add managed identities (#23)

* add managed identities for linux-based ACI devops agents. thanks @benjguin

.gitignore

@@ -46,4 +46,7 @@ go.sum
 Gemfile.lock
 
 # Mac folder attribute file
-.DS_Store
+.DS_Store
+
+# a developer can copy his/her own files in a me/ folder without having them in git
+**/me/

Dockerfile

@@ -20,6 +20,12 @@ ENV ARM_TENANT_ID=${BUILD_ARM_TENANT_ID}
 ENV ARM_TEST_LOCATION=${BUILD_ARM_TEST_LOCATION}
 ENV ARM_TEST_LOCATION_ALT=${BUILD_ARM_TEST_LOCATION_ALT}
 
+# Set environment variables for go.
+ENV AZURE_SUBSCRIPTION_ID=${BUILD_ARM_SUBSCRIPTION_ID}
+ENV AZURE_CLIENT_ID=${BUILD_ARM_CLIENT_ID}
+ENV AZURE_CLIENT_SECRET=${BUILD_ARM_CLIENT_SECRET}
+ENV AZURE_TENANT_ID=${BUILD_ARM_TENANT_ID}
+
 # Set work directory.
 RUN mkdir -p /go/src/${MODULE_NAME}
 COPY . /go/src/${MODULE_NAME}

README.md

@@ -36,6 +36,7 @@ The configuration below can be used to deploy Linux DevOps agents using Azure Co
 ```hcl
 module "aci-devops-agent" {
   source                  = "Azure/aci-devops-agent/azurerm"
+  version                 = "0.9.2"
   resource_group_name     = "rg-linux-devops-agents"
   location                = "westeurope"
   enable_vnet_integration = false
@@ -49,6 +50,8 @@ module "aci-devops-agent" {
     docker_tag        = "0.2-linux"
     cpu               = 1
     memory            = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   azure_devops_org_name              = "DEVOPS_ORG_NAME"
   azure_devops_personal_access_token = "DEVOPS_PERSONAL_ACCESS_TOKEN"
@@ -70,6 +73,7 @@ terraform destroy
 ```
 
 #### Terraform ACI DevOps Agents - Deploy Linux agents in an existing virtual network
+
 *Note: Virtual Network integration is only supported for Linux Containers in ACI. This part [does not apply to Windows Containers](https://docs.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#other-limitations).*
 The configuration below can be used to deploy Azure DevOps agents in Linux containers, in an existing virtual network.
 
@@ -104,6 +108,7 @@ resource "azurerm_subnet" "aci-subnet" {
 
 module "aci-devops-agent" {
   source                   = "Azure/aci-devops-agent/azurerm"
+  version                  = "0.9.2"
   resource_group_name      = "rg-linux-devops-agents"
   location                 = "westeurope"
   enable_vnet_integration  = true
@@ -120,6 +125,8 @@ module "aci-devops-agent" {
     docker_tag        = "0.2-linux"
     cpu               = 1
     memory            = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
 
