Add support for storage account RBAC only access (#592)

Author: timja

pom.xml

@@ -23,18 +23,6 @@
         </license>
     </licenses>
 
-    <developers>
-        <developer>
-            <id>xuzhang</id>
-            <name>Xu Zhang</name>
-            <email>[email protected]</email>
-        </developer>
-        <developer>
-            <id>timja</id>
-            <name>Tim Jacomb</name>
-        </developer>
-    </developers>
-
     <scm>
         <connection>scm:git:https://github.com/${gitHubRepo}</connection>
         <developerConnection>scm:git:https://github.com/${gitHubRepo}</developerConnection>
@@ -45,7 +33,8 @@
     <properties>
         <changelist>9999-SNAPSHOT</changelist>
         <gitHubRepo>jenkinsci/azure-vm-agents-plugin</gitHubRepo>
-        <jenkins.version>2.426.3</jenkins.version>
+        <jenkins.baseline>2.426</jenkins.baseline>
+        <jenkins.version>${jenkins.baseline}.3</jenkins.version>
         <maven.javadoc.skip>true</maven.javadoc.skip>
         <hpi.compatibleSinceVersion>883</hpi.compatibleSinceVersion>
     </properties>
@@ -54,7 +43,7 @@
         <dependencies>
             <dependency>
                 <groupId>io.jenkins.tools.bom</groupId>
-                <artifactId>bom-2.426.x</artifactId>
+                <artifactId>bom-${jenkins.baseline}.x</artifactId>
                 <version>3208.vb_21177d4b_cd9</version>
                 <scope>import</scope>
                 <type>pom</type>
@@ -71,7 +60,7 @@
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>
             <artifactId>azure-credentials</artifactId>
-            <version>293.vb_d506148f506</version>
+            <version>341.v4881e9f4ffea_</version>
         </dependency>
         <dependency>
             <groupId>org.jenkins-ci.plugins</groupId>

src/main/java/com/microsoft/azure/vmagent/AzureVMAgentCleanUpTask.java

@@ -79,12 +79,14 @@ private static class DeploymentInfo implements Serializable {
                        String resourceGroupName,
                        String deploymentName,
                        String scriptUri,
-                       int deleteAttempts) {
+                       int deleteAttempts,
+                       boolean isUseEntraIdForStorageAccount) {
             this.cloudName = cloudName;
             this.deploymentName = deploymentName;
             this.resourceGroupName = resourceGroupName;
             this.scriptUri = scriptUri;
             this.attemptsRemaining = deleteAttempts;
+            this.isUseEntraIdForStorageAccount = isUseEntraIdForStorageAccount;
         }
 
         String getCloudName() {
@@ -103,6 +105,10 @@ String getScriptUri() {
             return scriptUri;
         }
 
+        public boolean isUseEntraIdForStorageAccount() {
+            return isUseEntraIdForStorageAccount;
+        }
+
         boolean hasAttemptsRemaining() {
             return attemptsRemaining > 0;
         }
@@ -111,11 +117,12 @@ void decrementAttemptsRemaining() {
             attemptsRemaining--;
         }
 
-        private String cloudName;
-        private String deploymentName;
-        private String resourceGroupName;
-        private String scriptUri;
+        private final String cloudName;
+        private final String deploymentName;
+        private final String resourceGroupName;
+        private final String scriptUri;
         private int attemptsRemaining;
+        private final boolean isUseEntraIdForStorageAccount;
     }
 
     private static final int CLEAN_TIMEOUT_IN_MINUTES = 15;
@@ -165,11 +172,13 @@ public ConcurrentLinkedQueue<DeploymentInfo> getDeploymentsToClean() {
         public void registerDeployment(String cloudName,
                                        String resourceGroupName,
                                        String deploymentName,
-                                       String scriptUri) {
+                                       String scriptUri,
+                                       boolean isUseEntraIdForStorageAccount) {
             LOGGER.log(Level.FINE, "Registering deployment {0} in {1}",
                     new Object[]{deploymentName, resourceGroupName});
             DeploymentInfo newDeploymentToClean =
-                    new DeploymentInfo(cloudName, resourceGroupName, deploymentName, scriptUri, MAX_DELETE_ATTEMPTS);
+                    new DeploymentInfo(cloudName, resourceGroupName, deploymentName, scriptUri, MAX_DELETE_ATTEMPTS,
+                            isUseEntraIdForStorageAccount);
             deploymentsToClean.add(newDeploymentToClean);
 
