Knowledge check

Completed

Consider the following workflow definition:

.github/workflows/workflow.yml:

name: workflow

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  deploy-sandbox:
    uses: /.github/workflows/deploy.yml
    with:
      environmentName: Sandbox
    secrets:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

  deploy-production:
    uses: /.github/workflows/deploy.yml
    needs: deploy-sandbox
    with:
      environmentName: Production
    secrets:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

.github/workflows/deploy.yml:

name: deploy

on:
  workflow_call:
    inputs:
      environmentName:
        required: true
        type: string
    secrets:
      AZURE_CLIENT_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_SUBSCRIPTION_ID:
        required: true

jobs:
  deploy:
    environment: ${{ inputs.environmentType }}
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - uses: azure/arm-deploy@v1
      with:
        failOnStdErr: false
        deploymentName: ${{ github.run_number }}
        resourceGroupName: ${{ inputs.environmentName }}_rg
        template: ./deploy/main.bicep
        parameters: deploy/parameters.${{ inputs.environmentName }}.json

The Git repository's deploy folder also contains the Bicep file and parameter files.

1.

How can you improve the security of this workflow?

Use separate workload identities for each environment.

Add a condition to deploy only when the environment name is Production.

Create a new Azure role definition.

2.

You need to add a new environment named Integration to the workflow. Which of these actions should you take as part of adding the new environment?

Add a new caller workflow file.

Add a new called workflow file.

Add a new Bicep parameters file.

3.

You need to add a new parameter to your deployment that contains a connection string and password to access a database. Which of these approaches should you consider?

Define a variable in the workflow.yml file.

Define a secret in the GitHub web interface.

Add the parameter to the parameters.ENVIRONMENT_NAME.json files.

You must answer all questions before checking your work.