   azure_devops_org_name              = "DEVOPS_ORG_NAME"
@@ -148,6 +155,7 @@ The configuration below can be used to deploy Azure DevOps Linux and Windows age
 ```hcl
 module "aci-devops-agent" {
   source                  = "Azure/aci-devops-agent/azurerm"
+  version                 = "0.9.2"
   resource_group_name     = "rg-aci-devops-agents-we"
   location                = "westeurope"
   enable_vnet_integration = false
@@ -161,6 +169,8 @@ module "aci-devops-agent" {
     docker_tag        = "0.2-linux"
     cpu               = 1
     memory            = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
 
   windows_agents_configuration = {
@@ -199,6 +209,7 @@ This module allows to download the Docker images to use for the agents from a pr
 ```hcl
 module "aci-devops-agent" {
   source                  = "Azure/aci-devops-agent/azurerm"
+  version                 = "0.9.2"
   resource_group_name     = "rg-linux-devops-agents"
   location                = "westeurope"
   enable_vnet_integration = false
@@ -212,6 +223,8 @@ module "aci-devops-agent" {
     docker_tag        = "0.2-linux"
     cpu               = 1
     memory            = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   azure_devops_org_name              = "DEVOPS_ORG_NAME"
   azure_devops_personal_access_token = "DEVOPS_PERSONAL_ACCESS_TOKEN"
@@ -238,6 +251,63 @@ You can destroy everything using `terraform destroy`:
 terraform destroy
 ```
 
+#### Terraform ACI DevOps Agents - Assign identities
+
+This module allows to assign both system and user assigned managed identities to the containers:
+
+NB: managed identities for container groups have limitations. Only Linux container groups that are not deployed to a virtual network can be assigned managed identities. See <https://docs.microsoft.com/en-us/azure/container-instances/container-instances-virtual-network-concepts#other-limitations> and <https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity> for more details.
+
+```hcl
+resource "azurerm_user_assigned_identity" "example1" {
+  resource_group_name = "rg-terraform-azure-devops-agents-e2e-tests-${var.random_suffix}"
+  location            = var.location
+
+  name = "identity1"
+}
+resource "azurerm_user_assigned_identity" "example2" {
+  resource_group_name = "rg-terraform-azure-devops-agents-e2e-tests-${var.random_suffix}"
+  location            = var.location
+
+  name = "identity2"
+}
+module "aci-devops-agent" {
+  source                  = "Azure/aci-devops-agent/azurerm"
+  version                 = "0.9.2"
+  resource_group_name     = "rg-linux-devops-agents"
+  location                = "westeurope"
+  enable_vnet_integration = false
+  create_resource_group   = true
+
+  linux_agents_configuration = {
+    agent_name_prefix = "linux-agent"
+    agent_pool_name   = "DEVOPS_POOL_NAME"
+    count             = 2,
+    docker_image      = "jcorioland.azurecr.io/azure-devops/aci-devops-agent"
+    docker_tag        = "0.2-linux"
+    cpu               = 1
+    memory            = 4
+    user_assigned_identity_ids = [azurerm_user_assigned_identity.example1.id, data.azurerm_identity.example2.id]
+    use_system_assigned_identity = true
+  }
+  azure_devops_org_name              = "DEVOPS_ORG_NAME"
+  azure_devops_personal_access_token = "DEVOPS_PERSONAL_ACCESS_TOKEN"
+}
+```
+
+Then, you can just Terraform it:
+
+```bash
+terraform init
+terraform plan -out aci-linux-devops-agents.plan
+terraform apply "aci-linux-devops-agents.plan"
+```
+
+You can destroy everything using `terraform destroy`:
+
+```bash
+terraform destroy
+```
+
 ## Test
 
 ### Configurations
@@ -260,7 +330,7 @@ We provide 2 ways to build, run, and test the module on a local development mach
 We provide simple script to quickly set up module development environment:
 
 ```sh
-$ curl -sSL https://raw.githubusercontent.com/Azure/terramodtest/master/tool/env_setup.sh | sudo bash
+curl -sSL https://raw.githubusercontent.com/Azure/terramodtest/master/tool/env_setup.sh | sudo bash
 ```
 
 #### Run test
@@ -268,9 +338,9 @@ $ curl -sSL https://raw.githubusercontent.com/Azure/terramodtest/master/tool/env
 Then simply run it in local shell:
 
 ```sh
-$ bundle install
-$ rake build
-$ rake full
+bundle install
+rake build
+rake full
 ```
 
 ### Docker
@@ -286,13 +356,20 @@ We provide a Dockerfile to build a new image based `FROM` the `microsoft/terrafo
 This builds the custom image:
 
 ```sh
-$ docker build --build-arg BUILD_ARM_SUBSCRIPTION_ID=$ARM_SUBSCRIPTION_ID --build-arg BUILD_ARM_CLIENT_ID=$ARM_CLIENT_ID --build-arg BUILD_ARM_CLIENT_SECRET=$ARM_CLIENT_SECRET --build-arg BUILD_ARM_TENANT_ID=$ARM_TENANT_ID -t azure-devops-agent-aci-test .
+docker build \
+    --build-arg BUILD_ARM_SUBSCRIPTION_ID=$ARM_SUBSCRIPTION_ID \
+    --build-arg BUILD_ARM_CLIENT_ID=$ARM_CLIENT_ID \
+    --build-arg BUILD_ARM_CLIENT_SECRET=$ARM_CLIENT_SECRET \
+    --build-arg BUILD_ARM_TENANT_ID=$ARM_TENANT_ID \
+    -t azure-devops-agent-aci-test .
 ```
 
+NB: cf `az ad sp create-for-rbac --help` to get build-arg values
+
 This runs the build and unit tests:
 
