make use of nginx cli extension for config updates

kuthiala · kuthiala · commit f9dbec3c93f5 · 2025-07-18T15:25:46.000-06:00
This change enables the use of "az nginx deployment" cli to do configuration updates. This helps limit the permissions needed by the service principal to do config updates. This change also adds support for the protected files feature supported by NGINXaaS. Users can give a new optional input called protected-files that contains a comma separated list of all the files that need to be marked as protected. For more information, visit: https://docs.nginx.com/nginxaas/azure/getting-started/nginx-configuration/nginx-configuration-portal/#add-an-nginx-configuration
diff --git a/action.yml b/action.yml
@@ -24,14 +24,19 @@ inputs:
     default: "nginx.conf"
   transformed-nginx-config-directory-path:
     description: >
-      'The transformed absolute path of the NGINX configuration directory in NGINXaaS for Azure deployment, example: "/etc/nginx/".
-      If the "include" directive in the NGINX configuration files uses absolute paths, the path transformation
-      can be used to overwrite the file paths when the action synchronizes the files to the NGINXaaS for Azure deployment.'
+      'The absolute directory path in the NGINXaaS for Azure deployment where your configuration files will be placed. 
+      All files found in the nginx-config-directory-path will be copied to this location in the deployment. 
+      For example, use "/etc/nginx/" to match the standard NGINX directory structure on Azure.
+      If your NGINX configuration files use absolute paths in "include" directives, this setting ensures those paths are correctly mapped in the deployment by prepending the specified directory.'
     required: false
     default: ""
   nginx-certificates:
     description: 'An array of JSON objects each with keys nginx_cert_name, keyvault_secret, certificate_virtual_path and key_virtual_path. Example: [{"certificateName": "server1", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server1.crt", "keyVirtualPath": "/etc/ssl/certs/server1.key"  }, {"name": "server2", "keyvaultSecret": "https://...", "certificateVirtualPath": "/etc/ssl/certs/server2.crt", "keyVirtualPath": "/etc/ssl/certs/server2.key"  }] '
     required: false
+  protected-files:
+    description: "Comma-separated list of file paths relative to nginx-config-directory-path that should be marked as protected. Example: 'ssl/private.key,conf.d/secrets.conf'"
+    required: false
+    default: ""
   debug:
     description: "Enable/Disable debug output."
     required: false
@@ -40,10 +45,10 @@ runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-resource-location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}
+      run: ${{github.action_path}}/src/deploy-config.sh --subscription-id=${{ inputs.subscription-id }} --resource-group-name=${{ inputs.resource-group-name }} --nginx-deployment-name=${{ inputs.nginx-deployment-name }} --nginx-config-directory-path=${{ inputs.nginx-config-directory-path }} --nginx-root-config-file=${{ inputs.nginx-root-config-file }} --transformed-nginx-config-directory-path=${{ inputs.transformed-nginx-config-directory-path }} --protected-files=${{ inputs.protected-files }} --debug=${{ inputs.debug }}
       if: ${{ inputs.nginx-config-directory-path != '' }}
       shell: bash
diff --git a/src/deploy-config.sh b/src/deploy-config.sh
@@ -1,69 +1,72 @@
 #!/bin/bash
-set -euo pipefail
+set -eo pipefail
 IFS=$'\n\t'
 
 transformed_config_dir_path=''
 for i in "$@"
 do
 case $i in
-    --subscription_id=*)
+    --subscription-id=*)
     subscription_id="${i#*=}"
     shift
     ;;
-    --resource_group_name=*)
+    --resource-group-name=*)
     resource_group_name="${i#*=}"
     shift
     ;;
-    --nginx_deployment_name=*)
+    --nginx-deployment-name=*)
     nginx_deployment_name="${i#*=}"
     shift
     ;;
-    --config_dir_path=*)
+    --nginx-config-directory-path=*)
     config_dir_path="${i#*=}"
     shift
     ;;
-    --root_config_file=*)
+    --nginx-root-config-file=*)
     root_config_file="${i#*=}"
     shift
     ;;
-    --transformed_config_dir_path=*)
+    --transformed-nginx-config-directory-path=*)
     transformed_config_dir_path="${i#*=}"
     shift
     ;;
     --debug=*)
     debug="${i#*=}"
     shift
     ;;
+    --protected-files=*)
+    protected_files="${i#*=}"
+    shift
+    ;;
     *)
-    echo "Not matched option '${i#*=}' passed in."
+    echo "Unknown option '${i}' passed in."
     exit 1
     ;;
 esac
 done
 
