Hands-on Demo – Deploy a Bicep file from GitHub Workflows

Written by

Rajnish Kumar Jha

Under the topic

Azure DevOps

Dated:

April 9, 2024

Table Of Content

Hands-on Demo – Deploy a Bicep file from GitHub Workflows

In this demo, we will show how to deploy an Azure resource using a Bicep file via GitHub Actions. GitHub Actions allow you to automate your workflows, and in this case, we will set up a CI/CD pipeline to deploy an Azure resource using a Bicep template from a GitHub repository.

Steps Overview

Create the Bicep file in your GitHub repository.
Set up the Azure Service Principal for authentication.
Create a GitHub Actions workflow file (main.yml) for deploying the Bicep file to Azure.
Deploy the Bicep file via the GitHub Actions pipeline.

1. Create the Bicep File in GitHub Repository

First, create a Bicep file in your GitHub repository.

For this example, we’ll create a simple Bicep template that deploys an Azure Virtual Network and Subnet.

Example: `main.bicep


xxxxxxxxxx
30
1
// Parameters
2
param location string = 'East US'
3
param vnetName string = 'myVNet'
4
param subnetName string = 'mySubnet'
5
// Variables
6
var addressPrefix = '10.0.0.0/16'
7
var subnetPrefix = '10.0.1.0/24'
8
// Resource - Virtual Network
9
resource vnet 'Microsoft.Network/virtualNetworks@2020-05-01' = {
10
  name: vnetName
11
  location: location
12
  properties: {
13
    addressSpace: {
14
      addressPrefixes: [
15
        addressPrefix
16
      ]
17
    }
18
  }
19
}
20
// Resource - Subnet
21
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2020-05-01' = {
22
  name: '${vnetName}/${subnetName}'
23
  parent: vnet
24
  properties: {
25
    addressPrefix: subnetPrefix
26
  }
27
}
28
// Outputs
29
output vnetId string = vnet.id
30
output subnetId string = subnet.id

Ensure this Bicep file is committed to your GitHub repository.

Let’s now set up the GitHub Actions pipeline to deploy this template.

2. Set Up the Azure Service Principal for Authentication

To deploy resources to Azure from GitHub Actions, you’ll need to authenticate using an Azure Service Principal (SP). The service principal allows GitHub Actions to interact with Azure resources securely.

Follow below given steps to create an Azure Service Principal.

Log in to Azure CLI:
```
xxxxxxxxxx
1
1
az login
```

Create the Service Principal and assign it a role (e.g., Contributor):


xxxxxxxxxx
4
1
az ad sp create-for-rbac \
2
--name "GitHubActionsSP" \
3
--role Contributor \
4
--scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group}

This will output the following:

appId: The client ID for the service principal.
password: The client secret (you will need this).
tenant: The tenant ID for your Azure Active Directory.

Save the following information (you’ll need it for the GitHub secrets):
- AZURE_CLIENT_ID: appId from the output.
- AZURE_CLIENT_SECRET: password from the output.
- AZURE_TENANT_ID: tenant from the output.
- AZURE_SUBSCRIPTION_ID: Your Azure subscription ID.
Set up GitHub Secrets:
- Go to your GitHub repository’s Settings → Secrets.
- Add the following secrets:
  - AZURE_CLIENT_ID
  - AZURE_CLIENT_SECRET
  - AZURE_TENANT_ID
  - AZURE_SUBSCRIPTION_ID

3. Create the GitHub Actions Workflow File

Next, create a GitHub Actions workflow file that will automate the deployment process.

Steps to Create the Workflow File:

In your GitHub repository, create a new directory .github/workflows/.
Inside that directory, create a new file deploy.yml.
Here's the deploy.yml GitHub Actions workflow file:


xxxxxxxxxx
36
1
name: Deploy Bicep Template to Azure
2
on:
3
  push:
4
    branches:
5
      - main  # Trigger deployment on push to main branch
6
jobs:
7
  deploy:
8
    runs-on: ubuntu-latest  # Use the latest Ubuntu image for the runner
9
    steps:
10
      # Step 1: Checkout the repository
11
      - name: Checkout repository
12
        uses: actions/checkout@v3
13
      # Step 2: Set up Azure CLI
14
      - name: Set up Azure CLI
15
        uses: azure/setup-azurecli@v1
16
        with:
17
          azure-cli-version: '2.37.0'  # Set the version you want
18
      # Step 3: Log in to Azure using the service principal
19
      - name: Azure Login
20
        uses: azure/login@v1
21
        with:
22
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
23
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
24
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
25
      # Step 4: Deploy Bicep template
26
      - name: Deploy Bicep Template
27
        run: |
28
          az deployment group create \
29
            --resource-group <your-resource-group> \
30
            --template-file ./main.bicep \
31
            --parameters location='East US' vnetName='myVNet' subnetName='mySubnet'
32
      # Optional Step: Show output of deployed resources
33
      - name: Show deployed resources
34
        run: |
35
          az network vnet show --resource-group <your-resource-group> --name myVNet
36
          az network vnet subnet show --resource-group <your-resource-group> --vnet-name myVNet --name mySubnet

Explanation of the Workflow File:

Trigger: The workflow is triggered on a push to the main branch.
Steps:
- Checkout: This step checks out the repository code.
- Set up Azure CLI: Installs Azure CLI on the GitHub runner.
- Azure Login: Logs in to Azure using the service principal credentials stored in GitHub secrets.
- Deploy Bicep Template: This step runs the Azure CLI command to deploy the main.bicep file to the specified Azure resource group. It uses the az deployment group create command.
- Show Deployed Resources (Optional): This step verifies the deployment by showing the deployed VNet and subnet in the Azure portal.

4. Deploy the Bicep Template via GitHub Actions

Once the workflow file is created, push your changes to the main branch:


xxxxxxxxxx
3
1
git add .github/workflows/deploy.yml
2
git commit -m "Add GitHub Actions workflow for Bicep deployment"
3
git push origin main

5. Monitor the Workflow

After pushing the changes to the main branch, GitHub Actions will automatically start running the workflow.

You can monitor the status of the deployment from the Actions tab of your GitHub repository.

Go to your GitHub repository.
Click on the Actions tab.
You will see the workflow running (it may take a minute or two).
If the workflow runs successfully, your resources will be deployed to Azure.
You can also see logs to troubleshoot if needed.

6. Verify the Deployment

Once the deployment is complete, go to the Azure Portal and verify that the resources (Virtual Network and Subnet) were created successfully.

Alternatively, you can use Azure CLI to check:


xxxxxxxxxx
8
1
az network vnet show \
2
--resource-group <your-resource-group> \
3
--name myVNet
4

5
az network vnet subnet show \
6
--resource-group <your-resource-group> \
7
--vnet-name myVNet \
8
--name mySubnet

7. Summary

With the above steps, you've automated the process of deploying a Bicep file to Azure using GitHub Actions.

This setup:

Ensures that your Bicep file can be deployed continuously and consistently.
Provides a robust, automated deployment pipeline, reducing manual intervention.

Course Navigation Learn Azure DevOps from scratch

Hand-on demo – Setting up Deployment Stag…

Hand-on demo – Setting up Deployment Stages in Az…

Designing and Implementing Permissions and Secu…

Designing and Implementing Permissions and Security Gro…

In depth guide on Azure DevSecOps Threat Modeling

In depth guide on Azure DevSecOps Threat Modeling '…

Learning about the Azure App Configuration

Learning about the Azure App Configuration Azure App Co…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.