_setAclPermissions.yml
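# Reusable workflow: logs in to Azure with a service principal and writes a
# POSIX-style ACL on one path of an ADLS Gen2 file system, adding a named-user
# entry for `user_object_id` with `acl_permissions`.
name: Set ACL Permissions Template

on:
  workflow_call:
    inputs:
      environment:
        # NOTE(review): with `required: true` the caller must always pass a
        # value, so this default is presumably never applied - confirm intent.
        required: true
        type: string
        default: "dev"
        description: "Specifies the environment of the deployment."
      storage_account_name:
        required: true
        type: string
        description: "Specifies the name of the storage account."
      storage_container_name:
        required: true
        type: string
        description: "Specifies the name of the storage account container name."
      storage_container_path:
        required: true
        type: string
        description: "Specifies the path within the storage account container."
      user_object_id:
        required: true
        type: string
        description: "Specifies the object id of the identity that should be granted access."
      acl_permissions:
        required: true
        type: string
        description: "Specifies the acl permissions to be granted to the identity (e.g. 'rwx')."
    secrets:
      TENANT_ID:
        required: true
        description: "Specifies the tenant id of the deployment."
      SUBSCRIPTION_ID:
        required: true
        description: "Specifies the subscription id of the deployment."
      CLIENT_ID:
        required: true
        description: "Specifies the client id."
      CLIENT_SECRET:
        required: true
        description: "Specifies the client secret."

jobs:
  exec:
    name: Run Az CLI Command
    runs-on: ubuntu-latest  # [self-hosted, linux, adp]
    continue-on-error: false
    environment: "${{ inputs.environment }}"
    # NOTE(review): no step here uses GITHUB_TOKEN; consider a job-level
    # `permissions: {}` once confirmed it does not affect the environment
    # deployment record.
    steps:
      # Login to Azure
      # NOTE(review): `@v1` is a mutable tag; pinning to a full commit SHA
      # (`azure/login@<full-commit-sha>  # v1`) prevents a retagged release
      # from running with these credentials.
      # NOTE(review): this uses a long-lived client secret. azure/login also
      # supports OIDC federated credentials (client-id / tenant-id /
      # subscription-id inputs plus `id-token: write`), which removes the
      # stored secret.
      - name: Azure Login
        id: azure_login
        uses: azure/login@v1
        with:
          creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'

      # Grant Access - ACL
      # All caller-supplied values reach the script through `env`, never
      # through `${{ }}` inside `run`, so they are data to the shell rather
      # than script text.
      - name: Grant Access - ACL
        id: access_acl
        run: |
          set -euo pipefail

          # The object id and permissions are spliced into a comma-separated
          # ACL list. Reject anything that could append or alter entries
          # (commas, colons, whitespace) before it reaches the CLI.
          case "$USER_OBJECT_ID" in
            '' | *[!0-9a-fA-F-]*)
              echo "::error::user_object_id may only contain hex digits and hyphens"
              exit 1
              ;;
          esac
          case "$ACL_PERMISSIONS" in
            '' | *[!rwx-]*)
              echo "::error::acl_permissions may only contain the characters r, w, x and -"
              exit 1
              ;;
          esac

          echo "Set Azure Context"
          az account set -s "$SUBSCRIPTION_ID"
          echo "Set ACL"
          # NOTE(review): `access set` writes this list as the path's complete
          # access ACL, so other named user/group entries already on the path
          # are replaced. It applies to this path only (not recursive).
          az storage fs access set \
            --acl "user::rwx,group::r-x,other::---,mask::rwx,user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
            --path "$STORAGE_CONTAINER_PATH" \
            --file-system "$STORAGE_CONTAINER_NAME" \
            --account-name "$STORAGE_ACCOUNT_NAME" \
            --auth-mode login
        env:
          SUBSCRIPTION_ID: "${{ secrets.SUBSCRIPTION_ID }}"
          USER_OBJECT_ID: "${{ inputs.user_object_id }}"
          ACL_PERMISSIONS: "${{ inputs.acl_permissions }}"
          STORAGE_ACCOUNT_NAME: "${{ inputs.storage_account_name }}"
          STORAGE_CONTAINER_NAME: "${{ inputs.storage_container_name }}"
          STORAGE_CONTAINER_PATH: "${{ inputs.storage_container_path }}"

      # Log out from Azure
      # `always()` keeps the logout running when the ACL step fails, so the
      # cached service-principal session is not left behind on a reused
      # (self-hosted) runner.
      - name: Log out from Azure
        id: azure_logout
        if: always()
        run: |
          az logout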