Limit permissions needed by the service principal to run actions (#44)

* use NGINX cli to do configuration updates

This change enables the use of "az nginx deployment" cli
to do configuration updates. This helps limit the permissions
needed by the service principal to do config updates.

* change deploy certificate to use az nginx cli

move from using ARM deployment templates to
`az nginx deployment certificate update`. This
change prevents the need for contributor level
permissions on the resource group of the NGINXaaS
deployment.

* update README to change the version to 0.4.1

Author: kuthiala

github-action/README.md

@@ -34,7 +34,7 @@ jobs:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -77,7 +77,7 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -106,7 +106,7 @@ To use this action to sync the configuration files from this example, the direct
 
 ```yaml
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -139,7 +139,7 @@ The action supports an optional input `transformed-nginx-config-directory-path`
 
 ```yaml
     - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+      uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -172,7 +172,7 @@ See the example below
 
 ```yaml
 - name: "Sync NGINX certificates to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -186,7 +186,7 @@ See the example below
 
 ```yaml
  - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].0
+        uses: nginxinc/nginx-for-azure-deploy-action/[email protected].1
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}

github-action/action.yml

@@ -10,10 +10,6 @@ inputs:
   nginx-deployment-name:
     description: "The name of the NGINXaaS for Azure deployment."
     required: true
-  nginx-deployment-location:
-    description: "The location where the NGINX deployment is located. Example westcentralus"
-    required: false
-    deprecationMessage: "This field is not in use and will be removed in a future release. Consider dropping it from your Github Action configuration."
   nginx-config-directory-path:
     description: 'The NGINX configuration directory path relative to the root of the Git repository, example: "config/".'
     required: false
@@ -40,8 +36,8 @@ runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
-      if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
+      if: ${{ inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
       run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}

github-action/src/deploy-certificate.sh

@@ -17,10 +17,6 @@ case $i in
     nginx_deployment_name="${i#*=}"
     shift
     ;;
-    --nginx_resource_location=*)
-    nginx_resource_location="${i#*=}"
-    shift
-    ;;
     --certificates=*)
     certificates="${i#*=}"
     shift
@@ -51,26 +47,12 @@ then
     echo "Please set 'nginx-deployment-name' ..."
     exit 1
 fi
-if [[ ! -v nginx_resource_location ]];
-then
-    echo "Please set 'nginx-resource-location' ..."
-    exit 1
-fi
 if [[ ! -v certificates ]];
 then
     echo "Please set 'nginx-certificates' ..."
     exit 1
 fi
 
-arm_template_file="nginx-for-azure-certificate-template.json"
-
-#get the ARM template file
-wget -O "$arm_template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/a69d33feaa1a8a012ec44c138ca78c6ec4db9f29/src/nginx-for-azure-certificate-template.json
-echo "Downloaded the ARM template for synchronizing NGINX certificate."
-
-cat "$arm_template_file"
-echo ""
-
 az account set -s "$subscription_id" --verbose
 
 count=$(echo "$certificates" | jq '. | length')
@@ -104,41 +86,33 @@ do
         do_nginx_arm_deployment=0
     fi
 
-    uuid="$(cat /proc/sys/kernel/random/uuid)"
-    template_file="template-$uuid.json"
-    template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-
-    cp "$arm_template_file" "$template_file"
-
     echo "Synchronizing NGINX certificate"
     echo "Subscription ID: $subscription_id"
     echo "Resource group name: $resource_group_name"
     echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-    echo "NGINXaaS for Azure Location: $nginx_resource_location"
-    echo "ARM template deployment name: $template_deployment_name"
     echo ""
     echo "NGINXaaS for Azure cert name: $nginx_cert_name"
     echo "NGINXaaS for Azure cert file location: $nginx_cert_file"
     echo "NGINXaaS for Azure key file location: $nginx_key_file"
     echo ""
 
+    echo "Installing the az nginx extension if not already installed."
+    az extension add --name nginx --allow-preview true
+
     if [ $do_nginx_arm_deployment -eq 1 ]
     then
         az_cmd=(
             "az"
+            "nginx"
             "deployment"
-            "group"
+            "certificate"
             "create"
-            "--name" "$template_deployment_name"
             "--resource-group" "$resource_group_name"
-            "--template-file" "$template_file"
-            "--parameters"
-            "name=$nginx_cert_name"
-            "location=$nginx_resource_location"
-            "nginxDeploymentName=$nginx_deployment_name"
-            "certificateVirtualPath=$nginx_cert_file"
-            "keyVirtualPath=$nginx_key_file"
-            "keyVaultSecretID=$keyvault_secret"
+            "--certificate-name" "$nginx_cert_name"
+            "--deployment-name" "$nginx_deployment_name"
+            "--certificate-path" "$nginx_cert_file"
+            "--key-path" "$nginx_key_file"
+            "--key-vault-secret-id" "$keyvault_secret"
             "--verbose"
         )
         if [[ "$debug" == true ]]; then

github-action/src/deploy-config.sh

@@ -132,7 +132,7 @@ echo "Successfully created the tarball from the NGINX configuration directory."
 echo "Listing the NGINX configuration file paths in the tarball."
 tar -tf "$config_tarball"
 
-encoded_config_tarball=$(base64 "$config_tarball")
+encoded_config_tarball=$(base64 "$config_tarball" -w 0)
 
 if [[ "$debug" == true ]]; then
     echo "The base64 encoded NGINX configuration tarball"
@@ -142,36 +142,28 @@ echo ""
 
 # Synchronize the NGINX configuration tarball to the NGINXaaS for Azure deployment.
 
-uuid="$(cat /proc/sys/kernel/random/uuid)"
-template_file="template-$uuid.json"
-template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-
-wget -O "$template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/487d1394d6115d4f42ece6200cbd20859595557d/src/nginx-for-azure-configuration-template.json
-echo "Downloaded the ARM template for synchronizing NGINX configuration."
-cat "$template_file"
-echo ""
-
 echo "Synchronizing NGINX configuration"
 echo "Subscription ID: $subscription_id"
 echo "Resource group name: $resource_group_name"
 echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-echo "ARM template deployment name: $template_deployment_name"
 echo ""
 
 az account set -s "$subscription_id" --verbose
 
+echo "Installing the az nginx extension if not already installed."
+az extension add --name nginx --allow-preview true
+
 az_cmd=(
     "az"
+    "nginx"
     "deployment"
-    "group"
-    "create"
-    "--name" "$template_deployment_name"
+    "configuration"
+    "update"
+    "--name" "default"
+    "--deployment-name" "$nginx_deployment_name"
     "--resource-group" "$resource_group_name"
-    "--template-file" "$template_file"
-    "--parameters"
-    "nginxDeploymentName=$nginx_deployment_name"
-    "rootFile=$transformed_root_config_file_path"
-    "tarball=$encoded_config_tarball"
+    "--root-file" "$transformed_root_config_file_path"
+    "--package" "data=$encoded_config_tarball"
     "--verbose"
 )