nginxinc · puneetsarna · Jun 10, 2025 · Jun 9, 2025 · Jun 9, 2025 · Jun 10, 2025
diff --git a/.github/workflows/github-action-test-nginxaas-deploy.yml b/.github/workflows/github-action-test-nginxaas-deploy.yml
@@ -9,7 +9,7 @@ env:
   NGINX_DEPLOYMENT_NAME: github-action-test-dep
   NGINX_TRANSFORMED_CONFIG_DIR_PATH: /etc/nginx/
   NGINX_ROOT_CONFIG_FILE: nginx.conf
-  TEST_RESOURCE_GROUP_NAME: testenv-0da38993-workload
+  TEST_RESOURCE_GROUP_NAME: github-action-test
   NGINX_CERT_NAME: github-action-test-crt
   NGINX_VAULT_NAME: nlbtest-customer
 
@@ -24,7 +24,7 @@ jobs:
       - name: "Checkout repository"
         uses: actions/checkout@v2
       - name: "AZ CLI Login"
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -33,7 +33,7 @@ jobs:
       - name: "Update config - single file"
         shell: bash
         run: |
-          sed -i 's/000000/'"$GITHUB_RUN_NUMBER"'/g' github-action/test/configs/single/nginx.conf
+          sed -i 's/000000/'"$GITHUB_RUN_ID"'/g' github-action/test/configs/single/nginx.conf
           cat github-action/test/configs/single/nginx.conf
       - name: "Sync NGINX configuration to NGINXaaS for Azure - single file"
         uses: nginxinc/[email protected]
@@ -47,7 +47,7 @@ jobs:
       - name: "Validate config update - single file"
         shell: bash
         run: |
-          wget -O - -o /dev/null http://${{ secrets.NGINX_DEPLOYMENT_IP }} | jq '.request.headers."Github-Run-Id"  | test( "'"$GITHUB_RUN_NUMBER"'")'
+          curl -s -o /dev/null -D - http://${{ secrets.NGINX_DEPLOYMENT_IP }} | grep "Github-Run-Id: $GITHUB_RUN_ID"
       - name: "Update config - multi file"
         shell: bash
         run: |
@@ -70,12 +70,12 @@ jobs:
       - name: "Validate config update"
         shell: bash
         run: |
-          wget -O - -o /dev/null http://${{ secrets.NGINX_DEPLOYMENT_IP }} | jq '.request.headers."Github-Run-Id"  | test( "'"$GITHUB_RUN_ID"'")'
+          curl -s -o /dev/null -D - http://${{ secrets.NGINX_DEPLOYMENT_IP }} | grep "Github-Run-Id: $GITHUB_RUN_ID"
       - name: "Validate certificate update"
-        uses: azure/CLI@v1
+        uses: azure/cli@v2
         with:
           inlineScript: |
             echo "-----BEGIN CERTIFICATE-----" > /tmp/$GITHUB_RUN_ID.tmp
             az keyvault certificate show --vault-name $NGINX_VAULT_NAME  -n $NGINX_CERT_NAME | jq -r .cer | cat >> /tmp/$GITHUB_RUN_ID.tmp
             echo "-----END CERTIFICATE-----" >> /tmp/$GITHUB_RUN_ID.tmp
-            wget -O - -o /dev/null https://${{ secrets.NGINX_DEPLOYMENT_IP }} --ca-certificate=/tmp/$GITHUB_RUN_ID.tmp | jq '.request.headers."Github-Run-Id"  | test( "'"$GITHUB_RUN_ID"'")'
+            curl -s -o /dev/null -D - https://${{ secrets.NGINX_DEPLOYMENT_IP }} --cacert /tmp/$GITHUB_RUN_ID.tmp | grep "Github-Run-Id: $GITHUB_RUN_ID"
diff --git a/github-action/README.md b/github-action/README.md
@@ -29,12 +29,12 @@ jobs:
       uses: actions/checkout@v2
 
     - name: 'Run Azure Login using an Azure service principal with a secret'
-      uses: azure/login@v1
+      uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/[email protected].0
+      uses: nginxinc/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -69,14 +69,14 @@ jobs:
       uses: actions/checkout@v2
 
