Add support for Federated Auth to test resources scripts

Author: danieljurek

eng/common/TestResources/New-TestResources.ps1

@@ -92,8 +92,13 @@ param (
     [Parameter()]
     [switch] $SuppressVsoCommands = ($null -eq $env:SYSTEM_TEAMPROJECTID),
 
+    # Default behavior is to use -UserAuth
     [Parameter()]
-    [switch] $UserAuth,
+    [switch] $ServicePrincipalAuth,
+
+    [Parameter()]
+    [switch] $FederatedAuth,
+
 
     # Captures any arguments not declared here (no parameter errors)
     # This enables backwards compatibility with old script versions in
@@ -105,6 +110,16 @@ param (
 
 . $PSScriptRoot/SubConfig-Helpers.ps1
 
+if ($FederatedAuth -and $ServicePrincipalAuth) {
+    Write-Error "Only one of 'FederatedAuth' and 'ServicePrincipalAuth' can be set."
+    exit 1
+}
+
+$UserAuth = $true
+if ($ServicePrincipalAuth) {
+    $UserAuth = $false
+}
+
 # By default stop for any error.
 if (!$PSBoundParameters.ContainsKey('ErrorAction')) {
     $ErrorActionPreference = 'Stop'
@@ -268,7 +283,6 @@ function BuildDeploymentOutputs([string]$serviceName, [object]$azContext, [objec
     # Add default values
     $deploymentOutputs = [Ordered]@{
         "${serviceDirectoryPrefix}CLIENT_ID" = $TestApplicationId;
-        "${serviceDirectoryPrefix}CLIENT_SECRET" = $TestApplicationSecret;
         "${serviceDirectoryPrefix}TENANT_ID" = $azContext.Tenant.Id;
         "${serviceDirectoryPrefix}SUBSCRIPTION_ID" =  $azContext.Subscription.Id;
         "${serviceDirectoryPrefix}RESOURCE_GROUP" = $resourceGroup.ResourceGroupName;
@@ -280,6 +294,10 @@ function BuildDeploymentOutputs([string]$serviceName, [object]$azContext, [objec
         "AZURE_SERVICE_DIRECTORY" = $serviceName.ToUpperInvariant();
     }
 
+    if (!$FederatedAuth) {
+        $deploymentOutputs["${serviceDirectoryPrefix}CLIENT_SECRET"] = $TestApplicationSecret;
+    }
+
     MergeHashes $environmentVariables $(Get-Variable deploymentOutputs)
 
     foreach ($key in $deployment.Outputs.Keys) {
@@ -518,8 +536,9 @@ try {
         }
     }
 
-    # If a provisioner service principal was provided, log into it to perform the pre- and post-scripts and deployments.
-    if ($ProvisionerApplicationId) {
+    # If a provisioner service principal was provided (and not using Federated
+    # Auth), log into it to perform the pre- and post-scripts and deployments.
+    if ($ProvisionerApplicationId -and !$FederatedAuth) {
         $null = Disable-AzContextAutosave -Scope Process
 
         Log "Logging into service principal '$ProvisionerApplicationId'."
@@ -614,7 +633,7 @@ try {
         }
     }
 
-    if ($UserAuth) {
+    if (!$CI -and !$FederatedAuth -and $UserAuth) {
         if ($TestApplicationId) {
             Write-Warning "The specified TestApplicationId '$TestApplicationId' will be ignored when UserAuth is set."
         }
@@ -625,8 +644,8 @@ try {
         $userAccountName = $userAccount.UserPrincipalName
         Log "User authentication with user '$userAccountName' ('$TestApplicationId') will be used."
     }
-    # If no test application ID was specified during an interactive session, create a new service principal.
-    elseif (!$CI -and !$TestApplicationId) {
+    # If user has specified -ServicePrincipalAuth
+    elseif (!$CI -and $ServicePrincipalAuth) {
         # Cache the created service principal in this session for frequent reuse.
         $servicePrincipal = if ($AzureTestPrincipal -and (Get-AzADServicePrincipal -ApplicationId $AzureTestPrincipal.AppId) -and $AzureTestSubscription -eq $SubscriptionId) {
             Log "TestApplicationId was not specified; loading cached service principal '$($AzureTestPrincipal.AppId)'"
@@ -686,7 +705,9 @@ try {
     # Make sure pre- and post-scripts are passed formerly required arguments.
     $PSBoundParameters['TestApplicationId'] = $TestApplicationId
     $PSBoundParameters['TestApplicationOid'] = $TestApplicationOid
-    $PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret
+    if (!$FederatedAuth) {
+        $PSBoundParameters['TestApplicationSecret'] = $TestApplicationSecret
+    }
 
     # If the role hasn't been explicitly assigned to the resource group and a cached service principal or user authentication is in use,
     # query to see if the grant is needed.
@@ -704,7 +725,7 @@ try {
    # considered a critical failure, as the test application may have subscription-level permissions and not require
    # the explicit grant.
    if (!$resourceGroupRoleAssigned) {
-        $idSlug = if ($userAuth) { "User '$userAccountName' ('$TestApplicationId')"} else { "Test Application '$TestApplicationId'"};
+        $idSlug = if ($UserAuth) { "User '$userAccountName' ('$TestApplicationId')" } else { "Test Application '$TestApplicationId'"};
         Log "Attempting to assign the 'Owner' role for '$ResourceGroupName' to the $idSlug"
         $ownerAssignment = New-AzRoleAssignment `
                             -RoleDefinitionName "Owner" `
@@ -734,7 +755,7 @@ try {
     if ($TenantId) {
         $templateParameters.Add('tenantId', $TenantId)
     }
-    if ($TestApplicationSecret) {
+    if ($TestApplicationSecret -and !$FederatedAuth) {
         $templateParameters.Add('testApplicationSecret', $TestApplicationSecret)
     }
 
@@ -1029,6 +1050,18 @@ By default, the -CI parameter will print out secrets to logs with Azure Pipeline
 commands that cause them to be redacted. For CI environments that don't support this (like
 stress test clusters), this flag can be set to $false to avoid printing out these secrets to the logs.
 
+.PARAMETER ServicePrincipalAuth
+Use the signed in user's credentials to create a service principal for
+provisioning. This is useful for some local development scenarios.
+
+.PARAMETER FederatedAuth
+Use signed in user's credentials for provisioninig. No service principal will be
+created. This is used in CI where the execution context already has a signed in
+user.
+
+In cases where provisioner or test applications are specified, secrets for those
+apps will not be exported or made available to pre- or post- scripts.
+
 .EXAMPLE
 Connect-AzAccount -Subscription 'REPLACE_WITH_SUBSCRIPTION_ID'
 New-TestResources.ps1 keyvault

eng/common/TestResources/New-TestResources.ps1.md

@@ -19,7 +19,7 @@ New-TestResources.ps1 [-BaseName <String>] [-ResourceGroupName <String>] [-Servi
  [-TestApplicationOid <String>] [-SubscriptionId <String>] [-DeleteAfterHours <Int32>] [-Location <String>]
  [-Environment <String>] [-ResourceType <String>] [-ArmTemplateParameters <Hashtable>]
  [-AdditionalParameters <Hashtable>] [-EnvironmentVariables <Hashtable>] [-CI] [-Force] [-OutFile]
- [-SuppressVsoCommands] [-UserAuth] [-NewTestResourcesRemainingArguments <Object>]
+ [-SuppressVsoCommands] [-ServicePrincipalAuth] [-FederatedAuth] [-NewTestResourcesRemainingArguments <Object>]
  [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -32,7 +32,7 @@ New-TestResources.ps1 [-BaseName <String>] [-ResourceGroupName <String>] [-Servi
  -ProvisionerApplicationSecret <String> [-DeleteAfterHours <Int32>] [-Location <String>]
  [-Environment <String>] [-ResourceType <String>] [-ArmTemplateParameters <Hashtable>]
  [-AdditionalParameters <Hashtable>] [-EnvironmentVariables <Hashtable>] [-CI] [-Force] [-OutFile]
- [-SuppressVsoCommands] [-UserAuth] [-NewTestResourcesRemainingArguments <Object>]
+ [-SuppressVsoCommands] [-ServicePrincipalAuth] [-FederatedAuth] [-NewTestResourcesRemainingArguments <Object>]
  [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm] [<CommonParameters>]
 ```
 
@@ -629,15 +629,32 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -UserAuth
-Create the resource group and deploy the template using the signed in user's credentials.
-No service principal will be created or used.
+### -ServicePrincipalAuth
+Use the signed in user's credentials to create a service principal for
+provisioning.
+This is useful for some local development scenarios.
 
-The environment file will be named for the test resources template that it was
-generated for.
-For ARM templates, it will be test-resources.json.env.
-For
-Bicep templates, test-resources.bicep.env.
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FederatedAuth
+Use signed in user's credentials for provisioninig.
+No service principal will be
+created.
+This is used in CI where the execution context already has a signed in
+user.
+
+In cases where provisioner or test applications are specified, secrets for those
+apps will not be exported or made available to pre- or post- scripts.
 
 ```yaml
 Type: SwitchParameter
@@ -716,7 +733,7 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 

eng/common/TestResources/Remove-TestResources.ps1

@@ -56,6 +56,9 @@ param (
     [ValidateSet('test', 'perf')]
     [string] $ResourceType = 'test',
 
+    [Parameter()]
+    [switch] $FederatedAuth,
+
     [Parameter()]
     [switch] $Force,
 
@@ -110,7 +113,7 @@ function Retry([scriptblock] $Action, [int] $Attempts = 5) {
     }
 }
 
-if ($ProvisionerApplicationId) {
+if ($ProvisionerApplicationId -and !$FederatedAuth) {
     $null = Disable-AzContextAutosave -Scope Process
 
     Log "Logging into service principal '$ProvisionerApplicationId'"
@@ -305,6 +308,10 @@ Run script in CI mode. Infers various environment variable names based on CI con
 .PARAMETER Force
 Force removal of resource group without asking for user confirmation
 
+.PARAMETER FederatedAuth
+Use signed in user's credentials for provisioninig. This is used in CI where
+the execution context already has a signed in user.
+
 .EXAMPLE
 Remove-TestResources.ps1 keyvault -Force
 Use the currently logged-in account to delete the resources created for Key Vault testing.

eng/common/TestResources/Remove-TestResources.ps1.md

@@ -14,32 +14,36 @@ Deletes the resource group deployed for a service directory from Azure.
 
 ### Default (Default)
 ```
-Remove-TestResources.ps1 [-BaseName <String>] [-SubscriptionId <String>] [-ServiceDirectory] <String>
- [-Environment <String>] [-Force] [-RemoveTestResourcesRemainingArguments <Object>] [-WhatIf] [-Confirm]
+Remove-TestResources.ps1 [-BaseName <String>] [-SubscriptionId <String>] [[-ServiceDirectory] <String>]
+ [-Environment <String>] [-ResourceType <String>] [-FederatedAuth] [-Force]
+ [-RemoveTestResourcesRemainingArguments <Object>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### Default+Provisioner
 ```
 Remove-TestResources.ps1 -BaseName <String> -TenantId <String> [-SubscriptionId <String>]
  -ProvisionerApplicationId <String> -ProvisionerApplicationSecret <String> [[-ServiceDirectory] <String>]
- [-Environment <String>] [-Force] [-RemoveTestResourcesRemainingArguments <Object>] [-WhatIf] [-Confirm]
+ [-Environment <String>] [-ResourceType <String>] [-FederatedAuth] [-Force]
+ [-RemoveTestResourcesRemainingArguments <Object>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### ResourceGroup+Provisioner
 ```
-Remove-TestResources.ps1 -ResourceGroupName <String> -TenantId <String> [-SubscriptionId <String>]
+Remove-TestResources.ps1 [-ResourceGroupName <String>] -TenantId <String> [-SubscriptionId <String>]
  -ProvisionerApplicationId <String> -ProvisionerApplicationSecret <String> [[-ServiceDirectory] <String>]
- [-Environment <String>] [-CI] [-Force] [-RemoveTestResourcesRemainingArguments <Object>] [-WhatIf] [-Confirm]
+ [-Environment <String>] [-CI] [-ResourceType <String>] [-FederatedAuth] [-Force]
+ [-RemoveTestResourcesRemainingArguments <Object>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
 ### ResourceGroup
 ```
-Remove-TestResources.ps1 -ResourceGroupName <String> [-SubscriptionId <String>] [[-ServiceDirectory] <String>]
- [-Environment <String>] [-CI] [-Force] [-RemoveTestResourcesRemainingArguments <Object>] [-WhatIf] [-Confirm]
- [<CommonParameters>]
+Remove-TestResources.ps1 [-ResourceGroupName <String>] [-SubscriptionId <String>]
+ [[-ServiceDirectory] <String>] [-Environment <String>] [-CI] [-ResourceType <String>] [-FederatedAuth]
+ [-Force] [-RemoveTestResourcesRemainingArguments <Object>] [-ProgressAction <ActionPreference>] [-WhatIf]
+ [-Confirm] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -112,7 +116,7 @@ Type: String
 Parameter Sets: ResourceGroup+Provisioner, ResourceGroup
 Aliases:
 
-Required: True
+Required: False
 Position: Named
 Default value: None
 Accept pipeline input: False
@@ -193,32 +197,51 @@ specified - in which to discover pre removal script named 'remove-test-resources
 
 ```yaml
 Type: String
-Parameter Sets: Default
+Parameter Sets: (All)
 Aliases:
 
-Required: True
+Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -Environment
+Name of the cloud environment.
+The default is the Azure Public Cloud
+('PublicCloud')
+
 ```yaml
 Type: String
-Parameter Sets: Default+Provisioner, ResourceGroup+Provisioner, ResourceGroup
+Parameter Sets: (All)
 Aliases:
 
 Required: False
-Position: 1
-Default value: None
+Position: Named
+Default value: AzureCloud
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -Environment
-Name of the cloud environment.
-The default is the Azure Public Cloud
-('PublicCloud')
+### -CI
+Run script in CI mode.
+Infers various environment variable names based on CI convention.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ResourceGroup+Provisioner, ResourceGroup
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceType
+{{ Fill ResourceType Description }}
 
 ```yaml
 Type: String
@@ -227,13 +250,27 @@ Aliases:
 
 Required: False
 Position: Named
-Default value: AzureCloud
+Default value: Test
 Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -CI
-Run script in CI mode. Infers various environment variable names based on CI convention.
+### -FederatedAuth
+Use signed in user's credentials for provisioninig.
+This is used in CI where
+the execution context already has a signed in user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
 
 ### -Force
 Force removal of resource group without asking for user confirmation
@@ -296,8 +333,23 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -ProgressAction
+{{ Fill ProgressAction Description }}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### CommonParameters
-This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS