feat: OIDC auth-type SERVICE_PRINCIPAL using msi + Entity type Environment - branch test

.github/actions/templates/avm-validateModuleDeployment/action.yml

@@ -59,7 +59,52 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Azure Login
+    # [Azure login] task(s)
+    # ------------------------------
+    - name: "Set OIDC temporary exception"
+      id: set-oidc-exception
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+          # Grouping task logs
+          Write-Output '::group::Set OIDC exception'
+
+          # List of modules requiring more that 1 hour to deploy and delete resources
+          $modulePath = "${{ inputs.modulePath }}"
+          $exceptionModulePaths = @(
+            'avm/ptn/lz/sub-vending'                             # Requires additional OIDC MSI permissions
+            'avm/res/compute/image'                              # Failing on resource deletion when trying to delete RBAC at subscription level
+            'avm/res/compute/disk'                               # Failing on resource deletion when trying to delete RBAC at subscription level
+            'avm/ptn/virtual-machine-images/azure-image-builder' # Failing on resource deletion when trying to delete RBAC at subscription level
+          )
+          if ($exceptionModulePaths.Contains($modulePath)) {
+            $oidcException = 'true'
+            Write-Verbose ('The module [{0}] is in the list of modules temporarily requiring an exception to OIDC.' -f $modulePath) -Verbose
+          } else {
+            $oidcException = 'false'
+            Write-Verbose ('The module [{0}] supports OIDC.' -f $modulePath) -Verbose
+          }
+
+          Write-Output ('{0}={1}' -f 'oidcException', $oidcException) >> $env:GITHUB_OUTPUT
+          Write-Output '::endgroup::'
+
+    # Default: support both OIDC and service principal with secret
+    # 'creds' will be ignored if 'client-id', 'subscription-id' or 'tenant-id' is set
+    - name: "Azure Login - Default"
+      if: ${{ steps.set-oidc-exception.outputs.oidcException == 'false' }}
+      uses: azure/login@v2
+      with:
+        creds: ${{ env.AZURE_CREDENTIALS }}
+        client-id: ${{ env.VALIDATE_CLIENT_ID }}
+        tenant-id: ${{ env.VALIDATE_TENANT_ID }}
+        subscription-id: ${{ env.VALIDATE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true
+
+    # Exception: module requires login by using service principal with secret
+    # Should only be leveraged by modules listed in $exceptionModulePaths above
+    - name: "Azure Login - Exception"
+      if: ${{ steps.set-oidc-exception.outputs.oidcException == 'true' }}
       uses: azure/login@v2
       with:
         creds: ${{ env.AZURE_CREDENTIALS }}
@@ -410,6 +455,7 @@ runs:
           Write-Verbose 'Found no Pester test files (*.test.ps1) in test folder' -Verbose
           Write-Output ('{0}={1}' -f 'formattedPesterResultsPath', '') >> $env:GITHUB_OUTPUT
         }
+
     - name: "Output to GitHub job summaries"
       if: steps.pester_run_step.outputs.formattedPesterResultsPath != ''
       shell: pwsh

.github/workflows/avm.template.module.yml

@@ -21,9 +21,9 @@ on:
         required: true
 
 env:
+  # Used for token replacement steps in both PSRule and deployment validation
   ARM_SUBSCRIPTION_ID: "${{ secrets.ARM_SUBSCRIPTION_ID }}"
   ARM_MGMTGROUP_ID: "${{ secrets.ARM_MGMTGROUP_ID }}"
-  ARM_TENANT_ID: "${{ secrets.ARM_TENANT_ID }}"
   TOKEN_NAMEPREFIX: "${{ secrets.TOKEN_NAMEPREFIX }}"
   CI_KEY_VAULT_NAME: "${{ vars.CI_KEY_VAULT_NAME }}"
 
@@ -143,6 +143,7 @@ jobs:
   #############################
   job_module_deploy_validation: # Note: Please don't change this job name. It is used by the setEnvironment action to define which PS modules to install on runners.
     name: "Deploy [${{ matrix.testCases.name}}]"
+    environment: avm-validation
     runs-on: ubuntu-latest
     if: |
       !cancelled() &&
@@ -179,6 +180,9 @@ jobs:
           customLocation: "${{ fromJson(inputs.workflowInput).customLocation }}"
         env:
           AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+          VALIDATE_CLIENT_ID: ${{ secrets.VALIDATE_CLIENT_ID }}
+          VALIDATE_SUBSCRIPTION_ID: ${{ secrets.VALIDATE_SUBSCRIPTION_ID }}
+          VALIDATE_TENANT_ID: ${{ secrets.VALIDATE_TENANT_ID }}
 
   ##################
   #   Publishing   #