [ -z "$PAGERDUTY_SERVICE_ID" ]; then
 exit 1
 fi
 
-# Check if PAGERDUTY_PRIORITY_ID is set (optional, defaults to P1)
-PAGERDUTY_PRIORITY_ID=${PAGERDUTY_PRIORITY_ID:-"P28K36R"}
-
 # Set parameters with defaults
 CONTAINER_APP_NAME=${1:-"octopetsapi"}
 PAGERDUTY_SERVICE_NAME=${2:-"Default Service"}
@@ -43,12 +38,10 @@ echo "Using the following parameters:"
 echo "Container App: $CONTAINER_APP_NAME"
 echo "PagerDuty Service Name: $PAGERDUTY_SERVICE_NAME"
 echo "PagerDuty Service ID: $PAGERDUTY_SERVICE_ID"
-echo "PagerDuty Priority ID: $PAGERDUTY_PRIORITY_ID"
 echo "PagerDuty Urgency: $PAGERDUTY_URGENCY"
 
-# Set the incident title with timestamp
-TIMESTAMP=$(date +"%Y%m%d-%H%M")
-INCIDENT_TITLE="Container App $CONTAINER_APP_NAME is down with 500 errors [$TIMESTAMP]"
+# Set the incident title
+INCIDENT_TITLE="Container App $CONTAINER_APP_NAME is down with 500 errors"
 
 # Get the description from the prompt file
 # Go up one directory if running from within .github/scripts
@@ -81,10 +74,6 @@ JSON_PAYLOAD=$(cat < Date: Fri, 25 Jul 2025 17:53:21 -0700 Subject: [PATCH 48/48] Generalizing scripts
---
 .github/prompts/sreagent.prompt.md | 2 +-
 .github/scripts/create-appinsights-alert.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
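Review bot: After this revert the script's header no longer documents PAGERDUTY_SERVICE_ID, yet the new side still aborts when it is unset (`if [ -z "$PAGERDUTY_SERVICE_ID" ]; then` … `exit 1` is visible as the context of the `@@ -30,9 +28,6 @@` hunk), so the "Environment variables required" list is incomplete for a variable that is genuinely required. Restoring that one line from the reverted change, `# PAGERDUTY_SERVICE_ID - PagerDuty Service ID`, under the PAGERDUTY_API_TOKEN entry in the first hunk of this file would keep the usage comment truthful without bringing back the priority default. The check itself starts before that hunk, so I am inferring its shape from the header line only.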
diff --git a/.github/prompts/sreagent.prompt.md b/.github/prompts/sreagent.prompt.md
index f708e22..0454ca5 100644
--- a/.github/prompts/sreagent.prompt.md
+++ b/.github/prompts/sreagent.prompt.md
@@ -1,6 +1,6 @@
 The following Container App is experiencing 500 errors and is down:
 
-- my subscription: ca5ce512-88e1-44b1-97c6-22caf84fb2b0
+- my subscription: 12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n
 - resource group name: rg-octopets
 - container app name: octopetsapi
 
diff --git a/.github/scripts/create-appinsights-alert.sh b/.github/scripts/create-appinsights-alert.sh
index 953299f..c4d8a7a 100755
--- a/.github/scripts/create-appinsights-alert.sh
+++ b/.github/scripts/create-appinsights-alert.sh
@@ -17,8 +17,8 @@
 # Set parameters with defaults
 RESOURCE_GROUP=${1:-"rg-octopets"}
 CONTAINER_APP_NAME=${2:-"octopetsapi"}
-APP_INSIGHTS_NAME=${3:-"octopets_appinsights-gkgt7sifzriwg"}
-SUBSCRIPTION_ID=${4:-"ca5ce512-88e1-44b1-97c6-22caf84fb2b0"}
+APP_INSIGHTS_NAME=${3:-"octopets_appinsights-abcd123xyz456"}
+SUBSCRIPTION_ID=${4:-"12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n"}
 LOCATION=${5:-"eastus"}
 
 # Display parameter info
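Review bot: The new default for SUBSCRIPTION_ID in the `@@ -17,8 +17,8 @@` hunk, `12345678-abcd-9e8f-7g6h-5i4j3k2l1m0n`, is not a well-formed GUID (g–n are not hex digits), so a caller who omits the fourth argument no longer targets the wrong subscription but instead fails later inside the Azure CLI with an error that does not point back to this line; the same applies to the made-up APP_INSIGHTS_NAME default. Taking the real subscription id out of the repository is the right move, but a placeholder should not double as a runtime default: either require the values, `SUBSCRIPTION_ID=${4:?"subscription id required (4th argument)"}` and likewise `${3:?…}` for the Application Insights name, or derive the subscription from the active login, `SUBSCRIPTION_ID=${4:-$(az account show --query id -o tsv)}`, so the script fails at the first line with a clear message rather than at the first `az` call. The rest of the parameter handling is outside this hunk.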