Add new AzureCLI authentication options for GenerateResourcesAndImage and Packer templates

[feliasson]

Description

This PR introduces new authentication options for the GenerateResourcesAndImage.ps1 helper script and the Packer templates for ubuntu and windows. By leveraging the use_azure_cli_auth optional value in Packer azure-arm builder (ref) this PR provides new ways to authenticate while building the runner-images.

• A new switch called UseAzureCliAuth is introduced in the helper script.
  • Solely relies on the credentials that you set in AzureCLI using az login.
  • Skips the SPN-registration even if no client id is provided in AzureClientId parameter
  • Ignores all other authentication configurations if enabled (see parameter explanation)
  • It defaults to false in both the helper-script and packer-templates and does not break the approach of using SPN authentication

What advantages does using the new switch give?

• No longer needed to have privileged Microsoft Entra roles such as Application Developer or Application Administrator to run script / build without AzureClientId and AzureClientSecret inputs.

  Directory permission is needed for the current user to register the application. For how to configure, please refer 
  'https://docs.microsoft.com/azure/azure-resource-manager/resource-group-create-service-principal-portal'. Original error: 
  Insufficient privileges to complete the operation.
  

• No longer needed to preregister a Service Principal with Secret and input it for the AzureClientId and AzureClientSecret inputs.
• Solves having to rotate SPN secrets
• Can easily be used with AzureCLI@2 task for Azure Pipelines
• Can easily be used with GitHub Action for Azure CLI

Azure Pipeline example using new UseAzureCliAuth switch

Service-connection is using Azure managed identity and federated credentials

steps:

  # Using Azure CLI credentials for Packer
  - task: AzureCLI@2
    displayName: Generate ${{ parameters.imageType }} Image
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        git clone https://github.com/feliasson/runner-images.git # Temp add for my fork
        cd ./runner-images
        git checkout UseAzureCliAuth-1 # Temp add for my branch
        cd ./helpers
        Import-Module ./GenerateResourcesAndImage.ps1
        
        GenerateResourcesAndImage `
        -SubscriptionId ${{ parameters.subscriptionId }} `
        -ResourceGroupName temp-azcli-runner-image-rg `
        -ImageType ${{ parameters.imageType }} `
        -AzureLocation ${{ parameters.location }} `
        -ImageGenerationRepositoryRoot $(Build.SourcesDirectory)/runner-images `
        -ReuseResourceGroup `
        -UseAzureCliAuth `
        -Verbose

Azure Pipeline example using old SPN method

Service-connection is using Azure managed identity and federated credentials

  steps:

  # Using SPN credentials for Packer
  - task: AzureCLI@2
    displayName: Generate ${{ parameters.imageType }} Image
    inputs:
      azureSubscription: ${{ parameters.azureSubscription }}
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        git clone https://github.com/feliasson/runner-images.git # Temp add for my fork
        cd ./runner-images
        git checkout UseAzureCliAuth-1 # Temp add for my branch
        cd ./helpers
        Import-Module ./GenerateResourcesAndImage.ps1
        
        GenerateResourcesAndImage `
        -SubscriptionId ${{ parameters.subscriptionId }} `
        -ResourceGroupName temp-spn-runner-image-rg `
        -ImageType ${{ parameters.imageType }} `
        -AzureLocation ${{ parameters.location }} `
        -ImageGenerationRepositoryRoot $(Build.SourcesDirectory)/runner-images `
        -AzureClientId $(appId) `
        -AzureClientSecret $(appSecret) `
        -ReuseResourceGroup `
        -Verbose

Running locally using my az login credentials only

Related issue:

#10236 - I added the suggestion to let active az login be used if found

Check list

• Related issue / work item is attached
• Tests are written (if applicable)
• Documentation is updated (if applicable) - I didn't see any other optional parameters documented
• Changes are tested and related VM images are successfully generated

[feliasson]

Fixed slight adjustment to suggestion in #10236 to properly handle the error if not logged in, it would not enter the catch block otherwise

[kedar-1]

Tested UseAzureCliAuth option based on the code above and works as expected.

[feliasson]

@mikhailkoliada @shamil-mubarakshin
You guys made the latest commits to the GenerateResourcesAndImage.ps1 helper script. What do I need to do to get some traction on this PR? I have waited 3 weeks already.

[flannoo]

We are currently waiting for this as well, since we prefer to use OIDC authentication (federated) instead of client secrets in our devops pipelines. Would be great if this can be released short term.

Thanks!

[invisiblepancake]

i got that azufe certific in an milestone oslt. check where its from =) its been an few days bender.