Enable/disable Mac agents: Dynamically obtain an Azure DevOps token via a service connection tied to a managed identity. Where the managed identity has access to the shared agent pool
mjbond-msft committed Sep 10, 2024
1 parent 47137d6 commit 961db71
Showing 3 changed files with 59 additions and 4 deletions.
2 changes: 0 additions & 2 deletions tools/devops/automation/templates/variables.yml
Expand Up @@ -40,5 +40,3 @@ variables:
value: 'wrench'
- name: BUILD_REVISION
value: azure-devops-$(Build.SourceVersion)
- name: MacPoolAccessToken
value: $(botdeploy--azdo--token--register--untrusted)
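Review bot: Dropping the MacPoolAccessToken entry at the end of variables.yml removes this pipeline's reference to $(botdeploy--azdo--token--register--untrusted), but nothing in the commit shows that stored token being retired. Any template that still uses $(MacPoolAccessToken) will now receive the unexpanded literal instead of a value, so a repository-wide search for that name belongs in this change, and the old token should be revoked once the service-connection path is confirmed working.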
31 changes: 30 additions & 1 deletion tools/devops/automation/templates/windows/reenable-mac.yml
Expand Up @@ -47,9 +47,38 @@ steps:
condition: always()
continueOnError: true

- template: azure-tools/az-client-update.yml@templates # AzureCLI step below requires that AzClient 2.x is installed on the agent
parameters:
platform: 'All' # Update Az tools for both Windows and Mac agents
version: '2.62.0'

# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
# Requires Azure client 2.x
- task: AzureCLI@2
displayName: 'AzDO.BearerToken based on service connection'
enabled: true
inputs:
azureSubscription: 'DevDiv - SharedUntrustedAgentPool-Manage'
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
# if this fails, check out this bash script that includes diagnostics:
# https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
# Note that the resource is specified to limit the token to Azure DevOps
$token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
Write-Host "Setting AzDO.BearerToken"
Write-Host "##vso[task.setvariable variable=AzDO.BearerToken;issecret=true]${token}"
- pwsh: |
Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\xamarin-macios\tools\devops\automation\scripts\MaciosCI.psd1
$vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $(MacPoolAccessToken)
$azdoBearerToken = "$(AzDO.BearerToken)"
$azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)
Write-Host "AzDO.BearerToken (hint): ${azdoBearerTokenHint}"
$vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $azdoBearerToken
# get the pool and the agent objects and enable the bot
$pool = $vsts.Pools.GetPool("$Env:MAC_AGENT_POOL")
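Review bot: The inlineScript of the AzureCLI@2 step does not check the result of `az account get-access-token`, so if the call returns nothing an empty AzDO.BearerToken can be published and the first visible symptom is an exception from `$azdoBearerToken.Substring(0, 8)` in the following pwsh step. Suggest failing where the token is obtained, for example `if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($token)) { throw 'Could not obtain an Azure DevOps token' }`, placed before the `##vso[task.setvariable ...]` line, so the error points at the service connection rather than at string handling.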
30 changes: 29 additions & 1 deletion tools/devops/automation/templates/windows/reserve-mac.yml
Expand Up @@ -64,13 +64,41 @@ steps:
AUTH_TOKEN_VSENG_XAMARIN_MAC_DEVICES_P12: ${{ parameters.xqaCertPass }}
AUTH_TOKEN_VSENG_XAMARIN_MAC_DEVICES_2_P12: ${{ parameters.xqaCertPass }}

- template: azure-tools/az-client-update.yml@templates # AzureCLI step below requires that AzClient 2.x is installed on the agent
parameters:
platform: 'All' # Update Az tools for both Windows and Mac agents
version: '2.62.0'

# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
# Requires Azure client 2.x
- task: AzureCLI@2
displayName: 'AzDO.BearerToken based on service connection'
enabled: true
inputs:
azureSubscription: 'DevDiv - SharedUntrustedAgentPool-Manage'
scriptType: 'pscore'
scriptLocation: 'inlineScript'
inlineScript: |
# if this fails, check out this bash script that includes diagnostics:
# https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
# Note that the resource is specified to limit the token to Azure DevOps
$token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
Write-Host "Setting AzDO.BearerToken"
Write-Host "##vso[task.setvariable variable=AzDO.BearerToken;issecret=true]${token}"
- pwsh: |
Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\xamarin-macios\tools\devops\automation\scripts\MaciosCI.psd1
New-Item -Path "$($Env:HOME)" -Name "remote_build_testing" -Force -ItemType "directory"
New-Item -Path "$($Env:HOME)/remote_build_testing" -Name "BuildId.txt" -ItemType "file" -Force -Value "$($Env:BUILD_BUILDID)"
$vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $(MacPoolAccessToken)
$azdoBearerToken = "$(AzDO.BearerToken)"
$azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)
Write-Host "AzDO.BearerToken (hint): ${azdoBearerTokenHint}"
$vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $azdoBearerToken
# get the pool and the agent objects and disable the bot
$pool = $vsts.Pools.GetPool("${{ parameters.macPool }}")
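Review bot: `$azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)` followed by Write-Host puts the first eight characters of a live bearer token in the build log; log masking applies to the full secret value, not to substrings of it. Suggest logging only whether the token is non-empty (or its length), and passing the secret through an `env:` mapping on the pwsh step instead of expanding `$(AzDO.BearerToken)` into the script text. The az-client-update template call and the AzureCLI@2 step are also a verbatim copy of the ones in reenable-mac.yml; a shared step template would keep the resource id and the pinned version '2.62.0' in one place.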
