Migrate secrets from CI variables to KeyVault (#23451)

vidai-msft · web-flow · commit 2883294cb53c · 2023-11-16T12:51:59.000+08:00
* Update test coverage CI with secrets retrieved from KeyVault

* Update live test CI to retrieve secrets from KeyVault

* Update smoke test CI to retrieve secrets from Key Vault

* Add condition for keyvault template
diff --git a/.azure-pipelines/test-coverage.yml b/.azure-pipelines/test-coverage.yml
@@ -60,7 +60,6 @@ jobs:
     vmImage: ${{ parameters.testPoolVMImage }}
 
   steps:
-  - template: util/get-github-pat-steps.yml
   - task: UseDotNet@2
     displayName: 'Install .NET 6.0 SDK'
     inputs:
@@ -115,6 +114,13 @@ jobs:
       filePath: ./tools/TestFx/Coverage/AnalyzeTestCoverage.ps1
       arguments: -CalcBaseline
 
+  - template: util/get-keyvault-secret-steps.yml
+    parameters:
+      serviceConnectionName: $(AzureSubscription)
+      keyVaultName: $(KustoServicePrincipalKeyVaultName)
+      secretName: $(KustoServicePrincipalSecretName)
+      outVar: 'KustoServicePrincipalSecret'
+
   - task: PowerShell@2
     displayName: Save Test Coverage Results
     condition: succeeded()
@@ -124,6 +130,8 @@ jobs:
       filePath: ./tools/TestFx/Coverage/SaveTestCoverageResult.ps1
       arguments: CITest $(KustoTenantId) $(KustoServicePrincipalId) $(KustoServicePrincipalSecret) $(KustoClusterName) $(KustoClusterRegion)
 
+  - template: util/get-github-pat-steps.yml
+
   - task: PowerShell@2
     displayName: Update Test Coverage Baseline
     condition: succeeded()
diff --git a/.azure-pipelines/util/get-keyvault-secret-steps.yml b/.azure-pipelines/util/get-keyvault-secret-steps.yml
@@ -0,0 +1,26 @@
+parameters:
+- name: serviceConnectionName
+  type: string
+- name: keyVaultName
+  type: string
+- name: secretName
+  type: string
+- name: outVar
+  type: string
+  default: 'KVSecret'
+- name: execCondition
+  type: string
+  default: succeeded()
+
+steps:
+- task: AzurePowerShell@5
+  displayName: Get Secret from Azure KeyVault
+  condition: ${{ parameters.execCondition }}
+  inputs:
+    azurePowerShellVersion: LatestVersion
+    azureSubscription: ${{ parameters.serviceConnectionName }}
+    pwsh: true
+    scriptType: InlineScript
+    inline: |
+      $secretValue = Get-AzKeyVaultSecret -VaultName ${{ parameters.keyVaultName }} -Name ${{ parameters.secretName }} -AsPlainText
+      Write-Host "##vso[task.setvariable variable=${{ parameters.outVar }};issecret=true;isreadonly=true]$secretValue"
diff --git a/.azure-pipelines/util/live-test-steps.yml b/.azure-pipelines/util/live-test-steps.yml
@@ -106,6 +106,14 @@ jobs:
       filePath: ./tools/TestFx/Live/InvokeLiveTestCITask.ps1
       arguments: -UseWindowsPowerShell ('${{ parameters.psVersion }}' -eq '5.1') -ScriptFile './tools/TestFx/Live/InstallLiveTestAzModules.ps1 -Source $(GalleryName) -AzPackagesLocation (Join-Path -Path $(DataLocation) -ChildPath AzPreviewPackages)'
 
+  - template: get-keyvault-secret-steps.yml
+    parameters:
+      serviceConnectionName: $(LiveTestServiceConnectionName)
+      keyVaultName: $(LiveTestServicePrincipalKeyVaultName)
+      secretName: $(LiveTestServicePrincipalSecretName)
+      outVar: 'LiveTestServicePrincipalSecret'
+      execCondition: and(succeeded(), ne(variables['skipLatest'], 'true'))
+
   - task: PowerShell@2
     displayName: Connect Azure with live test service principal
     condition: and(succeeded(), ne(variables['skipLatest'], 'true'))
@@ -126,6 +134,14 @@ jobs:
       filePath: ./tools/TestFx/Live/InvokeLiveTestCITask.ps1
       arguments: -UseWindowsPowerShell ('${{ parameters.psVersion }}' -eq '5.1') -ScriptFile './tools/TestFx/Live/InvokeLiveTestScenarios.ps1 -OSVersion ${{ parameters.vmImage }} -RunPlatform ${{ parameters.osType }} -RunPowerShell ${{ parameters.psVersion }}'
 
