Skip to content

GitHub / Azure Integration

Note

Ensure you have completed the prerequisites for this workshop before this exercise.

The integration between GitHub and Microsoft Azure comes in two parts and we will address them one after the other.

On GitHub: integrate Microsoft Azure

In this exercise we address the part of introducing Microsoft Azure to GitHub. For this we need to create a GitHub Environment, which is a collection of secrets, environment variables, and other information that GitHub Actions may use when running workflows.

Here are the three Microsoft Azure information we should make known to GitHub, by registering them as environment variables:

  • AZURE_SUBSCRIPTION_ID
  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID

We will be interacting with GitHub and this can be done in several ways, either on GitHub.com, GitHub CLI or calling the GitHub ReST API with cURL. We will use the GitHub CLI.

Use a single terminal session

Ensure the subsequent commands are executed in the same terminal sessions.

Re-Login to GitHub CLI

This ensures the CLI has the necessary permissions for the actions we will be taking next.

unset GITHUB_TOKEN && gh auth logout
gh auth status
gh auth login
gh auth status

When prompted, answer as follows:

  • Where do you use GitHub?: GitHub.com
  • What is your preferred protocol for Git operations on this host?: HTTPS
  • Authenticate Git with your GitHub credentials?: Yes
  • How would you like to authenticate GitHub CLI?: Login with a web browser

Again, follow the prompts and Authorize when asked.

✓ Authentication complete.
- gh config set -h github.com git_protocol https
✓ Configured git protocol
! Authentication credentials saved in plain text
✓ Logged in as akbast

Create staging GitHub Environment

A GitHub Environment can be created in several ways, over the GitHub UI, GitHub CLI or calling the GitHub ReST API. As we already configured the GitHub CLI, we will use it for creating the environments.

export GITHUB_ENVIRONMENT="staging"

gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT" #(1)!
  1. The variable $GITHUB_REPOSITORY is set in the codespace environment per default and contains the name of the repository you are working in.

You should see an output similar to this:

{
  "id": 123456789,
  "node_id": "EN_aokjwn3-dr6y6fpkwqj",
  "name": "staging",
  "url": "https://api.github.com/repos/demos-by-igwejk/continuous-deployments-the-github-way/environments/$GITHUB_ENVIRONMENT",
  "html_url": "https://github.com/demos-by-igwejk/continuous-deployments-the-github-way/deployments/activity_log?environments_filter=staging",
  "created_at": "2024-08-20T03:43:23Z",
  "updated_at": "2024-08-20T03:43:23Z",
  "can_admins_bypass": true,
  "protection_rules": [],
  "deployment_branch_policy": null
}

Add Variables to the Environment

Now that we have created the environment, we can add the variables to it. We will add the following variables:

Register Azure Subscription ID environment variable

# Get Microsoft Azure subscription id from the deployment output
AZURE_SUBSCRIPTION_ID=$(jq -r '.properties.outputs.site.value.outputs.appService.value.subscriptionId' infrastructure/day-0/deployment-outputs.json)

# Add the subscription id to GitHub environment.
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT/variables" \
   -f "name=AZURE_SUBSCRIPTION_ID" -f "value=$AZURE_SUBSCRIPTION_ID"

Register Azure Tenant ID environment variable

# Get Microsoft Azure tenant id from the deployment output.
AZURE_TENANT_ID=$(jq -r '.properties.outputs.site.value.outputs.appService.value.identity.tenantId' infrastructure/day-0/deployment-outputs.json)

# Add the tenant id to GitHub environment.
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT/variables" \
   -f "name=AZURE_TENANT_ID" -f "value=$AZURE_TENANT_ID"

Register Azure Client ID environment variable

# Get App Registration client id from the deployment output.
AZURE_CLIENT_ID=$(jq -r '.properties.outputs.githubIntegrationApp.value.outputs.applicationRegistration.value.appId' infrastructure/day-0/deployment-outputs.json)

