diff --git a/.github/workflows/azfunction-deploy.yaml b/.github/workflows/azfunction-deploy.yaml
index bfbbd544..229e125e 100644
--- a/.github/workflows/azfunction-deploy.yaml
+++ b/.github/workflows/azfunction-deploy.yaml
@@ -162,6 +162,107 @@ jobs:
 package: "${{ inputs.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output"
 publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE }}
+ - name: Enable identity for Azure Function
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ az functionapp identity assign \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" | tee
+ else
+ az functionapp identity assign \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" | tee
+ fi
+
+ - name: Get Azure Function Managed Identity
+ id: identity
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ IDENTITY=$(az functionapp identity show \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" | tee)
+ else
+ IDENTITY=$(az functionapp identity show \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" | tee)
+ fi
+ echo "functionAppIdentity=$(echo $IDENTITY | jq -r '.principalId')" >> $GITHUB_ENV
+
+ - name: Retrieve key vault name
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ ENVIRONMENT="${{ inputs.environment }}"
+ REPOSITORY_NAME="${{ github.event.repository.name }}"
+
+ echo -e "Searching for key vault with tags: \"repository-name=${REPOSITORY_NAME};environment=${ENVIRONMENT}\""
+ KEYVAULT_NAME=$(az keyvault list --query "[?tags.\"repository-name\" == '${REPOSITORY_NAME}' && tags.environment == '${ENVIRONMENT}'].name" --output tsv)
+
+ # Check if key vault was found
+ if [[ -z "$KEYVAULT_NAME" ]]; then
+ echo "Key Vault not found with tags: repository-name=${REPOSITORY_NAME};environment=${ENVIRONMENT}"
+ exit 1
+ fi
+
+ # Get key vault object
+ KEYVAULT_NAME=${KEYVAULT_NAME// /}
+ echo "keyVaultName=${KEYVAULT_NAME}" >> $GITHUB_ENV
+
+ - name: Assign Azure Function System Managed Identity to Key Vault
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ # Retrieve the Key Vault ID
+ keyVaultId=$(az keyvault show --name ${{ env.keyVaultName }} --query id --output tsv)
+
+ # Assign the Key Vault Secrets User role to the managed identity using object ID and principal type
+ az role assignment create --role "Key Vault Secrets User" --assignee-object-id ${{ env.functionAppIdentity }} --assignee-principal-type ServicePrincipal --scope $keyVaultId
+
+ - name: Retrieve environment variables
+ if: ${{ env.AZURE_CREDENTIALS_SET != 'false' }}
+ id: get-envs
+ uses: Andrews-McMeel-Universal/get-envs@v1
+ with:
+ azurecredentials: ${{ secrets.AZURE_CREDENTIALS }}
+ environment: ${{ inputs.environment }}
+ contentTypes: Env
+
+ - name: Add environment variables to function app
+ uses: azure/cli@v2
+ with:
+ inlineScript: |
+ set -eu
+ # Iterate over each environment variable
+
+ ENV_VARS=($(echo '${{ steps.get-envs.outputs.environmentVariables }}'))
+
+ for part in ${ENV_VARS[@]}; do
+ IFS='=' read -r key value <<< "$part"
+ VARIABLE_LC=$(echo "$key" | tr '[:upper:]' '[:lower:]' | tr "_" "-")
+ if [[ "${{ inputs.environment }}" == "production" ]]; then
+ az functionapp config appsettings set \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot-settings "$key=@Microsoft.KeyVault(VaultName=${{ env.keyVaultName }};SecretName=${VARIABLE_LC})" | tee
+ else
+ az functionapp config appsettings set \
+ -g "${{ inputs.AZURE_FUNCTIONAPP_RESOURCEGROUP }}" \
+ -n "${{ inputs.AZURE_FUNCTIONAPP_NAME }}" \
+ --slot "${{ inputs.environment }}" \
+ --slot-settings "$key=@Microsoft.KeyVault(VaultName=${{ env.keyVaultName }};SecretName=${VARIABLE_LC})" | tee
+ fi
+ done
 - name: Remove GitHub Runner IP from Whitelist
 if: always()
 uses: azure/cli@v2
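Review bot: `ENV_VARS=($(echo '${{ steps.get-envs.outputs.environmentVariables }}'))` in the "Add environment variables to function app" step splices an action output straight into the shell source, so a single quote or other metacharacter in that output ends the literal and is executed in a job that holds Azure credentials; the safer pattern is to pass the expression through step `env:` and read the variable at runtime. The same step's `az functionapp config appsettings set ... | tee` pipelines (and the `identity assign` / `identity show` pipelines in the first two steps) run under `set -eu` without `pipefail`, so the pipeline status is tee's and a failed `az` call does not stop the job — `set -euo pipefail`, or simply dropping the no-op `| tee`, fixes that. In "Retrieve key vault name" the tag query can match more than one vault while the guard only rejects an empty result, and `${KEYVAULT_NAME// /}` strips spaces but not the newline between tsv rows, so a multi-match would export a malformed `keyVaultName` to `$GITHUB_ENV`; check for exactly one line before exporting. Sketch of the env-passing change below — I am not certain the azure/cli@v2 container inherits step-level `env:`, so verify that on a run, and `read -a` splits on whitespace exactly as the existing unquoted expansion does.
```yaml
      - name: Add environment variables to function app
        uses: azure/cli@v2
        env:
          ENV_VARS_RAW: ${{ steps.get-envs.outputs.environmentVariables }}
        with:
          inlineScript: |
            set -euo pipefail
            read -r -a ENV_VARS <<< "$ENV_VARS_RAW"
            # … unchanged: for-loop over ENV_VARS building the Key Vault references …
```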