Allow authentication of resource generator script via service principal (#2622)

* Allow authentication of resource generator script via service principal

* Re-use the given service principal in case of parametric authentication

* Updated variable names

* Renamed parameter and variable from AzureTenant to AzureTenantId

* Added Azure DevOps pipeline to build an agent

* Added link to azure pipeline to instructions

* Fixed typo in link

* Removed unnecessary / double brackets

* Untangled credential instantiation to make it more readable

* Removed example yaml file

* Removed unnecessary variable assignment
This commit is contained in:
Daniel
2021-03-11 09:21:35 +13:00
committed by GitHub
parent 971ee7d2a7
commit 160f5bedb0


@@ -83,6 +83,15 @@ Function GenerateResourcesAndImage {
.PARAMETER GithubFeedToken .PARAMETER GithubFeedToken
GitHub PAT to download tool packages from GitHub Package Registry GitHub PAT to download tool packages from GitHub Package Registry
.PARAMETER AzureClientId
Client id needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
.PARAMETER AzureClientSecret
Client secret needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
.PARAMETER AzureTenantId
Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
.EXAMPLE .EXAMPLE
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US" GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US"
#> #>
@@ -102,10 +111,16 @@ Function GenerateResourcesAndImage {
[Parameter(Mandatory = $False)] [Parameter(Mandatory = $False)]
[string] $GithubFeedToken, [string] $GithubFeedToken,
[Parameter(Mandatory = $False)] [Parameter(Mandatory = $False)]
[string] $AzureClientId,
[Parameter(Mandatory = $False)]
[string] $AzureClientSecret,
[Parameter(Mandatory = $False)]
[string] $AzureTenantId,
[Parameter(Mandatory = $False)]
[Switch] $Force [Switch] $Force
) )
if (([string]::IsNullOrEmpty($GithubFeedToken))) if ([string]::IsNullOrEmpty($GithubFeedToken))
{ {
Write-Error "'-GithubFeedToken' parameter is not specified. You have to specify valid GitHub PAT to download tool packages from GitHub Package Registry" Write-Error "'-GithubFeedToken' parameter is not specified. You have to specify valid GitHub PAT to download tool packages from GitHub Package Registry"
exit 1 exit 1
@@ -115,7 +130,14 @@ Function GenerateResourcesAndImage {
$ServicePrincipalClientSecret = $env:UserName + [System.GUID]::NewGuid().ToString().ToUpper(); $ServicePrincipalClientSecret = $env:UserName + [System.GUID]::NewGuid().ToString().ToUpper();
$InstallPassword = $env:UserName + [System.GUID]::NewGuid().ToString().ToUpper(); $InstallPassword = $env:UserName + [System.GUID]::NewGuid().ToString().ToUpper();
Connect-AzAccount if ([string]::IsNullOrEmpty($AzureClientId))
{
Connect-AzAccount
} else {
$AzSecureSecret = ConvertTo-SecureString $AzureClientSecret -AsPlainText -Force
$AzureAppCred = New-Object System.Management.Automation.PSCredential($AzureClientId, $AzSecureSecret)
Connect-AzAccount -ServicePrincipal -Credential $AzureAppCred -Tenant $AzureTenantId
}
Set-AzContext -SubscriptionId $SubscriptionId Set-AzContext -SubscriptionId $SubscriptionId
$alreadyExists = $true; $alreadyExists = $true;
@@ -171,21 +193,31 @@ Function GenerateResourcesAndImage {
New-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $storageAccountName -Location $AzureLocation -SkuName "Standard_LRS" New-AzStorageAccount -ResourceGroupName $ResourceGroupName -AccountName $storageAccountName -Location $AzureLocation -SkuName "Standard_LRS"
$spDisplayName = [System.GUID]::NewGuid().ToString().ToUpper() if ([string]::IsNullOrEmpty($AzureClientId)) {
$credentialProperties = @{ StartDate=Get-Date; EndDate=Get-Date -Year 2024; Password=$ServicePrincipalClientSecret } # Interactive authentication: A service principal is created during runtime.
$credentials = New-Object -TypeName Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property $credentialProperties $spDisplayName = [System.GUID]::NewGuid().ToString().ToUpper()
$sp = New-AzADServicePrincipal -DisplayName $spDisplayName -PasswordCredential $credentials $credentialProperties = @{ StartDate=Get-Date; EndDate=Get-Date -Year 2024; Password=$ServicePrincipalClientSecret }
$credentials = New-Object -TypeName Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential -Property $credentialProperties
$sp = New-AzADServicePrincipal -DisplayName $spDisplayName -PasswordCredential $credentials
$spAppId = $sp.ApplicationId $spAppId = $sp.ApplicationId
$spClientId = $sp.ApplicationId $spClientId = $sp.ApplicationId
$spObjectId = $sp.Id Start-Sleep -Seconds $SecondsToWaitForServicePrincipalSetup
Start-Sleep -Seconds $SecondsToWaitForServicePrincipalSetup
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $spAppId New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $spAppId
Start-Sleep -Seconds $SecondsToWaitForServicePrincipalSetup Start-Sleep -Seconds $SecondsToWaitForServicePrincipalSetup
$sub = Get-AzSubscription -SubscriptionId $SubscriptionId $sub = Get-AzSubscription -SubscriptionId $SubscriptionId
$tenantId = $sub.TenantId $tenantId = $sub.TenantId
# "", "Note this variable-setting script for running Packer with these Azure resources in the future:", "==============================================================================================", "`$spClientId = `"$spClientId`"", "`$ServicePrincipalClientSecret = `"$ServicePrincipalClientSecret`"", "`$SubscriptionId = `"$SubscriptionId`"", "`$tenantId = `"$tenantId`"", "`$spObjectId = `"$spObjectId`"", "`$AzureLocation = `"$AzureLocation`"", "`$ResourceGroupName = `"$ResourceGroupName`"", "`$storageAccountName = `"$storageAccountName`"", "`$install_password = `"$install_password`"", "" # "", "Note this variable-setting script for running Packer with these Azure resources in the future:", "==============================================================================================", "`$spClientId = `"$spClientId`"", "`$ServicePrincipalClientSecret = `"$ServicePrincipalClientSecret`"", "`$SubscriptionId = `"$SubscriptionId`"", "`$tenantId = `"$tenantId`"", "`$spObjectId = `"$spObjectId`"", "`$AzureLocation = `"$AzureLocation`"", "`$ResourceGroupName = `"$ResourceGroupName`"", "`$storageAccountName = `"$storageAccountName`"", "`$install_password = `"$install_password`"", ""
} else {
# Parametrized Authentication via given service principal: The service principal with the data provided via the command line
# is used for all authentication purposes.
$spAppId = $AzureClientId
$spClientId = $AzureClientId
$credentials = $AzureAppCred
$ServicePrincipalClientSecret = $AzureClientSecret
$tenantId = $AzureTenantId
}
Get-LatestCommit -ErrorAction SilentlyContinue Get-LatestCommit -ErrorAction SilentlyContinue
@@ -199,7 +231,6 @@ Function GenerateResourcesAndImage {
-var "client_secret=$($ServicePrincipalClientSecret)" ` -var "client_secret=$($ServicePrincipalClientSecret)" `
-var "subscription_id=$($SubscriptionId)" ` -var "subscription_id=$($SubscriptionId)" `
-var "tenant_id=$($tenantId)" ` -var "tenant_id=$($tenantId)" `
-var "object_id=$($spObjectId)" `
-var "location=$($AzureLocation)" ` -var "location=$($AzureLocation)" `
-var "resource_group=$($ResourceGroupName)" ` -var "resource_group=$($ResourceGroupName)" `
-var "storage_account=$($storageAccountName)" ` -var "storage_account=$($storageAccountName)" `
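Review bot: The service-principal branch introduced at `if ([string]::IsNullOrEmpty($AzureClientId))` in the third hunk keys only on the client id, so a call that passes `-AzureClientId` but omits `-AzureClientSecret` or `-AzureTenantId` only fails later inside `ConvertTo-SecureString` or `Connect-AzAccount` with a less obvious error, whereas the function already fails fast with an explicit message when `-GithubFeedToken` is missing; a matching guard next to that check (proposed below) would make the three parameters' coupling explicit. Relatedly, the parametrized branch in the fourth hunk skips `New-AzRoleAssignment`, so the supplied principal must already hold Contributor on the subscription, which is worth stating in the `.PARAMETER AzureClientId` help of the first hunk, e.g. `Client id of an existing service principal that already has Contributor rights on the subscription; enables non-interactive authentication.` Note also that `$AzureClientSecret` is a plain `[string]` parameter whose value is forwarded in `-var "client_secret=..."`, so it may surface in transcripts and shell history; that mirrors the pre-existing handling of the generated secret, but a `[SecureString]` or `PSCredential` parameter would be the safer shape if the interface can change. GenerateResourcesAndImage begins and ends outside these hunks.
```powershell
# … unchanged: GithubFeedToken check and exit …
if (-not [string]::IsNullOrEmpty($AzureClientId) -and ([string]::IsNullOrEmpty($AzureClientSecret) -or [string]::IsNullOrEmpty($AzureTenantId)))
{
    Write-Error "'-AzureClientSecret' and '-AzureTenantId' must be specified together with '-AzureClientId' for authentication via service principal"
    exit 1
}
```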