From 74101429840e71a9be1b529286190fbb34d3e6ef Mon Sep 17 00:00:00 2001
From: Robert Schaedler
Date: Wed, 13 Mar 2024 19:08:23 +0000
Subject: [PATCH] use managed identity for runner authentication

---
 .github/workflows/ci-report.yml | 2 +-
 .github/workflows/e2e-run.yml | 19 ++++++------
 .github/workflows/e2e.yml | 32 ++++++++++++---------
 .github/workflows/package-publish.yml | 11 +++----
 .github/workflows/package-sign.yml | 11 +++----
 .github/workflows/universalnrp-test-run.yml | 2 +-
 devops/e2e/terraform/iothub/providers.tf | 5 ----
 devops/e2e/terraform/iothub/variables.tf | 22 --------------
 devops/scripts/create_service_principal.sh | 15 ----------
 9 files changed, 42 insertions(+), 77 deletions(-)
 delete mode 100755 devops/scripts/create_service_principal.sh

diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
index 24d98f2ea..94e4cd95b 100644
--- a/.github/workflows/ci-report.yml
+++ b/.github/workflows/ci-report.yml
@@ -21,7 +21,7 @@ jobs:
 name: CI report
 path: '*.xml'
 reporter: java-junit
-
+
 nrp-e2e-report:
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/e2e-run.yml b/.github/workflows/e2e-run.yml
index 1fa2dce2e..66d736fe4 100644
--- a/.github/workflows/e2e-run.yml
+++ b/.github/workflows/e2e-run.yml
@@ -13,11 +13,8 @@ on:
 required: true
 type: string
 secrets:
- client_id:
- description: 'Azure Client ID'
- required: true
- client_secret:
- description: 'Azure Client Secret'
+ subscription_id:
+ description: 'Azure Subscription ID'
 required: true
 tenant_id:
 description: 'Azure Tenant ID'
@@ -48,15 +45,17 @@ jobs:
 - uses: actions/download-artifact@v3
 with:
 name: ${{ inputs.target }}
- path: package
+ path: ${{ github.workspace }}/package
+
+ - uses: azure/login@v2
+ with:
+ auth-type: IDENTITY
+ tenant-id: ${{ secrets.tenant_id }}
+ subscription-id: ${{ secrets.subscription_id }}

 - name: Create device identity
 id: device
 run: |
- az login --service-principal \
- --username ${{ secrets.client_id }} \
- --password ${{ secrets.client_secret }} \
- --tenant ${{ secrets.tenant_id }}
 az extension add --name azure-iot
 az iot hub device-identity create \
 --hub-name ${{ secrets.iothub }} \
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index e566a83e2..6d973936c 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -11,7 +11,7 @@ on:
 jobs:
 hub:
 name: Create IoT Hub
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=ubuntu-22.04']
 outputs:
 name: ${{ steps.terraform.outputs.iothub_name }}
 connection_string: ${{ steps.terraform.outputs.connection_string }}
@@ -19,6 +19,12 @@ jobs:
 steps:
 - uses: actions/checkout@v4

+ - uses: azure/login@v2
+ with:
+ auth-type: IDENTITY
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: latest
@@ -28,10 +34,9 @@ jobs:
 id: terraform
 working-directory: devops/e2e/terraform/iothub
 env:
- TF_VAR_client_id: ${{ secrets.CLIENT_ID }}
- TF_VAR_client_secret: ${{ secrets.CLIENT_SECRET }}
- TF_VAR_subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
- TF_VAR_tenant_id: ${{ secrets.TENANT_ID }}
+ ARM_USE_MSI: true
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
 TF_VAR_name: e2e-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
 run: |
 terraform init
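Review bot: The added `azure/login@v2` step sets `auth-type: IDENTITY` without a `client-id`, so it resolves the agent's system-assigned managed identity; if the pool's agents carry a user-assigned identity instead, the login fails or binds the wrong identity, so either pass `client-id` (it could be a further reusable-workflow secret) or record the assumption above the step: `# Uses the 1ES agent's system-assigned managed identity; hosted runners have none.` The test job's `runs-on` is outside this hunk and the diffstat shows no other change to this file, so the step silently depends on the job already being scheduled onto the identity-bearing pool. The same shape is repeated in the login steps of e2e.yml, package-publish.yml and package-sign.yml, so one decision on `client-id` should be applied to all four. The `run:` block creating the device identity continues past the hunk.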
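Review bot: Dropping CLIENT_SECRET removes the repository secret as an access gate: any job that lands on `1ES.Pool=e2e-pool` can now authenticate as the pool's identity without holding any secret, so the triggers and branch/environment protection of every workflow targeting this pool become the effective authorization boundary. The identity is used in this file to create and delete IoT Hubs and in package-publish.yml and package-sign.yml to read signing certificates from Key Vault; I cannot tell from the diff whether those are distinct identities or pools, and that is worth confirming before a single Contributor-scoped identity ends up serving both purposes. A comment at the hub job's `runs-on:` line in the preceding hunk would record the outcome, e.g. `# e2e-pool agents expose a managed identity; its role assignments are limited to the e2e IoT Hub resources`.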
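Review bot: `ARM_USE_MSI: true` is a YAML boolean inside a GitHub `env:` map; Actions stringifies it to `true` for the process environment, which the azurerm provider accepts, but `ARM_USE_MSI: "true"` states the intended string explicitly and avoids a yamllint `truthy` finding. Since providers.tf no longer carries any authentication arguments, a line above the env block would help the next reader, e.g. `# Terraform authenticates with the agent's managed identity via the ARM_* variables below (see providers.tf).` The `run:` block continues outside the hunk.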
@@ -56,9 +61,8 @@ jobs:
 ]
 arch: [amd64]
 secrets:
- client_id: ${{ secrets.CLIENT_ID }}
- client_secret: ${{ secrets.CLIENT_SECRET }}
- tenant_id: ${{ secrets.TENANT_ID }}
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 iothub: ${{ needs.hub.outputs.name }}
 iothub_connection_string: ${{ needs.hub.outputs.connection_string }}
 with:
@@ -68,16 +72,18 @@ jobs:

 cleanup:
 name: Delete IoT Hub
- runs-on: ubuntu-latest
+ runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=ubuntu-22.04']
 needs: [hub, test]
 if: always()
 steps:
+ - uses: azure/login@v2
+ with:
+ auth-type: IDENTITY
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Delete IoT Hub
 run: |
- az login --service-principal \
- --username ${{ secrets.CLIENT_ID }} \
- --password ${{ secrets.CLIENT_SECRET }} \
- --tenant ${{ secrets.TENANT_ID }}
 az extension add --name azure-iot
 az iot hub delete \
 --name ${{ needs.hub.outputs.name }} \
diff --git a/.github/workflows/package-publish.yml b/.github/workflows/package-publish.yml
index 0725da13c..bd622aa29 100644
--- a/.github/workflows/package-publish.yml
+++ b/.github/workflows/package-publish.yml
@@ -22,7 +22,6 @@ jobs:
 PMC_CLI_MSAL_SCOPE: api://d48bb382-20ec-41b9-a0ea-07758a21ccd0/.default
 PMC_CLI_MSAL_AUTHORITY: https://login.microsoftonline.com/MSAzureCloud.onmicrosoft.com
 PMC_CLI_MSAL_CERT_PATH: auth.pem
-

 steps:
 - uses: actions/checkout@v4
@@ -31,15 +30,17 @@ jobs:
 name: ${{ inputs.artifact }}
 path: packages

+ - uses: azure/login@v2
+ with:
+ auth-type: IDENTITY
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Download certs
 env:
- CLIENT_ID: ${{ secrets.CLIENT_ID }}
- CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
- TENANT_ID: ${{ secrets.TENANT_ID }}
 AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
 PMC_MSAL_CERT_NAME: pmc-onecert
 run: |
- az login --service-principal --username "$CLIENT_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID"
 az keyvault secret download --vault-name "$AZURE_VAULT" --name "$PMC_MSAL_CERT_NAME" --file "${{ github.workspace }}/auth.pem"

 - name: Upload package
diff --git a/.github/workflows/package-sign.yml b/.github/workflows/package-sign.yml
index d5336ddda..b9f702237 100644
--- a/.github/workflows/package-sign.yml
+++ b/.github/workflows/package-sign.yml
@@ -21,17 +21,18 @@ jobs:
 steps:
 - uses: actions/checkout@v4

+ - uses: azure/login@v2
+ with:
+ auth-type: IDENTITY
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
 - name: Setup ESRP
 env:
- CLIENT_ID: ${{ secrets.CLIENT_ID }}
- CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
- TENANT_ID: ${{ secrets.TENANT_ID }}
 AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
 AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
 REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
 run: |
- az login --service-principal --username "$env:CLIENT_ID" --password "$env:CLIENT_SECRET" --tenant "$env:TENANT_ID"
-
 az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
 certutil -f -importpfx out.pfx
 Remove-Item -Path out.pfx
diff --git a/.github/workflows/universalnrp-test-run.yml b/.github/workflows/universalnrp-test-run.yml
index e1c9e53eb..4e8b14bde 100644
--- a/.github/workflows/universalnrp-test-run.yml
+++ b/.github/workflows/universalnrp-test-run.yml
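Review bot: The certificate is downloaded to `${{ github.workspace }}/auth.pem` and nothing in this hunk removes it afterwards, unlike package-sign.yml, which deletes `out.pfx` right after `certutil` imports it. With the job now authenticating through a self-hosted agent's identity, whether that file outlives the job depends on whether the pool reuses agents, which the diff does not show; a closing step `- if: always()` / `run: rm -f "${{ github.workspace }}/auth.pem"` removes the doubt either way. The same persistence question applies to package-sign.yml, where the imported certificate stays in the agent's certificate store after `Remove-Item` deletes only the file. The upload step's body and the rest of the job are outside the hunk.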
@@ -30,7 +30,7 @@ jobs:

 test:
 needs: package
- runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=${{ inputs.target }}']
+ runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ inputs.target }}']
 steps:
 - uses: actions/checkout@v4

diff --git a/devops/e2e/terraform/iothub/providers.tf b/devops/e2e/terraform/iothub/providers.tf
index bb870ff5b..78570c171 100644
--- a/devops/e2e/terraform/iothub/providers.tf
+++ b/devops/e2e/terraform/iothub/providers.tf
@@ -9,9 +9,4 @@ terraform {

 provider "azurerm" {
 features {}
-
- subscription_id = var.subscription_id
- tenant_id = var.tenant_id
- client_id = var.client_id
- client_secret = var.client_secret
 }
diff --git a/devops/e2e/terraform/iothub/variables.tf b/devops/e2e/terraform/iothub/variables.tf
index cbc1073d0..accc29514 100644
--- a/devops/e2e/terraform/iothub/variables.tf
+++ b/devops/e2e/terraform/iothub/variables.tf
@@ -1,25 +1,3 @@
-variable "client_id" {
- type = string
- sensitive = true
- description = "Client ID for the service principal"
-}
-
-variable "client_secret" {
- type = string
- sensitive = true
- description = "Client secret for the service principal"
-}
-
-variable "subscription_id" {
- type = string
- sensitive = true
-}
-
-variable "tenant_id" {
- type = string
- sensitive = true
-}
-
 variable "name" {
 type = string
 description = "The name of the Azure IoT Hub"
diff --git a/devops/scripts/create_service_principal.sh b/devops/scripts/create_service_principal.sh
deleted file mode 100755
index cce16f8c7..000000000
--- a/devops/scripts/create_service_principal.sh
+++ /dev/null
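Review bot: The move from `1ES.Pool=e2e-pool` to `1ES.Pool=ci-pool` carries no explanation in the hunk; presumably it takes this test job off the pool whose agents now expose the Azure managed identity, since nothing visible in the job needs Azure access, and that intent deserves a comment so the change is not reverted later for capacity reasons: `# ci-pool: this job needs no Azure access, so keep it off the identity-bearing e2e-pool`. If that is not the reason, the comment should say what is. The remaining steps of the job are outside the hunk.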
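Review bot: With the four explicit arguments gone, the `azurerm` provider block holds only `features {}` and authenticates entirely from environment variables set by the calling workflow, which nothing in this file tells a reader running `terraform plan` by hand. A comment inside the block would close that gap: `# No credentials here: the e2e workflow supplies ARM_USE_MSI, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID; local runs need an Azure CLI login or the same ARM_* variables.` The `terraform {}` block at the top of the file is outside the hunk.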
@@ -1,15 +0,0 @@
-#!/bin/bash
-# This script requires Azure CLI version 2.25.0 or later. Check version with `az --version`.
-
-# SERVICE_PRINCIPAL_NAME: Must be unique within your AD tenant
-SERVICE_PRINCIPAL_NAME=
-# Replace with valid Azure Subscription ID
-SUBSCRIPTION_ID=
-
-# Create the service principal with rights scoped to the subscription.
-SP_PASSWD=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME --scopes /subscriptions/$SUBSCRIPTION_ID --role Contributor --query password --output tsv)
-SP_APP_ID=$(az ad sp list --display-name $SERVICE_PRINCIPAL_NAME --query [].appId --output tsv)
-
-# Output the service principal's credentials; use these in your services and applications to authenticate.
-echo "Service principal ID: $SP_APP_ID"
-echo "Service principal password: $SP_PASSWD"
\ No newline at end of file