Fix Defender defaults parity, expose appSubnetDelegation, document De… #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OIDC tokens from azure/login@v2 are valid for ~1 hour. Each job performs its | |
| # own fresh login, so token expiry is not a concern for typical deployments. | |
| # If a single deployment exceeds 1 hour, split it into smaller deployments or | |
| # add a second azure/login step before the long-running command. | |
| name: Deploy Landing Zone (Bicep) | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'infra/bicep/**' | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - 'infra/bicep/**' | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: 'Environment to deploy' | |
| required: true | |
| type: choice | |
| options: | |
| - prod | |
| - nonprod | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| env: | |
| BICEP_DIR: infra/bicep | |
| jobs: | |
| validate: | |
| name: Validate Bicep (${{ matrix.environment }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| environment: [prod, nonprod] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ matrix.environment == 'prod' && secrets.AZURE_SUBSCRIPTION_ID_PROD || secrets.AZURE_SUBSCRIPTION_ID_NONPROD }} | |
| - name: Validate Bicep | |
| run: | | |
| az deployment sub validate \ | |
| --location ${{ vars.AZURE_LOCATION || 'eastus2' }} \ | |
| --template-file ${{ env.BICEP_DIR }}/main.bicep \ | |
| --parameters ${{ env.BICEP_DIR }}/parameters/${{ matrix.environment }}.bicepparam | |
| what-if: | |
| name: What-If (${{ matrix.environment }}) | |
| runs-on: ubuntu-latest | |
| needs: validate | |
| if: github.event_name == 'pull_request' | |
| strategy: | |
| matrix: | |
| environment: [prod, nonprod] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ matrix.environment == 'prod' && secrets.AZURE_SUBSCRIPTION_ID_PROD || secrets.AZURE_SUBSCRIPTION_ID_NONPROD }} | |
| - name: What-If | |
| id: whatif | |
| run: | | |
| az deployment sub what-if \ | |
| --location ${{ vars.AZURE_LOCATION || 'eastus2' }} \ | |
| --template-file ${{ env.BICEP_DIR }}/main.bicep \ | |
| --parameters ${{ env.BICEP_DIR }}/parameters/${{ matrix.environment }}.bicepparam \ | |
| 2>&1 | tee whatif-output.txt | |
| - name: Post What-If to PR | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const whatif = fs.readFileSync('whatif-output.txt', 'utf8'); | |
| const truncated = whatif.length > 60000 ? whatif.substring(0, 60000) + '\n... (truncated)' : whatif; | |
| // Count resource changes from what-if output | |
| const createMatch = whatif.match(/Create:\s*(\d+)/); | |
| const modifyMatch = whatif.match(/Modify:\s*(\d+)/); | |
| const deleteMatch = whatif.match(/Delete:\s*(\d+)/); | |
| const noChanges = whatif.includes('no change'); | |
| let badge; | |
| if (noChanges && !createMatch && !modifyMatch && !deleteMatch) { | |
| badge = '`No changes`'; | |
| } else { | |
| const parts = []; | |
| if (createMatch) parts.push(`${createMatch[1]} to create`); | |
| if (modifyMatch) parts.push(`${modifyMatch[1]} to modify`); | |
| if (deleteMatch) parts.push(`${deleteMatch[1]} to delete`); | |
| badge = parts.length > 0 ? `\`${parts.join(', ')}\`` : '`See details`'; | |
| } | |
| const body = [ | |
| `### Bicep What-If — \`${{ matrix.environment }}\` ${badge}`, | |
| '', | |
| '<details>', | |
| '<summary>Show What-If Output</summary>', | |
| '', | |
| '```', | |
| truncated, | |
| '```', | |
| '', | |
| '</details>' | |
| ].join('\n'); | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); | |
| deploy-nonprod: | |
| name: Deploy Non-Prod | |
| runs-on: ubuntu-latest | |
| needs: validate | |
| if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request' | |
| environment: nonprod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_NONPROD }} | |
| - name: Deploy | |
| run: | | |
| az deployment sub create \ | |
| --location ${{ vars.AZURE_LOCATION || 'eastus2' }} \ | |
| --template-file ${{ env.BICEP_DIR }}/main.bicep \ | |
| --parameters ${{ env.BICEP_DIR }}/parameters/nonprod.bicepparam \ | |
| --name "lz-nonprod-$(date +%Y%m%d-%H%M%S)" | |
| deploy-prod: | |
| name: Deploy Prod | |
| runs-on: ubuntu-latest | |
| needs: deploy-nonprod | |
| if: github.ref == 'refs/heads/main' && github.event_name != 'pull_request' | |
| environment: prod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_PROD }} | |
| - name: Deploy | |
| run: | | |
| az deployment sub create \ | |
| --location ${{ vars.AZURE_LOCATION || 'eastus2' }} \ | |
| --template-file ${{ env.BICEP_DIR }}/main.bicep \ | |
| --parameters ${{ env.BICEP_DIR }}/parameters/prod.bicepparam \ | |
| --name "lz-prod-$(date +%Y%m%d-%H%M%S)" |