The Enterprise-Scale-APIM architecture solution template is intended to provision a single-region Premium API Management instance within an internal VNet, exposed through Application Gateway for external traffic, with Azure Functions as the backend (exposed through a private endpoint).
- An Azure Subscription
- An active GitHub repository
- Az CLI latest version OR
- Azure cloud shell
git clone https://github.com/cykreng/Enterprise-Scale-APIM.git
You can automate workflows with the Azure Login Action using a Service Principal, and then run Az CLI or Azure PowerShell scripts within the workflow.
The Azure Login action supports two different ways of authenticating with Azure:
- Service principal with secrets
- OpenID Connect (OIDC) with an Azure service principal using a Federated Identity Credential
3. Create a Service Principal using Az CLI commands by signing in interactively OR using Cloud Shell
a) Interactive sign-in using Az CLI
az login
- If the CLI can open your default browser, it will do so and load an Azure sign-in page
- Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal
- Sign in with your account credentials in the browser
- Run the below command if you have multiple subscriptions
az account set --subscription <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>
az account show
OR, if you have just a single subscription, run the below command to confirm that the correct subscription is selected
az account show
b) Sign-in using Cloud Shell
az account show
To use credentials such as a Service Principal in the workflow, add them as GitHub secrets in your GitHub repository.
Follow the below steps to configure the secrets used for authentication within the GitHub workflow:
- Go to your GitHub repository settings and add a new Actions secret by clicking ‘New repository secret’ from the Secrets menu
- Store the output of the below az cli command as a secret (e.g. AZURE_CREDENTIALS). This will be referenced back in the workflow file
az ad sp create-for-rbac --name "enterprise-scale-apim-app" --role contributor \
--scopes /subscriptions/{subscription-id} \
--sdk-auth
- Replace {subscription-id} with your subscription id
- The above command should output a JSON object like the one below:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}
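Before pasting the command output into the AZURE_CREDENTIALS secret, it is worth checking that it actually has the shape the azure/login action expects (a single JSON object carrying clientId, clientSecret, subscriptionId and tenantId) and that no placeholder such as <GUID> was copied by mistake. The script below is an added example, not code from the Enterprise-Scale-APIM repository; the sample blob and its GUIDs are constructed placeholders, and the only assumption about the real output is the four keys the README lists (newer Azure CLI releases print a deprecation warning for --sdk-auth but still emit this layout).

```python
import json
import os
import re

# Keys the README shows in the `az ad sp create-for-rbac --sdk-auth` output and
# that the azure/login action reads from the AZURE_CREDENTIALS secret.
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed sample blob: placeholder GUIDs and a fake secret, not real identifiers.
SAMPLE_CREDENTIALS = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "example-secret-value-not-real",
    "subscriptionId": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "tenantId": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
})


def validate_sdk_auth(blob: str) -> list:
    """Return the list of problems found in an --sdk-auth JSON blob (empty list means OK)."""
    problems = []
    try:
        data = json.loads(blob)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["top-level value is not a JSON object"]
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"missing or empty key: {key}")
            continue
        # Identifiers must be GUIDs; the secret is opaque but must not be a placeholder.
        if key != "clientSecret" and not GUID_RE.match(value):
            problems.append(f"{key} is not a GUID")
        if key == "clientSecret" and value.startswith("<"):
            problems.append("clientSecret still holds a placeholder")
    return problems


def redacted_summary(blob: str) -> dict:
    """A view that is safe to log: identifiers kept, the secret reduced to its length."""
    data = json.loads(blob)
    return {
        "clientId": data.get("clientId"),
        "subscriptionId": data.get("subscriptionId"),
        "tenantId": data.get("tenantId"),
        "clientSecretLength": len(data.get("clientSecret", "")),
    }


if __name__ == "__main__":
    # Read the real blob from the environment if present, else use the constructed sample.
    blob = os.environ.get("AZURE_CREDENTIALS", SAMPLE_CREDENTIALS)
    issues = validate_sdk_auth(blob)
    print(issues if issues else redacted_summary(blob))
```

Run it with the command output in the AZURE_CREDENTIALS environment variable; an empty problem list means the blob is safe to store as the secret, and the redacted summary is the only form that should ever appear in workflow logs.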
There is a workflow file es-apim.yml created under .github/workflows
a) Generate the following secrets in your GitHub repository settings
- AZURE_SUBSCRIPTION: Azure target subscription id
- PAT: Azure DevOps or GitHub personal access token (PAT) used to set up the CI/CD agent
- VM_PW: The password to be used as the Administrator for all VMs created by this deployment
b) In order to run the deployment successfully, modify the values in the config.yml file located here

| Name | Description |
| --- | --- |
| AZURE_LOCATION | Azure region where you want to deploy the resources |
| RESOURCE_NAME_PREFIX | Standardized suffix text to be added to resource names |
| ENVIRONMENT_TAG | The environment for which the deployment is being executed |
| DEPLOYMENT_NAME | Unique name of the Bicep Deployment |
| VM_USERNAME | The user name to be used as the Administrator for all VMs created by this deployment |
| ACCOUNT_NAME | The Azure DevOps or GitHub account name to be used when configuring the CI/CD agent, in the format https://dev.azure.com/ORGNAME OR github.com/ORGUSERNAME OR none |
| CICD_AGENT_TYPE | The CI/CD platform to be used, and for which an agent will be configured for the ASE deployment. Specify 'none' if no agent is needed |
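A wrong value in config.yml only surfaces once the Bicep deployment runs and fails, so a quick local check of the file before pushing saves a workflow round trip. The script below is an added example, not part of the Enterprise-Scale-APIM repository. It parses the flat KEY: 'value' lines of config.yml without needing PyYAML and applies the rules the table states (the three accepted ACCOUNT_NAME formats, 'none' for CICD_AGENT_TYPE). The remaining rules are assumptions for the example: that the non-'none' agent types are 'azuredevops' and 'github', that the prefix is kept to 2-10 lowercase alphanumerics so derived resource names stay valid, and that the VM administrator name is not one of the names Azure rejects for VM admins. The sample configuration is constructed.

```python
import re

# Assumption: besides 'none' (stated in the README), the template recognises these agent types.
ASSUMED_AGENT_TYPES = {"none", "azuredevops", "github"}
# The three ACCOUNT_NAME formats listed in the README's config table.
ACCOUNT_RE = re.compile(
    r"^(https://dev\.azure\.com/[A-Za-z0-9_-]+|github\.com/[A-Za-z0-9_-]+|none)$"
)
# Assumption: a short lowercase alphanumeric prefix keeps derived Azure resource names valid.
PREFIX_RE = re.compile(r"^[a-z0-9]{2,10}$")
# Names Azure does not accept as VM administrator usernames (subset, for the example).
REJECTED_ADMIN_NAMES = {"admin", "administrator", "root", "user", "guest"}
REQUIRED = ("AZURE_LOCATION", "RESOURCE_NAME_PREFIX", "ENVIRONMENT_TAG",
            "DEPLOYMENT_NAME", "VM_USERNAME", "ACCOUNT_NAME", "CICD_AGENT_TYPE")

# Constructed sample config.yml content (values are illustrative, not the project's defaults).
SAMPLE_CONFIG = """\
AZURE_LOCATION: 'eastus'
RESOURCE_NAME_PREFIX: 'esapim'
ENVIRONMENT_TAG: 'dev'
DEPLOYMENT_NAME: 'es-apim-dev-001'
VM_USERNAME: 'azureuser'
ACCOUNT_NAME: 'github.com/example-org'
CICD_AGENT_TYPE: 'github'
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse flat KEY: 'value' lines (no nesting), dropping comments and surrounding quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, val = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        values[key.strip()] = val.strip().strip("'\"")
    return values


def validate_config(values: dict) -> list:
    """Return the list of problems with the parsed config (empty list means OK)."""
    problems = []
    for key in REQUIRED:
        if not values.get(key):
            problems.append(f"{key} is missing or empty")
    prefix = values.get("RESOURCE_NAME_PREFIX", "")
    if prefix and not PREFIX_RE.match(prefix):
        problems.append("RESOURCE_NAME_PREFIX must be 2-10 lowercase alphanumerics")
    account = values.get("ACCOUNT_NAME", "")
    if account and not ACCOUNT_RE.match(account):
        problems.append("ACCOUNT_NAME must be https://dev.azure.com/ORGNAME, "
                        "github.com/ORGUSERNAME or none")
    agent = values.get("CICD_AGENT_TYPE", "").lower()
    if agent and agent not in ASSUMED_AGENT_TYPES:
        problems.append(f"CICD_AGENT_TYPE must be one of {sorted(ASSUMED_AGENT_TYPES)}")
    # Cross-field consistency: an agent needs an account, and no agent means no account.
    if agent == "none" and account and account != "none":
        problems.append("ACCOUNT_NAME is set but CICD_AGENT_TYPE is none")
    if agent and agent != "none" and account == "none":
        problems.append("CICD_AGENT_TYPE requires an ACCOUNT_NAME other than none")
    if values.get("VM_USERNAME", "").lower() in REJECTED_ADMIN_NAMES:
        problems.append("VM_USERNAME is a name Azure rejects for VM administrators")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(validate_config(parse_flat_yaml(text)) or "config OK")
```

Run it as python check_config.py path/to/config.yml before pushing the branch; the cross-field checks catch the common case of switching CICD_AGENT_TYPE to 'none' while leaving an organization in ACCOUNT_NAME.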
c) Push the latest changes to your feature branch and create a Pull Request to the main branch, which will trigger the workflow
Alternatively, you can trigger the workflow by going to the Actions tab and running the AzureBicepDeploy workflow manually
There will be four resource groups created as follows -
- Outputs from Backend:
- Outputs from Shared module:
- Outputs from APIM module:
- Outputs from Networking module: