diff --git a/.github/actions/templates/avm-validateModuleDeployment/action.yml b/.github/actions/templates/avm-validateModuleDeployment/action.yml
index 715a2f642b..6fcf5b1224 100644
--- a/.github/actions/templates/avm-validateModuleDeployment/action.yml
+++ b/.github/actions/templates/avm-validateModuleDeployment/action.yml
@@ -59,7 +59,51 @@ inputs:
 runs:
 using: "composite"
 steps:
- - name: Azure Login
+ # [Azure login] task(s)
+ # ------------------------------
+ - name: "Set OIDC temporary exception"
+ id: set-oidc-exception
+ uses: azure/powershell@v2
+ with:
+ azPSVersion: "latest"
+ inlineScript: |
+ # Grouping task logs
+ Write-Output '::group::Set OIDC exception'
+
+ # List of modules requiring more that 1 hour to deploy and delete resources
+ $modulePath = "${{ inputs.modulePath }}"
+ $exceptionModulePaths = @(
+ 'avm/ptn/lz/sub-vending' # Requires additional OIDC MSI permissions
+ 'avm/res/compute/image' # Failing on resource deletion when trying to delete RBAC at subscription level
+ 'avm/res/compute/disk' # Failing on resource deletion when trying to delete RBAC at subscription level
+ )
+ if ($exceptionModulePaths.Contains($modulePath)) {
+ $oidcException = 'true'
+ Write-Verbose ('The module [{0}] is in the list of modules temporarily requiring an exception to OIDC.' -f $modulePath) -Verbose
+ } else {
+ $oidcException = 'false'
+ Write-Verbose ('The module [{0}] supports OIDC.'
-f $modulePath) -Verbose
+ }
+
+ Write-Output ('{0}={1}' -f 'oidcException', $oidcException) >> $env:GITHUB_OUTPUT
+ Write-Output '::endgroup::'
+
+ # Default: support both OIDC and service principal with secret
+ # 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
+ - name: "Azure Login - Default"
+ if: ${{ steps.set-oidc-exception.outputs.oidcException == 'false' }}
+ uses: azure/login@v2
+ with:
+ creds: ${{ env.AZURE_CREDENTIALS }}
+ client-id: ${{ env.VALIDATE_CLIENT_ID }}
+ tenant-id: ${{ env.VALIDATE_TENANT_ID }}
+ subscription-id: ${{ env.VALIDATE_SUBSCRIPTION_ID }}
+ enable-AzPSSession: true
+
+ # Exception: module requires login by using service principal with secret
+ # Should only be leveraged by modules listed in $exceptionModulePaths above
+ - name: "Azure Login - Exception"
+ if: ${{ steps.set-oidc-exception.outputs.oidcException == 'true' }}
 uses: azure/login@v2
 with:
 creds: ${{ env.AZURE_CREDENTIALS }}
@@ -410,6 +454,7 @@ runs:
 Write-Verbose 'Found no Pester test files (*.test.ps1) in test folder' -Verbose
 Write-Output ('{0}={1}' -f 'formattedPesterResultsPath', '') >> $env:GITHUB_OUTPUT
 }
+
 - name: "Output to GitHub job summaries"
 if: steps.pester_run_step.outputs.formattedPesterResultsPath != ''
 shell: pwsh
diff --git a/.github/workflows/avm.template.module.yml b/.github/workflows/avm.template.module.yml
index 4df961c68e..3fcb5f96d4 100644
--- a/.github/workflows/avm.template.module.yml
+++ b/.github/workflows/avm.template.module.yml
@@ -21,9 +21,9 @@ on:
 required: true
 env:
+ # Used for token replacement steps in both PSRule and deployment validation
 ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
 ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}"
- ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"
 TOKEN_NAMEPREFIX: "${{ secrets.TOKEN_NAMEPREFIX }}"
 CI_KEY_VAULT_NAME: "${{ vars.CI_KEY_VAULT_NAME }}"
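Review bot: `$modulePath = "${{ inputs.modulePath }}"` in the `Set OIDC temporary exception` step splices the action input into the PowerShell source of `inlineScript`, so it is evaluated as code rather than handled as data; unless `modulePath` can only originate from repository-controlled workflow configuration, pass it through the step's `env:` (`MODULE_PATH: ${{ inputs.modulePath }}`) and read it as `$modulePath = $env:MODULE_PATH`. `$exceptionModulePaths.Contains($modulePath)` is an exact, case-sensitive comparison, so a path that differs only in casing or a trailing slash silently takes the OIDC branch; the `-contains` operator is the case-insensitive form if that leniency is intended. The list comment `# List of modules requiring more that 1 hour to deploy and delete resources` has a typo (`than`) and no longer matches the per-entry reasons (OIDC MSI permissions, RBAC deletion failures) — `# Modules temporarily exempt from OIDC login; see the reason on each entry` would be accurate. The `with:` block of `Azure Login - Exception` continues past the end of the hunk.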
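Review bot: `ARM_TENANT_ID` is removed from the workflow-level `env:` while the comment added two lines above states these values feed the token replacement steps; if any test file or token map still references the tenant token, it now renders as an empty string instead of failing the job. The replacement is presumably `VALIDATE_TENANT_ID` from the job-level env further down, but the token list itself is not visible in this diff — confirm it was updated in the same change.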
@@ -99,6 +99,7 @@ jobs:
 #############################
 job_module_deploy_validation: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
 name: "Deploy [${{ matrix.testCases.name}}]"
+ environment: avm-validation
 runs-on: ubuntu-latest
 if: |
 !cancelled() &&
@@ -133,6 +134,9 @@ jobs:
 customLocation: "${{ fromJson(inputs.workflowInput).customLocation }}"
 env:
 AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+ VALIDATE_CLIENT_ID: ${{ secrets.VALIDATE_CLIENT_ID }}
+ VALIDATE_SUBSCRIPTION_ID: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
+ VALIDATE_TENANT_ID: ${{ secrets.VALIDATE_TENANT_ID }}
 ##################
 # Publishing #
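Review bot: `environment: avm-validation` on `job_module_deploy_validation` carries no comment explaining the binding, although the job now depends on it for the `VALIDATE_*` secrets added further down in this file and, presumably, for an environment-scoped federated credential; `# Deployment environment that holds the VALIDATE_* secrets and that the OIDC federated credential is scoped to` would make that explicit. If the Entra federated credential is configured with a branch- rather than environment-scoped subject, the OIDC login will fail on subject mismatch — not verifiable from this diff.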
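Review bot: the three `VALIDATE_*` entries are unquoted while the other secret-backed values in this workflow's `env:` (`ARM_SUBSCRIPTION_ID`, `ARM_MGMTGROUP_ID`, `TOKEN_NAMEPREFIX`) are written as `"${{ … }}"`; `VALIDATE_CLIENT_ID: "${{ secrets.VALIDATE_CLIENT_ID }}"` (and likewise for the other two) keeps the file consistent. The OIDC login these values feed also needs `id-token: write` in the job's `permissions:`; that block is not in this hunk, so confirm it is granted at job or workflow level, otherwise `azure/login@v2` cannot obtain the token. `AZURE_CREDENTIALS` is still passed to every deploy job alongside the OIDC values, so the client secret remains exposed to the job even when OIDC succeeds; once the exception list in action.yml is empty it can be dropped here to complete the migration.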