DockerBuild.ps1: transfer environment variables from key vault.

Author: gfraiteur

DockerBuild.ps1

@@ -11,14 +11,18 @@ param(
     [switch]$KeepEnv, # Does not override the env.g.json file.
     [string]$ImageName, # Image name (defaults to a name based on the directory).
     [string]$BuildAgentPath = 'C:\BuildAgent',
+    [switch]$LoadEnvFromKeyVault, # Forces loading environment variables form the key vault.
     [Parameter(ValueFromRemainingArguments)]
     [string[]]$BuildArgs   # Arguments passed to `Build.ps1` within the container.
 )
 
-# This setting is replaced by the generate-scripts command.
+####
+# These settings are replaced by the generate-scripts command.
 $EngPath = 'eng'
-$EnvironmentVariables = 'AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AZ_IDENTITY_USERNAME,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_DEVOPS_TOKEN,AZURE_DEVOPS_USER,AZURE_TENANT_ID,DOC_API_KEY,DOWNLOADS_API_KEY,ENG_USERNAME,GIT_USER_EMAIL,GIT_USER_NAME,GITHUB_AUTHOR_EMAIL,GITHUB_REVIEWER_TOKEN,GITHUB_TOKEN,IS_POSTSHARP_OWNED,IS_TEAMCITY_AGENT,NUGET_ORG_API_KEY,SIGNSERVER_SECRET,TEAMCITY_CLOUD_TOKEN,TYPESENSE_API_KEY,VS_MARKETPLACE_ACCESS_TOKEN,VSS_NUGET_EXTERNAL_FEED_ENDPOINTS'
+$EnvironmentVariables = 'AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AZ_IDENTITY_USERNAME,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_DEVOPS_TOKEN,AZURE_DEVOPS_USER,AZURE_TENANT_ID,DOC_API_KEY,DOWNLOADS_API_KEY,ENG_USERNAME,GIT_USER_EMAIL,GIT_USER_NAME,GITHUB_AUTHOR_EMAIL,GITHUB_REVIEWER_TOKEN,GITHUB_TOKEN,IS_POSTSHARP_OWNED,IS_TEAMCITY_AGENT,MetalamaLicense,NUGET_ORG_API_KEY,PostSharpLicense,SIGNSERVER_SECRET,TEAMCITY_CLOUD_TOKEN,TYPESENSE_API_KEY,VS_MARKETPLACE_ACCESS_TOKEN,VSS_NUGET_EXTERNAL_FEED_ENDPOINTS'
+####
 
+$ErrorActionPreference = "Stop"
 $dockerContextDirectory = "$EngPath/docker-context"
 
 # Function to create secrets JSON file
@@ -42,6 +46,27 @@ function New-EnvJson
         }
     }
 
+    # Add secrets from the PostSharpBuildEnv key vault, on our development machines.
+    # On CI agents, these environment variables are supposed to be set by the host.
+    if ($LoadEnvFromKeyVault -or ($env:IS_POSTSHARP_OWNED -and -not $env:IS_TEAMCITY_AGENT))
+    {
+        $moduleName = "Az.KeyVault"
+
+        if (-not (Get-Module -ListAvailable -Name $moduleName)) {
+            Write-Error "The required module '$moduleName' is not installed. Please install it with: Install-Module -Name $moduleName"
+            exit 1
+        }
+
+        Import-Module $moduleName
+        foreach ($secret in Get-AzKeyVaultSecret -VaultName "PostSharpBuildEnv")
+        {
+            $secretWithValue = Get-AzKeyVaultSecret -VaultName "PostSharpBuildEnv" -Name $secret.Name
+            $envName = $secretWithValue.Name -Replace "-", "_"
+            $envValue = (ConvertFrom-SecureString $secretWithValue.SecretValue -AsPlainText)
+            $secrets[$envName] = $envValue
+        }
+    }
+
     # Convert to JSON and save
     $jsonPath = Join-Path $dockerContextDirectory "env.g.json"
 
@@ -98,6 +123,7 @@ if (-not $KeepEnv)
         $env:ENG_USERNAME = $env:USERNAME
     }
 
+    # Add git identity to environment
     $env:GIT_USER_EMAIL = git config --global user.email
     $env:GIT_USER_NAME = git config --global user.name
 

src/PostSharp.Engineering.BuildTools/Build/Model/Product.cs

@@ -135,7 +135,7 @@ public BuildAgentRequirements ResolvedBuildAgentRequirements
         public static ImmutableArray<Publisher> DefaultPublicPublishers { get; }
             =
             [
-                new NugetPublisher( Pattern.Create( "*.nupkg" ), "https://api.nuget.org/v3/index.json", "%NUGET_ORG_API_KEY%" ),
+                new NugetPublisher( Pattern.Create( "*.nupkg" ), "https://api.nuget.org/v3/index.json", $"%{EnvironmentVariableNames.NuGetOrgApiKey}%" ),
                 new VsixPublisher( Pattern.Create( "*.vsix" ) )
             ];
 

src/PostSharp.Engineering.BuildTools/Build/Publishing/DocumentationPublisher.cs

@@ -9,5 +9,5 @@ namespace PostSharp.Engineering.BuildTools.Build.Publishing;
 public class DocumentationPublisher : InvalidatingS3Publisher
 {
     public DocumentationPublisher( IReadOnlyCollection<S3PublisherConfiguration> configurations, string documentationUrl )
-        : base( configurations, $"{documentationUrl}_api/invalidate?%DOC_API_KEY%" ) { }
+        : base( configurations, $"{documentationUrl}_api/invalidate?%{EnvironmentVariableNames.DocInvalidationKey}%" ) { }
 }

src/PostSharp.Engineering.BuildTools/Build/Publishing/Downloads/DownloadPublisher.cs

@@ -10,5 +10,5 @@ public class DownloadPublisher : InvalidatingS3Publisher
 {
     public DownloadPublisher( IReadOnlyCollection<S3PublisherConfiguration> configurations ) : base(
         configurations,
-        "https://www.postsharp.net/download/Refresh.ashx?p=%DOWNLOADS_API_KEY%" ) { }
+        $"https://www.postsharp.net/download/Refresh.ashx?p=%{EnvironmentVariableNames.DownloadsInvalidationKey}%" ) { }
 }

src/PostSharp.Engineering.BuildTools/Build/Publishing/MsDeployPublisher.cs

@@ -34,7 +34,7 @@ private static bool QueryPublishProfile(
             var args =
                 $"webapp deployment list-publishing-profiles --subscription {configuration.SubscriptionId} --resource-group {configuration.ResourceGroupName} --name {configuration.SiteName} --slot {configuration.SlotName}";
 
-            if ( !AzHelper.Query( context.Console, args, settings.Dry, out var profiles ) )
+            if ( !AzHelper.Query( context, args, settings.Dry, out var profiles ) )
             {
                 publishProfile = null;
 

src/PostSharp.Engineering.BuildTools/Build/Publishing/VsixPublisher.cs

@@ -49,7 +49,7 @@ public override SuccessCode PublishFile(
             var exe = $@"{vsSdkDir}\VisualStudioIntegration\Tools\Bin\VsixPublisher.exe";
 
             var args =
-                $" publish -payload \"{file}\" -publishManifest \"{file}.json\" -personalAccessToken \"%VS_MARKETPLACE_ACCESS_TOKEN%\"";
+                $" publish -payload \"{file}\" -publishManifest \"{file}.json\" -personalAccessToken \"%{nameof(EnvironmentVariableNames.VsMarketplaceAccessToken)}%\"";
 
             if ( settings.Dry )
             {

src/PostSharp.Engineering.BuildTools/Build/Swapping/AppServiceSwapper.cs

@@ -57,7 +57,7 @@ protected override SuccessCode ExecuteCore(
                 return SuccessCode.Success;
             }
 
