Linking ARM templates in Private Github Repo

    Question

  • From Jason Greathouse (@usrbinjgreat) via Twitter who tweets:

    “ARM Templates: how do I link to another template in a private github repo?”

    The customer was referred to the documentation at http://aka.ms/d808981; however, the customer confirmed that this provides instructions for public repos, whereas the customer is looking for access to a private repo.

    We also referenced the details at http://aka.ms/d8089811; however, the customer provided feedback suggesting that this document is related to githubusercontent, where the token provided is tmp and changes on each new revision. This does not work as a permanent solution.

    We would like to assist the customer and explore a more permanent fix.

    Tweet URL: https://twitter.com/AzureSupport/status/675359090764201985

    We would appreciate it if you can advise the customer on this matter.

    Thanks,
    @AzureSupport

    Friday, December 11, 2015 5:29 PM

All replies

  • Not sure I follow the question. Is it more about:

    1. Linking an ARM template to another ARM template that happens to be stored in a private github repo
    2. Deploying the content of a private github repo into a WebApp


    #1 is a pure ARM question not related to Web Apps, while #2 is a Web App question.

    Friday, December 11, 2015 6:00 PM
    Moderator
  • You are right, this is not a Web Apps issue. It's an ARM Template issue.

    Here is what I'm trying to do:

    Let's say I have an ARM template in a private GitHub repo here: https://github.com/jgreat/private-project/blob/master/template/azuredeploy.json

    I want to link to that file in my ARM template:

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
          {
              "name": "NestedTest",
              "type": "Microsoft.Resources/deployments",
              "apiVersion": "2015-01-01",
              "properties": {
                  "mode": "Incremental",
                  "templateLink": {
                      "uri": "<template url>",
                      "contentVersion": "1.0.0.0"
                  },
                  "parameters": { }
              }
          }
      ]
    }

    GitHub provides basically 2 ways of accessing a private resource.

    The first step in both ways is creating a token: https://help.github.com/articles/creating-an-access-token-for-command-line-use/

    1.) Once you have a token you can download a file through the API: https://api.github.com/repos/jgreat/private-project/contents/template/azuredeploy.json?access_token=OAUTH-TOKEN

    But to use the API you need to set the Accept header to application/vnd.github.VERSION.raw

    2.) You can use basic auth with https://<OAUTH-TOKEN>:z-oauth-basic@raw.githubusercontent.com/jgreat/private-project/master/template/azuredeploy.json

    This fails because it appears that the Azure Portal strips the basic auth :(

    The other suggested option which uses raw.githubusercontent.com and the ?token= url parameter uses a temporary token that is regenerated when the file is updated. This isn't a sustainable solution since you would have to update all the templates that use that url every time you update.

    Thursday, December 17, 2015 4:52 PM
  • Here's the solution that I came up with.

    We are running a very simple nginx config to proxy the Github API Request and set the `Accept: application/vnd.github.VERSION.raw` header.

    You will need a commercially signed SSL cert (we have a * cert) and the following nginx config.

    /etc/nginx/conf.d/default.conf

    server {
        listen 443 default_server ssl;
        # listen 80 default_server;
        server_name _;
        ssl_certificate /ssl/cert.pem;
        ssl_certificate_key /ssl/key.pem;

        location / {
            resolver 8.8.8.8;

            # Ask the GitHub API for the raw file body instead of the JSON wrapper
            proxy_set_header Accept application/vnd.github.VERSION.raw;
            proxy_pass https://api.github.com;
        }
    }
    


    We are running this in a docker container:

    docker run -d -p 443:443 -v ~/default.conf:/etc/nginx/conf.d/default.conf -v ~/cert.pem:/ssl/cert.pem -v ~/key.pem:/ssl/key.pem --name nginx nginx

    To use this in your linked template, make the request just like you would in the GitHub API, but use the public FQDN for the nginx proxy you set up.

    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "githubAccessToken": {
          "type": "string",
          "metadata": {
            "description": "Access Token for Github"
          }
        }
      },
      "variables": {
        "apiVersion": "2015-01-01"
      },
      "resources": [
        {
          "name": "vmTemplate",
          "type": "Microsoft.Resources/deployments",
          "apiVersion": "[variables('apiVersion')]",
          "properties": {
            "mode": "Incremental",
            "templateLink": {
              "uri": "[concat('https://github.example.com/repos/jgreat/azure/contents/azuredeploy.json?access_token=', parameters('githubAccessToken'))]",
              "contentVersion": "1.0.0.0"
            },
            "parameters": {
            }
          }
        }
      ]
    }

    To add a little bit of security, put your GitHub token in a KeyVault and reference it from a parameters.json file.

    Wednesday, December 23, 2015 5:07 PM
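
A pre-deployment check for the pattern in the answer above, added here as an example and not part of the original thread: it finds parameters that a `templateLink` URI concatenates after a credential-style query key, and reports those not declared as `securestring` (ARM stores `string` parameter values with the deployment, but not `securestring` values) or supplied as a literal instead of a Key Vault reference. The `audit` function, the set of query keys and the placeholder vault id and secret name are assumptions of this example.

```python
import json
import re

# Constructed sample: the linked-deployment resource from the post, trimmed.
TEMPLATE = json.loads("""
{
  "parameters": {"githubAccessToken": {"type": "string"}},
  "resources": [{
    "name": "vmTemplate",
    "type": "Microsoft.Resources/deployments",
    "properties": {"templateLink": {
      "uri": "[concat('https://github.example.com/repos/jgreat/azure/contents/azuredeploy.json?access_token=', parameters('githubAccessToken'))]"
    }}
  }]
}
""")

# Constructed parameter files: a literal value, then a Key Vault reference.
# The vault resource id and the secret name are placeholders.
INLINE = {"parameters": {"githubAccessToken": {"value": "<token>"}}}
VAULT = {"parameters": {"githubAccessToken": {"reference": {
    "keyVault": {"id": "/subscriptions/<subscription-id>/resourceGroups/<group>"
                       "/providers/Microsoft.KeyVault/vaults/<vault-name>"},
    "secretName": "githubAccessToken"}}}}

# A parameter concatenated straight after a credential-style query key.
CRED_PARAM = re.compile(
    r"[?&](?:access_token|token|sig)='\s*,\s*parameters\('([^']+)'\)")

def audit(template, param_file):
    """Return (deployment, parameter, problem) tuples for token parameters."""
    findings = []
    declared = template.get("parameters", {})
    supplied = param_file.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Resources/deployments":
            continue
        uri = res.get("properties", {}).get("templateLink", {}).get("uri", "")
        for name in CRED_PARAM.findall(uri):
            if declared.get(name, {}).get("type", "").lower() != "securestring":
                findings.append((res["name"], name, "not declared as securestring"))
            if "reference" not in supplied.get(name, {}):
                findings.append((res["name"], name, "literal value in parameter file"))
    return findings

if __name__ == "__main__":
    for finding in audit(TEMPLATE, INLINE):
        print(finding)
```

The `VAULT` dictionary has the shape of a parameter-file entry that uses a Key Vault reference; the vault must be enabled for template deployment for ARM to read the secret.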
  • Sunday, May 21, 2017 8:13 AM
  • @Tao, thanks for sharing your solution!
    Sunday, May 21, 2017 10:06 PM
    Moderator