Building a nested virtual machine in Azure: Part 2

Happy new year everybody. We continue our journey of building a nested virtual machine in Azure. In this article, I will cover two key steps:

  • Create a GitHub repository
  • Create an Azure Service Principal and establish a connection with our previously created GitHub repository.

Create an Azure Service Principal

Within the Entra ID portal, go to “App registrations” and select “New registration”.

Create Entra ID service principal

On the overview screen that follows, make a note of the following values; they are needed for the GitHub secrets later on:

  • Application (client) ID
  • Directory (tenant) ID

Create a GitHub repository

If you don’t have a GitHub account, create one. Then create a new repository.

Create GitHub repository

Create secrets for GitHub Actions

Navigate to Settings -> Secrets and variables -> Actions and create the following repository secrets:

  • AZURE_CLIENT_ID: See Application (client) ID
  • AZURE_SUBSCRIPTION_ID: In the Azure Portal, search for the “Subscription” service and find the subscription ID shown next to the “Subscription name”
  • AZURE_TENANT_ID: See Directory (tenant) ID
  • STORAGE_ACCOUNT: The name of the Terraform Storage Account
  • CONTAINER_NAME: The name of the Terraform Storage Account Container
  • RESOURCE_GROUP_NAME: The resource group of the Terraform Storage Account

Create Repository secret 1 Create Repository secret 2

Click on “Add secret”. Repeat the process for the other 2 repository secrets.

End result:

Create Repository secret 3

Add Federated credentials to the App registration

Within your recently generated service principal, go to “Certificates & secrets” and choose “Federated Credentials”.

Federated Credentials 1

Click on “Add credential”

Federated credential for main branch

Federated credential scenario: “GitHub Actions deploying Azure Resources”

Federated Credentials 2 Federated Credentials 3

  1. Organization: Provide either your GitHub account name or, if the repository is located within a GitHub organization, specify the organization’s name.
  2. Repository: The name of the GitHub repository.
  3. Entity Type: Branch
  4. Based on selection: “main” or your branch name.
  5. Name: Provide a meaningful name.

Click on “Add”

Federated credential for pull request

Click on “Add credential”

Federated credential scenario: “GitHub Actions deploying Azure Resources”

Federated Credentials 4 Federated Credentials 5

  1. Organization: Provide either your GitHub account name or, if the repository is located within a GitHub organization, specify the organization’s name.
  2. Repository: The name of the GitHub repository.
  3. Entity Type: Pull request
  4. Name: Provide a meaningful name.

Click on “Add”

End result

Federated Credentials 6

If you prefer to watch a YouTube video demonstrating the setup and additional steps, you can do so.
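The two federated credentials created above work because Entra ID compares the `sub` (subject) claim of the OIDC token that GitHub Actions presents with the subject stored on each credential, together with the issuer and audience. The following Python model, added here as an illustration and not part of the original post or of any Microsoft or GitHub code, builds the subject strings that the “Branch” and “Pull request” entity types produce and checks constructed sample tokens against them. The organization name `example-org`, the repository name `example-repo` and the sample claims are made up for the example; the issuer URL, the default `api://AzureADTokenExchange` audience and the subject formats are the real values GitHub and Azure use. It also shows why a token issued for a push to another branch, or by a different issuer, is rejected: the match is an exact string comparison, so only the workflows you explicitly trust can obtain an Azure token.

```python
"""Model of how Entra ID matches a GitHub Actions OIDC token against the
federated credentials configured on an app registration.

Constructed example for illustration; not Microsoft or GitHub code.
"""
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Default audience that azure/login requests and that the Entra ID portal pre-fills.
AZURE_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class FederatedCredential:
    name: str
    issuer: str
    subject: str
    audience: str = AZURE_AUDIENCE


def branch_subject(org: str, repo: str, branch: str) -> str:
    """Subject stored for Entity type "Branch" (what the portal generates)."""
    return f"repo:{org}/{repo}:ref:refs/heads/{branch}"


def pull_request_subject(org: str, repo: str) -> str:
    """Subject stored for Entity type "Pull request"."""
    return f"repo:{org}/{repo}:pull_request"


def configured_credentials(org: str, repo: str) -> list:
    """The two credentials created in this part of the series."""
    return [
        FederatedCredential("github-main", GITHUB_ISSUER, branch_subject(org, repo, "main")),
        FederatedCredential("github-pr", GITHUB_ISSUER, pull_request_subject(org, repo)),
    ]


def matching_credential(claims: dict, credentials: list) -> Optional[FederatedCredential]:
    """Return the credential whose issuer, subject and audience all equal the
    token claims, or None. The comparison is exact: no wildcards, no prefix match."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for cred in credentials:
        if (claims.get("iss") == cred.issuer
                and claims.get("sub") == cred.subject
                and cred.audience in audiences):
            return cred
    return None


# Constructed sample tokens (only the claims relevant to the match are shown).
# Hypothetical org/repo names; the claim formats are the ones GitHub emits.
SAMPLE_TOKENS = {
    "push to main": {
        "iss": GITHUB_ISSUER,
        "aud": AZURE_AUDIENCE,
        "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    },
    "pull request": {
        "iss": GITHUB_ISSUER,
        "aud": AZURE_AUDIENCE,
        "sub": "repo:example-org/example-repo:pull_request",
    },
    # A push to any other branch has a different subject, so no credential matches.
    "push to feature branch": {
        "iss": GITHUB_ISSUER,
        "aud": AZURE_AUDIENCE,
        "sub": "repo:example-org/example-repo:ref:refs/heads/feature",
    },
    # Same subject as main, but from a different (untrusted) issuer.
    "token from other issuer": {
        "iss": "https://token.example.invalid",
        "aud": AZURE_AUDIENCE,
        "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    },
}


def evaluate(org: str = "example-org", repo: str = "example-repo") -> dict:
    """Map each sample token to the name of the credential it matches, or None."""
    creds = configured_credentials(org, repo)
    result = {}
    for label, claims in SAMPLE_TOKENS.items():
        match = matching_credential(claims, creds)
        result[label] = match.name if match else None
    return result


if __name__ == "__main__":
    for label, name in evaluate().items():
        print(f"{label:28s} -> {name or 'rejected'}")
```

The model makes the design point of the two-credential setup visible: a feature branch cannot deploy until you deliberately add a credential for it (or switch to an environment-based subject), and the subject string is tied to one organization and repository, so a workflow in a fork or a different repository never matches.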

Assign Permissions

The service principal created earlier needs permissions to deploy Azure resources. I will assign the Contributor role at the Azure subscription level.

Within the Azure Portal, go to the “Subscription” service, choose your subscription, and click on “Access control (IAM)”.

Select “Add” -> “Add role assignment”

Assign Permissions 1

Switch to the “Privileged administrator roles” tab and select “Contributor”. Click “Next”.

Assign Permissions 2

Choose “Select members,” search for the name of the previously generated service principal, and select it. Click on “Select”.

Assign Permissions 3

Select “Review + assign”

Assign Permissions 4

Select “Review + assign”

Result:

Assign Permissions 5

That’s it for part 2. In part 3 we create the GitHub workflows for the Terraform deployment.

This post is licensed under CC BY 4.0 by the author.