Updating the azure/login version to latest (v2) and adding a validati… (

#16707) * Updating the azure/login version to latest (v2). * Migrating to the GHA azure/login v2 and normalize the AZURE_CREDENTIALS environment variable. * Removing the validation block as it's failing to pass with this error MICROSOFT_AZURE_CLI_1733341427667_CONTAINER. --------- Co-authored-by: matts <[email protected]>
CDCgov · Dec 4, 2024 · 62207ec · 62207ec
1 parent 34a481c
commit 62207ec
Show file tree

Hide file tree

Showing 19 changed files with 115 additions and 62 deletions.
diff --git a/.github/actions/build-vars/action.yml b/.github/actions/build-vars/action.yml
@@ -170,7 +170,7 @@ runs:
             - 'frontend-react/**/!(*.md)'
             - '.github/actions/build-vars/action.yml'
             - '.github/actions/build-frontend/action.yml'
-            - '.github/workflows/frontend_ci.yml'          
+            - '.github/workflows/frontend_ci.yml'
           terraform:
             - 'operations/app/terraform/**/!(*.md)'
             - '.github/workflows/validate_terraform.yml'
@@ -215,7 +215,7 @@ runs:
         else
           echo "has_router_change=${{ steps.filter.outputs.router }}" >> $GITHUB_OUTPUT
         fi
-    
+
     - name: Determine if frontend changed
       if: github.event_name != 'schedule'
       id: frontend_change_result
@@ -234,7 +234,7 @@ runs:
           echo "has_frontend_change=${{ steps.filter.outputs.frontend_react }}" >> $GITHUB_OUTPUT
         fi
 
-    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+    - uses: azure/login@v2
       if: inputs.sp-creds != 'false'
       with:
         creds: ${{ inputs.sp-creds }}

diff --git a/.github/actions/vpn-azure/action.yml b/.github/actions/vpn-azure/action.yml
@@ -63,7 +63,7 @@ runs:
         fi
       shell: bash
 
-    - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+    - uses: azure/login@v2
       if: inputs.sp-creds
       with:
         creds: ${{ inputs.sp-creds }}

diff --git a/.github/workflows/alert_cert_expire.yml b/.github/workflows/alert_cert_expire.yml
@@ -5,6 +5,9 @@ on:
     # The workflow runs every day at 8:07am
     - cron: "7 13 * * *"  #UTC-5
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   check-certificates:
     runs-on: ubuntu-latest
@@ -23,7 +26,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Add Runner IP to Key Vault Firewall
         run: |
@@ -48,7 +51,7 @@ jobs:
           echo "LIST<<$EOF" >> $GITHUB_OUTPUT
           cat certificates.json >> $GITHUB_OUTPUT
           echo "$EOF" >> $GITHUB_OUTPUT
-      
+
       - name: Slack Notification
         if: ${{ steps.format_out.outputs.LIST  != '' }}
         uses: ./.github/actions/notifications

diff --git a/.github/workflows/alert_resource_costs.yml b/.github/workflows/alert_resource_costs.yml
@@ -7,6 +7,7 @@ on:
 env:
   ALERT_THRESHOLD: 60
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
 jobs:
   alert_costs:
@@ -23,7 +24,7 @@ jobs:
       - name: Login into Azure
         uses: ./.github/actions/vpn-azure
         with:
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Run Az Cost CLI
         id: az-cost
@@ -59,7 +60,7 @@ jobs:
           message: |
             Resource Group \`${{ matrix.rg }}\` is exceeding the cost threshold and is ${{ steps.env-age.outputs.age_in_days }} days old.
             If still running and no longer needed, please [destroy](https://github.com/CDCgov/prime-reportstream/actions/workflows/destroy_demo_environment.yml).
-            
+
             * **Cost per day: 💲${{ steps.az-cost.outputs.result }}**
             * **Provisioned by: \`${{ steps.last-pusher.outputs.username }}\`**
             * **Last Change Date: \`${{ steps.last-pusher.outputs.last_change_date }}\`**

diff --git a/.github/workflows/alert_terraform_changes.yml b/.github/workflows/alert_terraform_changes.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     # The workflow runs every day at 8:20am
     - cron: "7 13 * * *"  #UTC-5
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   alert_tf_changes:
     name: Check Terraform plan for ${{ matrix.env }}
@@ -24,7 +28,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
 
       - name: Collect Terraform stats

diff --git a/.github/workflows/build_hub.yml b/.github/workflows/build_hub.yml
@@ -21,6 +21,7 @@ env:
   # These are for CI and not credentials of any system
   DB_USER: prime
   DB_PASSWORD: changeIT!
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
 jobs:
   pre_job:
@@ -64,7 +65,7 @@ jobs:
           version: ${{ github.run_id }}
           upload-build: false
           run-integration-tests: true
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Generate New Schema Docs
         working-directory: ./

diff --git a/.github/workflows/cleanup_acr_images.yml b/.github/workflows/cleanup_acr_images.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     - cron:  "0 0 * * *" # Runs daily at midnight UTC
 
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   cleanup_images:
     runs-on: ubuntu-latest
@@ -22,7 +26,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: List ${{ matrix.env }} repository images
         run: |
@@ -35,7 +39,7 @@ jobs:
 
