👷 Add Reusable Workflows; Instructions (#2)

rahulpatidar0191 · web-flow · commit 61448cd308d7 · 2025-08-21T20:14:53.000-07:00
* test deployment

* remove azd

* add env

* try with env

* change envs

* test client ID

* typpo

* new env to fix ERROR: getting target resource: getting default resource groups for environment: dev: resource not found: 0 resource groups with prefix or suffix with value: 'dev'

* add env

* update readme

* add reusable workflows

* add env back

* add envs

* add path for testing

* try as secrets

* fix expression error

* fix more envs

* try with env at step

* add env s

* fix the env name

* clean up

* add env back

* clean up

* Remove tests; more cleanup

* add  bicep as resusable

* remove redundant info

* improve docs

* enable azd for non self hosted runners
diff --git a/.github/workflows/backend-integration-azure-bicep-validate.yml b/.github/workflows/backend-integration-azure-bicep-validate.yml
@@ -1,35 +1,23 @@
-name: Validate bicep scripts
+name: Validate Bicep Scripts Backend Integration
+
 on:
   workflow_dispatch:
   push:
     branches:
       - main
     paths:
       - 'backend-integration/**'
+      - '.github/workflows/lib-azure-bicep-validation.yml'
       
 # Use concurrency to ensure that only a single job or workflow using the same concurrency group will run at a time
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
   cancel-in-progress: true  # Cancel previously queued jobs and run the latest
   
-
 jobs:
-    build:
-      timeout-minutes: 10
-      runs-on: ubuntu-latest
-      steps:
-        - name: Checkout
-          uses: actions/checkout@v2
-
-        - name: Azure CLI script
-          uses: azure/CLI@v2.1.0
-          with:
-            inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f backend-integration/infra/main.bicep
-
-        - name: Log in with Azure (Federated Credentials)
-          if: ${{ env.AZURE_CLIENT_ID != '' }}
-          run: |
-            azd auth login \
-              --client-id "$AZURE_CLIENT_ID" \
-              --federated-credential-provider "github" \
-              --tenant-id "$AZURE_TENANT_ID"
+  backend-integration-validation: 
+    uses: ./.github/workflows/lib-azure-bicep-validation.yml
+    with:
+      work-dir: backend-integration
+    secrets:
+      SELF_HOSTED_RUNNER_TOKEN: ${{ secrets.SELF_HOSTED_RUNNER_TOKEN }}
diff --git a/.github/workflows/backend-integration-azure-deploy.yml b/.github/workflows/backend-integration-azure-deploy.yml
@@ -7,15 +7,8 @@ on:
       - main
     paths:
       - 'backend-integration/**'
+      - '.github/workflows/backend-integration-azure-deploy.yml'
 
-# GitHub Actions workflow to deploy to Azure using azd
-# To configure required secrets for connecting to Azure, simply run `azd pipeline config`
-
-# Set up permissions for deploying with secretless Azure federated credentials
-# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux#set-up-azure-login-with-openid-connect-authentication
-permissions:
-  id-token: write
-  contents: read
 
 # Use concurrency to ensure that only a single job or workflow using the same concurrency group will run at a time
 concurrency:
@@ -24,76 +17,14 @@ concurrency:
   
