From 9653d2b8c7e5bd2e70e0d6f6181d866acea0d192 Mon Sep 17 00:00:00 2001 From: Ella Bronson <111298136+ebronson68@users.noreply.github.com> Date: Wed, 21 Aug 2024 15:09:18 -0500 Subject: [PATCH] [DEVOPS-513] Update Azure Function Environment Variables on Deploy (#144) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
DEVOPS-513
Summary Azure Function deploy workflows not updating environment variables
Type Bug Bug
Status Peer Review
Points N/A
Labels -
--- ## Description - Update Azure Function Environment Variables on Deploy Result: ![Screenshot 2024-08-21 at 9 24 24 AM](https://github.com/user-attachments/assets/77e426da-e552-4b39-978b-ee6f6c997a60) ## Related Links - Jira Issue: DEVOPS-513 - Testing environment: [![🚀 Deploy](https://github.com/Andrews-McMeel-Universal/subscription-webhook-manager_function/actions/workflows/deploy.yml/badge.svg?branch=bug%2FDEVOPS-513%2Ftest-functionapp-env-set-workflow)](https://github.com/Andrews-McMeel-Universal/subscription-webhook-manager_function/actions/workflows/deploy.yml)
---
 .github/workflows/azfunction-deploy.yaml | 101 +++++++++++++++++++++++
 1 file changed, 101 insertions(+)
diff --git a/.github/workflows/azfunction-deploy.yaml b/.github/workflows/azfunction-deploy.yaml
index bfbbd544..229e125e 100644
--- a/.github/workflows/azfunction-deploy.yaml
+++ b/.github/workflows/azfunction-deploy.yaml
@@ -162,6 +162,107 @@ jobs:
 package: "${{ inputs.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output"
 publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE }}
+ - name: Enable identity for Azure Function
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ az functionapp identity assign \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" | tee
+ else
+ az functionapp identity assign \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" | tee
+ fi
+
+ - name: Get Azure Function Managed Identity
+ id: identity
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ IDENTITY=$(az functionapp identity show \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" | tee)
+ else
+ IDENTITY=$(az functionapp identity show \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" | tee)
+ fi
+ echo "functionAppIdentity=$(echo $IDENTITY | jq -r '.principalId')" >> $GITHUB_ENV
+
+ - name: Retrieve key vault name
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ ENVIRONMENT="${{ inputs.environment }}"
+ REPOSITORY_NAME="${{ github.event.repository.name }}"
+
+ echo -e "Searching for key vault with tags: \"repository-name=${REPOSITORY_NAME};environment=${ENVIRONMENT}\""
+ KEYVAULT_NAME=$(az keyvault list --query "[?tags.\"repository-name\" == '${REPOSITORY_NAME}' && tags.environment == '${ENVIRONMENT}'].name" --output tsv)
+
+ # Check if key vault was found
+ if [[ -z "$KEYVAULT_NAME" ]]; then
+ echo "Key Vault not found with tags: repository-name=${REPOSITORY_NAME};environment=${ENVIRONMENT}"
+ exit 1
+ fi
+
+ # Get key vault object
+ KEYVAULT_NAME=${KEYVAULT_NAME// /}
+ echo "keyVaultName=${KEYVAULT_NAME}" >> $GITHUB_ENV
+
+ - name: Assign Azure Function System Managed Identity to Key Vault
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ # Retrieve the Key Vault ID
+ keyVaultId=$(az keyvault show --name ${{ env.keyVaultName }} --query id --output tsv)
+
+ # Assign the Key Vault Secrets User role to the managed identity using object ID and principal type
+ az role assignment create --role "Key Vault Secrets User" --assignee-object-id ${{ env.functionAppIdentity }} --assignee-principal-type ServicePrincipal --scope $keyVaultId
+
+ - name: Retrieve environment variables
+ if: ${{ env.AZURE_CREDENTIALS_SET != 'false' }}
+ id: get-envs
+ uses: Andrews-McMeel-Universal/get-envs@v1
+ with:
+ azurecredentials: ${{ secrets.AZURE_CREDENTIALS }}
+ environment: ${{ inputs.environment }}
+ contentTypes: Env
+
+ - name: Add environment variables to function app
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ # Iterate over each environment variable
+
+ ENV_VARS=($(echo '${{ steps.get-envs.outputs.environmentVariables }}'))
+
+ for part in ${ENV_VARS[@]}; do
+ IFS='=' read -r key value <<< "$part"
+ VARIABLE_LC=$(echo "$key" | tr '[:upper:]' '[:lower:]' | tr "_" "-")
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ az functionapp config appsettings set \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot-settings "$key=@Microsoft.KeyVault(VaultName=${{ env.keyVaultName }};SecretName=${VARIABLE_LC})" | tee
+ else
+ az functionapp config appsettings set \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" \
+ --slot-settings "$key=@Microsoft.KeyVault(VaultName=${{ env.keyVaultName }};SecretName=${VARIABLE_LC})" | tee
+ fi
+ done
 - name: Remove GitHub Runner IP from Whitelist
 if: always()
 uses: azure/cli@v2