From eddb4d308b03ae8ce63918752f3262b5773a684f Mon Sep 17 00:00:00 2001 From: Jenna Goldstrich Date: Fri, 11 Aug 2023 14:32:29 -0700 Subject: [PATCH 1/5] Re-introduce OIDC test and set version to v2 --- .github/workflows/oidc-test.yaml | 54 ++++++++++++++++++++++++++++++ README.md | 2 +- example/oidc-example.json | 28 ---------------- example/ubuntu-chroot.json.pkr.hcl | 54 ++++++++++++++++++++++++++++++ version/version.go | 2 +- 5 files changed, 110 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/oidc-test.yaml delete mode 100644 example/oidc-example.json create mode 100644 example/ubuntu-chroot.json.pkr.hcl diff --git a/.github/workflows/oidc-test.yaml b/.github/workflows/oidc-test.yaml new file mode 100644 index 00000000..363c3390 --- /dev/null +++ b/.github/workflows/oidc-test.yaml 
@@ -0,0 +1,54 @@ +# taken and modified from https://github.com/hashicorp/go-azure-sdk/blob/main/.github/workflows/pr-acceptance-tests.yml +name: OIDC Example - Testing OIDC integration in the SDK branch +on: + push: + +permissions: + contents: read + id-token: write + +jobs: + secrets-check: + runs-on: ubuntu-latest + outputs: + available: "${{ steps.check-secrets.outputs.available }}" + steps: + # we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets + # it will be unset when running for a PR from a fork + - id: check-secrets + run: | + if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then + echo "available=false" | tee ${GITHUB_OUTPUT} + else + echo "available=true" | tee ${GITHUB_OUTPUT} + fi + + test-oidc: + runs-on: ubuntu-latest + needs: [secrets-check] + if: needs.secrets-check.outputs.available == 'true' + steps: + - name: Set OIDC Token + run: | + echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV} + + - name: Install Go + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + with: + go-version: '1.19.5' + + - name: Checkout + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Build the plugin + run: make + + - name: Try to run an AzureARM build with our OIDC token + run: packer build -force ./example/oidc-example.pkr.hcl + env: + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID}} diff --git a/README.md b/README.md index 5f6997df..99b80b6d 100644 --- a/README.md +++ b/README.md 
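Review bot: `uses: hashicorp/setup-packer@main` in the "Setup `packer`" step pulls a mutable branch while `actions/setup-go` and `actions/checkout` in the same job are pinned to full commit SHAs, and it runs after the "Set OIDC Token" step has already exported the federated JWT into `GITHUB_ENV`, so whatever that branch resolves to at run time (and the `make` step) can read `ARM_OIDC_TOKEN`, which is short-lived but exchangeable for an Azure access token until it expires. Pin the action to a commit SHA with a version comment like the other two, and either request the token inside the build step's own `run:` or at least `echo "::add-mask::${TOKEN}"` before appending it to `GITHUB_ENV`, since a value produced by curl is not masked in logs on its own. The curl pipeline also has no `-f`/`--fail` and no `set -o pipefail`, so an HTTP error leaves `ARM_OIDC_TOKEN=null` from `jq -r '.value'` and the failure only surfaces later as an opaque Azure auth error; `curl -sSf ...` plus a `[[ -n "$TOKEN" && "$TOKEN" != "null" ]] || exit 1` guard would fail the step at the source. The build step references `./example/oidc-example.pkr.hcl`, which this series does not add (it deletes `oidc-example.json` and adds `ubuntu-chroot.json.pkr.hcl`), so unless that file already exists in the repository the job will fail at `packer build`.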
@@ -19,7 +19,7 @@ Then, run [`packer init`](https://www.packer.io/docs/commands/init). packer { required_plugins { azure = { - version = ">= 1.4.5" + version = ">= 2.0.0" source = "github.com/hashicorp/azure" } } diff --git a/example/oidc-example.json b/example/oidc-example.json deleted file mode 100644 index 5b125cfc..00000000 --- a/example/oidc-example.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "variables": { - "arm_oidc_token": "{{env `ARM_OIDC_TOKEN`}}", - "subscription_id": "{{env `ARM_SUBSCRIPTION_ID`}}", - "arm_client_id": "{{env `ARM_CLIENT_ID`}}" - }, - "builders": [{ - "type": "azure-arm", - "managed_image_resource_group_name": "packer-acceptance-test", - "managed_image_name": "oidc-example", - "os_type": "Windows", - "image_publisher": "MicrosoftWindowsServer", - "image_offer": "WindowsServer", - "image_sku": "2012-R2-Datacenter", - "client_jwt": "{{user `arm_oidc_token`}}", - "client_id": "{{user `arm_client_id`}}", - "subscription_id": "{{ user `subscription_id`}}", - "communicator": "winrm", - "winrm_use_ssl": "true", - "winrm_insecure": "true", - "winrm_timeout": "3m", - "winrm_username": "packer", - "location": "South Central US", - "vm_size": "Standard_DS2_v2" - }] -} - - diff --git a/example/ubuntu-chroot.json.pkr.hcl b/example/ubuntu-chroot.json.pkr.hcl new file mode 100644 index 00000000..37d1241d --- /dev/null +++ b/example/ubuntu-chroot.json.pkr.hcl 
@@ -0,0 +1,54 @@ + +variable "client_id" { + type = string + default = "${env("ARM_CLIENT_ID")}" +} + +variable "client_secret" { + type = string + default = "${env("ARM_CLIENT_SECRET")}" +} + +variable "gallery_name" { + type = string + default = "${env("ARM_GALLERY_NAME")}" +} + +variable "resource_group" { + type = string + default = "${env("ARM_IMAGE_RESOURCEGROUP_ID")}" +} + +variable "subscription_id" { + type = string + default = "${env("ARM_SUBSCRIPTION_ID")}" +} + +source "azure-chroot" "autogenerated_1" { + client_id = "${var.client_id}" + client_secret = "${var.client_secret}" + shared_image_destination { + exclude_from_latest = false + gallery_name = "${var.gallery_name}" + image_name = "MyUbuntuOSImage" + image_version = "1.0.0" + resource_group = "${var.resource_group}" + target_regions { + name = "eastus" + replicas = "1" + storage_account_type = "standard_zrs" + } + } + source = "Canonical:UbuntuServer:20.04-LTS:latest" + subscription_id = "${var.subscription_id}" +} + +build { + sources = ["source.azure-chroot.autogenerated_1"] + + provisioner "shell" { + inline = ["apt update", "apt upgrade -y"] + inline_shebang = "/bin/sh -x" + } + +} diff --git a/version/version.go b/version/version.go index eb1abf6f..c4f86e1d 100644 --- a/version/version.go +++ b/version/version.go @@ -9,7 +9,7 @@ import ( var ( // Version is the main version number that is being run at the moment. - Version = "1.4.5" + Version = "2.0.0" // VersionPrerelease is A pre-release marker for the Version. If this is "" // (empty string) then it means that it is a final release. Otherwise, this From abc32e702101aff32811e4b6dda952d8737f6f51 Mon Sep 17 00:00:00 2001 
From: Jenna Goldstrich Date: Fri, 11 Aug 2023 14:38:48 -0700 Subject: [PATCH 2/5] Remove un-used bad example and update oidc test to use PAcker v1.9.1 to avoid locally built plugin issue --- .github/workflows/oidc-test.yaml | 2 ++ example/ubuntu-chroot.json.pkr.hcl | 54 ------------------------------ 2 files changed, 2 insertions(+), 54 deletions(-) delete mode 100644 example/ubuntu-chroot.json.pkr.hcl diff --git a/.github/workflows/oidc-test.yaml b/.github/workflows/oidc-test.yaml index 363c3390..f1692628 100644 --- a/.github/workflows/oidc-test.yaml +++ b/.github/workflows/oidc-test.yaml @@ -43,6 +43,8 @@ jobs: - name: Setup `packer` uses: hashicorp/setup-packer@main id: setup + with: + version: '1.9.1' - name: Build the plugin run: make diff --git a/example/ubuntu-chroot.json.pkr.hcl b/example/ubuntu-chroot.json.pkr.hcl deleted file mode 100644 index 37d1241d..00000000 --- a/example/ubuntu-chroot.json.pkr.hcl +++ /dev/null 
@@ -1,54 +0,0 @@ - -variable "client_id" { - type = string - default = "${env("ARM_CLIENT_ID")}" -} - -variable "client_secret" { - type = string - default = "${env("ARM_CLIENT_SECRET")}" -} - -variable "gallery_name" { - type = string - default = "${env("ARM_GALLERY_NAME")}" -} - -variable "resource_group" { - type = string - default = "${env("ARM_IMAGE_RESOURCEGROUP_ID")}" -} - -variable "subscription_id" { - type = string - default = "${env("ARM_SUBSCRIPTION_ID")}" -} - -source "azure-chroot" "autogenerated_1" { - client_id = "${var.client_id}" - client_secret = "${var.client_secret}" - shared_image_destination { - exclude_from_latest = false - gallery_name = "${var.gallery_name}" - image_name = "MyUbuntuOSImage" - image_version = "1.0.0" - resource_group = "${var.resource_group}" - target_regions { - name = "eastus" - replicas = "1" - storage_account_type = "standard_zrs" - } - } - source = "Canonical:UbuntuServer:20.04-LTS:latest" - subscription_id = "${var.subscription_id}" -} - -build { - sources = ["source.azure-chroot.autogenerated_1"] - - provisioner "shell" { - inline = ["apt update", "apt upgrade -y"] - inline_shebang = "/bin/sh -x" - } - -} From 39a95394f87b2f74a6b3158b0c7a64cbd9edb1c6 Mon Sep 17 00:00:00 2001 From: Jenna Goldstrich Date: Fri, 11 Aug 2023 14:48:50 -0700 Subject: [PATCH 3/5] Only run this test on main --- .github/workflows/oidc-test.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/oidc-test.yaml b/.github/workflows/oidc-test.yaml index f1692628..0ede8147 100644 --- a/.github/workflows/oidc-test.yaml +++ b/.github/workflows/oidc-test.yaml @@ -2,6 +2,8 @@ name: OIDC Example - Testing OIDC integration in the SDK branch on: push: + branches: + - main permissions: contents: read From bbbe991fd7ef80e294c70a93d8344a7a5fd7a59c Mon Sep 17 00:00:00 2001 
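Review bot: With `branches: - main` added under `push:`, the workflow no longer runs for pull requests at all, so the `secrets-check` job's proxy test on `ACTIONS_ID_TOKEN_REQUEST_URL` (whose comment says it exists to catch PRs from forks) can never observe the case it was written for and `test-oidc` always runs when the workflow runs. Either drop `secrets-check` together with the `needs:`/`if:` gate on `test-oidc`, or keep the `pull_request` path the check was designed for; leaving both suggests a protection that is not actually exercised. Since the Azure federated credential is presumably scoped to a repository and branch, a short comment next to `branches:` such as `# must match the subject (refs/heads/main) of the Azure federated credential` would make the coupling explicit.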
From: Jenna Goldstrich Date: Fri, 11 Aug 2023 14:54:39 -0700 Subject: [PATCH 4/5] Explain test --- .github/workflows/oidc-test.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/oidc-test.yaml b/.github/workflows/oidc-test.yaml index 0ede8147..9db9ded9 100644 --- a/.github/workflows/oidc-test.yaml +++ b/.github/workflows/oidc-test.yaml @@ -1,4 +1,11 @@ # taken and modified from https://github.com/hashicorp/go-azure-sdk/blob/main/.github/workflows/pr-acceptance-tests.yml +# This test requires creating a GitHub OIDC app registration +# First create an Azure Application Registration +# Then in `Certificates & secrets` add Federated Credentials +# select GitHub Actions deploying Azure Resources +# And add the repository and branch +# Then set the relevant subscription/client IDs and you're good to go +# More detailed instrucitons for configuring GHA Azure OIDC Authentication are available here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure name: OIDC Example - Testing OIDC integration in the SDK branch on: push: From c93b915508b40f40cddc3e81c70ba32242b856d9 Mon Sep 17 00:00:00 2001 From: Jenna Goldstrich Date: Fri, 11 Aug 2023 14:55:55 -0700 Subject: [PATCH 5/5] add TODO reminding us to update packer version once locally installed plugins issue is fixed --- .github/workflows/oidc-test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/oidc-test.yaml b/.github/workflows/oidc-test.yaml index 9db9ded9..a2032ed2 100644 --- a/.github/workflows/oidc-test.yaml +++ b/.github/workflows/oidc-test.yaml 
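Review bot: The new setup comment block has a typo (`instrucitons` → `instructions`) and leaves out the two values that must agree between Azure and this file: the federated credential's subject has to match the branch this workflow runs on (`refs/heads/main` after the trigger restriction) and its audience has to match the `audience=api://AzureADTokenExchange` parameter passed to curl in the "Set OIDC Token" step, otherwise the token exchange fails with no hint about which side is wrong. Suggest replacing the `# And add the repository and branch` line with `# Add the repository, choose entity type Branch = main (the trigger below), and keep the default audience api://AzureADTokenExchange (it must equal the audience requested in the curl step)`. It would also be worth a sentence saying that the app registration should only be granted the role needed on the target resource group rather than subscription-wide rights, since the token it receives is usable by anything that reads `ARM_OIDC_TOKEN` from the job environment; I am inferring the required scope from the build step, so confirm the minimum role against the example template. The header wording `GitHub OIDC app registration` is also slightly misleading: it is an Azure app registration with a GitHub federated credential.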
@@ -4,7 +4,7 @@ # Then in `Certificates & secrets` add Federated Credentials # select GitHub Actions deploying Azure Resources # And add the repository and branch -# Then set the relevant subscription/client IDs and you're good to go +# Then set the relevant subscription/client IDs in GitHub Action secrets and you're good to go # More detailed instrucitons for configuring GHA Azure OIDC Authentication are available here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure name: OIDC Example - Testing OIDC integration in the SDK branch on: @@ -53,6 +53,7 @@ jobs: uses: hashicorp/setup-packer@main id: setup with: + # TODO Update this to latest after v1.9.3 is released version: '1.9.1' - name: Build the plugin
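Review bot: The new `# TODO Update this to latest after v1.9.3 is released` reads as an intent to set `version:` to `latest`, which would make the Packer binary used to exercise OIDC against Azure unpinned and the run non-reproducible; reword it to `# TODO bump to a pinned version >= 1.9.3 once released (locally installed plugin issue)` so the follow-up keeps an explicit version. The same concern applies to `uses: hashicorp/setup-packer@main`, visible as context two lines above `with:`, which tracks a mutable branch while the other actions in the job are SHA-pinned.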