Federated auth for live tests (Azure#23018)

* Wire up federated auth and migrate test jobs

* exit $LASTEXITCODE

* Activate federated auth for azappconfig

* Authenticate perf tests, too

* expression

* Correct params

* Remove reference to secret, better naming in build-test.yml

* ./

* InlineScript

* Testing comment

* Review feedback

* Review feedback: plumb EnvVars

* List

* Revert test ci.yml changes

* s

* Map SYSTEM_ACCESSTOKEN in environment for processes that need auth

Author: danieljurek

eng/pipelines/templates/jobs/archetype-sdk-client.yml

@@ -40,15 +40,30 @@ parameters:
     default:
       Public:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
+        ServiceConnection: azure-sdk-tests
+        SubscriptionConfigurationFilePaths:
+          - eng/common/TestResources/sub-config/AzurePublicMsft.json
       Preview:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources-preview)
+        ServiceConnection: azure-sdk-tests
+        # TODO:
+        SubscriptionConfigurationFilePaths:
       Canary:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
+        ServiceConnection: azure-sdk-tests
+        # TODO:
+        SubscriptionConfigurationFilePaths:
         Location: 'centraluseuap'
       UsGov:
         SubscriptionConfiguration: $(sub-config-gov-test-resources)
+        ServiceConnection: usgov_azure-sdk-tests
+        # TODO:
+        SubscriptionConfigurationFilePaths:
       China:
         SubscriptionConfiguration: $(sub-config-cn-test-resources)
+        ServiceConnection: china_azure-sdk-tests
+        # TODO:
+        SubscriptionConfigurationFilePaths:
   - name: MatrixConfigs
     type: object
     default:
@@ -86,6 +101,9 @@ parameters:
   - name: EnableRaceDetector
     type: boolean
     default: false
+  - name: UseFederatedAuth
+    type: boolean
+    default: false
 
 extends:
   template: /eng/pipelines/templates/stages/1es-redirect.yml
@@ -180,6 +198,7 @@ extends:
                                   - ${{ parameters.PreSteps }}
                                 PostSteps:
                                   - ${{ parameters.PostSteps }}
+                                UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
                               MatrixConfigs:
                                 # Enumerate platforms and additional platforms based on supported clouds (sparse platform<-->cloud matrix).
                                 - ${{ each config in parameters.MatrixConfigs }}:
@@ -199,6 +218,8 @@ extends:
                                 SubscriptionConfigurations: ${{ cloud.value.SubscriptionConfigurations }}
                                 Location: ${{ coalesce(parameters.Location, cloud.value.Location) }}
                                 Cloud: ${{ cloud.key }}
+                                ServiceConnection: ${{ cloud.value.ServiceConnection }}
+                                SubscriptionConfigurationFilePaths: ${{ cloud.value.SubscriptionConfigurationFilePaths }}
 
       # The Prerelease and Release stages are conditioned on:
       # 1. Internal trigger, not Pull Request trigger

eng/pipelines/templates/jobs/live.tests.yml

@@ -33,6 +33,9 @@ parameters:
     default: '600s'
   - name: OSName
     type: string
+  - name: UseFederatedAuth
+    type: boolean
+    default: false
 
 jobs:
   - job:
@@ -83,6 +86,10 @@ jobs:
           ServiceDirectory: ${{ parameters.ServiceDirectory }}
           SubscriptionConfiguration: $(SubscriptionConfiguration)
           ArmTemplateParameters: $(ArmTemplateParameters)
+          UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+          ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}
+          SubscriptionConfigurationFilePaths: ${{ parameters.CloudConfig.SubscriptionConfigurationFilePaths}}
+          EnvVars: ${{ parameters.EnvVars }}
 
       - task: GoTool@0
         inputs:
@@ -97,6 +104,8 @@ jobs:
           Image: $(OSVmImage)
           GoVersion: $(GoVersion)
           TestRunTime: ${{ parameters.TestRunTime }}
+          UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+          ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}
           EnvVars:
             AZURE_RECORD_MODE: 'live'
             ${{ insert }}: ${{ parameters.EnvVars }}
@@ -107,3 +116,6 @@ jobs:
         parameters:
           ServiceDirectory: ${{ parameters.ServiceDirectory }}
           SubscriptionConfiguration: $(SubscriptionConfiguration)
+          UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+          ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}
+          EnvVars: ${{ parameters.EnvVars }}

eng/pipelines/templates/steps/build-test.yml

@@ -20,6 +20,12 @@ parameters:
   - name: EnableRaceDetector
     type: boolean
     default: false
+  - name: UseFederatedAuth
+    type: boolean
+    default: false
+  - name: ServiceConnection
+    type: string
+    default: ''
 
 steps:
   - task: Powershell@2
@@ -68,27 +74,60 @@ steps:
   - ${{ if eq(parameters.TestProxy, true) }}:
     - template: /eng/common/testproxy/test-proxy-tool.yml
 
