Last active
September 6, 2021 02:56
-
-
Save venura9/a7511ac6aca8bffa998bed29f914f89e to your computer and use it in GitHub Desktop.
Manage NSG GitHub Action entrypoint.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh -l | |
# Ensure the workflow fails on error | |
set -e | |
_azure_credentails=$1 | |
_rule_priority_start=$2 | |
_rule_priority_end=$(($2+$3)) | |
_rule_port=$4 | |
_rule_id_for_removal=$5 | |
_rule_nsg_resource_group=$6 | |
_rule_nsg=$7 | |
_rule_public_ip=$(dig +short myip.opendns.com @resolver1.opendns.com) # Get runner's public IP | |
# break the azure credientials JSON | |
_client_id=$(echo $_azure_credentails | jq -r '.clientId') | |
_client_secret=$(echo $_azure_credentails | jq -r '.clientSecret') | |
_tenant_id=$(echo $_azure_credentails | jq -r '.tenantId') | |
_subscription_id=$(echo $_azure_credentails | jq -r '.subscriptionId') | |
# Login to azure using service principal | |
az login --service-principal -u $_client_id -p $_client_secret --tenant $_tenant_id | |
# Select the subscription | |
az account set --subscription $_subscription_id | |
if [ $_rule_id_for_removal ] | |
then | |
# removing the rule | |
echo "Removing rule $_rule_id_for_removal" | |
az network nsg rule delete -g $_rule_nsg_resource_group --nsg-name $_rule_nsg -n $_rule_id_for_removal | |
echo "::set-output name=rule_name::$_rule_id_for_removal" | |
else | |
# adding the rule | |
echo _rule_port: $_rule_port | |
echo _rule_priority_start: $_rule_priority_start | |
echo _rule_priority_end: $_rule_priority_end | |
_rule_priority=$(shuf -i $_rule_priority_start-$_rule_priority_end -n 1) | |
_rule_name=manage-nsg-github-actions-$_rule_priority | |
echo "Adding rule.... $_rule_name" | |
az network nsg rule create -g $_rule_nsg_resource_group --nsg-name $_rule_nsg \ | |
-n $_rule_name --priority $_rule_priority \ | |
--source-address-prefixes $_rule_public_ip --source-port-ranges '*' \ | |
--destination-address-prefixes '*' --destination-port-ranges '*' \ | |
--access Allow --protocol '*' \ | |
--description 'Allow from IP address of github actions hosted runner temporarily' | |
# output | |
echo "::set-output name=rule_name::$_rule_name" | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment