Remove ACTIONS_ACR & consolidate secrets

.github/actions/devcontainer_run_command/action.yml

@@ -17,29 +17,11 @@ inputs:
   COMMAND:
     description: "The command you want to run in the Devcontainer."
     required: true
-  ACTIONS_ACR_NAME:
-    description: "The Azure Container registry name that the devcontainer is stored in."
-    required: true
-  ACTIONS_ACR_URI:
-    description: "The full uri of the Azure Container Registry where the devcontainer is stored in."
-    required: true
-  ACTIONS_ACR_PASSWORD:
-    description: "The Azure Container registry password for the devcontainer."
-    required: true
-  ACTIONS_DEVCONTAINER_TAG:
+  DEVCONTAINER_TAG:
     description: "The container label to use when running the command."
     required: true
-  ARM_TENANT_ID:
-    description: "Azure Tenant Id."
-    required: true
-  ARM_CLIENT_ID:
-    description: "Azure user Id. This user needs User Access Administrator permission as minimum."
-    required: true
-  ARM_CLIENT_SECRET:
-    description: "Azure user password."
-    required: true
-  ARM_SUBSCRIPTION_ID:
-    description: "Azure Subscription Id."
+  AZURE_CREDENTIALS:
+    description: "Credentials to access Azure."
     required: true
   API_CLIENT_ID:
     description: "The API Client Id."
@@ -118,7 +100,7 @@ inputs:
     default: "false"
   CI_CACHE_ACR_NAME:
     description: "A secondary ACR used for caching in CI environments"
-    required: false
+    required: true
     default: ""
   TF_LOG:
     description: "Log level for terraform - values are blank | DEBUG | TRACE"
@@ -128,12 +110,17 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Login to Container Registry
-      uses: docker/login-action@v1
+    - name: Azure Login
+      uses: azure/login@v1
+      if: contains(inputs.COMMAND, 'bootstrap') != true
       with:
-        registry: ${{ inputs.ACTIONS_ACR_URI }}
-        username: ${{ inputs.ACTIONS_ACR_NAME }}
-        password: ${{ inputs.ACTIONS_ACR_PASSWORD }}
+        creds: ${{ inputs.AZURE_CREDENTIALS }}
+
+    - name: ACR Login
+      shell: bash
+      if: contains(inputs.COMMAND, 'bootstrap') != true
+      run: |
+        az acr login --name "${{ inputs.CI_CACHE_ACR_NAME }}"
 
     - name: Run command in DevContainer
       shell: bash
@@ -151,10 +138,10 @@ runs:
           -e LOCATION="${{ inputs.LOCATION }}" \
           -e TF_VAR_location="${{ inputs.LOCATION }}" \
           -e RESOURCE_LOCATION="${{ inputs.LOCATION }}" \
-          -e ARM_CLIENT_ID="${{ inputs.ARM_CLIENT_ID }}" \
-          -e ARM_CLIENT_SECRET="${{ inputs.ARM_CLIENT_SECRET }}" \
-          -e ARM_TENANT_ID="${{ inputs.ARM_TENANT_ID }}" \
-          -e ARM_SUBSCRIPTION_ID="${{ inputs.ARM_SUBSCRIPTION_ID }}" \
+          -e ARM_CLIENT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientId }}" \
+          -e ARM_CLIENT_SECRET="${{ fromJSON(inputs.AZURE_CREDENTIALS).clientSecret }}" \
+          -e ARM_TENANT_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).tenantId }}" \
+          -e ARM_SUBSCRIPTION_ID="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
           -e TF_VAR_terraform_state_container_name="${{ inputs.TERRAFORM_STATE_CONTAINER_NAME }}" \
           -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
           -e TF_VAR_mgmt_resource_group_name="${{ inputs.MGMT_RESOURCE_GROUP_NAME }}" \
@@ -165,7 +152,7 @@ runs:
           -e TF_VAR_api_client_secret="${{ inputs.API_CLIENT_SECRET }}" \
           -e TF_VAR_application_admin_client_id="${{ inputs.APPLICATION_ADMIN_CLIENT_ID }}" \
           -e TF_VAR_application_admin_client_secret="${{ inputs.APPLICATION_ADMIN_CLIENT_SECRET }}" \
-          -e TF_VAR_arm_subscription_id="${{ inputs.ARM_SUBSCRIPTION_ID }}" \
+          -e TF_VAR_arm_subscription_id="${{ fromJSON(inputs.AZURE_CREDENTIALS).subscriptionId }}" \
           -e SWAGGER_UI_CLIENT_ID="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
           -e TF_VAR_swagger_ui_client_id="${{ inputs.SWAGGER_UI_CLIENT_ID }}" \
           -e TF_VAR_core_address_space="${{ inputs.core_address_space }}" \
@@ -185,5 +172,5 @@ runs:
           -e TF_VAR_stateful_resources_locked=${{ inputs.STATEFUL_RESOURCES_LOCKED }} \
           -e TF_VAR_enable_airlock_malware_scanning=${{ inputs.ENABLE_AIRLOCK_MALWARE_SCANNING }} \
           -e CI_CACHE_ACR_NAME="${{ inputs.CI_CACHE_ACR_NAME }}" \
-          '${{ inputs.ACTIONS_ACR_URI }}tredev:${{ inputs.ACTIONS_DEVCONTAINER_TAG }}' \
+          '${{ inputs.CI_CACHE_ACR_NAME }}.azurecr.io/tredev:${{ inputs.DEVCONTAINER_TAG }}' \
         bash -c "${{ inputs.COMMAND }}"

