07 IaC Bicep
The GitHub Action workflow workflows/iac-fabric-dataplatform.yml runs the IaC Bicep scripts that deploy the cloud resources. Open the Provision Fabric Data Platform action and click Run workflow to trigger it.
Pre-requisite: Create a Service Principal and assign it the Contributor and User Access Administrator roles on the subscription. User Access Administrator lets the principal grant roles to other identities, so treat its client secret as highly privileged: keep it only in the repository secret listed below and rotate it if it is ever exposed.
This GitHub Action requires the following repository secrets:
- ACTION_SPN_CLIENTID: Client/Application ID of the Service Principal.
- ACTION_SPN_SECRET: Client secret of the Service Principal.
- AZURE_RG: Resource Group in which the Fabric capacity in Azure will be provisioned.
- FABRIC_CAPACITY_ADMIN_EMAIL: Email address of the Fabric capacity administrator.
- SUBSCRIPTION_ID: ID of the Azure Subscription in which the resources will be provisioned. The Service Principal requires the Contributor and User Access Administrator roles on this subscription.
- TENANT_ID: ID of the Entra tenant in which the resources will be provisioned.
To provision cloud resources, use the Bicep scripts available in the iac/bicep directory of the repository. The main.bicep is the script called by the workflow file.
The main.bicep script calls the following modules:
- fabric-capacity: Creates a Fabric capacity of the chosen SKU in Azure.
- keyvault: Creates a Key Vault and manages access policies.
- Review the parameters in main.bicep and override the default values to match your naming convention. Each parameter's @description decorator explains what it controls.
- While in main.bicep, also review the parameters passed to the modules in case you need to override their defaults, for example keyvault_name.
- Edit keyvault.bicep and update the access policies section. In particular, add the object ID of the Service Principal created above. This is the object ID of the service principal (the enterprise application) in your tenant, not the application/client ID stored in ACTION_SPN_CLIENTID; you can look it up with `az ad sp show --id <client-id> --query id -o tsv`. The Service Principal needs only list and get permissions on secrets. Also add yourself and any other users or security groups that require access to the Key Vault secrets, with the minimum permissions each needs. Do not leave the placeholder object IDs in place: the policies should list only principals you control.
```bicep
// Default access policies. Replace each objectId with the object ID of your
// own user, group or service principal before committing.
accessPolicies: [
  { tenantId: subscription().tenantId
    objectId: '01e16ca5-e5da-49f3-ac27-a46f1cc68ede' // placeholder: replace with a user/group object ID
    permissions: { secrets: ['list', 'get', 'set'] }
  }
  { tenantId: subscription().tenantId
    objectId: '688ad7c8-d7bb-4f32-884a-05601c9762a2' // placeholder: replace with a user/group object ID
    permissions: { secrets: ['list', 'get', 'set'] }
  }
  { tenantId: subscription().tenantId
    objectId: '703595dd-9298-4ef8-ab80-a64f10e8ea07' // placeholder: replace with a read-only principal, e.g. the deployment Service Principal
    permissions: { secrets: ['list', 'get'] } // list and get are all the workflow's Service Principal needs
  }
]
```
Once done, commit the changes and open a pull request. Then navigate to Actions -> All Workflows -> Provision Fabric Data Platform and click Run workflow to kick off provisioning.
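As a check to run before committing the edited keyvault.bicep, here is an added Python script that is not part of the repository. It scans the accessPolicies block for the placeholder object IDs shipped in the template, malformed GUIDs, a missing entry for the deployment Service Principal, secret permissions beyond the list and get the Service Principal needs, and the blanket all/purge permissions. The embedded Bicep text, the made-up object IDs such as 33333333-3333-3333-3333-333333333333, and the regex-based parsing are constructed assumptions for this example; the parser only understands the one-objectId-then-one-permissions layout shown on this page.

```python
"""Pre-commit check for the accessPolicies block of keyvault.bicep.

Added example, not part of the repository. It assumes the block layout shown
on this page (one objectId followed by one permissions clause per entry).
"""
import re
import sys

# Placeholder object IDs shipped in the template; committing them unchanged
# means the policies list principals you do not control.
PLACEHOLDER_IDS = {
    "01e16ca5-e5da-49f3-ac27-a46f1cc68ede",
    "688ad7c8-d7bb-4f32-884a-05601c9762a2",
    "703595dd-9298-4ef8-ab80-a64f10e8ea07",
}
# The deployment Service Principal only needs to read secrets.
SPN_ALLOWED = {"list", "get"}
# Blanket or destructive secret permissions nobody should get by default.
HIGH_RISK = {"all", "purge"}

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# One policy entry: an objectId literal followed by its secrets permission list.
ENTRY_RE = re.compile(
    r"objectId:\s*'(?P<oid>[^']*)'.*?permissions:\s*\{\s*secrets:\s*\[(?P<perms>[^\]]*)\]",
    re.S,
)


def parse_policies(bicep_text):
    """Return [(objectId, {secret permissions}), ...] in file order."""
    policies = []
    for m in ENTRY_RE.finditer(bicep_text):
        perms = {p.strip().strip("'\"").lower()
                 for p in m.group("perms").split(",") if p.strip()}
        policies.append((m.group("oid"), perms))
    return policies


def check_policies(bicep_text, spn_object_id):
    """Return a list of findings; an empty list means the block is safe to commit."""
    findings = []
    policies = parse_policies(bicep_text)
    if not policies:
        findings.append("no accessPolicies entries found")
    spn_seen = False
    for oid, perms in policies:
        if not GUID_RE.match(oid):
            findings.append(f"{oid!r} is not a GUID")
        if oid.lower() in PLACEHOLDER_IDS:
            findings.append(f"placeholder objectId {oid} was not replaced")
        if oid.lower() == spn_object_id.lower():
            spn_seen = True
            extra = perms - SPN_ALLOWED
            if extra:
                findings.append(f"service principal {oid} has excess secret permissions {sorted(extra)}")
        risky = perms & HIGH_RISK
        if risky:
            findings.append(f"{oid} is granted {sorted(risky)} on secrets; remove it")
    if not spn_seen:
        findings.append(f"service principal {spn_object_id} has no access policy; the workflow cannot read secrets")
    return findings


# Constructed sample: the block as shipped on this page (placeholders intact).
TEMPLATE_AS_SHIPPED = """
accessPolicies: [
  { tenantId: subscription().tenantId
    objectId: '01e16ca5-e5da-49f3-ac27-a46f1cc68ede'
    permissions: { secrets: ['list', 'get', 'set'] }
  }
  { tenantId: subscription().tenantId
    objectId: '688ad7c8-d7bb-4f32-884a-05601c9762a2'
    permissions: { secrets: ['list', 'get', 'set'] }
  }
  { tenantId: subscription().tenantId
    objectId: '703595dd-9298-4ef8-ab80-a64f10e8ea07'
    permissions: { secrets: ['list', 'get'] }
  }
]
"""
# Constructed sample after editing: made-up IDs for a user, a group and the SPN.
SPN_OID = "33333333-3333-3333-3333-333333333333"
TEMPLATE_EDITED = (TEMPLATE_AS_SHIPPED
                   .replace("01e16ca5-e5da-49f3-ac27-a46f1cc68ede", "11111111-1111-1111-1111-111111111111")
                   .replace("688ad7c8-d7bb-4f32-884a-05601c9762a2", "22222222-2222-2222-2222-222222222222")
                   .replace("703595dd-9298-4ef8-ab80-a64f10e8ea07", SPN_OID))


if __name__ == "__main__":
    # Usage: python check_kv_policies.py iac/bicep/keyvault.bicep <spn-object-id>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
        spn = sys.argv[2]
    else:
        text, spn = TEMPLATE_AS_SHIPPED, SPN_OID
    findings = check_policies(text, spn)
    for finding in findings:
        print("FAIL:", finding)
    sys.exit(1 if findings else 0)
```

Run it with the path to keyvault.bicep and the Service Principal's object ID; a non-zero exit means there is at least one finding to fix before the pull request. It inspects only the secrets permission list, so keys and certificates permissions, if you add any, still need a manual review.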