test-resources-post.ps1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

# IMPORTANT: Do not invoke this file directly. Please instead run eng/common/TestResources/New-TestResources.ps1 from the repository root.

# Post-provisioning step for the azidentity live tests: builds the managed-identity test app into a
# container, pushes it to the deployed ACR, then deploys it to ACI, Azure Functions and AKS.
# Both parameters are supplied by New-TestResources.ps1: $DeploymentOutputs is indexed by the
# AZIDENTITY_* keys used below; $AdditionalParameters is only read for 'deployResources'.
param (
  [hashtable] $AdditionalParameters = @{},
  [hashtable] $DeploymentOutputs
)

# Fail fast: with both preferences set, a non-zero exit from any native command below
# (az, docker, kubectl) terminates the script instead of continuing with a half-provisioned environment.
$ErrorActionPreference = 'Stop'
$PSNativeCommandUseErrorActionPreference = $true

# $CI is not defined in this file; presumably set by the calling script or pipeline — verify against caller.
if ($CI) {
  if (!$AdditionalParameters['deployResources']) {
    Write-Host "Skipping post-provisioning script because resources weren't deployed"
    return
  }
  # NOTE(review): the client secret is passed as a command-line argument (-p), so it is visible in the
  # agent's process argument list while az runs. This script never echoes it; log redaction relies on the
  # pipeline's secret masking — confirm AZIDENTITY_CLIENT_SECRET is registered as a secret variable.
  az login --service-principal -u $DeploymentOutputs['AZIDENTITY_CLIENT_ID'] -p $DeploymentOutputs['AZIDENTITY_CLIENT_SECRET'] --tenant $DeploymentOutputs['AZIDENTITY_TENANT_ID']
  az account set --subscription $DeploymentOutputs['AZIDENTITY_SUBSCRIPTION_ID']
}

Write-Host "Building container"
# Single image tag in the deployment's ACR; the same tag is pushed below and referenced by the
# ACI, Functions (via docker create/cp) and AKS deployments.
$image = "$($DeploymentOutputs['AZIDENTITY_ACR_LOGIN_SERVER'])/azidentity-managed-id-test"
# Multi-stage Dockerfile: the builder stage compiles the test app for linux (amd64) and for windows
# (the .exe is reused for the Functions deployment further down); the runtime stage is alpine with gcompat.
# Both base images are referenced by floating tag (golang:latest, alpine:3.16) rather than by digest,
# so the image contents are not reproducible across runs.
# The here-string is expandable (@") but contains no PowerShell variables, so it is written verbatim.
Set-Content -Path "$PSScriptRoot/Dockerfile" -Value @"
FROM mcr.microsoft.com/oss/go/microsoft/golang:latest as builder
ENV GOARCH=amd64 GOWORK=off
COPY . /azidentity
WORKDIR /azidentity/testdata/managed-id-test
RUN go mod tidy
RUN go build -o /build/managed-id-test .
RUN GOOS=windows go build -o /build/managed-id-test.exe .

FROM mcr.microsoft.com/mirror/docker/library/alpine:3.16
RUN apk add gcompat
COPY --from=builder /build/* .
RUN chmod +x managed-id-test
CMD ["./managed-id-test"]
"@
# build from sdk/azidentity because we need that dir in the context (because the test app uses local azidentity)
# The generated Dockerfile (and k8s.yaml below) is written into $PSScriptRoot and is not removed by this script.
docker build -t $image "$PSScriptRoot"
az acr login -n $DeploymentOutputs['AZIDENTITY_ACR_NAME']
docker push $image

$rg = $DeploymentOutputs['AZIDENTITY_RESOURCE_GROUP']

# ACI is easier to provision here than in the bicep file because the image isn't available before now
Write-Host "Deploying Azure Container Instance"
$aciName = "azidentity-test"
# The container gets both a system-assigned identity ([system]) and the user-assigned identity;
# --acr-identity names the identity used to pull the image. --role/--scope grant Storage Blob Data Reader
# scoped to the test storage account only (AZIDENTITY_STORAGE_ID), not to the resource group.
# The -e values are interpolated unquoted from deployment outputs — assumes plain resource names.
az container create -g $rg -n $aciName --image $image `
  --acr-identity $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
  --assign-identity [system] $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
  --role "Storage Blob Data Reader" `
  --scope $($DeploymentOutputs['AZIDENTITY_STORAGE_ID']) `
  -e AZIDENTITY_STORAGE_NAME=$($DeploymentOutputs['AZIDENTITY_STORAGE_NAME']) `
     AZIDENTITY_STORAGE_NAME_USER_ASSIGNED=$($DeploymentOutputs['AZIDENTITY_STORAGE_NAME_USER_ASSIGNED']) `
     AZIDENTITY_USER_ASSIGNED_IDENTITY=$($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
     FUNCTIONS_CUSTOMHANDLER_PORT=80
# Azure Pipelines logging command: exposes the ACI name as a pipeline variable to later steps (e.g. the tests).
Write-Host "##vso[task.setvariable variable=AZIDENTITY_ACI_NAME;]$aciName"

# Azure Functions deployment: copy the Windows binary from the Docker image, deploy it in a zip
Write-Host "Deploying to Azure Functions"
# The .exe was produced by the builder stage (GOOS=windows) and copied into the final image, so it can be
# extracted from a created-but-not-started container; the container is removed (with volumes) afterwards.
$container = docker create $image
docker cp ${container}:managed-id-test.exe "$PSScriptRoot/testdata/managed-id-test/"
docker rm -v $container
# func.zip is written relative to the current working directory, not $PSScriptRoot, and is left behind.
Compress-Archive -Path "$PSScriptRoot/testdata/managed-id-test/*" -DestinationPath func.zip -Force
az functionapp deploy -g $rg -n $DeploymentOutputs['AZIDENTITY_FUNCTION_NAME'] --src-path func.zip --type zip

Write-Host "Creating federated identity"
$aksName = $DeploymentOutputs['AZIDENTITY_AKS_NAME']
$idName = $DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_NAME']
# The cluster's OIDC issuer URL (tsv, so a bare string). If the cluster exposes no issuer this is empty —
# NOTE(review): confirm az rejects an empty --issuer below rather than creating a credential with one.
$issuer = az aks show -g $rg -n $aksName --query "oidcIssuerProfile.issuerUrl" -otsv
$podName = "azidentity-test"
$serviceAccountName = "workload-identity-sa"
# Trust is pinned to one Kubernetes service account: the --subject restricts the exchange to tokens issued by
# $issuer for system:serviceaccount:default:$serviceAccountName (namespace 'default', matching k8s.yaml below).
az identity federated-credential create -g $rg --identity-name $idName --issuer $issuer --name $idName --subject system:serviceaccount:default:$serviceAccountName
Write-Host "Deploying to AKS"
# Writes kubeconfig for the cluster (used by kubectl apply below) and grants the cluster pull access to the ACR.
az aks get-credentials -g $rg -n $aksName
az aks update --attach-acr $DeploymentOutputs['AZIDENTITY_ACR_NAME'] -g $rg -n $aksName
# Manifest: a ServiceAccount annotated with the identity's client id, and a pod that uses it and opts in to
# workload identity via the azure.workload.identity/use label. Deployment-output values are interpolated
# into the YAML unquoted — NOTE(review): confirm none can contain YAML-significant characters.
Set-Content -Path "$PSScriptRoot/k8s.yaml" -Value @"
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_CLIENT_ID'])
  name: $serviceAccountName
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: $podName
  namespace: default
  labels:
    app: $podName
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $serviceAccountName
  containers:
  - name: $podName
    image: $image
    env:
    - name: AZIDENTITY_STORAGE_NAME
      value: $($DeploymentOutputs['AZIDENTITY_STORAGE_NAME_USER_ASSIGNED'])
    - name: AZIDENTITY_USE_WORKLOAD_IDENTITY
      value: "true"
    - name: FUNCTIONS_CUSTOMHANDLER_PORT
      value: "80"
  nodeSelector:
    kubernetes.io/os: linux
"@
kubectl apply -f "$PSScriptRoot/k8s.yaml"
# Same logging command as for ACI: publishes the pod name for later pipeline steps.
Write-Host "##vso[task.setvariable variable=AZIDENTITY_POD_NAME;]$podName"