[Monitor] Use federated auth for live tests (#36497)

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/monitor/azure-monitor-query/tests/conftest.py

@@ -49,6 +49,4 @@ def monitor_info(environment_variables):
         "workspace_id": environment_variables.get(ENV_WORKSPACE_ID),
         "secondary_workspace_id": environment_variables.get(ENV_SECONDARY_WORKSPACE_ID),
         "table_name": environment_variables.get(ENV_TABLE_NAME),
-        "client_id": environment_variables.get(ENV_CLIENT_ID),
-        "tenant_id": environment_variables.get(ENV_TENANT_ID)
     }

sdk/monitor/azure-monitor-query/tests/test_exceptions.py

@@ -56,9 +56,9 @@ def test_logs_resource_query_partial_exception(self, recorded_test, monitor_info
 
     def test_logs_batch_query_fatal_exception(self, recorded_test, monitor_info):
         credential  = ClientSecretCredential(
-            client_id = monitor_info['client_id'],
-            client_secret = 'bad_secret',
-            tenant_id = monitor_info['tenant_id']
+            client_id = "00000000-0000-0000-0000-000000000000",
+            client_secret = "bad_secret",
+            tenant_id = "00000000-0000-0000-0000-000000000000"
         )
         client = self.get_client(LogsQueryClient, credential)
         requests = [

sdk/monitor/azure-monitor-query/tests/test_exceptions_async.py

@@ -65,9 +65,9 @@ async def test_logs_resource_query_partial_exception(self, recorded_test, monito
     @pytest.mark.asyncio
     async def test_logs_batch_query_fatal_exception(self, recorded_test, monitor_info):
         credential  = ClientSecretCredential(
-            client_id = monitor_info['client_id'],
-            client_secret = 'bad_secret',
-            tenant_id = monitor_info['tenant_id']
+            client_id = "00000000-0000-0000-0000-000000000000",
+            client_secret = "bad_secret",
+            tenant_id = "00000000-0000-0000-0000-000000000000"
         )
         client = self.get_client(LogsQueryClient, credential)
         async with client:

sdk/monitor/test-resources-post.ps1

@@ -4,18 +4,26 @@
 # IMPORTANT: Do not invoke this file directly. Please instead run eng/New-TestResources.ps1 from the repository root.
 
 param (
-    [hashtable] $DeploymentOutputs
+    [hashtable] $DeploymentOutputs,
+
+    [Parameter()]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $TestApplicationId,
+
+    [Parameter()]
+    [ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
+    [string] $SubscriptionId,
+
+    [Parameter(ValueFromRemainingArguments = $true)]
+    $RemoveTestResourcesRemainingArguments
 )
 
 # Outputs from the Bicep deployment passed in from New-TestResources
-$tenantId = $DeploymentOutputs['MONITOR_TENANT_ID']
-$clientId = $DeploymentOutputs['MONITOR_CLIENT_ID']
-$clientSecret = $DeploymentOutputs['MONITOR_CLIENT_SECRET']
+$tenantId = $DeploymentOutputs['AZURE_MONITOR_TENANT_ID']
 $dcrImmutableId = $DeploymentOutputs['AZURE_MONITOR_DCR_ID']
 $dceEndpoint = $DeploymentOutputs['AZURE_MONITOR_DCE']
 $streamName = $DeploymentOutputs['AZURE_MONITOR_STREAM_NAME']
 $environment = $DeploymentOutputs['MONITOR_ENVIRONMENT']
-$authorityHost = $DeploymentOutputs['AZURE_AUTHORITY_HOST']
 
 ##################
 ### Step 0: Wait for role assignment to propagate
@@ -35,11 +43,16 @@ $audienceMappings = @{
 
 $audience = $audienceMappings[$environment]
 
-$scope= [System.Web.HttpUtility]::UrlEncode("$audience/.default")
-$body = "client_id=$clientId&scope=$scope&client_secret=$clientSecret&grant_type=client_credentials";
-$headers = @{"Content-Type"="application/x-www-form-urlencoded"};
-$uri = "$authorityHost/$tenantId/oauth2/v2.0/token"
-$bearerToken = (Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers).access_token
+az cloud set --name $environment
+
+if ($CI) {
+    az login --service-principal -u $TestApplicationId --tenant $tenantId --allow-no-subscriptions --federated-token $env:ARM_OIDC_TOKEN
+} else {
+    az login
+}
+az account set --subscription $SubscriptionId
+
+$bearerToken = az account get-access-token --output json --resource $audience | ConvertFrom-Json | Select-Object -ExpandProperty accessToken
 
 ##################
 ### Step 2: Load up some sample data.

sdk/monitor/test-resources.bicep

@@ -4,6 +4,9 @@ param baseName string = resourceGroup().name
 @description('Which Azure Region to deploy the resource to. Defaults to the resource group location.')
 param location string = resourceGroup().location
 
+@description('The tenant ID')
+param tenantId string = ''
+
 @description('The principal to assign the role to. This is application object id.')
 param testApplicationOid string
 
@@ -238,3 +241,4 @@ output AZURE_MONITOR_DCE string = dataCollectionEndpoint.properties.logsIngestio
 output AZURE_MONITOR_DCR_ID string = dataCollectionRule.properties.immutableId
 output AZURE_MONITOR_STREAM_NAME string = streamName
 output AZURE_MONITOR_TABLE_NAME string = tableName
+output AZURE_MONITOR_TENANT_ID string = tenantId

sdk/monitor/tests.yml

@@ -1,24 +1,40 @@
+# cSpell:ignore pscore
+# cSpell:ignore issecret
 trigger: none
 
 extends:
     template: /eng/pipelines/templates/stages/archetype-sdk-tests.yml
     parameters:
+      PreSteps:
+        - task: AzureCLI@2
+          displayName: Set OIDC variables
+          inputs:
+            azureSubscription: azure-sdk-tests
+            scriptType: pscore
+            scriptLocation: inlineScript
+            addSpnToEnvironment: true
+            inlineScript: |
+              Write-Host "##vso[task.setvariable variable=ARM_OIDC_TOKEN;issecret=true]$($env:idToken)"
       ServiceDirectory: monitor
       TestTimeoutInMinutes: 300
       BuildTargetingString: azure-monitor-*
       SupportedClouds: 'Public,UsGov,China'
       CloudConfig:
         Public:
           SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
+          ServiceConnection: azure-sdk-tests
+          SubscriptionConfigurationFilePaths:
+            - eng/common/TestResources/sub-config/AzurePublicMsft.json
         UsGov:
+          ServiceConnection: azure-sdk-tests
           SubscriptionConfiguration: $(sub-config-gov-test-resources)
         China:
+          ServiceConnection: azure-sdk-tests
           SubscriptionConfiguration: $(sub-config-cn-test-resources)
           Location: chinanorth3
+      UseFederatedAuth: true
       EnvVars:
         AZURE_SUBSCRIPTION_ID: $(MONITOR_SUBSCRIPTION_ID)
-        AZURE_TENANT_ID: $(MONITOR_TENANT_ID)
-        AZURE_CLIENT_ID: $(MONITOR_CLIENT_ID)
-        AZURE_CLIENT_SECRET: $(MONITOR_CLIENT_SECRET)
         AZURE_TEST_RUN_LIVE: 'true'
         AZURE_SKIP_LIVE_RECORDING: 'true'
+        ARM_OIDC_TOKEN: $(ARM_OIDC_TOKEN)