Support protected files and some input cleanup (#39)

* protected files support and input cleanup in deploy-config.sh

This change also adds support for the protected files
feature supported by NGINXaaS. Users can give a new optional
input called protected-files that contains a comma
separated list of all the files that need to be marked
as protected. For more information, visit:
https://docs.nginx.com/nginxaas/azure/getting-started/nginx-configuration/nginx-configuration-portal/#add-an-nginx-configuration

* Input cleanup in deploy-certificate.sh

This brings deploy-certificate.sh up to
parity with the input validation changes
made in deploy-config.sh. Adds some more
input validation for certificate parameters.

* restore previous action name

* update README.md to reflect new version of the action

Author: kuthiala

README.md

@@ -34,7 +34,7 @@ jobs:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+      uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -77,7 +77,7 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+      uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -106,7 +106,7 @@ To use this action to sync the configuration files from this example, the direct
 
 ```yaml
     - name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+      uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -139,7 +139,7 @@ The action supports an optional input `transformed-nginx-config-directory-path`
 
 ```yaml
     - name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment'
-      uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+      uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
       with:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
         resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -172,7 +172,7 @@ See the example below
 
 ```yaml
 - name: "Sync NGINX certificates to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+        uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -186,7 +186,7 @@ See the example below
 
 ```yaml
  - name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure"
-        uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
+        uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
         with:
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}

action.yml

@@ -1,4 +1,4 @@
-name: "NGINXaaS for Azure Deployment Sync"
+name: "NGINXaaS Configuration Sync"
 description: "Sync NGINX configuration from a git repo and/or certificates from an Azure Key Vault to an NGINXaaS for Azure deployment"
 inputs:
   subscription-id:
@@ -20,14 +20,19 @@ inputs:
     default: "nginx.conf"
   transformed-nginx-config-directory-path:
     description: >
-      'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/".
-      If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation
-      can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.'
+      'The absolute directory path in the NGINXaaS for Azure deployment where your configuration files will be placed. 
+      All files found in the nginx-config-directory-path will be copied to this location in the deployment. 
+      For example, use "/etc/nginx/" to match the standard NGINX directory structure on your NGINXaaS deployment.
+      If your NGINX configuration files use absolute paths in "include" directives, this setting ensures those paths are correctly mapped in the deployment by prepending the specified directory.'
     required: false
     default: ""
   nginx-certificates:
-    description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key"  }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key"  }] '
+    description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/nginx/certs/server1.crt", "keyVirtualPath": "/etc/nginx/certs/server1.key"  }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/nginx/certs/server2.crt", "keyVirtualPath": "/etc/nginx/certs/server2.key"  }] '
     required: false
+  protected-files:
+    description: "Comma-separated list of file paths relative to nginx-config-directory-path that should be marked as protected. Example: 'ssl/private.key,conf.d/secrets.conf'"
+    required: false
+    default: ""
   debug:
     description: "Enable/Disable debug output."
     required: false
@@ -36,10 +41,10 @@ runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}
+      run: ${{github.action_path}}/src/deploy-config.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-config-directory-path=${{ inputs.nginx-config-directory-path }} --nginx-root-config-file=${{ inputs.nginx-root-config-file }} --transformed-nginx-config-directory-path=${{ inputs.transformed-nginx-config-directory-path }} --protected-files=${{ inputs.protected-files }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-config-directory-path != '' }}
       shell: bash

src/deploy-certificate.sh

@@ -1,19 +1,19 @@
 #!/bin/bash
-set -euo pipefail
+set -eo pipefail
 IFS=$'\n\t'
 
 for i in "$@"
 do
 case $i in
-    --subscription_id=*)
+    --subscription-id=*)
     subscription_id="${i#*=}"
     shift
     ;;
-    --resource_group_name=*)
+    --resource-group-name=*)
     resource_group_name="${i#*=}"
     shift
     ;;
-    --nginx_deployment_name=*)
+    --nginx-deployment-name=*)
     nginx_deployment_name="${i#*=}"
     shift
     ;;
@@ -26,35 +26,47 @@ case $i in
     shift
     ;;
     *)
-    echo "Not matched option '${i#*=}' passed in."
+    echo "Unknown option '${i}' passed in."
     exit 1
     ;;
 esac
 done
 
-if [[ ! -v subscription_id ]];
-then
-    echo "Please set 'subscription-id' ..."
-    exit 1
+# Validate Required Parameters
+missing_params=()
+if [ -z "$subscription_id" ]; then
+    missing_params+=("subscription-id")
 fi
-if [[ ! -v resource_group_name ]];
-then
-    echo "Please set 'resource-group-name' ..."
-    exit 1
+if [ -z "$resource_group_name" ]; then
+    missing_params+=("resource-group-name")
 fi
-if [[ ! -v nginx_deployment_name ]];
-then
-    echo "Please set 'nginx-deployment-name' ..."
-    exit 1
+if [ -z "$nginx_deployment_name" ]; then
+    missing_params+=("nginx-deployment-name")
+fi
+if [ -z "$certificates" ]; then
+    missing_params+=("certificates")
 fi
-if [[ ! -v certificates ]];
-then
-    echo "Please set 'nginx-certificates' ..."
+
+# Check and print if any required params are missing
+if [ ${#missing_params[@]} -gt 0 ]; then
+    echo "Error: Missing required variables in the workflow:"
+    echo "${missing_params[*]}"
     exit 1
 fi
 
