microsoft / vscode-azuretools

Common packages for building Azure extensions for VS Code
MIT License

azure-pipelines: Add workflow identity federation to the test pipeline template #1724

Closed hossam-nasr closed 3 months ago

hossam-nasr commented 4 months ago

Modify the test.yml pipeline template to add support for workflow identity federation for nightly testing pipelines. We do this by adding two new steps. One is a dummy Key Vault step that connects to the newly-created AzCodeE2ETests service connection for this purpose. The other is a "real" Key Vault step connecting to the AzCodeE2ETestsCredsKV key vault to obtain the identifiers required to connect to the AzCodeE2ETests service connection and obtain an OIDC token in code. Then, the needed environment variables are manually propagated to the Test step.

hossam-nasr commented 3 months ago

Updated the main 1esmain.yml pipeline such that it accepts a useAzureFederatedCredentials parameter, which is passed all the way down to the test.yml template, which includes the relevant Key Vault steps (and sets the relevant env vars) only if useAzureFederatedCredentials is set to true. I tested this on a few pipelines and confirmed that if useAzureFederatedCredentials is false (the default, so basically no change on the client extensions' side), the pipeline runs the same test step as before, and without prompting for permissions. If the useAzureFederatedCredentials parameter is set to true, that's when the Key Vault steps are included and env vars are propagated, and that's when permissions are prompted. Since this is a template parameter and not a runtime condition, this is figured out at "compile time", no two .yml files needed! @alexweininger Who's the plumber now? 😎

alexweininger commented 3 months ago

> Updated the main 1esmain.yml pipeline such that it accepts a useAzureFederatedCredentials parameter, which is passed all the way down to the test.yml template, which includes the relevant Key Vault steps (and sets the relevant env vars) only if useAzureFederatedCredentials is set to true. I tested this on a few pipelines and confirmed that if useAzureFederatedCredentials is false (the default, so basically no change on the client extensions' side), the pipeline runs the same test step as before, and without prompting for permissions. If the useAzureFederatedCredentials parameter is set to true, that's when the Key Vault steps are included and env vars are propagated, and that's when permissions are prompted. Since this is a template parameter and not a runtime condition, this is figured out at "compile time", no two .yml files needed!

That is epic, great work.

> Who's the plumber now? 😎

I'm happy to hand over my denim overalls and tool box 👷 🪠 🧰
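The template plumbing described in the two comments above, written out as an added illustration rather than the PR's own diff. The parameter name, the two service-connection/vault names and the AzureKeyVault@2 task are taken from the thread; the service connection used by the "real" vault step, the secret names inside AzCodeE2ETestsCredsKV, the environment variable names, and the way the test code turns them into an OIDC token are assumptions, since the PR does not spell them out.

```yaml
# --- 1esmain.yml (illustrative excerpt) ---
parameters:
  - name: useAzureFederatedCredentials
    type: boolean
    default: false   # false = no Key Vault steps, no service connection reference, no permission prompt

stages:
  - stage: Test
    jobs:
      - job: Test
        steps:
          - template: test.yml
            parameters:
              # Passed straight through to the step template.
              useAzureFederatedCredentials: ${{ parameters.useAzureFederatedCredentials }}

# --- test.yml (illustrative) ---
parameters:
  - name: useAzureFederatedCredentials
    type: boolean
    default: false

steps:
  # `${{ if }}` is a template expression, resolved when the pipeline is compiled.
  # When the parameter is false the steps below do not exist in the expanded YAML,
  # so the AzCodeE2ETests service connection is never referenced and Azure DevOps
  # has nothing to ask permission for. A runtime `condition:` on the same steps
  # would still reference the connection and still trigger the prompt.
  - ${{ if eq(parameters.useAzureFederatedCredentials, true) }}:
      # Dummy Key Vault step: its only purpose is to reference the AzCodeE2ETests
      # service connection so the job is authorized to use it. Which vault it points
      # at is not stated in the PR; the name here is an assumption.
      - task: AzureKeyVault@2
        displayName: Authorize AzCodeE2ETests service connection (dummy)
        inputs:
          azureSubscription: AzCodeE2ETests
          KeyVaultName: any-vault-readable-by-AzCodeE2ETests   # assumption
          SecretsFilter: '*'
          RunAsPreJob: false

      # "Real" Key Vault step: read the identifiers needed to obtain an OIDC token
      # for the AzCodeE2ETests connection from inside the test code. The service
      # connection used here and the secret names are assumptions.
      - task: AzureKeyVault@2
        displayName: Read E2E credentials from AzCodeE2ETestsCredsKV
        inputs:
          azureSubscription: AzCodeE2ETestsCredsKV-Reader       # assumption
          KeyVaultName: AzCodeE2ETestsCredsKV
          SecretsFilter: 'e2e-tenant-id,e2e-client-id,e2e-service-connection-id'  # assumed names
          RunAsPreJob: false

      # The test step with the secrets propagated explicitly. Key Vault secrets become
      # secret pipeline variables, which are NOT exported to scripts automatically;
      # each one has to be mapped into env by hand. Environment variable names are assumptions.
      - script: npm test
        displayName: Run tests (federated credentials)
        env:
          AZCODE_E2E_TENANT_ID: $(e2e-tenant-id)
          AZCODE_E2E_CLIENT_ID: $(e2e-client-id)
          AZCODE_E2E_SERVICE_CONNECTION_ID: $(e2e-service-connection-id)
          # The job access token and the OIDC request endpoint, which test code needs
          # in order to ask Azure DevOps for an ID token for the service connection.
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
          SYSTEM_OIDCREQUESTURI: $(System.OidcRequestUri)

  - ${{ else }}:
      # Default path: identical to the pre-PR test step, nothing else is added.
      - script: npm test
        displayName: Run tests
```

Because the branch is decided at compile time, a pipeline consuming the template with the default value gets exactly the old test step and nothing else, which is why no permission prompt appears until a consumer opts in with `useAzureFederatedCredentials: true`. The explicit `env:` mapping is also the only way secret variables reach the process, so anything the test code needs has to be listed there deliberately rather than inherited.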