diff --git a/.github/workflows/azd-template-validation.yml b/.github/workflows/azd-template-validation.yml
new file mode 100644
index 000000000..5be410d0c
--- /dev/null
+++ b/.github/workflows/azd-template-validation.yml
@@ -0,0 +1,48 @@
+name: AZD Template Validation
+on:
+ schedule:
+ - cron: '30 1 * * 4' # Every Thursday at 7:00 AM IST (1:30 AM UTC)
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - 'infra/**'
+ - 'azure.yaml'
+ - 'scripts/**'
+ - '.github/workflows/azd-template-validation.yml'
+
+ pull_request:
+ branches:
+ - dev
+
+permissions:
+ contents: read
+ id-token: write
+ pull-requests: write
+
+jobs:
+ template_validation:
+ runs-on: ubuntu-latest
+ environment: production
+ name: azd template validation
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: microsoft/template-validation-action@Latest
+ with:
+ validateAzd: ${{ vars.TEMPLATE_VALIDATE_AZD }}
+ useDevContainer: ${{ vars.TEMPLATE_USE_DEV_CONTAINER }}
+ id: validation
+ env:
+ AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
+ AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TEMP: /tmp
+ AZURE_PRINCIPAL_ID: ${{ secrets.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}
+ AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+ - name: print result
+ run: cat ${{ steps.validation.outputs.resultFile }}
diff --git a/infra/main.bicep b/infra/main.bicep
index f80f39afc..19238b64c 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -1013,7 +1013,7 @@ module keyvault './modules/key-vault/vault/vault.bicep' = {
 {
 principalId: managedIdentityModule.outputs.principalId
 principalType: 'ServicePrincipal'
- roleDefinitionIdOrName: 'Key Vault Secrets User'
+ roleDefinitionIdOrName: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
 }
 ]
 : [],
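Review bot: `- uses: microsoft/template-validation-action@Latest` references a floating tag, so a job that holds `id-token: write`, the Azure federated credentials and `secrets.GITHUB_TOKEN` executes whatever that tag resolves to on each run; pin it (and `actions/checkout@v4`) to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: microsoft/template-validation-action@<commit-sha> # Latest`. The `print result` step interpolates a step output straight into the shell command, `run: cat ${{ steps.validation.outputs.resultFile }}`; add `RESULT_FILE: ${{ steps.validation.outputs.resultFile }}` under a step-level `env:` and change the command to `run: cat "$RESULT_FILE"`, so the value is never parsed as shell. Separately, `environment: production` is reached from the `pull_request:` trigger on `dev`, which presumably lets PR builds run the validation against the production environment's subscription; confirm that environment carries protection rules or give validation its own environment.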
@@ -1021,7 +1021,7 @@ module keyvault './modules/key-vault/vault/vault.bicep' = {
 ? [
 {
 principalId: principal.id
- roleDefinitionIdOrName: 'Key Vault Secrets User'
+ roleDefinitionIdOrName: '4633458b-17de-408a-b874-0445c86b69e' // Key Vault Secrets User
 }
 ]
 : []
@@ -1812,7 +1812,7 @@ module storage './modules/storage/storage-account/storage-account.bicep' = {
 }
 {
 principalId: managedIdentityModule.outputs.principalId
- roleDefinitionIdOrName: 'Storage File Data Privileged Contributor'
+ roleDefinitionIdOrName: '69566ab7-960f-475b-8e7c-b3118f30c6bd' // Storage File Data Privileged Contributor
 principalType: 'ServicePrincipal'
 }
 ]
diff --git a/infra/main.json b/infra/main.json
index ceba936a0..1109bcb71 100644
--- a/infra/main.json
+++ b/infra/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.43.8.12551",
- "templateHash": "8257042867279369414"
+ "templateHash": "9642437726761388509"
 }
 },
 "parameters": {
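Review bot: The role id on the added line of the `@@ -1021` hunk is one character short: `'4633458b-17de-408a-b874-0445c86b69e'` has 35 characters, while the same Key Vault Secrets User role in the `@@ -1013` hunk is written `'4633458b-17de-408a-b874-0445c86b69e6'`. A malformed role definition id will most likely be rejected when the `principal.id` role assignment is deployed rather than silently grant a different role, so the template fails for any deployment that passes a principal. The identical truncated value is baked into the compiled `infra/main.json` in the `@@ -21540` `roleAssignments` hunk, so that file needs regenerating after the fix. Change the line to `roleDefinitionIdOrName: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User`; the `module keyvault` expression it belongs to starts and ends outside the hunk.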
@@ -21540,7 +21540,7 @@
 "diagnosticSettings": "[if(parameters('enableMonitoring'), createObject('value', createArray(createObject('workspaceResourceId', reference('monitoring').outputs.logAnalyticsWorkspaceId.value))), createObject('value', null()))]",
 "privateEndpoints": "[if(parameters('enablePrivateNetworking'), createObject('value', createArray(createObject('name', format('pep-{0}', variables('keyVaultName')), 'customNetworkInterfaceName', format('nic-{0}', variables('keyVaultName')), 'privateDnsZoneGroup', createObject('privateDnsZoneGroupConfigs', createArray(createObject('privateDnsZoneResourceId', reference(format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').keyVault)).outputs.resourceId.value))), 'service', 'vault', 'subnetResourceId', reference('virtualNetwork').outputs.pepsSubnetResourceId.value))), createObject('value', createArray()))]",
 "roleAssignments": {
- "value": "[concat(if(not(equals(reference('managedIdentityModule').outputs.principalId.value, '')), createArray(createObject('principalId', reference('managedIdentityModule').outputs.principalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', 'Key Vault Secrets User')), createArray()), if(not(empty(parameters('principal').id)), createArray(createObject('principalId', parameters('principal').id, 'roleDefinitionIdOrName', 'Key Vault Secrets User')), createArray()))]"
+ "value": "[concat(if(not(equals(reference('managedIdentityModule').outputs.principalId.value, '')), createArray(createObject('principalId', reference('managedIdentityModule').outputs.principalId.value, 'principalType', 'ServicePrincipal', 'roleDefinitionIdOrName', '4633458b-17de-408a-b874-0445c86b69e6')), createArray()), if(not(empty(parameters('principal').id)), createArray(createObject('principalId', parameters('principal').id, 'roleDefinitionIdOrName', '4633458b-17de-408a-b874-0445c86b69e')), createArray()))]"
 },
 "secrets": {
 "value": [
@@ -52724,7 +52724,7 @@
 },
 {
 "principalId": "[reference('managedIdentityModule').outputs.principalId.value]",
- "roleDefinitionIdOrName": "Storage File Data Privileged Contributor",
+ "roleDefinitionIdOrName": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
 "principalType": "ServicePrincipal"
 }
 ]
@@ -55924,9 +55924,9 @@
 }
 },
 "dependsOn": [
+ "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageFile)]",
 "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageBlob)]",
- "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').storageQueue)]",
 "managedIdentityModule",
 "virtualNetwork"
 ]