             syncDeploymentsToClean();
@@ -247,7 +256,8 @@ public void cleanDeployments(long successTimeoutInMinutes, long failTimeoutInMin
                     azureClient.deployments()
                             .deleteByResourceGroup(info.getResourceGroupName(), info.getDeploymentName());
                     if (StringUtils.isNotBlank(info.scriptUri)) {
-                        delegate.removeStorageBlob(new URI(info.scriptUri), info.getResourceGroupName());
+                        delegate.removeStorageBlob(new URI(info.scriptUri), info.getResourceGroupName(),
+                                cloud.getAzureCredentialsId(), info.isUseEntraIdForStorageAccount());
                     }
                 } else if (state.equalsIgnoreCase("succeeded")
                         && diffTimeInMinutes > successTimeoutInMinutes) {
@@ -257,7 +267,8 @@ public void cleanDeployments(long successTimeoutInMinutes, long failTimeoutInMin
                     azureClient.deployments()
                             .deleteByResourceGroup(info.getResourceGroupName(), info.getDeploymentName());
                     if (StringUtils.isNotBlank(info.scriptUri)) {
-                        delegate.removeStorageBlob(new URI(info.scriptUri), info.getResourceGroupName());
+                        delegate.removeStorageBlob(new URI(info.scriptUri), info.getResourceGroupName(),
+                                cloud.getAzureCredentialsId(), info.isUseEntraIdForStorageAccount());
                     }
                 } else {
                     LOGGER.log(getNormalLoggingLevel(), "Deployment newer than timeout, keeping");
@@ -442,7 +453,12 @@ private int getPriority(GenericResource resource) {
                             new Object[]{resource.name(), resourceGroup});
                     azureClient.genericResources().deleteById(resource.id());
                     if (osDiskURI != null) {
-                        serviceDelegate.removeStorageBlob(osDiskURI, resourceGroup);
+                        String jenkinsTemplateTag = resource.tags().get(Constants.AZURE_TEMPLATE_TAG_NAME);
+                        boolean useEntraIdForStorageAccount = cloud
+                                .getTemplate(jenkinsTemplateTag)
+                                .isUseEntraIdForStorageAccount();
+                        serviceDelegate.removeStorageBlob(osDiskURI, resourceGroup,
+                                cloud.getAzureCredentialsId(), useEntraIdForStorageAccount);
                     }
                     if (managedOsDiskId != null) {
                         azureClient.disks().deleteById(managedOsDiskId);

src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java

@@ -223,6 +223,38 @@ public String getGalleryResourceGroup() {
 
     private static final int GEN_STORAGE_ACCOUNT_UID_LENGTH = 22;
 
+    private static final String VALIDATE_DEPLOYMENT_TEMPLATE_MESSAGE = "Verify configuration:\n\t{0}{1}{2}{3}"
+            + "resourceGroupName: {4};\n\t"
+            + "templateName: {5};\n\t"
+            + "labels: {6};\n\t"
+            + "location: {7};\n\t"
+            + "virtualMachineSize: {8};\n\t"
+            + "storageAccountName: {9};\n\t"
+            + "noOfParallelJobs: {10};\n\t"
+            + "imageTopLevelType: {11};\n\t"
+            + "builtInImage: {12};\n\t"
+            + "image: {13};\n\t"
+            + "osType: {14};\n\t"
+            + "id: {15};\n\t"
+            + "publisher: {16};\n\t"
+            + "offer: {17};\n\t"
+            + "sku: {18};\n\t"
+            + "version: {19};\n\t"
+            + "sshConfig: {20};\n\t"
+            + "initScript: {21};\n\t"
+            + "credentialsId: {22};\n\t"
+            + "virtualNetworkName: {23};\n\t"
+            + "virtualNetworkResourceGroupName: {24};\n\t"
+            + "subnetName: {25};\n\t"
+            + "privateIP: {26};\n\t"
+            + "nsgName: {27};\n\t"
+            + "jvmOptions: {28};\n\t"
+            + "galleryName: {29}\n\t"
+            + "galleryImageDefinition: {30}\n\t"
+            + "galleryImageVersion: {31}\n\t"
+            + "galleryResourceGroup: {32}\n\t"
+            + "gallerySubscriptionId: {33}";
+
     // General Configuration
     private final String templateName;
 
@@ -321,7 +353,7 @@ public String getGalleryResourceGroup() {
     // If disabled, will not attempt to verify or use
     private boolean templateDisabled;
 
-    private String templateStatusDetails;
+    private transient String templateStatusDetails;
 
     private transient AzureVMCloud azureCloud;
 
@@ -338,6 +370,7 @@ public String getGalleryResourceGroup() {
     private boolean enableMSI;
 
     private boolean enableUAMI;
+    private boolean useEntraIdForStorageAccount;
 
     private String uamiID;
 
@@ -572,6 +605,15 @@ public void setMaxVirtualMachinesLimit(int maxVirtualMachinesLimit) {
         this.maxVirtualMachinesLimit = maxVirtualMachinesLimit;
     }
 
+    public boolean isUseEntraIdForStorageAccount() {
+        return useEntraIdForStorageAccount;
+    }
+
+    @DataBoundSetter
+    public void setUseEntraIdForStorageAccount(boolean useEntraIdForStorageAccount) {
+        this.useEntraIdForStorageAccount = useEntraIdForStorageAccount;
+    }
+
     public String getJavaPath() {
         return javaPath;
     }
@@ -1454,6 +1496,10 @@ public ListBoxModel doFillNsgNameItems(
 
             try {
                 AzureResourceManager azureClient = AzureResourceManagerCache.get(azureCredentialsId);
+                if (azureClient == null) {
+                    return model;
+                }
+
                 String resourceGroupName = AzureVMCloud.getResourceGroupName(
                         resourceGroupReferenceType, newResourceGroupName, existingResourceGroupName);
                 PagedIterable<NetworkSecurityGroup> nsgs =
@@ -1634,6 +1680,9 @@ public ListBoxModel doFillExistingStorageAccountNameItems(
 
             try {
                 AzureResourceManager azureClient = AzureResourceManagerCache.get(azureCredentialsId);
+                if (azureClient == null) {
+                    return model;
+                }
 
                 String resourceGroupName = AzureVMCloud.getResourceGroupName(
                         resourceGroupReferenceType, newResourceGroupName, existingResourceGroupName);
@@ -1820,6 +1869,8 @@ public FormValidation doVerifyConfiguration(
                 @QueryParameter String storageAccountNameReferenceType,
                 @QueryParameter String newStorageAccountName,
                 @QueryParameter String existingStorageAccountName,
+                @QueryParameter boolean useEntraIdForStorageAccount,
+                @QueryParameter String uamiID,
                 @QueryParameter String storageAccountType,
                 @QueryParameter String noOfParallelJobs,
                 @QueryParameter String imageTopLevelType,
@@ -1844,7 +1895,8 @@ public FormValidation doVerifyConfiguration(
                 @QueryParameter String subnetName,
                 @QueryParameter boolean usePrivateIP,
                 @QueryParameter String nsgName,
-                @QueryParameter String jvmOptions) {
+                @QueryParameter String jvmOptions
+        ) {
             Jenkins.get().checkPermission(Jenkins.ADMINISTER);
 
             ImageReferenceTypeClass image = new ImageReferenceTypeClass(
@@ -1870,38 +1922,7 @@ public FormValidation doVerifyConfiguration(
                         cloud.getResourceGroupName(), templateName);
             }
 
