Refresh OIDC token for keyvault azadmin tests when deployment is slow #23722

Merged
merged 1 commit into from
Nov 12, 2024
Merged
1 change: 1 addition & 0 deletions sdk/security/keyvault/azadmin/ci.yml
Expand Up @@ -27,6 +27,7 @@ extends:
TimeoutInMinutes: 120
ServiceDirectory: 'security/keyvault/azadmin'
UsePipelineProxy: false
PersistOidcToken: true

# Due to the high cost of Managed HSMs, which keyvault-admin requires, we only want to run
# the live tests weekly or for releases (manual builds).
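Review bot: `PersistOidcToken: true` is added with no comment, while the lines right below it explain at length why the live tests only run weekly; a reader of ci.yml has no way to tell what consumes the persisted token or why it is needed. Suggest `# Keep the pipeline's OIDC token available (presumably as ARM_OIDC_TOKEN) so test-resources-pre.ps1 can re-run az login when the Managed HSM deployment outlives the original token.` Persisting a federated token also means it stays available to every later step of the job, so it is worth confirming the pipeline template scopes it to the steps that need it.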
61 changes: 46 additions & 15 deletions sdk/security/keyvault/azadmin/test-resources-post.ps1
Expand Up @@ -12,8 +12,25 @@ using namespace System.Security.Cryptography.X509Certificates
# Use same parameter names as declared in eng/New-TestResources.ps1 (assume validation therein).
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
param (
[Parameter()]
[hashtable] $DeploymentOutputs,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $SubscriptionId,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $TenantId,

[Parameter(Mandatory = $true)]
[ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
[string] $TestApplicationId,

[Parameter(Mandatory = $true)]
[ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
[string] $TestApplicationOid,

[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string] $Environment,

# Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
[Parameter(ValueFromRemainingArguments = $true)]
Expand Down Expand Up @@ -80,7 +97,7 @@ Log 'Creating 3 X509 certificates to activate security domain'
$wrappingFiles = foreach ($i in 0..2) {
$certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"

$baseName = "$PSScriptRoot\$hsmName-certificate$i"
$baseName = "$PSScriptRoot/$hsmName-certificate$i"
Export-X509Certificate2 "$baseName.pfx" $certificate
Export-X509Certificate2PEM "$baseName.cer" $certificate

Expand All @@ -89,18 +106,23 @@ $wrappingFiles = foreach ($i in 0..2) {

Log "Downloading security domain from '$hsmUrl'"

$sdPath = "$PSScriptRoot\$hsmName-security-domain.key"
$sdPath = "$PSScriptRoot/$hsmName-security-domain.key"
if (Test-Path $sdpath) {
Log "Deleting old security domain: $sdPath"
Remove-Item $sdPath -Force
}

Export-AzKeyVaultSecurityDomain -Name $hsmName -Quorum 2 -Certificates $wrappingFiles -OutputPath $sdPath -ErrorAction SilentlyContinue -Verbose
if ( !$? ) {
az keyvault security-domain download `
--hsm-name "$hsmName" `
--sd-wrapping-keys $wrappingFiles `
--sd-quorum 2 `
--security-domain-file "$sdPath" `
--verbose

if ($LASTEXITCODE) {
Write-Host $Error[0].Exception
Write-Error $Error[0]

exit
exit $LASTEXITCODE
}

Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
Expand All @@ -109,10 +131,19 @@ Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsm
Log 'Sleeping for 30 seconds to allow activation to propagate...'
Start-Sleep -Seconds 30

$testApplicationOid = $DeploymentOutputs['CLIENT_OBJECTID']

Log "Creating additional required role assignments for '$testApplicationOid'"
$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto Officer' -ObjectID $testApplicationOid
$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User' -ObjectID $testApplicationOid

Log "Role assignments created for '$testApplicationOid'"
Log "Creating additional required role assignments for '$TestApplicationOid'"
az keyvault role assignment create `
--hsm-name "$hsmName" `
--role "Managed HSM Crypto Officer" `
--assignee-object-id "$TestApplicationOid" `
--scope "/"
if ($LASTEXITCODE) { exit $LASTEXITCODE }
az keyvault role assignment create `
--hsm-name "$hsmName" `
--role "Managed HSM Crypto User" `
--assignee-object-id "$TestApplicationOid" `
--scope "/"
if ($LASTEXITCODE) { exit $LASTEXITCODE }


Log "Role assignments created for '$TestApplicationOid'"
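Review bot: In the failure branch after the new `az keyvault security-domain download` call, `Write-Host $Error[0].Exception` and `Write-Error $Error[0]` no longer describe the failure: a native command's non-zero exit generally adds nothing to `$Error` (unlike the removed `Export-AzKeyVaultSecurityDomain -ErrorAction SilentlyContinue`), so the logged message would be an unrelated earlier error or nothing at all. Replace those two lines with an explicit message, e.g. `Write-Host "az keyvault security-domain download for '$hsmName' failed with exit code $LASTEXITCODE"`, keeping `exit $LASTEXITCODE`. If this script sets `$ErrorActionPreference = 'Stop'` (not visible in this section, but its sibling test-resources-pre.ps1 does), `Write-Error` would terminate the script before `exit $LASTEXITCODE` is reached, so `Write-Host`/`Write-Warning` is the safer choice when the specific exit code matters. The `$wrappingFiles` PFX files passed to `--sd-wrapping-keys` and the `$sdPath` security-domain file are the key material needed to restore this HSM; their handling is unchanged here, but a one-line comment noting that they are written under `$PSScriptRoot` and must never be committed or left on a shared agent would be worthwhile.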
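--- a/sdk/security/keyvault/azadmin/test-resources-pre.ps1
+++ b/sdk/security/keyvault/azadmin/test-resources-pre.ps1
@@ -0,0 +1,54 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+# IMPORTANT: Do not invoke this file directly. Please instead run eng/New-TestResources.ps1 from the repository root.
+
+#Requires -Version 6.0
+#Requires -PSEdition Core
+
+using namespace System.Security.Cryptography
+using namespace System.Security.Cryptography.X509Certificates
+
+# Use same parameter names as declared in eng/New-TestResources.ps1 (assume validation therein).
+[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+param (
+[Parameter(Mandatory = $true)]
+[ValidateNotNullOrEmpty()]
+[string] $SubscriptionId,
+
+[Parameter(Mandatory = $true)]
+[ValidateNotNullOrEmpty()]
+[string] $TenantId,
+
+[Parameter(Mandatory = $true)]
+[ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+[string] $TestApplicationId,
+
+[Parameter(Mandatory = $true)]
+[ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+[string] $TestApplicationOid,
+
+[Parameter(Mandatory = $true)]
+[ValidateNotNullOrEmpty()]
+[string] $Environment,
+
+# Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
+[Parameter(ValueFromRemainingArguments = $true)]
+$RemainingArguments
+)
+
+# By default stop for any error.
+if (!$PSBoundParameters.ContainsKey('ErrorAction')) {
+$ErrorActionPreference = 'Stop'
+}
+
+function Log($Message) {
+Write-Host ('{0} - {1}' -f [DateTime]::Now.ToLongTimeString(), $Message)
+}
+
+Log "Refreshing OIDC token"
+az cloud set -n $Environment
+az login --federated-token $env:ARM_OIDC_TOKEN --service-principal -t $TenantId -u $TestApplicationId
+if ($LASTEXITCODE) { exit $LASTEXITCODE }
+az account set --subscription $SubscriptionId
+if ($LASTEXITCODE) { exit $LASTEXITCODE }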
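Review bot: `az cloud set -n $Environment` has no exit-code check, unlike the `az login` and `az account set` calls that follow it, so a failed cloud switch (unknown cloud name, az not on PATH) is followed by a login against whichever cloud was previously selected; add `if ($LASTEXITCODE) { exit $LASTEXITCODE }` after it, since `$ErrorActionPreference = 'Stop'` does not cover native-command exit codes. The login also passes `$env:ARM_OIDC_TOKEN` without checking that it is set: when the variable is empty the command fails with an az argument-parsing error (on PowerShell versions that drop empty native arguments, `--federated-token` would likely consume `--service-principal` as its value) rather than a message that points at the missing `PersistOidcToken` setting. A guard such as `if (-not $env:ARM_OIDC_TOKEN) { Write-Error 'ARM_OIDC_TOKEN is not set; enable PersistOidcToken in ci.yml'; exit 1 }` before the login would make that failure mode explicit. Worth noting in a comment, too, that the token is passed on the command line and so may appear in process listings or verbose pipeline output if diagnostics are enabled.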
2 changes: 1 addition & 1 deletion sdk/security/keyvault/azadmin/test-resources.json
Expand Up @@ -323,4 +323,4 @@
"value": "[concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('primaryAccountName'))).primaryEndpoints.blob, variables('blobContainerName'))]"
}
}
}
}