
feat: OIDC auth-type SERVICE_PRINCIPAL using msi + Entity type Environment - branch test #2792

Draft
wants to merge 20 commits into
base: main
Conversation

eriqua
Contributor

@eriqua eriqua commented Jul 23, 2024

Description

  • Tested backward compatibility.
    CI will continue to use Azure login with service principal + secrets (Azure creds) while OIDC is set up at repo level and in the target subscription.

  • Created OIDC MSI and granted permissions

  • Tested feature on all modules as per pipeline badges below

  • Implement OIDC exception list, allowing a subset of modules to temporarily leverage SPN + secret while their blocker gets investigated and fixed

    • Supporting OIDC
    • Exempted
  • Update AVM contribution guidelines

  • Testing new modules merged in the meantime

Pipeline Reference

Pipeline
avm.ptn.aca-lza.hosting-environment
avm.ptn.ai-platform.baseline
avm.ptn.authorization.policy-assignment
avm.ptn.authorization.resource-role-assignment
avm.ptn.authorization.role-assignment
avm.ptn.deployment-script.import-image-to-acr
avm.ptn.finops-toolkit.finops-hub
avm.ptn.lz.sub-vending --> (exception uses SPN+secrets)
avm.ptn.network.private-link-private-dns-zones
avm.ptn.policy-insights.remediation
avm.ptn.security.security-center
avm.res.aad.domain-service
avm.res.alerts-management.action-rule
avm.res.analysis-services.server
avm.res.api-management.service
avm.res.app-configuration.configuration-store
avm.res.app.container-app
avm.res.app.job
avm.res.app.managed-environment
avm.res.automation.automation-account
avm.res.batch.batch-account
avm.res.cache.redis
avm.res.cdn.profile
avm.res.cognitive-services.account
avm.res.communication.communication-service
avm.res.communication.email-service
avm.res.compute.availability-set
avm.res.compute.disk-encryption-set
avm.res.compute.disk --> (exception uses SPN+secrets)
avm.res.compute.gallery
avm.res.compute.image --> (exception uses SPN+secrets)
avm.res.compute.proximity-placement-group
avm.res.compute.ssh-public-key
avm.res.compute.virtual-machine-scale-set
avm.res.compute.virtual-machine
avm.res.consumption.budget
avm.res.container-instance.container-group
avm.res.container-registry.registry
avm.res.container-service.managed-cluster
avm.res.data-factory.factory
avm.res.data-protection.backup-vault
avm.res.databricks.access-connector
avm.res.databricks.workspace
avm.res.db-for-my-sql.flexible-server
avm.res.db-for-postgre-sql.flexible-server
avm.res.desktop-virtualization.application-group
avm.res.desktop-virtualization.host-pool
avm.res.desktop-virtualization.scaling-plan
avm.res.desktop-virtualization.workspace
avm.res.dev-test-lab.lab
avm.res.digital-twins.digital-twins-instance --> unrelated
avm.res.document-db.database-account
avm.res.event-grid.domain
avm.res.event-grid.namespace --> unrelated
avm.res.event-grid.system-topic
avm.res.event-grid.topic
avm.res.event-hub.namespace
avm.res.health-bot.health-bot
avm.res.healthcare-apis.workspace
avm.res.hybrid-compute.machine
avm.res.insights.action-group
avm.res.insights.activity-log-alert
avm.res.insights.component
avm.res.insights.data-collection-endpoint
avm.res.insights.data-collection-rule
avm.res.insights.diagnostic-setting
avm.res.insights.metric-alert
avm.res.insights.private-link-scope
avm.res.insights.scheduled-query-rule
avm.res.insights.webtest
avm.res.key-vault.vault
avm.res.kubernetes-configuration.extension
avm.res.kubernetes-configuration.flux-configuration
avm.res.kusto.cluster
avm.res.load-test-service.load-test
avm.res.logic.workflow
avm.res.machine-learning-services.workspace
avm.res.maintenance.maintenance-configuration
avm.res.managed-identity.user-assigned-identity
avm.res.managed-services.registration-definition
avm.res.management.management-group
avm.res.net-app.net-app-account
avm.res.network.application-gateway-web-application-firewall-policy
avm.res.network.application-gateway
avm.res.network.application-security-group
avm.res.network.azure-firewall
avm.res.network.bastion-host
avm.res.network.connection
avm.res.network.ddos-protection-plan
avm.res.network.dns-forwarding-ruleset
avm.res.network.dns-resolver
avm.res.network.dns-zone
avm.res.network.express-route-circuit
avm.res.network.express-route-gateway
avm.res.network.firewall-policy
avm.res.network.front-door-web-application-firewall-policy
avm.res.network.front-door
avm.res.network.ip-group
avm.res.network.load-balancer
avm.res.network.local-network-gateway
avm.res.network.nat-gateway
avm.res.network.network-interface
avm.res.network.network-manager
avm.res.network.network-security-group
avm.res.network.network-watcher
avm.res.network.private-dns-zone
avm.res.network.private-endpoint
avm.res.network.private-link-service
avm.res.network.public-ip-address
avm.res.network.public-ip-prefix
avm.res.network.route-table
avm.res.network.service-endpoint-policy
avm.res.network.trafficmanagerprofile
avm.res.network.virtual-hub
avm.res.network.virtual-network-gateway
avm.res.network.virtual-network
avm.res.network.virtual-wan
avm.res.network.vpn-gateway
avm.res.network.vpn-site
avm.res.operational-insights.workspace
avm.res.operations-management.solution
avm.res.portal.dashboard
avm.res.power-bi-dedicated.capacity --> unrelated
avm.res.purview.account
avm.res.recovery-services.vault
avm.res.relay.namespace
avm.res.resource-graph.query
avm.res.resources.deployment-script
avm.res.resources.resource-group
avm.res.search.search-service
avm.res.service-bus.namespace
avm.res.service-fabric.cluster
avm.res.signal-r-service.signal-r
avm.res.signal-r-service.web-pub-sub
avm.res.sql.instance-pool
avm.res.sql.managed-instance
avm.res.sql.server
avm.res.storage.storage-account
avm.res.synapse.private-link-hub
avm.res.synapse.workspace
avm.res.virtual-machine-images.image-template
avm.res.web.connection
avm.res.web.hosting-environment
avm.res.web.serverfarm
avm.res.web.site
avm.res.web.static-site
avm.utl.types.avm-common-types
avm.res.service-networking.traffic-controller
avm.res.network.vpn-server-configuration
avm.res.fabric.capacity
avm.res.document-db.mongo-cluster
avm.res.dev-ops-infrastructure.pool
avm.ptn.virtual-machine-images.azure-image-builder
avm.ptn.network.hub-networking
avm.ptn.dev-ops.cicd-agents-and-runners
avm.ptn.azd.acr-container-app
avm.ptn.azd.aks
avm.ptn.azd.apim-api
avm.ptn.data.private-analytical-workspace
avm.ptn.azd.container-app-upsert
avm.ptn.azd.container-apps-stack
avm.ptn.azd.insights-dashboard
avm.ptn.azd.ml-ai-environment
avm.ptn.azd.ml-hub-dependencies
avm.ptn.azd.ml-project
avm.ptn.azd.monitoring

Type of Change

  • Update to CI Environment or utilities (Non-module affecting changes)
  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
      • Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
      • The bug was found by the module author, and no one has opened an issue to report it yet.
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • I have run Set-AVMModule locally to generate the supporting module files.
  • My corresponding pipelines / checks run clean and green without any errors or warnings

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Jul 23, 2024
@eriqua eriqua self-assigned this Jul 23, 2024
Contributor

@AlexanderSehr AlexanderSehr left a comment


I guess we should update every pipeline that runs an Azure Login with the new parameters. I just saw that for example the deployment history cleanup workflow would need the same (but there may be more)

@matebarabas matebarabas added Needs: Core Team 🧞 This item needs the AVM Core Team to review it and removed Needs: Triage 🔍 Maintainers need to triage still labels Aug 6, 2024
@eriqua
Contributor Author

eriqua commented Aug 8, 2024

I guess we should update every pipeline that runs an Azure Login with the new parameters. I just saw that for example the deployment history cleanup workflow would need the same (but there may be more)

@AlexanderSehr the only other workflow to be updated is the cleanup deployments one (addressed already via another PR). All the others using azure login action are already using oidc, but with the publish credentials

@FallenHoot
Contributor

FallenHoot commented Nov 15, 2024

This is much needed, because using Service Principals is not best practice and strongly discouraged. --https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure#:~:text=Sign%20in%20with%20OpenID%20Connect%20using,principal%20and%20secret%20(Not%20recommended

Will be using this going forward. Huge thanks for getting this working. @eriqua . I did run into my own issues but found out I fat fingered :P.

As stated, it didn't work out of the box for me. I didn't want to change my secrets to use yours and kept them default.

# Kept the param names, but used the default secrets naming
  VALIDATE_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
  VALIDATE_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
  VALIDATE_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"

# It didn't work without adding the below
permissions:
  id-token: write
  contents: read
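The `id-token: write` permission above is what lets the job request a GitHub OIDC token; whether Entra ID then accepts that token for the managed identity depends entirely on the federated identity credential matching the token's issuer, subject and audience claims. The following is an added example, not code from this PR or from the bicep-registry-modules repository, that models that trust check for the "Entity type Environment" setup the PR uses. The organisation, repository and environment names are constructed placeholders; signature verification and JWKS fetching are intentionally left out so that only the claim matching is shown.

```python
"""Model of the trust check Entra ID performs when a GitHub Actions job
exchanges its OIDC token for a managed-identity token.

Added example (not from the PR or the bicep-registry-modules repo). The
federated credential values and token claims below are constructed to
mirror a repo-level OIDC setup with entity type "Environment"; the org,
repo and environment names are placeholders. Signature validation is out
of scope: only the claim matching a federated identity credential
expresses is shown.
"""
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Default audience requested by the azure/login action.
AZURE_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class FederatedCredential:
    """What a federated identity credential records on the user-assigned MSI."""
    issuer: str
    subject: str
    audiences: tuple = (AZURE_AUDIENCE,)


def environment_subject(owner: str, repo: str, environment: str) -> str:
    """Subject claim GitHub emits for a job bound to a repository environment
    (entity type "Environment" in the Entra portal)."""
    return f"repo:{owner}/{repo}:environment:{environment}"


def branch_subject(owner: str, repo: str, branch: str) -> str:
    """Subject claim for a job on a branch push with no environment (entity type "Branch")."""
    return f"repo:{owner}/{repo}:ref:refs/heads/{branch}"


def token_accepted(claims: dict, cred: FederatedCredential) -> tuple:
    """Return (accepted, reason). iss, sub and aud must all match exactly; there is
    no wildcarding, which is what makes the Environment entity type a hard boundary
    between, say, a validation job and a production job in the same repo."""
    if claims.get("iss") != cred.issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in cred.audiences for a in auds):
        return False, "audience mismatch"
    if claims.get("sub") != cred.subject:
        return False, f"subject mismatch: {claims.get('sub')!r}"
    return True, "ok"


def make_claims(sub: str, aud: str = AZURE_AUDIENCE, iss: str = GITHUB_ISSUER) -> dict:
    """Constructed GitHub OIDC payload carrying only the claims used in the trust decision."""
    return {"iss": iss, "sub": sub, "aud": aud, "repository": sub.split(":")[1]}


# Constructed credential mirroring the PR's setup: the MSI trusts only jobs
# that run against the "avm-validation" environment of one repository.
VALIDATION_CRED = FederatedCredential(
    issuer=GITHUB_ISSUER,
    subject=environment_subject("example-org", "example-repo", "avm-validation"),
)


def demo() -> dict:
    """Run the check against a few constructed tokens; returns name -> accepted."""
    ok_sub = environment_subject("example-org", "example-repo", "avm-validation")
    cases = {
        "environment job": make_claims(ok_sub),
        "other environment": make_claims(
            environment_subject("example-org", "example-repo", "production")),
        "branch job, no environment": make_claims(
            branch_subject("example-org", "example-repo", "main")),
        "forked repo": make_claims(
            environment_subject("someone-else", "example-repo", "avm-validation")),
        "wrong audience": make_claims(ok_sub, aud="https://github.com/example-org"),
    }
    results = {}
    for name, claims in cases.items():
        accepted, reason = token_accepted(claims, VALIDATION_CRED)
        results[name] = accepted
        print(f"{name:28s} -> {'accepted' if accepted else 'rejected'} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

Only the first case is accepted: a token minted for another environment, for a plain branch run, or from a fork with the same repository name carries a different `sub` and is rejected, and a token requested with a non-default audience is rejected before the subject is even compared. The module exception list in this PR therefore keeps SPN + secret only for modules whose jobs cannot yet obtain a matching token.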

@jtracey93
Contributor

Hey @eriqua ,

Firstly, thanks for your work on this PR!

We have made some changes to the AVM CI, detailed below, which means we need you to update your fork to pull in these latest changes and re-run your tests to show they still pass prior to approving and merging this PR. If we don't and it fails once merged, the publishing of your module will fail and will be blocked going forward until the tests pass again via additional PRs.

Changes to CI That Have Been Made That You Need To Take Action On

Any questions reach out to the AVM Core Team by tagging us in your PR here or internally via Teams

Thanks

Jack (AVM Core Team)

Labels
Needs: Core Team 🧞 This item needs the AVM Core Team to review it Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: CI 🚀 This issue is related to the AVM CI