Commit 56a1009

committed
[BRE-1022] Replace SPs with Managed Identities (#15844)
(cherry picked from commit 74bfc1c)
1 parent 3d09e83 commit 56a1009

1 file changed

+18
-43
lines changed

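--- a/.github/workflows/deploy-web.yml
+++ b/.github/workflows/deploy-web.yml
@@ -69,7 +69,6 @@ jobs:
 azure_login_client_key_name: ${{ steps.config.outputs.azure_login_client_key_name }}
 azure_login_subscription_id_key_name: ${{ steps.config.outputs.azure_login_subscription_id_key_name }}
 retrieve_secrets_keyvault: ${{ steps.config.outputs.retrieve_secrets_keyvault }}
-sync_utility: ${{ steps.config.outputs.sync_utility }}
 sync_delete_destination_files: ${{ steps.config.outputs.sync_delete_destination_files }}
 slack_channel_name: ${{ steps.config.outputs.slack_channel_name }}
 steps:
@@ -127,8 +126,6 @@ jobs:
 echo "slack_channel_name=alerts-deploy-dev" >> $GITHUB_OUTPUT
 ;;
 esac
-# Set the sync utility to use for deployment to the environment (az-sync or azcopy)
-echo "sync_utility=azcopy" >> $GITHUB_OUTPUT
 
 - name: Environment Protection
 env:
@@ -337,32 +334,6 @@ jobs:
 description: 'Deployment from branch/tag: ${{ inputs.branch-or-tag }}'
 ref: ${{ needs.artifact-check.outputs.artifact_build_commit }}
 
-- name: Login to Azure
-uses: bitwarden/gh-actions/azure-login@main
-with:
-subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }}
-tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }}
-
-- name: Retrieve Storage Account connection string for az sync
-if: ${{ needs.setup.outputs.sync_utility == 'az-sync' }}
-id: retrieve-secrets-az-sync
-uses: bitwarden/gh-actions/get-keyvault-secrets@main
-with:
-keyvault: ${{ needs.setup.outputs.retrieve_secrets_keyvault }}
-secrets: "sa-bitwarden-web-vault-dev-key-temp"
-
-- name: Retrieve Storage Account name and SPN credentials for azcopy
-if: ${{ needs.setup.outputs.sync_utility == 'azcopy' }}
-id: retrieve-secrets-azcopy
-uses: bitwarden/gh-actions/get-keyvault-secrets@main
-with:
-keyvault: ${{ needs.setup.outputs.retrieve_secrets_keyvault }}
-secrets: "sa-bitwarden-web-vault-name,sp-bitwarden-web-vault-password,sp-bitwarden-web-vault-appid,sp-bitwarden-web-vault-tenant"
-
-- name: Log out from Azure
-uses: bitwarden/gh-actions/azure-logout@main
-
 - name: 'Download latest cloud asset using GitHub Run ID: ${{ inputs.build-web-run-id }}'
 if: ${{ inputs.build-web-run-id }}
 uses: bitwarden/gh-actions/download-artifacts@main
@@ -389,28 +360,32 @@ jobs:
 working-directory: apps/web
 run: unzip ${{ env._ENVIRONMENT_ARTIFACT }}
 
-- name: Sync to Azure Storage Account using az storage blob sync
-if: ${{ needs.setup.outputs.sync_utility == 'az-sync' }}
-working-directory: apps/web
-run: |
-az storage blob sync \
---source "./build" \
---container '$web' \
---connection-string "${{ steps.retrieve-secrets-az-sync.outputs.sa-bitwarden-web-vault-dev-key-temp }}" \
---delete-destination=${{ inputs.force-delete-destination }}
+- name: Login to Azure
+uses: bitwarden/gh-actions/azure-login@main
+with:
+subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }}
+tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }}
+
+- name: Retrieve Storage Account name
+id: retrieve-secrets-azcopy
+uses: bitwarden/gh-actions/get-keyvault-secrets@main
+with:
+keyvault: ${{ needs.setup.outputs.retrieve_secrets_keyvault }}
+secrets: "sa-bitwarden-web-vault-name"
 
 - name: Sync to Azure Storage Account using azcopy
-if: ${{ needs.setup.outputs.sync_utility == 'azcopy' }}
 working-directory: apps/web
 env:
-AZCOPY_AUTO_LOGIN_TYPE: SPN
-AZCOPY_SPA_APPLICATION_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-appid }}
-AZCOPY_SPA_CLIENT_SECRET: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-password }}
-AZCOPY_TENANT_ID: ${{ steps.retrieve-secrets-azcopy.outputs.sp-bitwarden-web-vault-tenant }}
+AZCOPY_AUTO_LOGIN_TYPE: AZCLI
+AZCOPY_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 run: |
 azcopy sync ./build 'https://${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}.blob.core.windows.net/$web/' \
 --delete-destination=${{ inputs.force-delete-destination }} --compare-hash="MD5"
 
+- name: Log out from Azure
+uses: bitwarden/gh-actions/azure-logout@main
+
 - name: Debug sync logs
 if: ${{ inputs.debug }}
 run: cat /home/runner/.azcopy/*.log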
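Review bot: The re-added `Log out from Azure` step in the last hunk carries no `if:` condition, so a failing `azcopy sync` step ends the job before logout runs and the Azure CLI session opened by `Login to Azure` is left on the runner. With `AZCOPY_AUTO_LOGIN_TYPE: AZCLI` that session is now the credential azcopy itself uses and it stays open across the sync rather than only the Key Vault read, so adding `if: always()` to the logout step would close it on failure as well; this matters most if the runner is self-hosted or reused, which the page does not show. The three re-added steps also reference `bitwarden/gh-actions/...@main`, a mutable ref; pinning each to a commit SHA would fix the exact code that handles the login token, although `@main` appears to be the file's existing convention. The job definition begins outside the visible hunks, so its `permissions:` block could not be checked.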
