Update Azure Pipelines for workload identity federation (Azure#138)

* Added ARM_SERVICE_CONNECTION - updated vars.yml * Support federated credentials - updated sharedSteps.yml * Forgot azurePowerShellVersion - updated sharedSteps.yml * Update Logic * Update Link --------- Co-authored-by: Jesper Fajers <jesper@fajers.se>
Jefajers · Nov 21, 2023 · 71e7858 · 71e7858
1 parent 02b5edc
commit 71e7858
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 13 deletions.
diff --git a/.github/workflows/pull.yml b/.github/workflows/pull.yml
@@ -135,7 +135,7 @@ jobs:
 
     #
     # Environment if using Federated Credentials 
-    # https://github.com/azure/azops/wiki/github-oidc
+    # https://github.com/azure/azops/wiki/oidc
     #
 
     # environment: prod 

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -59,7 +59,7 @@ jobs:
 
     #
     # Environment if using Federated Credentials 
-    # https://github.com/azure/azops/wiki/github-oidc
+    # https://github.com/azure/azops/wiki/oidc
     #
 
     # environment: prod 

diff --git a/.github/workflows/redeploy.yml b/.github/workflows/redeploy.yml
@@ -77,7 +77,7 @@ jobs:
 
     #
     # Environment if using Federated Credentials 
-    # https://github.com/azure/azops/wiki/github-oidc
+    # https://github.com/azure/azops/wiki/oidc
     #
 
     # environment: prod 

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -53,7 +53,7 @@ jobs:
 
     #
     # Environment if using Federated Credentials 
-    # https://github.com/azure/azops/wiki/github-oidc
+    # https://github.com/azure/azops/wiki/oidc
     #
 
     # environment: prod 

diff --git a/.pipelines/.templates/sharedSteps.yml b/.pipelines/.templates/sharedSteps.yml
@@ -62,31 +62,57 @@ steps:
         }
         Save-Module @params
 
+  #
+  # Federated Identity
+  # Get access token
+  #
+
+  - task: AzurePowerShell@5
+    displayName: "Access token"
+    condition: ne(variables['ARM_SERVICE_CONNECTION'], '')
+    inputs:
+      azureSubscription: $(ARM_SERVICE_CONNECTION)
+      azurePowerShellVersion: 'LatestVersion'
+      pwsh: true
+      scriptType: 'InlineScript'
+      inline: |
+        $token = Get-AzAccessToken -ResourceTypeName MSGraph
+        Write-Host "##vso[task.setvariable variable=ARM_ACCESS_TOKEN;isSecret=true]$($token.Token)"
+
   #
   # Connect
   # Authenticate Azure context
   # If no value is set for ARM_CLIENT_ID connect will try
-  # to use a Managed Identity. 
+  # to use a Managed Identity.
   #
 
   - task: PowerShell@2
     displayName: "Connect"
     env:
       ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET)
+      ARM_ACCESS_TOKEN: $(ARM_ACCESS_TOKEN)
     inputs:
       targetType: "inline"
       script: |
-        $Env:PSModulePath = $Env:PSModulePath, '$(modulesFolder)' -join [IO.Path]::PathSeparator  
+        $Env:PSModulePath = $Env:PSModulePath, '$(modulesFolder)' -join [IO.Path]::PathSeparator
         $azParams = @{
           SubscriptionId    = '$(ARM_SUBSCRIPTION_ID)'
           TenantId          = '$(ARM_TENANT_ID)'
         }
         if ('$(ARM_ENVIRONMENT)' -in (Get-AzEnvironment).Name) {
           $azParams.Environment = '$(ARM_ENVIRONMENT)'
         }
-        if('$(ARM_CLIENT_ID)') {
-          $azParams.credential = (New-Object PSCredential -ArgumentList '$(ARM_CLIENT_ID)', (ConvertTo-SecureString -String $Env:ARM_CLIENT_SECRET -AsPlainText -Force))
+        # Use Service Principal if ARM_CLIENT_ID is set
+        if($Env:ARM_CLIENT_ID -ne $null) {
+          # Use federated credentials if token and no secret exists
+          # A U+200B ZERO WIDTH SPACE is inserted between dollar and parentheses to ensure literal comparison of ne and eq
+          if ($Env:ARM_ACCESS_TOKEN -ne '$(ARM_ACCESS_TOKEN)' -and $Env:ARM_CLIENT_SECRET -eq '$(ARM_CLIENT_SECRET)') {
+            $azParams.ApplicationId = '$(ARM_CLIENT_ID)'
+            $azParams.FederatedToken = '$Env:ARM_ACCESS_TOKEN'
+          } else {
+            $azParams.credential = (New-Object PSCredential -ArgumentList '$(ARM_CLIENT_ID)', (ConvertTo-SecureString -String $Env:ARM_CLIENT_SECRET -AsPlainText -Force))
+          }
           Connect-AzAccount -ServicePrincipal @azParams
-        } else {        
+        } else {
           Connect-AzAccount -Identity @azParams
         }
diff --git a/.pipelines/.templates/vars.yml b/.pipelines/.templates/vars.yml
@@ -8,6 +8,10 @@ variables:
   # Set ARM_ENVIRONMENT to the Azure Environment you wish to use.
   # Valid values are: AzureCloud, AzureChinaCloud, AzureUSGovernment
   #
+  # Set ARM_SERVICE_CONNECTION to the name of the service connection
+  # that has been setup to use federated identity. In this case you also
+  # need to leave ARM_CLIENT_SECRET empty.
+  #
   # Set AZOPS_MODULE_VERSION to the desired version of the 
   # AzOps Module to enable version pinning. No value will cache the latest release.
   #
@@ -21,13 +25,14 @@ variables:
   # - ARM_CLIENT_ID
   # - ARM_CLIENT_SECRET
   # - ARM_ENVIRONMENT
-  # - AZOPS_MODULE_VERSION   
-  # - AZOPS_CUSTOM_SORT_ORDER 
+  # - ARM_SERVICE_CONNECTION
+  # - AZOPS_MODULE_VERSION
+  # - AZOPS_CUSTOM_SORT_ORDER
   #
 
   - group: credentials
   - group: azops
-  
+
   #
   # modulesFolder
   # To enable caching of PowerShell modules between
@@ -36,4 +41,4 @@ variables:
   #
 
   - name: modulesFolder
-    value: '$(System.DefaultWorkingDirectory)/Modules'
+    value: '$(System.DefaultWorkingDirectory)/Modules'