This repository demonstrates how to automate the deployment of Azure resources using GitHub Actions and Bicep templates. The workflow provisions a resource group, a storage account, and a blob container with restricted IP access, and associates a Log Analytics workspace for monitoring.
The GitHub Actions workflow is triggered on a push to the main branch and performs the following steps:
- Checks out the repository.
- Logs in to Azure using a service principal.
- Creates a resource group.
- Deploys a storage account and blob container.
- Configures diagnostic settings to send logs to a Log Analytics workspace.
```yaml
name: Deploy Azure Resources
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
    # AZURE_CREDENTIALS holds the service principal JSON described in the setup steps.
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    - name: Create Resource Group
      run: |
        az group create --name rrblobtest --location "UK South"
    - name: Deploy Storage Account
      run: |
        az deployment group create \
          --resource-group rrblobtest \
          --template-file bicep/storage-account.bicep \
          --parameters location="UK South" \
                      storageAccountName="teststorage20241229" \
                      containerName="images" \
                      allowedIP="92.16.42.251"
    # The workspace rrlogtest must already exist: no step in this workflow deploys it.
    - name: Associate Log Analytics Workspace
      run: |
        az monitor diagnostic-settings create \
          --name "storageAccountDiagnostics" \
          --resource /subscriptions/929d7635-207a-4b22-8d24-34e2ae29092b/resourceGroups/rrblobtest/providers/Microsoft.Storage/storageAccounts/teststorage20241229 \
          --metrics '[{"category": "Transaction", "enabled": true}, {"category": "Capacity", "enabled": true}]' \
          --workspace /subscriptions/929d7635-207a-4b22-8d24-34e2ae29092b/resourceGroups/rrblobtest/providers/Microsoft.OperationalInsights/workspaces/rrlogtest
```

The following Bicep templates are used for deploying the Log Analytics workspace and the storage account with the blob container.
```bicep
@description('The location for the Log Analytics workspace.')
param location string
@description('The name of the Log Analytics workspace.')
param logAnalyticsWorkspaceName string
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: logAnalyticsWorkspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: 30
  }
}
output logAnalyticsWorkspaceId string = logAnalyticsWorkspace.id
```

```bicep
@description('The location for all resources.')
param location string
@description('The name of the storage account.')
param storageAccountName string
@description('The name of the container to create.')
param containerName string
@description('The IP address allowed to access the storage account.')
param allowedIP string
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
    // Permits containers in this account to be configured for anonymous read access.
    allowBlobPublicAccess: true
    networkAcls: {
      // Deny by default; only allowedIP and trusted Azure services pass the firewall.
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      ipRules: [
        {
          value: allowedIP
          action: 'Allow'
        }
      ]
    }
  }
}
resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
  parent: storageAccount
  name: 'default'
}
resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@2022-09-01' = {
  parent: blobService
  name: containerName
  properties: {
    // Anonymous read access to individual blobs (no container listing).
    publicAccess: 'Blob'
  }
}
```
- Clone the Repository: `git clone https://github.com/your-repo.git`
- Set Up Azure Credentials: Add the `AZURE_CREDENTIALS` secret to your GitHub repository. This should contain the JSON output from creating a service principal.
- Modify Parameters: Update the Bicep template parameters as needed (e.g., `storageAccountName`, `allowedIP`).
- Push Changes: Commit and push your changes to the `main` branch to trigger the workflow.
- Monitor Deployment: Check the Actions tab in your GitHub repository for deployment logs.
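
A pre-push check for the "Modify Parameters" step, added here as an example and not part of this repository: it audits the compiled form of the storage template (the JSON that `az bicep build` produces) together with the parameter values, and reports a firewall that is not deny-by-default, IP rules that are private or match everything, and settings that allow anonymous reads. The function names, the finding strings and the inline sample template are assumptions constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the compiled storage template from this README
# (child resource name shortened for readability).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "[parameters('storageAccountName')]",
   "properties": {"allowBlobPublicAccess": true,
     "networkAcls": {"bypass": "AzureServices", "defaultAction": "Deny",
       "ipRules": [{"value": "[parameters('allowedIP')]", "action": "Allow"}]}}},
  {"type": "Microsoft.Storage/storageAccounts/blobServices/containers", "name": "images",
   "properties": {"publicAccess": "Blob"}}
]}
""")

_PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, params):
    """Substitute a bare [parameters('x')] expression; leave anything else untouched."""
    m = _PARAM.match(value) if isinstance(value, str) else None
    return params.get(m.group(1), value) if m else value

def audit(template, params):
    """Return a list of findings for storage resources in a compiled ARM template."""
    findings = []
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates use an object, not a list
        resources = list(resources.values())
    for res in resources:
        props = res.get("properties", {})
        if res["type"] == "Microsoft.Storage/storageAccounts":
            acls = props.get("networkAcls", {})
            if acls.get("defaultAction") != "Deny":
                findings.append("firewall defaultAction is not Deny")
            if props.get("allowBlobPublicAccess") is True:
                findings.append("allowBlobPublicAccess is true")
            for rule in acls.get("ipRules", []):
                ip = resolve(rule["value"], params)
                try:
                    net = ipaddress.ip_network(ip, strict=False)
                except ValueError:
                    findings.append(f"ipRule {ip!r} is not an IP or CIDR")
                    continue
                # Storage firewall IP rules are meant for public internet addresses.
                if net.is_private or net.prefixlen == 0:
                    findings.append(f"ipRule {ip} is private or matches everything")
        elif res["type"].endswith("/blobServices/containers"):
            if props.get("publicAccess", "None") != "None":
                findings.append(f"container allows anonymous {props['publicAccess']} access")
    return findings
```

Calling `audit(SAMPLE_TEMPLATE, {"allowedIP": "92.16.42.251"})` returns the two anonymous-access findings, which a reviewer can then confirm as intended or remove from the template.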
