Get pool subnet using separate workload identity

benbp · benbp · commit e324291349a3 · 2024-06-26T16:58:26.000-04:00
diff --git a/eng/common/TestResources/New-TestResources.ps1 b/eng/common/TestResources/New-TestResources.ps1
@@ -119,28 +119,6 @@ param (
 
 . $PSScriptRoot/SubConfig-Helpers.ps1
 
-$azsdkPipelineVnetWestUS = '/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/resourceGroups/azsdk-pools/providers/Microsoft.Network/virtualNetworks/azsdk-pipeline-vnet-wus'
-$azsdkPipelineVnetCanadaCentral = '/subscriptions/a18897a6-7e44-457d-9260-f2854c0aca42/resourceGroups/azsdk-pools/providers/Microsoft.Network/virtualNetworks/azsdk-pipeline-vnet-cnc'
-$azsdkPipelineSubnetMap = @{
-    'azsdk-pool-mms-ubuntu-1804-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-1804-general')
-    'azsdk-pool-mms-ubuntu-2004-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-2004-general')
-    'azsdk-pool-mms-ubuntu-2204-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-ubuntu-2204-general')
-    'azsdk-pool-mms-win-2019-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-win-2019-general')
-    'azsdk-pool-mms-win-2022-general' = ($azsdkPipelineVnetWestUS + '/subnets/pipeline-subnet-win-2022-general')
-    'azsdk-pool-mms-ubuntu-1804-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-ubuntu-1804-storage')
-    'azsdk-pool-mms-ubuntu-2004-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-ubuntu-2004-storage')
-    'azsdk-pool-mms-win-2019-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-win-2019-storage')
-    'azsdk-pool-mms-win-2022-storage' = ($azsdkPipelineVnetCanadaCentral + '/subnets/pipeline-subnet-win-2022-storage')
-    'Azure Pipelines' = ''
-}
-
-$poolSubnet = ''
-if ($env:Pool) {
-    $poolSubnet = $azsdkPipelineSubnetMap[$env:Pool]
-} else {
-    Write-Warning "Pool environment variable is not defined! Subnet allowlisting will not work and live test resources may be non-compliant."
-}
-
 if (!$ServicePrincipalAuth) {
     # Clear secrets if not using Service Principal auth. This prevents secrets
     # from being passed to pre- and post-scripts.
@@ -785,8 +763,8 @@ try {
         $templateParameters.Add('testApplicationSecret', $TestApplicationSecret)
     }
     # Only add subnets when running in an azure pipeline context
-    if ($CI -and $Environment -eq 'AzureCloud' -and $poolSubnet) {
-        $templateParameters.Add('azsdkPipelineSubnetList', @($poolSubnet))
+    if ($CI -and $Environment -eq 'AzureCloud' -and $env:PoolSubnet) {
+        $templateParameters.Add('azsdkPipelineSubnetList', @($env:PoolSubnet))
     }
 
     $defaultCloudParameters = LoadCloudConfig $Environment
@@ -873,9 +851,9 @@ try {
                 if ($rules -and $rules.DefaultAction -eq "Allow") {
                     Write-Host "Restricting network rules in storage account '$($account.Name)' to deny access by default"
                     Retry { Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $account.Name -DefaultAction Deny }
-                    if ($CI -and $poolSubnet) {
-                        Write-Host "Enabling access to '$($account.Name)' from pipeline subnet $poolSubnet"
-                        Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -VirtualNetworkResourceId $poolSubnet }
+                    if ($CI -and $env:PoolSubnet) {
+                        Write-Host "Enabling access to '$($account.Name)' from pipeline subnet $($env:PoolSubnet)"
+                        Retry { Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroupName -Name $account.Name -VirtualNetworkResourceId $env:PoolSubnet }
                     } elseif ($AllowIpRanges) {
                         Write-Host "Enabling access to '$($account.Name)' to $($AllowIpRanges.Length) IP ranges"
                         $ipRanges = $AllowIpRanges | ForEach-Object {
diff --git a/eng/common/TestResources/build-test-resource-config.yml b/eng/common/TestResources/build-test-resource-config.yml
@@ -14,6 +14,24 @@ parameters:
     default: null
 
 steps:
+  - task: AzurePowerShell@5
+    displayName: Set Pipeline Subnet Info
+    env: ${{ parameters.EnvVars }}
+    inputs:
+      azureSubscription: azure-sdk-tests
+      azurePowerShellVersion: LatestVersion
+      pwsh: true
+      ScriptType: InlineScript
+      Inline: |
+        if ($env:Pool -eq 'Azure Pipelines') {
+          Write-Host "Skipping pool subnet lookup when running on an Azure Pipelines hosted pool"
+          Write-Host "##vso[task.setvariable variable=PoolSubnet;]"
+          exit 0
+        }
+        $poolSubnet = (Get-AzResource -ResourceGroupName azsdk-pools -Name $env:Pool -ExpandProperties).Properties.networkProfile.subnetId
+        Write-Host "Setting pipeline subnet env variable PoolSubnet to '$poolSubnet'"
+        Write-Host "##vso[task.setvariable variable=PoolSubnet;]$poolSubnet"
+
   - pwsh: |
       . ./eng/common/TestResources/SubConfig-Helpers.ps1
 
diff --git a/eng/common/TestResources/deploy-test-resources.yml b/eng/common/TestResources/deploy-test-resources.yml
@@ -46,6 +46,7 @@ steps:
       displayName: Deploy test resources
       env:
         TEMP: $(Agent.TempDirectory)
+        PoolSubnet: $(PoolSubnet)
         ${{ insert }}: ${{ parameters.EnvVars }}
       inputs:
         azureSubscription: ${{ parameters.ServiceConnection }}
@@ -98,4 +99,5 @@ steps:
       displayName: Deploy test resources
       env:
         TEMP: $(Agent.TempDirectory)
+        PoolSubnet: $(PoolSubnet)
         ${{ insert }}: ${{ parameters.EnvVars }}
