Merge pull request #290 from microsoft/user/elay/remove-client-secret

Remove secret from cicd
microsoft · May 7, 2024 · ceaad79 · ceaad79
2 parents 18915aa + 148e87e
commit ceaad79
Show file tree

Hide file tree

Showing 8 changed files with 38 additions and 46 deletions.
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -9,10 +9,6 @@ env:
   PCTASKS_COSMOSDB__URL: ${{ secrets.COSMOSDB_URL }}
   PCTASKS_COSMOSDB__KEY: ${{ secrets.COSMOSDB_KEY }}
   PCTASKS_COSMOSDB__TEST_CONTAINER_SUFFIX: ${{ github.run_id }}
-  AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-  AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-  AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 
 permissions:
   id-token: write
@@ -72,23 +68,18 @@ jobs:
           ;;
           esac
 
-      - name: Log into the ACR (test)
-        env:
-          CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-        run: docker login pccomponentstest.azurecr.io --username ${CLIENT_ID} --password ${CLIENT_SECRET}
+      - name: Log in with Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Publish images (test)
-        run: ./scripts/publish --acr pccomponentstest --tag ${{steps.get_image_tag.outputs.tag}} --no-login
-
-      - name: Log into the ACR
-        env:
-          CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
-        run: docker login pccomponents.azurecr.io --username ${CLIENT_ID} --password ${CLIENT_SECRET}
+        run: ./scripts/publish --acr pccomponentstest --tag ${{steps.get_image_tag.outputs.tag}}
 
       - name: Publish images
-        run: ./scripts/publish --acr pccomponents --tag ${{steps.get_image_tag.outputs.tag}} --no-login
+        run: ./scripts/publish --acr pccomponents --tag ${{steps.get_image_tag.outputs.tag}}
 
       - name: Clean up CosmosDB test containers
         run: ./scripts/setup --rm-test-containers
@@ -105,10 +96,19 @@ jobs:
     steps:
       - uses: actions/checkout@v2
 
+      - name: Log in with Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Deploy
         run: ./scripts/cideploy
         env:
           IMAGE_TAG: ${{needs.build_and_publish.outputs.image_tag}}
           ENVIRONMENT: staging
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          ARM_USE_OIDC: true
diff --git a/deployment/Dockerfile b/deployment/Dockerfile
@@ -24,9 +24,9 @@ RUN echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu
 
 RUN apt-get update && apt-get install -y azure-functions-core-tools-4
 
-# Install Terraform 0.14.4
+# Install Terraform 1.8.2
 
-RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/1.1.2/terraform_1.1.2_linux_amd64.zip
+RUN wget -O terraform.zip https://releases.hashicorp.com/terraform/1.8.2/terraform_1.8.2_linux_amd64.zip
 RUN unzip terraform.zip
 RUN mv terraform /usr/local/bin
 

diff --git a/deployment/bin/deploy b/deployment/bin/deploy
@@ -33,11 +33,8 @@ Options:
 require_env "ARM_SUBSCRIPTION_ID"
 require_env "ARM_TENANT_ID"
 require_env "ARM_CLIENT_ID"
-require_env "ARM_CLIENT_SECRET"
+require_env "ARM_USE_OIDC"
 
-require_env "AZURE_TENANT_ID"
-require_env "AZURE_CLIENT_ID"
-require_env "AZURE_CLIENT_SECRET"
 
 ###################
 # Parse arguments #
@@ -112,8 +109,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
     # Gather environment variables from the terraform directory
     source "${TERRAFORM_DIR}"/env.sh
 
-    bin/azlogin
-
     require_env "DEPLOY_SECRETS_KV"
     require_env "DEPLOY_SECRETS_KV_SECRET"
     require_env "DEPLOY_SECRETS_KV_RG_NAME"

diff --git a/deployment/bin/lib b/deployment/bin/lib
@@ -71,11 +71,6 @@ function cluster_login() {
         CLUSTER_NAME=$2
     fi
 
-    az login --service-principal \
-        --username ${ARM_CLIENT_ID} \
-        --password ${ARM_CLIENT_SECRET} \
-        --tenant ${ARM_TENANT_ID}
-
     az aks get-credentials \
         --resource-group ${RESOURCE_GROUP} \
         --name ${CLUSTER_NAME} \
@@ -88,9 +83,7 @@ function cluster_login() {
     # So we export to a kubeconfig file
     echo "Converting kubeconfig..."
     kubelogin convert-kubeconfig \
-        --login spn \
-        --client-id ${ARM_CLIENT_ID} \
-        --client-secret ${ARM_CLIENT_SECRET} \
+        -l azurecli \
         --kubeconfig=kubeconfig
     export KUBECONFIG=kubeconfig
 }

diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
@@ -7,15 +7,15 @@ services:
       dockerfile: deployment/Dockerfile
     environment:
       # For Terraform
-      - ARM_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
-      - ARM_TENANT_ID=${AZURE_TENANT_ID}
-      - ARM_CLIENT_ID=${AZURE_CLIENT_ID}
-      - ARM_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
-
-      # For Azure CLI
-      - AZURE_TENANT_ID=${AZURE_TENANT_ID}
-      - AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
-      - AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
+      - ARM_SUBSCRIPTION_ID
+      - ARM_TENANT_ID
+      - ARM_CLIENT_ID
+      - ARM_USE_OIDC
+      - ARM_OIDC_TOKEN
+      - ACTIONS_ID_TOKEN_REQUEST_URL
+      - ACTIONS_ID_TOKEN_REQUEST_TOKEN
+      - ARM_OIDC_REQUEST_TOKEN
+      - ARM_OIDC_REQUEST_URL
 
       # Used in function deployment injected by GH Actions
       - GITHUB_TOKEN
@@ -26,3 +26,4 @@ services:
       - ../deployment:/opt/src/deployment
       - ../pctasks:/opt/src/pctasks:ro
       - ../pctasks_funcs:/opt/src/pctasks_funcs:ro
+      - ~/.azure:/root/.azure
diff --git a/deployment/terraform/batch_pool/providers.tf b/deployment/terraform/batch_pool/providers.tf
@@ -1,6 +1,7 @@
 provider azurerm {
   features {}
   skip_provider_registration = true
+  use_oidc = true
 }
 
 terraform {
@@ -9,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.65.0"
+      version = "3.97.1"
     }
   }
 }
diff --git a/deployment/terraform/resources/providers.tf b/deployment/terraform/resources/providers.tf
@@ -1,6 +1,7 @@
 provider azurerm {
   features {}
   skip_provider_registration = true
+  use_oidc = true
 }
 
 terraform {
@@ -9,7 +10,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.65.0"
+      version = "3.97.1"
     }
   }
 }

diff --git a/deployment/terraform/staging/backend.tf b/deployment/terraform/staging/backend.tf
@@ -4,5 +4,6 @@ terraform {
     storage_account_name = "pctesttfstate"
     container_name       = "pctasks"
     key                  = "staging.terraform.tfstate"
+    use_oidc             = true
   }
 }