improving secret checkouts

Author: brettsam

azure-pipelines.yml

@@ -180,7 +180,6 @@ jobs:
     artifact: packages
 
 - job: RunUnitTests
-  dependsOn: InitializePipeline
   pool:
     vmImage: 'windows-2019'
   steps: 
@@ -201,11 +200,8 @@ jobs:
         **\WebJobs.Script.Tests.csproj
 
 - job: RunNonE2EIntegrationTests
-  dependsOn: InitializePipeline
   pool:
     vmImage: 'windows-2019'
-  variables:
-    keyVaultSuffix: $[ dependencies.InitializePipeline.outputs['Initialize.LeaseBlob'] ]
   steps: 
   - task: UseDotNet@2
     inputs:
@@ -215,11 +211,27 @@ jobs:
   - task: UseNode@1
     inputs:      
       version: '10.x'
+  - task: PowerShell@2
+    displayName: 'Install Az.Storage Powershell module'
+    inputs:
+      targetType: 'inline'
+      script: 'Install-Module -Name Az.Storage -RequiredVersion 1.11.0 -Scope CurrentUser -Force -AllowClobber'
+  - task: AzureKeyVault@1
+    inputs:
+      # Note: This is actually a Service Connection in DevOps, not an Azure subscription name
+      azureSubscription: 'Azure-Functions-Host-CI'
+      keyVaultName: 'azure-functions-host-ci'
+      secretsFilter: '*'
+  - task: PowerShell@2
+    displayName: 'Checkout secrets'
+    inputs:
+      filePath: '$(Build.Repository.LocalPath)\build\checkout-secrets.ps1'
+      arguments: '-connectionString ''$(Storage-azurefunctionshostci0)'''
   - task: AzureKeyVault@1
     inputs:
       # Note: This is actually a Service Connection in DevOps, not an Azure subscription name
       azureSubscription: 'Azure-Functions-Host-CI'
-      keyVaultName: azure-functions-host-$(keyVaultSuffix)
+      keyVaultName: azure-functions-host-$(LeaseBlob)
       secretsFilter: '*'
   - task: DotNetCoreCLI@2
     displayName: 'Non-E2E integration tests'
@@ -236,13 +248,16 @@ jobs:
       AzureWebJobsEventHubReceiver: $(EventHub)
       AzureWebJobsSecretStorageKeyVaultConnectionString: $(KeyVaultConnectionString)
       AzureWebJobsSecretStorageKeyVaultName: $(KeyVaultName)
+  - task: PowerShell@2
+    condition: always()
+    displayName: 'Checkin secrets'
+    inputs:
+      filePath: '$(Build.Repository.LocalPath)\build\checkin-secrets.ps1'
+      arguments: '-connectionString ''$(Storage-azurefunctionshostci0)'' -leaseBlob $(LeaseBlob) -leaseToken $(LeaseToken)'
 
