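---
# Pre-merge checks for the Bicep templates: the repository's own lint actions
# run first, then each template goes through an Azure preflight validation
# (deploymentMode: Validate), which compiles and checks it without deploying.
name: Check correctness of bicep templates

# Only pull requests into master that touch a Bicep directory trigger the run.
# 'on' is a YAML 1.1 truthy key; GitHub's workflow loader reads it as intended.
on:
  pull_request:
    branches:
      - master
    paths:
      - 'shared/bicep/*.*'
      - 'app01/bicep/*.*'
      - 'app02/bicep/*.*'
      - 'app03/bicep/*.*'
      - 'app03/dev/bicep/*.*'
      - 'app03/qa/bicep/*.*'
      - 'app03/staging/bicep/*.*'
      - 'app03/prod/bicep/*.*'

# Least privilege for the workflow's GITHUB_TOKEN: every step only reads
# repository contents; Azure access comes from AZURE_CREDENTIALS, not from
# this token.
permissions:
  contents: read

jobs:
  lint:
    name: Check code syntax
    runs-on: ubuntu-latest
    steps:
      # Marketplace actions are referenced by mutable major-version tags
      # (@v3, @v1). Pinning each to a full commit SHA would protect the job
      # against a tag being moved to different code.
      - name: Check out repository
        uses: actions/checkout@v3

      # --- Static checks implemented as local composite actions ---
      # All inputs are passed as quoted strings; action inputs are strings.
      - name: Check ipgroups_max
        uses: ./.github/actions/ipgroups_max_bicep
        with:
          file_prefix: 'ipgroups'
          file_extension: 'bicep'
          max_ip_groups: '80'

      - name: Check CIDR prefix length
        uses: ./.github/actions/cidr_prefix_length_bicep
        with:
          file_prefixes: 'ipgroups rcg'
          file_extension: 'bicep'
          min_cidr_length: '24'
          base_dir: './'

      - name: Check Firewall rule priorities
        uses: ./.github/actions/fw_rule_prio_bicep
        with:
          file_prefixes: 'rcg'
          file_extension: 'bicep'
          min_prio: '10000'
          max_prio: '40000'
          base_dir: './'

      # --- Preflight validation ---
      # Check out the app04 repo. The path matters: the AzFW bicep template
      # expects to find it at ./app04. Uses the same checkout major version as
      # the first step so both run on the same action code.
      - name: Checkout app04 repo
        uses: actions/checkout@v3
        with:
          repository: erjosito/segmentation-iac-app04
          ref: master
          path: './app04'

      # Expand app02's CSV file with NSG rules into the JSON the template reads.
      # A non-zero exit from the script fails the job.
      - name: Expand CSV file with NSG rules to JSON
        run: |
          python3 ./scripts/nsg_csv_to_json.py --csv-file ./app02/bicep/nsg-rules-app02.csv --output-file ./app02/bicep/nsg-rules-app02.json --verbose

      # Log in with the service principal stored in AZURE_CREDENTIALS. Pull
      # requests opened from forks do not receive repository secrets, so this
      # step and the validations below only succeed for branches of this repo.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # deploymentMode: Validate is a preflight check only; nothing is deployed
      # to the resource group named by AZURE_RG.
      - uses: azure/arm-deploy@v1
        name: Run preflight validation for shared infra
        with:
          resourceGroupName: ${{ secrets.AZURE_RG }}
          template: ./shared/bicep/azfwpolicy.bicep
          deploymentMode: Validate

      - uses: azure/arm-deploy@v1
        name: Run preflight validation for app01 infra
        with:
          resourceGroupName: ${{ secrets.AZURE_RG }}
          template: ./app01/bicep/infra-app01.bicep
          deploymentMode: Validate

      - uses: azure/arm-deploy@v1
        name: Run preflight validation for app02 infra
        with:
          resourceGroupName: ${{ secrets.AZURE_RG }}
          # Previously pointed at ./app01/bicep/infra-app02.bicep. app02's
          # templates live under ./app02/bicep (see the paths filter and the
          # CSV expansion step above), so the app01 path looked like a
          # copy-paste slip; confirm the file exists at the new location.
          template: ./app02/bicep/infra-app02.bicep
          deploymentMode: Validate

      # Only the DEV environment of app03 is validated here, although the
      # paths filter also watches app03/qa, app03/staging and app03/prod.
      - uses: azure/arm-deploy@v1
        name: Run preflight validation for app03 DEV infra
        with:
          resourceGroupName: ${{ secrets.AZURE_RG }}
          template: ./app03/dev/bicep/infra-app03-dev.bicep
          deploymentMode: Validate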