 ```sh
-$ docker run --rm \
+docker run --rm \
     -e TF_VAR_azure_devops_org_name=$AZDO_ORG_NAME \
     -e TF_VAR_azure_devops_personal_access_token=$AZDO_PAT \
     -e TF_VAR_azure_devops_pool_name=$AZDO_POOL_NAME \
@@ -302,7 +379,7 @@ $ docker run --rm \
 This runs the end to end tests:
 
 ```sh
-$ docker run --rm \
+docker run --rm \
     -e TF_VAR_azure_devops_org_name=$AZDO_ORG_NAME \
     -e TF_VAR_azure_devops_personal_access_token=$AZDO_PAT \
     -e TF_VAR_azure_devops_pool_name=$AZDO_POOL_NAME \
@@ -312,7 +389,7 @@ $ docker run --rm \
 This runs the full tests:
 
 ```sh
-$ docker run --rm \
+docker run --rm \
     -e TF_VAR_azure_devops_org_name=$AZDO_ORG_NAME \
     -e TF_VAR_azure_devops_personal_access_token=$AZDO_PAT \
     -e TF_VAR_azure_devops_pool_name=$AZDO_POOL_NAME \

Rakefile

@@ -30,7 +30,7 @@ end
 
 namespace :integration do
   task :test do
-    success = system ("cd test && go test -v ./ -timeout 30m -parallel 1")
+    success = system ("cd test && go test -v ./ -timeout 60m -parallel 1")
     if not success 
       raise "ERROR: Go test failed!\n".red
     end

main.tf

@@ -19,6 +19,15 @@ data "azurerm_subnet" "subnet" {
   resource_group_name  = var.vnet_resource_group_name
 }
 
+locals {
+  # umi == user managed identity, smi == system managed identity
+  use_umi                    = length(var.linux_agents_configuration.user_assigned_identity_ids) > 0
+  use_smi                    = var.linux_agents_configuration.use_system_assigned_identity
+  identity_block_smi         = local.use_smi && !local.use_umi ? [1] : []
+  identity_block_umi         = local.use_umi && !local.use_smi ? [1] : []
+  identity_block_umi_and_smi = local.use_umi && local.use_smi ? [1] : []
+}
+
 # Linux Agents - deployed only if variable linux_agents_configuration.count > 0
 
 resource "azurerm_network_profile" "linux_network_profile" {
@@ -78,6 +87,31 @@ resource "azurerm_container_group" "linux-container-group" {
       server   = var.image_registry_credential.server
     }
   }
+
+  # identity block generated depending on cases
+  # if a system assigned managed identity only is requested
+  dynamic "identity" {
+    for_each = local.identity_block_smi
+    content {
+      type = "SystemAssigned"
+    }
+  }
+  # if user assigned managed identities only are requested
+  dynamic "identity" {
+    for_each = local.identity_block_umi
+    content {
+      type         = "UserAssigned"
+      identity_ids = var.linux_agents_configuration.user_assigned_identity_ids
+    }
+  }
+  # if both system and user assigned managed identities are requested
+  dynamic "identity" {
+    for_each = local.identity_block_umi_and_smi
+    content {
+      type         = "SystemAssigned, UserAssigned"
+      identity_ids = var.linux_agents_configuration.user_assigned_identity_ids
+    }
+  }
 }
 
 # Windows Agents - deployed only if variable windows_agents_configuration.count > 0

test/azure_devops_agent_aci_test.go

@@ -6,6 +6,7 @@ import (
 	"math/rand"
 	"os"
 	"strconv"
+	"strings"
 	"testing"
 	"time"
 
@@ -13,6 +14,8 @@ import (
 	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
 	"github.com/microsoft/azure-devops-go-api/azuredevops"
 	"github.com/microsoft/azure-devops-go-api/azuredevops/taskagent"
+	"github.com/Azure/azure-sdk-for-go/services/containerinstance/mgmt/2020-11-01/containerinstance"
+	"github.com/Azure/go-autorest/autorest/azure/auth"
 )
 
 // This function tests the deployment of Azure DevOps Linux agents
@@ -78,6 +81,94 @@ func TestDeployAzureDevOpsLinuxAgents(t *testing.T) {
 	})
 }
 
+// This function tests the deployment of Azure DevOps Linux agents with managed identities
+func TestDeployAzureDevOpsLinuxAgentsWithManagedIdentities(t *testing.T) {
+	t.Parallel()
+
+	fixtureFolder := "./fixture/linux-agents-managed-identities"
+
+	// generate a random suffix for the test
+	rand.Seed(time.Now().UnixNano())
+	randomInt := rand.Intn(9999)
+	randomSuffix := strconv.Itoa(randomInt)
+	os.Setenv("TF_VAR_random_suffix", randomSuffix)
+
+	// randomize the agent pool name
+	devopsPoolName := os.Getenv("TF_VAR_azure_devops_pool_name")
+	testPoolName := fmt.Sprintf("%s-%s", devopsPoolName, randomSuffix)
+	os.Setenv("TF_VAR_azure_devops_pool_name", testPoolName)
+
+	devopsOrganizationName := os.Getenv("TF_VAR_azure_devops_org_name")
+	devopsPersonalAccessToken := os.Getenv("TF_VAR_azure_devops_personal_access_token")
+	devopsOrganizationURL := fmt.Sprintf("https://dev.azure.com/%s", devopsOrganizationName)
+
+	defer deleteAzureDevOpsAgentTestPool(testPoolName, devopsOrganizationURL, devopsPersonalAccessToken)
+	err := createAzureDevOpsAgentTestPool(testPoolName, devopsOrganizationURL, devopsPersonalAccessToken)
+	if err != nil {
+		t.Fatalf("Cannot create Azure DevOps agent pool for the test: %v", err)
+	}
+
+	// Deploy the example
+	test_structure.RunTestStage(t, "setup", func() {
+		terraformOptions := configureTerraformOptions(t, fixtureFolder)
+
+		// Save the options so later test stages can use them
+		test_structure.SaveTerraformOptions(t, fixtureFolder, terraformOptions)
+
+		// This will init and apply the resources and fail the test if there are any errors
+		terraform.InitAndApply(t, terraformOptions)
+	})
+
+	// Check whether the length of output meets the requirement
+	test_structure.RunTestStage(t, "validate", func() {
+		// add wait time for ACI to get connectivity
+		time.Sleep(45 * time.Second)
+
+		// ensure deployment was successful
+		expectedAgentsCount := 2
+
+		actualAgentsCount, err := getAgentsCount(testPoolName, devopsOrganizationURL, devopsPersonalAccessToken)
+
+		if err != nil {
+			t.Fatalf("Cannot retrieve the number of agents that were deployed: %v", err)
+		}
+
+		if expectedAgentsCount != actualAgentsCount {
+			t.Fatalf("Test failed. Expected number of agents is %d. Actual number of agents is %d", expectedAgentsCount, actualAgentsCount)
+		}
+
+		// ensure managed identities were assigned: 1 system identity, 2 user assigned identities
+		expectedAgentSystemIdentitiesCount := 1
+		expectedAgentUserAssignedIdentitiesCount := 2
+
+		terraformOptions := test_structure.LoadTerraformOptions(t, fixtureFolder)
+		// remove quotes because of https://github.com/hashicorp/terraform/issues/27100
+		resourceGroupName := removeQuotes(terraform.Output(t, terraformOptions, "resource_group_name"))
+		linuxContainerGroupName := removeQuotes(terraform.Output(t, terraformOptions, "linux_container_group_name"))
+
+		systemIdentitiesCount, userAssignedIdentitiesCount, err := getAgentIdentitiesCount(resourceGroupName, linuxContainerGroupName)
+
+		if err != nil {
+			t.Fatalf("Cannot retrieve the identities for agents that were deployed: %v", err)
+		}
+
+		if expectedAgentSystemIdentitiesCount != systemIdentitiesCount || expectedAgentUserAssignedIdentitiesCount != userAssignedIdentitiesCount {
+			t.Fatalf("Test failed. System identities: %d (actual) vs %d (expected), user assigned identities %d (actual) vs %d (expected)", 
+			systemIdentitiesCount, expectedAgentSystemIdentitiesCount, userAssignedIdentitiesCount, expectedAgentUserAssignedIdentitiesCount)
+		}
+
+		if expectedAgentUserAssignedIdentitiesCount != userAssignedIdentitiesCount {
+			t.Fatalf("Test failed. Expected number of agent user assigned identities is %d. Actual number of agent user assigned identities is %d", expectedAgentUserAssignedIdentitiesCount, userAssignedIdentitiesCount)
+		}
+	})
+
+	// At the end of the test, clean up any resources that were created
+	test_structure.RunTestStage(t, "teardown", func() {
+		terraformOptions := test_structure.LoadTerraformOptions(t, fixtureFolder)
+		terraform.Destroy(t, terraformOptions)
+	})
+}
+
 // This function tests the deployment of Azure DevOps Linux agents into an existing virtual network
 func TestDeployAzureDevOpsLinuxAgentsInVirtualNetwork(t *testing.T) {
 	t.Parallel()
@@ -330,6 +421,38 @@ func getAgentsCount(devopsPoolName string, devopsOrganizationURL string, devopsP
 	return len(*agents), nil
 }
 
