From 9884bd0bc63fc25cc4a5c9719a6ff00cf32b08ab Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Tue, 26 Mar 2024 11:00:58 -0700
Subject: [PATCH] [ci] Use managed identity for ApiScan (#8823)

I've configured a new [managed identity][0] (MSI) for API Scan, which allows us to enable a more modern authentication approach when running API Scan on the `MAUI-1ESPT` agent pool. A new `$(ApiScanMAUI1ESPTManagedId)` variable has been configured in the pipeline settings to pass the app ID for this MSI to the API Scan task.

[0]: https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/cd4829e2-e38b-43d2-8316-2f2009f36f97/resourcegroups/1esobjects/providers/microsoft.managedidentity/userassignedidentities/maui1esptapiscanidentity/overview
---
 build-tools/automation/azure-pipelines-nightly.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index a71b2ac0872..49a37060c02 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -289,8 +289,8 @@ stages:
 - job: api_scan
 displayName: API Scan
 pool:
- name: Azure Pipelines
- vmImage: windows-2022
+ name: MAUI-1ESPT
+ demands: ImageOverride -equals $(WindowsPoolImage1ESPT)
 timeoutInMinutes: 480
 workspace:
 clean: all
@@ -335,7 +335,7 @@ stages:
 isLargeApp: true
 toolVersion: Latest
 env:
- AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+ AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanMAUI1ESPTManagedId)

 - task: SdtReport@2
 displayName: Guardian Export - Security Report
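Review bot: Nothing in the `pool:` block of the `api_scan` job records that the new pool is a precondition for authentication. Going by the commit message, the managed identity is available on `MAUI-1ESPT` agents, so a later move back to a hosted pool would leave the `AppId=$(ApiScanMAUI1ESPTManagedId)` connection string with no identity to resolve. I would add a comment above `name: MAUI-1ESPT`, such as `# API Scan authenticates with the user-assigned managed identity attached to this pool; do not change the pool without updating ApiScanMAUI1ESPTManagedId`. `$(WindowsPoolImage1ESPT)` is defined outside this hunk, so whether it is set for the nightly pipeline cannot be confirmed from here.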
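Review bot: The new `AzureServicesAuthConnectionString` value under `env:` no longer reads `$(ApiScanClientId)`, `$(ApiScanTenant)` or `$(ApiScanSecret)`, but the commit does not say what happens to them. If no other pipeline uses them, remove them from the pipeline settings and revoke the app key, so a long-lived credential does not outlive the move to managed identity. Azure Pipelines leaves an undefined `$(Name)` macro as literal text, so a missing `ApiScanMAUI1ESPTManagedId` would reach the task as the string `$(ApiScanMAUI1ESPTManagedId)` and surface only as an authentication failure. A comment above the line would help, such as `# ApiScanMAUI1ESPTManagedId is defined in the pipeline settings (client ID of the user-assigned identity)`.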