From 3d6ef3f6f7609ffc06602abe2302c4f009005d4c Mon Sep 17 00:00:00 2001 From: Aniruddh Kuthiala Date: Thu, 7 Aug 2025 05:17:22 -0600 Subject: [PATCH 1/3] use NGINX cli to do configuration updates This change enables the use of "az nginx deployment" cli to do configuration updates. This helps limit the permissions needed by the service principal to do config updates. --- github-action/src/deploy-config.sh | 30 ++++++-------- ...ginx-for-azure-configuration-template.json | 39 ------------------- 2 files changed, 11 insertions(+), 58 deletions(-) delete mode 100644 github-action/src/nginx-for-azure-configuration-template.json diff --git a/github-action/src/deploy-config.sh b/github-action/src/deploy-config.sh index 5d1a6e0..8291cee 100755 --- a/github-action/src/deploy-config.sh +++ b/github-action/src/deploy-config.sh @@ -132,7 +132,7 @@ echo "Successfully created the tarball from the NGINX configuration directory." echo "Listing the NGINX configuration file paths in the tarball." tar -tf "$config_tarball" -encoded_config_tarball=$(base64 "$config_tarball") +encoded_config_tarball=$(base64 "$config_tarball" -w 0) if [[ "$debug" == true ]]; then echo "The base64 encoded NGINX configuration tarball" 
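Review bot: `base64 "$config_tarball" -w 0` places the option after the operand, which only works because GNU coreutils permutes arguments; BSD/macOS `base64` has no `-w` at all, so the line is GNU-only either way and should at least read conventionally: `encoded_config_tarball=$(base64 -w 0 -- "$config_tarball")`. The reason for `-w 0` is not visible from the line, so add `# -w 0: disable 76-column wrapping; the encoded tarball must be one argv element for the az CLI` above it. If the action is meant to run on non-Ubuntu runners, the portable form is `base64 "$config_tarball" | tr -d '\n'`, but confirm which runners are supported before changing it. The surrounding statements of deploy-config.sh run outside this hunk.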
@@ -142,36 +142,28 @@ echo "" # Synchronize the NGINX configuration tarball to the NGINXaaS for Azure deployment. -uuid="$(cat /proc/sys/kernel/random/uuid)" -template_file="template-$uuid.json" -template_deployment_name="${nginx_deployment_name:0:20}-$uuid" - -wget -O "$template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/487d1394d6115d4f42ece6200cbd20859595557d/src/nginx-for-azure-configuration-template.json -echo "Downloaded the ARM template for synchronizing NGINX configuration." -cat "$template_file" -echo "" - echo "Synchronizing NGINX configuration" echo "Subscription ID: $subscription_id" echo "Resource group name: $resource_group_name" echo "NGINXaaS for Azure deployment name: $nginx_deployment_name" -echo "ARM template deployment name: $template_deployment_name" echo "" az account set -s "$subscription_id" --verbose +echo "Installing the az nginx extension if not already installed." +az extension add --name nginx --allow-preview true + az_cmd=( "az" + "nginx" "deployment" - "group" - "create" - "--name" "$template_deployment_name" + "configuration" + "update" + "--name" "default" + "--deployment-name" "$nginx_deployment_name" "--resource-group" "$resource_group_name" - "--template-file" "$template_file" - "--parameters" - "nginxDeploymentName=$nginx_deployment_name" - "rootFile=$transformed_root_config_file_path" - "tarball=$encoded_config_tarball" + "--root-file" "$transformed_root_config_file_path" + "--package" "data=$encoded_config_tarball" "--verbose" ) diff --git a/github-action/src/nginx-for-azure-configuration-template.json b/github-action/src/nginx-for-azure-configuration-template.json deleted file mode 100644 index 9d1064c..0000000 --- a/github-action/src/nginx-for-azure-configuration-template.json +++ /dev/null 
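Review bot: `az extension add --name nginx --allow-preview true` installs whatever preview build the extension index serves at run time, with no version pin, so each workflow run pulls an unverified and possibly different package — the ARM template this replaces was at least fetched at a fixed commit SHA, so this is a step back for reproducibility and supply-chain hygiene. Pin it, e.g. `az extension add --name nginx --version "$nginx_extension_version" --allow-preview true`, with the tested version recorded in the action and bumped deliberately. The comment says "if not already installed", but whether `az extension add` on an already-installed extension warns or errors varies with the CLI version; confirm the behavior on the runner's CLI (or pass `--upgrade`) before relying on it. Separately, the whole base64 tarball still travels as one argv element in `--package "data=$encoded_config_tarball"`; large config trees can exceed the kernel's per-argument limit, so if the extension accepts the package from a file, that form would be safer.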
@@ -1,39 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "nginxDeploymentName": { - "type": "string", - "metadata": { - "description": "The name of the NGINXaaS for Azure deployment to synchronize the configuration." - } - }, - "rootFile": { - "type": "string", - "defaultValue": "nginx.conf", - "metadata": { - "description": "The file path of the root NGINX configuration file." - } - }, - "tarball": { - "type": "string", - "metadata": { - "description": "The based64 encoded NGINX configuration tarball." - } - } - }, - "variables": {}, - "resources": [ - { - "type": "NGINX.NGINXPLUS/nginxDeployments/configurations", - "apiVersion": "2024-11-01-preview", - "name": "[concat(parameters('nginxDeploymentName'), '/default')]", - "properties": { - "rootFile": "[parameters('rootFile')]", - "package": { - "data": "[parameters('tarball')]" - } - } - } - ] -} From b7bc9e7b343d0afc2aa7ae8361b181e7c9da7ad3 Mon Sep 17 00:00:00 2001 From: Aniruddh Kuthiala Date: Thu, 7 Aug 2025 16:43:41 -0600 Subject: [PATCH 2/3] change deploy certificate to use az nginx cli move from using ARM deployment templates to `az nginx deployment certificate update`. This change prevents the need for contributor level permissions on the resource group of the NGINXaaS deployment. --- github-action/action.yml | 8 +-- github-action/src/deploy-certificate.sh | 46 ++++------------ .../nginx-for-azure-certificate-template.json | 55 ------------------- 3 files changed, 12 insertions(+), 97 deletions(-) delete mode 100644 github-action/src/nginx-for-azure-certificate-template.json diff --git a/github-action/action.yml b/github-action/action.yml index 3d2aa6c..1f4e4d1 100644 --- a/github-action/action.yml +++ b/github-action/action.yml 
@@ -10,10 +10,6 @@ inputs: nginx-deployment-name: description: "The name of the NGINXaaS for Azure deployment." required: true - nginx-deployment-location: - description: "The location where the NGINX deployment is located. Example westcentralus" - required: false - deprecationMessage: "This field is not in use and will be removed in a future release. Consider dropping it from your Github Action configuration." nginx-config-directory-path: description: 'The NGINX configuration directory path relative to the root of the Git repository, example: "config/".' required: false 
@@ -40,8 +36,8 @@ runs: using: "composite" steps: - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment" - run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }} - if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }} + run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }} + if: ${{ inputs.nginx-certificates != '' }} shell: bash - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment" run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }} diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh index adbfcda..98725ef 100755 --- a/github-action/src/deploy-certificate.sh +++ b/github-action/src/deploy-certificate.sh @@ -17,10 +17,6 @@ case $i in nginx_deployment_name="${i#*=}" shift ;; - --nginx_resource_location=*) - nginx_resource_location="${i#*=}" - shift - ;; --certificates=*) certificates="${i#*=}" shift 
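Review bot: The rewritten `run:` line still splices `${{ inputs.subscription-id }}`, `${{ inputs.resource-group-name }}`, `${{ inputs.nginx-deployment-name }}` and `${{ toJSON(inputs.nginx-certificates) }}` directly into the shell command text, so an input containing whitespace, quotes or `$(…)` is word-split or executed by bash instead of being passed as a single argument — the standard GitHub Actions script-injection pattern. Since this step is being rewritten anyway, move the inputs into an `env:` map and reference them quoted, which also keeps the JSON certificate list intact as one `--certificates=` argument. The deploy-config.sh step on the following context line has the same shape and is untouched by this commit.
```yaml
      - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
        env:
          SUBSCRIPTION_ID: ${{ inputs.subscription-id }}
          RESOURCE_GROUP_NAME: ${{ inputs.resource-group-name }}
          NGINX_DEPLOYMENT_NAME: ${{ inputs.nginx-deployment-name }}
          NGINX_CERTIFICATES: ${{ toJSON(inputs.nginx-certificates) }}
          DEBUG: ${{ inputs.debug }}
        run: "${{ github.action_path }}/src/deploy-certificate.sh" --subscription_id="$SUBSCRIPTION_ID" --resource_group_name="$RESOURCE_GROUP_NAME" --nginx_deployment_name="$NGINX_DEPLOYMENT_NAME" --certificates="$NGINX_CERTIFICATES" --debug="$DEBUG"
        if: ${{ inputs.nginx-certificates != '' }}
        shell: bash
      # … unchanged: deploy-config.sh step (same env/quoting treatment recommended) …
```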
@@ -51,26 +47,12 @@ then echo "Please set 'nginx-deployment-name' ..." exit 1 fi -if [[ ! -v nginx_resource_location ]]; -then - echo "Please set 'nginx-resource-location' ..." - exit 1 -fi if [[ ! -v certificates ]]; then echo "Please set 'nginx-certificates' ..." exit 1 fi -arm_template_file="nginx-for-azure-certificate-template.json" - -#get the ARM template file -wget -O "$arm_template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/a69d33feaa1a8a012ec44c138ca78c6ec4db9f29/src/nginx-for-azure-certificate-template.json -echo "Downloaded the ARM template for synchronizing NGINX certificate." - -cat "$arm_template_file" -echo "" - az account set -s "$subscription_id" --verbose count=$(echo "$certificates" | jq '. | length') 
@@ -104,41 +86,33 @@ do do_nginx_arm_deployment=0 fi - uuid="$(cat /proc/sys/kernel/random/uuid)" - template_file="template-$uuid.json" - template_deployment_name="${nginx_deployment_name:0:20}-$uuid" - - cp "$arm_template_file" "$template_file" - echo "Synchronizing NGINX certificate" echo "Subscription ID: $subscription_id" echo "Resource group name: $resource_group_name" echo "NGINXaaS for Azure deployment name: $nginx_deployment_name" - echo "NGINXaaS for Azure Location: $nginx_resource_location" - echo "ARM template deployment name: $template_deployment_name" echo "" echo "NGINXaaS for Azure cert name: $nginx_cert_name" echo "NGINXaaS for Azure cert file location: $nginx_cert_file" echo "NGINXaaS for Azure key file location: $nginx_key_file" echo "" + echo "Installing the az nginx extension if not already installed." + az extension add --name nginx --allow-preview true + if [ $do_nginx_arm_deployment -eq 1 ] then az_cmd=( "az" + "nginx" "deployment" - "group" + "certificate" "create" - "--name" "$template_deployment_name" "--resource-group" "$resource_group_name" - "--template-file" "$template_file" - "--parameters" - "name=$nginx_cert_name" - "location=$nginx_resource_location" - "nginxDeploymentName=$nginx_deployment_name" - "certificateVirtualPath=$nginx_cert_file" - "keyVirtualPath=$nginx_key_file" - "keyVaultSecretID=$keyvault_secret" + "--certificate-name" "$nginx_cert_name" + "--deployment-name" "$nginx_deployment_name" + "--certificate-path" "$nginx_cert_file" + "--key-path" "$nginx_key_file" + "--key-vault-secret-id" "$keyvault_secret" "--verbose" ) if [[ "$debug" == true ]]; then diff --git a/github-action/src/nginx-for-azure-certificate-template.json b/github-action/src/nginx-for-azure-certificate-template.json deleted file mode 100644 index de21263..0000000 --- a/github-action/src/nginx-for-azure-certificate-template.json +++ /dev/null 
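Review bot: The `az extension add --name nginx --allow-preview true` added here sits inside the per-certificate `do … done` loop (the hunk header's `do` context), so it runs once per certificate; move it next to `az account set` before the loop so the loop body is only the `az nginx deployment certificate create` call. As in deploy-config.sh, pin the extension with `--version` instead of pulling the latest preview build on every run. The flag is still named `do_nginx_arm_deployment` although no ARM deployment remains; rename it (e.g. `do_certificate_deployment`) or add `# 1 when the certificate must be (re)created via az nginx; set above` so the next reader does not look for template logic. The loop starts before this hunk and its body continues past the end of it.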
@@ -1,55 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the cert resource" - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location for all resources" - } - }, - "nginxDeploymentName": { - "type": "string", - "metadata": { - "description": "The name of your NGINX deployment resource" - } - }, - "certificateVirtualPath": { - "type": "string", - "metadata": { - "description": "The file path of the certificate file" - } - }, - "keyVirtualPath": { - "type": "string", - "metadata": { - "description": "The file path of the certificate key file" - } - }, - "keyVaultSecretID": { - "type": "string", - "metadata": { - "description": "The secret ID of the key vault holding the certificate" - } - } - }, - "resources": [ - { - "type": "NGINX.NGINXPLUS/nginxDeployments/certificates", - "apiVersion": "2024-11-01-preview", - "name": "[concat(parameters('nginxDeploymentName'), concat('/', parameters('name')))]", - "location": "[parameters('location')]", - "properties": { - "certificateVirtualPath": "[parameters('certificateVirtualPath')]", - "keyVirtualPath": "[parameters('keyVirtualPath')]", - "keyVaultSecretId": "[parameters('keyVaultSecretID')]" - } - } - ] -} From 35fdf1499dcc591dd84ef39851bd7227ac6a4365 Mon Sep 17 00:00:00 2001 From: Aniruddh Kuthiala Date: Fri, 8 Aug 2025 15:08:15 -0600 Subject: [PATCH 3/3] update README to change the version to 0.4.1 --- github-action/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/github-action/README.md b/github-action/README.md index 6076693..1437526 100644 --- a/github-action/README.md +++ b/github-action/README.md 
@@ -34,7 +34,7 @@ jobs: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -77,7 +77,7 @@ jobs: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -106,7 +106,7 @@ To use this action to sync the configuration files from this example, the direct ```yaml - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -139,7 +139,7 @@ The action supports an optional input `transformed-nginx-config-directory-path` ```yaml - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment' - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} 
@@ -172,7 +172,7 @@ See the example below ```yaml - name: "Sync NGINX certificates to NGINXaaS for Azure" - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} @@ -186,7 +186,7 @@ See the example below ```yaml - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure" - uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.0 + uses: nginxinc/nginx-for-azure-deploy-action/github-action@v0.4.1 with: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}