|
| 1 | +# GitHub Action for deploying updates to Azure Database for PostgreSQL server |
| 2 | + |
| 3 | +With the Azure PostgreSQL Action for GitHub, you can automate your workflow to deploy updates to [Azure Database for PostgreSQL server](https://azure.microsoft.com/en-in/services/postgresql/). You can run a single SQL file or multiple sql files from a single parent folder against your Azure Database for PostgreSQL server. |
| 4 | + |
| 5 | +Get started today with a [free Azure account](https://azure.com/free/open-source)! |
| 6 | + |
| 7 | +This repository contains GitHub Action for [Azure database for PostgreSQL server](https://github.com/Azure/postgresql-action) to deploy . |
| 8 | + |
| 9 | +The action uses Connection String for authentication and SQL scripts to deploy to your PostgreSQL database. |
| 10 | + |
| 11 | +If you are looking for more Github Actions to deploy code or a customized image into an Azure Webapp or a Kubernetes service, consider using [Azure Actions](https://github.com/Azure/actions). |
| 12 | + |
| 13 | +The definition of this Github Action is in [action.yml](https://github.com/Azure/postgresql-action/blob/master/action.yml). |
| 14 | + |
| 15 | +# End-to-End Sample Workflow |
| 16 | + |
| 17 | +## Running for multiple SQL scripts |
| 18 | +Using [Azure PostgreSQL action](https://github.com/Azure/postgresql-action), either a single SQL script/multiple SQL scripts from a single parent folder can be run. Following are the sample values which can be used in plsql-file input: filename.sql, *.sql, folder1/folder2/*.sql, folder1/<any regex>.sql |
| 19 | + |
| 20 | +In case of multiple files, filenames are ordered lexicographically and run in order. Additional arguments provided for PSQL shell will be applied to all the files. |
| 21 | + |
| 22 | +## Dependencies on other Github Actions |
| 23 | + |
| 24 | +* Authenticate using [Azure Login](https://github.com/Azure/login) |
| 25 | + |
| 26 | +For the action to run, the IP Address of the GitHub Action runner (automation agent) must be added to the 'Allowed IP Addresses' by setting [PostgreSQL server firewall rules](https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-portal) in Azure. Without the firewall rules, the runner cannot communicate with Azure database for PostgreSQL. |
| 27 | + |
| 28 | +By default, the action would auto-detect the IP Address of the runner to automatically add firewall exception rule. These firewall rules will be deleted after the action executes. |
| 29 | + |
| 30 | +However, this auto-provisioning of firewall rules needs a pre-req that the workflow includes an `azure/login@v1` action before the `azure/postgresql-action@v1` action. Also, the service principal used in the Azure login action needs to have elevated permissions, i.e. membership in SQL Security Manager RBAC role, or a similarly high permission in the database to create the firewall rule. |
| 31 | + |
| 32 | +Alternatively, if enough permissions are not granted on the service principal or login action is not included, then the firewall rules have to be explicitly managed by user using CLI/PS scripts. |
| 33 | + |
| 34 | +* Configuring firewall rules before running the action |
| 35 | + |
| 36 | +If firewall rules are already added in Azure database for PostgreSQL, [Azure Login](https://github.com/Azure/login) action is not required in the workflow and postgresql-action will proceed to execute the SQL scripts. |
| 37 | + |
| 38 | +For Github hosted runners which are usually Azure VMs, users could handle the firewall rules by enabling the option on the PostgreSQL DB in Azure portal to allow any Azure VMs in the tenant to have access to the DB. |
| 39 | + |
| 40 | +For self-hosted runners, firewall rules need to be explicitly managed by user using CLI/PS scripts. |
| 41 | + |
