CI_CD.md

File metadata and controls

166 lines (115 loc) · 6.21 KB

Use Pulumi in CI/CD Pipelines with GitHub Actions

Prerequisites

  • Pulumi account
  • Azure Subscription
  • Azure CLI
  • GitHub CLI

Follow the instructions on this page to install the GitHub CLI.

On Windows, you can install the GitHub CLI with the Windows Package Manager from PowerShell:

```powershell
winget install -e --id GitHub.cli
```

You should have completed the Getting Started: Provisioning Infrastructure on Azure with Pulumi tutorial before doing this one.

Note

If you have not completed the previous tutorial, create a new directory and create a new Azure Pulumi project in an `infra` subdirectory with `pulumi new azure-csharp`.

Initialize a new GitHub repository

  • Go to the root directory for this workshop (the parent of the infra folder); all following shell commands are executed from this folder.
  • Create a .github/workflows folder (GitHub only picks up workflows from this exact path; on Windows the folder is created the same way, git stores the path with forward slashes).
  • Copy the infra.yml workflow file (located alongside these instructions) into this .github/workflows folder.

The workflow file contains the pipeline that provisions the infrastructure defined in the infra folder. It uses the Pulumi GitHub Action, which runs `pulumi up` on the dev stack. Have a look at infra.yml to understand what it does.

Note

The Pulumi GitHub Action is configured in the file to work with Pulumi Cloud. If you are not using Pulumi Cloud as your backend and secrets provider, you will have to adjust the configuration; you can check these examples.

If you are using .NET or Go, dependencies are restored automatically when `pulumi up` runs in the pipeline, so you don't need a separate restore step. You may still add one to pin the .NET or Go version. For other runtimes (Python or Node.js, for instance) you must add steps to infra.yml that install the dependencies before the Pulumi step runs.

Steps to add for TypeScript

```yaml
- name: Install pnpm
  uses: pnpm/action-setup@v4
  with:
    version: latest

- name: Use Node.js LTS version
  uses: actions/setup-node@v4
  with:
    node-version: 'lts/*'
    cache: 'pnpm'
    cache-dependency-path: './infra/pnpm-lock.yaml'

- name: Install dependencies
  run: pnpm install
  working-directory: 'infra'
```

  • Initialize the git repository with your Pulumi project and the workflow file

```shell
git init
git add .
git commit -m "Initialize repository with infrastructure code"
```

  • Create a new remote private GitHub repository

```shell
gh repo create pulumi-azure-workshop-lab --private --source=. --push
```

Create the identity in Microsoft Entra ID for the GitHub Actions workflow and register the configuration in the GitHub Secrets

  • Create a Pulumi access token from your Pulumi account so that the pipeline can interact with the Pulumi Cloud backend of your project. Treat it like any other credential: it belongs only in a GitHub secret, never in the repository.

Note

You could also use OpenID Connect to authenticate to Pulumi Cloud instead of relying on a long-lived personal access token. You can check this article to see how to do that.

  • Copy the configureAzureWorkloadIdentity.ps1 or the configureAzureWorkloadIdentity.sh script (depending on your preference) into your repository folder.

  • Replace 'pul-********' with your access token and execute the configureAzureWorkloadIdentity script, which configures everything the pipeline needs to provision the infrastructure in Azure. Pass the token on the command line only; if you paste it into the script file instead, do not commit that change (and remember that a token typed on the command line ends up in your shell history):

Command in PowerShell

```powershell
.\configureAzureWorkloadIdentity.ps1 -PulumiToken 'pul-********'
```

Command in Bash

(first, make the script executable with `chmod +x configureAzureWorkloadIdentity.sh`)

```shell
./configureAzureWorkloadIdentity.sh --PulumiToken='pul-********'
```

Note

The script creates an Azure App Registration and its federated identity credential in Microsoft Entra ID. That allows the GitHub Actions workflow to authenticate to Azure from the main branch of this GitHub repository: the federated credential's subject is scoped to that branch, so a run triggered from another branch, a pull request or an environment presents a different subject and needs its own federated credential. The script also registers the GitHub Secrets for the federated identity that the workflow uses. Because this does not rely on a service principal secret, only on a short-lived token that GitHub issues at run time (which is why the workflow needs the `id-token: write` permission), there is no long-lived credential to leak or rotate, which makes it a more secure way of authenticating to Azure from a CI/CD pipeline. Check the documentation if you want to understand how Workload Identity Federation works.
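To make concrete what the script does, here is an added example of the same sequence in Bash. It is example code written for these notes, not the workshop's configureAzureWorkloadIdentity.sh (which you should still use for the lab). It assumes that the workflow reads the secrets AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID (names assumed; only PULUMI_ACCESS_TOKEN is confirmed by the workflow excerpt on this page) and that you are already logged in with `az login` and `gh auth login`. It also goes a little beyond the page: it takes the token from the environment instead of the command line, and it makes the branch and the role-assignment scope explicit so you can see what to change.

```shell
#!/usr/bin/env bash
# Added illustration of what a configureAzureWorkloadIdentity script does.
# Not the workshop's script. Assumes the workflow reads the secrets
# AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID and PULUMI_ACCESS_TOKEN
# (only the last name is confirmed by the page). Needs `az login` and `gh auth login`.
set -eu

# Subject claim GitHub puts in the OIDC token for a push to a branch.
# Entra ID matches this string exactly, so a run from another branch,
# a pull request or an environment presents a different subject and is rejected.
fic_subject() { # fic_subject OWNER/REPO BRANCH
  printf 'repo:%s:ref:refs/heads/%s' "$1" "$2"
}

# JSON body for `az ad app federated-credential create --parameters`.
fic_params() { # fic_params CREDENTIAL_NAME SUBJECT
  printf '{"name":"%s","issuer":"https://token.actions.githubusercontent.com","subject":"%s","audiences":["api://AzureADTokenExchange"]}' "$1" "$2"
}

configure() { # configure PULUMI_TOKEN [BRANCH]
  pulumi_token=$1
  branch=${2:-main}

  repo=$(gh repo view --json nameWithOwner -q .nameWithOwner)   # e.g. octo/pulumi-azure-workshop-lab
  app_name="github-$(printf '%s' "$repo" | tr / -)-$branch"
  subscription_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  # App registration and its service principal; no client secret is ever created.
  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Trust tokens issued by GitHub for this repository's branch only.
  az ad app federated-credential create --id "$app_id" \
    --parameters "$(fic_params "github-$branch" "$(fic_subject "$repo" "$branch")")" >/dev/null

  # Contributor on the whole subscription is the broadest thing `pulumi up` needs here;
  # narrow the scope to a resource group if your stack lives in one.
  az role assignment create --assignee-object-id "$sp_object_id" \
    --assignee-principal-type ServicePrincipal --role Contributor \
    --scope "/subscriptions/$subscription_id" >/dev/null

  # Only identifiers go into the repository secrets. The Pulumi token is piped
  # on stdin so it never shows up in the process list.
  gh secret set AZURE_CLIENT_ID --body "$app_id"
  gh secret set AZURE_TENANT_ID --body "$tenant_id"
  gh secret set AZURE_SUBSCRIPTION_ID --body "$subscription_id"
  printf '%s' "$pulumi_token" | gh secret set PULUMI_ACCESS_TOKEN
}

# Run for real only when asked explicitly, with the token read from the
# environment rather than the command line (keeps it out of shell history).
if [ "${1:-}" = "--apply" ]; then
  configure "${PULUMI_ACCESS_TOKEN:?export PULUMI_ACCESS_TOKEN first}" "${2:-main}"
fi
```

Invoke it as `PULUMI_ACCESS_TOKEN='pul-********' ./configure.sh --apply main`. The two small helpers are what most often goes wrong in practice: a subject that does not match exactly what GitHub puts in the token (for example `refs/heads/main` versus a pull-request subject) produces an authentication failure in the workflow with no change visible in Azure.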

Run the workflow to provision Azure resources

  • Run the infra workflow

```shell
gh workflow run infra.yml
```

  • Watch the workflow progress (the run is queued asynchronously; if `gh run list` does not show it yet, wait a few seconds and run the command again)

Command in PowerShell

```powershell
$runId=$(gh run list --workflow=infra.yml --json databaseId -q ".[0].databaseId");
gh run watch $runId;
```

Command in Bash

```shell
runId=$(gh run list --workflow=infra.yml --json databaseId -q ".[0].databaseId");
gh run watch $runId;
```

  • Open the GitHub repository in the browser

```shell
gh repo view -w
```

  • Check in the Azure portal that the Azure resources have been created

Note

Instead of using scripts to create and configure the GitHub repository and the workload identity federation, we could also have used Pulumi itself, as explained in this article.

Use stack outputs

  • Check the Pulumi GitHub Actions documentation and add a step in the workflow to echo the appServiceUrl stack output. The action exposes every stack output as an output of the step, so `steps.<id>.outputs.<output name>` works for any output your program exports.

GitHub Actions workflow

```yaml
- name: Provision infrastructure
  uses: pulumi/actions@v6
  id: pulumi
  with:
    command: up
    stack-name: dev
    work-dir: infra
  env:
    PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

- run: echo "App service url is ${{ steps.pulumi.outputs.appServiceUrl }}"
```