-if [[ ! -v subscription_id ]];
-then
-    echo "Please set 'subscription-id' ..."
-    exit 1
+# Validate Required Parameters
+missing_params=()
+if [ -z "$subscription_id" ]; then
+    missing_params+=("subscription-id")
 fi
-if [[ ! -v resource_group_name ]];
-then
-    echo "Please set 'resource-group-name' ..."
-    exit 1
+if [ -z "$resource_group_name" ]; then
+    missing_params+=("resource-group-name")
 fi
-if [[ ! -v nginx_deployment_name ]];
-then
-    echo "Please set 'nginx-deployment-name' ..."
-    exit 1
+if [ -z "$nginx_deployment_name" ]; then
+    missing_params+=("nginx-deployment-name")
 fi
-if [[ ! -v config_dir_path ]];
-then
-    echo "Please set 'nginx-config-directory-path' ..."
-    exit 1
+if [ -z "$config_dir_path" ]; then
+    missing_params+=("nginx-config-directory-path")
 fi
-if [[ ! -v root_config_file ]];
-then
-    echo "Please set 'nginx-root-config-file' ..."
+if [ -z "$root_config_file" ]; then
+    missing_params+=("nginx-root-config-file")
+fi
+
+# Check and print if any required params are missing
+if [ ${#missing_params[@]} -gt 0 ]; then
+    echo "Error: Missing required variables in the workflow:"
+    echo "${missing_params[*]}"
     exit 1
 fi
 
@@ -121,60 +124,206 @@ fi
 transformed_root_config_file_path="$transformed_config_dir_path$root_config_file"
 echo "The transformed root NGINX configuration file path is '$transformed_root_config_file_path'."
 
-# Create a NGINX configuration tarball.
+# Common utility functions
+
+# Function to trim whitespace from a string
+trim_whitespace() {
+    local var="$1"
+    # Trim leading whitespace from the file path (var)
+    # ${var%%[![:space:]]*} starts at the file path's end
+    # and finds the longest match of non-whitespace
+    # characters leaving only leading whitespaces
+    # ${var#"..." } removes the leading whitespace found
+    var="${var#"${var%%[![:space:]]*}"}"
+    # Remove trailing whitespace
+    # See explanation above. The process is reversed here.
+    var="${var%"${var##*[![:space:]]}"}"
+    # Check if the file exists in the repository
+    echo "$var"
+}
+
+# Function to encode file content to base64
+encode_file_base64() {
+    local file_path="$1"
+    # Use base64 to encode the file content
+    # -w 0 option is used to avoid line wrapping in the output
+    base64 -w 0 "$file_path"
+}
 
-config_tarball="nginx-config.tar.gz"
+# Function to build virtual path from relative path
+build_virtual_path() {
+    local relative_path="$1"
+    echo "${transformed_config_dir_path}${relative_path}"
+}
 
-echo "Creating a tarball from the NGINX configuration directory."
-tar -cvzf "$config_tarball" -C "$config_dir_path" --xform s:'./':"$transformed_config_dir_path": .
-echo "Successfully created the tarball from the NGINX configuration directory."
+# Function to add a file entry to a JSON array
+# The add_file_to_json_array function uses indirect variable references
+# and global assignment to update JSON arrays and flags that track
+# which files have been processed. The variable names for the JSON array 
+# and the "first file" flag are passed as arguments, allowing the
+# function to generically update different arrays 
+# (for regular and protected files) without hardcoding their names.
+# The syntax ${!var} retrieves the value of the variable whose 
+# name is stored in 'var', and declare -g ensures the updated
+# values are set globally, so changes persist outside the function.
+add_file_to_json_array() {
+    local file_path="$1"
+    local virtual_path="$2"
+    local file_type="$3"  # "regular" or "protected"
+    local json_var_name="$4"  # Variable name to modify
+    local first_file_var_name="$5"  # Variable name for first_file flag
+    
+    if [ -f "$file_path" ]; then
+        echo "Processing $file_type file: $file_path -> $virtual_path"
+        
+        # Base64 encode the file content
+        local file_content_b64
+        file_content_b64=$(encode_file_base64 "$file_path")
+        
+        # Get current values using indirect variable references
+        local current_json="${!json_var_name}"
+        local is_first_file="${!first_file_var_name}"
+        
+        # Add comma separator if not the first file
+        if [ "$is_first_file" = false ]; then
+            current_json+=","
+        fi
+        
+        # Add the file entry to JSON array
+        current_json+="{\"content\":\"$file_content_b64\",\"virtual-path\":\"$virtual_path\"}"
+        
+        # Update the variables using indirect assignment
+        declare -g "$json_var_name=$current_json"
+        declare -g "$first_file_var_name=false"
+        
+        if [[ "$debug" == true ]]; then
+            echo "$file_type file virtual path: $virtual_path"
+            echo "$file_type file content (base64): ${file_content_b64:0:50}..."
+        fi
+    else
+        echo "Warning: $file_type file '$file_path' not found"
+    fi
+}
+
+# Process protected files first to build exclusion list
+protected_files_list=()
+if [ -n "$protected_files" ]; then
+    IFS=',' read -ra files <<< "$protected_files"
+    
+    for file in "${files[@]}"; do
+        file=$(trim_whitespace "$file")
+        if [ -n "$file" ]; then
+            protected_files_list+=("$file")
+        fi
+    done
+fi
+
+# Function to check if a file is in the protected files list
+is_protected_file() {
+    local relative_path="$1"
+    for protected_file in "${protected_files_list[@]}"; do
+        if [ "$relative_path" = "$protected_file" ]; then
+            return 0  # File is protected
+        fi
+    done
+    return 1  # File is not protected
+}
 
