fixup! User Service Connections

Sheyla Trudo · Sheyla Trudo · commit bdb750d51715 · 2024-11-03T19:20:35.000-08:00
diff --git a/.pipelines/run-pipeline.yaml b/.pipelines/run-pipeline.yaml
@@ -23,7 +23,6 @@ stages:
     dependsOn: pre_build
     variables:
       ACN_DIR: $(Build.SourcesDirectory)
-      SYSTEM_DEBUG: $[ coalesce(variables.SYSTEM_DEBUG, 'False') ]
     jobs:
       - job: env
         displayName: Setup
@@ -53,7 +52,7 @@ stages:
             displayName: "Set environmental variables"
 
       - job: resources
-        displayName: "[Infra] Configure Artifact Resources"
+        displayName: "[Infra] Configure Build Resources"
         variables:
           ACNCI_BUILDUSER_ROLE_NAME: "ACN CI/CD Build Environment Owner"
           ACNCI_MANAGEDIDENTITY_PREFIX: acnci-builds-
@@ -184,7 +183,6 @@ stages:
         - test
       variables:
         ACN_DIR: $(Build.SourcesDirectory)
-        SYSTEM_DEBUG: $[ coalesce(variables.SYSTEM_DEBUG, 'False') ]
       jobs:
         - job: containerize_amd64
           displayName: Build Images
@@ -346,7 +344,6 @@ stages:
       variables:
         Packaging.EnableSBOMSigning: false
         ACN_DIR: $(Build.SourcesDirectory)
-        SYSTEM_DEBUG: $[ coalesce(variables.SYSTEM_DEBUG, 'False') ]
       jobs:
         - job: manifest
           displayName: Compile Manifests
@@ -553,7 +550,6 @@ stages:
       variables:
         ACN_DIR: $(Build.SourcesDirectory)
         commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
-        SYSTEM_DEBUG: $[ coalesce(variables.SYSTEM_DEBUG, 'False') ]
       jobs:
         - job: delete
           displayName: Delete Cluster
diff --git a/.pipelines/templates/create-or-update-resource.steps.yaml b/.pipelines/templates/create-or-update-resource.steps.yaml
@@ -112,8 +112,15 @@ steps:
           #[[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
           az upgrade -y
 
-          echo "az storage account create --name "$STORAGEACCOUNT_NAME" --location "$STORAGEACCOUNT_LOCATION" --resource-group "$RESOURCEGROUP_NAME" --allow-blob-public-access false --allow-shared-key-access false --tags "$BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" "$BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" "$BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId""
-          az storage account create --name "$STORAGEACCOUNT_NAME" --location "$STORAGEACCOUNT_LOCATION" --resource-group "$RESOURCEGROUP_NAME" --allow-blob-public-access false --allow-shared-key-access false --tags "$BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" "$BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" "$BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId"
+          az storage account create \
+            --name "$STORAGEACCOUNT_NAME" \
+            --location "$STORAGEACCOUNT_LOCATION" \
+            --resource-group "$RESOURCEGROUP_NAME" \
+            --allow-blob-public-access false \
+            --allow-shared-key-access false \
+            --tags "$BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" \
+                   "$BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" \
+                   "$BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId"
     
       ${{ elseif eq(parameters.resourceType, 'roledefinition') }}:
         inlineScript: |
@@ -134,30 +141,6 @@ steps:
             --tags "$ACNCI_BUILDTAG_DEFINITIONID"="$SYSTEM_DEFINITIONID" \
                    "$ACNCI_BUILDTAG_CREATEDBYBUILDID"="$BUILD_BUILDID" \
                    "$ACNCI_BUILDTAG_CREATEDBYAPPID"="$servicePrincipalId"
-  
-      ${{ elseif eq(parameters.resourceType, 'serviceconnection') }}:
-        inlineScript: |
-          set -e
-          [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
-
-          ## Requires manual creation
-
-          #az config set extension.use_dynamic_install=yes_without_prompt
-          ##az devops login --identity "$SERVICECONNECTION_PRINCIPALID"
-          #az config set extension.dynamic_install_allow_preview=true
-          ##jq '.requiredResourceAccess = "$STORAGECONTAINER_ID"'
-          ##jq '.appId = "$MANAGEDIDENTITY_APPID"'
-          ##jq '.tags["$BUILDTAG_APPID"] = "$APPID"'
-          ##jq '.tags["$BUILDTAG_DEFINITIONID"] = "$SYSTEM_DEFINITIONID"'
-          #az devops login
-          #az devops service-endpoint azurerm create \
-            #--org "https://dev.azure.com/msazure/" \
-            #--azure-rm-service-principal-id "$SERVICECONNECTION_PRINCIPALID" \
-            #--azure-rm-subscription-id "$SUBSCRIPTION_ID" \
-            #--azure-rm-subscription-name "$SUBSCRIPTION_NAME" \
-            #--azure-rm-tenant-id "$SERVICECONNECTION_TENANT_ID"\
-            #--name "$SERVICECONNECTION_NAME" \
-            #--project "One" --debug
 