+func getAgentIdentitiesCount(resourceGroupName string, containerGroupName string) (int, int, error) {
+	systemAssignedIdentitiesCount := 0
+	userAssignedIdentitiesCount := 0
+
+	azSubscriptionId := os.Getenv("AZURE_SUBSCRIPTION_ID")
+	ctx := context.Background()
+
+	authorizer, err := auth.NewAuthorizerFromEnvironment()
+	if err != nil {
+		return -1, -1, err
+	}
+
+	containerGroupsClient := containerinstance.NewContainerGroupsClient(azSubscriptionId)
+	containerGroupsClient.Authorizer = authorizer
+	containerGroup, err := containerGroupsClient.Get(ctx, resourceGroupName, containerGroupName)
+	if err != nil {
+		return -1, -1, err
+	}
+
+	if containerGroup.Identity != nil {
+		if strings.Contains(fmt.Sprintf("%s", containerGroup.Identity.Type), "SystemAssigned") {
+			systemAssignedIdentitiesCount = 1
+		}
+
+		if containerGroup.Identity.UserAssignedIdentities != nil {
+			userAssignedIdentitiesCount = len(containerGroup.Identity.UserAssignedIdentities)
+		}
+	}
+
+	return systemAssignedIdentitiesCount, userAssignedIdentitiesCount, nil
+}
+
 func createAzureDevOpsAgentTestPool(devopsPoolName string, devopsOrganizationURL string, devopsPersonalAccessToken string) error {
 	ctx := context.Background()
 	devopsConnection := azuredevops.NewPatConnection(devopsOrganizationURL, devopsPersonalAccessToken)
@@ -389,3 +512,13 @@ func getAgentPool(ctx context.Context, devopsTaskAgentClient taskagent.Client, d
 
 	return &(*matchingAgentPools)[0], nil
 }
+
+func removeQuotes(s string) (string) {
+	if len(s) > 0 && s[0] == '"' {
+		s = s[1:]
+	}
+	if len(s) > 0 && s[len(s)-1] == '"' {
+		s = s[:len(s)-1]
+	}
+	return s
+}

test/fixture/linux-agents-import-rg/main.tf

@@ -8,13 +8,15 @@ module "aci-devops-agent" {
   enable_vnet_integration = false
   create_resource_group   = false
   linux_agents_configuration = {
-    agent_name_prefix = "linuxagent-${var.random_suffix}"
-    count             = var.agents_count
-    docker_image      = var.agent_docker_image
-    docker_tag        = var.agent_docker_tag
-    agent_pool_name   = var.azure_devops_pool_name
-    cpu               = 1
-    memory            = 4
+    agent_name_prefix            = "linuxagent-${var.random_suffix}"
+    count                        = var.agents_count
+    docker_image                 = var.agent_docker_image
+    docker_tag                   = var.agent_docker_tag
+    agent_pool_name              = var.azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   resource_group_name                = azurerm_resource_group.rg.name
   location                           = azurerm_resource_group.rg.location

