ci: add Azure integration tests GitHub Actions workflow #1794
Open
james00012 wants to merge 1 commit into main from
Runs `go test -tags azure ./test/azure/...` against a real Azure subscription via GitHub OIDC + `azure/login@v2` + `ARM_USE_OIDC=true`. No client secret stored. Fork PRs are blocked at the job level so secrets are never exposed. A `concurrency:` group cancels superseded runs on the same ref.

Scope: 21 of 23 Azure example modules pin AzureRM 2.x, which predates the provider's OIDC support (added in 3.7.0). The test run is therefore narrowed to the two modules already on AzureRM 3.x:

- TestTerraformAzureContainerAppExample
- TestTerraformAzureKeyVaultExample

Bringing the remaining 21 under CI requires a separate provider-upgrade effort.

Also fixes a pre-existing bug in the Key Vault example: the hardcoded example.pfx test cert (CN=testing.com) had expired on 2024-06-15, causing TestTerraformAzureKeyVaultExample to fail at import time with "X509 Certificate is already expired". Regenerated as a 100-year self-signed cert with the same subject and password, in legacy PKCS#12 format for Azure Key Vault compatibility.

Uses `set -o pipefail` so go test failures aren't masked by tee's exit code (the pipeline would otherwise produce false-green workflow runs).
2aeb14f to 59a2297
Adds `.github/workflows/azure-integration-tests.yml` — runs Azure integration tests against a real subscription via GitHub OIDC + `azure/login@v2` + `ARM_USE_OIDC=true`. No client secret stored. Fork PRs are blocked at the job level so secrets are never exposed.

Complementary to existing `azure-tests.yml` (compile-only on `test/azure/`, unit tests on `modules/azure/`). Replaces #1793 (closed; was opened from a fork, where the same fork-PR guard prevented the workflow from running).

Scope

The AzureRM provider gained OIDC support in 3.7.0. 21 of 23 Azure example modules pin AzureRM 2.x and cannot auth via OIDC. This PR therefore scopes the run to the two examples already on 3.x:

- TestTerraformAzureContainerAppExample
- TestTerraformAzureKeyVaultExample

Bringing the remaining 21 under CI requires a separate provider-upgrade effort.

Subscription prerequisites (to land green)

- `Microsoft.App` resource provider on the subscription (`az provider register --namespace Microsoft.App`) — currently blocks Container App with 409 MissingSubscriptionRegistration.
- `terraform-azure-keyvault-example` imports a hardcoded test cert that's expired — separate fix needed in the example.

Out of scope

- `AZURE_CREDENTIALS` secret (Yousif).
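
A minimal sketch of a workflow with the properties this PR describes (OIDC login with no stored client secret, a job-level fork guard, a concurrency group, and `set -o pipefail` ahead of `tee`). It is an added example, not the PR's `azure-integration-tests.yml`; the triggers, secret names, action versions other than `azure/login@v2`, the timeout and the log file name are assumptions.

```yaml
name: azure-integration-tests (sketch)
on:                        # assumed triggers; the PR text does not list them
  pull_request:
  push:
    branches: [main]

permissions:
  id-token: write          # lets the job request a GitHub OIDC token
  contents: read           # nothing else is granted to GITHUB_TOKEN

concurrency:               # a newer run on the same ref cancels the older one
  group: azure-integration-${{ github.ref }}
  cancel-in-progress: true

jobs:
  azure:
    # Job-level fork guard: skip when the PR head lives in another repository.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    env:
      ARM_USE_OIDC: "true"   # AzureRM provider authenticates with the OIDC token
      # Identifiers, not credentials; the secret names are assumed.
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false   # keep raw terraform output for the tests
      - uses: azure/login@v2         # federated login, no client secret input
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Run the two AzureRM 3.x tests
        # With no `shell:` key the Linux default is `bash -e`, so a failing
        # `go test` piped into `tee` would still exit 0 without pipefail.
        run: |
          set -o pipefail
          go test -tags azure -timeout 60m \
            -run 'TestTerraformAzureContainerAppExample|TestTerraformAzureKeyVaultExample' \
            ./test/azure/... 2>&1 | tee azure-test-output.log
```

The Entra ID application behind the client ID also needs a federated credential whose subject matches the repository and ref that run this job, otherwise `azure/login@v2` fails at token exchange.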