-  - task: PowerShell@2
-    displayName: 'Run Tests'
-    inputs:
-      targetType: 'filePath'
-      filePath: ./eng/scripts/run_tests.ps1
-      arguments: '${{ parameters.ServiceDirectory }} ${{ parameters.TestRunTime }} $${{ parameters.EnableRaceDetector }}'
-      pwsh: true
-    env:
-      GO111MODULE: 'on'
-      PROXY_CERT: $(Build.SourcesDirectory)/eng/common/testproxy/dotnet-devcert.crt
-      ${{ insert }}: ${{ parameters.EnvVars }}
-      GOTRACEBACK: all
-      AZURE_SDK_GO_LOGGING: all
+  - ${{ if parameters.UseFederatedAuth }}:
+    - task: AzurePowerShell@5
+      displayName: Run Tests (Federated Auth)
+      inputs:
+        azureSubscription: ${{ parameters.ServiceConnection }}
+        azurePowerShellVersion: LatestVersion
+        ScriptType: InlineScript
+        Inline: |
+          ./eng/scripts/run_tests.ps1 ${{ parameters.ServiceDirectory }} ${{ parameters.TestRunTime }} $${{ parameters.EnableRaceDetector }}
+          exit $LASTEXITCODE
+        pwsh: true
+      env:
+        GO111MODULE: 'on'
+        PROXY_CERT: $(Build.SourcesDirectory)/eng/common/testproxy/dotnet-devcert.crt
+        ${{ insert }}: ${{ parameters.EnvVars }}
+        GOTRACEBACK: all
+        AZURE_SDK_GO_LOGGING: all
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
-  - task: PowerShell@2
-    displayName: 'Build Performance Tests'
-    inputs:
-      targetType: 'filePath'
-      filePath: ./eng/scripts/Build_Perf.ps1
-      arguments: '${{ parameters.ServiceDirectory }} $$(UseAzcoreFromMain)'
-      pwsh: true
+    - task: AzurePowerShell@5
+      displayName: Build Performance Tests (Federated Auth)
+      inputs:
+        azureSubscription: ${{ parameters.ServiceConnection }}
+        azurePowerShellVersion: LatestVersion
+        ScriptType: InlineScript
+        Inline: |
+          eng/scripts/Build_Perf.ps1 ${{ parameters.ServiceDirectory }} $$(UseAzcoreFromMain)
+          exit $LASTEXITCODE
+        pwsh: true
+      env:
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
+  - ${{ else }}:
+    - task: PowerShell@2
+      displayName: 'Run Tests'
+      inputs:
+        targetType: 'filePath'
+        filePath: ./eng/scripts/run_tests.ps1
+        arguments: '${{ parameters.ServiceDirectory }} ${{ parameters.TestRunTime }} $${{ parameters.EnableRaceDetector }}'
+        pwsh: true
+      env:
+        GO111MODULE: 'on'
+        PROXY_CERT: $(Build.SourcesDirectory)/eng/common/testproxy/dotnet-devcert.crt
+        ${{ insert }}: ${{ parameters.EnvVars }}
+        GOTRACEBACK: all
+        AZURE_SDK_GO_LOGGING: all
+
+    - task: PowerShell@2
+      displayName: 'Build Performance Tests'
+      inputs:
+        targetType: 'filePath'
+        filePath: ./eng/scripts/Build_Perf.ps1
+        arguments: '${{ parameters.ServiceDirectory }} $$(UseAzcoreFromMain)'
+        pwsh: true
 
   - ${{ if eq(parameters.TestProxy, true) }}:
     - pwsh: |

sdk/data/azappconfig/test-resources.json

@@ -21,12 +21,6 @@
                 "description": "The application client ID used to run tests."
             }
         },
-        "testApplicationSecret": {
-            "type": "string",
-            "metadata": {
-                "description": "The application client secret used to run tests."
-            }
-        },
         "testApplicationOid": {
             "type": "string",
             "metadata": {