# Add the client id to GitHub environment.
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT/variables" \
   -f "name=AZURE_CLIENT_ID" -f "value=$AZURE_CLIENT_ID"

Register App Service Name environment variable

# Get App service name from the deployment output.
APP_SERVICE_NAME=$(jq -r '.properties.outputs.site.value.outputs.appService.value.properties.name' infrastructure/day-0/deployment-outputs.json)

# Add the client id to GitHub environment.
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT/variables" \
   -f "name=APP_SERVICE_NAME" -f "value=$APP_SERVICE_NAME"

Register Container Registry Name environment variable

# Get Container registry name from the deployment output.
CONTAINER_REGISTRY=$(jq -r '.properties.outputs.containerRegistry.value.outputs.containerRegistry.value.properties.loginServer' infrastructure/day-0/deployment-outputs.json)

# Add the client id to GitHub environment.
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/repos/$GITHUB_REPOSITORY/environments/$GITHUB_ENVIRONMENT/variables" \
   -f "name=CONTAINER_REGISTRY" -f "value=$CONTAINER_REGISTRY"

Register PLATFORM_LIBRARY_WORKFLOWS as environment variable

This one has been done for you already 🙂.

On Azure: integrate GitHub

Previously, we have introduced Microsoft Azure to GitHub and made some changes in the code to see how deployment works but it did not work, because we have not introduced our GitHub repository to Microsoft Azure yet.

For achieving this, we will use Workload Identity Federation. With Workload Identity Federation, you can allow other identities to impersonate your Application Registration by establishing a trust with an external OpenID Connect (OIDC) provider. For more detailed information about workload identity federation, you can visit the official documentation on Microsoft Azure.

Create parameters for federated credentials

We will now configure our Azure application registration to know about our repository and environment. There are a few steps to do this, and we will guide you through the process. This can be done in several ways, but we will use the Microsoft Azure CLI.

For this step, we should first create our parameters, which will include our repository and environment which we had created before. Navigate to infrastructure/day-1/oidc-config.json and replace the placeholder ${GITHUB_REPOSITORY} with your repository name in the format <YOUR_ORGANIZATION>/<YOUR-REPOSITORY>. Running echo $GITHUB_REPOSITORY on the terminal will print the repository name as expected 😉.

!!! tip "You may execute the instruction via on the terminal

1
2
3
4
5
The following command will full the expectation for the current step.

```bash
echo "$(envsubst < infrastructure/day-1/oidc-config.json)" > infrastructure/day-1/oidc-config.json
```

Configure Azure application registration

After we have created the parameters for federated credentials, we can now configure our Azure application registration to know about our repository and environment. We need our Application ID to tell Microsoft Azure, which Application Registration we want to configure.

Run following command in your terminal to configure your Azure application registration to know about our repository and environment: 

APP_REGISTRATION_ID=$(jq -r '.properties.outputs.githubIntegrationApp.value.outputs.applicationRegistration.value.appId' infrastructure/day-0/deployment-outputs.json)
az ad app federated-credential create --id $APP_REGISTRATION_ID --parameters infrastructure/day-1/oidc-config.json

You should see an output similar to this: 

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('63a62e2c-3a37-4d61-8ea3-f755f068697f')/federatedIdentityCredentials/$entity",
  "audiences": [
    "api://AzureADTokenExchange"
  ],
  "description": "Staging",
  "id": "<YOUR_APPLICATION_ID>",
  "issuer": "https://token.actions.githubusercontent.com/",
  "name": "Staging",
  "subject": "repo:<YOUR_REPOSITORY>:environment:staging"
}

Now that we have configured our Azure application registration to know about our repository and environment, we can now authenticate and interact with Microsoft Azure in the next exercise.

To do this, we will just go to our GitHub Repository and restart our failing action, which has failed at the step of publishing the image to Azure Container Registry. Go to your GitHub Repository and click on the "Actions" tab. You will see the failed action. Click on the failed action and then click on the "Re-run jobs" button. This will trigger the workflow again and try to publish the image to Azure Container Registry.