diff --git a/.azuredevops/pipelineTemplates/jobs.publishModule.yml b/.azuredevops/pipelineTemplates/jobs.publishModule.yml
index f22e1761c3..f2b1075ca1 100644
--- a/.azuredevops/pipelineTemplates/jobs.publishModule.yml
+++ b/.azuredevops/pipelineTemplates/jobs.publishModule.yml
@@ -18,28 +18,29 @@ ## ## NOTE: If you don't need to overwrite a shared value, you can IGNORE this section ## -## |======================================================================================================================================================================================================================| -## | Parameter | Default Value | Description | Example | -## |---------------------------------|--------------------------------------|---------------------------------------------------------------------------------------------------------|-----------------------------------| -## | displayName | 'Publishing' | Name for the pipeline job | 'Publish KeyVault' | -## | serviceConnection | '$(serviceConnection)' | The service connection that connects to Azure | 'demo-internal' | -## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on | 'Custom Deployment Pool' | -## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on | 'ubuntu20.04' | -## | defaultJobTimeoutInMinutes | 120 | The timeout for the job in this pipeline | 120 | -## | modulePath | '$(modulePath)' | The path to the module to deploy. E.g. [c:/KeyVault] | 'c:/KeyVault' | -## | templateSpecsRGName | '$(templateSpecsRGName)' | Required to publish to template spec. ResourceGroup of the template spec to publish to | 'mgmt-rg' | -## | templateSpecsRGLocation | '$(templateSpecsRGLocation)' | Required to publish to template spec. Location of the template spec resource group | 'West Europe' | -## | templateSpecsDescription | '$(templateSpecsDescription)' | Required to publish to template spec. Description of the template spec to publish to | 'IaCs module' | -## | vstsFeedToken | '$(vstsFeedToken)' | Required to publish to a DevOps feed. Token with access to the feed to publish to. | '...' | -## | vstsFeedName | '$(vstsFeedName)' | Required to publish to a DevOps feed. Name to the feed to publish to. 
| 'modules' | -## | vstsFeedProject | '$(vstsFeedProject)' | Required to publish to a DevOps feed. Name of the project hosting the artifacts feed. May be empty. | 'iacs' | -## | bicepRegistryName | '$(bicepRegistryName)' | Required to publish to the private bicep registry. Name of the hosting container registry | 'adpsxxazacrx001' | -## | bicepRegistryRGName | '$(bicepRegistryRGName)' | Required to publish to the private bicep registry. Resource group of the hosting container registry | 'artifacts-rg' | -## | bicepRegistryRgLocation | '$(bicepRegistryRgLocation)' | Required to publish to the private bicep registry. Location of the RG of the hosting container registry | 'West Europe' | -## | vstsOrganizationUri | '$(vstsOrganizationUri)' | Required to publish to a DevOps feed. Name of the organization hosting the artifacts feed. | 'servicescode' | -## | azurePowerShellVersion | '$(azurePowerShellVersion)' | Used for configuring the Azure PowerShell Version, one of the example values. | 'latestVersion' or 'OtherVersion' | -## | preferredAzurePowerShellVersion | '$(preferredAzurePowerShellVersion)' | Used for configuring the Azure PowerShell Version, either an empty string or specific version. 
| '4.4.0' | -## |======================================================================================================================================================================================================================| +## |===========================================================================================================================================================================================================================| +## | Parameter | Default Value | Description | Example | +## |---------------------------------|--------------------------------------|---------------------------------------------------------------------------------------------------------|----------------------------------------| +## | displayName | 'Publishing' | Name for the pipeline job | 'Publish KeyVault' | +## | serviceConnection | '$(serviceConnectionPublishing)' | The service connection that connects to Azure | 'demo-internal' | +## | subscriptionId | '$(ARM_PUBLISHING_SUBSCRIPTION_ID)' | The id of the subscription to deploy into when using a Management group service connection | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | +## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on | 'Custom Deployment Pool' | +## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on | 'ubuntu20.04' | +## | defaultJobTimeoutInMinutes | 120 | The timeout for the job in this pipeline | 120 | +## | modulePath | '$(modulePath)' | The path to the module to deploy. E.g. [c:/KeyVault] | 'c:/KeyVault' | +## | templateSpecsRGName | '$(templateSpecsRGName)' | Required to publish to template spec. ResourceGroup of the template spec to publish to | 'mgmt-rg' | +## | templateSpecsRGLocation | '$(templateSpecsRGLocation)' | Required to publish to template spec. 
Location of the template spec resource group | 'West Europe' | +## | templateSpecsDescription | '$(templateSpecsDescription)' | Required to publish to template spec. Description of the template spec to publish to | 'IaCs module' | +## | vstsFeedToken | '$(vstsFeedToken)' | Required to publish to a DevOps feed. Token with access to the feed to publish to. | '...' | +## | vstsFeedName | '$(vstsFeedName)' | Required to publish to a DevOps feed. Name to the feed to publish to. | 'modules' | +## | vstsFeedProject | '$(vstsFeedProject)' | Required to publish to a DevOps feed. Name of the project hosting the artifacts feed. May be empty. | 'iacs' | +## | bicepRegistryName | '$(bicepRegistryName)' | Required to publish to the private bicep registry. Name of the hosting container registry | 'adpsxxazacrx001' | +## | bicepRegistryRGName | '$(bicepRegistryRGName)' | Required to publish to the private bicep registry. Resource group of the hosting container registry | 'artifacts-rg' | +## | bicepRegistryRgLocation | '$(bicepRegistryRgLocation)' | Required to publish to the private bicep registry. Location of the RG of the hosting container registry | 'West Europe' | +## | vstsOrganizationUri | '$(vstsOrganizationUri)' | Required to publish to a DevOps feed. Name of the organization hosting the artifacts feed. | 'servicescode' | +## | azurePowerShellVersion | '$(azurePowerShellVersion)' | Used for configuring the Azure PowerShell Version, one of the example values. | 'latestVersion' or 'OtherVersion' | +## | preferredAzurePowerShellVersion | '$(preferredAzurePowerShellVersion)' | Used for configuring the Azure PowerShell Version, either an empty string or specific version. | '4.4.0' | +## |===========================================================================================================================================================================================================================| ## ##---------------------------------------------## 
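Review bot: The rewritten parameter table still documents `vstsFeedToken` as an ordinary `$(vstsFeedToken)` variable with nothing saying it carries a credential; since this is the table consumers read when wiring up their variable groups, the description should state that it must be defined as a secret variable so it is masked in task logs. Suggested row text: `Required to publish to a DevOps feed. Token with access to the feed to publish to. Must be stored as a secret pipeline variable.` The new `subscriptionId` row says it applies "when using a Management group service connection", yet the later hunks in this file pass `SubscriptionId = '${{ parameters.subscriptionId }}'` unconditionally to both publish scripts, so a reader may wrongly leave it unset; rewording it to `Subscription to publish into. Required when the service connection is scoped above subscription level` would match the code.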
@@ -47,11 +48,12 @@ parameters: # Pipeline-related parameters checkoutRepositories: '' displayName: 'Publishing' - serviceConnection: '$(serviceConnection)' + serviceConnection: '$(serviceConnectionPublishing)' poolName: '$(poolName)' vmImage: '$(vmImage)' defaultJobTimeoutInMinutes: 120 modulesRepository: '$(modulesRepository)' + subscriptionId: '$(ARM_PUBLISHING_SUBSCRIPTION_ID)' # Logic-related parameters ## Module-related @@ -200,7 +202,7 @@ jobs: # [template-spec publish] task(s) #-------------------------------- - task: AzurePowerShell@5 - displayName: 'Publish module to template specs' + displayName: 'Publish module to template specs via connection [${{ parameters.serviceConnection }}]' condition: and( eq(variables['templateSpecsDoPublish'], true), succeeded() @@ -243,6 +245,7 @@ jobs: TemplateSpecsRgName = '${{ parameters.templateSpecsRgName }}' TemplateSpecsRgLocation = '${{ parameters.templateSpecsRgLocation }}' TemplateSpecsDescription = '${{ parameters.templateSpecsDescription }}' + SubscriptionId = '${{ parameters.subscriptionId }}' ModuleVersion = $ModuleToPublish.Version } @@ -256,7 +259,7 @@ jobs: # [private bicep registry publish] task(s) #------------------------------------------- - task: AzureCLI@2 - displayName: 'Publish module to private bicep registry' + displayName: 'Publish module to private bicep registry via connection [${{ parameters.serviceConnection }}]' condition: and( eq(variables['bicepRegistryDoPublish'], true), succeeded() @@ -303,6 +306,7 @@ jobs: BicepRegistryName = '${{ parameters.bicepRegistryName }}' BicepRegistryRgName = '${{ parameters.bicepRegistryRgName }}' BicepRegistryRgLocation = '${{ parameters.bicepRegistryRgLocation }}' + SubscriptionId = '${{ parameters.subscriptionId }}' ModuleVersion = $ModuleToPublish.Version } diff --git a/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml b/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml index 207b45e811..6f0ed46015 100644 
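Review bot: `SubscriptionId = '${{ parameters.subscriptionId }}'` in both publish tasks is passed through unchecked, and its default `'$(ARM_PUBLISHING_SUBSCRIPTION_ID)'` is an Azure DevOps macro that is left as literal text when the variable is not defined in the consuming variable group, so the publish function would receive the string `$(ARM_PUBLISHING_SUBSCRIPTION_ID)` and fail with an unhelpful downstream error rather than a clear configuration message. A one-line preflight at the top of each inline script makes the new connection/subscription split fail fast: `if ('${{ parameters.subscriptionId }}' -match '^\$\(') { throw 'subscriptionId is unset: define ARM_PUBLISHING_SUBSCRIPTION_ID or pass the parameter explicitly' }`. The same caveat applies to `serviceConnection`, whose default `$(serviceConnectionPublishing)` is a new variable name that every existing variable group must now define. The inline-script bodies around these lines extend outside the hunks.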
--- a/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml +++ b/.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml @@ -24,7 +24,7 @@ ## |=================================================================================================================================================================================================================================| ## | Parameter | Default Value | Description | Example | ## |---------------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------| -## | serviceConnection | '$(serviceConnection)' | The service connection that connects to Azure | 'demo-internal' | +## | serviceConnection | '$(serviceConnectionValidation)' | The service connection that connects to Azure | 'demo-internal' | ## | removeDeployment | '$(removeDeployment)' | Set to [true] to flag resource for removal. If not provided, defaults to false. | 'true' | ## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on | 'Custom Deployment Pool' | ## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on | 'ubuntu20.04' | 
@@ -32,9 +32,9 @@ ## | checkoutRepositories | '' | An optional list of repositories to check out at the beginning of this job in addition to the source | 'Components' | ## | modulePath | '$(modulePath)' | The path to the module to deploy. E.g. [c:/KeyVault] | 'c:/KeyVault' | ## | deploymentBlocks | | The parameter file(s) to deploy with. Must be provided | path: 'C:/parameters.json' | -## | location | '$(location)' | The location to deploy with | 'EastUs2' | -## | resourceGroupName | '$(resourceGroupName)' | The resourcegroup to deploy into. Required only for Resource-Group-Level deployments | 'validation-rg' | -## | subscriptionId | '$(ARM_SUBSCRIPTION_ID)' | The id of the subscription to deploy into when using a Management group service connection | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | +## | location | '$(location)' | The location to deploy with | 'EastUs2' | +## | resourceGroupName | '$(resourceGroupName)' | The resourcegroup to deploy into. Required only for Resource-Group-Level deployments | 'validation-rg' | +## | subscriptionId | '$(ARM_VALIDATION_SUBSCRIPTION_ID)' | The id of the subscription to deploy into when using a Management group service connection | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | ## | managementGroupId | '$(ARM_MGMTGROUP_ID)' | The id of the management group to deploy into. Required only for Management-Group-Level deployments | '6ycc9620-cb01-454f-9ebc-fc6b1df48d64' | ## | parametersRepository | '$(Build.Repository.Name)' | The respository with the parameter files. Defaults to the triggering repository | 'Solutions' | ## | modulesRepository | '$(modulesRepository)' | The respository with the modules. | 'Components' | @@ -46,7 +46,7 @@ parameters: # Pipeline-related parameters - serviceConnection: '$(serviceConnection)' + serviceConnection: '$(serviceConnectionValidation)' poolName: '$(poolName)' vmImage: '$(vmImage)' defaultJobTimeoutInMinutes: 120 
@@ -58,7 +58,7 @@ parameters: deploymentBlocks: '' location: '$(location)' resourceGroupName: '$(resourceGroupName)' - subscriptionId: '$(ARM_SUBSCRIPTION_ID)' + subscriptionId: '$(ARM_VALIDATION_SUBSCRIPTION_ID)' managementGroupId: '$(ARM_MGMTGROUP_ID)' parametersRepository: '$(Build.Repository.Name)' modulesRepository: '$(modulesRepository)' @@ -180,7 +180,7 @@ jobs: resourceGroupName = '${{ parameters.resourceGroupName }}' subscriptionId = '${{ parameters.subscriptionId }}' managementGroupId = '${{ parameters.managementGroupId }}' - tenantId = '$(ARM_TENANT_ID)' + tenantId = '$(AZURE_TENANT_ID)' deploymentSpId = '$(DEPLOYMENT_SP_ID)' } diff --git a/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml b/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml index 8e36f369d8..1b9fb33c10 100644 --- a/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml +++ b/.azuredevops/pipelineTemplates/jobs.validateModulePester.yml 
@@ -24,7 +24,7 @@ ## |=============================================================================================================================================================================================================================| ## | Parameter | Default Value | Description | Example | ## |---------------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|----------------------------------------| -## | serviceConnection | '$(serviceConnection)' | The service connection that connects to Azure | 'demo-internal' | +## | serviceConnection | '$(serviceConnectionValidation)' | The service connection that connects to Azure | 'demo-internal' | ## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on | 'Custom Deployment Pool' | ## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on | 'ubuntu20.04' | ## | defaultJobTimeoutInMinutes | 120 | The timeout for the job in this pipeline | 120 | 
@@ -32,7 +32,7 @@ ## | modulePath | '$(modulePath)' | The path to the module to deploy. E.g. [c:/KeyVault] | 'c:/KeyVault' | ## | location | '$(location)' | The location to validate with | 'France Central' | ## | resourceGroupName | '$(resourceGroupName)' | The resourcegroup to validate into. Required only for Resource-Group-Level validations | 'validation-rg' | -## | subscriptionId | '$(ARM_SUBSCRIPTION_ID)' | The id of the subscription to validate with when using a Management group service connection | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | +## | subscriptionId | '$(ARM_VALIDATION_SUBSCRIPTION_ID)' | The id of the subscription to validate with when using a Management group service connection | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | ## | managementGroupId | '$(ARM_MGMTGROUP_ID)' | The id of the management group to validate with. Required only for Management-Group-Level validations | '477c9620-cb01-454f-9ebc-fc6b1df48c14' | ## | parametersRepository | '$(Build.Repository.Name)' | The respository with the parameter files. Defaults to the triggering repository | 'Solutions' | ## | modulesRepository | '$(modulesRepository)' | The respository with the modules. | 'Components' | @@ -44,7 +44,7 @@ parameters: # Pipeline-related parameters - serviceConnection: '$(serviceConnection)' + serviceConnection: '$(serviceConnectionValidation)' poolName: '$(poolName)' vmImage: '$(vmImage)' defaultJobTimeoutInMinutes: 120 @@ -54,7 +54,7 @@ parameters: parametersRepository: '$(Build.Repository.Name)' location: '$(location)' resourceGroupName: '$(resourceGroupName)' - subscriptionId: '$(ARM_SUBSCRIPTION_ID)' + subscriptionId: '$(ARM_VALIDATION_SUBSCRIPTION_ID)' managementGroupId: '$(ARM_MGMTGROUP_ID)' modulesRepository: '$(modulesRepository)' # Azure PowerShell Version parameter 
@@ -155,8 +155,8 @@ jobs: if (-not [String]::IsNullOrEmpty('$(DEPLOYMENT_SP_ID)')) { $enforcedTokenList['deploymentSpId'] = '$(DEPLOYMENT_SP_ID)' } - if (-not [String]::IsNullOrEmpty('$(ARM_TENANT_ID)')) { - $enforcedTokenList['tenantId'] = '$(ARM_TENANT_ID)' + if (-not [String]::IsNullOrEmpty('$(AZURE_TENANT_ID)')) { + $enforcedTokenList['tenantId'] = '$(AZURE_TENANT_ID)' } # --------------------- # diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index dc97836ddc..d1f6fd79f3 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -238,7 +238,7 @@ stages: - task: AzurePowerShell@5 displayName: Upload files to storage account inputs: - azureSubscription: $(serviceConnection) + azureSubscription: $(serviceConnectionValidation) ScriptType: 'InlineScript' Inline: | $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' @@ -350,7 +350,7 @@ stages: - task: AzurePowerShell@5 displayName: Trigger building new image inputs: - azureSubscription: $(serviceConnection) + azureSubscription: $(serviceConnectionValidation) ScriptType: 'InlineScript' Inline: | # Retrieving parameters from previous job outputs @@ -366,10 +366,9 @@ stages: - task: AzurePowerShell@5 displayName: Copy baked vhd to a storage account inputs: - azureSubscription: $(serviceConnection) + azureSubscription: $(serviceConnectionValidation) ScriptType: 'InlineScript' Inline: | - # Load used functions . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') @@ -553,6 +552,7 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/bas.additional.parameters.json templateFilePath: $(templateFilePath) displayName: Bastion Additional Public IP + - stage: deploy_appi displayName: Deploy application insight dependsOn: 
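Review bot: The guard `if (-not [String]::IsNullOrEmpty('$(AZURE_TENANT_ID)'))` in the Pester job does not achieve what it intends on Azure DevOps: when `AZURE_TENANT_ID` is not defined in the variable group the macro is left as the literal text `$(AZURE_TENANT_ID)`, which is non-empty, so that literal lands in `$enforcedTokenList['tenantId']` and is presumably substituted into the parameter files as a tenant id by the token-replacement step. Because this rename means variable groups that still only define `ARM_TENANT_ID` hit exactly that case, tighten the check to also reject an unexpanded macro: `$tenant = '$(AZURE_TENANT_ID)'` followed by `if (-not [String]::IsNullOrEmpty($tenant) -and $tenant -notmatch '^\$\(') { $enforcedTokenList['tenantId'] = $tenant }`. The `DEPLOYMENT_SP_ID` guard just above has the same weakness, and the subscription/management-group guards earlier in this script (outside the hunk) presumably do too.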
@@ -687,7 +687,7 @@ stages: - task: AzurePowerShell@5 displayName: Set key vault secrets keys and certificates inputs: - azureSubscription: $(serviceConnection) + azureSubscription: $(serviceConnectionValidation) ScriptType: 'InlineScript' Inline: | $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' @@ -825,10 +825,9 @@ stages: - task: AzurePowerShell@5 displayName: Set sqlmi key vault secrets and keys inputs: - azureSubscription: $(serviceConnection) + azureSubscription: $(serviceConnectionValidation) ScriptType: 'InlineScript' Inline: | - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' # Load used functions . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') diff --git a/.github/actions/templates/publishModule/action.yml b/.github/actions/templates/publishModule/action.yml index c88cdfcd03..ac8fb174bc 100644 --- a/.github/actions/templates/publishModule/action.yml +++ b/.github/actions/templates/publishModule/action.yml @@ -88,7 +88,9 @@ runs: - name: Azure Login uses: Azure/login@v1 with: - creds: ${{ env.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true - name: 'Publish module to template specs' diff --git a/.github/actions/templates/setEnvironmentVariables/action.yml b/.github/actions/templates/setEnvironmentVariables/action.yml index ee49e32e82..44f4d51b4c 100644 --- a/.github/actions/templates/setEnvironmentVariables/action.yml +++ b/.github/actions/templates/setEnvironmentVariables/action.yml 
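Review bot: The "Set key vault secrets keys and certificates" and "Set sqlmi key vault secrets and keys" steps now authenticate through `$(serviceConnectionValidation)`, so the identity behind the validation connection needs Key Vault data-plane rights (write secrets, keys and certificates) on the dependency vaults, not only the ARM deployment rights the validation jobs needed before. If those rights were granted to the identity behind the retired `$(serviceConnection)`, this pipeline fails on its first run after the switch; please confirm the assignment (RBAC Key Vault Secrets/Certificates Officer or an access policy) and record it in the pipeline header, e.g. `# The validation service connection must hold Key Vault secret/key/certificate write permissions on the dependency vaults.` Both inline scripts continue beyond the hunks.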
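Review bot: `uses: Azure/login@v1` is referenced by a mutable major-version tag, so the step that now performs the OIDC token exchange for the publishing identity can change underneath the repository; for a step this sensitive pin to a full commit SHA and keep the tag as a trailing comment for the dependency bot, e.g. `uses: Azure/login@<commit-sha> # v1`. Replacing `creds` with `client-id`/`tenant-id`/`subscription-id` removes the long-lived client secret from the workflow only if the old `AZURE_CREDENTIALS` repository secret and the service principal's client secret in Azure AD are also deleted; otherwise the credential this change retires remains valid and remains in the repo. The step list around the login continues outside the hunk.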
@@ -68,7 +68,7 @@ runs: $functionInput = @{ InputFilePath = '${{ inputs.variablesPath }}' ListName = 'variables' - OutputFilePath = $Env:GITHUB_ENV + OutputFilePath = $Env:GITHUB_ENV } Write-Verbose "Invoke task with" -Verbose diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml index 9addde2a80..64ce37696d 100644 --- a/.github/actions/templates/validateModuleDeployment/action.yml +++ b/.github/actions/templates/validateModuleDeployment/action.yml @@ -113,7 +113,9 @@ runs: - name: Azure Login uses: Azure/login@v1 with: - creds: ${{ env.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true # [Token replacement] task(s) @@ -145,7 +147,7 @@ runs: resourceGroupName = '${{ inputs.resourceGroupName }}' subscriptionId = '${{ inputs.subscriptionId }}' managementGroupId = '${{ inputs.managementGroupId }}' - tenantId = '${{ env.ARM_TENANT_ID }}' + tenantId = '${{ env.AZURE_TENANT_ID }}' deploymentSpId = '${{ env.DEPLOYMENT_SP_ID }}' } diff --git a/.github/actions/templates/validateModulePester/action.yml b/.github/actions/templates/validateModulePester/action.yml index 957b94643d..b8dbdc26d1 100644 --- a/.github/actions/templates/validateModulePester/action.yml +++ b/.github/actions/templates/validateModulePester/action.yml @@ -55,7 +55,9 @@ runs: - name: 'Azure Login' uses: Azure/login@v1 with: - creds: ${{ env.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true # [Module Pester Test] task(s) 
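Review bot: This composite action now depends on `env.AZURE_CLIENT_ID`, `env.AZURE_TENANT_ID` and `env.AZURE_SUBSCRIPTION_ID` being exported by the calling workflow, but nothing in `action.yml` declares or validates them, so a caller still wired for the old `AZURE_CREDENTIALS` contract gets an `Azure/login` failure with empty ids instead of a clear message. Either declare them as `inputs:` with `required: true`, or add a `shell: bash` preflight step before the login, `[[ -n "$AZURE_CLIENT_ID" && -n "$AZURE_TENANT_ID" && -n "$AZURE_SUBSCRIPTION_ID" ]] || { echo "::error::AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID must be set in the caller env"; exit 1; }`, and list the three variables in the action's header comment. The action's `inputs:` block is outside the hunk.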
@@ -77,8 +79,8 @@ runs: } $enforcedTokenList = @{} - if (-not [String]::IsNullOrEmpty('${{ env.ARM_SUBSCRIPTION_ID }}')) { - $enforcedTokenList['subscriptionId'] = '${{ env.ARM_SUBSCRIPTION_ID }}' + if (-not [String]::IsNullOrEmpty('${{ env.AZURE_SUBSCRIPTION_ID }}')) { + $enforcedTokenList['subscriptionId'] = '${{ env.AZURE_SUBSCRIPTION_ID }}' } if (-not [String]::IsNullOrEmpty('${{ env.ARM_MGMTGROUP_ID }}')) { $enforcedTokenList['managementGroupId'] = '${{ env.ARM_MGMTGROUP_ID }}' @@ -86,8 +88,8 @@ runs: if (-not [String]::IsNullOrEmpty('${{ env.DEPLOYMENT_SP_ID }}')) { $enforcedTokenList['deploymentSpId'] = '${{ env.DEPLOYMENT_SP_ID }}' } - if (-not [String]::IsNullOrEmpty('${{ env.ARM_TENANT_ID }}')) { - $enforcedTokenList['tenantId'] = '${{ env.ARM_TENANT_ID }}' + if (-not [String]::IsNullOrEmpty('${{ env.AZURE_TENANT_ID }}')) { + $enforcedTokenList['tenantId'] = '${{ env.AZURE_TENANT_ID }}' } # --------------------- # diff --git a/.github/workflows/ms.aad.domainservices.yml b/.github/workflows/ms.aad.domainservices.yml index 9c7dc030c4..bfef6cf9f5 100644 --- a/.github/workflows/ms.aad.domainservices.yml +++ b/.github/workflows/ms.aad.domainservices.yml 
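Review bot: The rewritten guards still splice `${{ env.AZURE_SUBSCRIPTION_ID }}` and `${{ env.AZURE_TENANT_ID }}` directly into the PowerShell source as single-quoted literals; GitHub's hardening guidance is to avoid `${{ }}` expansion inside script bodies and read the value from the environment instead, which also removes the quoting hazard should a value ever contain `'`. Because the workflows define these at the top-level `env:`, they are already exported to the step, so the pair can become `if (-not [String]::IsNullOrEmpty($env:AZURE_SUBSCRIPTION_ID)) { $enforcedTokenList['subscriptionId'] = $env:AZURE_SUBSCRIPTION_ID }` with the same shape for `tenantId`. The values come from repository secrets today, so exposure is low, but the `ARM_MGMTGROUP_ID` and `DEPLOYMENT_SP_ID` lines in the same block deserve the same treatment. The script continues outside the hunk.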
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.AAD/DomainServices' workflowPath: '.github/workflows/ms.aad.domainservices.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
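Review bot: The new workflow-level `permissions:` block grants `id-token: write`, `checks: write` and `pull-requests: write` to every job, including `job_initialize_pipeline`, which by its visible steps never publishes test results or needs a cloud token (assuming the enricomi publisher the comments mention runs only in a validation job). Move the block to job level so each job gets only what it uses: `id-token: write` plus `contents: read` on the jobs that call `Azure/login`, and `checks: write`/`pull-requests: write` only on the job that publishes results. Separately, `actions/checkout@v2` on the context lines is an unpinned major tag in a workflow that can now mint cloud tokens; pin it to a commit SHA with the other actions. The `job_module_deploy_validation` definition continues past the hunk.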
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.analysisservices.servers.yml b/.github/workflows/ms.analysisservices.servers.yml index d89e4b0956..1839000d1c 100644 --- a/.github/workflows/ms.analysisservices.servers.yml +++ b/.github/workflows/ms.analysisservices.servers.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.AnalysisServices/servers' workflowPath: '.github/workflows/ms.analysisservices.servers.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
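Review bot: `environment: 'Publishing'` on `job_publish_module` is presumably what binds the OIDC subject for the publishing federated credential, but the job's `if:` still admits a run from any branch when `workflow_dispatch` is invoked with `prerelease == 'true'`, so anyone able to push a branch and dispatch the workflow can obtain a token for the publishing identity. Protect the environment in repository settings with a deployment-branch rule limited to `main`/`master` (plus required reviewers if pre-release publishing from feature branches must remain possible) and record that expectation next to the key, e.g. `environment: 'Publishing' # protected: deployment branches restricted to main; required reviewers for prerelease runs`. The job definition continues beyond the hunk.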
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.apimanagement.service.yml b/.github/workflows/ms.apimanagement.service.yml index b04a8a7374..bf43ea50f3 100644 --- a/.github/workflows/ms.apimanagement.service.yml +++ b/.github/workflows/ms.apimanagement.service.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ApiManagement/service' workflowPath: '.github/workflows/ms.apimanagement.service.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.appconfiguration.configurationstores.yml b/.github/workflows/ms.appconfiguration.configurationstores.yml index 73bc29e477..f4741e6e92 100644 --- a/.github/workflows/ms.appconfiguration.configurationstores.yml +++ b/.github/workflows/ms.appconfiguration.configurationstores.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.AppConfiguration/configurationStores' workflowPath: '.github/workflows/ms.appconfiguration.configurationstores.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.locks.yml b/.github/workflows/ms.authorization.locks.yml index 53ae10acd3..1ec08f6382 100644 --- a/.github/workflows/ms.authorization.locks.yml +++ b/.github/workflows/ms.authorization.locks.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/locks' workflowPath: '.github/workflows/ms.authorization.locks.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml index e1710d9ae2..714b20bb40 100644 --- a/.github/workflows/ms.authorization.policyassignments.yml +++ b/.github/workflows/ms.authorization.policyassignments.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/policyAssignments' workflowPath: '.github/workflows/ms.authorization.policyassignments.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml index f3f6b3eee5..f72e21891f 100644 --- a/.github/workflows/ms.authorization.policydefinitions.yml +++ b/.github/workflows/ms.authorization.policydefinitions.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/policyDefinitions' workflowPath: '.github/workflows/ms.authorization.policydefinitions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml index 64d0f4c63e..de2b25394b 100644 --- a/.github/workflows/ms.authorization.policyexemptions.yml +++ b/.github/workflows/ms.authorization.policyexemptions.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/policyExemptions' workflowPath: '.github/workflows/ms.authorization.policyexemptions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.policysetdefinitions.yml b/.github/workflows/ms.authorization.policysetdefinitions.yml index 38a3a40b79..30af07577e 100644 --- a/.github/workflows/ms.authorization.policysetdefinitions.yml +++ b/.github/workflows/ms.authorization.policysetdefinitions.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/policySetDefinitions' workflowPath: '.github/workflows/ms.authorization.policysetdefinitions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml index 8d0f8a65c9..8871119d47 100644 --- a/.github/workflows/ms.authorization.roleassignments.yml +++ b/.github/workflows/ms.authorization.roleassignments.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/roleAssignments' workflowPath: '.github/workflows/ms.authorization.roleassignments.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml index dfc4ff4114..3323186074 100644 --- a/.github/workflows/ms.authorization.roledefinitions.yml +++ b/.github/workflows/ms.authorization.roledefinitions.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Authorization/roleDefinitions' workflowPath: '.github/workflows/ms.authorization.roledefinitions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -109,7 +118,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -118,6 +127,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.automation.automationaccounts.yml b/.github/workflows/ms.automation.automationaccounts.yml index 223913b69a..9a8bb01f77 100644 --- a/.github/workflows/ms.automation.automationaccounts.yml +++ b/.github/workflows/ms.automation.automationaccounts.yml @@ -26,14 +26,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Automation/automationAccounts' workflowPath: '.github/workflows/ms.automation.automationaccounts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} - ARM_MGMTGROUP_ID: ${{ secrets.ARM_MGMTGROUP_ID }} - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -43,6 +49,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -68,6 +75,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -84,6 +92,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -107,7 +116,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -116,6 +125,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.batch.batchaccounts.yml b/.github/workflows/ms.batch.batchaccounts.yml index 99438c8f5e..f86125dd1d 100644 --- a/.github/workflows/ms.batch.batchaccounts.yml +++ b/.github/workflows/ms.batch.batchaccounts.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Batch/batchAccounts' workflowPath: '.github/workflows/ms.batch.batchaccounts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.cognitiveservices.accounts.yml b/.github/workflows/ms.cognitiveservices.accounts.yml index 5ea5e69477..df01948d81 100644 --- a/.github/workflows/ms.cognitiveservices.accounts.yml +++ b/.github/workflows/ms.cognitiveservices.accounts.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.CognitiveServices/accounts' workflowPath: '.github/workflows/ms.cognitiveservices.accounts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.compute.availabilitysets.yml b/.github/workflows/ms.compute.availabilitysets.yml index 24ee9e6810..28c4455349 100644 --- a/.github/workflows/ms.compute.availabilitysets.yml +++ b/.github/workflows/ms.compute.availabilitysets.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/availabilitySets' workflowPath: '.github/workflows/ms.compute.availabilitysets.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.compute.diskencryptionsets.yml b/.github/workflows/ms.compute.diskencryptionsets.yml index 2ec3d0070a..e149984b37 100644 --- a/.github/workflows/ms.compute.diskencryptionsets.yml +++ b/.github/workflows/ms.compute.diskencryptionsets.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/diskEncryptionSets' workflowPath: '.github/workflows/ms.compute.diskencryptionsets.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.compute.disks.yml b/.github/workflows/ms.compute.disks.yml index b7e448c3f8..2697bb16e1 100644 --- a/.github/workflows/ms.compute.disks.yml +++ b/.github/workflows/ms.compute.disks.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/disks' workflowPath: '.github/workflows/ms.compute.disks.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.compute.galleries.yml b/.github/workflows/ms.compute.galleries.yml index d1253419b2..8aa0c2f1ba 100644 --- a/.github/workflows/ms.compute.galleries.yml +++ b/.github/workflows/ms.compute.galleries.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/galleries' workflowPath: '.github/workflows/ms.compute.galleries.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.compute.images.yml b/.github/workflows/ms.compute.images.yml
index 429badf603..496ddc68ff 100644
--- a/.github/workflows/ms.compute.images.yml
+++ b/.github/workflows/ms.compute.images.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/images' workflowPath: '.github/workflows/ms.compute.images.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.compute.proximityplacementgroups.yml b/.github/workflows/ms.compute.proximityplacementgroups.yml
index 039369a56c..a52c544115 100644
--- a/.github/workflows/ms.compute.proximityplacementgroups.yml
+++ b/.github/workflows/ms.compute.proximityplacementgroups.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/proximityPlacementGroups' workflowPath: '.github/workflows/ms.compute.proximityplacementgroups.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.compute.virtualmachines.yml b/.github/workflows/ms.compute.virtualmachines.yml
index 607ff5ae93..4b592562d6 100644
--- a/.github/workflows/ms.compute.virtualmachines.yml
+++ b/.github/workflows/ms.compute.virtualmachines.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/virtualMachines' workflowPath: '.github/workflows/ms.compute.virtualmachines.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.compute.virtualmachinescalesets.yml b/.github/workflows/ms.compute.virtualmachinescalesets.yml
index 7a5bfa94cd..bb4b15d64f 100644
--- a/.github/workflows/ms.compute.virtualmachinescalesets.yml
+++ b/.github/workflows/ms.compute.virtualmachinescalesets.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Compute/virtualMachineScaleSets' workflowPath: '.github/workflows/ms.compute.virtualmachinescalesets.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.consumption.budgets.yml b/.github/workflows/ms.consumption.budgets.yml
index 0dcc0234b2..3c843fbd4a 100644
--- a/.github/workflows/ms.consumption.budgets.yml
+++ b/.github/workflows/ms.consumption.budgets.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Consumption/budgets' workflowPath: '.github/workflows/ms.consumption.budgets.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.containerinstance.containergroups.yml b/.github/workflows/ms.containerinstance.containergroups.yml
index ca09181a94..24fe9027c3 100644
--- a/.github/workflows/ms.containerinstance.containergroups.yml
+++ b/.github/workflows/ms.containerinstance.containergroups.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ContainerInstance/containerGroups' workflowPath: '.github/workflows/ms.containerinstance.containergroups.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.containerregistry.registries.yml b/.github/workflows/ms.containerregistry.registries.yml
index 85bc59ab19..a10f438d9f 100644
--- a/.github/workflows/ms.containerregistry.registries.yml
+++ b/.github/workflows/ms.containerregistry.registries.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ContainerRegistry/registries' workflowPath: '.github/workflows/ms.containerregistry.registries.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.containerservice.managedclusters.yml b/.github/workflows/ms.containerservice.managedclusters.yml
index a8ecaa5331..c337b80cbd 100644
--- a/.github/workflows/ms.containerservice.managedclusters.yml
+++ b/.github/workflows/ms.containerservice.managedclusters.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ContainerService/managedClusters' workflowPath: '.github/workflows/ms.containerservice.managedclusters.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.databricks.workspaces.yml b/.github/workflows/ms.databricks.workspaces.yml
index 74cabd195b..2cd2df8e94 100644
--- a/.github/workflows/ms.databricks.workspaces.yml
+++ b/.github/workflows/ms.databricks.workspaces.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Databricks/workspaces' workflowPath: '.github/workflows/ms.databricks.workspaces.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.datafactory.factories.yml b/.github/workflows/ms.datafactory.factories.yml
index 1ae1fbb5ee..1026e8e89f 100644
--- a/.github/workflows/ms.datafactory.factories.yml
+++ b/.github/workflows/ms.datafactory.factories.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DataFactory/factories' workflowPath: '.github/workflows/ms.datafactory.factories.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.dataprotection.backupvaults.yml b/.github/workflows/ms.dataprotection.backupvaults.yml
index c56adbc3f1..5599a34245 100644
--- a/.github/workflows/ms.dataprotection.backupvaults.yml
+++ b/.github/workflows/ms.dataprotection.backupvaults.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DataProtection/backupVaults' workflowPath: '.github/workflows/ms.dataprotection.backupvaults.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.desktopvirtualization.applicationgroups.yml b/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
index 08233297a9..021e5ada47 100644
--- a/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
+++ b/.github/workflows/ms.desktopvirtualization.applicationgroups.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DesktopVirtualization/applicationgroups' workflowPath: '.github/workflows/ms.desktopvirtualization.applicationgroups.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation'
+ environment: 'Validation'
needs: - job_initialize_pipeline - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing'
+ environment: 'Publishing'
if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs:
diff --git a/.github/workflows/ms.desktopvirtualization.hostpools.yml b/.github/workflows/ms.desktopvirtualization.hostpools.yml
index e9467fc5f2..1e6029909c 100644
--- a/.github/workflows/ms.desktopvirtualization.hostpools.yml
+++ b/.github/workflows/ms.desktopvirtualization.hostpools.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DesktopVirtualization/hostpools' workflowPath: '.github/workflows/ms.desktopvirtualization.hostpools.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs:
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation'
+ environment: 'Validation'
steps: - name: 'Checkout' uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.desktopvirtualization.scalingplans.yml b/.github/workflows/ms.desktopvirtualization.scalingplans.yml index 2be99b6d5c..ec376d94d8 100644 --- a/.github/workflows/ms.desktopvirtualization.scalingplans.yml +++ b/.github/workflows/ms.desktopvirtualization.scalingplans.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DesktopVirtualization/scalingplans' workflowPath: '.github/workflows/ms.desktopvirtualization.scalingplans.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.desktopvirtualization.workspaces.yml b/.github/workflows/ms.desktopvirtualization.workspaces.yml index c5598aa7af..072c095b9e 100644 --- a/.github/workflows/ms.desktopvirtualization.workspaces.yml +++ b/.github/workflows/ms.desktopvirtualization.workspaces.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DesktopVirtualization/workspaces' workflowPath: '.github/workflows/ms.desktopvirtualization.workspaces.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.documentdb.databaseaccounts.yml b/.github/workflows/ms.documentdb.databaseaccounts.yml index bf98c479d8..54eba4c06b 100644 --- a/.github/workflows/ms.documentdb.databaseaccounts.yml +++ b/.github/workflows/ms.documentdb.databaseaccounts.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.DocumentDB/databaseAccounts' workflowPath: '.github/workflows/ms.documentdb.databaseaccounts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.eventgrid.systemtopics.yml b/.github/workflows/ms.eventgrid.systemtopics.yml index f4f5ab3a06..8c12336ede 100644 --- a/.github/workflows/ms.eventgrid.systemtopics.yml +++ b/.github/workflows/ms.eventgrid.systemtopics.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.EventGrid/systemTopics' workflowPath: '.github/workflows/ms.eventgrid.systemtopics.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.eventgrid.topics.yml b/.github/workflows/ms.eventgrid.topics.yml index 16a7384c71..ffe3bb3507 100644 --- a/.github/workflows/ms.eventgrid.topics.yml +++ b/.github/workflows/ms.eventgrid.topics.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.EventGrid/topics' workflowPath: '.github/workflows/ms.eventgrid.topics.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.eventhub.namespaces.yml b/.github/workflows/ms.eventhub.namespaces.yml index 1a75f805fe..398ab1befb 100644 --- a/.github/workflows/ms.eventhub.namespaces.yml +++ b/.github/workflows/ms.eventhub.namespaces.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.EventHub/namespaces' workflowPath: '.github/workflows/ms.eventhub.namespaces.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.healthbot.healthbots.yml b/.github/workflows/ms.healthbot.healthbots.yml index 43530361a9..09e633f58e 100644 --- a/.github/workflows/ms.healthbot.healthbots.yml +++ b/.github/workflows/ms.healthbot.healthbots.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.HealthBot/healthBots' workflowPath: '.github/workflows/ms.healthbot.healthbots.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.actiongroups.yml b/.github/workflows/ms.insights.actiongroups.yml index d388901c80..8348a2e693 100644 --- a/.github/workflows/ms.insights.actiongroups.yml +++ b/.github/workflows/ms.insights.actiongroups.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/actionGroups' workflowPath: '.github/workflows/ms.insights.actiongroups.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.activitylogalerts.yml b/.github/workflows/ms.insights.activitylogalerts.yml index 97e287c8fd..8b9cfc8a1d 100644 --- a/.github/workflows/ms.insights.activitylogalerts.yml +++ b/.github/workflows/ms.insights.activitylogalerts.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/activityLogAlerts' workflowPath: '.github/workflows/ms.insights.activitylogalerts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.components.yml b/.github/workflows/ms.insights.components.yml index ad8569778e..c6adf248fd 100644 --- a/.github/workflows/ms.insights.components.yml +++ b/.github/workflows/ms.insights.components.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/components' workflowPath: '.github/workflows/ms.insights.components.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.diagnosticsettings.yml b/.github/workflows/ms.insights.diagnosticsettings.yml index 556e6d95af..045abeffb5 100644 --- a/.github/workflows/ms.insights.diagnosticsettings.yml +++ b/.github/workflows/ms.insights.diagnosticsettings.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/diagnosticSettings' workflowPath: '.github/workflows/ms.insights.diagnosticsettings.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.metricalerts.yml b/.github/workflows/ms.insights.metricalerts.yml index c238711b06..6e22b6b476 100644 --- a/.github/workflows/ms.insights.metricalerts.yml +++ b/.github/workflows/ms.insights.metricalerts.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/metricAlerts' workflowPath: '.github/workflows/ms.insights.metricalerts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.privatelinkscopes.yml b/.github/workflows/ms.insights.privatelinkscopes.yml index c342b41a94..eab350b631 100644 --- a/.github/workflows/ms.insights.privatelinkscopes.yml +++ b/.github/workflows/ms.insights.privatelinkscopes.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/privateLinkScopes' workflowPath: '.github/workflows/ms.insights.privatelinkscopes.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.insights.scheduledqueryrules.yml b/.github/workflows/ms.insights.scheduledqueryrules.yml index f94d3e3fe9..e3c0bd138a 100644 --- a/.github/workflows/ms.insights.scheduledqueryrules.yml +++ b/.github/workflows/ms.insights.scheduledqueryrules.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Insights/scheduledQueryRules' workflowPath: '.github/workflows/ms.insights.scheduledqueryrules.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.keyvault.vaults.yml b/.github/workflows/ms.keyvault.vaults.yml index 1067ceab94..7ba1ea2fec 100644 --- a/.github/workflows/ms.keyvault.vaults.yml +++ b/.github/workflows/ms.keyvault.vaults.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.KeyVault/vaults' workflowPath: '.github/workflows/ms.keyvault.vaults.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.kubernetesconfiguration.extensions.yml b/.github/workflows/ms.kubernetesconfiguration.extensions.yml index 03163a781c..0532ee1d86 100644 --- a/.github/workflows/ms.kubernetesconfiguration.extensions.yml +++ b/.github/workflows/ms.kubernetesconfiguration.extensions.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.KubernetesConfiguration/extensions' workflowPath: '.github/workflows/ms.kubernetesconfiguration.extensions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml b/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml index 9d6e7ae21c..14631903e6 100644 --- a/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml +++ b/.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.KubernetesConfiguration/fluxConfigurations' workflowPath: '.github/workflows/ms.kubernetesconfiguration.fluxconfigurations.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.logic.workflows.yml b/.github/workflows/ms.logic.workflows.yml index 19a4d65ea3..7a4909c672 100644 --- a/.github/workflows/ms.logic.workflows.yml +++ b/.github/workflows/ms.logic.workflows.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Logic/workflows' workflowPath: '.github/workflows/ms.logic.workflows.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.machinelearningservices.workspaces.yml b/.github/workflows/ms.machinelearningservices.workspaces.yml index 5df607c47b..5496a8c301 100644 --- a/.github/workflows/ms.machinelearningservices.workspaces.yml +++ b/.github/workflows/ms.machinelearningservices.workspaces.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.MachineLearningServices/workspaces' workflowPath: '.github/workflows/ms.machinelearningservices.workspaces.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.managedidentity.userassignedidentities.yml b/.github/workflows/ms.managedidentity.userassignedidentities.yml index d0c233a4c4..3f0b911521 100644 --- a/.github/workflows/ms.managedidentity.userassignedidentities.yml +++ b/.github/workflows/ms.managedidentity.userassignedidentities.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ManagedIdentity/userAssignedIdentities' workflowPath: '.github/workflows/ms.managedidentity.userassignedidentities.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.managedservices.registrationdefinitions.yml b/.github/workflows/ms.managedservices.registrationdefinitions.yml index 9825845d2a..417aeb3ec4 100644 --- a/.github/workflows/ms.managedservices.registrationdefinitions.yml +++ b/.github/workflows/ms.managedservices.registrationdefinitions.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.ManagedServices/registrationDefinitions' workflowPath: '.github/workflows/ms.managedservices.registrationdefinitions.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.management.managementgroups.yml b/.github/workflows/ms.management.managementgroups.yml index ff7edf7a55..5068517c7e 100644 --- a/.github/workflows/ms.management.managementgroups.yml +++ b/.github/workflows/ms.management.managementgroups.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Management/managementGroups' workflowPath: '.github/workflows/ms.management.managementgroups.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.netapp.netappaccounts.yml b/.github/workflows/ms.netapp.netappaccounts.yml index 0c1aa8555b..dbb8144eba 100644 --- a/.github/workflows/ms.netapp.netappaccounts.yml +++ b/.github/workflows/ms.netapp.netappaccounts.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.NetApp/netAppAccounts' workflowPath: '.github/workflows/ms.netapp.netappaccounts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.applicationgateways.yml b/.github/workflows/ms.network.applicationgateways.yml index 930f387bce..e655d667f8 100644 --- a/.github/workflows/ms.network.applicationgateways.yml +++ b/.github/workflows/ms.network.applicationgateways.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/applicationGateways' workflowPath: '.github/workflows/ms.network.applicationgateways.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.applicationsecuritygroups.yml b/.github/workflows/ms.network.applicationsecuritygroups.yml index 49f9bb3071..1feb6722f3 100644 --- a/.github/workflows/ms.network.applicationsecuritygroups.yml +++ b/.github/workflows/ms.network.applicationsecuritygroups.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/applicationSecurityGroups' workflowPath: '.github/workflows/ms.network.applicationsecuritygroups.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.azurefirewalls.yml b/.github/workflows/ms.network.azurefirewalls.yml index 2de448b7af..cc44bfaf97 100644 --- a/.github/workflows/ms.network.azurefirewalls.yml +++ b/.github/workflows/ms.network.azurefirewalls.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/azureFirewalls' workflowPath: '.github/workflows/ms.network.azurefirewalls.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.bastionhosts.yml b/.github/workflows/ms.network.bastionhosts.yml index 7bb3d48b6a..dc8a4a5158 100644 --- a/.github/workflows/ms.network.bastionhosts.yml +++ b/.github/workflows/ms.network.bastionhosts.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/bastionHosts' workflowPath: '.github/workflows/ms.network.bastionhosts.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.connections.yml b/.github/workflows/ms.network.connections.yml index 76bb4cd9bd..bce5f1db13 100644 --- a/.github/workflows/ms.network.connections.yml +++ b/.github/workflows/ms.network.connections.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/connections' workflowPath: '.github/workflows/ms.network.connections.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.ddosprotectionplans.yml b/.github/workflows/ms.network.ddosprotectionplans.yml index 4582c415a7..681932fea8 100644 --- a/.github/workflows/ms.network.ddosprotectionplans.yml +++ b/.github/workflows/ms.network.ddosprotectionplans.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/ddosProtectionPlans' workflowPath: '.github/workflows/ms.network.ddosprotectionplans.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.expressroutecircuits.yml b/.github/workflows/ms.network.expressroutecircuits.yml index 4f1d1c87f1..d5abc9683e 100644 --- a/.github/workflows/ms.network.expressroutecircuits.yml +++ b/.github/workflows/ms.network.expressroutecircuits.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/expressRouteCircuits' workflowPath: '.github/workflows/ms.network.expressroutecircuits.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.firewallpolicies.yml b/.github/workflows/ms.network.firewallpolicies.yml index fab9e32a34..655eabc836 100644 --- a/.github/workflows/ms.network.firewallpolicies.yml +++ b/.github/workflows/ms.network.firewallpolicies.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/firewallPolicies' workflowPath: '.github/workflows/ms.network.firewallpolicies.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.frontdoors.yml b/.github/workflows/ms.network.frontdoors.yml index 65d1960ddc..050118275b 100644 --- a/.github/workflows/ms.network.frontdoors.yml +++ b/.github/workflows/ms.network.frontdoors.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/frontDoors' workflowPath: '.github/workflows/ms.network.frontdoors.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.ipgroups.yml b/.github/workflows/ms.network.ipgroups.yml index c2e71a6c59..222843a9b4 100644 --- a/.github/workflows/ms.network.ipgroups.yml +++ b/.github/workflows/ms.network.ipgroups.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/ipGroups' workflowPath: '.github/workflows/ms.network.ipgroups.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.loadbalancers.yml b/.github/workflows/ms.network.loadbalancers.yml index 6eb3b3acf4..4cfee0e22b 100644 --- a/.github/workflows/ms.network.loadbalancers.yml +++ b/.github/workflows/ms.network.loadbalancers.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/loadBalancers' workflowPath: '.github/workflows/ms.network.loadbalancers.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.localnetworkgateways.yml b/.github/workflows/ms.network.localnetworkgateways.yml index 704d6dc29c..c1aae47458 100644 --- a/.github/workflows/ms.network.localnetworkgateways.yml +++ b/.github/workflows/ms.network.localnetworkgateways.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/localNetworkGateways' workflowPath: '.github/workflows/ms.network.localnetworkgateways.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.natgateways.yml b/.github/workflows/ms.network.natgateways.yml index fd3b0b0f4c..87719515ef 100644 --- a/.github/workflows/ms.network.natgateways.yml +++ b/.github/workflows/ms.network.natgateways.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/natGateways' workflowPath: '.github/workflows/ms.network.natgateways.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.networkinterfaces.yml b/.github/workflows/ms.network.networkinterfaces.yml index 3351651662..12e3de6167 100644 --- a/.github/workflows/ms.network.networkinterfaces.yml +++ b/.github/workflows/ms.network.networkinterfaces.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/networkInterfaces' workflowPath: '.github/workflows/ms.network.networkinterfaces.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.networksecuritygroups.yml b/.github/workflows/ms.network.networksecuritygroups.yml index ec4143097d..c339977115 100644 --- a/.github/workflows/ms.network.networksecuritygroups.yml +++ b/.github/workflows/ms.network.networksecuritygroups.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/networkSecurityGroups' workflowPath: '.github/workflows/ms.network.networksecuritygroups.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: 
@@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.networkwatchers.yml b/.github/workflows/ms.network.networkwatchers.yml index 1f1773ba2e..5c7e8095de 100644 --- a/.github/workflows/ms.network.networkwatchers.yml +++ b/.github/workflows/ms.network.networkwatchers.yml 
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/networkWatchers' workflowPath: '.github/workflows/ms.network.networkwatchers.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.network.privatednszones.yml b/.github/workflows/ms.network.privatednszones.yml index 5186987b00..0acefe2260 100644 --- a/.github/workflows/ms.network.privatednszones.yml +++ b/.github/workflows/ms.network.privatednszones.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Network/privateDnsZones' workflowPath: '.github/workflows/ms.network.privatednszones.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.privateendpoints.yml b/.github/workflows/ms.network.privateendpoints.yml
index b7fed464dd..a80df2a83e 100644
--- a/.github/workflows/ms.network.privateendpoints.yml
+++ b/.github/workflows/ms.network.privateendpoints.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/privateEndpoints'
 workflowPath: '.github/workflows/ms.network.privateendpoints.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.publicipaddresses.yml b/.github/workflows/ms.network.publicipaddresses.yml
index b1e9fbcc11..c755dc69f5 100644
--- a/.github/workflows/ms.network.publicipaddresses.yml
+++ b/.github/workflows/ms.network.publicipaddresses.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/publicIPAddresses'
 workflowPath: '.github/workflows/ms.network.publicipaddresses.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.publicipprefixes.yml b/.github/workflows/ms.network.publicipprefixes.yml
index 714bc5bdb2..0105e5b4f5 100644
--- a/.github/workflows/ms.network.publicipprefixes.yml
+++ b/.github/workflows/ms.network.publicipprefixes.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/publicIPPrefixes'
 workflowPath: '.github/workflows/ms.network.publicipprefixes.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.routetables.yml b/.github/workflows/ms.network.routetables.yml
index 9f4bb512c4..3a7914b0b7 100644
--- a/.github/workflows/ms.network.routetables.yml
+++ b/.github/workflows/ms.network.routetables.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/routeTables'
 workflowPath: '.github/workflows/ms.network.routetables.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.trafficmanagerprofiles.yml b/.github/workflows/ms.network.trafficmanagerprofiles.yml
index d1a0a6b561..9b840f0da5 100644
--- a/.github/workflows/ms.network.trafficmanagerprofiles.yml
+++ b/.github/workflows/ms.network.trafficmanagerprofiles.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/trafficmanagerprofiles'
 workflowPath: '.github/workflows/ms.network.trafficmanagerprofiles.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.virtualhubs.yml b/.github/workflows/ms.network.virtualhubs.yml
index 9e2221dff4..b360232bfd 100644
--- a/.github/workflows/ms.network.virtualhubs.yml
+++ b/.github/workflows/ms.network.virtualhubs.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/virtualHubs'
 workflowPath: '.github/workflows/ms.network.virtualhubs.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.virtualnetworkgateways.yml b/.github/workflows/ms.network.virtualnetworkgateways.yml
index a96f19b58f..c3f0998ccc 100644
--- a/.github/workflows/ms.network.virtualnetworkgateways.yml
+++ b/.github/workflows/ms.network.virtualnetworkgateways.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/virtualNetworkGateways'
 workflowPath: '.github/workflows/ms.network.virtualnetworkgateways.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.virtualnetworks.yml b/.github/workflows/ms.network.virtualnetworks.yml
index 8ffde5c19e..5d338bf191 100644
--- a/.github/workflows/ms.network.virtualnetworks.yml
+++ b/.github/workflows/ms.network.virtualnetworks.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/virtualNetworks'
 workflowPath: '.github/workflows/ms.network.virtualnetworks.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.virtualwans.yml b/.github/workflows/ms.network.virtualwans.yml
index 911e6fe50a..85e2332e22 100644
--- a/.github/workflows/ms.network.virtualwans.yml
+++ b/.github/workflows/ms.network.virtualwans.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/virtualWans'
 workflowPath: '.github/workflows/ms.network.virtualwans.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.vpngateways.yml b/.github/workflows/ms.network.vpngateways.yml
index 2fb8cc1797..1664b4e452 100644
--- a/.github/workflows/ms.network.vpngateways.yml
+++ b/.github/workflows/ms.network.vpngateways.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/vpnGateways'
 workflowPath: '.github/workflows/ms.network.vpngateways.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.network.vpnsites.yml b/.github/workflows/ms.network.vpnsites.yml
index b72ddae6e1..610b3d6eef 100644
--- a/.github/workflows/ms.network.vpnsites.yml
+++ b/.github/workflows/ms.network.vpnsites.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Network/vpnSites'
 workflowPath: '.github/workflows/ms.network.vpnsites.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.operationalinsights.workspaces.yml b/.github/workflows/ms.operationalinsights.workspaces.yml
index fd0c3c685a..054d8fbaf8 100644
--- a/.github/workflows/ms.operationalinsights.workspaces.yml
+++ b/.github/workflows/ms.operationalinsights.workspaces.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.OperationalInsights/workspaces'
 workflowPath: '.github/workflows/ms.operationalinsights.workspaces.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.operationsmanagement.solutions.yml b/.github/workflows/ms.operationsmanagement.solutions.yml
index da92a74b21..2fe57829d0 100644
--- a/.github/workflows/ms.operationsmanagement.solutions.yml
+++ b/.github/workflows/ms.operationsmanagement.solutions.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.OperationsManagement/solutions'
 workflowPath: '.github/workflows/ms.operationsmanagement.solutions.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
 
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.recoveryservices.vaults.yml b/.github/workflows/ms.recoveryservices.vaults.yml
index 275e0498de..515a27a207 100644
--- a/.github/workflows/ms.recoveryservices.vaults.yml
+++ b/.github/workflows/ms.recoveryservices.vaults.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
 
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.RecoveryServices/vaults'
 workflowPath: '.github/workflows/ms.recoveryservices.vaults.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.resources.deploymentscripts.yml b/.github/workflows/ms.resources.deploymentscripts.yml
index 32b6b0f767..5d1ce534ed 100644
--- a/.github/workflows/ms.resources.deploymentscripts.yml
+++ b/.github/workflows/ms.resources.deploymentscripts.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Resources/deploymentScripts'
 workflowPath: '.github/workflows/ms.resources.deploymentscripts.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.resources.resourcegroups.yml b/.github/workflows/ms.resources.resourcegroups.yml
index 60de42f8b8..91498f5c55 100644
--- a/.github/workflows/ms.resources.resourcegroups.yml
+++ b/.github/workflows/ms.resources.resourcegroups.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Resources/resourceGroups'
 workflowPath: '.github/workflows/ms.resources.resourcegroups.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.resources.tags.yml b/.github/workflows/ms.resources.tags.yml
index fb54367126..fed5022cc2 100644
--- a/.github/workflows/ms.resources.tags.yml
+++ b/.github/workflows/ms.resources.tags.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Resources/tags'
 workflowPath: '.github/workflows/ms.resources.tags.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.security.azuresecuritycenter.yml b/.github/workflows/ms.security.azuresecuritycenter.yml
index bca0ebedff..795c1b8630 100644
--- a/.github/workflows/ms.security.azuresecuritycenter.yml
+++ b/.github/workflows/ms.security.azuresecuritycenter.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Security/azureSecurityCenter'
 workflowPath: '.github/workflows/ms.security.azuresecuritycenter.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.servicebus.namespaces.yml b/.github/workflows/ms.servicebus.namespaces.yml
index fb84ab7ccd..48c21f4b9e 100644
--- a/.github/workflows/ms.servicebus.namespaces.yml
+++ b/.github/workflows/ms.servicebus.namespaces.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.ServiceBus/namespaces'
 workflowPath: '.github/workflows/ms.servicebus.namespaces.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.servicefabric.clusters.yml b/.github/workflows/ms.servicefabric.clusters.yml
index 9895c4f192..0b12f7ff6d 100644
--- a/.github/workflows/ms.servicefabric.clusters.yml
+++ b/.github/workflows/ms.servicefabric.clusters.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.ServiceFabric/clusters'
 workflowPath: '.github/workflows/ms.servicefabric.clusters.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.sql.managedinstances.yml b/.github/workflows/ms.sql.managedinstances.yml
index e3c6df7041..8cff126b85 100644
--- a/.github/workflows/ms.sql.managedinstances.yml
+++ b/.github/workflows/ms.sql.managedinstances.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Sql/managedInstances'
 workflowPath: '.github/workflows/ms.sql.managedinstances.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.sql.servers.yml b/.github/workflows/ms.sql.servers.yml
index 61623e9bfb..b67bab0183 100644
--- a/.github/workflows/ms.sql.servers.yml
+++ b/.github/workflows/ms.sql.servers.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Sql/servers'
 workflowPath: '.github/workflows/ms.sql.servers.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.storage.storageaccounts.yml b/.github/workflows/ms.storage.storageaccounts.yml
index dfd7c811fc..4d7003b0a9 100644
--- a/.github/workflows/ms.storage.storageaccounts.yml
+++ b/.github/workflows/ms.storage.storageaccounts.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Storage/storageAccounts'
 workflowPath: '.github/workflows/ms.storage.storageaccounts.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.synapse.privatelinkhubs.yml b/.github/workflows/ms.synapse.privatelinkhubs.yml
index d0287ac8d3..7b50538841 100644
--- a/.github/workflows/ms.synapse.privatelinkhubs.yml
+++ b/.github/workflows/ms.synapse.privatelinkhubs.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Synapse/privateLinkHubs'
 workflowPath: '.github/workflows/ms.synapse.privatelinkhubs.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.virtualmachineimages.imagetemplates.yml b/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
index 7d1c122891..2bb5da2f97 100644
--- a/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
+++ b/.github/workflows/ms.virtualmachineimages.imagetemplates.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.VirtualMachineImages/imageTemplates'
 workflowPath: '.github/workflows/ms.virtualmachineimages.imagetemplates.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.web.connections.yml b/.github/workflows/ms.web.connections.yml
index 24a5452946..ca53a332e4 100644
--- a/.github/workflows/ms.web.connections.yml
+++ b/.github/workflows/ms.web.connections.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Web/connections'
 workflowPath: '.github/workflows/ms.web.connections.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.web.hostingenvironments.yml b/.github/workflows/ms.web.hostingenvironments.yml
index cc7f884c27..aaf574827a 100644
--- a/.github/workflows/ms.web.hostingenvironments.yml
+++ b/.github/workflows/ms.web.hostingenvironments.yml
@@ -25,14 +25,20 @@ on:
 - 'utilities/pipelines/**'
 - '!utilities/pipelines/dependencies/**'
+permissions:
+ id-token: write # Required for OIDC
+ contents: read # Required for OIDC
+ checks: write # enricomi/publish-unit-test-result-action
+ pull-requests: write # enricomi/publish-unit-test-result-action
+
 env:
 variablesPath: 'global.variables.yml'
 modulePath: 'modules/Microsoft.Web/hostingEnvironments'
 workflowPath: '.github/workflows/ms.web.hostingenvironments.yml'
- AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
- ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}'
+ AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}'
- ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}'
+ AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}'
 DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}'
 jobs:
@@ -42,6 +48,7 @@ jobs:
 job_initialize_pipeline:
 runs-on: ubuntu-20.04
 name: 'Initialize pipeline'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -67,6 +74,7 @@ jobs:
 job_module_pester_validation:
 runs-on: ubuntu-20.04
 name: 'Static validation'
+ environment: 'Validation'
 steps:
 - name: 'Checkout'
 uses: actions/checkout@v2
@@ -83,6 +91,7 @@ jobs:
 job_module_deploy_validation:
 runs-on: ubuntu-20.04
 name: 'Deployment validation'
+ environment: 'Validation'
 needs:
 - job_initialize_pipeline
 - job_module_pester_validation
@@ -106,7 +115,7 @@ jobs:
 parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}'
 location: '${{ env.location }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}'
@@ -115,6 +124,7 @@ jobs:
 ##################
 job_publish_module:
 name: 'Publishing'
+ environment: 'Publishing'
 if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true'
 runs-on: ubuntu-20.04
 needs:
diff --git a/.github/workflows/ms.web.serverfarms.yml b/.github/workflows/ms.web.serverfarms.yml
index d0d6a3a41d..b82541bc27 100644
--- a/.github/workflows/ms.web.serverfarms.yml
+++ b/.github/workflows/ms.web.serverfarms.yml
@@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Web/serverfarms' workflowPath: '.github/workflows/ms.web.serverfarms.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' 
@@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.web.sites.yml b/.github/workflows/ms.web.sites.yml index 5f69a15df6..a0615cc3ab 100644 --- a/.github/workflows/ms.web.sites.yml +++ b/.github/workflows/ms.web.sites.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Web/sites' workflowPath: '.github/workflows/ms.web.sites.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation 
@@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/ms.web.staticsites.yml b/.github/workflows/ms.web.staticsites.yml index b387de58ae..eb8cd455b7 100644 --- a/.github/workflows/ms.web.staticsites.yml +++ b/.github/workflows/ms.web.staticsites.yml @@ -25,14 +25,20 @@ on: - 'utilities/pipelines/**' - '!utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + checks: write # enricomi/publish-unit-test-result-action + pull-requests: write # enricomi/publish-unit-test-result-action + env: variablesPath: 'global.variables.yml' modulePath: 'modules/Microsoft.Web/staticSites' workflowPath: '.github/workflows/ms.web.staticsites.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -42,6 +48,7 @@ jobs: job_initialize_pipeline: runs-on: ubuntu-20.04 name: 'Initialize pipeline' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -67,6 +74,7 @@ jobs: job_module_pester_validation: runs-on: ubuntu-20.04 name: 'Static validation' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -83,6 +91,7 @@ jobs: job_module_deploy_validation: runs-on: ubuntu-20.04 name: 'Deployment validation' + environment: 'Validation' needs: - job_initialize_pipeline - job_module_pester_validation @@ -106,7 +115,7 @@ jobs: parameterFilePath: '${{ env.modulePath }}/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' @@ -115,6 +124,7 @@ jobs: ################## job_publish_module: name: 'Publishing' + environment: 'Publishing' if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event.inputs.prerelease == 'true' runs-on: ubuntu-20.04 needs: diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index a1addb1653..87088afd13 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
@@ -22,16 +22,20 @@ on: # - '.github/workflows/platform.dependencies.yml' # - 'utilities/pipelines/dependencies/**' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + env: location: 'WestEurope' defaultResourceGroupName: 'validation-rg' resourceGroupNameArtifacts: 'artifacts-rg' removeDeployment: 'false' dependencyPath: 'utilities/pipelines/dependencies' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + AZURE_CLIENT_ID: '${{ secrets.AZURE_CLIENT_ID }}' + AZURE_SUBSCRIPTION_ID: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + AZURE_TENANT_ID: '${{ secrets.AZURE_TENANT_ID }}' DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: @@ -45,6 +49,7 @@ jobs: matrix: parameterFilePaths: ['validation.parameters.json', 'locks.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -57,7 +62,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -72,6 +77,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -85,7 +91,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -102,6 +108,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -116,7 +123,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -142,6 +149,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -155,7 +163,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -170,6 +178,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -183,7 +192,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -198,6 +207,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -211,7 +221,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -226,6 +236,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -239,7 +250,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -260,6 +271,7 @@ jobs: 'sol.parameters.json', 'parameters.json', ] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -273,7 +285,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -289,6 +301,7 @@ jobs: matrix: parameterFilePaths: ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -302,7 +315,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -313,6 +326,7 @@ jobs: namespace: 'Microsoft.Storage\storageAccounts' needs: - job_deploy_sa + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -336,7 +350,9 @@ jobs: - name: Azure Login uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true - name: Run PowerShell @@ -397,6 +413,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
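Review bot: Replacing `creds:` with `client-id`/`tenant-id`/`subscription-id` in the `azure/login@v1` step of `platform.dependencies.yml` (and again in the `@@ -496`, `@@ -989` and `@@ -1169` hunks) means the `AZURE_CREDENTIALS` secret and the client secret it wraps are no longer needed by these workflows, yet the commit leaves both in place — the repository secret is still documented in the wiki table later in this diff. A follow-up should remove the repository secret and retire the client secret from the app registration once every consumer has migrated, so a long-lived credential is not left alongside the federated one. Reading the three IDs through `env` rather than `secrets` is fine for non-secret identifiers, but it depends on the workflow-level `env:` block in this file's first hunk; a short comment there, `# identifiers only; authentication is OIDC via azure/login`, would make that explicit.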
@@ -410,7 +427,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -430,6 +447,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -444,7 +462,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -472,6 +490,7 @@ jobs: needs: - job_deploy_imgt - job_deploy_sa + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -496,7 +515,9 @@ jobs: - name: Azure Login uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true - name: 'Trigger building new image' @@ -594,6 +615,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -607,7 +629,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -622,6 +644,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -635,7 +658,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -650,6 +673,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -663,7 +687,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -679,6 +703,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['sqlMi.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -692,7 +717,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -716,6 +741,7 @@ jobs: 'aadds.parameters.json', 'parameters.json', ] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -729,7 +755,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -747,6 +773,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['sqlmi.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -760,7 +787,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -786,6 +813,7 @@ jobs: 'fw.parameters.json', 'fw.additional.parameters.json', ] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -799,7 +827,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -816,6 +844,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -829,7 +858,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -846,6 +875,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -859,7 +889,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -876,6 +906,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -889,7 +920,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -907,6 +938,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -920,7 +952,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' @@ -940,6 +972,7 @@ jobs: matrix: parameterFilePaths: ['parameters.json', 'pe.parameters.json', 'nopr.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -953,7 +986,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' 
@@ -966,6 +999,7 @@ jobs: namespace: 'Microsoft.KeyVault\vaults' needs: - job_deploy_kv + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -989,7 +1023,9 @@ jobs: - name: Azure Login uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true - name: 'Set key vault secrets keys and certificates' @@ -1120,6 +1156,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['sqlmi.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1133,7 +1170,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' @@ -1146,6 +1183,7 @@ jobs: - job_deploy_sqlmi_kv env: namespace: 'Microsoft.KeyVault\vaults' + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1169,7 +1207,9 @@ jobs: - name: Azure Login uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: '${{ env.AZURE_CLIENT_ID }}' + tenant-id: '${{ env.AZURE_TENANT_ID }}' + subscription-id: '${{ env.AZURE_SUBSCRIPTION_ID }}' enable-AzPSSession: true - name: 'Set sqlmi key vault secrets and keys' @@ -1242,6 +1282,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -1255,7 +1296,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -1270,6 +1311,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1283,7 +1325,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' @@ -1314,6 +1356,7 @@ jobs: '13.bastion.parameters.json', 'parameters.json', ] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1327,7 +1370,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -1344,6 +1387,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['6.sqlmi.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -1357,7 +1401,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -1372,6 +1416,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1385,7 +1430,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -1402,6 +1447,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -1415,7 +1461,7 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -1430,6 +1476,7 @@ jobs: fail-fast: false matrix: parameterFilePaths: ['internal.parameters.json'] + environment: 'Validation' steps: - name: 'Checkout' uses: actions/checkout@v2 
@@ -1443,6 +1490,6 @@ jobs: parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.location }}' resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' diff --git a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md index 33b320312e..6b92336157 100644 --- a/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md +++ b/docs/wiki/Getting started - Scenario 2 Onboard module library and CI environment.md 
@@ -127,11 +127,12 @@ For _GitHub_, you have to perform the following environment-specific steps: To use the environment's pipelines you should use the information you gathered during the [Azure setup](#1-configure-your-azure-environment) to set up the following repository secrets: + | Secret Name | Example | Description | | - | - | - | | `ARM_MGMTGROUP_ID` | `de33a0e7-64d9-4a94-8fe9-b018cedf1e05` | The group ID of the management group to test-deploy modules in. | -| `ARM_SUBSCRIPTION_ID` | `d0312b25-9160-4550-914f-8738d9b5caf5` | The ID of the subscription to test-deploy modules in. | -| `ARM_TENANT_ID` | `9734cec9-4384-445b-bbb6-767e7be6e5ec` | The tenant ID of the Azure Active Directory tenant to test-deploy modules in. | +| `AZURE_SUBSCRIPTION_ID` | `d0312b25-9160-4550-914f-8738d9b5caf5` | The ID of the subscription to test-deploy modules in. | +| `AZURE_TENANT_ID` | `9734cec9-4384-445b-bbb6-767e7be6e5ec` | The tenant ID of the Azure Active Directory tenant to test-deploy modules in. | | `DEPLOYMENT_SP_ID` | `de33a0e7-64d9-4a94-8fe9-b018cedf1e05` | The service principal ID (Object ID) of the principal used as the Azure service connection. Also used for test Role Assignments when modules are being deployed into Azure. | | `AZURE_CREDENTIALS` | `{"clientId": "4ce8ce4c-cac0-48eb-b815-65e5763e2929", "clientSecret": "", "subscriptionId": "d0312b25-9160-4550-914f-8738d9b5caf5", "tenantId": "9734cec9-4384-445b-bbb6-767e7be6e5ec" }` | The login credentials of the deployment principal used to log into the target Azure environment to test in. The format is described [here](https://github.com/Azure/login#configure-deployment-credentials). | | `PLATFORM_REPO_UPDATE_PAT` | `` | A private access token (PAT) with enough permissions assigned to it to push into the main branch. This PAT is leveraged by pipelines that automatically generate ReadMe files to keep them up to date. | @@ -157,6 +158,7 @@ To use the environment's pipelines you should use the information you gathered d

+ > Special case: `AZURE_CREDENTIALS`, > This secret represent the service connection to Azure, and its value is a compressed JSON object that must match the following format: > @@ -258,12 +260,13 @@ The variable group `PLATFORM_VARIABLES` must be set up in Azure DevOps as descri Based on the information you gathered in the [Azure setup](#1-configure-your-azure-environment), you must configure the following secrets in the variable group: + | Secret Name | Example | Description | | - | - | - | | `ARM_MGMTGROUP_ID` | `de33a0e7-64d9-4a94-8fe9-b018cedf1e05` | The group ID of the management group to test-deploy modules in. | -| `ARM_SUBSCRIPTION_ID` | `d0312b25-9160-4550-914f-8738d9b5caf5` | The ID of the subscription to test-deploy modules in. | -| `ARM_TENANT_ID` | `9734cec9-4384-445b-bbb6-767e7be6e5ec` | The tenant ID of the Azure Active Directory tenant to test-deploy modules in. | -| `DEPLOYMENT_SP_ID` | `de33a0e7-64d9-4a94-8fe9-b018cedf1e05` | The service principal ID (Object ID) of the principal used as the Azure service connection. Also used for test Role Assignments when modules are being deployed into Azure. | +| `ARM_VALIDATION_SUBSCRIPTION_ID` | `d0312b25-9160-4550-914f-8738d9b5caf5` | The ID of the subscription to test-deploy modules in. | +| `ARM_TENANT_ID` | `9734cec9-4384-445b-bbb6-767e7be6e5ec` | The tenant ID of the tenant to test-deploy modules in. | +| `DEPLOYMENT_SP_ID` | `de33a0e7-64d9-4a94-8fe9-b018cedf1e05` | The service principal ID (Object ID) of the principal used as the Azure service connection. Also used for test Role Assignments when modules are being deployed into Azure | Make sure its name matches the `group` reference used in the module pipelines. For example diff --git a/docs/wiki/Solution creation.md b/docs/wiki/Solution creation.md index 21437dd74f..47be435d4e 100644 --- a/docs/wiki/Solution creation.md +++ b/docs/wiki/Solution creation.md 
@@ -405,8 +405,12 @@ on: - 'network-hub-rg/Parameters/**' - '.github/workflows/network-hub.yml' +permissions: + id-token: write # Required for OIDC + contents: read # Required for OIDC + env: - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} # TODO: Update this to use OIDC removeDeployment: false variablesPath: 'global.variables.yml' @@ -440,7 +444,7 @@ jobs: parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/ResourceGroup/parameters.json' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: $(removeDeployment) @@ -451,7 +455,7 @@ jobs: parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/NetworkSecurityGroups/parameters.json' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: $(removeDeployment) @@ -462,7 +466,7 @@ jobs: parameterFilePath: './MultiRepoTestParentFolder/network-hub-rg/Parameters/VirtualNetwork/vnet-A.parameters.json' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + subscriptionId: '${{ secrets.AZURE_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: $(removeDeployment) ``` diff --git a/global.variables.yml b/global.variables.yml index 7fed8d13f9..3dc3eff660 100644 --- a/global.variables.yml +++ b/global.variables.yml 
@@ -38,7 +38,8 @@ variables: vmImage: 'ubuntu-latest' # Use this for Microsoft-hosted agents poolName: '' # Use this for self-hosted agents - serviceConnection: 'CARML-CSU-Tenant-Connection' + serviceConnectionValidation: 'validation-svccon' + serviceConnectionPublishing: 'publishing-svccon' ###################################### # Source diff --git a/utilities/pipelines/resourcePublish/Publish-ModuleToPrivateBicepRegistry.ps1 b/utilities/pipelines/resourcePublish/Publish-ModuleToPrivateBicepRegistry.ps1 index 319c73b919..edf670e6c2 100644 --- a/utilities/pipelines/resourcePublish/Publish-ModuleToPrivateBicepRegistry.ps1 +++ b/utilities/pipelines/resourcePublish/Publish-ModuleToPrivateBicepRegistry.ps1 @@ -25,6 +25,10 @@ Example: 'artifacts-rg' Optional. The location of the resourceGroup the private bicep registry is deployed to. Required if the resource group is not yet existing. Example: 'West Europe' +.PARAMETER SubscriptionId +Optional. SubscriptionId to use for the bicep registry. If not specified, the default context/subscription is used. +Example: 'a6d228a7-0321-4099-9ef5-b3bcf0605c89' + .EXAMPLE Publish-ModuleToPrivateBicepRegistry -TemplateFilePath 'C:\modules\Microsoft.KeyVault\vaults\deploy.bicep' -ModuleVersion '3.0.0-alpha' -BicepRegistryName 'adpsxxazacrx001' -BicepRegistryRgName 'artifacts-rg' @@ -47,7 +51,10 @@ function Publish-ModuleToPrivateBicepRegistry { [string] $BicepRegistryRgName, [Parameter(Mandatory = $false)] - [string] $BicepRegistryRgLocation + [string] $BicepRegistryRgLocation, + + [Parameter(Mandatory = $false)] + [string] $SubscriptionId ) begin { 
@@ -62,6 +69,12 @@ function Publish-ModuleToPrivateBicepRegistry { throw "The template in path [$TemplateFilePath] is no bicep template." } + # set AzContext + if (-not [String]::IsNullOrEmpty($SubscriptionId)) { + Write-Verbose ('Setting context to subscription [{0}]' -f $SubscriptionId) + $null = Set-AzContext -Subscription $SubscriptionId + } + # Resource Group if (-not (Get-AzResourceGroup -Name $BicepRegistryRgName -ErrorAction 'SilentlyContinue')) { if ($PSCmdlet.ShouldProcess("Resource group [$BicepRegistryRgName] to location [$BicepRegistryRgLocation]", 'Deploy')) { diff --git a/utilities/pipelines/resourcePublish/Publish-ModuleToTemplateSpec.ps1 b/utilities/pipelines/resourcePublish/Publish-ModuleToTemplateSpec.ps1 index df821bd8d8..67295a49e3 100644 --- a/utilities/pipelines/resourcePublish/Publish-ModuleToTemplateSpec.ps1 +++ b/utilities/pipelines/resourcePublish/Publish-ModuleToTemplateSpec.ps1 @@ -26,6 +26,10 @@ Example: 'West Europe' Mandatory. The description of the parent template spec. Example: 'iacs key vault' +.PARAMETER SubscriptionId +Optional. SubscriptionId to publish the template spec to. If not specified, the default context/subscription is used. +Example: 'a6d228a7-0321-4099-9ef5-b3bcf0605c89' + .EXAMPLE Publish-ModuleToTemplateSpec -TemplateFilePath 'C:\modules\Microsoft.KeyVault\vaults\deploy.bicep' -ModuleVersion '3.0.0-alpha' -TemplateSpecsRgName 'artifacts-rg' -TemplateSpecsRgLocation 'West Europe' -TemplateSpecsDescription 'iacs key vault' @@ -48,7 +52,10 @@ function Publish-ModuleToTemplateSpec { [string] $TemplateSpecsRgLocation, [Parameter(Mandatory)] - [string] $TemplateSpecsDescription + [string] $TemplateSpecsDescription, + + [Parameter(Mandatory = $false)] + [string] $SubscriptionId ) begin { 
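Review bot: The `Set-AzContext -Subscription $SubscriptionId` call switches the ambient Az context for the whole process and nothing in the function switches it back, so any later Az cmdlet in the same pipeline step or runspace would, as far as I can tell, keep running against the registry subscription rather than the one the caller started in; its output is also discarded, so a partial or ambiguous `-Subscription` match is never noticed. I would capture `$previousContext = Get-AzContext` before the switch, restore it with `Set-AzContext -Context $previousContext` in a `finally` around the publishing work (the rest of the body and its `end` block are outside this hunk), and fail loudly when the active subscription does not match the requested id, as in the rewrite below. `IsNullOrWhiteSpace` is the safer guard here, since a pipeline variable that expands to blanks would otherwise reach `Set-AzContext` as a subscription name. A one-line comment on why the id is re-checked after the switch would also help the next reader.
```powershell
# set AzContext
if (-not [String]::IsNullOrWhiteSpace($SubscriptionId)) {
    Write-Verbose ('Setting context to subscription [{0}]' -f $SubscriptionId)
    $null = Set-AzContext -Subscription $SubscriptionId -ErrorAction 'Stop'
    # -Subscription also matches display names; confirm the requested id is really active before touching resources
    $activeSubscriptionId = (Get-AzContext).Subscription.Id
    if ($activeSubscriptionId -ne $SubscriptionId) {
        throw ('Expected subscription [{0}] but the active context is [{1}]' -f $SubscriptionId, $activeSubscriptionId)
    }
}
# … unchanged: resource group check and creation …
```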
@@ -68,6 +75,14 @@ function Publish-ModuleToTemplateSpec { } } + ############################# + ## set AzContext ## + ############################# + if (-not [String]::IsNullOrEmpty($SubscriptionId)) { + Write-Verbose ('Setting context to subscription [{0}]' -f $SubscriptionId) + $null = Set-AzContext -Subscription $SubscriptionId + } + ################################ ## Create template spec ## ################################
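Review bot: The context switch here sits below two closing braces at the top of the hunk; if those close the resource-group existence/creation block (the sibling `Publish-ModuleToPrivateBicepRegistry` change deliberately placed its switch before `Get-AzResourceGroup`), the template spec resource group is checked and possibly created in whatever subscription the agent was logged into rather than in `$SubscriptionId`, with only the template spec itself landing in the target. The preceding lines are outside this hunk, so this is inferred from the structure; if it holds, move the block above the first Az cmdlet in the function. The same hardening applies as for the sibling: pass `-ErrorAction 'Stop'`, compare `(Get-AzContext).Subscription.Id` with `$SubscriptionId` and throw on mismatch, and restore the previous context in a `finally` at the end of the function so the caller's session is not left pointed at the publishing subscription. Since both publish scripts now carry an identical block, a shared helper in the pipeline utilities would keep the two from drifting.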