* Support AAD graph and Microsoft Graph service principal APIs
* Consolidate service principal wrapper creation
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
The focus of these changes is to ensure that the service principal is
explicitly granted the "Owner" role on the active resource group, whether
the principal was newly created or a cached instance was used.
Co-authored-by: Jesse Squire <jesse.squire@gmail.com>
* Use stress test environment defaults for group and subscription
* Fix parameter passing from deploy-stress-tests.ps1 script
* Redact stress deployment logs and simplify image handling
* Use DevopsLogging parameter to prevent secret logging in non-devops CI environments
* Use switch type for DevopsLogging parameter
* Remove boolean parameter usage in favor of [switch]
* Add default parameter set usage comment
* Throw when clusterGroup and/or subscription is not specified for custom environments
* Add helper function for logging azure pipelines vso commands
* Invert SuppressVsoCommands binary default value
* Vso command fixes
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
* Exclude certain live test deployment outputs from being marked as log secrets
* debug
* Update subscription configuration merge jobs to use secret handler
* Rename subscription config helper function script
* Fix variable name reference in scope
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
* Doc Updates and Revisions for External Use
The focus of these changes is to revise the script to better support use
by external contributors and others outside of the Azure SDK ecosystem and
without access to the Microsoft AAD Tenant.
Changes include:
- Creation of a new Test Application service principal is now possible
from a non-Microsoft AAD tenant.
- When a new Test Application principal is created, the principle of least
privilege is now applied; the new Test Application is granted ownership
of the resource group associated with the test resources and no longer
has access to any other resources in the subscription.
- If an existing Test Application principal is specified, it will be
assigned ownership of the resource group created. This supports using
a Test Application principal without privileges at the subscription-level.
- When no provisioner is specified, the script is now executed in the
context of the caller rather than the Test Application principal.
This supports using a Test Application principal that has restricted
privileges and better aligns to the purpose of the Test Application
principal.
- The `$TestApplicationOid` is now explicitly bound at the time a new Test
Application principal is created rather than having to query for it later.
- Common error scenarios resulting from lack of permissions now provide
messaging with more context of why the failure occurred and suggest
remediation.
- Added new examples to illustrate the common call patterns needed by
external contributors running the script, outside of the Microsoft tenant
and Azure SDK ecosystem.
- Documentation has been enhanced with additional context to detail the
permissions and roles assigned by the script.
- Added documentation details for Bicep template use.
* Add the provisioner OID to the deployment params
Key Vault needs this to deploy Managed HSMs. There's a corresponding change necessary in test-resources.json I'll roll out across languages.
* Fixing typos and spelling mistakes
Co-authored-by: Jesse Squire <jesse.squire@gmail.com>
Co-authored-by: Heath Stewart <heaths@microsoft.com>
* Attempt to purge all vaults, managed HSMs
Reverts #1910. Vaults and managed HSMs are automatically purged on their purge date. The point was to purge them daily to preserve capacity. The default purge date is +90 days.
* Add timeout and more logging
* Pass required -Resource
* Fix log message
* Ensure the $Resource is correctly captured
Added comment to new code explaining why, since ScriptBlock.GetNewClosure() is not working as expected.
* Add -ErrorAction to Receive-Job
Worked without terminating when run locally, but failed on the first error in the AzDO agent.
* Use $using:r instead of creating ScriptBlock
More idiomatic for passing ScriptBlocks to jobs.
* Resolve PR feedback
* Change default DeleteAfterHours to 120
Resolves #1917
* Use the Az cmdlets built-in -AsJob
Co-authored-by: Heath Stewart <heaths@microsoft.com>
- Fix rg.Name to rg.ResourceGroupName
- Add more verbose logging for better debugging
- Handle deleted resource groups when gathering purgeable resources
- Remove coerce now that we are collecting in functions
Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
* Support building and deploying bicep templates
* Add bicep powershell install aka link to deployment error message
* Write bicep compiled arm templates to temp directory
* Simplify bicep building code/function usage
* Use bicep location for compiled arm templates, and remove them on success
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
- Remove copied AzPowershell utilities
- Add latest AZ module path already on hosted agents to PSModulePath
- Rename setup-az-modules template setup-environments to reflect what it is doing
- Add support for Caching the current user PS Module folder
- Add support for install-module if not already present in module folder
- Organize the live test clean-up script to be in the standard location
Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
* Remove passing -Mode Complete to deployment
When passing Complete it will remove any resources
already in the resource group that weren't part
of the current deployment. That removal breaks a
lot of assumptions, like multiple deployments when
testing things like smoke-tests or if you are reusing
an existing resource group. We don't want that to happen.
