change deploy certificate to use az nginx cli

kuthiala · kuthiala · commit b7bc9e7b343d · 2025-08-07T19:11:28.000-06:00
move from using ARM deployment templates to
`az nginx deployment certificate update`. This
change prevents the need for contributor level
permissions on the resource group of the NGINXaaS
deployment.
diff --git a/github-action/action.yml b/github-action/action.yml
@@ -10,10 +10,6 @@ inputs:
   nginx-deployment-name:
     description: "The name of the NGINXaaS for Azure deployment."
     required: true
-  nginx-deployment-location:
-    description: "The location where the NGINX deployment is located. Example westcentralus"
-    required: false
-    deprecationMessage: "This field is not in use and will be removed in a future release. Consider dropping it from your Github Action configuration."
   nginx-config-directory-path:
     description: 'The NGINX configuration directory path relative to the root of the Git repository, example: "config/".'
     required: false
@@ -40,8 +36,8 @@ runs:
   using: "composite"
   steps:
     - name: "Synchronize NGINX certificate(s) from the Git repository to an NGINXaaS for Azure deployment"
-      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --nginx_resource_location=${{ inputs.nginx-deployment-location }}  --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
-      if: ${{ inputs.nginx-deployment-location != '' && inputs.nginx-certificates != '' }}
+      run: ${{github.action_path}}/src/deploy-certificate.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --certificates=${{ toJSON(inputs.nginx-certificates) }} --debug=${{ inputs.debug }}
+      if: ${{ inputs.nginx-certificates != '' }}
       shell: bash
     - name: "Synchronize NGINX configuration from the Git repository to an NGINXaaS for Azure deployment"
       run: ${{github.action_path}}/src/deploy-config.sh --subscription_id=${{ inputs.subscription-id }} --resource_group_name=${{ inputs.resource-group-name }} --nginx_deployment_name=${{ inputs.nginx-deployment-name }} --config_dir_path=${{ inputs.nginx-config-directory-path }} --root_config_file=${{ inputs.nginx-root-config-file }} --transformed_config_dir_path=${{ inputs.transformed-nginx-config-directory-path }} --debug=${{ inputs.debug }}
diff --git a/github-action/src/deploy-certificate.sh b/github-action/src/deploy-certificate.sh
@@ -17,10 +17,6 @@ case $i in
     nginx_deployment_name="${i#*=}"
     shift
     ;;
-    --nginx_resource_location=*)
-    nginx_resource_location="${i#*=}"
-    shift
-    ;;
     --certificates=*)
     certificates="${i#*=}"
     shift
@@ -51,26 +47,12 @@ then
     echo "Please set 'nginx-deployment-name' ..."
     exit 1
 fi
-if [[ ! -v nginx_resource_location ]];
-then
-    echo "Please set 'nginx-resource-location' ..."
-    exit 1
-fi
 if [[ ! -v certificates ]];
 then
     echo "Please set 'nginx-certificates' ..."
     exit 1
 fi
 
-arm_template_file="nginx-for-azure-certificate-template.json"
-
-#get the ARM template file
-wget -O "$arm_template_file" https://raw.githubusercontent.com/nginxinc/nginx-for-azure-deploy-action/a69d33feaa1a8a012ec44c138ca78c6ec4db9f29/src/nginx-for-azure-certificate-template.json
-echo "Downloaded the ARM template for synchronizing NGINX certificate."
-
-cat "$arm_template_file"
-echo ""
-
 az account set -s "$subscription_id" --verbose
 
 count=$(echo "$certificates" | jq '. | length')
@@ -104,41 +86,33 @@ do
         do_nginx_arm_deployment=0
     fi
 
-    uuid="$(cat /proc/sys/kernel/random/uuid)"
-    template_file="template-$uuid.json"
-    template_deployment_name="${nginx_deployment_name:0:20}-$uuid"
-
-    cp "$arm_template_file" "$template_file"
-
     echo "Synchronizing NGINX certificate"
     echo "Subscription ID: $subscription_id"
     echo "Resource group name: $resource_group_name"
     echo "NGINXaaS for Azure deployment name: $nginx_deployment_name"
-    echo "NGINXaaS for Azure Location: $nginx_resource_location"
-    echo "ARM template deployment name: $template_deployment_name"
     echo ""
     echo "NGINXaaS for Azure cert name: $nginx_cert_name"
     echo "NGINXaaS for Azure cert file location: $nginx_cert_file"
     echo "NGINXaaS for Azure key file location: $nginx_key_file"
     echo ""
 
+    echo "Installing the az nginx extension if not already installed."
+    az extension add --name nginx --allow-preview true
+
     if [ $do_nginx_arm_deployment -eq 1 ]
     then
         az_cmd=(
             "az"
+            "nginx"
             "deployment"
-            "group"
+            "certificate"
             "create"
-            "--name" "$template_deployment_name"
             "--resource-group" "$resource_group_name"
-            "--template-file" "$template_file"
-            "--parameters"
-            "name=$nginx_cert_name"
-            "location=$nginx_resource_location"
-            "nginxDeploymentName=$nginx_deployment_name"
-            "certificateVirtualPath=$nginx_cert_file"
-            "keyVirtualPath=$nginx_key_file"
-            "keyVaultSecretID=$keyvault_secret"
+            "--certificate-name" "$nginx_cert_name"
+            "--deployment-name" "$nginx_deployment_name"
+            "--certificate-path" "$nginx_cert_file"
+            "--key-path" "$nginx_key_file"
+            "--key-vault-secret-id" "$keyvault_secret"
             "--verbose"
         )
         if [[ "$debug" == true ]]; then
diff --git a/github-action/src/nginx-for-azure-certificate-template.json b/github-action/src/nginx-for-azure-certificate-template.json
