fixup! Move to Resource Module

Sheyla Trudo · Sheyla Trudo · commit 7e9e8289b637 · 2024-10-28T01:08:31.000-07:00
diff --git a/.pipelines/templates/artifact-storage.steps.yaml b/.pipelines/templates/artifact-storage.steps.yaml
@@ -84,68 +84,6 @@ steps:
     INFRA_RG_LENGTH: $(OUT_RESULT_LENGTH)
     
 
-## Managed Identity ##
-
-- template: get-resources.steps.yaml
-  parameters:
-    resourceType: managedidentity
-    serviceConnection: $(ACN_TEST_SERVICE_CONNECTION)
-    inputs: 
-      resourceGroupName: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
-      buildTagDefinitionIdKey: $(ACNCI_BUILDTAG_DEFINITIONID)
-      buildTagCreatedByAppIdKey: $(ACNCI_BUILDTAG_CREATEDBYAPPID)
-
-- template: create-or-update-resource.steps.yaml
-  parameters:
-    serviceConnection: $(ACN_TEST_SERVICE_CONNECTION)
-    resourceType: managedidentity
-    refreshAfterCreation: True 
-    createCondition: |
-      and(succeeded(),
-          or(not(variables.OUT_RESULT_LENGTH),
-             eq(variables.OUT_RESULT_LENGTH, 'null'),
-             lt(variables.OUT_RESULT_LENGTH, 1)))
-    updateCondition: False
-    inputs:
-      managedIdentityList: $(OUT_RESULT)
-      managedIdentityCount: $(OUT_RESULT_LENGTH)
-      managedIdentityName: '$(ACNCI_MANAGEDIDENTITY_PREFIX)$(LOCAL_ACNCI_UNIQUE_ID)-$(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)'
-      managedIdentityLocation: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)
-      resourceGroupName: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
-      buildTagDefinitionIdKey: $(ACNCI_BUILDTAG_DEFINITIONID)
-      buildTagCreatedByAppIdKey: $(ACNCI_BUILDTAG_CREATEDBYAPPID)
-      buildTagCreatedByBuildIdKey: $(ACNCI_BUILDTAG_CREATEDBYBUILDID)
-
-- task: AzureCLI@2
-  name: managedidentity
-  displayName: "[Output] Build User ManagedIdentity Details"
-  inputs:
-    azureSubscription: $(ACN_TEST_SERVICE_CONNECTION)
-    scriptType: bash
-    scriptLocation: inlineScript
-    addSpnToEnvironment: true
-    inlineScript: |
-      set -e
-      [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
-
-      # Select MI to use
-      RANDOM_SELECT=`tr -dc '1-9' < /dev/urandom | head -c${1:-7}`
-      IDX=$(( "$RANDOM_SELECT" % "$MI_LIST_LENGTH" ))
-      MI_DATA=$(echo "$MI_LIST" | jq --argjson IDX "$IDX" -rc '.[$IDX]')
-
-      MI_ID=$(echo "$MI_DATA" | jq -r '.id')
-      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_ID;isoutput=true]$MI_ID"
-      MI_PRINCIPALID=$(echo "$MI_DATA" | jq -r '.principalId')
-      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_OBJECTID;isoutput=true]$MI_PRINCIPALID"
-      MI_APPID=$(echo "$MI_DATA" | jq -r '.clientId')
-      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_APPID;isoutput=true]$MI_APPID"
-      MI_NAME=$(echo "$MI_DATA" | jq -r '.name')
-      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_NAME;isoutput=true]$MI_NAME"
-  env:
-    ACNCI_BUILD_RESOURCEGROUP: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
-    MI_LIST: $(OUT_RESULT)
-    MI_LIST_LENGTH: $(OUT_RESULT_LENGTH)
-
 ## MI Service Connection
 
 #- template: get-resources.steps.yaml
@@ -358,6 +296,7 @@ steps:
         # - Local Use Only -
         # SA Object
         echo >&2 "##vso[task.setvariable variable=ACNCI_STORAGEACCOUNT]$SA_DATA"
+        echo $SA_DATA
       else
         echo >&2 "##[error]No storage accounts available for use."
         exit 1
@@ -398,6 +337,68 @@ steps:
     STORAGEACCOUNT_NAME: $(artifact_storage.ACNCI_STORAGEACCOUNT_NAME)
     STORAGECONTAINER_NAME: $(artifact_storage.ACNCI_STORAGEACCOUNT_CONTAINER_NAME)
 
+## Managed Identity ##
+
+- template: get-resources.steps.yaml
+  parameters:
+    resourceType: managedidentity
+    serviceConnection: $(ACN_TEST_SERVICE_CONNECTION)
+    inputs: 
+      resourceGroupName: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
+      buildTagDefinitionIdKey: $(ACNCI_BUILDTAG_DEFINITIONID)
+      buildTagCreatedByAppIdKey: $(ACNCI_BUILDTAG_CREATEDBYAPPID)
+
+- template: create-or-update-resource.steps.yaml
+  parameters:
+    serviceConnection: $(ACN_TEST_SERVICE_CONNECTION)
+    resourceType: managedidentity
+    refreshAfterCreation: True 
+    createCondition: |
+      and(succeeded(),
+          or(not(variables.OUT_RESULT_LENGTH),
+             eq(variables.OUT_RESULT_LENGTH, 'null'),
+             lt(variables.OUT_RESULT_LENGTH, 1)))
+    updateCondition: False
+    inputs:
+      managedIdentityList: $(OUT_RESULT)
+      managedIdentityCount: $(OUT_RESULT_LENGTH)
+      managedIdentityName: '$(ACNCI_MANAGEDIDENTITY_PREFIX)$(LOCAL_ACNCI_UNIQUE_ID)-$(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)'
+      managedIdentityLocation: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP_LOCATION)
+      resourceGroupName: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
+      buildTagDefinitionIdKey: $(ACNCI_BUILDTAG_DEFINITIONID)
+      buildTagCreatedByAppIdKey: $(ACNCI_BUILDTAG_CREATEDBYAPPID)
+      buildTagCreatedByBuildIdKey: $(ACNCI_BUILDTAG_CREATEDBYBUILDID)
+
+- task: AzureCLI@2
+  name: managedidentity
+  displayName: "[Output] Build User ManagedIdentity Details"
+  inputs:
+    azureSubscription: $(ACN_TEST_SERVICE_CONNECTION)
+    scriptType: bash
+    scriptLocation: inlineScript
+    addSpnToEnvironment: true
+    inlineScript: |
+      set -e
+      [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
+
+      # Select MI to use
+      RANDOM_SELECT=`tr -dc '1-9' < /dev/urandom | head -c${1:-7}`
+      IDX=$(( "$RANDOM_SELECT" % "$MI_LIST_LENGTH" ))
+      MI_DATA=$(echo "$MI_LIST" | jq --argjson IDX "$IDX" -rc '.[$IDX]')
+
+      MI_ID=$(echo "$MI_DATA" | jq -r '.id')
+      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_ID;isoutput=true]$MI_ID"
+      MI_PRINCIPALID=$(echo "$MI_DATA" | jq -r '.principalId')
+      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_OBJECTID;isoutput=true]$MI_PRINCIPALID"
+      MI_APPID=$(echo "$MI_DATA" | jq -r '.clientId')
+      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_APPID;isoutput=true]$MI_APPID"
+      MI_NAME=$(echo "$MI_DATA" | jq -r '.name')
+      echo >&2 "##vso[task.setvariable variable=ACNCI_MANAGEDIDENTITY_NAME;isoutput=true]$MI_NAME"
+  env:
+    ACNCI_BUILD_RESOURCEGROUP: $(resourcegroups.ACNCI_BUILD_RESOURCEGROUP)
+    MI_LIST: $(OUT_RESULT)
+    MI_LIST_LENGTH: $(OUT_RESULT_LENGTH)
+
 - task: AzureCLI@2
   displayName: "[Provision] Build User Access Permissions"
   continueOnError: true
diff --git a/.pipelines/templates/create-or-update-resource.steps.yaml b/.pipelines/templates/create-or-update-resource.steps.yaml
@@ -90,9 +90,9 @@ steps:
     
           az role assignment create \
             --role "$ROLE_NAME" \
-            --assignee-object-id "$MANAGEDIDENTITY_OBJECTID" \
-            --assignee-principal-type ServicePrincipal \
-            --scope "$RESOURCEGROUP_ID"
+            --assignee "$MANAGEDIDENTITY_NAME" \
+            --resource-group "$RESOURCEGROUP_NAME" \
+            --scope "$MI_SCOPE"
 
