GitHub Actions & Azure — How to deploy into multiple subscriptions

Hey everyone, I hope you are doing well.

Today’s post will talk about deploying an Azure resource or service into multiple subscriptions through GitHub Actions.

What does it mean?

Let’s take a use case. Assume that I have an Azure Policy that I want to deploy using GitHub Actions (using the Azure Policy action). I want to deploy it to several subscriptions, and I want to do it in one go!

GitHub Actions: How to use the Azure Policy Action?

First of all, create a GitHub repository. Then you need a directory layout like this:

|-Policies/
  |-DisplayName_Name1/
    |-policy.json
    |-assign.displayName_Name.json
  |-DisplayName_Name2/
    |-policy.json
    |-assign.displayName_Name.json

It is not magic; everything is described in the documentation. You just need to take care with the naming: to deploy the policy definition, the policy file must be named as shown in the tree above.

Then you will need the workflow:

The action takes all the policies in the directory given in the path property and deploys them. Great, huh?

Let’s see how the policy is written:

The “id” property is important for the deployment.

Here is a repository where I set up this action:

charotAmine/policyAction (github.com)

GitHub Actions: How to deploy this policy to multiple subscriptions?

A matrix allows you to create multiple jobs by performing variable substitution in a single job definition. For example, you can use a matrix to create jobs for more than one supported version of a programming language, operating system, or tool. A matrix reuses the job’s configuration and creates a job for each matrix you configure.

  • How does it work?

Let’s take the same example as the documentation:

strategy:
  matrix:
    node: [6, 8, 10]
steps:
  # Configures the node version used on GitHub-hosted runners
  - uses: actions/setup-node@v1
    with:
      # The Node.js version to configure
      node-version: ${{ matrix.node }}

The matrix takes an array as input. It runs one job per value, with node-version set to 6, 8 and 10 in turn.

  • How to use the matrix strategy to deploy to multiple subscriptions?

I think this is clear; we will do something like:

strategy:
  matrix:
    subscriptionIds: [id1, id2, ...]

So, let’s improve our workflow:

First of all, I added the matrix strategy:

strategy:
  matrix:
    subscriptionIds: ["68a49bc4-1f2b-4af5-9c53-da081debe239", "fa971420-4388-457a-ac56-1cd453785f14"]

This says that I want to deploy the policy in both subscriptions.

Then, in the policy, I replaced the subscription ID with the keyword {{SID}}, and I used an action to find all policy.json files and replace the keyword with the appropriate subscription:

- name: Find and Replace
  uses: jacobtomlinson/gha-find-replace@master
  with:
    find: "{{SID}}"
    replace: ${{ matrix.subscriptionIds }}
    include: "policy.json"

And the deployment worked like a charm for the subscriptions.
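The steps above assembled into one workflow, as an added example that is not the author's own workflow file. It assumes the Policies/ layout from the tree, the azure/login and azure/manage-azure-policy actions, a secret named AZURE_CREDENTIALS holding a service principal with policy rights in every listed subscription, a main branch, and placeholder subscription IDs. The two run checks and the permissions block are hardening additions that are not described in the post.

```yaml
name: deploy-azure-policies
on:
  push:
    branches: [main]            # assumed default branch
permissions:
  contents: read                # the job only reads the repository
jobs:
  apply-policies:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false          # a failure in one subscription does not cancel the others
      matrix:
        # Placeholder IDs (constructed); replace with the target subscriptions
        subscriptionIds:
          - "00000000-0000-0000-0000-000000000001"
          - "00000000-0000-0000-0000-000000000002"
    steps:
      - uses: actions/checkout@v4
      - name: Check that the matrix value is a GUID
        env:
          SID: ${{ matrix.subscriptionIds }}   # passed via env, not inlined into the script
        run: |
          echo "$SID" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
      - name: Find and Replace
        # @master is a mutable ref: the code behind it can change between runs.
        # Pin third-party actions to a reviewed full commit SHA.
        uses: jacobtomlinson/gha-find-replace@master
        with:
          find: "{{SID}}"
          replace: ${{ matrix.subscriptionIds }}
          include: "policy.json"
      - name: Fail if a placeholder is left in any policy file
        run: |
          if grep -rlF --include=policy.json '{{SID}}' Policies/; then exit 1; fi
      - name: Login to Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}   # assumed secret name
      - name: Create or update Azure policies
        uses: azure/manage-azure-policy@v0
        with:
          paths: |
            Policies/**
```

Each matrix job checks out its own copy of the repository, so the substitution for one subscription never leaks into the files used for another.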