Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: OIDC auth-type SERVICE_PRINCIPAL using msi + Entity type Environment - branch test #2792

Draft
wants to merge 15 commits into
base: main
Choose a base branch
from
Draft

feat: OIDC auth-type SERVICE_PRINCIPAL using msi + Entity type Environment - branch test #2792

wants to merge 15 commits into from

Conversation

eriqua
Copy link
Contributor

@eriqua eriqua commented Jul 23, 2024
edited
Loading

Description

  • Tested backward compatibility.
    CI will continue to use Azure login with service principal + secrets (Azure creds) meanwhile OIDC is set up at repo level and in target subscription.
    image
  • Created OIDC MSI and granted permissions
  • Tested feature on all modules as per pipeline badges below
  • Implement OIDC exception list, allowing a subset of modules to temporarily leverage SPN + secret meanwhile their blocker gets investigated and fixed
    • Supporting OIDC
      image
      image
    • Exempted
      image
  • Update AVM contribution guidelines

Pipeline Reference

Pipeline
avm.ptn.aca-lza.hosting-environment
avm.ptn.ai-platform.baseline
avm.ptn.authorization.policy-assignment
avm.ptn.authorization.resource-role-assignment
avm.ptn.authorization.role-assignment
avm.ptn.deployment-script.import-image-to-acr
avm.ptn.finops-toolkit.finops-hub
avm.ptn.lz.sub-vending --> (exception uses SPN+secrets)
avm.ptn.network.private-link-private-dns-zones
avm.ptn.policy-insights.remediation
avm.ptn.security.security-center
avm.res.aad.domain-service
avm.res.alerts-management.action-rule
avm.res.analysis-services.server
avm.res.api-management.service
avm.res.app-configuration.configuration-store
avm.res.app.container-app
avm.res.app.job
avm.res.app.managed-environment
avm.res.automation.automation-account
avm.res.batch.batch-account
avm.res.cache.redis
avm.res.cdn.profile
avm.res.cognitive-services.account
avm.res.communication.communication-service
avm.res.communication.email-service
avm.res.compute.availability-set
avm.res.compute.disk-encryption-set
avm.res.compute.disk --> (exception uses SPN+secrets)
avm.res.compute.gallery
avm.res.compute.image --> (exception uses SPN+secrets)
avm.res.compute.proximity-placement-group
avm.res.compute.ssh-public-key
avm.res.compute.virtual-machine-scale-set
avm.res.compute.virtual-machine
avm.res.consumption.budget
avm.res.container-instance.container-group
avm.res.container-registry.registry
avm.res.container-service.managed-cluster
avm.res.data-factory.factory
avm.res.data-protection.backup-vault
avm.res.databricks.access-connector
avm.res.databricks.workspace
avm.res.db-for-my-sql.flexible-server
avm.res.db-for-postgre-sql.flexible-server
avm.res.desktop-virtualization.application-group
avm.res.desktop-virtualization.host-pool
avm.res.desktop-virtualization.scaling-plan
avm.res.desktop-virtualization.workspace
avm.res.dev-test-lab.lab
avm.res.digital-twins.digital-twins-instance --> unrelated
avm.res.document-db.database-account
avm.res.event-grid.domain
avm.res.event-grid.namespace --> unrelated
avm.res.event-grid.system-topic
avm.res.event-grid.topic
avm.res.event-hub.namespace
avm.res.health-bot.health-bot
avm.res.healthcare-apis.workspace
avm.res.hybrid-compute.machine
avm.res.insights.action-group
avm.res.insights.activity-log-alert
avm.res.insights.component
avm.res.insights.data-collection-endpoint
avm.res.insights.data-collection-rule
avm.res.insights.diagnostic-setting
avm.res.insights.metric-alert
avm.res.insights.private-link-scope
avm.res.insights.scheduled-query-rule
avm.res.insights.webtest
avm.res.key-vault.vault
avm.res.kubernetes-configuration.extension
avm.res.kubernetes-configuration.flux-configuration
avm.res.kusto.cluster
avm.res.load-test-service.load-test
avm.res.logic.workflow
avm.res.machine-learning-services.workspace
avm.res.maintenance.maintenance-configuration
avm.res.managed-identity.user-assigned-identity
avm.res.managed-services.registration-definition
avm.res.management.management-group
avm.res.net-app.net-app-account
avm.res.network.application-gateway-web-application-firewall-policy
avm.res.network.application-gateway
avm.res.network.application-security-group
avm.res.network.azure-firewall
avm.res.network.bastion-host
avm.res.network.connection
avm.res.network.ddos-protection-plan
avm.res.network.dns-forwarding-ruleset
avm.res.network.dns-resolver
avm.res.network.dns-zone
avm.res.network.express-route-circuit
avm.res.network.express-route-gateway
avm.res.network.firewall-policy
avm.res.network.front-door-web-application-firewall-policy
avm.res.network.front-door
avm.res.network.ip-group
avm.res.network.load-balancer
avm.res.network.local-network-gateway
avm.res.network.nat-gateway
avm.res.network.network-interface
avm.res.network.network-manager
avm.res.network.network-security-group
avm.res.network.network-watcher
avm.res.network.private-dns-zone
avm.res.network.private-endpoint
avm.res.network.private-link-service
avm.res.network.public-ip-address
avm.res.network.public-ip-prefix
avm.res.network.route-table
avm.res.network.service-endpoint-policy
avm.res.network.trafficmanagerprofile
avm.res.network.virtual-hub
avm.res.network.virtual-network-gateway
avm.res.network.virtual-network
avm.res.network.virtual-wan
avm.res.network.vpn-gateway
avm.res.network.vpn-site
avm.res.operational-insights.workspace
avm.res.operations-management.solution
avm.res.portal.dashboard
avm.res.power-bi-dedicated.capacity --> unrelated
avm.res.purview.account
avm.res.recovery-services.vault
avm.res.relay.namespace
avm.res.resource-graph.query
avm.res.resources.deployment-script
avm.res.resources.resource-group
avm.res.search.search-service
avm.res.service-bus.namespace
avm.res.service-fabric.cluster
avm.res.signal-r-service.signal-r
avm.res.signal-r-service.web-pub-sub
avm.res.sql.instance-pool
avm.res.sql.managed-instance
avm.res.sql.server
avm.res.storage.storage-account
avm.res.synapse.private-link-hub
avm.res.synapse.workspace
avm.res.virtual-machine-images.image-template
avm.res.web.connection
avm.res.web.hosting-environment
avm.res.web.serverfarm
avm.res.web.site
avm.res.web.static-site

