Enhancement: Remove secret references for login #793

Merged
merged 9 commits into from
Jul 16, 2024
26 changes: 19 additions & 7 deletions .github/azFunction/azure-pipelines/deploy-functions.yml
@@ -14,31 +14,43 @@ steps:
includeRootFolder: false
archiveFile: "$(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip"

- task: AzureCLI@2
displayName: 'Azure CLI Get Federated Token'
inputs:
azureSubscription: azserviceconnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"

- task: Bash@3
displayName: Login to Azure
displayName: Login to Azure for Subsequent Tasks
name: git_azlogin
inputs:
targetType: 'inline'
targetType: "inline"
script: |
az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)

- task: Bash@3
- task: Bash@3
displayName: Deploy Base Azure Function
name: create_az_function
inputs:
targetType: 'inline'
script: |
az deployment group create --resource-group cancelsubscription --template-file .github/azFunction/AzFunctionInfrastructure/main.bicep --parameters parAzFunctionName=$(cancelsubfunctionname)

- task: AzureFunctionApp@1
- task: AzureFunctionApp@1
displayName: "Deploy Functions to base"
inputs:
azureSubscription: 'azserviceconnection'
appType: functionAppLinux
appType: functionAppLinux
appName: $(cancelsubfunctionname)
package: $(System.DefaultWorkingDirectory)/build$(Build.BuildId).zip

- task: Bash@3
- task: Bash@3
displayName: Az CLI create Role Assignment to Tenant root group
name: create_role_assign_tenant
inputs:
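Review bot: the new `Azure CLI Get Federated Token` task writes `ARM_ID_TOKEN` with a plain `##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken`, so the federated token is an ordinary, unmasked pipeline variable; set it with `issecret=true` (`echo "##vso[task.setvariable variable=ARM_ID_TOKEN;issecret=true]$idToken"`) so the log masker treats it as a secret while the following task can still read it via the `$(ARM_ID_TOKEN)` macro. Now that `--username $(azclilogin) --password $(azclipwd)` is gone from every pipeline in this PR, the client secret behind `azclipwd` should be deleted from the variable group and from the app registration rather than left dormant. Minor style point: `targetType` is switched to `"inline"` here while the `create_az_function` task a few lines down still uses `'inline'`.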

2 changes: 1 addition & 1 deletion accelerator/.github/workflows/alz-bicep-1-core.yml
@@ -53,7 +53,7 @@ jobs:
run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV

- name: OIDC Login to Tenant
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
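Review bot: `uses: azure/login@v2` is a floating major tag, so this OIDC login step will run whatever commit the publisher moves `v2` to; pinning to a full commit SHA with the tag kept in a trailing comment is the stronger supply-chain posture for a step that handles the token exchange. The bump itself is safe because the inputs are already `client-id` and `tenant-id` (OIDC, no stored client secret); the same one-line change is repeated in the sibling `alz-bicep-*` workflows below.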
Original file line number Diff line number Diff line change
@@ -43,7 +43,7 @@ jobs:
run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV

- name: OIDC Login to Tenant
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}

2 changes: 1 addition & 1 deletion accelerator/.github/workflows/alz-bicep-3-subplacement.yml
@@ -43,7 +43,7 @@ jobs:
run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV

- name: OIDC Login to Tenant
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}

2 changes: 1 addition & 1 deletion accelerator/.github/workflows/alz-bicep-4a-hubspoke.yml
@@ -45,7 +45,7 @@ jobs:
run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV

- name: OIDC Login to Tenant
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}

2 changes: 1 addition & 1 deletion accelerator/.github/workflows/alz-bicep-4b-vwan.yml
@@ -45,7 +45,7 @@ jobs:
run: cat ${{ env.ENV_FILE }} >> $GITHUB_ENV

- name: OIDC Login to Tenant
uses: azure/login@v1
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}

2 changes: 1 addition & 1 deletion docs/wiki/PipelinesGitHub.md
@@ -38,7 +38,7 @@ jobs:
fetch-depth: 0

- name: Azure Login
uses: azure/login@v1
uses: azure/login@v2
with:
creds: '${{ secrets.AZURE_CREDENTIALS }}'

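Review bot: the documentation snippet in `docs/wiki/PipelinesGitHub.md` still logs in with `creds: '${{ secrets.AZURE_CREDENTIALS }}'`, the JSON credential blob that carries a client secret, which is exactly the login style this PR sets out to remove; only the action version changed here. Suggest rewriting the example to the OIDC form the `accelerator/.github/workflows/alz-bicep-*.yml` files use (`client-id` and `tenant-id` under `with:`, plus the `id-token: write` permission the job needs for the token exchange) so readers copying the wiki do not reintroduce a stored secret.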

16 changes: 14 additions & 2 deletions tests/pipelines/base-unit-validate.yml
@@ -19,13 +19,25 @@ jobs:
pool:
vmImage: ubuntu-latest
steps:
- task: AzureCLI@2
displayName: 'Azure CLI Get Federated Token'
inputs:
azureSubscription: azserviceconnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"

- task: Bash@3
displayName: Login to Azure
displayName: Login to Azure for Subsequent Tasks
name: git_azlogin
inputs:
targetType: "inline"
script: |
az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)

- task: Bash@3
displayName: Az CLI Create Subscription for PR
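Review bot: `$idToken` is only populated by `addSpnToEnvironment: true` when `azserviceconnection` is a workload identity federation service connection; if the connection is still secret-based, `ARM_ID_TOKEN` is set to an empty string and the later `az login --federated-token $(ARM_ID_TOKEN)` fails with an unhelpful argument error. Add a guard at the end of the inline script, for example `[ -n "$idToken" ] || { echo "##vso[task.logissue type=error]service connection did not return a federated token"; exit 1; }`, so a misconfigured connection fails fast with a message that points at the cause.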

16 changes: 14 additions & 2 deletions tests/pipelines/bicep-build-to-validate.yml
@@ -100,13 +100,25 @@ jobs:
echo "gitSpokeOUTPUT=$git_spoke" >> $GITHUB_ENV
echo "##vso[task.setvariable variable=gitSpokeOUTPUT]$git_spoke"

- task: AzureCLI@2
displayName: 'Azure CLI Get Federated Token'
inputs:
azureSubscription: azserviceconnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"

- task: Bash@3
displayName: Login to Azure
displayName: Login to Azure for Subsequent Tasks
name: git_azlogin
inputs:
targetType: "inline"
script: |
az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)

- task: Bash@3
displayName: Az CLI Create Subscription for PR
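Review bot: the eleven-line `Azure CLI Get Federated Token` task and the `git_azlogin` task are now copy-pasted identically into four pipelines (`deploy-functions.yml`, `base-unit-validate.yml`, `bicep-build-to-validate.yml`, `mc-base-unit-validate.yml`), differing only in the service connection name; moving them into a step template (`- template:` with a `serviceConnection` parameter) would let a later hardening fix, such as secret-marking the token or adding an empty-token guard, land once instead of four times. `--allow-no-subscriptions` is appropriate in this file since the next task, `Az CLI Create Subscription for PR`, is what creates the subscription.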

16 changes: 14 additions & 2 deletions tests/pipelines/mc-base-unit-validate.yml
@@ -17,14 +17,26 @@ jobs:
pool:
vmImage: ubuntu-latest
steps:
- task: AzureCLI@2
displayName: 'Azure CLI Get Federated Token'
inputs:
azureSubscription: mcserviceconnection
addSpnToEnvironment: true
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
echo "##vso[task.setvariable variable=ARM_CLIENT_ID]$servicePrincipalId"
echo "##vso[task.setvariable variable=ARM_ID_TOKEN]$idToken"
echo "##vso[task.setvariable variable=ARM_TENANT_ID]$tenantId"

- task: Bash@3
displayName: Login to Azure
displayName: Login to Azure for Subsequent Tasks
name: git_azlogin
inputs:
targetType: "inline"
script: |
az cloud set --name AzureChinaCloud
az login --service-principal --username $(azclilogin) --password $(azclipwd) --tenant $(azclitenant)
az login --service-principal -u $(ARM_CLIENT_ID) --tenant $(ARM_TENANT_ID) --allow-no-subscriptions --federated-token $(ARM_ID_TOKEN)

- task: Bash@3
displayName: Az CLI Create Resource Group for PR
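Review bot: the ordering is right (`az cloud set --name AzureChinaCloud` before the `az login --federated-token`), but the token was minted by the `AzureCLI@2` task against `mcserviceconnection` before that cloud switch, so `mcserviceconnection` must itself be configured for the Azure China environment or the login will be rejected by a tenant that does not trust the federated credential. That coupling is not visible from the YAML; a one-line comment above `az cloud set` stating that the connection must target AzureChinaCloud would save the next person a confusing failure.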