aks-baseline-automation/.github/workflows/IaC-bicep-AKS.yml


name: 'Deploy CARML based AKS Cluster'

on:
  workflow_dispatch:
    inputs:
      ENVIRONMENT:
        description: 'A GitHub Environment to pull action secrets from'
        required: true
        type: environment
      REGION:
        description: 'The Azure region to deploy to'
        required: true
        default: eastus

env:
  event_sha: +refs/pull/${{ github.event.issue.number }}/merge

jobs:
  prereqs:
    runs-on: ubuntu-latest
    environment: ${{ inputs.ENVIRONMENT }}
    name: Prerequisite Checks
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: "Azure Login"
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      #Helps with errors that can occur during deployment: OIDCIssuerFeatureFlagNotEnabled: Enabling OIDC issuer is not allowed since feature 'Microsoft.ContainerService/EnableOIDCIssuerPreview' is not enabled
      #                                                    AzureDefenderFeatureFlagNotEnabled: AzureDefender installation is not allowed since feature 'Microsoft.ContainerService/AKS-AzureDefender' is not enabled.
      - name: "Check Preview Features"
        shell: pwsh
        run: |
          write-output "Verifying required Resource Providers Features are registered"
          $aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" | ConvertFrom-Json

          $featureName='AKS-ExtensionManager'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='EnableOIDCIssuerPreview'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='AKS-AzureDefender'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

  deployment:
    runs-on: ubuntu-latest
    environment: ${{ inputs.ENVIRONMENT }}
    name: Deployment
    needs: [prereqs]
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: "Azure Login"
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: "Deploy Hub"
        id: hub
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-hub/hub-default.bicep
          parameters: ./IaC/bicep/rg-hub/hub-default.parameters.json
          failOnStdErr: false

      - name: "Deploy Spoke"
        id: spoke
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-spoke/spoke.bicep
          parameters: ./IaC/bicep/rg-spoke/spoke.parameters.json hubVnetResourceId=${{ steps.hub.outputs.hubVnetId }} hubLaWorkspaceResourceId=${{ steps.hub.outputs.hubLaWorkspaceResourceId }} hubFwResourceId=${{ steps.hub.outputs.hubFwResourceId }}
          failOnStdErr: false

      - name: "Deploy Cluster"
        id: cluster
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-spoke/cluster.bicep
          parameters: ./IaC/bicep/rg-spoke/cluster.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }}
          #clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }}
          failOnStdErr: false

      - name: "Deploy Registry"
        id: registry
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-spoke/acr.bicep
          parameters: ./IaC/bicep/rg-spoke/acr.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }}
          failOnStdErr: false
final 2022-03-11 19:20:08 +03:00
workflow name 2022-03-30 13:39:18 +03:00			`name: 'Deploy CARML based AKS Cluster'`

final 2022-03-11 19:20:08 +03:00			`on:`
			`workflow_dispatch:`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`inputs:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`ENVIRONMENT:`
			`description: 'A GitHub Environment to pull action secrets from'`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`required: true`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`type: environment`
			`REGION:`
			`description: 'The Azure region to deploy to'`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`required: true`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`default: eastus`
final 2022-03-11 19:20:08 +03:00
			`env:`
			`event_sha: +refs/pull/${{ github.event.issue.number }}/merge`

			`jobs:`
adding prereq stage 2022-03-23 14:15:58 +03:00			`prereqs:`
			`runs-on: ubuntu-latest`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`environment: ${{ inputs.ENVIRONMENT }}`
Added Defender check 2022-03-23 14:21:31 +03:00			`name: Prerequisite Checks`
adding prereq stage 2022-03-23 14:15:58 +03:00			`steps:`
			`- name: "Checkout"`
			`uses: actions/checkout@v2`
			`with:`
			`fetch-depth: 0`

			`- name: "Azure Login"`
			`uses: azure/login@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`creds: ${{ secrets.AZURE_CREDENTIALS }}`
adding prereq stage 2022-03-23 14:15:58 +03:00
			`#Helps with errors that can occur during deployment: OIDCIssuerFeatureFlagNotEnabled: Enabling OIDC issuer is not allowed since feature 'Microsoft.ContainerService/EnableOIDCIssuerPreview' is not enabled`
			`# AzureDefenderFeatureFlagNotEnabled: AzureDefender installation is not allowed since feature 'Microsoft.ContainerService/AKS-AzureDefender' is not enabled.`
			`- name: "Check Preview Features"`
			`shell: pwsh`
			`run: \|`
Adding AKS-ExtensionManager 2022-03-28 17:27:54 +03:00			`write-output "Verifying required Resource Providers Features are registered"`
adding prereq stage 2022-03-23 14:15:58 +03:00			`$aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" \| ConvertFrom-Json`

