Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Wiki ADO Workload Identity #829

Merged
merged 5 commits into from
Nov 21, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions docs/wiki/Azure-Pipelines.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ The PowerShell script below will set up a new project or use an existing if it a

- Before running the commands below, any `<Value>` needs to be replaced with your values

> If you are running self-hosted build agents in Azure with Managed Identity enabled set the value for `$ARM_CLIENT_ID` and `$ARM_CLIENT_SECRET` to `''`.
> If you are running self-hosted build agents in Azure with Managed Identity enabled. Remove the variables `$ARM_CLIENT_ID` and `$ARM_CLIENT_SECRET` from `credentials` variable group.

```PowerShell
# Configuration, make sure to replace <Value> with your values
Expand Down Expand Up @@ -99,6 +99,7 @@ $CredentialVariableGroup = @(
@{Name = 'ARM_TENANT_ID'; Value = $TenantId; IsSecret = $false }
@{Name = 'ARM_SUBSCRIPTION_ID'; Value = $SubscriptionId; IsSecret = $false }
@{Name = 'ARM_CLIENT_ID'; Value = $ARM_CLIENT_ID; IsSecret = $false }
@{Name = 'ARM_SERVICE_CONNECTION'; Value = ''; IsSecret = $false }
)
if ($ARM_CLIENT_SECRET) {
$CredentialVariableGroup += @{Name = 'ARM_CLIENT_SECRET'; Value = $ARM_CLIENT_SECRET; IsSecret = $true }
Expand Down Expand Up @@ -186,11 +187,12 @@ foreach ($pipeline in 'AzOps - Push', 'AzOps - Pull', 'AzOps - Validate') {

- Add the variables from the `Service Principal` creation to the `credentials Variable group`.

> If you are running self-hosted build agents in Azure with Managed Identity enabled set the value for `ARM_CLIENT_ID` and `ARM_CLIENT_SECRET` to `null`.
> If you are running self-hosted build agents in Azure with Managed Identity enabled, skip adding `ARM_CLIENT_ID` and `ARM_CLIENT_SECRET`.

```shell
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_SERVICE_CONNECTION
ARM_SUBSCRIPTION_ID
ARM_TENANT_ID
```
Expand Down
10 changes: 5 additions & 5 deletions docs/wiki/GitHub-Actions.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@
- [Prerequisites](#prerequisites)
- [Further reading](#further-reading)
- [Important Repository Link to refer](#important-repository-link-to-refer)
- [Two ways to configure AzOps](#Two-ways-to-configure-AzOps)
- [Configure AzOps via Portal](#Configure-AzOps-via-Portal)
- [Configure via command-line](#Configure-via-command-line)
- [Two ways to configure AzOps](#two-ways-to-configure-azops)
- [Configure AzOps via Portal](#configure-azops-via-portal)
- [Configure via command-line](#configure-via-command-line)

## Prerequisites

Expand Down Expand Up @@ -43,7 +43,7 @@ If you are using GitHub Enterprise Server, you need to [import the repository](h
![GIT-Project](./Media/Actions/GIT-Project.PNG)
3. Review the information you entered, then click Begin import.
![GIT-Repository](./Media/Actions/GIT-Repository.PNG)
4. Navigate to Settings -> Secrets -> Actions and create the required secrets as depicted below. Note that `ARM_CLIENT_SECRET` is not required when using [federated credentials](https://github.com/azure/azops/wiki/github-oidc).
4. Navigate to Settings -> Secrets -> Actions and create the required secrets as depicted below. Note that `ARM_CLIENT_SECRET` is not required when using [federated credentials](https://github.com/azure/azops/wiki/oidc).
![GIT-Secret](./Media/Actions/GIT-Secret.PNG)
5. Untick `Allow merge commits` and `Allow rebase merging` under Settings -> General -> Pull Requests
![GIT-Merge](./Media/Actions/GIT-Merge.PNG)
Expand All @@ -70,7 +70,7 @@ gh repo create '<Name>' --template azure/azops-accelerator --private --confirm
gh secret set 'ARM_TENANT_ID' -b "<Secret>"
gh secret set 'ARM_SUBSCRIPTION_ID' -b "<Secret>"
gh secret set 'ARM_CLIENT_ID' -b "<Secret>"
gh secret set 'ARM_CLIENT_SECRET' -b "<Secret>" # Not required when using federated credentials((https://github.com/azure/azops/wiki/github-oidc)
gh secret set 'ARM_CLIENT_SECRET' -b "<Secret>" # Not required when using federated credentials((https://github.com/azure/azops/wiki/oidc)
```

