az-sync by s.breen (#60)

The proposal includes already implemented az-sync action. The existing functionality stays intact

Author: eepifanova

.github/actions/az-sync/action.yml

@@ -0,0 +1,64 @@
+name: Sync Secrets from Azure Key Vault
+author: s.breen
+description: az-sync
+inputs:
+  az_client_id:
+    description: 'Azure Client ID'
+    required: true
+  az_tenant_id:
+    description: 'Azure Tenant ID'
+    required: true
+  az_subscription_id:
+    description: 'Azure Subscription ID'
+    required: true
+  keyvault:
+    description: 'Azure Key Vault name'
+    required: true
+  secrets-filter:
+    description: 'Filter for secrets to sync (comma-separated patterns)'
+    required: true
+    default: '*'
+runs:
+  using: "composite"
+  steps:
+    - name: Azure login
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.az_client_id }}
+        tenant-id: ${{ inputs.az_tenant_id }}
+        subscription-id: ${{ inputs.az_subscription_id }}
+
+    - name: Sync
+      shell: bash
+      run: |
+        IFS=',' read -r -a array <<< "${{ inputs.secrets-filter }}"
+          for pattern in "${array[@]}"; do
+            echo "Processing pattern: $pattern"
+            for secret_name in $(az keyvault secret list --vault-name "${{ inputs.keyvault }}" --query "[?contains(name, '$pattern')].name" -o tsv); do
+              secret_value=$(az keyvault secret show --name "$secret_name" --vault-name "${{ inputs.keyvault }}" --query value -o tsv)
+              # check if value is multiline
+              if [[ "$secret_value" == *$'\n'* ]]; then
+                # Mask each line for multiline secrets
+                while IFS= read -r line; do
+                [[ -n "$line" ]] && echo "::add-mask::${line}"
+                done <<< "$secret_value"
+          
+                # Use heredoc syntax for multiline environment variables
+                delimiter="EOF_${secret_name}_$(date +%s)"
+                {
+                  echo "${secret_name}<<${delimiter}"
+                  echo "$secret_value"
+                  echo "$delimiter"
+                } >> $GITHUB_ENV
+              else
+                echo "::add-mask::${secret_value}"
+                echo "$secret_name=$secret_value" >> $GITHUB_ENV
+              fi
+              echo "Synced secret: env.$secret_name"
+            done
+          done
+
+    - name: Azure logout
+      shell: bash
+      run: |
+        az logout

README.md

@@ -1,3 +1,9 @@
+# Table of contents
+1. [docs-actions](#docs-actions)
+1. [Hugo theme version](#hugo-theme-version)
+1. [az-sync-action](#az-sync-action)
+
+
 # docs-actions
 
 This repo contains actions for building and deploying, hugo and sphinx based documentation websites for NGINX.
@@ -140,3 +146,52 @@ on:
     paths:
       - docsDirectory/**
 .......
+```
+
+# az-sync action
+
+**Path:** `.github/actions/az-sync/action.yml`
+
+A reusable composite action written by s.breen that logs into Azure, retrieves secrets from an Azure Key Vault, and exports them as environment variables for use in subsequent workflow steps. After all secrets are synced, it logs out of Azure automatically.
+
+## Inputs
+
+| Input | Description | Required | Default |
+|---|---|---|---|
+| `az_client_id` | Azure Client ID (for OIDC federated login) | Yes | — |
+| `az_tenant_id` | Azure Tenant ID | Yes | — |
+| `az_subscription_id` | Azure Subscription ID | Yes | — |
+| `keyvault` | Name of the Azure Key Vault to read secrets from | Yes | — |
+| `secrets-filter` | Comma-separated list (no spaces) of secret name patterns to sync | Yes | `*` |
+
+## Usage example
+
+```yml
+- name: Get Secrets from Azure Key Vault
+  # Always use full path while adding into called workflow
+  uses: nginxinc/docs-actions/.github/actions/az-sync
+  with:
+    az_client_id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+    az_tenant_id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+    az_subscription_id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+    keyvault: ${{ secrets.DOCS_VAULTNAME }}
+    secrets-filter: 'MySecret1,MySecret2'
+
+- name: Using secrets
+    env:
+      MySecret1: ${{ env.MySecret1 }}
+      MySecret2: ${{ env.MySecret2 }}
+    run: |
+      ...
+
+- name: Configure AWS credentials via OIDC (assume role)
+    uses: aws-actions/configure-aws-credentials@v4
+    with:
+      role-to-assume: arn:aws:iam::${{ env.MySecret1 }}:role/${{ env.MySecret1 }}
+      aws-region: eu-central-1
+```
+
+Each matched secret is exported as an environment variable named after the secret (e.g. `MySecret1`). Multiline secret values are handled using the heredoc syntax supported by `$GITHUB_ENV`.
+
+---
+