Skip to content

Commit 618f4df

Browse files
benbpbenbp
committed
Use pool subnet map to reduce number of subnets added to live test resources
1 parent 47adabb commit 618f4df

1 file changed

Lines changed: 29 additions & 20 deletions

File tree

eng/common/TestResources/New-TestResources.ps1

Lines changed: 29 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -106,18 +106,29 @@ param (
106106

107107
. $PSScriptRoot/SubConfig-Helpers.ps1
108108

109-
$azsdkPipelineVnet = "/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/resourceGroups/azsdk-pools/providers/Microsoft.Network/virtualNetworks/azsdk-pipeline-vnet-wus"
110-
$azsdkPipelineSubnets = @(
111-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-ubuntu-1804-general"),
112-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-ubuntu-2004-general"),
113-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-ubuntu-2204-general"),
114-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-win-2019-general"),
115-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-win-2022-general"),
116-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-ubuntu-1804-storage"),
117-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-ubuntu-2004-storage"),
118-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-win-2019-storage"),
119-
($azsdkPipelineVnet + "/subnets/pipeline-subnet-win-2022-storage")
120-
)
109+
$azsdkPipelineVnetWestUS = '/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/resourceGroups/azsdk-pools/providers/Microsoft.Network/virtualNetworks/azsdk-pipeline-vnet-wus'
110+
$azsdkPipelineVnetCanadaCentral = '/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/resourceGroups/azsdk-pools/providers/Microsoft.Network/virtualNetworks/azsdk-pipeline-vnet-cnc'
111+
$azsdkPipelineSubnetMap = @{
112+
'azsdk-pool-mms-ubuntu-1804-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-1804-general')
113+
'azsdk-pool-mms-ubuntu-2004-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-2004-general')
114+
'azsdk-pool-mms-ubuntu-2204-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-2204-general')
115+
'azsdk-pool-mms-win-2019-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-win-2019-general')
116+
'azsdk-pool-mms-win-2022-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-win-2022-general')
117+
'azsdk-pool-mms-ubuntu-1804-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-ubuntu-1804-storage')
118+
'azsdk-pool-mms-ubuntu-2004-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-ubuntu-2004-storage')
119+
'azsdk-pool-mms-win-2019-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-win-2019-storage')
120+
'azsdk-pool-mms-win-2022-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-win-2022-storage')
121+
'Azure Pipelines' = ''
122+
}
123+
124+
$poolSubnet = ''
125+
if ($env:Pool) {
126+
$poolSubnet = $azsdkPipelineSubnetMap[$env:Pool]
127+
} elseif ($env:pool) {
128+
$poolSubnet = $azsdkPipelineSubnetMap[$env:pool]
129+
} else {
130+
Write-Warning "Pool environment variable is not defined! Subnet allowlisting will not work and live test resources may be non-compliant."
131+
}
121132

122133
if (!$ServicePrincipalAuth) {
123134
# Clear secrets if not using Service Principal auth. This prevents secrets
@@ -763,8 +774,8 @@ try {
763774
$templateParameters.Add('testApplicationSecret', $TestApplicationSecret)
764775
}
765776
# Only add subnets when running in an azure pipeline context
766-
if ($CI -and $Environment -eq 'AzureCloud') {
767-
$templateParameters.Add('azsdkPipelineSubnetList', $azsdkPipelineSubnets)
777+
if ($CI -and $Environment -eq 'AzureCloud' -and $poolSubnet) {
778+
$templateParameters.Add('azsdkPipelineSubnetList', @($poolSubnet))
768779
}
769780

770781
$defaultCloudParameters = LoadCloudConfig $Environment
@@ -851,12 +862,10 @@ try {
851862
if ($rules -and $rules.DefaultAction -eq "Allow") {
852863
Write-Host "Restricting network rules in storage account '$($account.Name)' to deny access by default"
853864
Retry { Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $account.Name -DefaultAction Deny }
854-
if ($CI) {
855-
Write-Host "Enabling access to '$($account.Name)' from pipeline subnets"
856-
foreach ($subnet in $azsdkPipelineSubnets) {
857-
Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -VirtualNetworkResourceId $subnet }
858-
}
859-
} else {
865+
if ($CI -and $poolSubnet) {
866+
Write-Host "Enabling access to '$($account.Name)' from pipeline subnet $poolSubnet"
867+
Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -VirtualNetworkResourceId $poolSubnet }
868+
} elseif (!$CI) {
860869
Write-Host "Enabling access to '$($account.Name)' from client IP"
861870
$clientIp ??= Retry { Invoke-RestMethod -Uri 'https://icanhazip.com/' } # cloudflare owned ip site
862871
Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -IPAddressOrRange $clientIp | Out-Null }

0 commit comments

Comments
 (0)