+  - template: get-keyvault-secret-steps.yml
+    parameters:
+      serviceConnectionName: $(KustoServiceConnectionName)
+      keyVaultName: $(KustoServicePrincipalKeyVaultName)
+      secretName: $(KustoServicePrincipalSecretName)
+      outVar: 'KustoServicePrincipalSecret'
+      execCondition: and(succeeded(), ne(variables['skipLatest'], 'true'))
+
   - task: PowerShell@2
     displayName: Save live test results to Kusto
     condition: and(succeeded(), ne(variables['skipLatest'], 'true'), or(eq(variables['Build.Reason'], 'Schedule'), eq(variables['Build.SourceBranch'], 'refs/heads/internal/release')))
diff --git a/.azure-pipelines/util/smoke-test-steps.yml b/.azure-pipelines/util/smoke-test-steps.yml
@@ -20,7 +20,7 @@ jobs:
     inputs:
       packageType: sdk
       version: ${{ parameters.netCoreVersion }}
-    
+
   - task: PowerShell@2
     condition: and(succeeded(), eq('${{ parameters.psVersion }}', 'preview'))
     displayName: DownLoad Package for ${{ parameters.psVersion }}
@@ -37,13 +37,13 @@ jobs:
         *.tar.gz
       destinationFolder: ${{ parameters.PowerShellPath }}
       overwriteExistingFiles: true
-  
+
   - task: PowerShell@2
     displayName: Prepare Powershell ${{ parameters.psVersion }}
     inputs:
       filePath: 'tools/Test/SmokeTest/PrepareRequiredPowershell.ps1'
       arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
-      
+
   - task: DownloadPipelineArtifact@2
     condition: and(succeeded(), eq(variables['GalleryName'], 'LocalRepo'), eq(variables['PipelineId'], ''))
     displayName: Download Latest Artifacts from Build Pipeline
@@ -91,7 +91,7 @@ jobs:
     inputs:
       command: custom
       arguments: 'install Az.Compute -directdownload -packagesavemode nupkg -source https://www.powershellgallery.com/api/v2 -OutputDirectory packages'
-      
+
   - task: PowerShell@2
     condition: and(succeeded(), eq(variables['GalleryName'], 'LocalRepo'))
     displayName: 'Copy Previous Release .nupkg files to LocalRepo'
@@ -106,49 +106,53 @@ jobs:
     displayName: Install Az Modules from $(GalleryName)
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAzModules.ps1 -Gallery $(GalleryName) -LocalRepoLocation $(LocalRepoLocation)" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'   
-      
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAzModules.ps1 -Gallery $(GalleryName) -LocalRepoLocation $(LocalRepoLocation)" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
+
+  - template: get-keyvault-secret-steps.yml
+    parameters:
+      serviceConnectionName: $(ServiceConnectionName)
+      keyVaultName: $(ServicePrincipalKeyVaultName)
+      secretName: $(ServicePrincipalSecretName)
+      outVar: 'ServicePrincipalSecret'
+
   - task: PowerShell@2
-    displayName: Connect AzAccount 
+    displayName: Connect AzAccount
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/ConnectAzAccount.ps1 $(Password) $(ServicePrincipal) $(TenantId) $(SubscriptionId) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/ConnectAzAccount.ps1 $(ServicePrincipalSecret) $(ServicePrincipal) $(TenantId) $(SubscriptionId) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
-    displayName: Run Smoke Test 
+    displayName: Run Smoke Test
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
       arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/RmCoreSmokeTests.ps1 " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
       failOnStderr: true
 
-
   - task: PowerShell@2
     displayName: 'Run Smoke Test Reversely'
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
       arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/RmCoreSmokeTests.ps1 -Reverse" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
       failOnStderr: true
 
-
   - task: PowerShell@2
     displayName: Clean Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Update Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/UpdateAzModules.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/UpdateAzModules.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
-    displayName: Run Smoke Test 
+    displayName: Run Smoke Test
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
       arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/RmCoreSmokeTests.ps1 " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
       failOnStderr: true
-      
 
   - task: PowerShell@2
     displayName: 'Run Smoke Test Reversely'
@@ -157,48 +161,47 @@ jobs:
       arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/RmCoreSmokeTests.ps1 -Reverse " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
       failOnStderr: true
 
-
   - task: PowerShell@2
     displayName: Clean Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
-    
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
+
   - task: PowerShell@2
     displayName: Install an individual module
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAnIndividualModule.ps1 -Gallery $(GalleryName) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAnIndividualModule.ps1 -Gallery $(GalleryName) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Clean Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Update an individual module
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/UpdateAnIndividualModule.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/UpdateAnIndividualModule.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Clean Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Install Az on top of an individual module
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAzOnTopOfAnIndividualModule.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
- 
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/InstallAzOnTopOfAnIndividualModule.ps1 -Gallery $(GalleryName) -AllowEquality $(AllowEquality) " -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
+
   - task: PowerShell@2
     displayName: Clean Az Modules
     inputs:
       filePath: 'tools/Test/SmokeTest/ScriptsCaller.ps1'
-      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'  
+      arguments: '-RequiredPsVersion ${{ parameters.psVersion }} -Script "./tools/Test/SmokeTest/CleanAzModules.ps1" -PowerShellPath "${{ parameters.PowerShellPath }}" -AgentOS "$(Agent.OS)"'
 
   - task: PowerShell@2
     displayName: Install an individual module on top of Az