test/fixture/linux-agents-managed-identities/main.tf

@@ -0,0 +1,38 @@
+locals {
+  resource_group_name = "rg-terraform-azure-devops-agents-e2e-tests-${var.random_suffix}"
+}
+resource "azurerm_resource_group" "rg" {
+  name     = local.resource_group_name
+  location = var.location
+}
+resource "azurerm_user_assigned_identity" "example1" {
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  name                = "identity1"
+}
+resource "azurerm_user_assigned_identity" "example2" {
+  resource_group_name = azurerm_resource_group.rg.name
+  location            = azurerm_resource_group.rg.location
+  name                = "identity2"
+}
+module "aci-devops-agent" {
+  source                  = "../../../"
+  enable_vnet_integration = false
+  create_resource_group   = false
+  linux_agents_configuration = {
+    agent_name_prefix            = "linuxagent-${var.random_suffix}"
+    count                        = var.agents_count
+    docker_image                 = var.agent_docker_image
+    docker_tag                   = var.agent_docker_tag
+    agent_pool_name              = var.azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = [azurerm_user_assigned_identity.example1.id, azurerm_user_assigned_identity.example2.id]
+    use_system_assigned_identity = true
+  }
+  resource_group_name                = azurerm_resource_group.rg.name
+  location                           = var.location
+  azure_devops_org_name              = var.azure_devops_org_name
+  azure_devops_personal_access_token = var.azure_devops_personal_access_token
+  depends_on                         = [azurerm_resource_group.rg]
+}

test/fixture/linux-agents-managed-identities/output.tf

@@ -0,0 +1,8 @@
+output "resource_group_name" {
+  value       = azurerm_resource_group.rg.name
+  description = "resource group where linux container agent are deployed"
+}
+output "linux_container_group_name" {
+  value       = module.aci-devops-agent.linux_agents_names[0]
+  description = "name of the first Linux container group"
+}

test/fixture/linux-agents-managed-identities/provider.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 2.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}

test/fixture/linux-agents-managed-identities/variables.tf

@@ -0,0 +1,43 @@
+variable "azure_devops_org_name" {
+  type        = string
+  description = "The name of the Azure DevOps organization in which the containerized agents will be deployed (e.g. https://dev.azure.com/YOUR_ORGANIZATION_NAME, must exist)"
+}
+
+variable "azure_devops_pool_name" {
+  type        = string
+  description = "The name of the Azure DevOps agent pool in which the containerized agents will be deployed (must exist)"
+}
+
+variable "azure_devops_personal_access_token" {
+  type        = string
+  description = "The personal access token to use to connect to Azure DevOps (see https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops#permissions)"
+}
+
+variable "location" {
+  type        = string
+  description = "The Azure location to use"
+  default     = "westeurope"
+}
+
+variable "agent_docker_image" {
+  type        = string
+  description = "The Docker image to use for the Linux agent"
+  default     = "jcorioland/aci-devops-agent"
+}
+
+variable "agent_docker_tag" {
+  type        = string
+  description = "The Docker tag to use for the Linux agent"
+  default     = "0.2-linux"
+}
+
+variable "agents_count" {
+  type        = number
+  description = "The number of agents to create"
+  default     = 2
+}
+
+variable "random_suffix" {
+  type        = number
+  description = "A random suffix for resources generated during the test"
+}

test/fixture/linux-agents-private-registry/main.tf

@@ -3,13 +3,15 @@ module "aci-devops-agent" {
   enable_vnet_integration = false
   create_resource_group   = true
   linux_agents_configuration = {
-    agent_name_prefix = "linuxagent-${var.random_suffix}"
-    count             = var.agents_count
-    docker_image      = var.agent_docker_image
-    docker_tag        = var.agent_docker_tag
-    agent_pool_name   = var.azure_devops_pool_name
-    cpu               = 1
-    memory            = 4
+    agent_name_prefix            = "linuxagent-${var.random_suffix}"
+    count                        = var.agents_count
+    docker_image                 = var.agent_docker_image
+    docker_tag                   = var.agent_docker_tag
+    agent_pool_name              = var.azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   image_registry_credential = {
     username = var.docker_registry_username

