Add debug mode and detailed error output to terraform-validate workflow #261
| name: "CI-Deploy" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| azd_environment_name: | |
| description: "Name of the AZD Environment" | |
| required: true | |
| default: "CICD" | |
| azure_location: | |
| description: "Azure location for the environment" | |
| required: true | |
| default: "eastus" | |
| run_azd_down: | |
| description: "Run AZD Down to destroy the deployed resources." | |
| type: boolean | |
| required: true | |
| default: false | |
| push: | |
| # Run when commits are pushed to mainline branch | |
| # Set this to the mainline branch you are using | |
| branches: | |
| - main | |
| pull_request: | |
| # Run when pull requests are opened or updated | |
| branches: | |
| - main | |
| # GitHub Actions workflow to deploy to Azure using azd | |
| # Ensure only one deployment runs at a time to prevent conflicts | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| actions: read # Needed for uploading SARIF reports | |
| security-events: write # Needed for uploading SARIF reports | |
| id-token: write # Needed for OIDC Authentication | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ${{ fromJson(vars.ACTIONS_RUNNER_NAME || '["ubuntu-latest"]') }} | |
| env: | |
| AZURE_ENV_NAME: ${{ github.event.inputs.azd_environment_name || (github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number)) || 'CICD' }} | |
| AZURE_LOCATION: ${{ github.event.inputs.azure_location || 'eastus' }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | |
| with: | |
| persist-credentials: false | |
| - name: Install azd | |
| uses: Azure/setup-azd@cf638ffd167fc81e1851241a478a723c05fa9cb3 # v2.2.0 | |
| with: | |
| version: '1.20.0' # Specify your desired azd version here | |
| - name: Setup Node.js | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 | |
| with: | |
| node-version: '18.x' | |
| - name: Install Terraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: 1.13.3 | |
| - name: Install TFLint | |
| uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 | |
| with: | |
| tflint_version: v0.58.1 | |
| github_token: ${{ secrets.GITHUB_TOKEN }} # Used to avoid rate | |
| - name: Install GitLeaks | |
| run: | | |
| curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.28.0/gitleaks_8.28.0_linux_x64.tar.gz -o gitleaks.tar.gz | |
| tar -xzf gitleaks.tar.gz | |
| chmod +x gitleaks | |
| sudo mv gitleaks /usr/local/bin/ | |
| rm gitleaks.tar.gz | |
| gitleaks version | |
| - name: Run GitLeaks Scan | |
| env: | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| run: | | |
| gitleaks detect \ | |
| --verbose \ | |
| --max-archive-depth 50 \ | |
| --report-format sarif \ | |
| --report-path ./gitleaks-report.sarif \ | |
| --source . \ | |
| --exit-code 0 || true | |
| echo "GitLeaks scan completed" | |
| - name: Setup .NET SDK | |
| shell: bash | |
| run: | | |
| # Install .NET SDK to temp directory for self-hosted runners to avoid permission issues | |
| DOTNET_INSTALL_DIR="${{ runner.temp }}/dotnet" | |
| mkdir -p "$DOTNET_INSTALL_DIR" | |
| # Download and run the dotnet-install script | |
| curl -sSL https://dot.net/v1/dotnet-install.sh -o dotnet-install.sh | |
| chmod +x dotnet-install.sh | |
| ./dotnet-install.sh --channel 9.0 --install-dir "$DOTNET_INSTALL_DIR" | |
| rm dotnet-install.sh | |
| # Add to PATH for subsequent steps | |
| echo "$DOTNET_INSTALL_DIR" >> $GITHUB_PATH | |
| echo "DOTNET_ROOT=$DOTNET_INSTALL_DIR" >> $GITHUB_ENV | |
| - name: Install Power Platform Tools | |
| uses: microsoft/powerplatform-actions/actions-install@6c7b538671a040d11afd8ab94d77bfe3b3ed87e6 # v1.9.1 | |
| with: | |
| add-tools-to-path: true | |
| - name: Install Power Platform CLI | |
| run: | | |
| pac help | |
| - name: Set Up Python | |
| uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # 6.0.0 | |
| with: | |
| python-version: "3.x" | |
| - name: Install Checkov | |
| run: pip install checkov | |
| - name: Login to Azure with Federated Identity | |
| uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 | |
| with: | |
| client-id: ${{ vars.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ vars.AZURE_TENANT_ID }} | |
| subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} | |
| - name: Provision Infrastructure | |
| env: | |
| POWER_PLATFORM_USE_OIDC: "true" | |
| POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} | |
| POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} | |
| ARM_USE_AZUREAD: "true" | |
| ARM_STORAGE_USE_AZUREAD: "true" | |
| ARM_USE_OIDC: "true" | |
| ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} | |
| ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} | |
| ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} | |
| AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} | |
| RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} | |
| RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} | |
| RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} | |
| RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} | |
| RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} | |
| GITHUB_PAT: ${{ secrets.MCS_RUNNER }} | |
| GITHUB_REPO_OWNER: ${{ github.repository_owner }} | |
| GITHUB_REPO_NAME: ${{ github.event.repository.name }} | |
| GITHUB_RUNNER_IMAGE_NAME: "github-runner" | |
| GITHUB_RUNNER_IMAGE_TAG: "latest" | |
| GITHUB_RUNNER_IMAGE_BRANCH: ${{ github.ref_name }} | |
| shell: bash | |
| run: | | |
| azd config set auth.useAzCliAuth "true" | |
| azd env new "$AZURE_ENV_NAME" --location "$AZURE_LOCATION" --no-prompt | |
| azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" | |
| azd env set RESOURCE_TAGS "$RESOURCE_TAGS" | |
| azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" | |
| azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" | |
| azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" | |
| azd env set GITHUB_PAT "$GITHUB_PAT" | |
| azd env set GITHUB_REPO_OWNER "$GITHUB_REPO_OWNER" | |
| azd env set GITHUB_REPO_NAME "$GITHUB_REPO_NAME" | |
| azd env set GITHUB_RUNNER_IMAGE_NAME "$GITHUB_RUNNER_IMAGE_NAME" | |
| azd env set GITHUB_RUNNER_IMAGE_TAG "$GITHUB_RUNNER_IMAGE_TAG" | |
| azd env set GITHUB_RUNNER_IMAGE_BRANCH "$GITHUB_RUNNER_IMAGE_BRANCH" | |
| azd provision --no-prompt | |
| - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| if: success() || failure() | |
| with: | |
| name: sarif-reports | |
| path: | | |
| ./gitleaks-report.sarif | |
| ./checkov-results.sarif/results_sarif.sarif | |
| - name: Upload Gitleaks SARIF report to Github | |
| uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 | |
| with: | |
| sarif_file: ./gitleaks-report.sarif | |
| - name: Upload Checkov SARIF Report to GitHub | |
| uses: github/codeql-action/upload-sarif@9b02dc2f60288b463e7a66e39c78829b62780db7 # v2.22.1 | |
| with: | |
| sarif_file: ./checkov-results.sarif/results_sarif.sarif | |
| - name: Destroy Infrastructure | |
| if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} | |
| env: | |
| POWER_PLATFORM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} | |
| POWER_PLATFORM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} | |
| POWER_PLATFORM_USE_OIDC: "true" | |
| ARM_USE_AZUREAD: "true" | |
| ARM_STORAGE_USE_AZUREAD: "true" | |
| ARM_USE_OIDC: "true" | |
| ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }} | |
| ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} | |
| ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} | |
| AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} | |
| RS_STORAGE_ACCOUNT: ${{ vars.RS_STORAGE_ACCOUNT }} | |
| RS_CONTAINER_NAME: ${{ vars.RS_CONTAINER_NAME }} | |
| RS_RESOURCE_GROUP: ${{ vars.RS_RESOURCE_GROUP }} | |
| RESOURCE_SHARE_USER: ${{ vars.RESOURCE_SHARE_USER }} | |
| RESOURCE_TAGS: ${{ vars.RESOURCE_TAGS }} | |
| shell: bash | |
| run: | | |
| azd env set RS_STORAGE_ACCOUNT "$RS_STORAGE_ACCOUNT" | |
| azd env set RS_CONTAINER_NAME "$RS_CONTAINER_NAME" | |
| azd env set RS_RESOURCE_GROUP "$RS_RESOURCE_GROUP" | |
| azd env set RESOURCE_SHARE_USER "$RESOURCE_SHARE_USER" | |
| azd env set RESOURCE_TAGS "$RESOURCE_TAGS" | |
| azd env select "$AZURE_ENV_NAME" | |
| azd down --no-prompt --force --purge | |
| - name: Purge Soft-Deleted Azure OpenAI Resources | |
| if: ${{ github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request' }} | |
| shell: bash | |
| run: | | |
| # Get the OpenAI resource name and location from environment outputs | |
| OPENAI_RESOURCE_NAME=$(azd env get-values --output json | jq -r '.openai_resource_name // empty') | |
| AZURE_REGION=$(azd env get-values --output json | jq -r '.primary_azure_region // empty') | |
| RESOURCE_GROUP=$(azd env get-values --output json | jq -r '.resource_group_name // empty') | |
| # Only attempt to purge if we have the required information | |
| if [[ -n "$OPENAI_RESOURCE_NAME" && -n "$AZURE_REGION" ]]; then | |
| echo "Attempting to purge soft-deleted Azure OpenAI resource: $OPENAI_RESOURCE_NAME in $AZURE_REGION" | |
| # Purge the soft-deleted Cognitive Services account (continue on error if resource not found) | |
| az cognitiveservices account purge \ | |
| --location "$AZURE_REGION" \ | |
| --resource-group "$RESOURCE_GROUP" \ | |
| --name "$OPENAI_RESOURCE_NAME" || echo "Resource may not be in soft-delete state or already purged" | |
| else | |
| echo "OpenAI resource information not found in environment outputs. Skipping purge." | |
| fi |
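Review bot: Checkov is installed by `pip install checkov` but never invoked, so `./checkov-results.sarif/results_sarif.sarif`, referenced by both the upload-artifact step and `Upload Checkov SARIF Report to GitHub`, is never produced and the latter step should fail on the missing file; add a step before the uploads such as `- name: Run Checkov` with `run: checkov -d . -o sarif --output-file-path ./checkov-results.sarif --soft-fail` (Checkov writes `results_sarif.sarif` into that directory, matching the existing path). Separately, `Destroy Infrastructure` and `Purge Soft-Deleted Azure OpenAI Resources` carry no status function in their `if:`, so the implicit `success()` applies and a failed `azd provision` on a pull request leaves the partially created environment in place; `if: ${{ always() && (github.event.inputs.run_azd_down == 'true' || github.event_name == 'pull_request') }}` would tear it down regardless of the provision outcome. The GitLeaks step runs with `--exit-code 0 || true` and its SARIF is uploaded only after provisioning, so a detected secret never blocks the deploy; if that is intended, a comment on that step saying so would keep the next reader from treating it as a gate. The inline comment `# Used to avoid rate` on `github_token` is cut off and should read `# Used to avoid GitHub API rate limiting`. The build job may continue past the last line shown.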