* Remove ServiceDirectory as required parameter for remove/update
When this was made mandatory it broke some usages which didn't
pass the value. Those usages don't need to pass it because
they pass required information in other ways so removing the
requirement for the parameter to be passed.
Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
Initializing the BaseName with a ServiceDirectory that contains
a "/", because it is a multiple level path, causes the BaseName
initialization code to fail because it doesn't support the
validation pattern.
In all the known cases we already pass the ResourceGroupName
explicitly so don't need to set the BaseName so we can
skip the initialization in those cases.
Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
* Use SubscriptionId throughout TestResources
Fixes #1454
* Resolve PR feedback
* Default DeleteAfterHours to 48 for SDK team
Also makes a few other adjustments for subscriptions, like restoring the previous one if available and another was specified.
* Resolve PR feedback
* Change deployment mode to Complete
Also fixes an issue where if the user opted not to deploy to the same resource group, the script would continue execution anyway.
* Use consistent aka links to satisfy link checker
Only need it for the new Update-TestResources.ps1 script, but I wanted them to look consistent.
Co-authored-by: Heath Stewart <heaths@microsoft.com>
* Improve TestResources docs and logging
Resolves #1388
Resolves #1407
Also ignores cached service principal if it no longer exists. I ran into this while testing since I cleaned up old SPs.
* Add ADP test sub to look-up
Co-authored-by: Heath Stewart <heaths@microsoft.com>
* Cache created service principal for iteration
Useful when testing changes over and over again without passing your own -TestApplicationId and -TestApplicationSecret.
* Restore initial AzContext for New-TestResources
* Make sure PSBoundParameters is correct
Fixes #1177
Co-authored-by: Heath Stewart <heaths@microsoft.com>
* Add debugging link on resource deployment failures to log output
* Update aka link for live test help docs. Use here string and empty throw.
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
* Add debug flag to arm deployment command
* Only set debug preference when $CI is true
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
* Update subscription configuration schema to include new parameters
* Support platform specific arm template parameters and legacy hashtable format
* Update arm template parameter comment to include top level key
* Restore AdditionalParameters. Merge ArmTemplateParameters from stringified hash literal
* Handle duplicate keys more explicitly for arm and env vars
* Regenerate New-TestResources.ps1 markdown
* revert variable name to environmentVariables to fix post-scripts
* Handle empty arm template parameters better
* Remove arm template parameter merge logic from deploy template
* Add merge hashes function to New-TestResources.ps1
* Add merge hashes function to New-TestResources.ps1
* Add env variable overwrite warning. Use ContainsKey checks
* Temporarily manually fix invalid generated markdown links
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
This also adds previously-required parameters back into
@PSBoundParameters to pass down to pre- and post-scripts.
Co-authored-by: Heath Stewart <heaths@microsoft.com>
* Remove resource group asynchronously and do not wait for completion
* Verify resource group has reached Deleting state before exiting script
* Use $_ instead of $Error[0] for resource group removal handling
Co-authored-by: Ben Broderick Phillips <bebroder@microsoft.com>
* Simplify New-TestResources usage
* docs and windows check
* Update eng/common/TestResources/New-TestResources.ps1
Co-authored-by: Heath Stewart <heaths@outlook.com>
* update markdown
* make service directory the default parameter
* Fix links
* Doc change
Co-authored-by: Pavel Krymets <pavel@krymets.com>
Co-authored-by: Heath Stewart <heaths@outlook.com>