-echo "Listing the NGINX configuration file paths in the tarball."
-tar -tf "$config_tarball"
+# Process all configuration files individually (excluding protected files)
+
+echo "Processing NGINX configuration files individually."
+
+# Build the files JSON array
+files_json="["
+files_first_file=true
+
+# Find all files in the config directory and process them (excluding protected files)
+while IFS= read -r -d '' file; do
+    # Get relative path from config directory
+    relative_path="${file#$config_dir_path}"
+    
+    # Skip if this file is in the protected files list
+    if is_protected_file "$relative_path"; then
+        echo "Skipping protected file from regular files: $relative_path"
+        continue
+    fi
+    
+    # Apply transformation to get virtual path
+    virtual_path=$(build_virtual_path "$relative_path")
+    
+    add_file_to_json_array "$file" "$virtual_path" "regular" "files_json" "files_first_file"
+done < <(find "$config_dir_path" -type f -print0)
 
-encoded_config_tarball=$(base64 "$config_tarball")
+files_json+="]"
 
 if [[ "$debug" == true ]]; then
-    echo "The base64 encoded NGINX configuration tarball"
-    echo "$encoded_config_tarball"
+    echo "Regular files JSON: $files_json"
 fi
-echo ""
 
-# Synchronize the NGINX configuration tarball to the NGINXaaS for Azure deployment.
+# Process protected files if specified
+protected_files_arg=""
+if [ -n "$protected_files" ]; then
+    echo "Processing protected files: $protected_files"
+    
+    # Build the protected files JSON array
+    protected_files_json="["
+    protected_first_file=true
+    IFS=',' read -ra files <<< "$protected_files"
+    
+    for file in "${files[@]}"; do
+        file=$(trim_whitespace "$file")
+        if [ -n "$file" ]; then
+            repo_file_path="${config_dir_path}${file}"
+            virtual_path=$(build_virtual_path "$file")
+            
+            add_file_to_json_array "$repo_file_path" "$virtual_path" "protected" "protected_files_json" "protected_first_file"
+        fi
+    done
+    
+    protected_files_json+="]"
+    
+    if [ "$protected_first_file" = false ]; then
+        protected_files_arg="--protected-files"
+        if [[ "$debug" == true ]]; then
+            echo "Protected files JSON: $protected_files_json"
+        fi
+    fi
+fi
 
-uuid="$(cat /proc/sys/kernel/random/uuid)"
-template_file="template-$uuid.json"
-template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
 
-wget -O "$template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/487d1394d6115d4f42ece6200cbd20859595557d/src/nginx-for-azure-configuration-template.json
-echo "Downloaded the ARM template for synchronizing NGINX configuration."
-cat "$template_file"
-echo ""
+# Synchronize the NGINX configuration files to the NGINXaaS for Azure deployment.
 
 echo "Synchronizing NGINX configuration"
 echo "Subscription ID: $subscription_id"
 echo "Resource group name: $resource_group_name"
 echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-echo "ARM template deployment name: $template_deployment_name"
 echo ""
 
 az account set -s "$subscription_id" --verbose
 
+echo "Installing the az nginx extension if not already installed."
+az extension add --name nginx --allow-preview true
+
 az_cmd=(
     "az"
+    "nginx"
     "deployment"
-    "group"
-    "create"
-    "--name" "$template_deployment_name"
+    "configuration"
+    "update"
+    "--name" "default"
+    "--deployment-name" "$nginx_deployment_name"
     "--resource-group" "$resource_group_name"
-    "--template-file" "$template_file"
-    "--parameters"
-    "nginxDeploymentName=$nginx_deployment_name"
-    "rootFile=$transformed_root_config_file_path"
-    "tarball=$encoded_config_tarball"
+    "--root-file" "$transformed_root_config_file_path"
+    "--files" "$files_json"
     "--verbose"
 )
 
+# Add protected files argument if present
+if [ -n "$protected_files_arg" ]; then
+    az_cmd+=("$protected_files_arg")
+    az_cmd+=("$protected_files_json")
+fi
+
 if [[ "$debug" == true ]]; then
     az_cmd+=("--debug")
     echo "${az_cmd[@]}"
