This repo contains code to publish a Bicep module to a Private Module Registry.
This demo will publish modules under the modules path to a Bicep registry as defined in bicepconfig.json. This is done using a GitHub Actions workflow and a wrapper script. The latest git tag will be used as the module version.
You will then be able to deploy a template that refers to this module from the registry 💪
- Azure CLI
- Bicep (install with az bicep install - you will need v0.4.1008 or newer)
- An Azure subscription with Owner permissions
- Permission to create a service principal in Azure AD
- Fork this repo by clicking Fork in the top-right corner
- Create a resource group
az group create -n bicep-registry-demo -l westeurope
- Create an Azure Container Registry
az acr create -g bicep-registry-demo -l westeurope -n <registry name> --sku basic
❗ Make note of the registry name you choose. This name must be globally unique.
- Set your registry in bicepconfig.json
  - Change the registryName for the alias demoRegistry to the unique name from the step above. The value should be <registry name>.azurecr.io.
  - Learn more about the Bicep configuration file here.
- Create a service principal with AcrPush permissions to the container registry, and add a secret to your GitHub repository
# Get the id of your ACR
# Replace the values for registry name and resource group
SCOPE=$(az acr show -n <registry name> -g <resource group> --query id -o tsv)
# Create the service principal with the AcrPush role scoped to this registry only
az ad sp create-for-rbac --name "bicep-registry-demo-ci" --role AcrPush \
--scopes "$SCOPE" --sdk-auth
# The command should output a JSON object similar to this:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}
# Copy this and add as a repository secret named AZURE_CREDENTIALS
- Modify the template in modules/storage/main.bicep.
  - Example: Update the location parameter to restrict allowed values
@allowed([
'northeurope'
'westeurope'
])
param location string = 'westeurope'
- Commit, tag and push changes
git add modules/storage/main.bicep
git commit -m "set allowed locations"
git tag v1.1.0
git push # push the commit
git push --tags # push the tags
This will trigger the bicep-publish workflow and publish the module to the registry.
❗ Note that each new tag pushed will trigger a new published version.
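An added example, not this repo's wrapper script or workflow: a dry-run planner that validates the tag, registry and module directory names before building each publish command. The function names, the vMAJOR.MINOR.PATCH tag policy, the name rules, the registry name exampleregistry and the use of the full br: reference instead of the demoRegistry alias are assumptions.

```shell
#!/bin/sh
# Added example (not the repo's wrapper script): plan module publishes, dry run.

# True when $1 is a single line that matches extended regex $2 in full.
matches() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] && printf '%s\n' "$1" | grep -Eqx "$2"
}

# Assumed version policy: only vMAJOR.MINOR.PATCH tags become module versions.
valid_version() {
  matches "$1" 'v[0-9]+\.[0-9]+\.[0-9]+'
}

# Build the full registry reference for one module. Rejects registries
# outside azurecr.io and names that are not plain lowercase path segments.
module_target() {
  local registry="$1" module="$2" version="$3"
  matches "$registry" '[a-z0-9]+\.azurecr\.io' || return 1
  matches "$module" '[a-z0-9]+([._-][a-z0-9]+)*' || return 1
  valid_version "$version" || return 1
  printf 'br:%s/%s:%s\n' "$registry" "$module" "$version"
}

# Print one publish command per directory holding a main.bicep. Nothing is
# executed. Returns 1 if any module was skipped for failing validation.
publish_plan() {
  local modules_dir="$1" registry="$2" version="$3" dir module target rc=0
  for dir in "$modules_dir"/*/; do
    [ -f "${dir}main.bicep" ] || continue
    module="$(basename "$dir")"
    if target="$(module_target "$registry" "$module" "$version")"; then
      printf 'az bicep publish --file %smain.bicep --target %s\n' "$dir" "$target"
    else
      printf 'skipped (invalid name or version): %s\n' "$module" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input: one valid module and one with an invalid name.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/storage" "$demo_dir/Bad Name"
touch "$demo_dir/storage/main.bicep" "$demo_dir/Bad Name/main.bicep"
publish_plan "$demo_dir" "exampleregistry.azurecr.io" "v1.1.0" || true
```

In a workflow the version argument would come from the latest tag, for example `git describe --tags --abbrev=0`, and a non-zero return from publish_plan should fail the job before anything is pushed.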
To see the published modules in the registry see this.
There is a demo template in demo/main.bicep which uses the module from the registry:
module storage 'br/demoRegistry:storage:v1.1.0' = {
...
}
Note that this module refers to version v1.1.0. If you have published another version than this, please update the value in the template.
- Deploy the template by running the following command:
az deployment group create -n registry-demo -g bicep-registry-demo -f ./demo/main.bicep
✔️ Congratulations! - you've successfully deployed a Bicep template that refers to a remote module in a private module registry!
To build upon this you can try:
- Adding another module in the modules directory. The name of the directory will be the module name and it must have a main.bicep file within it. The workflow will parse all modules in the modules directory. Note that currently all modules will be deployed with the same version (git tag).
- Consuming the module from the registry in another workflow to deploy resources
  - You will need to set up a service principal that has AcrPull permissions and permissions to deploy resources (Contributor or equivalent)
- Add more robust versioning automation (e.g. always publish a latest version on push to main) and use GitHub Releases to publish specific versions, or add individual versioning of modules.
Delete the resource group and the resources in it by running:
az group delete -n bicep-registry-demo