.github: set up e2e

Signed-off-by: Steve Kuznetsov <[email protected]>
Azure · Oct 17, 2024 · fc2ed90 · fc2ed90
1 parent b90817f
commit fc2ed90
Show file tree

Hide file tree

Showing 4 changed files with 87 additions and 10 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -1,18 +1,19 @@
 name: Azure Workload Identity E2E
 
 on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-      - release-**
+  pull_request:
+    branches: [ main ]
 
 permissions:
   id-token: write
   contents: read
 
 jobs:
   msi_acrpull_e2e:
+    env:
+      AZURE_CLIENT_ID: ecf12de5-b661-4194-8c94-3710b7d5472f
+      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
+      AZURE_SUBSCRIPTION_ID: 0cc1cafa-578f-4fa5-8d6b-ddfd8d82e6ea
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
@@ -34,9 +35,9 @@ jobs:
           az version
       - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
       - name: E2E test
         run: make -C test/ test
       - name: Cleanup

diff --git a/test/Makefile b/test/Makefile
@@ -3,18 +3,24 @@ include ./../.bingo/Variables.mk
 UNIQUE_INPUT ?= ${USER}-test-dev
 LOCATION ?= EastUS
 
-_output/acr-deployment:
+_output:
+	mkdir _output
+
+_output/acr-deployment: _output
 	echo "$(UNIQUE_INPUT)-acr" > _output/acr-deployment
 
 _output/acr-infrastructure.json: _output/acr-deployment
 	az deployment sub create --name "$(shell cat _output/acr-deployment )" --location "$(LOCATION)" --template-file "./infrastructure/acr.resourceGroup.bicep" --parameters "location=$(LOCATION)" --parameters "uniqueIdentifier=$(UNIQUE_INPUT)" --output "json" > _output/acr-infrastructure.json
 
-_output/aks-deployment:
+_output/aks-deployment: _output
 	echo "$(UNIQUE_INPUT)-aks" > _output/aks-deployment
 
 _output/aks-infrastructure.json: _output/aks-deployment
 	az deployment sub create --name "$(shell cat _output/aks-deployment )" --location "$(LOCATION)" --template-file "./infrastructure/aks.resourceGroup.bicep" --parameters "location=$(LOCATION)" --parameters "uniqueIdentifier=$(UNIQUE_INPUT)" --output "json" > _output/aks-infrastructure.json
 
+_output/identity.json: _output
+	az deployment sub create --name msi-acrpull-e2e-test-runner --template-file "./test/infrastructure/identity.resourceGroup.bicep" --parameters "location=$(LOCATION)" --output json --location "$(LOCATION)" > _output/identity.json
+
 .PHONY: cleanup-resource-group
 cleanup-resource-group:
 	test -f _output/acr-infrastructure.json && az group delete --name "$(shell jq --raw-output '.properties.outputs.resourceGroup.value' < _output/acr-infrastructure.json )"

diff --git a/test/infrastructure/identity.bicep b/test/infrastructure/identity.bicep
@@ -0,0 +1,24 @@
+targetScope = 'resourceGroup'
+param location string = resourceGroup().location
+
+resource pullerIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+    name: guid('msi-acrpull-e2e-runner')
+    location: location
+}
+
+// Issuer: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
+// Audience: https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect#set-up-azure-login-action-with-openid-connect-in-github-actions-workflows
+// Subject: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#filtering-for-pull_request-events
+resource credential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
+  name: 'msi-acrpull-e2e-test-runner'
+  parent: pullerIdentity
+  properties: {
+    audiences: [
+      'api://AzureADTokenExchange'
+    ]
+    issuer: 'https://token.actions.githubusercontent.com'
+    subject: 'repo:Azure/msi-acrpull:pull_request'
+  }
+}
+
+output pullerIdentity object = pullerIdentity
diff --git a/test/infrastructure/identity.resourceGroup.bicep b/test/infrastructure/identity.resourceGroup.bicep
@@ -0,0 +1,46 @@
+targetScope = 'subscription'
+
+param location string
+
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {
+    name: 'msi-acrpull-e2e-test-runner'
+    location: location
+}
+
+module identity 'identity.bicep' = {
+    scope: resourceGroup
+    name: 'msi-acrpull-e2e-test-runner'
+    params: {
+        location: resourceGroup.location
+    }
+}
+
+// Contributor:
+// https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#owner
+// https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#privileged
+var ownerId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+resource subOwnerRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid(subscription().id, 'msi-acrpull-e2e-test-runner', ownerId)
+    scope: subscription()
+    properties: {
+        roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', ownerId)
+        principalType: 'ServicePrincipal'
+        principalId: identity.outputs.pullerIdentity.properties.principalId
+    }
+}
+
+// RBAC Administrator:
+// https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged#role-based-access-control-administrator
+// https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#privileged
+var rbacAdministratorId = 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+resource credentialRefersherRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid('acr-puller-assigner', rbacAdministratorId)
+    scope: subscription()
+    properties: {
+        conditionVersion: '2.0'
+        condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7f951dda4ed34680a7ca43fe172d538d})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{7f951dda4ed34680a7ca43fe172d538d}))'
+        roleDefinitionId: rbacAdministratorId
+        principalId: identity.outputs.pullerIdentity.properties.principalId
+        principalType: 'ServicePrincipal'
+    }
+}