From fd2a86d743064008ccf6329c15568261a7493bd9 Mon Sep 17 00:00:00 2001
From: Arjen Huitema
Date: Fri, 19 Jul 2024 17:18:57 +0200
Subject: [PATCH] Create alz-pattern-update-policies.yml

---
 .../workflows/alz-pattern-update-policies.yml | 154 ++++++++++++++++++
 1 file changed, 154 insertions(+)
 create mode 100644 .github/workflows/alz-pattern-update-policies.yml

diff --git a/.github/workflows/alz-pattern-update-policies.yml b/.github/workflows/alz-pattern-update-policies.yml
new file mode 100644
index 000000000..988bc1606
--- /dev/null
+++ b/.github/workflows/alz-pattern-update-policies.yml
@@ -0,0 +1,154 @@ +--- +name: Update Policy Deployment Templates + +########################################## +# Start the job on push for all branches # +########################################## + +# yamllint disable-line rule:truthy +on: + pull_request_target: + types: + - opened + - reopened + - synchronize + - ready_for_review + paths: + - "services/**.json" + - "patterns/alz/**.json" + - "patterns/alz/templates/**.bicep" + +env: + github_user_name: "github-actions" + github_email: "41898282+github-actions[bot]@users.noreply.github.com" + github_commit_message: "Auto-update Policies" + github_pr_number: ${{ github.event.number }} + github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }} + +permissions: + contents: write + +############### +# Set the Job # +############### + +jobs: + update-portal: + name: Update Policy Deployment Templates + runs-on: ubuntu-latest + if: | + ( + github.event.pull_request.head.repo.full_name == 'Azure/azure-monitor-baseline-alerts' + ) + || + ( + github.event.pull_request.head.repo.full_name != 'Azure/azure-monitor-baseline-alerts' + && + contains(github.event.pull_request.labels.*.name, 'PR: Safe to test :test_tube:') + ) + || + ( + github.event_name == 'workflow_dispatch' + ) + || + ( + github.event_name == 'merge_group' + ) + + steps: + - name: Check out repository + uses: actions/checkout@v3 + + - name: Show env + run: env | sort + + - name: Check out PR + run: | + echo "==> Check out PR..." 
+ gh pr checkout "$github_pr_number" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Configure local git + run: | + echo "git user name : $github_user_name" + git config --global user.name "$github_user_name" + echo "git user email : $github_email" + git config --global user.email "$github_email" + + - name: Update policies + run: bicep build ./patterns/alz/templates/policies-Automation.bicep --outfile ./patterns/alz/policyDefinitions/policies-Automation.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Compute.bicep --outfile ./patterns/alz/policyDefinitions/policies-Compute.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Hybrid.bicep --outfile ./patterns/alz/policyDefinitions/policies-Hybrid.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-KeyManagement.bicep --outfile ./patterns/alz/policyDefinitions/policies-KeyManagement.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Monitoring.bicep --outfile ./patterns/alz/policyDefinitions/policies-Monitoring.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Network.bicep --outfile ./patterns/alz/policyDefinitions/policies-Network.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-NotificationAssets.bicep --outfile ./patterns/alz/policyDefinitions/policies-NotificationAssets.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-RecoveryServices.bicep --outfile ./patterns/alz/policyDefinitions/policies-RecoveryServices.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-ServiceHealth.bicep --outfile 
./patterns/alz/policyDefinitions/policies-ServiceHealth.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Storage.bicep --outfile ./patterns/alz/policyDefinitions/policies-Storage.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policies-Web.bicep --outfile ./patterns/alz/policyDefinitions/policies-Web.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./patterns/alz/templates/policySets.bicep --outfile ./patterns/alz/policyDefinitions/policySets.json + + - name: Update policy set definitions (initiatives) + run: bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json + + - name: Check git status + run: | + echo "==> Check git status..." + git status --short --branch + + - name: Stage changes + run: | + echo "==> Stage changes..." + mapfile -t STATUS_LOG < <(git status --short | grep eslzArm/) + if [ ${#STATUS_LOG[@]} -gt 0 ]; then + echo "Found changes to the following files:" + printf "%s\n" "${STATUS_LOG[@]}" + git add --all ./eslzArm + else + echo "No changes to add." + fi + + - name: Push changes + run: | + echo "==> Check git diff..." + mapfile -t GIT_DIFF < <(git diff --cached) + printf "%s\n" "${GIT_DIFF[@]}" + + if [ ${#GIT_DIFF[@]} -gt 0 ]; then + + echo "==> Commit changes..." + git commit --message "$github_commit_message [$GITHUB_ACTOR/${GITHUB_SHA::8}]" + + echo "==> Push changes..." + echo "Pushing changes to: $github_pr_repo" + git push "https://$GITHUB_TOKEN@github.com/$github_pr_repo.git" "HEAD:$GITHUB_HEAD_REF" + + else + echo "No changes found." + fi + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
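Review bot: The fork gate in the job `if:` relies on the `PR: Safe to test :test_tube:` label, but the trigger also includes `synchronize`, so once a maintainer applies the label a fork author can push further commits that are checked out by `gh pr checkout` and fed to `bicep build` in the base repository's `pull_request_target` context with `contents: write` and `secrets.GITHUB_TOKEN`, without any re-review. Consider having a companion workflow remove the label on `synchronize`, or record the approved `head.sha` and compare it against `github.event.pull_request.head.sha` before the `Check out PR` step, and pin `actions/checkout@v3` to a commit SHA since this job carries a write token. Separately, the `Stage changes` step only stages `./eslzArm` (and its grep only matches `eslzArm/`), so every `policies-*.json` and `policySets.json` written to `./patterns/alz/policyDefinitions/` is regenerated but never committed — presumably the intent was `git add --all ./patterns/alz/policyDefinitions ./eslzArm` with the grep widened to match; the `./src/templates/initiatives.bicep` input also looks carried over from another repository and should be confirmed to exist here. The `workflow_dispatch` and `merge_group` branches of the condition are dead because `on:` lists only `pull_request_target`, and the token embedded in the `git push` URL would be better supplied via the checkout's credential helper than on the command line, even though Actions masks it in logs.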