Connecting dev subscription's container registry while deploying the appservice in test subscription.

Bicky Shaw 1

I am a devOps Engineer, deploying three app services in dev and test environment using azure bicep and github action. While deploying the app services in dev I am connecting to dev subscription through github action p[ipeline and while deploying test app services we are connecting to test subscription through github action but the point is that we need to connect the app services to container registry and the container registry exist only in dev subcription then while deploying the appservice to test subcription we need to connect container registry of dev subcription how to do this through bicep script one way is to directly give the dockerRegistryUrl to appsetting in bicep code but I do not want to hard code the url in bicep script?

Deepanshu katara 5,145 Reputation points

2024-04-26T14:22:26.11+00:00

Please check and let us know
Sina Salam 3,881 Reputation points

2024-04-26T14:50:52.5966667+00:00
Hello Bicky Shaw,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

Sequel to your questions, I understand that you are having issue to link your app services to a container registry, which is only available in the dev subscription. Your goal is to connect the app services deployed in the test subscription to the container registry in the dev subscription without embedding the URL directly into the Bicep script.

Scenario

You're tasked with deploying app services to both dev and test environments using Azure Bicep and GitHub Actions. The GitHub Action pipeline is configured to connect to the respective Azure subscriptions based on the deployment environment. However, a complication arises as the app services in the test environment need to connect to a container registry located in the dev subscription.

Solution

This solution was based on the scenario given and your questions, while focusing on the problem statement. To retrieve the container registry URL from the dev subscription and pass it to the app service in the test subscription without hardcoding it in the Bicep script.

There are little pretty things basically you will need to do:

Set up Azure Key Vault in the dev subscription.

Create an Azure Key Vault in the dev subscription.

Store the container registry URL as a secret in the Key Vault. To create Key Vault using Azure CLI: az keyvault create --name <keyvault-name> --resource-group <resource-group-name> --location <location>

Store the container registry URL as a secret in the Key Vault.

Add a secret to the Key Vault az keyvault secret set --vault-name <keyvault-name> --name <secret-name> --value <container-registry-url>

Grant appropriate permissions to access the Key Vault secrets. Grant necessary permissions to the service principal used by GitHub Actions to access the Key Vault. This can be achieved through Azure RBAC or using Azure CLI/PowerShell.

Update the GitHub Actions workflow.

Modify your GitHub Actions workflow YAML file to include a step that retrieves the container registry URL from the Key Vault.

Use Azure CLI or Azure PowerShell in the workflow to fetch the secret from the Key Vault like in the example code below:
- name: Retrieve Container Registry URL from Key Vault env: AZURE_KEYVAULT_NAME: <keyvault-name> SECRET_NAME: <secret-name> run: | az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} CONTAINER_REGISTRY_URL=$(az keyvault secret show --vault-name $AZURE_KEYVAULT_NAME --name $SECRET_NAME --query value -o tsv) echo "Container Registry URL: $CONTAINER_REGISTRY_URL" # Pass CONTAINER_REGISTRY_URL to subsequent steps or export it as an environment variable

Finally

Pass the retrieved URL to the app service.

During the deployment to the test subscription, pass the retrieved container registry URL to the app service. This can be achieved by setting an environment variable or configuration setting in your deployment script or Bicep file.

References

For more learning and study, use the additional resource provided by the right side of this page.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam

1 answer

Deepanshu katara 5,145 Reputation points

2024-04-26T14:22:08.9033333+00:00
Hi ,

In the GitHub Actions workflow, you would need to:

Authenticate to Azure using a service principal or managed identity.

Retrieve the secret value from Azure Key Vault.

Pass the secret value as a parameter to the Bicep script during deployment. For ex- .

- name: Get secret from Azure Key Vault run: | # Azure CLI command to retrieve secret value SECRET_VALUE=$(az keyvault secret show --name ${containerRegistrySecretName} --vault-name ${keyVaultName} --query value -o tsv) echo "##vso[task.setvariable variable=DOCKER_REGISTRY_URL]$SECRET_VALUE" - name: Deploy Bicep template run: bicep deploy --template-file main.bicep --parameters dockerRegistryUrl=${{ env.DOCKER_REGISTRY_URL }}

In your Bicep script (main.bicep):

param dockerRegistryUrl string resource appService 'Microsoft.Web/sites@2021-02-01' = { name: 'example-appservice' location: 'WestUS' properties: { serverFarmId: exampleServicePlan.id siteConfig: { appSettings: [ { name: 'DOCKER_REGISTRY_URL' value: dockerRegistryUrl } ] } } }

This approach ensures that your Bicep script remains dynamic and does not contain hardcoded sensitive information. Instead, it fetches the required values securely during deployment from Azure Key Vault.

Kindly accept answer if it helps , Thanks!
Please sign in to rate this answer.
Deepanshu katara 5,145 Reputation points

2024-04-29T09:52:21.88+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Deepanshu katara 5,145 Reputation points

2024-05-02T04:55:45.1733333+00:00

can you please accept answer or update on this , Thankyou!

Deepanshu katara 5,145 Reputation points

2024-05-06T05:23:22.4333333+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Sign in to comment

Connecting dev subscription's container registry while deploying the appservice in test subscription.

Problem

Scenario

Solution

Finally

References

Accept Answer

1 answer