9.1 KiB
Data Management Landing Zone - GitHub Action Deployment
In the previous step we have generated a JSON output similar to the following, which will be required in the next steps:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}
Adding Secrets to GitHub respository
If you want to use GitHub Actions for deploying the resources, add the JSON output as a repository secret with the name AZURE_CREDENTIALS in your GitHub repository:
To do so, execute the following steps:
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click on the Settings tab.
- In the left sidebar, click Secrets.
- Click New repository secret.
- Type the name
AZURE_CREDENTIALSfor your secret in the Name input box. - Enter the JSON output from above as value for your secret.
- Click Add secret.
Update Parameters
In order to deploy the Infrastructure as Code (IaC) templates to the desired Azure subscription, you will need to modify some parameters in the forked repository. Therefore, this step should not be skipped for neither Azure DevOps/GitHub options. There are two files that require updates:
.github/workflows/dataManagementZoneDeployment.ymlandinfra/params.dev.json.
Update these files in a seperate branch and then merge via Pull Request to trigger the initial deployment.
Configure dataManagementZoneDeployment.yml
To begin, please open .github/workflows/dataManagementZoneDeployment.yml. In this file you need to update the environment variables section. Just click on .github/workflows/dataManagementZoneDeployment.yml and edit the following section:
env:
AZURE_SUBSCRIPTION_ID: "17588eb2-2943-461a-ab3f-00a3ceac3112" # Update to '{dataHubSubscriptionId}'
AZURE_LOCATION: "northeurope" # Update to '{regionName}'
The following table explains each of the parameters:
| Parameter | Description | Sample value |
|---|---|---|
| AZURE_SUBSCRIPTION_ID | Specifies the subscription ID of the Data Management Landing Zone where all the resources will be deployed | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| AZURE_LOCATION | Specifies the region where you want the resources to be deployed. Please check Supported Regions | northeurope |
Configure params.dev.json
To begin, please open the infra/params.dev.json. In this file you need to update the variable values. Just click on infra/params.dev.json and edit the values. An explanation of the values is given in the table below:
| Parameter | Description | Sample value |
|---|---|---|
location |
Specifies the location for all resources. | northeurope |
environment |
Specifies the environment of the deployment. | dev, tst or prd |
prefix |
Specifies the prefix for all resources created in this deployment. | prefi |
tags |
Specifies the tags that you want to apply to all resources. | {key: value} |
purviewRootCollectionAdminObjectIds |
Specifies the list of user object IDs that are assigned as collection admin to the root collection in Purview. To get the object ID for a user use the following Azure CLI command: az ad user list --display-name "{user name}" --query "[].objectId". |
[{object-id-1}, {object-id-2}] |
vnetAddressPrefix |
Specifies the address space of the vnet. | 10.0.0.0/16 |
azureFirewallSubnetAddressPrefix |
Specifies the address space of the subnet that is use for Azure Firewall. Optional if enableDnsAndFirewallDeployment is set to true. |
10.0.0.0/24 |
servicesSubnetAddressPrefix |
Specifies the address space of the subnet that is used for the services. | 10.0.1.0/24 |
enableDnsAndFirewallDeployment |
Specifies whether firewall and private DNS Zones should be deployed. | true |
firewallPrivateIp |
Specifies the private IP address of the central firewall. Optional if enableDnsAndFirewallDeployment is set to true. |
10.0.0.4 |
dnsServerAdresses |
Specifies the private IP addresses of the dns servers. Optional if enableDnsAndFirewallDeployment is set to true. |
[ 10.0.0.4 ] |
firewallPolicyId |
Specifies the resource ID of the Azure Firewall Policy. Optional parameter allows you to deploy Firewall rules to an existing Firewall Policy if enableDnsAndFirewallDeployment is set to false. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/firewallPolicies/{firewallpolicy-name} |
privateDnsZoneIdContainerRegistry |
Specifies the resource ID of the private DNS zone for Container Registry. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io |
privateDnsZoneIdKeyVault |
Specifies the resource ID of the private DNS zone for Key Vault. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net |
privateDnsZoneIdNamespace |
Specifies the resource ID of the private DNS zone for EventHub namespaces. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net |
privateDnsZoneIdPurview |
Specifies the resource ID of the private DNS zone for Purview. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.purview.azure.com |
privateDnsZoneIdPurviewPortal |
Specifies the resource ID of the private DNS zone for Purview Portal. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.purviewstudio.azure.com |
privateDnsZoneIdBlob |
Specifies the resource ID of the private DNS zone for Blob storage. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net |
privateDnsZoneIdQueue |
Specifies the resource ID of the private DNS zone for Queue storage. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net |
privateDnsZoneIdSynapse |
Specifies the resource ID of the private DNS zone for Synapse. Optional if enableDnsAndFirewallDeployment is set to true. |
/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.Network/privateDnsZones/privatelink.azuresynapse.net |
Merge these changes back to the main branch of your repository
After following the instructions and updating the parameters and variables in your repository in a separate branch and opening the pull request, you can merge the pull request back into the main branch of your repository by clicking on Merge pull request. Finally, you can click on Delete branch to clean up your repository. By doing this, you trigger the deployment workflow.
Follow the workflow deployment
Congratulations! You have successfully executed all steps to deploy the template into your environment through GitHub Actions.
Now, you can navigate to the Actions tab of the main page of the repository, where you will see a workflow with the name Data Management Zone Deployment running. Click on it to see how it deploys the environment. If you run into any issues, please check the Known Issues first and open an issue if you come accross a potential bug in the repository.
Add Root Collection Administrator role to Purview account
Since the Purview account is being deployed using a Service Principal, at this point, the only identity that has access to the Purview data plane, is the Service Principal. Use the instructions in this guide to assign additional user accounts to the Purview Root Collection as Collection Admin.