From 978bc98444391c060a94b2485b8bec572a599ea8 Mon Sep 17 00:00:00 2001
From: Chou Hu
Date: Wed, 29 May 2024 13:23:42 +0800
Subject: [PATCH] feat: use MSI to upload VHDs to the storage container (#4440)
---
 .../.builder-release-template-windows.yaml | 3 ---
 .../templates/.builder-release-template.yaml | 3 ---
 ...ert-sig-to-classic-storage-account-blob.sh | 25 +++----------------
 3 files changed, 4 insertions(+), 27 deletions(-)
diff --git a/.pipelines/templates/.builder-release-template-windows.yaml b/.pipelines/templates/.builder-release-template-windows.yaml
index 2534354de54..312f4cdc058 100644
--- a/.pipelines/templates/.builder-release-template-windows.yaml
+++ b/.pipelines/templates/.builder-release-template-windows.yaml
@@ -181,9 +181,6 @@ steps:
 -e RESOURCE_GROUP_NAME="${AZURE_BUILD_RESOURCE_GROUP_NAME}" \
 -e LOCATION="${AZURE_BUILD_LOCATION}" \
 -e OS_TYPE="Windows" \
- -e CLASSIC_SA_CONNECTION_STRING="$(CLASSIC_SA_CONNECTION_STRING)" \
- -e OUTPUT_STORAGE_ACCOUNT_NAME=${OUTPUT_STORAGE_ACCOUNT_NAME} \
- -e OUTPUT_STORAGE_CONTAINER_NAME=${OUTPUT_STORAGE_CONTAINER_NAME} \
 -e CLASSIC_BLOB="$(STORAGE_ACCT_BLOB_URL)" \
 -e SIG_IMAGE_NAME=${SIG_IMAGE_NAME} \
 -e SIG_GALLERY_NAME=${SIG_GALLERY_NAME} \
diff --git a/.pipelines/templates/.builder-release-template.yaml b/.pipelines/templates/.builder-release-template.yaml
index 9db2dddb9c5..c75d03a575b 100644
--- a/.pipelines/templates/.builder-release-template.yaml
+++ b/.pipelines/templates/.builder-release-template.yaml
@@ -196,9 +196,6 @@ steps:
 -e LOCATION="${AZURE_LOCATION}" \
 -e OS_TYPE="Linux" \
 -e CLASSIC_BLOB=${CLASSIC_BLOB} \
- -e CLASSIC_SA_CONNECTION_STRING="$(CLASSIC_SA_CONNECTION_STRING)" \
- -e OUTPUT_STORAGE_ACCOUNT_NAME=${OUTPUT_STORAGE_ACCOUNT_NAME} \
- -e OUTPUT_STORAGE_CONTAINER_NAME=${OUTPUT_STORAGE_CONTAINER_NAME} \
 -e SIG_GALLERY_NAME=${SIG_GALLERY_NAME} \
 -e SIG_IMAGE_NAME=${SIG_IMAGE_NAME} \
 -e CAPTURED_SIG_VERSION=${captured_sig_version} \
diff --git a/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh b/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
index 63675cf4b09..56922f5c124 100755
--- a/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
+++ b/vhdbuilder/packer/convert-sig-to-classic-storage-account-blob.sh
@@ -1,8 +1,6 @@
 #!/bin/bash -e
 required_env_vars=(
- "CLASSIC_SA_CONNECTION_STRING"
- "OUTPUT_STORAGE_CONTAINER_NAME"
 "SUBSCRIPTION_ID"
 "RESOURCE_GROUP_NAME"
 "CAPTURED_SIG_VERSION"
@@ -11,23 +9,6 @@ required_env_vars=(
 "SIG_IMAGE_NAME"
 )
-start_date=$(date +"%Y-%m-%dT00:00Z" -d "-1 day")
-expiry_date=$(date +"%Y-%m-%dT00:00Z" -d "+1 year")
-if [[ "${OS_NAME,,}" != "windows" ]]; then
- [ -z "${OUTPUT_STORAGE_CONTAINER_NAME}" ] && echo "OUTPUT_STORAGE_CONTAINER_NAME should be set..." && exit 1
- echo "storage container name: ${OUTPUT_STORAGE_CONTAINER_NAME}"
- # max of 7 day expiration time when using user delegation SAS
- storage_sas_token=$(az storage container generate-sas --name ${OUTPUT_STORAGE_CONTAINER_NAME} --permissions acwlr --connection-string ${CLASSIC_SA_CONNECTION_STRING} --start ${start_date} --expiry ${expiry_date} | tr -d '"')
-else
- # we still need to use the original connection string when not using a system-assigned identity on 1ES pools
- storage_sas_token=$(az storage container generate-sas --name vhds --permissions acwlr --connection-string ${CLASSIC_SA_CONNECTION_STRING} --start ${start_date} --expiry ${expiry_date} | tr -d '"')
-fi
-
-if [ "$storage_sas_token" == "" ]; then
- echo "sas_token is empty"
- exit 1
-fi
-
 for v in "${required_env_vars[@]}"
 do
 if [ -z "${!v}" ]; then
@@ -86,9 +67,11 @@ echo "Converted $sig_resource_id to $disk_resource_id"
 # shellcheck disable=SC2102
 sas=$(az disk grant-access --ids $disk_resource_id --duration-in-seconds 3600 --query [accessSas] -o tsv)
-echo "Uploading $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"
+echo "Logging into azcopy with MSI"
+azcopy-preview login --identity
-azcopy-preview copy "${sas}" "${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd?${storage_sas_token}" --recursive=true
+echo "Uploading $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"
+azcopy-preview copy "${sas}" "${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd" --recursive=true || exit $?
 echo "Uploaded $disk_resource_id to ${CLASSIC_BLOB}/${CAPTURED_SIG_VERSION}.vhd"
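Review bot: The added `azcopy-preview login --identity` has no explicit failure check and does not name the identity it expects, while the copy two lines below it gets `|| exit $?`. The script's `-e` comes only from the shebang, which is not applied when the file is run as `bash <script>`, so I would write `azcopy-preview login --identity || exit $?` to match. If the build agent can carry more than one user-assigned identity, pinning it with `--identity-client-id <client-id-placeholder>` keeps the upload tied to the one identity that is meant to hold write access on the container. The script continues outside this hunk on both sides, so any later revocation of the disk SAS held in `sas` is not visible here.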