-            return AzHelper.Run( context.Console, args, settings.Dry ) ? SuccessCode.Success : SuccessCode.Error;
+            return AzHelper.Run( context, args, settings.Dry ) ? SuccessCode.Success : SuccessCode.Error;
         }
     }
 }

src/PostSharp.Engineering.BuildTools/ContinuousIntegration/AzureDevOpsHelper.cs

@@ -21,7 +21,6 @@ private static bool TryConnect( ConsoleHelper console, string url, [NotNullWhen(
     {
         var user = Environment.GetEnvironmentVariable( EnvironmentVariableNames.AzureDevOpsUser ) ?? "[email protected]";
 
-        
         var token = Environment.GetEnvironmentVariable( EnvironmentVariableNames.AzureDevOpsToken );
 
         if ( string.IsNullOrEmpty( token ) )
@@ -79,7 +78,7 @@ private static bool TryConnect( ConsoleHelper console, string url, [NotNullWhen(
                 var pullRequestWithAutoCompleteEnabled = new GitPullRequest
                 {
                     AutoCompleteSetBy = new IdentityRef { Id = createdPullRequest.CreatedBy.Id },
-                    CompletionOptions = new GitPullRequestCompletionOptions { DeleteSourceBranch = true, MergeCommitMessage = title },
+                    CompletionOptions = new GitPullRequestCompletionOptions { DeleteSourceBranch = true, MergeCommitMessage = title }
                 };
 
                 console.WriteMessage( "Setting the new pull request to get completed automatically." );
@@ -117,10 +116,13 @@ public static async Task<bool> TrySetBranchPoliciesAsync(
         var project = azureDevOpsRepository.Project;
         var projectIdArgs = $"--org {org} --project {project}";
 
-        context.Console.WriteMessage( "Fetching repository ID." );
+        var console = context.Console;
+        var product = context.Product;
+
+        console.WriteMessage( "Fetching repository ID." );
 
         if ( !AzHelper.Query(
-                context.Console,
+                context,
                 $"repos show --repository {repository} {projectIdArgs}",
                 dry,
                 out var repositoryJson ) )
@@ -138,24 +140,24 @@ string GetCommonArgs( string branch )
             return $"{branchIdArgs} --blocking true --enabled true";
         }
 
-        var branch = context.Product.DependencyDefinition.Branch;
+        var branch = product.DependencyDefinition.Branch;
         var commonArgs = GetCommonArgs( branch );
 
         bool TryRequireApproversAndCommentResolution()
         {
-            context.Console.WriteMessage( $"Requiring approvers for '{branch}' branch." );
+            console.WriteMessage( $"Requiring approvers for '{branch}' branch." );
 
             if ( !AzHelper.Run(
-                    context.Console,
+                    context,
                     $"repos policy approver-count create {commonArgs} --allow-downvotes false --creator-vote-counts true --minimum-approver-count 1 --reset-on-source-push false",
                     dry ) )
             {
                 return false;
             }
 
-            context.Console.WriteMessage( $"Requiring comment resolution for '{branch}' branch." );
+            console.WriteMessage( $"Requiring comment resolution for '{branch}' branch." );
 
-            if ( !AzHelper.Run( context.Console, $"repos policy comment-required create {commonArgs}", dry ) )
+            if ( !AzHelper.Run( context, $"repos policy comment-required create {commonArgs}", dry ) )
             {
                 return false;
             }
@@ -170,11 +172,11 @@ bool TryRequireApproversAndCommentResolution()
 
         if ( buildStatusName == null )
         {
-            context.Console.WriteMessage( $"Success status for '{branch}' branch is not required." );    
+            console.WriteMessage( $"Success status for '{branch}' branch is not required." );
         }
         else
         {
-            context.Console.WriteMessage( $"Requiring success status for '{branch}' branch." );
+            console.WriteMessage( $"Requiring success status for '{branch}' branch." );
 
             // This is not covered by "az repos policy" command. https://github.com/Azure/azure-devops-cli-extension/issues/1040
             var statusCheckPayload = $@"{{
@@ -207,7 +209,7 @@ bool TryRequireApproversAndCommentResolution()
             {
                 await File.WriteAllTextAsync( statusCheckPayloadFile, statusCheckPayload );
 