Adding AKS-ExtensionManager 2022-03-28 17:27:54 +03:00			`$featureName='AKS-ExtensionManager'`
			`write-output "-- $featureName"`
			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
			`}`

Added Defender check 2022-03-23 14:21:31 +03:00			`$featureName='EnableOIDCIssuerPreview'`
			`write-output "-- $featureName"`
			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
			`}`

			`$featureName='AKS-AzureDefender'`
			`write-output "-- $featureName"`
			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
adding prereq stage 2022-03-23 14:15:58 +03:00			`}`

final 2022-03-11 19:20:08 +03:00			`deployment:`
			`runs-on: ubuntu-latest`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`environment: ${{ inputs.ENVIRONMENT }}`
job name 2022-03-28 17:28:37 +03:00			`name: Deployment`
adding prereq stage 2022-03-23 14:15:58 +03:00			`needs: [prereqs]`
final 2022-03-11 19:20:08 +03:00			`steps:`
			`- name: "Checkout"`
			`uses: actions/checkout@v2`
			`with:`
			`fetch-depth: 0`
loading certs from file 2022-03-23 13:16:53 +03:00
final 2022-03-11 19:20:08 +03:00			`- name: "Azure Login"`
			`uses: azure/login@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`creds: ${{ secrets.AZURE_CREDENTIALS }}`
loading certs from file 2022-03-23 13:16:53 +03:00
final 2022-03-11 19:20:08 +03:00			`- name: "Deploy Hub"`
			`id: hub`
			`uses: azure/arm-deploy@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}`
			`region: ${{ inputs.REGION }}`
final 2022-03-11 19:20:08 +03:00			`scope: subscription`
			`template: ./IaC/bicep/rg-hub/hub-default.bicep`
fixing parameter file extension to json 2022-03-23 12:14:58 +03:00			`parameters: ./IaC/bicep/rg-hub/hub-default.parameters.json`
final 2022-03-11 19:20:08 +03:00			`failOnStdErr: false`
loading certs from file 2022-03-23 13:16:53 +03:00
final 2022-03-11 19:20:08 +03:00			`- name: "Deploy Spoke"`
			`id: spoke`
			`uses: azure/arm-deploy@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}`
			`region: ${{ inputs.REGION }}`
final 2022-03-11 19:20:08 +03:00			`scope: subscription`
			`template: ./IaC/bicep/rg-spoke/spoke.bicep`
fixing parameter file extension to json 2022-03-23 12:14:58 +03:00			`parameters: ./IaC/bicep/rg-spoke/spoke.parameters.json hubVnetResourceId=${{ steps.hub.outputs.hubVnetId }} hubLaWorkspaceResourceId=${{ steps.hub.outputs.hubLaWorkspaceResourceId }} hubFwResourceId=${{ steps.hub.outputs.hubFwResourceId }}`
final 2022-03-11 19:20:08 +03:00			`failOnStdErr: false`
loading certs from file 2022-03-23 13:16:53 +03:00
final 2022-03-11 19:20:08 +03:00			`- name: "Deploy Cluster"`
			`id: cluster`
			`uses: azure/arm-deploy@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}`
			`region: ${{ inputs.REGION }}`
final 2022-03-11 19:20:08 +03:00			`scope: subscription`
			`template: ./IaC/bicep/rg-spoke/cluster.bicep`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`parameters: ./IaC/bicep/rg-spoke/cluster.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }}`
			`#clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }}`
final 2022-03-11 19:20:08 +03:00			`failOnStdErr: false`
loading certs from file 2022-03-23 13:16:53 +03:00
final 2022-03-11 19:20:08 +03:00			`- name: "Deploy Registry"`
			`id: registry`
			`uses: azure/arm-deploy@v1`
			`with:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}`
			`region: ${{ inputs.REGION }}`
final 2022-03-11 19:20:08 +03:00			`scope: subscription`
			`template: ./IaC/bicep/rg-spoke/acr.bicep`
fixing parameter file extension to json 2022-03-23 12:14:58 +03:00			`parameters: ./IaC/bicep/rg-spoke/acr.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }}`
final 2022-03-11 19:20:08 +03:00			`failOnStdErr: false`