azure-dev.yml
# Provisions Azure infrastructure with the Azure Developer CLI (azd).
name: AZD Deployment

# Runs on manual dispatch, and on pushes to main that touch the
# infrastructure definition, the azd project file, the scripts directory,
# or this workflow itself.
on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - "infra/**"
      - "azure.yaml"
      - "scripts/**"
      - ".github/workflows/azure-dev.yml"

# Token scopes for every job in this workflow:
#   id-token: write - lets the job request a GitHub OIDC token, which the
#                     federated-credential logins below exchange for Azure
#                     access (no stored client secret)
#   contents: read  - read-only repository access for checkout
permissions:
  id-token: write
  contents: read
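jobs:
  build:
    runs-on: ubuntu-latest
    # Non-secret deployment settings come from repository variables. They are
    # exported once here so that shell steps read them as environment
    # variables instead of having ${{ }} expressions pasted into script text.
    env:
      AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
      AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
      AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
      AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
      TEMP: /tmp
    steps:
      # NOTE(review): the three third-party actions below are referenced by
      # mutable tags (@v4, @v2) in a job that holds id-token: write. Pinning
      # each `uses:` to a full commit SHA (with the tag kept as a trailing
      # comment) keeps a moved tag from changing what runs here.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
          # No later step performs git operations, so do not leave the
          # workflow token in .git/config for scripts run by later steps.
          persist-credentials: false

      - name: Install azd
        uses: Azure/setup-azd@v2

      # Federated (OIDC) login: no client secret is stored or passed.
      - name: Azure Developer CLI Login
        run: |
          azd auth login `
            --client-id "$Env:AZURE_CLIENT_ID" `
            --federated-credential-provider "github" `
            --tenant-id "$Env:AZURE_TENANT_ID"
        shell: pwsh

      - name: Azure CLI Login
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Resolve Service Principal Object ID
        env:
          # Passed through the environment rather than expanded inside the
          # script, so the value is never parsed as shell syntax.
          PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID }}
        run: |
          # Strict 8-4-4-4-12 GUID shape. The previous pattern accepted any 36
          # characters drawn from hex digits and hyphens (e.g. 36 hyphens).
          guid_re='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

          # If PRINCIPAL_ID repo variable is set and is a valid GUID, use it directly
          if [[ "$PRINCIPAL_ID" =~ $guid_re ]]; then
            echo "Using PRINCIPAL_ID from repo variables"
            echo "AZURE_PRINCIPAL_ID=$PRINCIPAL_ID" >> "$GITHUB_ENV"
          else
            # Resolve the Object ID from the Application (Client) ID
            # Role assignments require the SP Object ID, not the Client/App ID
            echo "Resolving Service Principal Object ID from Client ID..."
            # The default bash shell runs with -e, so a failing lookup would
            # abort the step before the error annotation below is printed;
            # fall back to an empty value and let the check report it.
            SP_OBJECT_ID=$(az ad sp show --id "$AZURE_CLIENT_ID" --query id -o tsv 2>/dev/null) || SP_OBJECT_ID=""
            # Validate before writing to GITHUB_ENV: rejects an empty result
            # and anything that is not a single GUID.
            if [[ ! "$SP_OBJECT_ID" =~ $guid_re ]]; then
              echo "::error::Failed to resolve Service Principal Object ID from Client ID: $AZURE_CLIENT_ID"
              exit 1
            fi
            echo "Resolved SP Object ID: $SP_OBJECT_ID"
            echo "AZURE_PRINCIPAL_ID=$SP_OBJECT_ID" >> "$GITHUB_ENV"
          fi

      - name: Create Resource Group if needed
        run: |
          # Use provided RG name or derive from environment name
          RESOURCE_GROUP="${AZURE_RESOURCE_GROUP:-rg-${AZURE_ENV_NAME}}"
          echo "Using resource group: $RESOURCE_GROUP"

          RG_EXISTS=$(az group exists --name "$RESOURCE_GROUP")
          if [ "$RG_EXISTS" = "false" ]; then
            echo "Creating resource group: $RESOURCE_GROUP"
            # Location is read from the job-level env var and quoted, instead
            # of an unquoted expression expanded into the command line.
            az group create --name "$RESOURCE_GROUP" --location "$AZURE_LOCATION"
          else
            echo "Resource group already exists: $RESOURCE_GROUP"
          fi

          # Set for subsequent steps
          echo "RESOURCE_GROUP=$RESOURCE_GROUP" >> "$GITHUB_ENV"

      - name: Provision Infrastructure
        id: provision-main
        run: azd provision --no-prompt
        env:
          # The only secret in this workflow; it is scoped to this step and
          # handed over as an environment variable.
          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
          AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
          fabricCapacityMode: 'none'
          fabricWorkspaceMode: 'none'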