-                if ( !AzHelper.Run( context.Console, $"repos policy create {projectIdArgs} --config {statusCheckPayloadFile}", dry ) )
+                if ( !AzHelper.Run( context, $"repos policy create {projectIdArgs} --config {statusCheckPayloadFile}", dry ) )
                 {
                     return false;
                 }
@@ -218,26 +220,26 @@ bool TryRequireApproversAndCommentResolution()
             }
         }
 
-        if ( context.Product.DependencyDefinition.ReleaseBranch != null )
+        if ( product.DependencyDefinition.ReleaseBranch != null )
         {
             var developBranch = branch;
-            branch = context.Product.DependencyDefinition.ReleaseBranch;
+            branch = product.DependencyDefinition.ReleaseBranch;
             commonArgs = GetCommonArgs( branch );
 
             if ( !TryRequireApproversAndCommentResolution() )
             {
                 return false;
             }
 
-            context.Console.WriteMessage( $"Requiring reviewers for '{branch}' branch." );
+            console.WriteMessage( $"Requiring reviewers for '{branch}' branch." );
 
             var message =
                 $"\"TeamCity is a required reviewer because only automated merges during publishing are allowed to a release branch. For development, use '{developBranch}' branch as a target branch of your PR.\"";
 
             var options = new ToolInvocationOptions( new Dictionary<string, string?> { { "ReviewerMessage", message } }.ToImmutableDictionary() );
 
             if ( !AzHelper.Run(
-                    context.Console,
+                    context,
                     $"repos policy required-reviewer create {commonArgs} --message %ReviewerMessage% --required-reviewer-ids [email protected]",
                     dry,
                     options ) )
@@ -248,9 +250,9 @@ bool TryRequireApproversAndCommentResolution()
 
         return await Task.FromResult( true );
     }
-    
+
     public static async Task<bool> TrySetDefaultBranchAsync(
-        ConsoleHelper console,
+        BuildContext context,
         AzureDevOpsRepository azureDevOpsRepository,
         string defaultBranch,
         bool dry )
@@ -261,10 +263,10 @@ public static async Task<bool> TrySetDefaultBranchAsync(
         var projectIdArgs = $"--org {org} --project {project}";
         var repositoryIdArgs = $"{projectIdArgs} --repository {repository}";
 
-        console.WriteMessage( $"Setting repository default branch to '{defaultBranch}'." );
+        context.Console.WriteMessage( $"Setting repository default branch to '{defaultBranch}'." );
 
         if ( !AzHelper.Run(
-                console,
+                context,
                 $"repos update {repositoryIdArgs} --default-branch {defaultBranch}",
                 dry ) )
         {

src/PostSharp.Engineering.BuildTools/EnvironmentVariableNames.cs

@@ -2,7 +2,7 @@
 
 namespace PostSharp.Engineering.BuildTools;
 
-public static class EnvironmentVariableNames
+internal static class EnvironmentVariableNames
 {
     // Our infrastructure
     public const string IsPostSharpOwned = "IS_POSTSHARP_OWNED";
@@ -11,6 +11,8 @@ public static class EnvironmentVariableNames
     public const string SignServerSecret = "SIGNSERVER_SECRET";
     public const string DocInvalidationKey = "DOC_API_KEY";
     public const string DownloadsInvalidationKey = "DOWNLOADS_API_KEY";
+    private const string _metalamaLicense = "MetalamaLicense";
+    private const string _postSharpLicense = "PostSharpLicense";
 
     // AWS
     public const string AwsAccessKeyId = "AWS_ACCESS_KEY_ID";
@@ -21,10 +23,10 @@ public static class EnvironmentVariableNames
 