-            LOGGER.log(Level.INFO,
-                    "Verify configuration:\n\t{0}{1}{2}{3}"
-                            + "resourceGroupName: {4};\n\t"
-                            + "templateName: {5};\n\t"
-                            + "labels: {6};\n\t"
-                            + "location: {7};\n\t"
-                            + "virtualMachineSize: {8};\n\t"
-                            + "storageAccountName: {9};\n\t"
-                            + "noOfParallelJobs: {10};\n\t"
-                            + "imageTopLevelType: {11};\n\t"
-                            + "builtInImage: {12};\n\t"
-                            + "image: {13};\n\t"
-                            + "osType: {14};\n\t"
-                            + "id: {15};\n\t"
-                            + "publisher: {16};\n\t"
-                            + "offer: {17};\n\t"
-                            + "sku: {18};\n\t"
-                            + "version: {19};\n\t"
-                            + "sshConfig: {20};\n\t"
-                            + "initScript: {21};\n\t"
-                            + "credentialsId: {22};\n\t"
-                            + "virtualNetworkName: {23};\n\t"
-                            + "virtualNetworkResourceGroupName: {24};\n\t"
-                            + "subnetName: {25};\n\t"
-                            + "privateIP: {26};\n\t"
-                            + "nsgName: {27};\n\t"
-                            + "jvmOptions: {28};\n\t"
-                            + "galleryName: {29}\n\t"
-                            + "galleryImageDefinition: {30}\n\t"
-                            + "galleryImageVersion: {31}\n\t"
-                            + "galleryResourceGroup: {32}\n\t"
-                            + "gallerySubscriptionId: {33}",
+            LOGGER.log(Level.INFO, VALIDATE_DEPLOYMENT_TEMPLATE_MESSAGE,
                     new Object[]{
                             "",
                             "",
@@ -1946,6 +1967,13 @@ public FormValidation doVerifyConfiguration(
                 return FormValidation.error(result);
             }
 
+            if (useEntraIdForStorageAccount) {
+                if (StringUtils.isBlank(uamiID)) {
+                    return FormValidation.error("If using Entra ID authentication for storage account "
+                            + "user assigned managed identity must be enabled as well.");
+                }
+            }
+
             AzureSSHLauncher azureComputerLauncher = new AzureSSHLauncher();
             if (StringUtils.isNotBlank(sshConfig)) {
                 azureComputerLauncher.setSshConfig(sshConfig);

src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java

@@ -595,7 +595,7 @@ public AzureVMAgent createProvisionedAgent(
                                 getServiceDelegate().setVirtualMachineDetails(newAgent, template);
                                 return newAgent;
                             } else {
-                                LOGGER.log(Level.INFO,
+                                LOGGER.log(Level.FINE,
                                         "Deployment {0} not yet finished ({1}): {2}:{3} - waited {4} seconds",
                                         new Object[]{deploymentName, state, type, resource,
                                                 (maxTries - triesLeft) * sleepTimeInSeconds});
@@ -873,7 +873,7 @@ public Node call() throws AzureCloudException {
                                 }
 
                                 try {
-                                    LOGGER.log(Level.INFO, "Adding agent {0} to Jenkins nodes",
+                                    LOGGER.log(Level.FINE, "Adding agent {0} to Jenkins nodes",
                                             agent.getNodeName());
                                     // Place the node in blocked state while it starts.
                                     try {
@@ -1282,6 +1282,10 @@ public FormValidation doVerifyConfiguration(
                     resourceGroupName = Constants.DEFAULT_RESOURCE_GROUP_NAME;
                 }
                 AzureResourceManager azureClient = AzureResourceManagerCache.get(azureCredentialsId);
+                if (azureClient == null) {
+                    return FormValidation.error("Cannot get Azure client");
+                }
+
                 final String validationResult = AzureVMManagementServiceDelegate
                         .getInstance(azureClient, azureCredentialsId)
                         .verifyConfiguration(resourceGroupName, deploymentTimeout);
@@ -1317,6 +1321,10 @@ public ListBoxModel doFillExistingResourceGroupNameItems(@QueryParameter String
 
             try {
                 final AzureResourceManager azureClient = AzureResourceManagerCache.get(azureCredentialsId);
+                if (azureClient == null) {
+                    return model;
+                }
+
                 Set<String> resourceGroupNames = new HashSet<>();
                 for (ResourceGroup resourceGroup : azureClient.resourceGroups().list()) {
                     resourceGroupNames.add(resourceGroup.name());