 
 
@@ -222,6 +205,14 @@ steps:
           set -e
           [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
 
+          echo "$ROLEASSIGNMENTS_LIST" | \
+            jq -rc \
+              --arg RA_NAME "$RA_NAME" \
+              --arg RA_PRINCIPAL_ID "$RA_PRINCIPAL_ID" \
+              --arg RA_SCOPE "$RA_SCOPE" \
+              '. | select(.roleDefinitionName == $RA_NAME && .principalId == $RA_PRINCIPAL_ID && .scope == $RA_SCOPE)'
+          
+
       ${{ elseif eq(parameters.resourceType, 'storageaccounts') }}:
         inlineScript: |
           set -e
@@ -240,7 +231,8 @@ steps:
           CONDITION="(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:Name] stringEquals '$STORAGECONTAINER_NAME' AND (!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'}) OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:'$BUILDTAG_BUILDUSER_APPID'<\$key_case_sensitive\$>] StringEquals '$MANAGEDIDENTITY_APPID'))"
           az role assignment update \
             --role "$ROLE_NAME" \
-            --assignee "$MANAGEDIDENTITY_NAME" \
+            --assignee-object-id "$SERVICEPRINCIPAL_CLIENTID" \
+            --assignee-principl-type "ServicePrincipal" \
             --scope "$RESOURCEGROUP_ID" \
             --description "Enable access to build user blobs." \
             --condition "$CONDITION" \
diff --git a/.pipelines/templates/get-resources.steps.yaml b/.pipelines/templates/get-resources.steps.yaml
@@ -161,25 +161,20 @@ steps:
         echo >&2 "##vso[task.setvariable variable=${VAR_NAME}_LENGTH;]$R_LIST_LENGTH"
 
 
-    ${{ elseif eq(parameters.resourceType, 'managedidentity') }}:
+    ${{ elseif eq(parameters.resourceType, 'roleassignments') }}:
       inlineScript: |
         set -e
         [[ -n $SYSTEM_DEBUG ]] && [[ $SYSTEM_DEBUG =~ $IS_TRUE ]] && set -x || set +x
   
-        R_QUERY="[? tags.\""$BUILDTAG_DEFINITIONID"\" && tags.\""$BUILDTAG_CREATEDBYAPPID"\"]"
-        MI_LIST=$(az identity list \
-          --resource-group "$RESOURCEGROUP_NAME" \
-          --query "$R_QUERY" -o json | \
-          jq -rc \
-            --arg BUILDTAG_CREATEDBYAPPID "$BUILDTAG_CREATEDBYAPPID" \
-            --arg APPID "$servicePrincipalId" \
-            --arg BUILDTAG_DEFINITIONID "$BUILDTAG_DEFINITIONID" \
-            --arg DEFINITIONID "$SYSTEM_DEFINITIONID" \
-          '[ .[] | select(.tags[$BUILDTAG_DEFINITIONID] == $DEFINITIONID ) | select( .tags[$BUILDTAG_CREATEDBYAPPID] == $APPID) ]')
-        MI_LIST_LENGTH=$(echo "$MI_LIST" | jq length)
+        RA_LIST=$(az role assignment list \
+          --assignee "$ASSIGNEE_ID" \
+          --include-groups \
+          --include-inherited)
+
+        RA_LIST_LENGTH=$(echo "$RA_LIST" | jq length)
   
-        echo >&2 "##vso[task.setvariable variable=${VAR_NAME};]$MI_LIST"
-        echo >&2 "##vso[task.setvariable variable=${VAR_NAME}_LENGTH;]$MI_LIST_LENGTH"
+        echo >&2 "##vso[task.setvariable variable=${VAR_NAME};]$RA_LIST"
+        echo >&2 "##vso[task.setvariable variable=${VAR_NAME}_LENGTH;]$RA_LIST_LENGTH"
 
     ${{ elseif eq(parameters.resourceType, 'serviceconnection') }}:
       inlineScript: |
