Tags: azure, azure-web-app-service, github-actions, devops

How to allow GitHub Actions to access a database on a VNet


I have set up a web app + database in Azure and I am trying to deploy my code via GitHub Actions in the deployment center. I have added the connection string to my database in GitHub secrets and I get an error:

    [22:54:57] ERROR (payload): Error: cannot connect to Postgres. Details: getaddrinfo ENOTFOUND myapp-database-server.postgres.database.azure.com
    error Command failed with exit code 1.

In reality this makes sense, because how could GitHub Actions check my database exists if it's behind a VNet? So I am curious how I can fix this issue without removing my VNet and making my DB public.

One option noted in comments is runners. I found this code to add to my yml file:

    - name: Whitelist GitHub Runner IP
      uses: azure/CLI@v1
      with:
        inlineScript: |
          set -eu
          agentIP=$(curl -s https://api.ipify.org/)
          az storage account network-rule add \
            --resource-group "${{ secrets.RESOURCE_GROUP }}" \
            --account-name "${{ secrets.STORAGE_ACCOUNT_NAME }}" \
            --ip-address "$agentIP"
          sleep 300

My question is: how can I add an IP exception to a VNet? Do I need to set up a firewall with it somehow and allow IP access?


Solution

  • You have two options. The first option is to create a VM and install a self-hosted runner on it. The VM should either be located in your VNet or be connected to a peered VNet / be able to route to that network. https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners

    The other option is to enable the public endpoint of the database with "Selected Networks". Then you can use the script you have to add an IP exception for the GitHub public runner to your database. (Do not forget to remove it afterwards.)

    az sql server firewall-rule create -g mygroup -s myserver -n myrule --start-ip-address 1.2.3.4 --end-ip-address 5.6.7.8

    https://learn.microsoft.com/en-us/cli/azure/sql/server/firewall-rule?view=azure-cli-latest

    From your posted code (I haven't tested it):

    - name: Whitelist GitHub Runner IP
      uses: azure/CLI@v1
      with:
        inlineScript: |
          set -eu
          agentIP=$(curl -s https://api.ipify.org/)
          az sql server firewall-rule create \
            -g "${{ secrets.RESOURCE_GROUP }}" \
            -s "${{ secrets.SQL_SERVER_NAME }}" \
            -n ghrunner \
            --start-ip-address "$agentIP" --end-ip-address "$agentIP"
          sleep 300
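As an added example (not code from the question or the answer) of the answer's second option together with the cleanup it asks for: the script checks that the address returned by the lookup service really is an IPv4 address before handing it to az, names the rule after the workflow run, and removes the rule from an EXIT trap so it disappears even when the deploy command fails. It assumes an already logged-in az CLI, RESOURCE_GROUP and DB_SERVER_NAME supplied from secrets, and a Postgres flexible server (the az postgres flexible-server commands are an assumption; for Azure SQL use the az sql server firewall-rule command from the answer instead).

```shell
#!/bin/sh
# Added example, not from the question or the answer: temporary firewall
# exception for the hosted runner, removed again when the deploy command ends.
# Assumes: az already logged in, RESOURCE_GROUP and DB_SERVER_NAME set from
# secrets, Postgres flexible server (az postgres flexible-server is assumed).
set -eu

# Accept only a plain dotted-quad IPv4 address. The lookup service's reply is
# untrusted input, so anything else is rejected rather than passed on to az.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# One rule name per workflow run, so parallel runs never delete each other's rule.
rule_name() {
  printf 'gh-runner-%s' "${1:-${GITHUB_RUN_ID:-local}}"
}

allow_runner_ip() {
  az postgres flexible-server firewall-rule create \
    --resource-group "$RESOURCE_GROUP" --name "$DB_SERVER_NAME" --rule-name "$2" \
    --start-ip-address "$1" --end-ip-address "$1" >/dev/null
}

remove_runner_ip() {
  az postgres flexible-server firewall-rule delete --yes \
    --resource-group "$RESOURCE_GROUP" --name "$DB_SERVER_NAME" --rule-name "$1" >/dev/null || true
}

main() {
  ip=$(curl -fsS https://api.ipify.org/)
  is_ipv4 "$ip" || { echo "unexpected runner address: $ip" >&2; exit 1; }
  RULE_NAME=$(rule_name)
  allow_runner_ip "$ip" "$RULE_NAME"
  trap 'remove_runner_ip "$RULE_NAME"' EXIT   # cleanup on success and on failure
  "$@"                                        # the deploy command, e.g. ./deploy.sh
}

# Usage: sh allow-runner.sh ./deploy.sh
[ $# -eq 0 ] || main "$@"
```

Run it as a single workflow step that wraps the deploy command; the rule then exists only for the lifetime of that step instead of lingering after a failed run.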