use managed identity for runner authentication

Azure · Mar 13, 2024 · 9a7b519 · 9a7b519
1 parent d99f039
commit 9a7b519
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 76 deletions.
diff --git a/.github/workflows/ci-report.yml b/.github/workflows/ci-report.yml
@@ -21,7 +21,7 @@ jobs:
           name: CI report
           path: '*.xml'
           reporter: java-junit
-  
+
   nrp-e2e-report:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/e2e-run.yml b/.github/workflows/e2e-run.yml
@@ -13,11 +13,8 @@ on:
         required: true
         type: string
     secrets:
-      client_id:
-        description: 'Azure Client ID'
-        required: true
-      client_secret:
-        description: 'Azure Client Secret'
+      subscription_id:
+        description: 'Azure Subscription ID'
         required: true
       tenant_id:
         description: 'Azure Tenant ID'
@@ -50,13 +47,15 @@ jobs:
           name: ${{ inputs.target }}
           path: package
 
+      - uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.tenant_id }}
+          subscription-id: ${{ secrets.subscription_id }}
+
       - name: Create device identity
         id: device
         run: |
-          az login --service-principal \
-            --username ${{ secrets.client_id }} \
-            --password ${{ secrets.client_secret }} \
-            --tenant ${{ secrets.tenant_id }}
           az extension add --name azure-iot
           az iot hub device-identity create \
             --hub-name ${{ secrets.iothub }} \

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -11,14 +11,20 @@ on:
 jobs:
   hub:
     name: Create IoT Hub
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=ubuntu-22.04']
     outputs:
       name: ${{ steps.terraform.outputs.iothub_name }}
       connection_string: ${{ steps.terraform.outputs.connection_string }}
       resource_group_name: ${{ steps.terraform.outputs.resource_group_name }}
     steps:
       - uses: actions/checkout@v4
 
+      - uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: latest
@@ -28,10 +34,9 @@ jobs:
         id: terraform
         working-directory: devops/e2e/terraform/iothub
         env:
-          TF_VAR_client_id: ${{ secrets.CLIENT_ID }}
-          TF_VAR_client_secret: ${{ secrets.CLIENT_SECRET }}
-          TF_VAR_subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
-          TF_VAR_tenant_id: ${{ secrets.TENANT_ID }}
+          ARM_USE_MSI: true
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
           TF_VAR_name: e2e-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
         run: |
           terraform init
@@ -56,9 +61,8 @@ jobs:
           ]
         arch: [amd64]
     secrets:
-      client_id: ${{ secrets.CLIENT_ID }}
-      client_secret: ${{ secrets.CLIENT_SECRET }}
-      tenant_id: ${{ secrets.TENANT_ID }}
+      subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      tenant_id: ${{ secrets.AZURE_TENANT_ID }}
       iothub: ${{ needs.hub.outputs.name }}
       iothub_connection_string: ${{ needs.hub.outputs.connection_string }}
     with:
@@ -68,16 +72,18 @@ jobs:
 
   cleanup:
     name: Delete IoT Hub
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=ubuntu-22.04']
     needs: [hub, test]
     if: always()
     steps:
+      - uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Delete IoT Hub
         run: |
-          az login --service-principal \
-            --username ${{ secrets.CLIENT_ID }} \
-            --password ${{ secrets.CLIENT_SECRET }} \
-            --tenant ${{ secrets.TENANT_ID }}
           az extension add --name azure-iot
           az iot hub delete \
             --name ${{ needs.hub.outputs.name }} \

diff --git a/.github/workflows/package-publish.yml b/.github/workflows/package-publish.yml
@@ -22,7 +22,6 @@ jobs:
       PMC_CLI_MSAL_SCOPE: api://d48bb382-20ec-41b9-a0ea-07758a21ccd0/.default
       PMC_CLI_MSAL_AUTHORITY: https://login.microsoftonline.com/MSAzureCloud.onmicrosoft.com
       PMC_CLI_MSAL_CERT_PATH: auth.pem
-
     steps:
       - uses: actions/checkout@v4
 
@@ -31,15 +30,17 @@ jobs:
           name: ${{ inputs.artifact }}
           path: packages
 
+      - uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Download certs
         env:
-          CLIENT_ID: ${{ secrets.CLIENT_ID }}
-          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-          TENANT_ID: ${{ secrets.TENANT_ID }}
           AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
           PMC_MSAL_CERT_NAME: pmc-onecert
         run: |
-          az login --service-principal --username "$CLIENT_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID"
           az keyvault secret download --vault-name "$AZURE_VAULT" --name "$PMC_MSAL_CERT_NAME" --file "${{ github.workspace }}/auth.pem"
 
       - name: Upload package

diff --git a/.github/workflows/package-sign.yml b/.github/workflows/package-sign.yml
@@ -21,17 +21,18 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Setup ESRP
         env:
-          CLIENT_ID: ${{ secrets.CLIENT_ID }}
-          CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
-          TENANT_ID: ${{ secrets.TENANT_ID }}
           AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
           AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
           REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
         run: |
-          az login --service-principal --username "$env:CLIENT_ID" --password "$env:CLIENT_SECRET" --tenant "$env:TENANT_ID"
-
           az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
           certutil -f -importpfx out.pfx
           Remove-Item -Path out.pfx

diff --git a/.github/workflows/universalnrp-test-run.yml b/.github/workflows/universalnrp-test-run.yml
@@ -30,7 +30,7 @@ jobs:
 
   test:
     needs: package
-    runs-on: [self-hosted, 1ES.Pool=e2e-pool, '1ES.ImageOverride=${{ inputs.target }}']
+    runs-on: [self-hosted, 1ES.Pool=ci-pool, '1ES.ImageOverride=${{ inputs.target }}']
     steps:
       - uses: actions/checkout@v4
 

diff --git a/devops/e2e/terraform/iothub/providers.tf b/devops/e2e/terraform/iothub/providers.tf
@@ -9,9 +9,4 @@ terraform {
 
 provider "azurerm" {
   features {}
-
-  subscription_id = var.subscription_id
-  tenant_id       = var.tenant_id
-  client_id       = var.client_id
-  client_secret   = var.client_secret
 }
diff --git a/devops/e2e/terraform/iothub/variables.tf b/devops/e2e/terraform/iothub/variables.tf
@@ -1,25 +1,3 @@
-variable "client_id" {
-  type        = string
-  sensitive   = true
-  description = "Client ID for the service principal"
-}
-
-variable "client_secret" {
-  type        = string
-  sensitive   = true
-  description = "Client secret for the service principal"
-}
-
-variable "subscription_id" {
-  type      = string
-  sensitive = true
-}
-
-variable "tenant_id" {
-  type      = string
-  sensitive = true
-}
-
 variable "name" {
   type        = string
   description = "The name of the Azure IoT Hub"

diff --git a/devops/scripts/create_service_principal.sh b/devops/scripts/create_service_principal.sh