feat: OIDC auth-type SERVICE_PRINCIPAL using msi + Entity type Environment - branch test #2792
base: main
Conversation
I guess we should update every pipeline that runs an Azure Login with the new parameters. I just saw that for example the deployment history cleanup workflow would need the same (but there may be more)
@AlexanderSehr the only other workflow to be updated is the cleanup deployments one (addressed already via another PR). All the others using the azure login action are already using OIDC, but with the publish credentials.
This is much needed, because using Service Principals is not best practice and strongly discouraged. --https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure#:~:text=Sign%20in%20with%20OpenID%20Connect%20using,principal%20and%20secret%20(Not%20recommended Will be using this going forward. Huge thanks for getting this working. @eriqua . I did run into my own issues but found out I fat fingered :P. As stated, it didn't work out of the box for me. I didn't want to change my secrets to use yours and kept them default.
Hey @eriqua, firstly, thanks for your work on this PR! We have made some changes to the AVM CI, detailed below, which means we need you to update your fork to pull in these latest changes and re-run your tests to show they are still passing prior to approving and merging this PR. If we don't and it fails once merged, the publishing of your module will fail and will be blocked going forward until the tests pass again via additional PRs.
Changes to CI That Have Been Made That You Need To Take Action On
Any questions, reach out to the AVM Core Team by tagging us in your PR here or internally via Teams. Thanks, Jack (AVM Core Team)
Description
Tested backward compatibility.
CI will continue to use Azure login with service principal + secrets (Azure creds) while OIDC is set up at repo level and in the target subscription.
Created OIDC MSI and granted permissions
Tested feature on all modules as per pipeline badges below
Implemented an OIDC exception list, allowing a subset of modules to temporarily leverage SPN + secret while their blocker is investigated and fixed
Updated AVM contribution guidelines
Testing new modules merged in the meantime
Pipeline Reference
Type of Change
version.json
Checklist
Set-AVMModule locally to generate the supporting module files.
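The login shape this PR describes (OIDC via a user-assigned managed identity with a federated credential of entity type "Environment", auth-type SERVICE_PRINCIPAL, plus the exception list that keeps a few modules on SPN + secret until their blocker is fixed), as an added illustrative workflow that is not the AVM repository's own CI code. The environment name `avm-validation`, the secret names `VALIDATE_CLIENT_ID` / `VALIDATE_TENANT_ID` / `VALIDATE_SUBSCRIPTION_ID`, the repository variable `OIDC_EXCEPTION_LIST` and the module path `avm/res/example/module` are all assumed placeholders; `AZURE_CREDENTIALS` is the conventional default secret name for the legacy JSON credentials blob. The `auth-type`, `client-id`, `tenant-id`, `subscription-id` and `creds` inputs are real inputs of azure/login.

```yaml
name: avm.res.example.module   # assumed workflow name
on:
  workflow_dispatch:

# OIDC requires permission to request the GitHub-issued ID token;
# the secret-based path does not need it, but granting it is harmless.
permissions:
  id-token: write
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    # Federated credential entity type "Environment": the token subject is
    # repo:<org>/<repo>:environment:<name>, so the job must run under that
    # exact environment name or Entra rejects the token. Name is assumed.
    environment: avm-validation
    steps:
      - uses: actions/checkout@v4

      # Preferred path: OIDC. No long-lived secret exists; client-id is the
      # application (client) ID of the user-assigned managed identity, and
      # the short-lived ID token is exchanged for an Entra access token.
      - name: Azure login (OIDC, managed identity)
        if: ${{ !contains(vars.OIDC_EXCEPTION_LIST, 'avm/res/example/module') }}
        uses: azure/login@v2
        with:
          auth-type: SERVICE_PRINCIPAL
          client-id: ${{ secrets.VALIDATE_CLIENT_ID }}
          tenant-id: ${{ secrets.VALIDATE_TENANT_ID }}
          subscription-id: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}

      # Exception-list fallback: legacy SPN + client secret stored as a JSON
      # blob. The secret is long-lived and valid from anywhere, which is why
      # this path is meant to be temporary per module.
      - name: Azure login (legacy service principal secret)
        if: ${{ contains(vars.OIDC_EXCEPTION_LIST, 'avm/res/example/module') }}
        uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
```

The two `if:` guards are mutually exclusive, so exactly one login step runs per job. Keeping the exception list in a repository variable rather than in the workflow file lets a module be moved back to OIDC without a code change, and a review of that variable is a quick way to see which modules still depend on a stored secret.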