| 42 | +## Create an Azure database for PostgreSQL server and deploy using GitHub Actions |
| 43 | +1. Follow the tutorial [Azure Database for PostgreSQL server Quickstart](https://docs.microsoft.com/en-us/azure/postgresql/quickstart-create-server-database-portal) |
| 44 | +2. Copy the PostgreSQL-on-Azure.yml template from [starter templates](https://github.com/Azure/actions-workflow-samples/blob/master/Database/PostgreSQL-on-Azure.yml) and paste the template contents into `.github/workflows/` within your project repository as workflow.yml. |
| 45 | +3. Change `server-name` to your Azure PostgreSQL Server name. |
| 46 | +4. Commit and push your project to GitHub repository, you should see a new GitHub Action initiated in **Actions** tab. |
| 47 | + |
| 48 | +## Configure GitHub Secrets with Azure Credentials and PostgreSQL Connection Strings |
| 49 | +For using any sensitive data/secrets like Azure Service Principal or PostgreSQL Connection strings within an Action, add them as [secrets](https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) in the GitHub repository and then use them in the workflow. |
| 50 | + |
| 51 | +Follow the steps to configure the secret: |
| 52 | + * Define a new secret under your repository **Settings** > **Secrets** > **Add a new secret** menu. |
| 53 | + * Paste the contents of the Secret (Example: Connection String) as Value |
| 54 | + * Also, copy the psql connection string from Azure PostgreSQL DB which is under **Connection strings** > **psql** and of the format: |
| 55 | +psql "host={hostname} port={port} dbname={your_database} user={user} password={your_password} sslmode=require" |
| 56 | + * For Azure credentials, paste the output of the below [az cli](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest) command as the value of secret variable, for example 'AZURE_CREDENTIALS' |
| 57 | +```bash |
| 58 | + |
| 59 | + az ad sp create-for-rbac --name {server-name} --role contributor \ |
| 60 | + --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \ |
| 61 | + --sdk-auth |
| 62 | + |
| 63 | + # Replace {subscription-id}, {resource-group} and {server-name} with the subscription, resource group and name of the Azure PostgreSQL server |
| 64 | + |
| 65 | + # The command should output a JSON object similar to this: |
| 66 | + |
| 67 | + { |
| 68 | + "clientId": "<GUID>", |
| 69 | + "clientSecret": "<GUID>", |
| 70 | + "subscriptionId": "<GUID>", |
| 71 | + "tenantId": "<GUID>", |
| 72 | + (...) |
| 73 | + } |
| 74 | + |
| 75 | +``` |
| 76 | + |
| 77 | +### Sample workflow to deploy to an Azure database for PostgreSQL server using Azure Login |
| 78 | + |
| 79 | +```yaml |
| 80 | +on: [push] |
| 81 | + |
| 82 | +jobs: |
| 83 | + build: |
| 84 | + runs-on: ubuntu-latest |
| 85 | + |
| 86 | + steps: |
| 87 | + |
| 88 | + - uses: Azure/login@v1 |
| 89 | + with: |
| 90 | + creds: ${{secrets.AZURE_CREDENTIALS}} |
| 91 | + - uses: azure/postgresql-action@v1 |
| 92 | + with: |
| 93 | + connection-string: ${{ secrets.AZURE_POSTGRESQL_CONNECTION_STRING }} |
| 94 | + server-name: REPLACE_THIS_WITH_YOUR_POSTGRESQL_SERVER_NAME |
| 95 | + plsql-file: "sql_files/*.sql" |
| 96 | +``` |
| 97 | +
|
| 98 | +### Sample workflow to deploy to an Azure database for PostgreSQL server without Azure login - when firewall rules are pre-configured |
| 99 | +
|
| 100 | +```yaml |
| 101 | +on: [push] |
| 102 | + |
| 103 | +jobs: |
| 104 | + build: |
| 105 | + runs-on: ubuntu-latest |
| 106 | + |
| 107 | + steps: |
| 108 | + |
| 109 | + - uses: azure/postgresql-action@v1 |
| 110 | + with: |
| 111 | + connection-string: ${{ secrets.AZURE_POSTGRESQL_CONNECTION_STRING }} |
| 112 | + server-name: REPLACE_THIS_WITH_YOUR_POSTGRESQL_SERVER_NAME |
| 113 | + plsql-file: "sql_files/*.sql" |
| 114 | +``` |
1 | 115 |
|
2 | 116 | # Contributing |
3 | 117 |
|
|
0 commit comments