diff --git a/scripts/azure-devops/azure-pipelines.yml b/scripts/azure-devops/azure-pipelines.yml index e22eee0..c03b12a 100644 --- a/scripts/azure-devops/azure-pipelines.yml +++ b/scripts/azure-devops/azure-pipelines.yml @@ -71,7 +71,7 @@ jobs: - task: AzureCLI@2 displayName: 'rename_service_connection_applications.ps1' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | @@ -86,7 +86,7 @@ jobs: - task: AzureCLI@2 displayName: 'list_service_connections.ps1' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | @@ -101,7 +101,7 @@ jobs: - task: AzureCLI@2 displayName: 'list_service_connection_identities.ps1' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | @@ -116,7 +116,7 @@ jobs: - task: AzureCLI@2 displayName: 'list_identities_using_issuer.ps1' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | @@ -132,7 +132,7 @@ jobs: displayName: 'set_terraform_azurerm_vars.ps1' inputs: addSpnToEnvironment: true - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: ./set_terraform_azurerm_vars.ps1 @@ -151,7 +151,7 @@ jobs: displayName: 'Create resource groups for Managed Identity and scope' name: resourceGroup inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' failOnStandardError: true scriptType: pscore scriptLocation: inlineScript 
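Review bot: Nothing in this diff declares `azureConnectionWIF` or `azureConnectionSecret`, so the twelve `azureSubscription:` substitutions in this file (first at `@@ -71`) rely on those names being defined in the unchanged part of the file above line 71, in a variable group, or in the pipeline's UI variables; an undefined macro is left as the literal text `$(azureConnectionWIF)` and the AzureCLI@2 task then fails at run time with a service-connection lookup error instead of at pipeline validation. A comment at the first use, such as `# azureConnectionWIF / azureConnectionSecret: service connection names supplied by the pipeline's variables (not declared here)`, would make that contract visible, or the variables block could declare them with a placeholder default. The enclosing `jobs:` and `steps:` sequences begin outside the hunk.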
@@ -181,7 +181,7 @@ jobs: displayName: 'Create Managed Identity and Service Connection' name: identity inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' failOnStandardError: true scriptType: pscore scriptLocation: inlineScript @@ -223,7 +223,7 @@ jobs: displayName: 'Test Service Connection $(serviceConnectionToCreate)' timeoutInMinutes: 5 inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' failOnStandardError: true scriptType: pscore scriptLocation: inlineScript @@ -249,7 +249,7 @@ jobs: - task: AzureCLI@2 displayName: 'Convert (WhatIf)' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionSecret)' failOnStandardError: true scriptType: pscore scriptLocation: inlineScript @@ -291,7 +291,7 @@ jobs: - task: AzureCLI@2 displayName: 'Convert simple (WhatIf)' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionSecret)' failOnStandardError: true scriptType: pscore scriptLocation: inlineScript @@ -344,7 +344,7 @@ jobs: name: teardownAzure displayName: 'Tear down Azure resources' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | @@ -383,7 +383,7 @@ jobs: name: teardownAzDO condition: succeededOrFailed() inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml index 5aa5c8f..df3e992 100644 --- a/scripts/azure-devops/create-oidctoken.yml +++ b/scripts/azure-devops/create-oidctoken.yml 
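Review bot: The two Convert tasks (`@@ -249` and `@@ -291`) are the only steps that switch to `$(azureConnectionSecret)` while every other step in the file moves to `$(azureConnectionWIF)`, and nothing in the hunk says why, so a reader could easily take it for a missed rename. Presumably the conversion script needs a not-yet-federated, secret-based connection as its input; a comment above the input, such as `# Conversion must start from a secret-based connection; WIF connections are already federated`, would document the intent. Because a secret-based connection carries a long-lived client secret, it is also worth confirming that it is scoped to what the WhatIf run needs and retired once the conversion path is covered. The step's `inlineScript` body continues outside the hunk.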
@@ -40,12 +40,12 @@ jobs: displayName: 'Scripted with addSpnToEnvironment' inputs: addSpnToEnvironment: true - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | - Write-Host "Using Service Connection $(azureConnection)" - az account show -o json >"$(azureConnection).json" + Write-Host "Using Service Connection $(azureConnectionWIF)" + az account show -o json >"$(azureConnectionWIF).json" $(scriptDirectory)/set_terraform_azurerm_vars.ps1 Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;isoutput=true]${env:ARM_CLIENT_ID}" @@ -56,7 +56,7 @@ jobs: Write-Host "##vso[task.setvariable variable=ARM_USE_OIDC;isoutput=true]${env:ARM_USE_OIDC}" if ($env:ARM_USE_OIDC -ine 'true') { - Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnection)' is not using federation" + Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnectionWIF)' is not using federation" } failOnStandardError: true workingDirectory: $(Build.ArtifactStagingDirectory) @@ -81,11 +81,11 @@ jobs: displayName: 'Scripted with REST API' inputs: addSpnToEnvironment: true - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | - Write-Host "Using Service Connection $(azureConnection)" + Write-Host "Using Service Connection $(azureConnectionWIF)" $(scriptDirectory)/set_terraform_azurerm_vars.ps1 -RequestNewToken -SystemAccessToken $(System.AccessToken) Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;isoutput=true]${env:ARM_CLIENT_ID}" 
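Review bot: `az account show -o json >"$(azureConnectionWIF).json"` writes into `$(Build.ArtifactStagingDirectory)` (the task's `workingDirectory`), which the `publish` step at the end of this file uploads as a pipeline artifact, so whatever the account JSON and `set_terraform_azurerm_vars.ps1` drop into that directory becomes downloadable by anyone with read access to the run; a comment above the redirection stating that only subscription and tenant identifiers are expected in that file would make that boundary explicit. The visible `##vso[task.setvariable ...;isoutput=true]` lines export `ARM_CLIENT_ID` and `ARM_USE_OIDC`, but the exports between the two hunks are not shown, so if `ARM_OIDC_TOKEN` or `ARM_CLIENT_SECRET` is exported the same way it also needs `issecret=true`, e.g. `Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN;isoutput=true;issecret=true]${env:ARM_OIDC_TOKEN}"`. The 'Scripted with REST API' step at `@@ -81` has the same export pattern and additionally passes `$(System.AccessToken)` to the script as a macro-expanded argument; mapping it through the task's `env:` instead keeps the token out of the expanded command text. The step's `inputs:` mapping starts outside the hunk.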
@@ -97,7 +97,7 @@ jobs: Write-Host "##vso[task.setvariable variable=ARM_USE_OIDC;isoutput=true]${env:ARM_USE_OIDC}" if ($env:ARM_USE_OIDC -ine 'true') { - Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnection)' is not using federation" + Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnectionWIF)' is not using federation" } failOnStandardError: true workingDirectory: $(Build.ArtifactStagingDirectory) @@ -120,22 +120,25 @@ jobs: - task: AzureCLI@2 displayName: 'Inline script' inputs: - azureSubscription: '$(azureConnection)' + azureSubscription: '$(azureConnectionWIF)' scriptType: pscore scriptLocation: inlineScript inlineScript: | - Get-ChildItem -Path Env: -Recurse -Include ENDPOINT_DATA_* | Select-Object -First 1 -ExpandProperty Name ` - | ForEach-Object { $_.Split("_")[2] } - | Set-Variable serviceConnectionId - - "{0}{1}/_apis/distributedtask/hubs/build/plans/{2}/jobs/{3}/oidctoken?api-version={4}&serviceConnectionId={5}" -f ` - "$(System.TeamFoundationCollectionUri)", ` - "$(System.TeamProjectId)", ` - "$(System.PlanId)", ` - "$(System.JobId)", ` - "7.1-preview.1", ` - "${serviceConnectionId}" ` - | Set-Variable oidcTokenUrl + Write-Host "Service Connection ID: ${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}" + Write-Host "Service Connection endpoint data:" + Get-ChildItem -Path Env: -Recurse ` + -Include AZURESUBSCRIPTION_*, SYSTEM_OIDC* ` + | Sort-Object -Property Name ` + | ForEach-Object { + if ($_.Name -match 'SECRET|TOKEN') { + $_.Value = '***' + } + $_ + } ` + | Format-Table -HideTableHeaders -Property @{Expression='Name';Width=75}, @{Expression='Value';Width=175} -Wrap ` + | Out-String -Width 256 + + $oidcTokenUrl = "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}" Write-Host "oidcTokenUrl: $oidcTokenUrl" Invoke-RestMethod -Headers @{ 
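Review bot: The new `$oidcTokenUrl` line at `@@ -120` builds the request from `${env:SYSTEM_OIDCREQUESTURI}` and `${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}` without checking that either is set; on an agent or connection type that does not populate them the URL collapses to `?api-version=7.1&serviceConnectionId=` and the `Invoke-RestMethod` below fails with an unrelated-looking error, whereas the removed code at least derived the id from `ENDPOINT_DATA_*`. A guard before the assignment, `if (-not $env:SYSTEM_OIDCREQUESTURI -or -not $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID) { throw 'SYSTEM_OIDCREQUESTURI or AZURESUBSCRIPTION_SERVICE_CONNECTION_ID is not set; is this a workload identity federation connection?' }`, turns that into a clear failure. The environment dump above it masks by name (`-match 'SECRET|TOKEN'`), which is a heuristic: any value under `AZURESUBSCRIPTION_*` or `SYSTEM_OIDC*` whose name lacks those words is printed in full into the job log, so a comment such as `# Diagnostic listing: identifiers only; values whose names contain SECRET/TOKEN are redacted by name, not by content` (or an explicit allow-list of names to print) would make the redaction boundary visible. The step's `Invoke-RestMethod` call continues outside the hunk.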
@@ -157,4 +160,4 @@ jobs: - publish: $(Build.ArtifactStagingDirectory) displayName: 'Publish json files' - artifact: $(azureConnection) + artifact: $(azureConnectionWIF)