generated from hashicorp/packer-plugin-scaffolding
-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[V2] Add OIDC Test, Cut V2.0.0 (#331)
* Re-introduce OIDC test and set version to v2 * Remove un-used bad example and update oidc test to use PAcker v1.9.1 to avoid locally built plugin issue * Only run this test on main * Explain test * add TODO reminding us to update packer version once locally installed plugins issue is fixed
- Loading branch information
1 parent
95012a5
commit 2e2bab5
Showing
4 changed files
with
68 additions
and
30 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# taken and modified from https://github.com/hashicorp/go-azure-sdk/blob/main/.github/workflows/pr-acceptance-tests.yml | ||
# This test requires creating a GitHub OIDC app registration | ||
# First create an Azure Application Registration | ||
# Then in `Certificates & secrets` add Federated Credentials | ||
# select GitHub Actions deploying Azure Resources | ||
# And add the repository and branch | ||
# Then set the relevant subscription/client IDs in GitHub Action secrets and you're good to go | ||
# More detailed instrucitons for configuring GHA Azure OIDC Authentication are available here https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure | ||
name: OIDC Example - Testing OIDC integration in the SDK branch | ||
on: | ||
push: | ||
branches: | ||
- main | ||
|
||
permissions: | ||
contents: read | ||
id-token: write | ||
|
||
jobs: | ||
secrets-check: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
available: "${{ steps.check-secrets.outputs.available }}" | ||
steps: | ||
# we check for the ACTIONS_ID_TOKEN_REQUEST_URL variable as a proxy for other secrets | ||
# it will be unset when running for a PR from a fork | ||
- id: check-secrets | ||
run: | | ||
if [[ "${ACTIONS_ID_TOKEN_REQUEST_URL}" == "" ]]; then | ||
echo "available=false" | tee ${GITHUB_OUTPUT} | ||
else | ||
echo "available=true" | tee ${GITHUB_OUTPUT} | ||
fi | ||
test-oidc: | ||
runs-on: ubuntu-latest | ||
needs: [secrets-check] | ||
if: needs.secrets-check.outputs.available == 'true' | ||
steps: | ||
- name: Set OIDC Token | ||
run: | | ||
echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV} | ||
- name: Install Go | ||
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 | ||
with: | ||
go-version: '1.19.5' | ||
|
||
- name: Checkout | ||
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
|
||
- name: Setup `packer` | ||
uses: hashicorp/setup-packer@main | ||
id: setup | ||
with: | ||
# TODO Update this to latest after v1.9.3 is released | ||
version: '1.9.1' | ||
|
||
- name: Build the plugin | ||
run: make | ||
|
||
- name: Try to run an AzureARM build with our OIDC token | ||
run: packer build -force ./example/oidc-example.pkr.hcl | ||
env: | ||
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID}} | ||
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters