07 IaC Bicep

Benny Austin edited this page Jan 17, 2025 · 24 revisions

GitHub Action

The GitHub Action workflows/iac-fabric-dataplatform.yml triggers the IaC Bicep scripts to deploy cloud resources. A pull request to the bicep folder automatically triggers this action.

Pre-requisite: create a Service Principal and assign it the Contributor and User Access Administrator roles on the subscription. Both roles are subscription-wide, so treat the client secret as a highly privileged credential: store it only in the repository secrets below and rotate it on a schedule.

This GitHub Action requires the following repository secrets:

  • ACTION_SPN_CLIENTID: Client/Application ID of the Service Principal.
  • ACTION_SPN_SECRET: Client secret of the Service Principal.
  • AZURE_RG: Resource Group where the Fabric capacity in Azure will be provisioned.
  • SUBSCRIPTION_ID: ID of the Azure Subscription where the resources will be provisioned. The Service Principal requires Contributor and User Access Administrator roles to this subscription.
  • TENANT_ID: ID of the Entra Tenant where the resources will be provisioned.

Provisioning Cloud Resources

To provision cloud resources, use the Bicep scripts available in the iac/bicep directory of the repository. The main.bicep is the script called by the workflow file.

The main.bicep script calls the following modules:

  • fabric-capacity: Creates a Fabric capacity of the chosen SKU in Azure.
  • sqldb: Creates an Azure SQL database for the ELT Framework metadata.
  • keyvault: Creates a Key Vault and its access policies.
  • purview: Creates a reference to a new or existing Microsoft Purview instance for data governance purposes.
  • audit: Creates an Azure Data Lake Storage Gen2 storage account and a Log Analytics workspace for auditing purposes.

Follow these steps:

  1. Review the parameters in main.bicep and override the default values to match your naming convention. Each parameter's @description explains what it represents.
  2. While in main.bicep, also review the parameters passed to the modules and override their defaults where needed, e.g. keyvault_name, audit_storage_name, audit_loganalytics_name, sqlserver_name and database_name.
  3. Edit keyvault.bicep and update the accessPolicies section. Use the object ID of the Service Principal created earlier: this is the object ID of the service principal (Enterprise application), not the object ID of the app registration, which is a different GUID. The Service Principal needs only the list and get permissions on secrets. Also add yourself and any other users or security groups that need access to the Key Vault secrets, with the minimum permissions they require.
```bicep
// Default access policies. Replace the object IDs below with your own user, group
// and service-principal object IDs; keep each entry to the permissions it needs.
accessPolicies: [
  {
    // Platform owner: reads and writes secrets
    tenantId: subscription().tenantId
    objectId: '01e16ca5-e5da-49f3-ac27-a46f1cc68ede' // Replace with your user/group object ID
    permissions: { secrets: [ 'list', 'get', 'set' ] }
  }
  {
    tenantId: subscription().tenantId
    objectId: '688ad7c8-d7bb-4f32-884a-05601c9762a2' // Replace with your user/group object ID
    permissions: { secrets: [ 'list', 'get', 'set' ] }
  }
  {
    // Read-only entry, e.g. the GitHub Action Service Principal, which needs only list and get
    tenantId: subscription().tenantId
    objectId: '703595dd-9298-4ef8-ab80-a64f10e8ea07' // Replace with the service principal's object ID
    permissions: { secrets: [ 'list', 'get' ] }
  }
]
```

Once done, commit the changes and raise a pull request. To start provisioning manually, navigate to Actions -> All Workflows -> Provision Fabric Data Platform and click Run workflow.

Please Note

When the workflow runs for the first time it is expected to fail with a "secret not found" error: the Key Vault is created during that run and does not yet contain the secrets that main.bicep reads. When this happens, create the following secrets in the new Key Vault and re-run the failed workflow.

| Secret | Value |
|---|---|
| fabric-capacity-admin-username | Entra username of the Fabric Capacity Administrator, as name@email.domain |
| sqlserver-admin-username | SQL Server administrator login name |
| sqlserver-admin-password | Strong password for the SQL Server administrator |
| sqlserver-ad-admin-username | Entra username of the SQL Server Entra administrator, as name@email.domain |
| sqlserver-ad-admin-sid | Object ID of the Entra user named in sqlserver-ad-admin-username |
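The following script is an added example, not part of the repository or its workflow. It covers the pre-requisite at the top of the page (`bootstrap`: create the Service Principal, assign both roles, resolve the service principal's object ID for keyvault.bicep, and store the five repository secrets) and the seeding step just described (`seed`: create only the Key Vault secrets from the table that are still missing, so it is safe to re-run). It assumes the Azure CLI is logged in as an Owner of the subscription and the GitHub CLI is authenticated to the repository; the default SPN name `fabric-dataplatform-deploy`, the `VAULT_NAME` variable and the `AZ`/`GH` override variables are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository or its workflow).
#   SUBSCRIPTION_ID=... AZURE_RG=... ./bootstrap.sh bootstrap   # SPN, roles, GitHub secrets
#   VAULT_NAME=...                    ./bootstrap.sh seed        # after the first (failed) run
# Needs: az logged in as an Owner of the subscription (role assignment needs
# Microsoft.Authorization/roleAssignments/write) and gh authenticated to the repo.
# Set AZ=echo GH=echo to print the commands instead of executing them.
set -eu

AZ="${AZ:-az}"
GH="${GH:-gh}"

# Key Vault secret names that main.bicep reads (the table above).
REQUIRED_SECRETS="fabric-capacity-admin-username sqlserver-admin-username
sqlserver-admin-password sqlserver-ad-admin-username sqlserver-ad-admin-sid"

# Create the SPN with Contributor on the subscription; prints appId<TAB>password<TAB>tenant.
create_spn() {
  "$AZ" ad sp create-for-rbac --name "$1" --role Contributor \
    --scopes "/subscriptions/$2" --query '[appId,password,tenant]' --output tsv
}

# Object ID of the *service principal* (Enterprise application) behind an app (client) ID.
# Key Vault access policies take this ID; the app registration has a different object ID
# and an access-policy entry with that one grants nothing. ("id" is the property on CLI 2.37+.)
spn_object_id() {
  "$AZ" ad sp show --id "$1" --query id --output tsv
}

# User Access Administrator lets the deployment create role assignments.
grant_user_access_admin() {
  "$AZ" role assignment create --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "User Access Administrator" --scope "/subscriptions/$2" --output none
}

existing_secret_names() {
  "$AZ" keyvault secret list --vault-name "$1" --query '[].name' --output tsv
}

# Print the names in REQUIRED_SECRETS that are absent from $1 (a newline-separated list).
missing_secrets() {
  local name
  for name in $REQUIRED_SECRETS; do
    printf '%s\n' "$1" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# The value is read from stdin into a 0600 temp file, so it never appears in argv,
# process listings or shell history.
set_secret() {
  local tmp
  tmp="$(mktemp)"; chmod 600 "$tmp"; cat >"$tmp"
  "$AZ" keyvault secret set --vault-name "$1" --name "$2" --file "$tmp" --output none
  rm -f "$tmp"
}

bootstrap() {
  : "${SUBSCRIPTION_ID:?}" "${AZURE_RG:?}"
  local spn app_id client_secret tenant_id object_id
  spn="$(create_spn "${SPN_NAME:-fabric-dataplatform-deploy}" "$SUBSCRIPTION_ID")"
  app_id="$(printf '%s\n' "$spn" | cut -f1)"
  client_secret="$(printf '%s\n' "$spn" | cut -f2)"
  tenant_id="$(printf '%s\n' "$spn" | cut -f3)"
  object_id="$(spn_object_id "$app_id")"
  grant_user_access_admin "$object_id" "$SUBSCRIPTION_ID"
  echo "Use object ID $object_id for the list/get entry in keyvault.bicep accessPolicies"

  # Repository secrets the workflow expects; the client secret goes in via stdin.
  printf '%s' "$client_secret" | "$GH" secret set ACTION_SPN_SECRET
  "$GH" secret set ACTION_SPN_CLIENTID --body "$app_id"
  "$GH" secret set AZURE_RG --body "$AZURE_RG"
  "$GH" secret set SUBSCRIPTION_ID --body "$SUBSCRIPTION_ID"
  "$GH" secret set TENANT_ID --body "$tenant_id"
}

# Prompts only for secrets that are still missing, so re-running is safe.
seed() {
  : "${VAULT_NAME:?set to the keyvault_name used in main.bicep}"
  local name value
  for name in $(missing_secrets "$(existing_secret_names "$VAULT_NAME")"); do
    printf 'Value for %s: ' "$name"
    stty -echo 2>/dev/null || :; read -r value; stty echo 2>/dev/null || :; echo
    printf '%s' "$value" | set_secret "$VAULT_NAME" "$name"
  done
}

case "${1:-}" in
  bootstrap) bootstrap ;;
  seed) seed ;;
esac
```

Run `bootstrap` once before the first workflow run and `seed` after it has failed with the "secret not found" error; the object ID printed by `bootstrap` is the value to paste into the read-only access-policy entry in keyvault.bicep.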