 
 jobs:
-    self-hosted-status:
-      runs-on: ubuntu-latest
-      timeout-minutes: 5
-      outputs:
-        runner-status: ${{ steps.runnerstatus.outputs.status }}
-      steps:
-        - name: Check runner status
-          id: runnerstatus
-          uses: SatelCreative/satel-gh-runner-check@1.0.3
-          with:       
-            github-runner-token: ${{ secrets.SELF_HOSTED_RUNNER_TOKEN }} #Should have access to manage runner
-            org-name: SatelCreative
-    build:
-      needs: [self-hosted-status]
-      timeout-minutes: 10
-      runs-on: ${{ contains(needs.self-hosted-status.outputs.runner-status, 'online') && 'self-hosted' || 'ubuntu-latest' }}
-      environment: dev
-      env:
-        AZURE_CLIENT_ID: ${{ vars.BACKEND_INTEGRATION_CLIENT_ID }}
-        AZURE_TENANT_ID: ${{ vars.BACKEND_INTEGRATION_TENANT_ID }}
-        AZURE_SUBSCRIPTION_ID: ${{ vars.BACKEND_INTEGRATION_SUBSCRIPTION_ID }}
-        AZURE_CREDENTIALS: ${{ secrets.BACKEND_INTEGRATION_CREDENTIALS }}
-      steps:
-        - name: Checkout
-          uses: actions/checkout@v4
-
-        - name: Install azd
-          uses: Azure/setup-azd@v2.0.0
-
-        - name: Log in with Azure (Federated Credentials)
-          if: ${{ env.AZURE_CLIENT_ID != '' }}
-          run: |
-            azd auth login \
-              --client-id "$AZURE_CLIENT_ID" \
-              --federated-credential-provider "github" \
-              --tenant-id "$AZURE_TENANT_ID"
-
-
-        - name: Log in with Azure (Client Credentials)
-          if: ${{ env.AZURE_CREDENTIALS != '' }}
-          run: |
-            $info = $Env:AZURE_CREDENTIALS | ConvertFrom-Json -AsHashtable;
-            Write-Host "::add-mask::$($info.clientSecret)"
-
-            azd auth login \
-              --client-id "$($info.clientId)" \
-              --client-secret "$($info.clientSecret)" \
-              --tenant-id "$($info.tenantId)"
-
-          env:
-            AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
-
-        # Commented out to preserve existing application settings
-        # Uncomment when infrastructure changes are needed
-        #- name: Provision Infrastructure
-        #  run: |
-        #    cd backend-integration
-        #    azd provision --no-prompt
-        #  env:
-        #    AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
-        #    AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-        #    AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-
-        - name: Deploy Application
-          run: 
-            |
-            cd backend-integration
-            azd deploy --no-prompt
-          env:
-            AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
-            AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-            AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-      
+  backend-integration-dev: 
+    uses: ./.github/workflows/lib-azure-deploy.yml
+    with:
+      work-dir: backend-integration
+      environment: ${{ vars.BACKEND_INTEGRATION_ENV_NAME }}
+    secrets:
+      SELF_HOSTED_RUNNER_TOKEN: ${{ secrets.SELF_HOSTED_RUNNER_TOKEN }}
+      AZURE_CLIENT_ID: ${{ vars.BACKEND_INTEGRATION_CLIENT_ID }}
+      AZURE_TENANT_ID: ${{ vars.BACKEND_INTEGRATION_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ vars.BACKEND_INTEGRATION_SUBSCRIPTION_ID }}
+      AZURE_LOCATION: ${{ vars.BACKEND_INTEGRATION_LOCATION }}
diff --git a/.github/workflows/lib-azure-bicep-validation.yml b/.github/workflows/lib-azure-bicep-validation.yml
@@ -0,0 +1,47 @@
+name: Validate Bicep Scripts
+
+on:
+  workflow_call:
+    inputs:
+      work-dir:
+        required: true
+        type: string 
+
+    secrets:
+      SELF_HOSTED_RUNNER_TOKEN: 
+        required: true   
+
+jobs:
+    self-hosted-status:
+      runs-on: ubuntu-latest
+      timeout-minutes: 5
+      outputs:
+        runner-status: ${{ steps.runnerstatus.outputs.status }}
+      steps:
+        - name: Check runner status
+          id: runnerstatus
+          uses: SatelCreative/satel-gh-runner-check@1.0.3
+          with:       
+            github-runner-token: ${{ secrets.SELF_HOSTED_RUNNER_TOKEN }} #Should have access to manage runner
+            org-name: SatelCreative
+
+    validate-bicep:
+      timeout-minutes: 10
+      needs: [self-hosted-status]
+      runs-on: ${{ contains(needs.self-hosted-status.outputs.runner-status, 'online') && 'self-hosted' || 'ubuntu-latest' }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v4
+
+        - name: Azure CLI script
+          uses: azure/CLI@v2.1.0
+          with:
+            inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f ${{ inputs.work-dir }}/infra/main.bicep
+
+        - name: Log in with Azure (Federated Credentials)
+          if: ${{ env.AZURE_CLIENT_ID != '' }}
+          run: |
+            azd auth login \
+              --client-id "$AZURE_CLIENT_ID" \
+              --federated-credential-provider "github" \
+              --tenant-id "$AZURE_TENANT_ID"
diff --git a/.github/workflows/lib-azure-deploy.yml b/.github/workflows/lib-azure-deploy.yml
@@ -0,0 +1,82 @@
+name: Deploys to Azure Function App
+
+on:
+  workflow_call:
+    inputs:
+      work-dir:
+        required: true