     - name: 'Run Azure Login using OIDC'
-      uses: azure/login@v1
+      uses: azure/login@v2
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/[email protected].0
+      uses: nginxinc/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -86,6 +86,9 @@ jobs:
         transformed-nginx-config-directory-path: /etc/nginx/
 ```
 
+> **Note:**
+The service principal being used for authenticating with Azure should have access to manage the NGINXaaS deployment. For simplicity, this guide assumes that the service principal has `Contributor` role to manage the deployment. Refer [prerequisites](https://docs.nginx.com/nginxaas/azure/getting-started/prerequisites/) for details.
+
 ## Handling NGINX configuration file paths
 
 To facilitate the migration of the existing NGINX configuration, NGINXaaS for Azure supports multiple-files configuration with each file uniquely identified by a file path, just like how NGINX configuration files are created and used in a self-hosting machine. An NGINX configuration file can include another file using the [include directive](https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/). The file path used in an `include` directive can either be an absolute path or a relative path to the [prefix path](https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions/).
@@ -101,7 +104,7 @@ To use this action to sync the configuration files from this example, the direct
 
 ```yaml
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/[email protected].0
+      uses: nginxinc/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -133,7 +136,7 @@ The action supports an optional input `transformed-nginx-config-directory-path`
 
 ```yaml
     - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/[email protected].0
+      uses: nginxinc/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -151,11 +154,11 @@ The transformed paths of the two configuration files in the NGINXaaS for Azure d
 
 ## Handling NGINX certificates
 
-Since certificates are secrets, it is assumed they are stored in Azure key vault. One can provide multiple certificate entries to the github action as an array of JSON objects with keys: 
+Since certificates are secrets, it is assumed they are stored in Azure key vault. One can provide multiple certificate entries to the github action as an array of JSON objects with keys:
 
 `certificateName`- A unique name for the certificate entry
 
-`keyvaultSecret`- The secret ID for the certificate on Azure key vault 
+`keyvaultSecret`- The secret ID for the certificate on Azure key vault
 
 `certificateVirtualPath`- This path must match one or more ssl_certificate directive file arguments in your Nginx configuration; and must be unique between certificates within the same deployment
 
@@ -165,7 +168,7 @@ See the example below
 