 - job: RunIntegrationTests
-  dependsOn: InitializePipeline
   pool:
     vmImage: 'windows-2019'
-  variables:
-    keyVaultSuffix: $[ dependencies.InitializePipeline.outputs['Initialize.LeaseBlob'] ]
   steps: 
   - task: UseDotNet@2
     inputs:
@@ -256,11 +271,27 @@ jobs:
     inputs:
       versionSpec: '3.7.x'
       addToPath: true
+  - task: PowerShell@2
+    displayName: 'Install Az.Storage Powershell module'
+    inputs:
+      targetType: 'inline'
+      script: 'Install-Module -Name Az.Storage -RequiredVersion 1.11.0 -Scope CurrentUser -Force -AllowClobber'
+  - task: AzureKeyVault@1
+    inputs:
+      # Note: This is actually a Service Connection in DevOps, not an Azure subscription name
+      azureSubscription: 'Azure-Functions-Host-CI'
+      keyVaultName: 'azure-functions-host-ci'
+      secretsFilter: '*'
+  - task: PowerShell@2
+    displayName: 'Checkout secrets'
+    inputs:
+      filePath: '$(Build.Repository.LocalPath)\build\checkout-secrets.ps1'
+      arguments: '-connectionString ''$(Storage-azurefunctionshostci0)'''
   - task: AzureKeyVault@1
     inputs:
       # Note: This is actually a Service Connection in DevOps, not an Azure subscription name
       azureSubscription: 'Azure-Functions-Host-CI'
-      keyVaultName: azure-functions-host-$(keyVaultSuffix)
+      keyVaultName: azure-functions-host-$(LeaseBlob)
       secretsFilter: '*'
   - task: PowerShell@2
     displayName: 'Set environment variables'
@@ -375,28 +406,9 @@ jobs:
       arguments: '--filter "Group=ContainerInstanceTests"'
       projects: |
         **\WebJobs.Script.Tests.Integration.csproj
-        
-- job: FinishPipeline
-  dependsOn:
-  - InitializePipeline
-  - BuildArtifacts
-  - RunUnitTests
-  - RunIntegrationTests
-  - RunNonE2EIntegrationTests
-  condition: always()
-  variables:
-    leaseBlob: $[ dependencies.InitializePipeline.outputs['Initialize.LeaseBlob'] ]
-    leaseToken: $[ dependencies.InitializePipeline.outputs['Initialize.LeaseToken'] ]
-  pool:
-    vmImage: 'windows-2019'
-  steps:
-  - task: AzureKeyVault@1
-    inputs:
-      azureSubscription: 'Azure-Functions-Host-CI'
-      keyVaultName: 'azure-functions-host-ci'
-      secretsFilter: '*'
   - task: PowerShell@2
-    displayName: 'Finish'
+    condition: always()
+    displayName: 'Checkin secrets'
     inputs:
-      filePath: '$(Build.Repository.LocalPath)\build\finish-pipeline.ps1'
-      arguments: '-connectionString ''$(Storage-azurefunctionshostci0)'' -leaseBlob $(leaseBlob) -leaseToken $(leaseToken)'
+      filePath: '$(Build.Repository.LocalPath)\build\checkin-secrets.ps1'
+      arguments: '-connectionString ''$(Storage-azurefunctionshostci0)'' -leaseBlob $(LeaseBlob) -leaseToken $(LeaseToken)'

build/finish-pipeline.ps1 renamed to build/checkin-secrets.ps1

@@ -16,9 +16,9 @@ if ($leaseToken -eq "") {
 
 Write-Host "Breaking lease for $leaseBlob."
 
-$storageContext = New-AzureStorageContext -ConnectionString $connectionString
-$blob = Get-AzureStorageBlob -Context $storageContext -Container "ci-locks" -Blob $leaseBlob
+$storageContext = New-AzStorageContext -ConnectionString $connectionString
+$blob = Get-AzStorageBlob -Context $storageContext -Container "ci-locks" -Blob $leaseBlob
 
-$accessCondition = New-Object -TypeName Microsoft.WindowsAzure.Storage.AccessCondition
+$accessCondition = New-Object -TypeName Microsoft.Azure.Storage.AccessCondition
 $accessCondition.LeaseId = $leaseToken
 $blob.ICloudBlob.ReleaseLease($accessCondition)