+        type: string 
+      environment:
+        required: true
+        type: string
+
+    secrets:
+      SELF_HOSTED_RUNNER_TOKEN: 
+        required: true   
+      AZURE_CLIENT_ID: 
+          required: true
+      AZURE_TENANT_ID: 
+        required: true
+      AZURE_SUBSCRIPTION_ID: 
+        required: true
+      AZURE_LOCATION:
+        required: true
+  
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+    self-hosted-status:
+      runs-on: ubuntu-latest
+      timeout-minutes: 5
+      outputs:
+        runner-status: ${{ steps.runnerstatus.outputs.status }}
+      steps:
+        - name: Check runner status
+          id: runnerstatus
+          uses: SatelCreative/satel-gh-runner-check@1.0.3
+          with:       
+            github-runner-token: ${{ secrets.SELF_HOSTED_RUNNER_TOKEN }} #Should have access to manage runner
+            org-name: SatelCreative
+
+    build-and-deploy:
+      needs: [self-hosted-status]
+      timeout-minutes: 10
+      runs-on: ${{ contains(needs.self-hosted-status.outputs.runner-status, 'online') && 'self-hosted' || 'ubuntu-latest' }}
+      environment: ${{ inputs.environment }}
+      env:
+        AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v4
+
+        - name: Install azd
+          if: ${{ runner.os == 'Linux' && runner.name == 'GitHub Actions' }}
+          uses: Azure/setup-azd@v2.0.0
+
+        - name: Log in with Azure (Federated Credentials)
+          if: ${{ env.AZURE_CLIENT_ID != '' }}
+          run: |
+            echo "Using client ID: $AZURE_CLIENT_ID"
+            azd auth login \
+              --client-id "$AZURE_CLIENT_ID" \
+              --federated-credential-provider "github" \
+              --tenant-id "$AZURE_TENANT_ID"
+
+        # Commented out to preserve existing application settings
+        # Uncomment when infrastructure changes are needed
+        #- name: Provision Infrastructure
+        #  run: |
+        #    cd ${{ inputs.work-dir }}
+        #    azd provision --no-prompt
+      
+
+        - name: Deploy Application
+          run: |
+            cd ${{ inputs.work-dir }}
+            azd env new $AZURE_ENV_NAME --location $AZURE_LOCATION --subscription $AZURE_SUBSCRIPTION_ID --no-prompt
+            azd deploy --no-prompt
diff --git a/howto.md b/howto.md
@@ -141,6 +141,80 @@ cd shopify-integration/
 azd up
 ```
 
+
+## Azure DevOps Setup
+
+### Prerequisites
+
+Before setting up Azure DevOps integration, you'll need to gather the following information:
+
+- **Azure Subscription ID**: Found in the [Azure Portal Subscriptions page](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2)
+- **Azure Tenant ID**: Available after app registration
+- **Azure Client ID**: Generated during app registration
+
+### Step-by-Step Setup
+
+#### 1. Get Azure Subscription ID
+
+Navigate to the [Azure Portal Subscriptions page](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) and copy your subscription ID.
+
+#### 2. Register Azure Application
+
+1. Go to the [Azure App Registrations page](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)
+2. Click **"New registration"**
+3. Provide a name for your application
+4. Select the appropriate account types
+5. Click **"Register"**
+
+This will provide you with:
+- **AZURE_CLIENT_ID** (Application ID)
+- **AZURE_TENANT_ID** (Directory ID)
+
+#### 3. Configure Federated Credentials
+
+1. In your app registration, navigate to **"Certificates & secrets"**
+2. Click on **"Federated credentials"** tab
+3. Click **"Add credential"**
+4. Configure the federated credential with:
+   - **Entity type**: GitHub Actions
+   - **Repository**: `your-org/your-repo`
+   - **Environment**: `backend-integration-dev` (must match your workflow environment)
+   - **Branch**: `main` (or your default branch)
+
+> **Important**: The environment name must match exactly with the environment specified in your GitHub workflows. See the [workflow configuration](https://github.com/SatelCreative/azure-function-app-boilerplate/blob/4149c2b6f838b8b2b9ad6a091120674572347ad1/.github/workflows/backend-integration-azure-deploy.yml#L46-L47) for reference.
+
+#### 4. Assign Contributor Role
+
+The registered app needs contributor permissions for your Azure subscription. Run the following command locally:
+
+```bash
+az role assignment create \
+  --assignee "AZURE_CLIENT_ID" \
+  --role "Contributor" \
+  --scope "/subscriptions/AZURE_SUBSCRIPTION_ID"
+```
+
+**Verification**: To verify the role assignment, run:
+
+```bash
+az role assignment list \
+  --assignee "AZURE_CLIENT_ID" \
+  --scope "/subscriptions/AZURE_SUBSCRIPTION_ID" \
+  --output table
+```
+
+> **Note**: Make sure you're logged into the correct Azure organization before running these commands.
+
+### Environment Variables
+
+Once the app has been created on Azure, you'll need to add the following environment variables to your GitHub repository variables/secrets:
+
+- `<APP_NAME>_CLIENT_ID`
+- `<APP_NAME>_TENANT_ID` 
+- `<APP_NAME>_SUBSCRIPTION_ID`
+- `<APP_NAME>_ENV_NAME`
+- `<APP_NAME>_LOCATION`
+
 This boilerplate provides a production-ready foundation for building Azure
 Function-based integrations with proper monitoring, deployment pipelines, and
 infrastructure management.