test/fixture/linux-agents-vnet/main.tf

@@ -34,13 +34,15 @@ module "aci-devops-agent" {
   vnet_name                = azurerm_virtual_network.vnet.name
   subnet_name              = azurerm_subnet.aci-subnet.name
   linux_agents_configuration = {
-    agent_name_prefix = "linuxagent-${var.random_suffix}"
-    count             = var.agents_count
-    docker_image      = var.agent_docker_image
-    docker_tag        = var.agent_docker_tag
-    agent_pool_name   = var.azure_devops_pool_name
-    cpu               = 1
-    memory            = 4
+    agent_name_prefix            = "linuxagent-${var.random_suffix}"
+    count                        = var.agents_count
+    docker_image                 = var.agent_docker_image
+    docker_tag                   = var.agent_docker_tag
+    agent_pool_name              = var.azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   resource_group_name                = "rg-terraform-azure-devops-agents-e2e-tests-${var.random_suffix}"
   location                           = var.location

test/fixture/linux-agents/main.tf

@@ -3,13 +3,15 @@ module "aci-devops-agent" {
   enable_vnet_integration = false
   create_resource_group   = true
   linux_agents_configuration = {
-    agent_name_prefix = "linuxagent-${var.random_suffix}"
-    count             = var.agents_count
-    docker_image      = var.agent_docker_image
-    docker_tag        = var.agent_docker_tag
-    agent_pool_name   = var.azure_devops_pool_name
-    cpu               = 1
-    memory            = 4
+    agent_name_prefix            = "linuxagent-${var.random_suffix}"
+    count                        = var.agents_count
+    docker_image                 = var.agent_docker_image
+    docker_tag                   = var.agent_docker_tag
+    agent_pool_name              = var.azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   resource_group_name                = "rg-terraform-azure-devops-agents-e2e-tests-${var.random_suffix}"
   location                           = var.location

test/fixture/linux-and-windows-agents/main.tf

@@ -3,13 +3,15 @@ module "aci-devops-agent" {
   enable_vnet_integration = false
   create_resource_group   = true
   linux_agents_configuration = {
-    agent_name_prefix = "linux-agent-${var.random_suffix}"
-    count             = 2,
-    docker_image      = var.linux_agent_docker_image
-    docker_tag        = var.linux_agent_docker_tag
-    agent_pool_name   = var.linux_azure_devops_pool_name
-    cpu               = 1
-    memory            = 4
+    agent_name_prefix            = "linux-agent-${var.random_suffix}"
+    count                        = 2,
+    docker_image                 = var.linux_agent_docker_image
+    docker_tag                   = var.linux_agent_docker_tag
+    agent_pool_name              = var.linux_azure_devops_pool_name
+    cpu                          = 1
+    memory                       = 4
+    user_assigned_identity_ids   = []
+    use_system_assigned_identity = false
   }
   windows_agents_configuration = {
     agent_name_prefix = "windows-agent-${var.random_suffix}"

test/go.mod

@@ -1,9 +1,14 @@
 module test
 
-go 1.13
+go 1.14
 
 require (
 	github.com/docker/distribution v2.7.1+incompatible
 	github.com/gruntwork-io/terratest v0.27.2
 	github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b1
+	github.com/Azure/azure-sdk-for-go v55.1.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.11.19
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.7
+	github.com/Azure/go-autorest/autorest/to v0.4.0
+	github.com/Azure/go-autorest/autorest/validation v0.3.1
 )

variables.tf

@@ -50,23 +50,27 @@ variable "azure_devops_personal_access_token" {
 
 variable "linux_agents_configuration" {
   type = object({
-    count             = string,
-    docker_image      = string,
-    docker_tag        = string,
-    agent_name_prefix = string,
-    agent_pool_name   = string,
-    cpu               = string,
-    memory            = string
+    count                        = string,
+    docker_image                 = string,
+    docker_tag                   = string,
+    agent_name_prefix            = string,
+    agent_pool_name              = string,
+    cpu                          = string,
+    memory                       = string,
+    user_assigned_identity_ids   = list(string),
+    use_system_assigned_identity = bool
   })
   description = "(Optional) The configuration of the Linux agents to deploy"
   default = {
-    count             = 0,
-    docker_image      = "",
-    docker_tag        = "",
-    agent_name_prefix = "",
-    agent_pool_name   = "",
-    cpu               = "1",
-    memory            = "2"
+    count                        = 0,
+    docker_image                 = "",
+    docker_tag                   = "",
+    agent_name_prefix            = "",
+    agent_pool_name              = "",
+    cpu                          = "1",
+    memory                       = "2",
+    user_assigned_identity_ids   = [],
+    use_system_assigned_identity = false
   }
 }