- Disable Allow Merge commits and Allow rebase merging
Expand Down
Binary file modified docs/wiki/Media/Pipelines/Library.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/wiki/Media/oidc/add.png
Binary file not shown.
Binary file removed docs/wiki/Media/oidc/addcreds.png
Binary file not shown.
Binary file removed docs/wiki/Media/oidc/connect_github_account.png
Binary file not shown.
Binary file removed docs/wiki/Media/oidc/credential_details.png
Binary file not shown.
Binary file added docs/wiki/Media/oidc/remove-ado-arm_cs.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/wiki/Media/oidc/spn_addcreds.jpg
Binary file not shown.
Binary file removed docs/wiki/Media/oidc/spn_addcreds2.png
Binary file not shown.
Binary file removed docs/wiki/Media/oidc/uami.png
Binary file not shown.
76 changes: 30 additions & 46 deletions docs/wiki/GitHub-OIDC.md → docs/wiki/OIDC.md
Original file line number Diff line number Diff line change
@@ -1,82 +1,65 @@
# Use Workload identity federation with the AzOps GitHub Actions
# Use Workload identity federation with the AzOps

- [Introduction](#introduction)
- [Configure](#configure)
- [GitHub](#github)
- [Azure Pipelines](#azure-pipelines)
- [Resources](#resources)

## Introduction

GitHub Actions support OpenID Connect (OIDC) for secure deployments to Azure, which uses short-lived tokens that are automatically rotated for each deployment.
GitHub Actions and Azure Pipelines can make use of OpenID Connect (OIDC) for secure deployments to Azure, which uses short-lived tokens that are automatically rotated for each deployment.
In the context of AzOps, this means we can allow the AzOps pipeline Service Principal/User-assigned managed identity to access Azure Resource Manager and Azure AD with federated credentials, eliminating the need to create/handle secrets.

This wiki explains how this feature can be configured and used in the AzOps GitHub Actions.

> **Important**: For this feature to work with the current implementation of Workload identities, we take a dependency on [Environments for GitHub Actions](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment). *Environments are only available in public repositories for free. Access to environments in private repositories requires [GitHub Enterprise](https://docs.github.com/en/get-started/learning-about-github/githubs-products#github-enterprise).*
This wiki explains how this feature can be used and configured with AzOps.

## Configure

Before you start to configure the workload federation feature in Azure AD and changing the GitHub Actions, ensure that you have followed the instructions at <https://github.com/azure/azops/wiki/prerequisites> and have your Service Principal/User-assigned managed identity ready with appropriate RBAC permissions.
Before you start to configure the workload federation feature in Azure AD and changing the GitHub Actions or Azure DevOps Pipelines, ensure that you have followed the instructions at <https://github.com/azure/azops/wiki/prerequisites> and have your Service Principal/User-assigned managed identity ready with appropriate RBAC permissions.

### Federated credentials
> **Note:** Depending on if you are using a Service Principal or User-assigned managed identity the wording and visuals might differ.

1. **For Service Principal:** In Azure AD, find your AzOps service principal and navigate to Certificates & Secrets -> Federated credentials, click on `Add credential`.
![Add creds](./Media/oidc/spn_addcreds.jpg)
### GitHub
> **Important**: For this feature to work with the current implementation of Workload identities, we take a dependency on [Environments for GitHub Actions](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment). *Environments are only available in public repositories for free. Access to environments in private repositories requires [GitHub Enterprise](https://docs.github.com/en/get-started/learning-about-github/githubs-products#github-enterprise).*

**For User-assigned managed identity:** In Azure Portal, find your AzOps User-assigned managed identity and navigate to Federated credentials, click on `Add Credential`.
![Add creds](./Media/oidc/uami.png)
How to setup GitHub Actions with workload identity federation:

2. There are three sections requiring input, enter your values in each highlighted field.
- [Create a Microsoft Entra application and service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-a-microsoft-entra-application-and-service-principal)

1. **Federated credential scenario:**
- [Add federated credentials](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#add-federated-credentials)

| Setting | Value |
|---|---|
| `Federated credential scenario` | select `GitHub Actions deploying Azure resources` |
>
> **Note:** The starter GitHub pipelines in [AzOps-Accelerator](https://github.com/azure/azops-accelerator) have been updated to support federated credentials. Consider performing an update using the [update](https://github.com/azure/azops/wiki/updates) pipeline.

Click on `Select scenario` and choose `GitHub Actions deploying Azure resources`.
![Add creds](./Media/oidc/addcreds.png)

2. **Connect your GitHub account:**
1. Validate that you have the latest version (post february 2023) of [sharedSteps/action.yml](https://github.com/Azure/AzOps-Accelerator/tree/main/.github/actions/sharedSteps), [pull.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/pull.yml), [push.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/push.yml), [redeploy.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/redeploy.yml) and [validate.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/validate.yml).
2. Uncomment the line with environment definition in [pull.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/pull.yml), [push.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/push.yml), [redeploy.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/redeploy.yml) and [validate.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/validate.yml). Change the environment name to reflect your environment names.

| Setting | Value |
|---|---|
| `Organization` | {replace with your organization} |
| `Repository` | {replace with your repository} |
| `Entity type` | select `Environment` |
| `GitHub environment name` | {replace with your environment name} |
```yaml
environment: prod # Environment if using Federated Credentials (https://github.com/azure/azops/wiki/oidc)
```

![Add creds](./Media/oidc/connect_github_account.png)
3. **Credential details:**
3. Remove all references to `ARM_CLIENT_SECRET` from the repository/environment secrets. If `ARM_CLIENT_SECRET` exists, the pipeline will try to connect with the secret instead.

| Setting | Value |
|---|---|
| `Name` | {replace with your name} |
![Overview](./Media/oidc/arm_client_secret.png)
4. Test the Pull, Push and Validate pipelines to ensure authentication works with federated credential.

