Enhancement: Remove secret references for login (#793)

* Remove secret references for login * Login to Azure CLI * Testing login * Fix token misspelling * Update remaining pipeline files * Update display names of tasks * Update azure/login github action to v2 --------- Co-authored-by: Sacha Narinx <Springstone@users.noreply.github.com>
Azure · Jul 16, 2024 · bf7a19b · bf7a19b
1 parent b702fbe
commit bf7a19b
Show file tree

Hide file tree

Showing 10 changed files with 67 additions and 19 deletions.
diff --git a/.github/azFunction/azure-pipelines/deploy-functions.yml b/.github/azFunction/azure-pipelines/deploy-functions.yml
@@ -14,31 +14,43 @@ steps:
     includeRootFolder: false
     archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"
 
+- task: AzureCLI@2
+  displayName: 'Azure CLI Get Federated Token'
+  inputs:
+    azureSubscription: azserviceconnection
+    addSpnToEnvironment: true
+    scriptType: bash
+    scriptLocation: inlineScript
+    inlineScript: |
+      echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
+      echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
+      echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
+
 - task: Bash@3
-  displayName: Login to Azure
+  displayName: Login to Azure for Subsequent Tasks
   name: git_azlogin
   inputs:
-    targetType: 'inline'
+    targetType: "inline"
     script: |
-      az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+      az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
 
-- task: Bash@3    
+- task: Bash@3
   displayName: Deploy Base Azure Function
   name: create_az_function
   inputs:
     targetType: 'inline'
     script: |
       az deployment group create --resource-group cancelsubscription --template-file .github/azFunction/AzFunctionInfrastructure/main.bicep --parameters parAzFunctionName=$(cancelsubfunctionname)
 
-- task: AzureFunctionApp@1 
+- task: AzureFunctionApp@1
   displayName: "Deploy Functions to base"
   inputs:
     azureSubscription: 'azserviceconnection'
-    appType: functionAppLinux 
+    appType: functionAppLinux
     appName: $(cancelsubfunctionname)
     package: $(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip
 
-- task: Bash@3    
+- task: Bash@3
   displayName: Az CLI create Role Assignment to Tenant root group
   name: create_role_assign_tenant
   inputs:

diff --git a/accelerator/.github/workflows/alz-bicep-1-core.yml b/accelerator/.github/workflows/alz-bicep-1-core.yml
@@ -53,7 +53,7 @@ jobs:
         run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV
 
       - name: OIDC Login to Tenant
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/accelerator/.github/workflows/alz-bicep-2-policyassignments.yml b/accelerator/.github/workflows/alz-bicep-2-policyassignments.yml
@@ -43,7 +43,7 @@ jobs:
         run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV
 
       - name: OIDC Login to Tenant
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/accelerator/.github/workflows/alz-bicep-3-subplacement.yml b/accelerator/.github/workflows/alz-bicep-3-subplacement.yml
@@ -43,7 +43,7 @@ jobs:
         run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV
 
       - name: OIDC Login to Tenant
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/accelerator/.github/workflows/alz-bicep-4a-hubspoke.yml b/accelerator/.github/workflows/alz-bicep-4a-hubspoke.yml
@@ -45,7 +45,7 @@ jobs:
         run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV
 
       - name: OIDC Login to Tenant
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/accelerator/.github/workflows/alz-bicep-4b-vwan.yml b/accelerator/.github/workflows/alz-bicep-4b-vwan.yml
@@ -45,7 +45,7 @@ jobs:
         run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV
 
       - name: OIDC Login to Tenant
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/docs/wiki/PipelinesGitHub.md b/docs/wiki/PipelinesGitHub.md
@@ -38,7 +38,7 @@ jobs:
           fetch-depth: 0
 
       - name: Azure Login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           creds: '${{ secrets.AZURE_CREDENTIALS }}'
 

diff --git a/tests/pipelines/base-unit-validate.yml b/tests/pipelines/base-unit-validate.yml
@@ -19,13 +19,25 @@ jobs:
     pool:
       vmImage: ubuntu-latest
     steps:
+      - task: AzureCLI@2
+        displayName: 'Azure CLI Get Federated Token'
+        inputs:
+          azureSubscription: azserviceconnection
+          addSpnToEnvironment: true
+          scriptType: bash
+          scriptLocation: inlineScript
+          inlineScript: |
+            echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
+            echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
+            echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
+
       - task: Bash@3
-        displayName: Login to Azure
+        displayName: Login to Azure for Subsequent Tasks
         name: git_azlogin
         inputs:
           targetType: "inline"
           script: |
-            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
 
       - task: Bash@3
         displayName: Az CLI Create Subscription for PR

diff --git a/tests/pipelines/bicep-build-to-validate.yml b/tests/pipelines/bicep-build-to-validate.yml
@@ -100,13 +100,25 @@ jobs:
             echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
             echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"
 
+      - task: AzureCLI@2
+        displayName: 'Azure CLI Get Federated Token'
+        inputs:
+          azureSubscription: azserviceconnection
+          addSpnToEnvironment: true
+          scriptType: bash
+          scriptLocation: inlineScript
+          inlineScript: |
+            echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
+            echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
+            echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
+
       - task: Bash@3
-        displayName: Login to Azure
+        displayName: Login to Azure for Subsequent Tasks
         name: git_azlogin
         inputs:
           targetType: "inline"
           script: |
-            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
 
       - task: Bash@3
         displayName: Az CLI Create Subscription for PR

diff --git a/tests/pipelines/mc-base-unit-validate.yml b/tests/pipelines/mc-base-unit-validate.yml
@@ -17,14 +17,26 @@ jobs:
     pool:
       vmImage: ubuntu-latest
     steps:
+      - task: AzureCLI@2
+        displayName: 'Azure CLI Get Federated Token'
+        inputs:
+          azureSubscription: mcserviceconnection
+          addSpnToEnvironment: true
+          scriptType: bash
+          scriptLocation: inlineScript
+          inlineScript: |
+            echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
+            echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
+            echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"
+
       - task: Bash@3
-        displayName: Login to Azure
+        displayName: Login to Azure for Subsequent Tasks
         name: git_azlogin
         inputs:
           targetType: "inline"
           script: |
             az cloud set --name AzureChinaCloud
-            az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
+            az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)
 
       - task: Bash@3
         displayName: Az CLI Create Resource Group for PR