       ${{ elseif eq(parameters.resourceType, 'resourcegroups') }}:
         inlineScript: |
@@ -200,6 +200,8 @@ steps:
         MANAGEDIDENTITY_NAME: ${{ parameters.inputs.managedIdentityName }}
         MANAGEDIDENTITY_FEDCRED_NAME: ${{ parameters.inputs.managedIdentityName }}-cred
 
+      
+
     inputs:
       azureSubscription: ${{ parameters.serviceConnection }}
       scriptType: bash
@@ -213,6 +215,11 @@ steps:
 
           az role definition update --role-definition "$ROLEDEFINITION_JSON"
 
+      ${{ elseif eq(parameters.resourceType, 'roleassignments') }}:
+        inlineScript: |
+          set -e
+          [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
+
       ${{ elseif eq(parameters.resourceType, 'storageaccounts') }}:
         inlineScript: |
           set -e
@@ -228,11 +235,17 @@ steps:
           set -e
           [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
 
-          FEDCRED_DETAILS=$(az identity federated-credential create \
-            --name "$MANAGEDIDENTITY_FEDCRED_NAME" \
-            --identity-name "$MANAGEDIDENTITY_NAME" \
+          az role assignment update \
+            --role "$ROLE_NAME" \
+            --assignee "$MANAGEDIDENTITY_NAME" \
             --resource-group "$RESOURCEGROUP_NAME" \
-            --issuer "https://VisualStudio/SPN" \
-            --subject "user_impersonation" \
-            --audience "api://AzureADMyOrg")
-          echo $FEDCRED_DETAILS
+            --scope "$MI_SCOPE"
+
+          #FEDCRED_DETAILS=$(az identity federated-credential create \
+            #--name "$MANAGEDIDENTITY_FEDCRED_NAME" \
+            #--identity-name "$MANAGEDIDENTITY_NAME" \
+            #--resource-group "$RESOURCEGROUP_NAME" \
+            #--issuer "https://VisualStudio/SPN" \
+            #--subject "user_impersonation" \
+            #--audience "api://AzureADMyOrg")
+          #echo $FEDCRED_DETAILS
diff --git a/.pipelines/templates/get-resources.steps.yaml b/.pipelines/templates/get-resources.steps.yaml
@@ -35,7 +35,11 @@ steps:
       ROLEDEFINITION_FILEPATH: ${{ parameters.inputs.roleDefinitionFileLocation }}
 
     ${{ elseif eq(parameters.resourceType, 'roleassignments') }}:
-      MANAGEDIDENTITY_OBJECTID: ${{ parameters.inputs.managedIdentityObjectId }}
+      #MANAGEDIDENTITY_OBJECTID: ${{ parameters.inputs.managedIdentityObjectId }}
+      #RESOURCEGROUP_NAME: ${{ parameters.inputs.resourceGroupName }}
+      #ROLE_NAME: ${{ parameters.inputs.roleName }}
+      MANAGEDIDENTITY_NAME: ${{ parameters.inputs.managedIdentityObjectId }}
+      MANAGEDIDENTITY_SCOPE: ${{ parameters.inputs.scope }}
       RESOURCEGROUP_NAME: ${{ parameters.inputs.resourceGroupName }}
       ROLE_NAME: ${{ parameters.inputs.roleName }}
 
@@ -94,12 +98,19 @@ steps:
         set -e
         [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
   
-        R_QUERY="[? principalId == '$MANAGEDIDENTITY_OBJECTID' ]"
         MI_ROLE_DATA=$(az role assignment list \
           --role "$ROLE_NAME" \
+          --assignee "$MANAGEDIDENTITY_NAME" \
           --resource-group "$RESOURCEGROUP_NAME" \
-          --query "$R_QUERY" \
+          --scope "$MI_SCOPE" \
           --output json | jq -rc '.')
+        echo $MI_ROLE_DATA
+        #R_QUERY="[? name == '$MANAGEDIDENTITY_OBJECTID' ]"
+        #MI_ROLE_DATA=$(az role assignment list \
+        #  --role "$ROLE_NAME" \
+        #  --resource-group "$RESOURCEGROUP_NAME" \
+        #  --query "$R_QUERY" \
+        #  --output json | jq -rc '.')
         MI_ROLE_DATA_LENGTH=$(echo "$MI_ROLE_DATA" | jq length)
   
         echo >&2 "##vso[task.setvariable variable=${VAR_NAME};]$MI_ROLE_DATA"
