From 65eebd8fd5f00e15d26e0eff39c4ed093dd99225 Mon Sep 17 00:00:00 2001
From: Ben Broderick Phillips
Date: Mon, 11 Nov 2024 21:23:47 -0500
Subject: [PATCH] Refresh OIDC token in azadmin test resources scripts (#23722)

---
 sdk/security/keyvault/azadmin/ci.yml | 1 +
 .../keyvault/azadmin/test-resources-post.ps1 | 61 ++++++++++++++-----
 .../keyvault/azadmin/test-resources-pre.ps1 | 54 ++++++++++++++++
 .../keyvault/azadmin/test-resources.json | 2 +-
 4 files changed, 102 insertions(+), 16 deletions(-)
 create mode 100644 sdk/security/keyvault/azadmin/test-resources-pre.ps1

diff --git a/sdk/security/keyvault/azadmin/ci.yml b/sdk/security/keyvault/azadmin/ci.yml
index ae76efce5b0c..ef3a7c0ef3bb 100644
--- a/sdk/security/keyvault/azadmin/ci.yml
+++ b/sdk/security/keyvault/azadmin/ci.yml
@@ -27,6 +27,7 @@ extends:
     TimeoutInMinutes: 120
     ServiceDirectory: 'security/keyvault/azadmin'
     UsePipelineProxy: false
+    PersistOidcToken: true
 
     # Due to the high cost of Managed HSMs, which keyvault-admin requires, we only want to run
     # the live tests weekly or for releases (manual builds).
diff --git a/sdk/security/keyvault/azadmin/test-resources-post.ps1 b/sdk/security/keyvault/azadmin/test-resources-post.ps1
index 80f20c0cbfdc..d17ebdad5afc 100644
--- a/sdk/security/keyvault/azadmin/test-resources-post.ps1
+++ b/sdk/security/keyvault/azadmin/test-resources-post.ps1
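Review bot: `PersistOidcToken: true` is added with no comment saying why it is needed, and nothing else in this file explains it; the consumer is the new test-resources-pre.ps1, which reads `$env:ARM_OIDC_TOKEN` to re-login with az. A one-line comment above the setting would save the next reader a search: `# Keep the pipeline's federated (OIDC) token in the environment so test-resources-pre.ps1 can re-login with az before deployment.` Because this keeps a credential available for longer than the template otherwise would, it is worth confirming that the template masks the variable in logs; that behaviour is not visible from this diff.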
@@ -12,8 +12,25 @@ using namespace System.Security.Cryptography.X509Certificates
 # Use same parameter names as declared in eng/New-TestResources.ps1 (assume validation therein).
 [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
 param (
-    [Parameter()]
-    [hashtable] $DeploymentOutputs,
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $SubscriptionId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $TenantId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $TestApplicationId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $TestApplicationOid,
+
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Environment,
 
     # Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
     [Parameter(ValueFromRemainingArguments = $true)]
@@ -80,7 +97,7 @@ Log 'Creating 3 X509 certificates to activate security domain'
 $wrappingFiles = foreach ($i in 0..2) {
     $certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"
 
-    $baseName = "$PSScriptRoot\$hsmName-certificate$i"
+    $baseName = "$PSScriptRoot/$hsmName-certificate$i"
     Export-X509Certificate2 "$baseName.pfx" $certificate
     Export-X509Certificate2PEM "$baseName.cer" $certificate
 
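Review bot: The `$baseName` line writes `.pfx` files that hold the private keys which, at quorum 2, unwrap the security domain this script downloads a few lines later, and nothing in the hunk protects or removes them afterwards. Whether `Export-X509Certificate2` applies a password is not visible here; if it does not, these files plus the downloaded `.key` are the recovery material for the HSM's keys and should be deleted once the download succeeds, or at least kept out of any published pipeline artifact. A comment on this line such as `# NOTE: the .pfx files hold the security-domain wrapping private keys — treat as secrets and do not publish` would flag that for the next reader. The `$wrappingFiles` foreach closes outside the hunk.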
@@ -89,18 +106,23 @@ $wrappingFiles = foreach ($i in 0..2) {
 
 Log "Downloading security domain from '$hsmUrl'"
 
-$sdPath = "$PSScriptRoot\$hsmName-security-domain.key"
+$sdPath = "$PSScriptRoot/$hsmName-security-domain.key"
 if (Test-Path $sdpath) {
     Log "Deleting old security domain: $sdPath"
     Remove-Item $sdPath -Force
 }
 
-Export-AzKeyVaultSecurityDomain -Name $hsmName -Quorum 2 -Certificates $wrappingFiles -OutputPath $sdPath -ErrorAction SilentlyContinue -Verbose
-if ( !$? ) {
+az keyvault security-domain download `
+    --hsm-name "$hsmName" `
+    --sd-wrapping-keys $wrappingFiles `
+    --sd-quorum 2 `
+    --security-domain-file "$sdPath" `
+    --verbose
+
+if ($LASTEXITCODE) {
     Write-Host $Error[0].Exception
     Write-Error $Error[0]
-
-    exit
+    exit $LASTEXITCODE
 }
 
 Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
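Review bot: The failure branch after `az keyvault security-domain download` still reads `$Error[0]`, but a non-zero exit code from a native command does not add a record to `$Error`, so `Write-Host $Error[0].Exception` and `Write-Error $Error[0]` report whatever stale, unrelated error happens to be there, or nothing at all; these two lines are leftovers from the cmdlet-based version. If post.ps1 sets `$ErrorActionPreference = 'Stop'` like the new pre script does (that line is outside the hunk), a `Write-Error` that does fire also terminates the script before `exit $LASTEXITCODE` runs, so the intended exit code is lost. Replace the two lines with `Write-Host "az keyvault security-domain download failed with exit code $LASTEXITCODE"` and keep the `exit $LASTEXITCODE` that follows.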
@@ -109,10 +131,19 @@ Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsm
 Log 'Sleeping for 30 seconds to allow activation to propagate...'
 Start-Sleep -Seconds 30
 
-$testApplicationOid = $DeploymentOutputs['CLIENT_OBJECTID']
-
-Log "Creating additional required role assignments for '$testApplicationOid'"
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto Officer' -ObjectID $testApplicationOid
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User' -ObjectID $testApplicationOid
-
-Log "Role assignments created for '$testApplicationOid'"
\ No newline at end of file
+Log "Creating additional required role assignments for '$TestApplicationOid'"
+az keyvault role assignment create `
+    --hsm-name "$hsmName" `
+    --role "Managed HSM Crypto Officer" `
+    --assignee-object-id "$TestApplicationOid" `
+    --scope "/"
+if ($LASTEXITCODE) { exit $LASTEXITCODE }
+az keyvault role assignment create `
+    --hsm-name "$hsmName" `
+    --role "Managed HSM Crypto User" `
+    --assignee-object-id "$TestApplicationOid" `
+    --scope "/"
+if ($LASTEXITCODE) { exit $LASTEXITCODE }
+
+
+Log "Role assignments created for '$TestApplicationOid'"
diff --git a/sdk/security/keyvault/azadmin/test-resources-pre.ps1 b/sdk/security/keyvault/azadmin/test-resources-pre.ps1
new file mode 100644
index 000000000000..7de1f6896552
--- /dev/null
+++ b/sdk/security/keyvault/azadmin/test-resources-pre.ps1
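Review bot: The two `az keyvault role assignment create` calls differ only in `--role`, so the ten argument lines plus two exit checks would read better as one loop over the role names, as in the fence below. Unlike the security-domain step earlier in the file, a failure here exits without any `Log` line naming the role that could not be assigned; the CLI prints its own error, but a `Log "Failed to assign role '$role' to '$TestApplicationOid'"` before the `exit` makes the pipeline log easier to read. The double blank line before the final `Log` is a stray. Whether a repeated `az keyvault role assignment create` for an already-assigned role succeeds or fails with a conflict on re-runs against an existing HSM is not visible here and is worth checking.

```powershell
Log "Creating additional required role assignments for '$TestApplicationOid'"
foreach ($role in 'Managed HSM Crypto Officer', 'Managed HSM Crypto User') {
    az keyvault role assignment create `
        --hsm-name "$hsmName" `
        --role "$role" `
        --assignee-object-id "$TestApplicationOid" `
        --scope "/"
    if ($LASTEXITCODE) {
        Log "Failed to assign role '$role' to '$TestApplicationOid'"
        exit $LASTEXITCODE
    }
}
# … unchanged: final Log line …
```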
@@ -0,0 +1,54 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# IMPORTANT: Do not invoke this file directly. Please instead run eng/New-TestResources.ps1 from the repository root.
+
+#Requires -Version 6.0
+#Requires -PSEdition Core
+
+using namespace System.Security.Cryptography
+using namespace System.Security.Cryptography.X509Certificates
+
+# Use same parameter names as declared in eng/New-TestResources.ps1 (assume validation therein).
+[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+param (
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $SubscriptionId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $TenantId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $TestApplicationId,
+
+    [Parameter(Mandatory = $true)]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $TestApplicationOid,
+
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string] $Environment,
+
+    # Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
+    [Parameter(ValueFromRemainingArguments = $true)]
+    $RemainingArguments
+)
+
+# By default stop for any error.
+if (!$PSBoundParameters.ContainsKey('ErrorAction')) {
+    $ErrorActionPreference = 'Stop'
+}
+
+function Log($Message) {
+    Write-Host ('{0} - {1}' -f [DateTime]::Now.ToLongTimeString(), $Message)
+}
+
+Log "Refreshing OIDC token"
+az cloud set -n $Environment
+az login --federated-token $env:ARM_OIDC_TOKEN --service-principal -t $TenantId -u $TestApplicationId
+if ($LASTEXITCODE) { exit $LASTEXITCODE }
+az account set --subscription $SubscriptionId
+if ($LASTEXITCODE) { exit $LASTEXITCODE }
diff --git a/sdk/security/keyvault/azadmin/test-resources.json b/sdk/security/keyvault/azadmin/test-resources.json
index d2d2a90b954e..5eb2123a03f1 100644
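Review bot: `az cloud set -n $Environment` is the only az call in the new script that is not followed by `if ($LASTEXITCODE) { exit $LASTEXITCODE }`, so an unrecognised cloud name is reported only as a confusing `az login` failure against whichever cloud was previously selected; add the same check after it. The login also assumes `$env:ARM_OIDC_TOKEN` is set, and when it is not the null argument is dropped (as far as I can tell) and az reports an argument-parsing error rather than the real cause, so guard it with `if (-not $env:ARM_OIDC_TOKEN) { Write-Error 'ARM_OIDC_TOKEN is not set; run via eng/New-TestResources.ps1 in a pipeline with PersistOidcToken enabled'; exit 1 }`. Note that the federated token travels on the az command line, where it is visible to other processes on the agent for the duration of the call; I am not aware of a stdin alternative in the CLI, so this is a caveat to record in a comment rather than something to fix here. The `using namespace` lines and `SupportsShouldProcess` look copied from the post script and are unused in this file.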
--- a/sdk/security/keyvault/azadmin/test-resources.json
+++ b/sdk/security/keyvault/azadmin/test-resources.json
@@ -323,4 +323,4 @@
       "value": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))).primaryEndpoints.blob, variables('blobContainerName'))]"
     }
   }
-}
\ No newline at end of file
+}