
GH Integration updates #73

Merged
merged 35 commits into from
Mar 24, 2023
Conversation

jpocloud

  • Updated env validation scripts to match new webapp patterns
  • Updated all 3 templates to work with Federated credentials and tested this in my Azure subscription & GH repo
  • In the Release pipeline, I added environments and job stages so we can have approvals/gates; the environments require additional federation to be set up on the application registration (part 4 instructions below)
  • The pipelines will have multiple azd login executions; this is because the token may either expire or get wiped by a prior azd command execution. I created an issue for this in the azd project: Using federated trust in GH Action, I had to add azd login between azd executions azure-dev#1740
  • Resolves: Setup Integration testing with GH secrets #61

Note: If there is a desire to run any of these pipelines against a non-main branch on an ad-hoc basis, this will require additional federations to be set up on the app registration to include a subject which contains the branch name.

Steps to configure on Azure Github Org & Desired Azure Subscription:
Prereq: requires Github CLI and azd

  1. Set repo secret in MWA for AZURE_LOCATION2 to australiaeast
  2. Clone MWA repo and navigate to MWA folder in console
  3. Run the following azd commands, updating the principal name as needed. You will be prompted for an environment name; “mwa” would be a nice choice since the pipeline executions will append environment names to RGs.
     azd pipeline config --principal-name mwa-gh-spn
     azd pipeline config --principal-name mwa-gh-spn --principal-role "User Access Administrator"
  4. Add Federated credential entries to the app registration to support deployments with “QA” and “PROD” GH environments.
     # "id" here is the app registration's object id, which is what the Graph applications/{id} path below expects
     appId=$(az ad app list --display-name mwa-gh-spn --query '[0].id' -o tsv)
     az rest --method POST --uri "https://graph.microsoft.com/beta/applications/${appId}/federatedIdentityCredentials" --body '{"name":"mwa-qa","issuer":"https://token.actions.githubusercontent.com","subject":"repo:Azure/modern-web-app-pattern-dotnet:environment:QA","description":"QA Env","audiences":["api://AzureADTokenExchange"]}'
     az rest --method POST --uri "https://graph.microsoft.com/beta/applications/${appId}/federatedIdentityCredentials" --body '{"name":"mwa-prod","issuer":"https://token.actions.githubusercontent.com","subject":"repo:Azure/modern-web-app-pattern-dotnet:environment:PROD","description":"PROD Env","audiences":["api://AzureADTokenExchange"]}'
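The following script is an added example, not code from the PR or the project: it wraps steps 3 and 4 in shell functions that derive the GitHub OIDC subject claim and the federated-credential JSON body, and it also produces the branch-scoped subject that the note above says is needed for ad-hoc runs from a non-main branch. The repo, issuer, audience and the mwa-qa/mwa-prod entries are taken from the PR; the credential name mwa-main, the FIC_APPLY switch and the final listing call are assumptions for this example. Azure matches the subject claim exactly, so an environment-scoped credential does not cover a branch-scoped job, and vice versa.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR): build and apply federated identity
# credentials (FICs) for GitHub Actions OIDC. Values marked "assumed" are not
# from the PR.
set -eu

REPO="Azure/modern-web-app-pattern-dotnet"
ISSUER="https://token.actions.githubusercontent.com"
AUDIENCE="api://AzureADTokenExchange"
APP_DISPLAY_NAME="mwa-gh-spn"

# Subject claim GitHub places in the OIDC token. $1 = environment | branch |
# pull_request, $2 = environment or branch name (ignored for pull_request).
fic_subject() {
  case "$1" in
    environment)  printf 'repo:%s:environment:%s' "$REPO" "$2" ;;
    branch)       printf 'repo:%s:ref:refs/heads/%s' "$REPO" "$2" ;;
    pull_request) printf 'repo:%s:pull_request' "$REPO" ;;
    *) echo "unknown subject kind: $1" >&2; return 1 ;;
  esac
}

# JSON body for POST .../applications/{objectId}/federatedIdentityCredentials
# $1 = credential name, $2 = description, $3 = subject claim
fic_body() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","description":"%s","audiences":["%s"]}' \
    "$1" "$ISSUER" "$3" "$2" "$AUDIENCE"
}

# Creates the credentials and lists the result. Only runs when FIC_APPLY=1
# (assumed switch) so the functions above can be exercised without az access.
apply_fics() {
  # "id" from az ad app list is the object id, which the Graph
  # applications/{id} path expects (not the appId / client id).
  objectId=$(az ad app list --display-name "$APP_DISPLAY_NAME" --query '[0].id' -o tsv)
  uri="https://graph.microsoft.com/beta/applications/${objectId}/federatedIdentityCredentials"
  az rest --method POST --uri "$uri" --body "$(fic_body mwa-qa   'QA Env'   "$(fic_subject environment QA)")"
  az rest --method POST --uri "$uri" --body "$(fic_body mwa-prod 'PROD Env' "$(fic_subject environment PROD)")"
  # Branch-scoped credential for ad-hoc runs from main (assumed name mwa-main).
  az rest --method POST --uri "$uri" --body "$(fic_body mwa-main 'main branch' "$(fic_subject branch main)")"
  # Check what is now registered against the app.
  az rest --method GET --uri "$uri" --query 'value[].{name:name,subject:subject}' -o table
}

if [ "${FIC_APPLY:-0}" = "1" ]; then apply_fics; fi
```

Run it as `FIC_APPLY=1 ./fic.sh` after `az login`; without the switch it only defines the functions, which is useful for checking the subject strings before touching the app registration.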

@jpocloud jpocloud requested a review from KSchlobohm March 17, 2023 15:56

@KSchlobohm KSchlobohm left a comment


Looks good, please include suggestions for file headers.

.github/workflows/azure-release.yml
@@ -1,7 +1,17 @@
name: "MWA- Daily Build"
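Review bot: the workflow name "MWA- Daily Build" does not match the file it lives in (.github/workflows/azure-release.yml) and has uneven spacing around the hyphen; consider a name that reflects the release purpose, e.g. "MWA - Release", and place the header comment suggested for this file above the name: line so the first thing a reader sees explains what the workflow is for.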

Suggested change
name: "MWA- Daily Build"
# This file is part of our engineering process to build and maintain this file.
# See the README markdown file for further details
name: "MWA- Daily Build"

@jpocloud jpocloud merged commit 3e75ed1 into Azure:main Mar 24, 2023