       - name: Delete old images in ${{ matrix.env }} env
         env:
-          IMAGE_FILE: ${{ matrix.env }}-images.txt  
+          IMAGE_FILE: ${{ matrix.env }}-images.txt
         run: |
           if [ -e "$IMAGE_FILE" ]; then
             while IFS= read -r image_id; do
@@ -49,9 +53,9 @@ jobs:
               else
                 echo "File not found: $IMAGE_FILE"
           fi
-  
-        # Pushing a modified image using an existing tag untags the previously pushed image, 
-        # resulting in an orphaned (or "dangling") image. 
+
+        # Pushing a modified image using an existing tag untags the previously pushed image,
+        # resulting in an orphaned (or "dangling") image.
         # The previously pushed image's manifest--and its layer data--remains in the registry.
         # They still need to be removed
 
@@ -65,7 +69,7 @@ jobs:
 
       - name: Delete image manifest in ${{ matrix.env }} env
         env:
-          UNTAGED_FILE: ${{ matrix.env }}-untaged-images.txt  
+          UNTAGED_FILE: ${{ matrix.env }}-untaged-images.txt
         run: |
           if [ -e "$UNTAGED_FILE" ]; then
             while IFS= read -r manifest_id; do

diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
@@ -8,6 +8,9 @@ on:
     paths:
       - '**.tf'
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   pre_job:
     name: Set Build Environment
@@ -48,7 +51,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
       - name: Collect Terraform stats
 
@@ -101,7 +104,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
       - name: Use specific version of Terraform
         uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd

diff --git a/.github/workflows/deployment_rollback.yml b/.github/workflows/deployment_rollback.yml
@@ -11,6 +11,10 @@ on:
         - staging
         - test
         type: choice
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   DeployToCandidateSlot:
     runs-on: ubuntu-latest
@@ -45,7 +49,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Add runner IP to Function App firewall
         run: |

diff --git a/.github/workflows/destroy_demo_environment.yml b/.github/workflows/destroy_demo_environment.yml
@@ -12,6 +12,10 @@ on:
         - demo3
         type: choice
 
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   destroy_demo_environment:
     name: "Destroy Environment: ${{ github.event.inputs.env_name }}"
@@ -36,7 +40,7 @@ jobs:
         uses: ./.github/actions/vpn-azure
         with:
           env-name: ${{ github.event.inputs.env_name }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
 
       - name: Destroy demo environment

diff --git a/.github/workflows/export_cost_data.yml b/.github/workflows/export_cost_data.yml
@@ -4,6 +4,10 @@ on:
   schedule:
     # The workflow runs every day at 3PM
     - cron: "0 19 * * *"  #UTC-5
+
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   export_cost_data:
     name: Export Azure Cost Data to Storage
@@ -27,7 +31,7 @@ jobs:
         uses: ./.github/actions/vpn-azure
         with:
           env-name: ${{ matrix.env }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: false
       - name: Run Az Cost CLI
         id: az-cost
@@ -76,7 +80,7 @@ jobs:
           user: prime
           database: prime_data_hub
           output-file: result.txt
-          query: |            
+          query: |
             CREATE TABLE IF NOT EXISTS Azure_Costs (
               Date       date,
               Cost       NUMERIC(13, 8),

diff --git a/.github/workflows/release_chatops_app.yml b/.github/workflows/release_chatops_app.yml
@@ -12,6 +12,9 @@ on:
     paths:
       - "operations/slack-boltjs-app"
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   pre_job:
     name: Set Build Environment
@@ -40,9 +43,9 @@ jobs:
         with:
           submodules: true
 
-      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+      - uses: azure/login@v2
         with:
-          creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Set environment variables
         shell: bash

diff --git a/.github/workflows/release_to_azure.yml b/.github/workflows/release_to_azure.yml
@@ -15,6 +15,9 @@ defaults:
   run:
     working-directory: prime-router
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   pre_job:
     name: "Set Build Environment"
@@ -33,7 +36,7 @@ jobs:
         id: build_vars
         uses: ./.github/actions/build-vars
         with:
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
   build_router_release:
     name: "Release: Build Router"
@@ -102,7 +105,7 @@ jobs:
         uses: ./.github/actions/vpn-azure
         with:
           env-name: ${{ needs.pre_job.outputs.env_name }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           tf-auth: true
 
       - name: Provision demo environment
@@ -138,7 +141,7 @@ jobs:
         uses: ./.github/actions/vpn-azure
         with:
           env-name: ${{ needs.pre_job.outputs.env_name }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Get function app checksum
         env:
@@ -194,7 +197,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           dns-ip: ${{ needs.pre_job.outputs.dns_ip }}
 
       - name: Deploy backend
@@ -233,7 +236,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
           dns-ip: ${{ needs.pre_job.outputs.dns_ip }}
 
       - name: Deploy frontend

diff --git a/.github/workflows/release_trial_frontend.yml b/.github/workflows/release_trial_frontend.yml
@@ -12,6 +12,9 @@ defaults:
   run:
     working-directory: prime-router
 
+env:
+  AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
+
 jobs:
   pre_job:
     name: "Set Build Environment"
@@ -76,7 +79,7 @@ jobs:
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
-          sp-creds: ${{ secrets.SERVICE_PRINCIPAL_CREDS }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
 
       - name: Deploy frontend
         uses: ./.github/actions/deploy-frontend