⚙️ 1 - Setting up the Bicep Module Registry

Description

In this step we're going to set up a Bicep Module Registry, create service principals with federated credentials, and add secrets to our GitHub repo so that the workflows in the repo can push modules to and pull modules from our registry.

Steps

Pre-requisites

Log in with your Azure account and set the context:

```powershell
Connect-AzAccount
Set-AzContext -SubscriptionName "<subscription name>"
```

1. Create an Azure Container Registry instance with Azure PowerShell

To host our Bicep Module Registry we're going to set up an Azure Container Registry in a dedicated resource group.

  1. Create a resource group for the Bicep Module Registry

```powershell
# Please use the same name to make it easier to follow this guide
$resourceGroup = New-AzResourceGroup -Name "bicep-registry-demo" -Location "westeurope"
```

  2. Create a resource group for the workload we're going to deploy

To keep the lifecycle of our Bicep Module Registry separate from that of the workloads we're going to deploy, we create a separate resource group for them. This also lets us scope role assignments to each resource group, following the principle of least privilege.

```powershell
# Please use the same name to make it easier to follow this guide
$workloadResourceGroup = New-AzResourceGroup -Name "bicep-workload-demo" -Location "westeurope"
```

  3. Create an Azure Container Registry

❗ Make note of the registry name you choose. It must be globally unique and consist of 5 to 50 alphanumeric characters.

```powershell
$registryName = "" # example: 'br<your initials><4 digits>'
$registry = New-AzContainerRegistry -Name $registryName -ResourceGroupName $resourceGroup.ResourceGroupName -Location "westeurope" -Sku "Basic"
```
2. Add the registry URL to the bicepconfig.json in your clone

  1. Find the registry URL with:

```powershell
$registry.LoginServer

# <registryname>.azurecr.io
```

  2. Open the file and set the correct registry value:

```json
{
  "moduleAliases": {
    "br": {
      "demoRegistry": {
        "registry": "<your registry url>" // Change this value
      }
    }
  }
}
```

  3. Commit and push the changes:

```shell
git add bicepconfig.json
git commit -m "fix: update registry value"
git push
```

3. Set up Azure AD service principals

To use the Bicep Module Registry we're going to set up two service principals, because we are going to run two different workflows that need different permissions.

The first principal gets the AcrPush role on the registry. The second gets the AcrPull role on the registry, plus Contributor on the workload resource group.

💡 This would typically be set up across more than one repository and subscription, where one repository is the source of the modules (with push permissions) and the others act as workload deployment repositories that deploy to other subscriptions. Since we're mimicking this behaviour within one repository and subscription, we set up two environments, two resource groups and two service principals to demonstrate the principle of least privilege.

  1. Create service principals and role assignments

```powershell
# Verify your registry
$registry = Get-AzContainerRegistry -Name "$registryName" -ResourceGroupName $resourceGroup.ResourceGroupName

# Set up AcrPush SP (push-only: scoped to the registry, nothing else)
$appPush = New-AzADApplication -DisplayName "bicep-registry-demo-ci-push"
$spPush = New-AzADServicePrincipal -ApplicationId $appPush.AppId
# If this fails with "PrincipalNotFound", the new principal has not replicated yet:
# wait a minute and re-run the role assignment.
New-AzRoleAssignment -ObjectId $spPush.Id `
  -RoleDefinitionName "AcrPush" `
  -Scope $registry.Id

# Set up AcrPull SP (read-only on the registry)
$appPull = New-AzADApplication -DisplayName "bicep-registry-demo-ci-pull"
$spPull  = New-AzADServicePrincipal -ApplicationId $appPull.AppId
New-AzRoleAssignment -ObjectId $spPull.Id `
  -RoleDefinitionName "AcrPull" `
  -Scope $registry.Id

# Add deploy permissions to the workload resource group only, not the subscription
New-AzRoleAssignment -ObjectId $spPull.Id `
  -RoleDefinitionName Contributor `
  -ResourceGroupName $workloadResourceGroup.ResourceGroupName
```
  2. Add Federated Credentials for GitHub

For our GitHub Actions workflows to be able to log in to Azure and push/pull modules we need to set up some credentials. This step adds federated credentials so the workflows authenticate with OpenID Connect. This removes the need to maintain (update and rotate) a client secret in our GitHub repository.

The subject claim is what ties each credential to a specific workflow context: with `repo:<owner>/<repo>:environment:<name>` only jobs that run in that environment of that repository can exchange their GitHub token for an Azure token; a workflow in another repository, fork or environment gets nothing. Keep the subject as narrow as the workflow allows.

```powershell
#! Set this value to match your own repository!
$githubUser = "matsest"

# Add push credentials (Azure-Push environment)
New-AzADAppFederatedCredential -ApplicationObjectId $appPush.Id `
  -Name 'AcrPush' `
  -Audience 'api://AzureADTokenExchange' `
  -Issuer 'https://token.actions.githubusercontent.com' `
  -Subject "repo:$githubUser/bicep-registry-demo:environment:Azure-Push" `
  -Description "Bicep Module Registry Demo - Push"

# Add pull credentials (Azure environment)
New-AzADAppFederatedCredential -ApplicationObjectId $appPull.Id `
  -Name 'AcrPull' `
  -Audience 'api://AzureADTokenExchange' `
  -Issuer 'https://token.actions.githubusercontent.com' `
  -Subject "repo:$githubUser/bicep-registry-demo:environment:Azure" `
  -Description "Bicep Module Registry Demo - Pull"
```
  3. Add secrets to GitHub repo

Even though we're not adding client secrets to our GitHub repository, we still need to add some repository secrets that tell GitHub Actions which registry, service principal, subscription and tenant to use. These values are identifiers rather than secrets, but storing them as secrets lets the workflows reference them uniformly. The client IDs are stored as environment secrets, so each workflow only sees the principal belonging to its own environment.

If you have the GitHub CLI installed you can do this step from the command line. If you do not have it you can add the secrets manually in the browser. The Azure-Push and Azure environments need to exist in the repository before you set environment-scoped secrets; create them under Settings > Environments if your clone does not have them yet.

```powershell
$registryUrl = $registry.LoginServer
$pushClientId = $appPush.AppId
$pullClientId = $appPull.AppId
$subscriptionId = (Get-AzContext).Subscription.Id
$tenantId = (Get-AzContext).Subscription.TenantId

# Continue if you have GitHub CLI
gh secret set ACR_REGISTRY --body "$registryUrl"
gh secret set AZURE_TENANT_ID --body "$tenantId"
gh secret set AZURE_SUBSCRIPTION_ID --body "$subscriptionId"
gh secret set ACR_PUSH_CLIENT_ID --body "$pushClientId" --env Azure-Push
gh secret set ACR_PULL_CLIENT_ID --body "$pullClientId" --env Azure
```

You should now have the following secrets present:

  • Repository secrets: ACR_REGISTRY, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID
  • Azure-Push environment secret: ACR_PUSH_CLIENT_ID
  • Azure environment secret: ACR_PULL_CLIENT_ID
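Before moving on it is worth checking that the setup really is as tight as the text describes. The script below is an added example, not part of the demo repository: it re-reads the role assignments, federated credentials and app credentials of both principals, and the committed bicepconfig.json, and reports anything that deviates from this step. It assumes the resource and application names used above, plus the three values at the top ($githubUser, $registryName, $bicepConfigPath), which you have to set yourself.

```powershell
# Added verification script (not part of the demo repo). Assumes the names used in
# this step; the three values below are assumptions you must set for your own clone.
$ErrorActionPreference = 'Stop'
$githubUser      = "<your github user>"   # assumption: owner of your repository
$registryName    = "<your registry name>" # assumption: the name chosen above
$bicepConfigPath = "./bicepconfig.json"   # assumption: run from the root of the clone

$registry   = Get-AzContainerRegistry -Name $registryName -ResourceGroupName "bicep-registry-demo"
$workloadRg = Get-AzResourceGroup -Name "bicep-workload-demo"
$appPush    = Get-AzADApplication -DisplayName "bicep-registry-demo-ci-push"
$appPull    = Get-AzADApplication -DisplayName "bicep-registry-demo-ci-pull"
$spPush     = Get-AzADServicePrincipal -ApplicationId $appPush.AppId
$spPull     = Get-AzADServicePrincipal -ApplicationId $appPull.AppId

$ghIssuer   = 'https://token.actions.githubusercontent.com'
$ghAudience = 'api://AzureADTokenExchange'

# A principal must hold exactly the expected "Role@Scope" pairs. Get-AzRoleAssignment also
# returns assignments inherited from the resource group or subscription, so a broader grant
# made by hand (e.g. Contributor on the subscription) shows up here as "unexpected".
function Test-RoleAssignments($sp, [string[]]$expected) {
    $actual = @(Get-AzRoleAssignment -ObjectId $sp.Id |
        ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" })
    $problems = @()
    foreach ($e in $expected) { if ($e -notin $actual)   { $problems += "$($sp.DisplayName): missing $e" } }
    foreach ($a in $actual)   { if ($a -notin $expected) { $problems += "$($sp.DisplayName): unexpected $a" } }
    return $problems
}

# A federated credential is only as tight as its subject: the token exchange succeeds for
# every GitHub workflow run whose OIDC token subject matches it exactly.
function Test-FederatedCredential($app, [string]$expectedSubject) {
    $creds = @(Get-AzADAppFederatedCredential -ApplicationObjectId $app.Id)
    $problems = @()
    if ($creds.Count -ne 1) { $problems += "$($app.DisplayName): expected 1 federated credential, found $($creds.Count)" }
    foreach ($c in $creds) {
        if ($c.Issuer -ne $ghIssuer)              { $problems += "$($app.DisplayName)/$($c.Name): issuer is $($c.Issuer)" }
        if ($c.Audience -notcontains $ghAudience) { $problems += "$($app.DisplayName)/$($c.Name): audience is $($c.Audience -join ',')" }
        if ($c.Subject -ne $expectedSubject)      { $problems += "$($app.DisplayName)/$($c.Name): subject is $($c.Subject)" }
    }
    return $problems
}

# OIDC was chosen so that no client secret exists to leak or rotate; confirm none was added.
function Test-NoClientSecrets($app) {
    $n = @(Get-AzADAppCredential -ApplicationObjectId $app.Id).Count
    if ($n -gt 0) { return "$($app.DisplayName): has $n password/certificate credential(s)" }
}

# The registry alias committed to the repo must point at this registry.
function Test-BicepConfig([string]$path, [string]$loginServer) {
    # bicepconfig.json may carry // comments; strip them before parsing.
    $json = (Get-Content -Raw $path) -replace '(?m)\s//.*$', ''
    $configured = (ConvertFrom-Json $json).moduleAliases.br.demoRegistry.registry
    if ($configured -ne $loginServer) { return "bicepconfig.json: registry is '$configured', expected '$loginServer'" }
}

$repo = "$githubUser/bicep-registry-demo"
$failures = @(
    Test-RoleAssignments $spPush @("AcrPush@$($registry.Id)")
    Test-RoleAssignments $spPull @("AcrPull@$($registry.Id)", "Contributor@$($workloadRg.ResourceId)")
    Test-FederatedCredential $appPush "repo:${repo}:environment:Azure-Push"
    Test-FederatedCredential $appPull "repo:${repo}:environment:Azure"
    Test-NoClientSecrets $appPush
    Test-NoClientSecrets $appPull
    Test-BicepConfig $bicepConfigPath $registry.LoginServer
)

if ($failures.Count -eq 0) {
    Write-Host "Setup verified: least-privilege roles, OIDC-only credentials, registry alias in place."
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from the root of your clone after the steps above, in the same session where you are logged in with Connect-AzAccount. An "unexpected" role assignment is the finding to care about: it usually means the principal also inherited a role at resource group or subscription level, which defeats the point of the two separate principals.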

Next Step

✔️ You've now successfully:

  • Set up a Bicep Module Registry in a dedicated resource group
  • Set up a resource group for workload deployments
  • Set up dedicated service principals for push and pull to the registry
  • Added Federated Identity credentials to authenticate GitHub Actions to Azure
  • Added secrets to your GitHub repository

Continue to the next step to publish your first Bicep module!