     // NuGet.org
     public const string NuGetOrgApiKey = "NUGET_ORG_API_KEY";
-    
+
     // Git - set by DockerBuild.ps1 from current git config.
-    public const string GitUserName = "GIT_USER_NAME";
-    public const string GitUserEmail = "GIT_USER_EMAIL";
+    private const string _gitUserName = "GIT_USER_NAME";
+    private const string _gitUserEmail = "GIT_USER_EMAIL";
 
     // GitHub
     public const string GitHubToken = "GITHUB_TOKEN";
@@ -48,6 +50,7 @@ public static class EnvironmentVariableNames
     public const string AzureClientSecret = "AZURE_CLIENT_SECRET";
     public const string AzureTenantId = "AZURE_TENANT_ID";
 
+    // List of all environment variables, injected into DockerBuild.ps1 and passed to the container.
     public static readonly string[] All =
     [
         TeamCityToken,
@@ -62,8 +65,8 @@ public static class EnvironmentVariableNames
         AzureDevOpsToken,
         GitHubReviewerToken,
         GitHubAuthorEmail,
-        GitUserEmail,
-        GitUserName,
+        _gitUserEmail,
+        _gitUserName,
         NuGetOrgApiKey,
         AwsAccessKeyId,
         AwsAccessKeySecret,
@@ -73,6 +76,8 @@ public static class EnvironmentVariableNames
         AzureClientSecret,
         AzureTenantId,
         DocInvalidationKey,
-        DownloadsInvalidationKey
+        DownloadsInvalidationKey,
+        _metalamaLicense,
+        _postSharpLicense
     ];
 }

src/PostSharp.Engineering.BuildTools/Resources/DockerBuild.ps1

@@ -11,14 +11,18 @@ param(
     [switch]$KeepEnv, # Does not override the env.g.json file.
     [string]$ImageName, # Image name (defaults to a name based on the directory).
     [string]$BuildAgentPath = 'C:\BuildAgent',
+    [switch]$LoadEnvFromKeyVault, # Forces loading environment variables form the key vault.
     [Parameter(ValueFromRemainingArguments)]
     [string[]]$BuildArgs   # Arguments passed to `Build.ps1` within the container.
 )
 
-# This setting is replaced by the generate-scripts command.
+####
+# These settings are replaced by the generate-scripts command.
 $EngPath = '<ENG_PATH>'
 $EnvironmentVariables = '<ENVIRONMENT_VARIABLES>'
+####
 
+$ErrorActionPreference = "Stop"
 $dockerContextDirectory = "$EngPath/docker-context"
 
 # Function to create secrets JSON file
@@ -42,6 +46,27 @@ function New-EnvJson
         }
     }
 
+    # Add secrets from the PostSharpBuildEnv key vault, on our development machines.
+    # On CI agents, these environment variables are supposed to be set by the host.
+    if ($LoadEnvFromKeyVault -or ($env:IS_POSTSHARP_OWNED -and -not $env:IS_TEAMCITY_AGENT))
+    {
+        $moduleName = "Az.KeyVault"
+
+        if (-not (Get-Module -ListAvailable -Name $moduleName)) {
+            Write-Error "The required module '$moduleName' is not installed. Please install it with: Install-Module -Name $moduleName"
+            exit 1
+        }
+
+        Import-Module $moduleName
+        foreach ($secret in Get-AzKeyVaultSecret -VaultName "PostSharpBuildEnv")
+        {
+            $secretWithValue = Get-AzKeyVaultSecret -VaultName "PostSharpBuildEnv" -Name $secret.Name
+            $envName = $secretWithValue.Name -Replace "-", "_"
+            $envValue = (ConvertFrom-SecureString $secretWithValue.SecretValue -AsPlainText)
+            $secrets[$envName] = $envValue
+        }
+    }
+
     # Convert to JSON and save
     $jsonPath = Join-Path $dockerContextDirectory "env.g.json"
 
@@ -98,6 +123,7 @@ if (-not $KeepEnv)
         $env:ENG_USERNAME = $env:USERNAME
     }
 
+    # Add git identity to environment
     $env:GIT_USER_EMAIL = git config --global user.email
     $env:GIT_USER_NAME = git config --global user.name