![Add creds](./Media/oidc/credential_details.png)
### Azure Pipelines

Click `Add` to complete Federated credentials configuration section.
How to setup Azure DevOps Pipelines with workload identity federation:

![Overview](./Media/oidc/add.png)
- [Connect to Microsoft Azure with an ARM service connection](https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops)

Overview of the accelerator example, where 'prod' is used as the `environment name`.
- [Manually configure Azure Resource Manager workload identity service connections](https://learn.microsoft.com/en-us/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops)

![Overview](./Media/oidc/spn_addcreds2.png)

### GitHub Actions
>
> **Note:** The starter GitHub pipelines in [AzOps-Accelerator](https://github.com/azure/azops-accelerator) have been updated to support federated credentials. If you haven't updated the pipelines recently, consider performing an update using the [update](https://github.com/azure/azops/wiki/updates) pipeline.
> **Note:** The starter Azure Pipelines in [AzOps-Accelerator](https://github.com/azure/azops-accelerator) have been updated to support federated credentials. Consider performing an update using the [update](https://github.com/azure/azops/wiki/updates) pipeline.

1. Validate that you have the latest version (post february 2023) of [sharedSteps/action.yml](https://github.com/Azure/AzOps-Accelerator/tree/main/.github/actions/sharedSteps), [pull.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/pull.yml), [push.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/push.yml), [redeploy.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/redeploy.yml) and [validate.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/validate.yml).
2. Uncomment the line with environment definition in [pull.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/pull.yml), [push.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/push.yml), [redeploy.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/redeploy.yml) and [validate.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.github/workflows/validate.yml). Change the environment name to reflect your environment names.
1. Validate that you have the latest version (post october 2023) of [templates/sharedSteps.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.pipelines/.templates/sharedSteps.yml) and [templates/vars.yml](https://github.com/Azure/AzOps-Accelerator/blob/main/.pipelines/.templates/vars.yml).

```yaml
environment: prod # Environment if using Federated Credentials (https://github.com/azure/azops/wiki/github-oidc)
```

3. Remove all references to `ARM_CLIENT_SECRET` from the repository/environment secrets. If `ARM_CLIENT_SECRET` exists, the pipeline will try to connect with the secret instead.
3. Remove the `ARM_CLIENT_SECRET` variable from the `credentials` variable group. If `ARM_CLIENT_SECRET` exists, the pipeline will try to connect with the secret instead.

![Overview](./Media/oidc/arm_client_secret.png)
![Overview](./Media/oidc/remove-ado-arm_cs.png)
4. Test the Pull, Push and Validate pipelines to ensure authentication works with federated credential.

## Resources
Expand All @@ -85,3 +68,4 @@ Read more about the functionality in the official docs below:

- [Azure AD Workload identity federation](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)
- [GitHub Actions: Secure cloud deployments with OpenID Connect](https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect/)
- [Azure DevOps Pipelines: Workload Identity federation for Azure Deployments](https://learn.microsoft.com/en-us/azure/devops/release-notes/roadmap/2022/secret-free-deployments)
2 changes: 1 addition & 1 deletion docs/wiki/Prerequisites.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ The Azure Active Directory [Directory Readers](https://learn.microsoft.com/azure
### Create Service Principal

If you intend to run AzOps with hosted agents a Service Principal is required. Perform the steps below to create the Service Principal in Azure AD. If you plan to run with self-hosted agents and want to use a managed identity skip to the next step.
If using GitHub Enterprise Cloud, consider using [federated credentials](https://github.com/azure/azops/wiki/github-oidc) to eliminate secrets management.
If using GitHub Enterprise Cloud or Azure DevOps Pipelines, consider using [federated credentials](https://github.com/azure/azops/wiki/oidc) to eliminate secrets management.

```powershell
# Install module
Expand Down
2 changes: 1 addition & 1 deletion docs/wiki/_Sidebar.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,8 @@
* [Sovereign Clouds](https://github.com/azure/azops/wiki/sovereign-clouds)
* [Services](https://github.com/azure/azops/wiki/services)
* [GitHub Actions](https://github.com/azure/azops/wiki/github-actions)
* [Workload identity federation](https://github.com/azure/azops/wiki/github-oidc)
* [Azure Pipelines](https://github.com/azure/azops/wiki/azure-pipelines)
* [Workload Identity Federation](https://github.com/azure/azops/wiki/oidc)

## Documentation

Expand Down