Type of Change

  • Update to CI Environment or utilities (Non-module affecting changes)
  • Azure Verified Module updates:
    • Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in version.json:
      • Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
      • The bug was found by the module author, and no one has opened an issue to report it yet.
    • Feature update backwards compatible feature updates, and I have bumped the MINOR version in version.json.
    • Breaking changes and I have bumped the MAJOR version in version.json.
    • Update to documentation

Checklist

  • I'm sure there are no other open Pull Requests for the same update/change
  • I have run Set-AVMModule locally to generate the supporting module files.
  • My corresponding pipelines / checks run clean and green without any errors or warnings

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Triage 🔍 Maintainers need to triage still Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue labels Jul 23, 2024
@eriqua eriqua self-assigned this Jul 23, 2024
AlexanderSehr
AlexanderSehr requested changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@AlexanderSehr AlexanderSehr left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we should update every pipeline that runs an Azure Login with the new parameters. I just saw that for example the deployment history cleanup workflow would need the same (but there may be more)

@matebarabas matebarabas added Needs: Core Team 🧞 This item needs the AVM Core Team to review it and removed Needs: Triage 🔍 Maintainers need to triage still labels Aug 6, 2024
@eriqua
Copy link
Contributor Author

eriqua commented Aug 8, 2024
edited
Loading

I guess we should update every pipeline that runs an Azure Login with the new parameters. I just saw that for example the deployment history cleanup workflow would need the same (but there may be more)

@AlexanderSehr the only other workflow to be updated is the cleanup deployments one (addressed already via another PR). All the others using azure login action are already using oidc, but with the publish credentials

@eriqua eriqua marked this pull request as ready for review September 5, 2024 17:42
@eriqua eriqua marked this pull request as draft September 5, 2024 17:43
@AlexanderSehr AlexanderSehr mentioned this pull request Sep 8, 2024
Merged
11 tasks
This was referenced Sep 27, 2024
Closed
Closed
@eriqua eriqua added the Type: CI 🚀 This issue is related to the AVM CI label Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexanderSehr AlexanderSehr Awaiting requested review from AlexanderSehr

Requested changes must be addressed to merge this pull request.

Assignees

@eriqua eriqua

Labels
Needs: Core Team 🧞 This item needs the AVM Core Team to review it Type: AVM 🅰️ ✌️ Ⓜ️ This is an AVM related issue Type: CI 🚀 This issue is related to the AVM CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eriqua @AlexanderSehr @matebarabas