From bb7098182b2aa35c5e676a11f4c43cb537624e4c Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Mon, 29 Apr 2024 17:05:57 +0200
Subject: [PATCH 1/6] Use SYSTEM_OIDCREQUESTURI
---
 scripts/azure-devops/create-oidctoken.yml | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index 5aa5c8f..02d2689 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -124,18 +124,7 @@ jobs:
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
-        Get-ChildItem -Path Env: -Recurse -Include ENDPOINT_DATA_* | Select-Object -First 1 -ExpandProperty Name ` | ForEach-Object { $_.Split("_")[2] } | Set-Variable serviceConnectionId
-
-        "{0}{1}/_apis/distributedtask/hubs/build/plans/{2}/jobs/{3}/oidctoken?api-version={4}&serviceConnectionId={5}" -f ` "$(System.TeamFoundationCollectionUri)", ` "$(System.TeamProjectId)", ` "$(System.PlanId)", ` "$(System.JobId)", ` "7.1-preview.1", ` "${serviceConnectionId}" ` | Set-Variable oidcTokenUrl
+        $oidcTokenUrl = "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
         Write-Host "oidcTokenUrl: $oidcTokenUrl"
         Invoke-RestMethod -Headers @{
From 28c37244c8cecc3368003f818e67515b227c1496 Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Fri, 7 Jun 2024 11:49:15 +0200
Subject: [PATCH 2/6] addSpnToEnvironment: true
---
 scripts/azure-devops/create-oidctoken.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index 02d2689..38ae7d2 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -120,6 +120,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'Inline script'
     inputs:
+      addSpnToEnvironment: true
       azureSubscription: '$(azureConnection)'
       scriptType: pscore
       scriptLocation: inlineScript
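Review bot: The new `$oidcTokenUrl = "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"` line assumes both variables are populated, and PowerShell interpolates an unset `$env:` name as an empty string, so where either is missing the URL silently degenerates to `?api-version=7.1&serviceConnectionId=` and the `Invoke-RestMethod` call that follows (its headers, presumably carrying a bearer token, sit outside this hunk) fails with an unrelated-looking error. Fail fast before building the URL: `if (-not $env:SYSTEM_OIDCREQUESTURI) { throw "SYSTEM_OIDCREQUESTURI is not set" }` and `if (-not $env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID) { throw "AZURESUBSCRIPTION_SERVICE_CONNECTION_ID is not set" }`. The removed code derived the connection id by parsing `ENDPOINT_DATA_*` names, so a one-line comment above the new line saying which task populates `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` (the surrounding `AzureCLI@2` task, if that is the case) would explain why the parsing is no longer needed. The inline script continues past the end of the hunk.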
From 522e62ce51d9793b795b5220ea903b926986e8f7 Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Fri, 7 Jun 2024 11:53:40 +0200
Subject: [PATCH 3/6] List env vars
---
 scripts/azure-devops/create-oidctoken.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index 38ae7d2..1afd751 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -125,6 +125,20 @@ jobs:
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
+        Write-Host "Service Connection ID: ${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
+        Write-Host "Service Connection endpoint data:"
+        Get-ChildItem -Path Env: -Recurse `
+                      -Include AZURESUBSCRIPTION_*, ENDPOINT_DATA_*, SYSTEM_OIDC* `
+                      | Sort-Object -Property Name `
+                      | ForEach-Object {
+                          if ($_.Name -match 'SECRET|TOKEN') {
+                              $_.Value = '***'
+                          }
+                          $_
+                        } `
+                      | Format-Table -HideTableHeaders -Property @{Expression='Name';Width=75}, @{Expression='Value';Width=175} -Wrap `
+                      | Out-String -Width 256
+
         $oidcTokenUrl = "${env:SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
         Write-Host "oidcTokenUrl: $oidcTokenUrl"
From e35f60274bdb8f51777143d6de8a2d4a4ef4749a Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Fri, 7 Jun 2024 12:02:31 +0200
Subject: [PATCH 4/6] Remove addSpnToEnvironment
---
 scripts/azure-devops/create-oidctoken.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index 1afd751..ca24190 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -120,7 +120,6 @@ jobs:
   - task: AzureCLI@2
     displayName: 'Inline script'
     inputs:
-      addSpnToEnvironment: true
       azureSubscription: '$(azureConnection)'
       scriptType: pscore
       scriptLocation: inlineScript
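Review bot: The masking branch `if ($_.Name -match 'SECRET|TOKEN')` is a name denylist, so any variable matched by the `-Include AZURESUBSCRIPTION_*, ENDPOINT_DATA_*, SYSTEM_OIDC*` filter whose name does not contain those two words is printed verbatim into the job log, and `ENDPOINT_DATA_*` carries whatever fields the service connection defines, under names this script does not control. The script only consumes `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_OIDCREQUESTURI` (the two it reads on the `$oidcTokenUrl` line), so invert the check into an allowlist: `if ($_.Name -notmatch '^(AZURESUBSCRIPTION_SERVICE_CONNECTION_ID|SYSTEM_OIDCREQUESTURI)$') { $_.Value = '***' }`. Patch 5/6 of this series drops `ENDPOINT_DATA_*` from the filter, but the name-based mask stays and the same concern applies to anything added to `-Include` later. A comment above `Write-Host "Service Connection endpoint data:"` saying this is debug output that lands in a persisted, widely readable build log would help the next person decide whether to keep it. The inline script continues past the end of the hunk.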
From a5c35f8a5137043146e9c99a832f455fc48aa089 Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Fri, 7 Jun 2024 12:04:58 +0200
Subject: [PATCH 5/6] Don't list ENDPOINT_* data
---
 scripts/azure-devops/create-oidctoken.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index ca24190..b393f92 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -127,7 +127,7 @@ jobs:
         Write-Host "Service Connection ID: ${env:AZURESUBSCRIPTION_SERVICE_CONNECTION_ID}"
         Write-Host "Service Connection endpoint data:"
         Get-ChildItem -Path Env: -Recurse `
-                      -Include AZURESUBSCRIPTION_*, ENDPOINT_DATA_*, SYSTEM_OIDC* `
+                      -Include AZURESUBSCRIPTION_*, SYSTEM_OIDC* `
                       | Sort-Object -Property Name `
                       | ForEach-Object {
                           if ($_.Name -match 'SECRET|TOKEN') {
From 1a75aa2503f28546c8a9615dd6e7864e280d004e Mon Sep 17 00:00:00 2001
From: Eric van Wijk
Date: Fri, 7 Jun 2024 12:10:48 +0200
Subject: [PATCH 6/6] Separate SC & WIF Scs to test
---
 scripts/azure-devops/azure-pipelines.yml  | 24 +++++++++++------------
 scripts/azure-devops/create-oidctoken.yml | 18 ++++++++---------
 2 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/scripts/azure-devops/azure-pipelines.yml b/scripts/azure-devops/azure-pipelines.yml
index e22eee0..c03b12a 100644
--- a/scripts/azure-devops/azure-pipelines.yml
+++ b/scripts/azure-devops/azure-pipelines.yml
@@ -71,7 +71,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'rename_service_connection_applications.ps1'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
@@ -86,7 +86,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'list_service_connections.ps1'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
@@ -101,7 +101,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'list_service_connection_identities.ps1'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
@@ -116,7 +116,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'list_identities_using_issuer.ps1'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
@@ -132,7 +132,7 @@ jobs:
     displayName: 'set_terraform_azurerm_vars.ps1'
     inputs:
       addSpnToEnvironment: true
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: ./set_terraform_azurerm_vars.ps1
@@ -151,7 +151,7 @@ jobs:
     displayName: 'Create resource groups for Managed Identity and scope'
     name: resourceGroup
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       failOnStandardError: true
       scriptType: pscore
       scriptLocation: inlineScript
@@ -181,7 +181,7 @@ jobs:
     displayName: 'Create Managed Identity and Service Connection'
     name: identity
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       failOnStandardError: true
       scriptType: pscore
       scriptLocation: inlineScript
@@ -223,7 +223,7 @@ jobs:
     displayName: 'Test Service Connection $(serviceConnectionToCreate)'
     timeoutInMinutes: 5
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       failOnStandardError: true
       scriptType: pscore
       scriptLocation: inlineScript
@@ -249,7 +249,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'Convert (WhatIf)'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionSecret)'
       failOnStandardError: true
       scriptType: pscore
       scriptLocation: inlineScript
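Review bot: The `azureSubscription: '$(azureConnectionSecret)'` line under 'Convert (WhatIf)' is the one place in this file that moves to a secret-based connection while every other hunk moves to `$(azureConnectionWIF)`, and nothing in the YAML records why, so a later cleanup can easily "fix" it to WIF. Presumably this step needs a non-federated connection as the subject of the conversion; state that in a comment above the line, e.g. `# Secret-based connection on purpose: this step exercises converting a non-federated connection (confirm)`. Both `azureConnectionWIF` and `azureConnectionSecret` must be defined at pipeline or variable-group level outside these hunks; an undefined macro is left as the literal string `$(azureConnectionSecret)` and the task only fails at service-connection lookup, not at parse time, so a short comment naming where they are set would help too. The task body continues past the end of the hunk.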
@@ -291,7 +291,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'Convert simple (WhatIf)'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionSecret)'
       failOnStandardError: true
       scriptType: pscore
       scriptLocation: inlineScript
@@ -344,7 +344,7 @@ jobs:
     name: teardownAzure
     displayName: 'Tear down Azure resources'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
@@ -383,7 +383,7 @@ jobs:
     name: teardownAzDO
     condition: succeededOrFailed()
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
diff --git a/scripts/azure-devops/create-oidctoken.yml b/scripts/azure-devops/create-oidctoken.yml
index b393f92..df3e992 100644
--- a/scripts/azure-devops/create-oidctoken.yml
+++ b/scripts/azure-devops/create-oidctoken.yml
@@ -40,12 +40,12 @@ jobs:
     displayName: 'Scripted with addSpnToEnvironment'
     inputs:
       addSpnToEnvironment: true
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
-        Write-Host "Using Service Connection $(azureConnection)"
-        az account show -o json >"$(azureConnection).json"
+        Write-Host "Using Service Connection $(azureConnectionWIF)"
+        az account show -o json >"$(azureConnectionWIF).json"
         $(scriptDirectory)/set_terraform_azurerm_vars.ps1
         Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;isoutput=true]${env:ARM_CLIENT_ID}"
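Review bot: `az account show -o json >"$(azureConnectionWIF).json"` writes the full account record (subscription, tenant and, typically, the signed-in principal's details) into the task's working directory, which this task sets to `$(Build.ArtifactStagingDirectory)` and which the `publish` step at the end of this file uploads as an artifact named after the same variable, so everything `az account show` prints becomes readable to anyone with artifact access on the pipeline. None of that is a credential, but if the file exists only to prove the login worked, `az account show --query id -o tsv >"$(azureConnectionWIF).json"` (or not persisting it at all) narrows what leaves the job. The `##vso[task.setvariable variable=ARM_CLIENT_ID;isoutput=true]` line is fine as a plain variable, but if the lines of this script outside the hunk export a client secret or OIDC token with the same pattern they need `;issecret=true`, otherwise they become ordinary, unmasked job variables. The inline script continues past the end of the hunk.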
@@ -56,7 +56,7 @@ jobs:
         Write-Host "##vso[task.setvariable variable=ARM_USE_OIDC;isoutput=true]${env:ARM_USE_OIDC}"
         if ($env:ARM_USE_OIDC -ine 'true') {
-          Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnection)' is not using federation"
+          Write-Host "##vso[task.logissue type=warning]Skipping OIDC test because service connection '$(azureConnectionWIF)' is not using federation"
         }
       failOnStandardError: true
       workingDirectory: $(Build.ArtifactStagingDirectory)
@@ -81,11 +81,11 @@ jobs:
     displayName: 'Scripted with REST API'
     inputs:
       addSpnToEnvironment: true
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
-        Write-Host "Using Service Connection $(azureConnection)"
+        Write-Host "Using Service Connection $(azureConnectionWIF)"
         $(scriptDirectory)/set_terraform_azurerm_vars.ps1 -RequestNewToken -SystemAccessToken $(System.AccessToken)
         Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID;isoutput=true]${env:ARM_CLIENT_ID}"
@@ -120,7 +120,7 @@ jobs:
   - task: AzureCLI@2
     displayName: 'Inline script'
     inputs:
-      azureSubscription: '$(azureConnection)'
+      azureSubscription: '$(azureConnectionWIF)'
       scriptType: pscore
       scriptLocation: inlineScript
       inlineScript: |
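Review bot: `$(scriptDirectory)/set_terraform_azurerm_vars.ps1 -RequestNewToken -SystemAccessToken $(System.AccessToken)`, a context line this hunk keeps in the 'Scripted with REST API' task, macro-expands the job access token into the script body: `AzureCLI@2` runs an inline script from a temporary file on the agent, so the token sits on disk inside that file for the life of the step, and any diagnostic that echoes the failing statement (a PowerShell error record, `Set-PSDebug -Trace`) carries the literal value, independently of the log masking. Hand it over through the environment instead, which is the documented pattern for secrets in this task: add `env:` with `SYSTEM_ACCESSTOKEN: $(System.AccessToken)` to the task, and call the script with `-SystemAccessToken $env:SYSTEM_ACCESSTOKEN`. The task already relies on `addSpnToEnvironment: true` to expose the federated identity to the script, so passing the access token the same way keeps both credentials out of the script text. The inline script continues past the end of the hunk.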
@@ -160,4 +160,4 @@ jobs:
   - publish: $(Build.ArtifactStagingDirectory)
     displayName: 'Publish json files'
-    artifact: $(azureConnection)
+    artifact: $(azureConnectionWIF)