Commit a0d07f7

Support protected files and some input cleanup (#39)
* protected files support and input cleanup in deploy-config.sh

  This change also adds support for the protected files feature supported by NGINXaaS. Users can give a new optional input called protected-files that contains a comma separated list of all the files that need to be marked as protected. For more information, visit: https://docs.nginx.com/nginxaas/azure/getting-started/nginx-configuration/nginx-configuration-portal/#add-an-nginx-configuration

* Input cleanup in deploy-certificate.sh

  This brings deploy-certificate.sh up to parity with the input validation changes made in deploy-config.sh. Adds some more input validation for certificate parameters.

* restore previous action name

* update README.md to reflect new version of the action
1 parent 7fad20e commit a0d07f7

5 files changed

+155
-203
lines changed

README.md

Lines changed: 6 additions & 6 deletions
@@ -34,7 +34,7 @@ jobs:
3434
creds: ${{ secrets.AZURE_CREDENTIALS }}
3535

3636
- name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
37-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
37+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
3838
with:
3939
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
4040
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -77,7 +77,7 @@ jobs:
7777
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
7878

7979
- name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
80-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
80+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
8181
with:
8282
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
8383
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -106,7 +106,7 @@ To use this action to sync the configuration files from this example, the direct
106106

107107
```yaml
108108
- name: 'Sync the NGINX configuration from the GitHub repository to the NGINXaaS for Azure deployment'
109-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
109+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
110110
with:
111111
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
112112
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -139,7 +139,7 @@ The action supports an optional input `transformed-nginx-config-directory-path`
139139

140140
```yaml
141141
- name: 'Sync the NGINX configuration from the Git repository to the NGINXaaS for Azure deployment'
142-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
142+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
143143
with:
144144
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
145145
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -172,7 +172,7 @@ See the example below
172172

173173
```yaml
174174
- name: "Sync NGINX certificates to NGINXaaS for Azure"
175-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
175+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
176176
with:
177177
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
178178
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
@@ -186,7 +186,7 @@ See the example below
186186

187187
```yaml
188188
- name: "Sync NGINX configuration- multi file and certificate to NGINXaaS for Azure"
189-
uses: nginxinc/nginx-for-azure-deploy-action@v0.4.2
189+
uses: nginxinc/nginx-for-azure-deploy-action@v0.5.0
190190
with:
191191
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
192192
resource-group-name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
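
Review bot: none of the README hunks documents the new `protected-files` input; all six only bump the `uses:` tag from `v0.4.2` to `v0.5.0`. Since the input decides which files are marked as protected in the deployment, add a short section with a usage line such as `protected-files: 'ssl/private.key,conf.d/secrets.conf'` (the example already given in action.yml) and state that the paths are relative to `nginx-config-directory-path`.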

action.yml

Lines changed: 12 additions & 7 deletions
@@ -1,4 +1,4 @@
1-
name: "NGINXaaS for Azure Deployment Sync"
1+
name: "NGINXaaS Configuration Sync"
22
description: "Sync NGINX configuration from a git repo and/or certificates from an Azure Key Vault to an NGINXaaS for Azure deployment"
33
inputs:
44
subscription-id:
@@ -20,14 +20,19 @@ inputs:
2020
default: "nginx.conf"
2121
transformed-nginx-config-directory-path:
2222
description: >
23-
'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/".
24-
If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation
25-
can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.'
23+
'The absolute directory path in the NGINXaaS for Azure deployment where your configuration files will be placed.
24+
All files found in the nginx-config-directory-path will be copied to this location in the deployment.
25+
For example, use "/etc/nginx/" to match the standard NGINX directory structure on your NGINXaaS deployment.
26+
If your NGINX configuration files use absolute paths in "include" directives, this setting ensures those paths are correctly mapped in the deployment by prepending the specified directory.'
2627
required: false
2728
default: ""
2829
nginx-certificates:
29-
description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key" }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key" }] '
30+
description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/nginx/certs/server1.crt", "keyVirtualPath": "/etc/nginx/certs/server1.key" }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/nginx/certs/server2.crt", "keyVirtualPath": "/etc/nginx/certs/server2.key" }] '
3031
required: false
32+
protected-files:
33+
description: "Comma-separated list of file paths relative to nginx-config-directory-path that should be marked as protected. Example: 'ssl/private.key,conf.d/secrets.conf'"
34+
required: false
35+
default: ""
3136
debug:
3237
description: "Enable/Disable debug output."
3338
required: false
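
Review bot: the `nginx-certificates` description on new line 30 still names the keys as `nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path`, while its own example uses `certificateName`, `keyvaultSecret`, `certificateVirtualPath` and `keyVirtualPath`, and the second example object uses `"name": "server2"` instead of `"certificateName"`. deploy-certificate.sh in this commit reports `certificateName` as the required field and skips entries without it, so a user copying the second object would have that certificate skipped. Since this line is being edited anyway, list the camelCase keys in the description and fix the second example object.
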
@@ -36,10 +41,10 @@ runs:
3641
using: "composite"
3742
steps:
3843
- name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
39-
run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
44+
run: ${{github.action_path}}/src/deploy-certificate.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
4045
if: ${{ inputs.nginx-certificates != '' }}
4146
shell: bash
4247
- name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
43-
run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}
48+
run: ${{github.action_path}}/src/deploy-config.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-config-directory-path=${{ inputs.nginx-config-directory-path }} --nginx-root-config-file=${{ inputs.nginx-root-config-file }} --transformed-nginx-config-directory-path=${{ inputs.transformed-nginx-config-directory-path }} --protected-files=${{ inputs.protected-files }} --debug=${{ inputs.debug }}
4449
if: ${{ inputs.nginx-config-directory-path != '' }}
4550
shell: bash
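
Review bot: on new line 48, `--protected-files=${{ inputs.protected-files }}` is substituted into the `run:` script unquoted, as are the other inputs on lines 44 and 48. The expression is expanded before bash parses the line, so a value containing a space is split into separate arguments, and any shell metacharacters in an input are interpreted by bash rather than passed to the script. Map each input to a variable under `env:` (for example `PROTECTED_FILES: ${{ inputs.protected-files }}`) and reference it quoted, as in `--protected-files="$PROTECTED_FILES"`.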

src/deploy-certificate.sh

Lines changed: 71 additions & 74 deletions
@@ -1,19 +1,19 @@
11
#!/bin/bash
2-
set -euo pipefail
2+
set -eo pipefail
33
IFS=$'\n\t'
44

55
for i in "$@"
66
do
77
case $i in
8-
--subscription_id=*)
8+
--subscription-id=*)
99
subscription_id="${i#*=}"
1010
shift
1111
;;
12-
--resource_group_name=*)
12+
--resource-group-name=*)
1313
resource_group_name="${i#*=}"
1414
shift
1515
;;
16-
--nginx_deployment_name=*)
16+
--nginx-deployment-name=*)
1717
nginx_deployment_name="${i#*=}"
1818
shift
1919
;;
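
Review bot: line 2 drops `-u` for the whole script so that the new `[ -z "$subscription_id" ]` style checks can read unset variables, but that also means a misspelled variable name anywhere later in the script silently expands to an empty string. Keep `set -euo pipefail` and write the checks with a default expansion instead, for example `[ -z "${subscription_id:-}" ]`, and likewise `"${debug:-}"` where `debug` is tested.
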
@@ -26,35 +26,47 @@ case $i in
2626
shift
2727
;;
2828
*)
29-
echo "Not matched option '${i#*=}' passed in."
29+
echo "Unknown option '${i}' passed in."
3030
exit 1
3131
;;
3232
esac
3333
done
3434

35-
if [[ ! -v subscription_id ]];
36-
then
37-
echo "Please set 'subscription-id' ..."
38-
exit 1
35+
# Validate Required Parameters
36+
missing_params=()
37+
if [ -z "$subscription_id" ]; then
38+
missing_params+=("subscription-id")
3939
fi
40-
if [[ ! -v resource_group_name ]];
41-
then
42-
echo "Please set 'resource-group-name' ..."
43-
exit 1
40+
if [ -z "$resource_group_name" ]; then
41+
missing_params+=("resource-group-name")
4442
fi
45-
if [[ ! -v nginx_deployment_name ]];
46-
then
47-
echo "Please set 'nginx-deployment-name' ..."
48-
exit 1
43+
if [ -z "$nginx_deployment_name" ]; then
44+
missing_params+=("nginx-deployment-name")
45+
fi
46+
if [ -z "$certificates" ]; then
47+
missing_params+=("certificates")
4948
fi
50-
if [[ ! -v certificates ]];
51-
then
52-
echo "Please set 'nginx-certificates' ..."
49+
50+
# Check and print if any required params are missing
51+
if [ ${#missing_params[@]} -gt 0 ]; then
52+
echo "Error: Missing required variables in the workflow:"
53+
echo "${missing_params[*]}"
5354
exit 1
5455
fi
5556

57+
# Synchronize the NGINX certificates to the NGINXaaS for Azure deployment.
58+
59+
echo "Synchronizing NGINX certificates"
60+
echo "Subscription ID: $subscription_id"
61+
echo "Resource group name: $resource_group_name"
62+
echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
63+
echo ""
64+
5665
az account set -s "$subscription_id" --verbose
5766

67+
echo "Installing the az nginx extension if not already installed."
68+
az extension add --name nginx --allow-preview true
69+
5870
count=$(echo "$certificates" | jq '. | length')
5971
for (( i=0; i<count; i++ ));
6072
do
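
Review bot: the new `certificates` check on line 46 only tests for an empty string, and line 70 then runs `jq '. | length'` on whatever was passed. An empty array `[]` gives `count=0`, so the loop never runs and the script exits 0 without deploying anything, and a value that is not an array is not rejected with a clear message. Validate the shape up front, for example with `jq -e 'type == "array" and length > 0'`, and fail with an error that names the `nginx-certificates` input.
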
@@ -63,67 +75,52 @@ do
6375
nginx_key_file=$(echo "$certificates" | jq -r '.['"$i"'].keyVirtualPath')
6476
keyvault_secret=$(echo "$certificates" | jq -r '.['"$i"'].keyvaultSecret')
6577

66-
do_nginx_arm_deployment=1
67-
err_msg=" "
68-
if [ -z "$nginx_cert_name" ] || [ "$nginx_cert_name" = "null" ]
69-
then
70-
err_msg+="nginx_cert_name is empty;"
71-
do_nginx_arm_deployment=0
78+
# Validate certificate parameters
79+
missing_cert_params=()
80+
if [ -z "$nginx_cert_name" ] || [ "$nginx_cert_name" = "null" ]; then
81+
missing_cert_params+=("certificateName")
7282
fi
73-
if [ -z "$nginx_cert_file" ] || [ "$nginx_cert_file" = "null" ]
74-
then
75-
err_msg+="nginx_cert_file is empty;"
76-
do_nginx_arm_deployment=0
83+
if [ -z "$nginx_cert_file" ] || [ "$nginx_cert_file" = "null" ]; then
84+
missing_cert_params+=("certificateVirtualPath")
7785
fi
78-
if [ -z "$nginx_key_file" ] || [ "$nginx_key_file" = "null" ]
79-
then
80-
err_msg+="nginx_key_file is empty;"
81-
do_nginx_arm_deployment=0
86+
if [ -z "$nginx_key_file" ] || [ "$nginx_key_file" = "null" ]; then
87+
missing_cert_params+=("keyVirtualPath")
8288
fi
83-
if [ -z "$keyvault_secret" ] || [ "$keyvault_secret" = "null" ]
84-
then
85-
err_msg+="keyvault_secret is empty;"
86-
do_nginx_arm_deployment=0
89+
if [ -z "$keyvault_secret" ] || [ "$keyvault_secret" = "null" ]; then
90+
missing_cert_params+=("keyvaultSecret")
8791
fi
8892

89-
echo "Synchronizing NGINX certificate"
90-
echo "Subscription ID: $subscription_id"
91-
echo "Resource group name: $resource_group_name"
92-
echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
93-
echo ""
94-
echo "NGINXaaS for Azure cert name: $nginx_cert_name"
95-
echo "NGINXaaS for Azure cert file location: $nginx_cert_file"
96-
echo "NGINXaaS for Azure key file location: $nginx_key_file"
93+
if [ ${#missing_cert_params[@]} -gt 0 ]; then
94+
echo "Skipping certificate $i deployment due to missing parameters:"
95+
echo "${missing_cert_params[*]}"
96+
echo ""
97+
continue
98+
fi
99+
100+
echo "Processing certificate: $nginx_cert_name"
101+
echo "Certificate file location: $nginx_cert_file"
102+
echo "Key file location: $nginx_key_file"
97103
echo ""
98104

99-
echo "Installing the az nginx extension if not already installed."
100-
az extension add --name nginx --allow-preview true
105+
az_cmd=(
106+
"az"
107+
"nginx"
108+
"deployment"
109+
"certificate"
110+
"create"
111+
"--resource-group" "$resource_group_name"
112+
"--certificate-name" "$nginx_cert_name"
113+
"--deployment-name" "$nginx_deployment_name"
114+
"--certificate-path" "$nginx_cert_file"
115+
"--key-path" "$nginx_key_file"
116+
"--key-vault-secret-id" "$keyvault_secret"
117+
"--verbose"
118+
)
101119

102-
if [ $do_nginx_arm_deployment -eq 1 ]
103-
then
104-
az_cmd=(
105-
"az"
106-
"nginx"
107-
"deployment"
108-
"certificate"
109-
"create"
110-
"--resource-group" "$resource_group_name"
111-
"--certificate-name" "$nginx_cert_name"
112-
"--deployment-name" "$nginx_deployment_name"
113-
"--certificate-path" "$nginx_cert_file"
114-
"--key-path" "$nginx_key_file"
115-
"--key-vault-secret-id" "$keyvault_secret"
116-
"--verbose"
117-
)
118-
if [[ "$debug" == true ]]; then
119-
az_cmd+=("--debug")
120-
echo "${az_cmd[@]}"
121-
fi
122-
set +e
123-
"${az_cmd[@]}"
124-
set -e
125-
else
126-
echo "Skipping JSON object $i cert deployment with error:$err_msg"
127-
echo ""
120+
if [[ "$debug" == true ]]; then
121+
az_cmd+=("--debug")
122+
echo "${az_cmd[@]}"
128123
fi
124+
125+
"${az_cmd[@]}"
129126
done
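
Review bot: with the `set +e` / `set -e` pair around `"${az_cmd[@]}"` removed (new line 125), the first failing `az nginx deployment certificate create` now aborts the loop under `set -e`, while an entry with missing fields only hits `continue` on line 97 and the script still exits 0. A workflow can therefore report success when some or all certificates were skipped, and the two failure modes are treated differently without the commit message saying so. Pick one policy: either count skipped and failed entries and `exit 1` after the loop if the count is non-zero, or fail immediately on a malformed entry the same way a failed `az` call does.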
