az login exception

Azure · Sep 5, 2024 · 363063c · 363063c
1 parent d4ef1c3
commit 363063c
Showing 1 changed file with 39 additions and 39 deletions.
diff --git a/.github/actions/templates/avm-validateModuleDeployment/action.yml b/.github/actions/templates/avm-validateModuleDeployment/action.yml
@@ -61,9 +61,37 @@ runs:
  steps:
  # [Azure login] task(s)
  # ------------------------------
- # Supports both OIDC and service principal with secret
+ - name: "Set OIDC temporary exception"
+ id: set-oidc-exception
+ uses: azure/powershell@v2
+ with:
+ azPSVersion: "latest"
+ inlineScript: |
+ # Grouping task logs
+ Write-Output '::group::Set OIDC exception'
+
+ # List of modules requiring more that 1 hour to deploy and delete resources
+ $modulePath = "${{ inputs.modulePath }}"
+ $exceptionModulePaths = @(
+ 'avm/ptn/lz/sub-vending' # Requires additional OIDC MSI permissions
+ 'avm/res/compute/image' # Failing on resource deletion when trying to delete RBAC at subscription level
+ 'avm/res/compute/disk' # Failing on resource deletion when trying to delete RBAC at subscription level
+ )
+ if ($exceptionModulePaths.Contains($modulePath)) {
+ $oidcException = 'true'
+ Write-Verbose ('The module [{0}] is in the list of modules temporarily requiring an exception to OIDC.' -f $modulePath) -Verbose
+ } else {
+ $oidcException = 'false'
+ Write-Verbose ('The module [{0}] supports OIDC.' -f $modulePath) -Verbose
+ }
+
+ Write-Output ('{0}={1}' -f 'oidcException', $oidcException) >> $env:GITHUB_OUTPUT
+ Write-Output '::endgroup::'
+
+ # Default: support both OIDC and service principal with secret
  # 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
- - name: Azure Login
+ - name: "Azure Login - Default"
+ if: ${{ steps.set-oidc-exception.outputs.oidcException == 'false' }}
  uses: azure/login@v2
  with:
  creds: ${{ env.AZURE_CREDENTIALS }}
@@ -72,6 +100,15 @@ runs:
  subscription-id: ${{ env.VALIDATE_SUBSCRIPTION_ID }}
  enable-AzPSSession: true
 
+ # Exception: module requires login by using service principal with secret
+ # Should only be leveraged by modules listed in $exceptionModulePaths above
+ - name: "Azure Login - Exception"
+ if: ${{ steps.set-oidc-exception.outputs.oidcException == 'true' }}
+ uses: azure/login@v2
+ with:
+ creds: ${{ env.AZURE_CREDENTIALS }}
+ enable-AzPSSession: true
+
  # [Set Deployment Location] task(s)
  # ---------------------------
  - name: "Get Resource Location"
@@ -215,7 +252,6 @@ runs:
  AdditionalParameters = @{}
  }
 
- # Add custom parameters as needed
  if($moduleTemplatePossibleParameters -contains 'resourceLocation') {
  $functionInput.AdditionalParameters += @{
  resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}'
@@ -227,24 +263,6 @@ runs:
  }
  }
 
- # Fetch & add custom secrets, if any
- # -----------------------------------
- $keyVaultName = "${{ env.CI_KEY_VAULT_NAME }}"
- if(-not [String]::IsNullOrEmpty($keyVaultName)) {
- # Note: This action requires at least 'Key Vault Secrets User' permissions
- $customKeyVaultSecrets = Get-AzKeyVaultSecret -VaultName $keyVaultName | Where-Object { $_.Name -match '^CI-.+' }
-
- foreach($customSecret in $customKeyVaultSecrets) {
- $formattedName = $customSecret.Name -replace '^CI-' # e.g. 'CI-mySecret' -> 'mySecret'
- if($moduleTemplatePossibleParameters -contains $formattedName) {
- Write-Verbose ('Setting value for parameter [{0}]' -f $formattedName) -Verbose
- $functionInput.AdditionalParameters += @{
- $formattedName = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $customSecret.Name).SecretValue
- }
- }
- }
- }
-
  Write-Verbose 'Invoke task with' -Verbose
  Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
 
@@ -306,24 +324,6 @@ runs:
  }
  }
 
- # Fetch & add custom secrets, if any
- # -----------------------------------
- $keyVaultName = "${{ env.CI_KEY_VAULT_NAME }}"
- if(-not [String]::IsNullOrEmpty($keyVaultName)) {
- # Note: This action requires at least 'Key Vault Secrets User' permissions
- $customKeyVaultSecrets = Get-AzKeyVaultSecret -VaultName $keyVaultName | Where-Object { $_.Name -match '^CI-.+' }
-
- foreach($customSecret in $customKeyVaultSecrets) {
- $formattedName = $customSecret.Name -replace '^CI-' # e.g. 'CI-mySecret' -> 'mySecret'
- if($moduleTemplatePossibleParameters -contains $formattedName) {
- Write-Verbose ('Setting value for parameter [{0}]' -f $formattedName) -Verbose
- $functionInput.AdditionalParameters += @{
- $formattedName = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $customSecret.Name).SecretValue
- }
- }
- }
- }
-
  Write-Verbose 'Invoke task with' -Verbose
  Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose