MSI Support tasks - 2 (#7404)

* MSI Support tasks - 2 * azure kry vault fix * monitor l0 test fixes * scheme order changes
microsoft · Jun 8, 2018 · 9a9ab52 · 9a9ab52
1 parent af0a757
commit 9a9ab52
Show file tree

Hide file tree

Showing 10 changed files with 54 additions and 18 deletions.
diff --git a/Tasks/AzureKeyVaultV1/Strings/resources.resjson/en-US/resources.resjson b/Tasks/AzureKeyVaultV1/Strings/resources.resjson/en-US/resources.resjson
@@ -36,7 +36,7 @@
   "loc.messages.AccessDeniedError": "%s. Specified Azure endpoint needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it OR set them from Azure portal.",
   "loc.messages.GetSecretValueFailed": "Get secret value failed for: %s. Error: %s.",
   "loc.messages.ConflictingVariableFound": "Variable with name %s is defined in both environment and key vault",
-  "loc.messages.GetSecretFailedBecauseOfInvalidCharacters": "Cannot find the secret with name: %s. Secret name must be a string 1-127 characters in length containing only 0-9, a-z, A-Z, and -",
+  "loc.messages.GetSecretFailedBecauseOfInvalidCharacters": "Secret not found: %s. Secret name must be a string 1-127 characters in length containing only -, 0-9, a-z and A-Z.",
   "loc.messages.UploadingAttachment": "Uploading %s as attachment",
   "loc.messages.CouldNotWriteToFile": "Could not save content to file. Failed with an error %s",
   "loc.messages.CouldNotMaskSecret": "%s value has regular expressions hence could not mask completely",

diff --git a/Tasks/AzureKeyVaultV1/models/KeyVaultTaskParameters.ts b/Tasks/AzureKeyVaultV1/models/KeyVaultTaskParameters.ts
@@ -12,6 +12,7 @@ export class KeyVaultTaskParameters {
     public vaultCredentials: msRestAzure.ApplicationTokenCredentials;
     public keyVaultUrl: string;
     public servicePrincipalId: string;
+    public scheme: string;
 
     constructor() {
         var connectedService = tl.getInput("ConnectedServiceName", true);
@@ -20,20 +21,22 @@ export class KeyVaultTaskParameters {
         this.secretsFilter = tl.getDelimitedInput("SecretsFilter", ",", true);
         var azureKeyVaultDnsSuffix = tl.getEndpointDataParameter(connectedService, "AzureKeyVaultDnsSuffix", true);
 
-        this.servicePrincipalId = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalid', false);
+        this.servicePrincipalId = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalid', true);
         this.keyVaultUrl = util.format("https://%s.%s", this.keyVaultName, azureKeyVaultDnsSuffix);
+        this.scheme = tl.getEndpointAuthorizationScheme(connectedService, false);
         this.vaultCredentials = this.getVaultCredentials(connectedService, azureKeyVaultDnsSuffix);
     }
 
     private getVaultCredentials(connectedService: string, azureKeyVaultDnsSuffix: string): msRestAzure.ApplicationTokenCredentials {
         var vaultUrl = util.format("https://%s", azureKeyVaultDnsSuffix);
 
-        var servicePrincipalKey: string = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalkey', false);
+        var servicePrincipalKey: string = tl.getEndpointAuthorizationParameter(connectedService, 'serviceprincipalkey', true);
         var tenantId: string = tl.getEndpointAuthorizationParameter(connectedService, 'tenantid', false);
         var armUrl: string = tl.getEndpointUrl(connectedService, true);
         var envAuthorityUrl: string = tl.getEndpointDataParameter(connectedService, 'environmentAuthorityUrl', true);
         envAuthorityUrl = (envAuthorityUrl != null) ? envAuthorityUrl : "https://login.windows.net/";
-        var credentials = new msRestAzure.ApplicationTokenCredentials(this.servicePrincipalId, tenantId, servicePrincipalKey, vaultUrl, envAuthorityUrl, vaultUrl, false);
+        var msiClientId = tl.getEndpointDataParameter(connectedService, 'msiclientId', true);
+        var credentials = new msRestAzure.ApplicationTokenCredentials(this.servicePrincipalId, tenantId, servicePrincipalKey, vaultUrl, envAuthorityUrl, vaultUrl, false, this.scheme , msiClientId);
         return credentials;
     }
 }
diff --git a/Tasks/AzureKeyVaultV1/npm-shrinkwrap.json b/Tasks/AzureKeyVaultV1/npm-shrinkwrap.json
diff --git a/Tasks/AzureKeyVaultV1/operations/KeyVault.ts b/Tasks/AzureKeyVaultV1/operations/KeyVault.ts
@@ -55,11 +55,21 @@ export class KeyVault {
             this.taskParameters.keyVaultName,
             this.taskParameters.keyVaultUrl);
 
-        var scriptContentFormat = `$ErrorActionPreference=\"Stop\";
-Login-AzureRmAccount -SubscriptionId %s;
-$spn=(Get-AzureRmADServicePrincipal -SPN %s);
-$spnObjectId=$spn.Id;
-Set-AzureRmKeyVaultAccessPolicy -VaultName %s -ObjectId $spnObjectId -PermissionsToSecrets get,list;`;
+        let scriptContentFormat;
+        if(this.taskParameters.scheme === "ManagedServiceIdentity") {
+            scriptContentFormat = `$ErrorActionPreference=\"Stop\";
+            Login-AzureRmAccount -SubscriptionId %s;
+            $vmMetadata = Invoke-RestMethod -Headers @{"Metadata"="true"} -URI http://169.254.169.254/metadata/instance?api-version=2017-08-01 -Method get
+            $vm = Get-AzureRmVM -ResourceGroupName $vmMetadata.compute.resourceGroupName  -Name  $vmMetadata.compute.name
+            $spn=(Get-AzureRmADServicePrincipal -SPN %s);
+            Set-AzureRmKeyVaultAccessPolicy -VaultName %s -ObjectId $vm.Identity.PrincipalId -PermissionsToSecrets get,list;`;
+        } else {
+            scriptContentFormat = `$ErrorActionPreference=\"Stop\";
+            Login-AzureRmAccount -SubscriptionId %s;
+            $spn=(Get-AzureRmADServicePrincipal -SPN %s);
+            $spnObjectId=$spn.Id;
+            Set-AzureRmKeyVaultAccessPolicy -VaultName %s -ObjectId $spnObjectId -PermissionsToSecrets get,list;`;
+        }
 
         this.provisionKeyVaultSecretsScript = util.format(scriptContentFormat, this.taskParameters.subscriptionId, this.taskParameters.servicePrincipalId, this.taskParameters.keyVaultName);
     }

diff --git a/Tasks/AzureKeyVaultV1/task.json b/Tasks/AzureKeyVaultV1/task.json
@@ -14,7 +14,7 @@
     "version": {
         "Major": 1,
         "Minor": 0,
-        "Patch": 19
+        "Patch": 20
     },
     "demands": [],
     "minimumAgentVersion": "2.0.0",

diff --git a/Tasks/AzureKeyVaultV1/task.loc.json b/Tasks/AzureKeyVaultV1/task.loc.json
@@ -14,7 +14,7 @@
   "version": {
     "Major": 1,
     "Minor": 0,
-    "Patch": 19
+    "Patch": 20
   },
   "demands": [],
   "minimumAgentVersion": "2.0.0",

diff --git a/Tasks/AzureMonitorAlertsV0/Strings/resources.resjson/en-US/resources.resjson b/Tasks/AzureMonitorAlertsV0/Strings/resources.resjson/en-US/resources.resjson
@@ -26,5 +26,6 @@
   "loc.messages.CreatedRule": "Created rule : '%s'",
   "loc.messages.UpdatedRule": "Updated rule : '%s'",
   "loc.messages.Couldnotfetchaccesstoken": "Could not fetch access token for Azure. Status Code: %s (%s) %s.",
-  "loc.messages.SPNExpiredCheck": "Check if the SPN is valid and not expired."
+  "loc.messages.SPNExpiredCheck": "Check if the SPN is valid and not expired.",
+  "loc.messages.MSINotSupported": "Managed Service Identity(MSI) authentication is not supported for this task."
 }
diff --git a/Tasks/AzureMonitorAlertsV0/azuremonitoralerts.ts b/Tasks/AzureMonitorAlertsV0/azuremonitoralerts.ts
@@ -20,6 +20,12 @@ async function run() {
 		let alertRules: IAzureMetricAlertRulesList = JSON.parse(tl.getInput("AlertRules", true));
 		let notifyServiceOwners: boolean = tl.getInput("NotifyServiceOwners") && tl.getInput("NotifyServiceOwners").toLowerCase() === "true" ? true : false;
 		let notifyEmails: string = tl.getInput("NotifyEmails");
+
+		let endpointScheme = tl.getEndpointAuthorizationScheme(connectedServiceName, true);
+		if (endpointScheme === "ManagedServiceIdentity") {
+			throw tl.loc("MSINotSupported");
+		}
+
 		let endpoint = await initializeAzureRMEndpointData(connectedServiceName);
 
 		let resourceId: string = `/subscriptions/${endpoint["subscriptionId"]}/resourceGroups/${resourceGroupName}/providers/${resourceType}/${resourceName}`

diff --git a/Tasks/AzureMonitorAlertsV0/task.json b/Tasks/AzureMonitorAlertsV0/task.json
@@ -13,7 +13,7 @@
 	"version": {
 		"Major": 0,
 		"Minor": 1,
-		"Patch": 0
+		"Patch": 1
 	},
 	"minimumAgentVersion": "2.111.0",
 	"instanceNameFormat": "Configure Azure Alerts : $(ResourceName)",
@@ -129,6 +129,7 @@
 		"CreatedRule":  "Created rule : '%s'",
 		"UpdatedRule": "Updated rule : '%s'",
 		"Couldnotfetchaccesstoken": "Could not fetch access token for Azure. Status Code: %s (%s) %s.",
-		"SPNExpiredCheck": "Check if the SPN is valid and not expired."
+		"SPNExpiredCheck": "Check if the SPN is valid and not expired.",
+		"MSINotSupported": "Managed Service Identity(MSI) authentication is not supported for this task."
 	}
 }
diff --git a/Tasks/AzureMonitorAlertsV0/task.loc.json b/Tasks/AzureMonitorAlertsV0/task.loc.json
@@ -13,7 +13,7 @@
   "version": {
     "Major": 0,
     "Minor": 1,
-    "Patch": 0
+    "Patch": 1
   },
   "minimumAgentVersion": "2.111.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -131,6 +131,7 @@
     "CreatedRule": "ms-resource:loc.messages.CreatedRule",
     "UpdatedRule": "ms-resource:loc.messages.UpdatedRule",
     "Couldnotfetchaccesstoken": "ms-resource:loc.messages.Couldnotfetchaccesstoken",
-    "SPNExpiredCheck": "ms-resource:loc.messages.SPNExpiredCheck"
+    "SPNExpiredCheck": "ms-resource:loc.messages.SPNExpiredCheck",
+    "MSINotSupported": "ms-resource:loc.messages.MSINotSupported"
   }
 }