+# Synchronize the NGINX certificates to the NGINXaaS for Azure deployment.
+
+echo "Synchronizing NGINX certificates"
+echo "Subscription ID: $subscription_id"
+echo "Resource group name: $resource_group_name"
+echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
+echo ""
+
 az account set -s "$subscription_id" --verbose
 
+echo "Installing the az nginx extension if not already installed."
+az extension add --name nginx --allow-preview true
+
 count=$(echo "$certificates" | jq '. | length')
 for (( i=0; i<count; i++ ));
 do
@@ -63,67 +75,52 @@ do
     nginx_key_file=$(echo "$certificates" | jq -r '.['"$i"'].keyVirtualPath')
     keyvault_secret=$(echo "$certificates" | jq -r '.['"$i"'].keyvaultSecret')
 
-    do_nginx_arm_deployment=1
-    err_msg=" "
-    if [ -z "$nginx_cert_name" ] || [ "$nginx_cert_name" = "null" ]
-    then
-        err_msg+="nginx_cert_name is empty;"
-        do_nginx_arm_deployment=0
+    # Validate certificate parameters
+    missing_cert_params=()
+    if [ -z "$nginx_cert_name" ] || [ "$nginx_cert_name" = "null" ]; then
+        missing_cert_params+=("certificateName")
     fi
-    if [ -z "$nginx_cert_file" ] || [ "$nginx_cert_file" = "null" ]
-    then
-        err_msg+="nginx_cert_file is empty;"
-        do_nginx_arm_deployment=0
+    if [ -z "$nginx_cert_file" ] || [ "$nginx_cert_file" = "null" ]; then
+        missing_cert_params+=("certificateVirtualPath")
     fi
-    if [ -z "$nginx_key_file" ] || [ "$nginx_key_file" = "null" ]
-    then
-        err_msg+="nginx_key_file is empty;"
-        do_nginx_arm_deployment=0
+    if [ -z "$nginx_key_file" ] || [ "$nginx_key_file" = "null" ]; then
+        missing_cert_params+=("keyVirtualPath")
     fi
-    if [ -z "$keyvault_secret" ] || [ "$keyvault_secret" = "null" ]
-    then
-        err_msg+="keyvault_secret is empty;"
-        do_nginx_arm_deployment=0
+    if [ -z "$keyvault_secret" ] || [ "$keyvault_secret" = "null" ]; then
+        missing_cert_params+=("keyvaultSecret")
     fi
 
-    echo "Synchronizing NGINX certificate"
-    echo "Subscription ID: $subscription_id"
-    echo "Resource group name: $resource_group_name"
-    echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-    echo ""
-    echo "NGINXaaS for Azure cert name: $nginx_cert_name"
-    echo "NGINXaaS for Azure cert file location: $nginx_cert_file"
-    echo "NGINXaaS for Azure key file location: $nginx_key_file"
+    if [ ${#missing_cert_params[@]} -gt 0 ]; then
+        echo "Skipping certificate $i deployment due to missing parameters:"
+        echo "${missing_cert_params[*]}"
+        echo ""
+        continue
+    fi
+
+    echo "Processing certificate: $nginx_cert_name"
+    echo "Certificate file location: $nginx_cert_file"
+    echo "Key file location: $nginx_key_file"
     echo ""
 
-    echo "Installing the az nginx extension if not already installed."
-    az extension add --name nginx --allow-preview true
+    az_cmd=(
+        "az"
+        "nginx"
+        "deployment"
+        "certificate"
+        "create"
+        "--resource-group" "$resource_group_name"
+        "--certificate-name" "$nginx_cert_name"
+        "--deployment-name" "$nginx_deployment_name"
+        "--certificate-path" "$nginx_cert_file"
+        "--key-path" "$nginx_key_file"
+        "--key-vault-secret-id" "$keyvault_secret"
+        "--verbose"
+    )
 
-    if [ $do_nginx_arm_deployment -eq 1 ]
-    then
-        az_cmd=(
-            "az"
-            "nginx"
-            "deployment"
-            "certificate"
-            "create"
-            "--resource-group" "$resource_group_name"
-            "--certificate-name" "$nginx_cert_name"
-            "--deployment-name" "$nginx_deployment_name"
-            "--certificate-path" "$nginx_cert_file"
-            "--key-path" "$nginx_key_file"
-            "--key-vault-secret-id" "$keyvault_secret"
-            "--verbose"
-        )
-        if [[ "$debug" == true ]]; then
-            az_cmd+=("--debug")
-            echo "${az_cmd[@]}"
-        fi
-        set +e
-        "${az_cmd[@]}"
-        set -e
-    else
-        echo "Skipping JSON object $i cert deployment with error:$err_msg"
-        echo ""
+    if [[ "$debug" == true ]]; then
+        az_cmd+=("--debug")
+        echo "${az_cmd[@]}"
     fi
+
+    "${az_cmd[@]}"
 done