Continuous deployment
You can automatically deploy all changes that you make to a fork of the nRF Asset Tracker for Azure.
Note
It is optional to keep the deployment in your Azure account automatically synchronized with your fork’s source code repository.
Fork the nRF Asset Tracker repositories
To enable continuous deployment, complete the following steps:
Fork the nRF Asset Tracker for Azure repository.
Update the deploy.webApp.repository property in the package.json file of your nRF Asset Tracker for Azure fork. It must point to the repository URL of your fork of the nRF Asset Tracker web application.
Authenticate GitHub Actions against Azure using OpenID Connect
To allow the continuous deployment GitHub Action workflow to authenticate against Azure with short-lived credentials using a service principal, complete the following steps:
Follow the instructions to Configure a service principal with a Federated Credential to use OIDC based authentication. Use https://nrfassettracker.invalid/cd as the name. On the command line, use the following commands:
# Create the app registration that GitHub Actions will authenticate as
az ad app create --display-name 'https://nrfassettracker.invalid/cd'
export APPLICATION_OBJECT_ID=`az ad app list | jq -r '.[] | select(.displayName=="https://nrfassettracker.invalid/cd") | .id' | tr -d '\n'`
# Register the federated credential: tokens are only accepted from this issuer, for this exact subject, with this audience
az rest --method POST \
  --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials" \
  --body '{"name":"GitHubActions","issuer":"https://token.actions.githubusercontent.com","subject":"repo:NordicSemiconductor/asset-tracker-cloud-azure-js:environment:production","description":"Allow GitHub Actions to modify Azure resources","audiences":["api://AzureADTokenExchange"]}'
Use the organization and repository name of your fork instead of NordicSemiconductor/asset-tracker-cloud-azure-js in the command.
Set the secrets:
Set the secrets using the GitHub UI:
Set the following secrets to an environment called production in your fork of the nRF Asset Tracker for Azure:
AZURE_CLIENT_ID - Store the application (client) ID of the service principal app registration created in the previous step.
AZURE_TENANT_ID - Store the directory (tenant) ID of the service principal app registration created in the previous step.
AZURE_SUBSCRIPTION_ID - Store the ID of the subscription containing the nRF Asset Tracker resources.
Set also the following values from your .envrc file as secrets:
RESOURCE_GROUP
LOCATION
APP_NAME
B2C_TENANT
APP_REG_CLIENT_ID
Alternatively, set the secrets using the GitHub CLI:
You can use the GitHub CLI with the environment settings from above (make sure to create the production deployment environment in your repository first):
export AZURE_CLIENT_ID=`az ad app list | jq -r '.[] | select(.displayName=="https://nrfassettracker.invalid/cd") | .appId' | tr -d '\n'`
export AZURE_TENANT_ID=`az ad sp show --id ${AZURE_CLIENT_ID} | jq -r '.appOwnerOrganizationId' | tr -d '\n'`
# SUBSCRIPTION_ID is the ID of the subscription containing the nRF Asset Tracker resources
gh secret set AZURE_CLIENT_ID --env production --body "${AZURE_CLIENT_ID}"
gh secret set AZURE_TENANT_ID --env production --body "${AZURE_TENANT_ID}"
gh secret set AZURE_SUBSCRIPTION_ID --env production --body "${SUBSCRIPTION_ID}"
gh secret set RESOURCE_GROUP --env production --body "${RESOURCE_GROUP}"
gh secret set LOCATION --env production --body "${LOCATION}"
gh secret set APP_NAME --env production --body "${APP_NAME}"
gh secret set B2C_TENANT --env production --body "${B2C_TENANT}"
gh secret set APP_REG_CLIENT_ID --env production --body "${APP_REG_CLIENT_ID}"
Grant the application created in step 1 Owner permissions for your resource group:
export AZURE_CLIENT_ID=`az ad app list | jq -r '.[] | select(.displayName=="https://nrfassettracker.invalid/cd") | .appId' | tr -d '\n'`
az role assignment create --role Owner \
  --assignee ${AZURE_CLIENT_ID} \
  --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP:-nrfassettracker}
Grant the application created in step 1 “Key Vault Secrets Officer” rights to the KeyVault:
export AZURE_CLIENT_ID=`az ad app list | jq -r '.[] | select(.displayName=="https://nrfassettracker.invalid/cd") | .appId' | tr -d '\n'`
az role assignment create --role "Key Vault Secrets Officer" \
  --assignee ${AZURE_CLIENT_ID} \
  --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP:-nrfassettracker}/providers/Microsoft.KeyVault/vaults/${APP_NAME:-nrfassettracker}
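The federated credential registered in the first step is matched against the claims of the OIDC token a workflow job presents, and the match is an exact string comparison. The following added example (not part of the nRF Asset Tracker project) models that comparison on constructed claim sets, to show why a fork must register its own org/repo name in the subject and why the job must run in the production environment; signature validation against the issuer's keys happens before this comparison and is out of scope here.

```python
# Added example, not part of the nRF Asset Tracker project: a model of how the
# federated identity credential above is matched against a GitHub Actions OIDC
# token. Claims are constructed; signature validation is out of scope.
from typing import Optional, Tuple

# The credential exactly as created by the `az rest` call in the steps above.
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:NordicSemiconductor/asset-tracker-cloud-azure-js:environment:production",
    "audiences": ["api://AzureADTokenExchange"],
}


def github_subject(org_repo: str, environment: Optional[str] = None, ref: str = "main") -> str:
    """Build the `sub` claim GitHub issues: a job that declares `environment:` gets
    `repo:ORG/REPO:environment:NAME`, otherwise `repo:ORG/REPO:ref:refs/heads/BRANCH`."""
    if environment is not None:
        return f"repo:{org_repo}:environment:{environment}"
    return f"repo:{org_repo}:ref:refs/heads/{ref}"


def matches_federated_credential(claims: dict, cred: dict = FEDERATED_CREDENTIAL) -> Tuple[bool, str]:
    """Exact comparison of iss, sub and aud: no wildcards, no prefix matching, so a
    fork needs its own org/repo in the subject and the job must run in `production`."""
    if claims.get("iss") != cred["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    presented = aud if isinstance(aud, list) else [aud]
    if not any(a in cred["audiences"] for a in presented):
        return False, "audience mismatch"
    if claims.get("sub") != cred["subject"]:
        return False, f"subject mismatch: token carries {claims.get('sub')!r}"
    return True, "ok"


def token_claims(sub: str) -> dict:
    """Constructed claim set for a GitHub Actions token with the given subject."""
    return {"iss": "https://token.actions.githubusercontent.com",
            "aud": "api://AzureADTokenExchange", "sub": sub}


# Upstream repo, job in the `production` environment: accepted.
UPSTREAM_PROD = token_claims(github_subject("NordicSemiconductor/asset-tracker-cloud-azure-js", environment="production"))
# A fork (constructed org name) whose owner did not update the subject in the credential: rejected.
FORK_PROD = token_claims(github_subject("example-org/asset-tracker-cloud-azure-js", environment="production"))
# Same repo, but a job without `environment: production` (subject names the branch): rejected.
UPSTREAM_BRANCH = token_claims(github_subject("NordicSemiconductor/asset-tracker-cloud-azure-js", ref="main"))

if __name__ == "__main__":
    for name, claims in [("upstream/production", UPSTREAM_PROD), ("fork/production", FORK_PROD), ("upstream/branch", UPSTREAM_BRANCH)]:
        print(name, matches_federated_credential(claims))
```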
Trigger a deployment
Commit a change to your fork to trigger a deployment.
Check the status of the continuous deployment
To check the status of the continuous deployment after making the changes, navigate to the Actions tab of your fork. You can see a workflow run of the Continuous Deployment action there.
More information
For more details about how GitHub Actions uses OIDC, read About security hardening with OpenID Connect in the GitHub Actions documentation.