build/checkout-secrets.ps1

@@ -0,0 +1,75 @@
+param (
+  [string]$connectionString = ""
+)
+
+function AcquireLease($blob) {
+  try {
+    return $blob.ICloudBlob.AcquireLease($null, $null, $null, $null, $null)
+  } catch {
+    Write-Host "  Error: $_"
+    return $null
+  } 
+}
+
+# use this for tracking metadata in lease blobs
+$buildName = "3.0." + $env:buildNumber + "_" + $env:SYSTEM_JOBDISPLAYNAME
+
+$azVersion = "1.11.0"
+Import-Module Az.Storage
+$azModule = Get-Module -Name Az.Storage
+if ($azModule.Version -ne $azVersion) {
+  throw "Az.Storage module version $azVersion was not found. Current version: $($azModule.Version)"
+}
+
+# get a blob lease to prevent test overlap
+$storageContext = New-AzStorageContext -ConnectionString $connectionString
+
+While($true) {
+  $blobs = Get-AzStorageBlob -Context $storageContext -Container "ci-locks"
+  $token = $null
+  
+  # shuffle the blobs for random ordering
+  $blobs = $blobs | Sort-Object {Get-Random}
+
+  Write-Host "Looking for unleased ci-lock blobs (list is shuffled):"
+  Foreach ($blob in $blobs) {
+    $name = $blob.Name
+    $leaseStatus = $blob.ICloudBlob.Properties.LeaseStatus
+    
+    Write-Host "  ${name}: $leaseStatus"
+    
+    if ($leaseStatus -eq "Locked") {
+      continue
+    }
+
+    Write-Host "  Attempting to acquire lease on $name."
+    $token = AcquireLease $blob
+    if ($token -ne $null) {
+      Write-Host "  Lease acquired on $name. LeaseId: '$token'"
+      Write-Host "##vso[task.setvariable variable=LeaseBlob]$name"
+      Write-Host "##vso[task.setvariable variable=LeaseToken]$token"
+      try {
+        $blob.ICloudBlob.FetchAttributes()
+        $blob.ICloudBlob.Metadata["Build"] = $buildName
+        $accessCondition = New-Object -TypeName Microsoft.Azure.Storage.AccessCondition
+        $accessCondition.LeaseId = $token
+        $blob.ICloudBlob.SetMetadata($accessCondition)
+      } catch {
+        # best effort
+        Write-Host "Warning: unable to update blob metadata. Continuing. $_"
+      }
+      break
+    } else {
+      Write-Host "  Lease not acquired on $name."
+    }    
+  }
+  
+  if ($token -ne $null) {
+    break
+  }
+  
+  $delay = 30
+  Write-Host "No lease acquired. Waiting $delay seconds to try again. This run cannot begin until it acquires a lease on a CI test environment."
+  Start-Sleep -s $delay
+  Write-Host ""
+}

build/initialize-pipeline.ps1

@@ -1,16 +1,3 @@
-param (
-  [string]$connectionString = ""
-)
-
-function AcquireLease($blob) {
-  try {
-    return $blob.ICloudBlob.AcquireLease($null, $null, $null, $null, $null)    
-  } catch {
-    Write-Host "  Error: $_"
-    return $null
-  } 
-}
-
 $buildReason = $env:BUILD_REASON
 
 if ($buildReason -eq "PullRequest") {
@@ -22,46 +9,4 @@ if ($buildReason -eq "PullRequest") {
     Write-Host "##vso[task.setvariable variable=BuildArtifacts;isOutput=true]true"
     Write-Host "Setting 'BuildArtifacts' to true."
   }
-}
-
-# get a blob lease to prevent test overlap
-$storageContext = New-AzureStorageContext -ConnectionString $connectionString
-While($true) {
-  $blobs = Get-AzureStorageBlob -Context $storageContext -Container "ci-locks"
-  $token = $null
-  
-  # shuffle the blobs for random ordering
-  $blobs = $blobs | Sort-Object {Get-Random}
-
-  Write-Host "Looking for unleased ci-lock blobs (list is shuffled):"
-  Foreach ($blob in $blobs) {
-    $name = $blob.Name
-    $leaseStatus = $blob.ICloudBlob.Properties.LeaseStatus
-    
-    Write-Host "  ${name}: $leaseStatus"
-    
-    if ($leaseStatus -eq "Locked") {
-      continue
-    }
-
-    Write-Host "  Attempting to acquire lease on $name."
-    $token = AcquireLease $blob
-    if ($token -ne $null) {
-      Write-Host "  Lease acquired on $name. LeaseId: '$token'"
-      Write-Host "##vso[task.setvariable variable=LeaseBlob;isOutput=true]$name"
-      Write-Host "##vso[task.setvariable variable=LeaseToken;isOutput=true]$token"
-      break
-    } else {
-      Write-Host "  Lease not acquired on $name."
-    }    
-  }
-  
-  if ($token -ne $null) {
-    break
-  }
-  
-  $delay = 30
-  Write-Host "No lease acquired. Waiting $delay seconds to try again. This run cannot begin until it acquires a lease on a CI test environment."
-  Start-Sleep -s $delay
-  Write-Host ""
 }