Enabling MFA in MuleSoft for CI/CD Pipelines Using GitHub Actions

Most enterprise Anypoint Platform accounts require that you use multi-factor authentication (MFA) mechanisms for added security. This means that in addition to your regular username and password, you will need an extra step to authenticate (for example, an authenticator application on your phone).

When you are using CI/CD pipelines for your Mule applications and MFA is enabled in your account, the configuration to authenticate using the Mule Maven plugin will be different than if you were just using your username and password. There are more steps that you have to take from your Anypoint Platform account to enable your CI/CD pipelines with this authentication method.

In this post, you will learn how to set up a GitHub Actions pipeline to work with your MFA-enabled account from Anypoint Platform.

Prerequisites

A Mule project with a working Mule application.
A GitHub repository with your Mule application. We will use our example repository in this post.
An Anypoint Platform account with MFA enabled (you can use a free trial account). See About Multi-Factor Authentication for details.

Create a Connected App

Since using your Anypoint Platform’s username and password is not good enough to authenticate in the pipeline, you need to create a connected app to use its credentials (ID/Secret). To create it, go to your Anypoint Platform account and navigate to Access Management > Connected Apps > Create app.

Access Management screen to create a connected app

Name your app to identify it from others you might create. For example, github-actions. Select the App acts on its own behalf type and click on the Add Scopes button.

Adding name to a new connected app

Select the following 10 scopes.

Design Center Developer
View Environment
View Organization
Profile
CloudHub Organization Admin
Create Applications
Delete Applications
Download Applications
Read Applications
Read Servers

Click on Next. Select your Business Group and click Next. Select your Environment (for example, Sandbox) and click on Next. Review that the scopes are correct and click on Add Scopes. Click on Save.

Scopes for the newly created connected app

After your app has been created, make sure to copy both ID and Secret. You will use these in the pipeline’s settings as the authentication method.

List of connected apps after creating the github-actions app

Set up your GitHub Actions secrets

Go to your GitHub repository. Click on the Settings tab > Secrets and variables > Actions > New repository secret. In the name field, add CONNECTED_APP_CLIENT_ID. In the secret field, add the actual ID that you just copied from the previous step. Repeat this step to create another secret with the actual secret you copied from the previous step. Use the name CONNECTED_APP_CLIENT_SECRET.

List of repository secrets shown from GitHub

Create a CI/CD pipeline

Back in your Mule application’s code, create a .github folder at the root level. Inside this folder, create another folder called workflows. Inside this folder, create a build.yml file with the following contents: mule-mfa-cicd-build.yml. Please note that the main branch is being used on line 5. If your branch has a different name, be sure to update this setting.

In this file, we describe the steps to generate our Mule application’s JAR file and deploy it to our Anypoint Platform account using GitHub Actions. Notice that we are using the previously created secrets in the last step to pass them to our project through Maven. Here we are declaring two Java environment variables (client.id and client.secret) to copy our app credentials from GitHub secrets so that the pom.xml file can be used later.

Modify your Maven settings

In your Mule project, open your pom.xml file. Locate the org.mule.tools.maven plugin under project/build/plugins. Add the following configuration to this plugin.

Double-check these settings in case you need to update them to match your use case. For example, muleVersion, applicationName, environment, or region. We will be using the connectedAppClientId and connectedAppClientSecret fields to pass the Java variables we declared earlier in the Maven configuration.

It’s important that you don’t hardcode the connected app’s credentials into this file for security reasons. That is why we keep the values as GitHub secrets. Remember you can access our example repository if you need to compare your code with ours.

Run the pipeline

Once all your settings are ready, commit and push your changes to the remote repository. This will trigger the pipeline in GitHub. You can view the process by clicking the Actions tab from your GitHub repository.

Overview of a GitHub Actions run summary showing the build and deploy jobs

After the process is complete, your Mule application will be deployed in Runtime Manager. Note that the JAR file will contain the commit hash in its name.

Runtime Manager screenshot showing the mulesoft-mfa-cicd application running successfully

Conclusion

Enabling CI/CD pipelines is important to automate repetitive tasks. Instead of manually deploying a Mule application every time there is a change to the code, we can create pipelines to do these tasks for us. This was a simple example using just one branch and one environment, but you can connect other branches to other environments in Anypoint Platform. For example, dev, qa, prod, and so on.

In this post, we learned how to automatically deploy a Mule application into CloudHub when using multi-factor authentication in our Anypoint Platform account because most enterprise accounts have this setting enabled. However, when you’re only using a free trial account, you don’t need to create a connected app if you’re not using MFA in your account. You can use your Anypoint Platform username and password to sign in.

There are many things you can automate when using CI/CD pipelines for your Mule applications. You can run automated tests before deploying your Mule app, for example. Can you think of other repetitive tasks you can automate in your pipelines?

Note: The initial versions of the pipeline are based on the following repository created by Archana Patel: arch-jn/github-actions-mule-cicd-demo.

Further Resources

About the author

Alex Martinez was part of the MuleSoft Community before joining MuleSoft as a Developer Advocate. She founded ProstDev to help other professionals learn more about content creation. In her free time, you will find Alex playing Nintendo or Playstation games and writing reviews about them! Follow Alex on LinkedIn or in the Trailblazer Community.