Pre-requisites
Requirements
- Azure Subscription (if you don't have one, you can create a free account here)
- Azure CLI (if you don't have it, you can install it here)
- GitHub Account (if you don't have one, you can create one here)
AKS Cluster Deployment via GitHub Actions using OpenID Connect and Bicep (IaC)
For this workshop, we will use GitHub Actions with OpenID Connect and Infrastructure-as-Code (IaC) written in Bicep to deploy the AKS cluster. This gives the following benefits:
- Infrastructure-as-Code (IaC) - Infrastructure is defined as code, and can be version controlled and reviewed.
- OpenID Connect - OpenID Connect is an authentication protocol that lets your GitHub Actions workflow authenticate to Azure with short-lived tokens issued at run time, so no long-lived Azure credential has to be stored in GitHub.
- GitHub Actions - GitHub Actions is a feature of GitHub that allows you to automate your software development workflows.
- Bicep - Bicep is a Domain Specific Language (DSL) for deploying Azure resources declaratively. It aims to drastically simplify the authoring experience with a cleaner syntax, improved type safety, and better support for modularity and code re-use.
This will require performing the following tasks:
- Forking this repository into your GitHub account
- Creating an Azure Resource Group
- Configuring OpenID Connect in Azure
- Setting GitHub Actions secrets
- Triggering the GitHub Actions workflow
Forking this repository into your GitHub account
- Fork this repository into your GitHub account by clicking on the “Fork” button at the top right of its page.
- Clone your newly forked repository to your local machine.
Creating an Azure Resource Group
```bash
az login
resourceGroupName="rg-aks-gha"
location="eastus"
az group create --name $resourceGroupName --location $location
```
Configuring OpenID Connect in Azure
- Create an Azure AD application:

  ```bash
  # LC_ALL=C keeps tr from rejecting non-UTF-8 bytes from /dev/urandom on macOS
  uniqueAppName=$(head /dev/urandom | LC_ALL=C tr -dc A-Za-z0-9 | head -c10 ; echo '')
  echo $uniqueAppName
  appId=$(az ad app create --display-name $uniqueAppName --query appId --output tsv)
  echo $appId
  ```

- Create a service principal for the Azure AD app:

  ```bash
  assigneeObjectId=$(az ad sp create --id $appId --query id --output tsv)
  echo $assigneeObjectId
  ```

- Create a role assignment for the Azure AD app:

  ```bash
  subscriptionId=$(az account show --query id --output tsv)
  echo $subscriptionId
  az role assignment create --role owner --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal --scope /subscriptions/$subscriptionId
  ```

  Owner at subscription scope is broader than the deployment workflow strictly needs; the workshop uses it for simplicity. In a real environment, scope the assignment to the resource group and pick the narrowest role that lets the workflow deploy.
- Configure a federated identity credential on the Azure AD app.

  You use workload identity federation to configure an Azure AD app registration to trust tokens from an external identity provider (IdP), such as GitHub.

  In the `tools/deploy/module0/credential.json` file of your locally cloned repo, replace `<your-github-username>` with your GitHub username:

  ```json
  "subject": "repo:<your-github-username>/AKS-DevSecOps-Workshop:ref:refs/heads/main",
  ```

  If you named your fork something other than `AKS-DevSecOps-Workshop`, replace `AKS-DevSecOps-Workshop` above with the name of your repository. Likewise, if your deployment branch is not `main`, replace `main` with the name of your deployment branch. Azure compares the `subject` against the token GitHub issues as an exact string, so a workflow running from a different repository or branch will not be able to sign in.

  Then run the following command from the root folder of the cloned repo to create the federated credential for the Azure AD app:

  ```bash
  az ad app federated-credential create --id $appId --parameters tools/deploy/module0/credential.json
  ```
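To make the exact-match rule concrete, here is an added example (not code from the workshop repository) that models the check Azure performs when a GitHub Actions OIDC token is exchanged against a federated credential. The issuer `https://token.actions.githubusercontent.com` and audience `api://AzureADTokenExchange` are the documented GitHub Actions and Azure defaults; the credential `name`, the `octocat` owner and the token claims are constructed samples, not real tokens, and `build_credential` only reproduces the subject shape shown above rather than the repository's actual `credential.json`.

```python
# Added example: exact-match evaluation of a GitHub OIDC token against an
# Azure federated identity credential. Claims below are constructed samples.
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"   # documented GitHub value
AZURE_AUDIENCE = "api://AzureADTokenExchange"                   # documented Azure default


def build_credential(owner, repo="AKS-DevSecOps-Workshop", branch="main", name="github-deploy"):
    """Federated-credential document for one repository branch.

    The subject has the same shape as the line in credential.json; `name` and
    `description` are assumed values, the other keys follow Azure's schema.
    """
    return {
        "name": name,
        "issuer": GITHUB_ISSUER,
        "subject": f"repo:{owner}/{repo}:ref:refs/heads/{branch}",
        "description": f"GitHub Actions, {owner}/{repo} on {branch}",
        "audiences": [AZURE_AUDIENCE],
    }


def sample_claims(owner, repo, ref="refs/heads/main", event="push"):
    """Constructed subset of the claims GitHub puts in a workflow's OIDC token.

    GitHub derives `sub` from the triggering event: branch and tag runs carry
    the ref, while pull_request runs carry the literal `pull_request` instead.
    """
    if event == "pull_request":
        sub = f"repo:{owner}/{repo}:pull_request"
    else:
        sub = f"repo:{owner}/{repo}:ref:{ref}"
    return {"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE, "sub": sub,
            "repository": f"{owner}/{repo}", "event_name": event}


def token_matches(credential, claims):
    """Return (accepted, reason). Issuer, subject and audience must all match
    exactly; a federated credential has no prefix or wildcard matching on sub."""
    if claims.get("iss") != credential["issuer"]:
        return False, "issuer mismatch: %r" % claims.get("iss")
    if claims.get("sub") != credential["subject"]:
        return False, "subject mismatch: %r" % claims.get("sub")
    if claims.get("aud") not in credential["audiences"]:
        return False, "audience mismatch: %r" % claims.get("aud")
    return True, "ok"


def evaluate(owner="octocat", repo="AKS-DevSecOps-Workshop"):
    """Run the workshop-style credential against several constructed token shapes."""
    cred = build_credential(owner, repo)
    scenarios = {
        "push to main": sample_claims(owner, repo),
        "push to feature branch": sample_claims(owner, repo, ref="refs/heads/feature"),
        "tag v1.0": sample_claims(owner, repo, ref="refs/tags/v1.0"),
        "pull_request run": sample_claims(owner, repo, event="pull_request"),
        "same-named repo, other owner": sample_claims("someone-else", repo),
    }
    return {label: token_matches(cred, claims) for label, claims in scenarios.items()}


if __name__ == "__main__":
    print(json.dumps(build_credential("<your-github-username>"), indent=2))
    for label, (ok, reason) in evaluate().items():
        print(f"{label:30s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

Only the push to `main` is accepted; a feature branch, a tag, a pull_request-triggered run and a fork under another owner all produce a different `sub` and are rejected. That is why the workshop has you edit the owner, repository and branch in `credential.json` to match your fork exactly, and why a separate credential is needed for every additional branch or event you want to let deploy.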
Setting GitHub Actions secrets
- Open your forked GitHub repository and click on the `Settings` tab.
- In the left-hand menu, expand `Secrets and variables`, and click on `Actions`.
- Click on the `New repository secret` button for each of the following secrets:
  - `AZURE_SUBSCRIPTION_ID` (this is the `subscriptionId` from the previous step)
  - `AZURE_TENANT_ID` (run `az account show --query tenantId --output tsv` to get the value)
  - `AZURE_CLIENT_ID` (this is the `appId` captured from the `az ad app create` command)
  - `CLUSTER_RESOURCE_GROUP` (this is the `resourceGroupName` from the earlier step)

Note that none of these values is a credential: with OpenID Connect there is no client secret to store, and the workflow obtains a short-lived Azure token at run time using the federated credential configured above.
Triggering the GitHub Actions workflow
- Enable GitHub Actions for your repository by clicking on the "Actions" tab, and clicking on the `I understand my workflows, go ahead and enable them` button.
- To trigger the AKS deployment workflow manually:
  - Click on the `Actions` tab.
  - Select `.github/workflows/infra-deployment-workflow.yml`.
  - Click on the `Run workflow` button.
- Alternatively, make a change to the `aks.bicep` file (e.g. change the `clusterName` parameter) and `push` the change to your GitHub repo. This will trigger the GitHub Actions workflow.
Alternative AKS Cluster Deployment - via Azure CLI
- Create a Resource Group:

  ```bash
  az login
  resourceGroupName="rg-aks-gha"
  location="eastus"
  az group create --name $resourceGroupName --location $location
  ```
- Deploy the AKS cluster Bicep template, register the `EnableWorkloadIdentityPreview` feature, and attach ACR to AKS:

  ```bash
  az deployment group create --template-file tools/deploy/module0/aks.bicep --resource-group $resourceGroupName --parameters location=$location
  az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"
  CLUSTER_NAME=$(az aks list --resource-group $resourceGroupName --query "[].name" -o tsv)
  ACR_NAME=$(az acr list --resource-group $resourceGroupName --query "[].name" -o tsv)
  az aks update -n $CLUSTER_NAME -g $resourceGroupName --attach-acr $ACR_NAME
  ```
Connect to your cluster
- To connect to your cluster:

  ```bash
  clusterName=devsecops-aks
  az aks get-credentials --name $clusterName --resource-group $resourceGroupName --admin
  kubectl get nodes
  ```

  `--admin` retrieves the cluster-admin credential, which bypasses Azure AD sign-in and Kubernetes RBAC. It is convenient for the workshop, but it should not be the day-to-day access path for a real cluster.