-
Notifications
You must be signed in to change notification settings - Fork 6
119 lines (118 loc) · 4.57 KB
/
deploy_azfw_arm.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
on:
push:
branches: [master]
paths:
- '**.json'
name: Azure ARM - Azure Firewall - On Push
jobs:
deploy-azfw-policy:
concurrency:
group: deploy_azfw
runs-on: ubuntu-latest
steps:
# Checkout code
- uses: actions/checkout@main
# Define path filters
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
azfw_shared:
- 'shared/ARM/**.json'
azfw_shared_policy:
- 'shared/ARM/azfwpolicy.json'
azfw_shared_rcg:
- 'shared/ARM/rcg-global.json'
azfw_shared_ipgroups:
- 'shred/ARM/ipgroups-global.json'
azfw_app01:
- 'app01/ARM/**.json'
azfw_app01_rcg:
- 'app01/ARM/rcg-app01.json'
azfw_app01_ipgroups:
- 'app01/ARM/ipgroups-app01.json'
azfw_app02:
- 'app02/ARM/**.json'
azfw_app02_rcg:
- 'app02/ARM/rcg-app02.json'
azfw_app02_ipgroups:
- 'app02/ARM/ipgroups-app02.json'
azfw_app03:
- 'app03/ARM/*.json'
- 'app03/dev/ARM/*.json'
- 'app03/qa/ARM/*.json'
- 'app03/staging/ARM/*.json'
- 'app03/prod/ARM/*.json'
# Log into Azure
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
# Deploy ARM templates for global resources
- name: Deploy ARM template for global policy
if: steps.filter.outputs.azfw_shared_policy == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./shared/ARM/azfwpolicy.json
parameters: policyName=TestPolicy
- name: Deploy ARM template for shared IP groups
if: steps.filter.outputs.azfw_shared_ipgroups == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./shared/ARM/ipgroups-global.json
- name: Deploy ARM template for global RCG
if: steps.filter.outputs.azfw_shared_rcg == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./shared/ARM/rcg-global.json
parameters: policyName=TestPolicy rcgName=GlobalRCG
# Deploy ARM templates for app01
- name: Deploy ARM template for app01 IP groups
if: steps.filter.outputs.azfw_app01_ipgroups == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./app01/ARM/ipgroups-app01.json
- name: Deploy ARM template for app01 RCG
if: steps.filter.outputs.azfw_app01_rcg == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./app01/ARM/rcg-app01.json
parameters: policyName=TestPolicy rcgName=app01-RCG
# Deploy ARM templates for app02
- name: Deploy ARM template for app02 IP groups
if: steps.filter.outputs.azfw_app02_ipgroups == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./app02/ARM/ipgroups-app02.json
- name: Deploy ARM template for app02 RCG
if: steps.filter.outputs.azfw_app02_rcg == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./app02/ARM/rcg-app02.json
parameters: policyName=TestPolicy rcgName=app02-RCG
# Deploy ARM templates for app03 (aggregate files)
- name: Deploy ARM template for app03 rule collections (aggregate files)
if: steps.filter.outputs.azfw_app03 == 'true'
run: |
python3 ./scripts/merge_rcg.py --rcg-file ./app03/ARM/rcg-app03.json --rc-directories "./app03/dev/ARM ./app03/qa/ARM ./app03/staging/ARM ./app03/prod/ARM" --output-file ./app03/ARM/rcg-merged.json --verbose
- name: Deploy ARM template for merged app03 RCG
if: steps.filter.outputs.azfw_app03 == 'true'
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
resourceGroupName: ${{ secrets.AZURE_RG }}
template: ./app03/ARM/app03/rcg-merged.json
parameters: policyName=TestPolicy rcgName=app03-RCG