.github/workflows/deploy_tre.yml

@@ -29,18 +29,12 @@ jobs:
     secrets:
       AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
       ACR_NAME: ${{ secrets.ACR_NAME }}
-      ACTIONS_ACR_NAME: ${{ secrets.ACTIONS_ACR_NAME }}
-      ACTIONS_ACR_URI: ${{ secrets.ACTIONS_ACR_NAME }}.azurecr.io/
-      ACTIONS_ACR_PASSWORD: ${{ secrets.ACTIONS_ACR_PASSWORD }}
-      ACTIONS_DEVCONTAINER_TAG: 'latest'
+      DEVCONTAINER_TAG: 'latest'
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
       API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
       API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
       APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}
       APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}
-      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
       CORE_ADDRESS_SPACE: ${{ secrets.CORE_ADDRESS_SPACE }}
       LOCATION: ${{ secrets.LOCATION }}
       MGMT_RESOURCE_GROUP: ${{ secrets.MGMT_RESOURCE_GROUP }}
@@ -55,3 +49,4 @@ jobs:
       TF_STATE_CONTAINER: ${{ secrets.TF_STATE_CONTAINER }}
       TRE_ADDRESS_SPACE: ${{ secrets.TRE_ADDRESS_SPACE }}
       TRE_ID: ${{ secrets.TRE_ID }}
+      CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}

.github/workflows/deploy_tre_branch.yml

@@ -61,18 +61,12 @@ jobs:
     secrets:
       AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
       ACR_NAME: ${{ format('tre{0}', needs.prepare-not-main.outputs.refid) }}
-      ACTIONS_ACR_NAME: ${{ secrets.ACTIONS_ACR_NAME }}
-      ACTIONS_ACR_URI: ${{ secrets.ACTIONS_ACR_NAME }}.azurecr.io/
-      ACTIONS_ACR_PASSWORD: ${{ secrets.ACTIONS_ACR_PASSWORD }}
-      ACTIONS_DEVCONTAINER_TAG: ${{ needs.prepare-not-main.outputs.refid }}
+      DEVCONTAINER_TAG: ${{ needs.prepare-not-main.outputs.refid }}
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
       API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
       API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
       APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}
       APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}
-      ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-      ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-      ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-      ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
       CORE_ADDRESS_SPACE: ${{ secrets.CORE_ADDRESS_SPACE }}
       LOCATION: ${{ secrets.LOCATION }}
       MGMT_RESOURCE_GROUP: ${{ format('rg-tre{0}-mgmt', needs.prepare-not-main.outputs.refid) }}