 ```yaml
 - name: "Sync NGINX certificates to NGINXaaS for Azure"
-        uses: nginxinc/[email protected].0
+        uses: nginxinc/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -178,7 +181,7 @@ See the example below
 
 ```yaml
  - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure"
-        uses: nginxinc/[email protected].0
+        uses: nginxinc/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -188,4 +191,4 @@ See the example below
           nginx-root-config-file: nginx.conf
           transformed-nginx-config-directory-path: /etc/nginx/
           nginx-certificates: '[{"certificateName": "$NGINX_CERT_NAME", "keyvaultSecret": "https://$NGINX_VAULT_NAME.vault.azure.net/secrets/$NGINX_CERT_NAME", "certificateVirtualPath": "/etc/nginx/ssl/my-cert.crt", "keyVirtualPath": "/etc/nginx/ssl/my-cert.key"  } ]'
-```
+```
diff --git a/github-action/action.yml b/github-action/action.yml
@@ -23,22 +23,26 @@ inputs:
     default: "nginx.conf"
   transformed-nginx-config-directory-path:
     description: >
-      'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/". 
-      If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation 
+      'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/".
+      If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation
       can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.'
     required: false
     default: ""
   nginx-certificates:
     description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key"  }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key"  }] '
     required: false
+  debug:
+    description: "Enable/Disable debug output."
+    required: false
+    default: "false"
 runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }}
+      run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-config-directory-path != '' }}
       shell: bash
diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh
@@ -7,23 +7,27 @@ do
 case $i in
     --subscription_id=*)
     subscription_id="${i#*=}"
-    shift 
+    shift
     ;;
     --resource_group_name=*)
     resource_group_name="${i#*=}"
-    shift 
+    shift
     ;;
     --nginx_deployment_name=*)
     nginx_deployment_name="${i#*=}"
-    shift 
+    shift
     ;;
     --nginx_resource_location=*)
     nginx_resource_location="${i#*=}"
-    shift 
+    shift
     ;;
     --certificates=*)
     certificates="${i#*=}"
-    shift 
+    shift
+    ;;
+    --debug=*)
+    debug="${i#*=}"
+    shift
     ;;
     *)
     echo "Not matched option '${i#*=}' passed in."
@@ -35,27 +39,27 @@ done
 if [[ ! -v subscription_id ]];
 then
     echo "Please set 'subscription-id' ..."
-    exit 1 
+    exit 1
 fi
 if [[ ! -v resource_group_name ]];
 then
     echo "Please set 'resource-group-name' ..."
-    exit 1 
+    exit 1
 fi
 if [[ ! -v nginx_deployment_name ]];
 then
     echo "Please set 'nginx-deployment-name' ..."
-    exit 1 
+    exit 1
 fi
 if [[ ! -v nginx_resource_location ]];
 then
     echo "Please set 'nginx-resource-location' ..."
-    exit 1 
+    exit 1
 fi
 if [[ ! -v certificates ]];
 then
     echo "Please set 'nginx-certificates' ..."
-    exit 1 
+    exit 1
 fi
 
 arm_template_file="nginx-for-azure-certificate-template.json"
@@ -69,13 +73,13 @@ echo ""
 
 az account set -s "$subscription_id" --verbose
 
-count=$(echo $certificates | jq '. | length')
+count=$(echo "$certificates" | jq '. | length')
 for (( i=0; i<count; i++ ));
 do
-    nginx_cert_name=$(echo $certificates | jq -r '.['"$i"'].certificateName')
-    nginx_cert_file=$(echo $certificates | jq -r '.['"$i"'].certificateVirtualPath')
-    nginx_key_file=$(echo $certificates | jq -r '.['"$i"'].keyVirtualPath')
-    keyvault_secret=$(echo $certificates | jq -r '.['"$i"'].keyvaultSecret')
+    nginx_cert_name=$(echo "$certificates" | jq -r '.['"$i"'].certificateName')
+    nginx_cert_file=$(echo "$certificates" | jq -r '.['"$i"'].certificateVirtualPath')
+    nginx_key_file=$(echo "$certificates" | jq -r '.['"$i"'].keyVirtualPath')
+    keyvault_secret=$(echo "$certificates" | jq -r '.['"$i"'].keyvaultSecret')
 
     do_nginx_arm_deployment=1
     err_msg=" "
@@ -103,9 +107,9 @@ do
     uuid="$(cat /proc/sys/kernel/random/uuid)"
     template_file="template-$uuid.json"
     template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-    
+
     cp "$arm_template_file" "$template_file"
-    
+
     echo "Synchronizing NGINX certificate"
     echo "Subscription ID: $subscription_id"
     echo "Resource group name: $resource_group_name"
@@ -120,11 +124,32 @@ do
 
     if [ $do_nginx_arm_deployment -eq 1 ]
     then
+        az_cmd=(
+            "az"
+            "deployment"
+            "group"
+            "create"
+            "--name" "$template_deployment_name"
+            "--resource-group" "$resource_group_name"
+            "--template-file" "$template_file"
+            "--parameters"
+            "name=$nginx_cert_name"
+            "location=$nginx_resource_location"
+            "nginxDeploymentName=$nginx_deployment_name"
+            "certificateVirtualPath=$nginx_cert_file"
+            "keyVirtualPath=$nginx_key_file"
+            "keyVaultSecretID=$keyvault_secret"
+            "--verbose"
+        )
+        if [[ "$debug" == true ]]; then
+            az_cmd+=("--debug")
+        fi
+        echo "${az_cmd[@]}"
         set +e
-        az deployment group create --name "$template_deployment_name" --resource-group "$resource_group_name" --template-file "$template_file" --parameters name="$nginx_cert_name" location="$nginx_resource_location" nginxDeploymentName="$nginx_deployment_name" certificateVirtualPath="$nginx_cert_file" keyVirtualPath="$nginx_key_file" keyVaultSecretID="$keyvault_secret" --verbose
-        set -e  
-    else 
+        "${az_cmd[@]}"
+        set -e
+    else
         echo "Skipping JSON object $i cert deployment with error:$err_msg"
         echo ""
-    fi     
+    fi
 done