Update cd pipeline to deploy to microsoft.com tenant

.github/workflows/cd.yml

@@ -1,18 +1,22 @@
-name: "Test samples in mCCF environment"
+name: "deploy-test-app-samples-to-mccf"
 
 on:
   push:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  id-token: write
+
 jobs:
   deploy:
     name: Managed CCF
     runs-on: ubuntu-20.04
     environment: dev
     env:
-      ccfName: mCCF${{ github.run_number }}
-      ResourceGroupLocation: "westeurope"
+      ccfName: ccf-app-samples-test-${{ github.run_number }}
+      rgName: ccf-app-samples-test-${{ github.run_number }}-rg
+      ResourceGroupLocation: "southcentralus"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
@@ -23,7 +27,9 @@ jobs:
       - name: Azure Login
         uses: Azure/login@v1.4.5
         with:
-          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}' # editorconfig-checker-disable-line
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Login to GH-CR to push the updated devcontainer image
         uses: docker/login-action@v1
@@ -37,24 +43,22 @@ jobs:
         with:
           inlineScript: |
             #!/bin/bash
-            az group create --name ${{ env.ccfName }} --location ${{ env.ResourceGroupLocation }}
+            az group create --name ${{ env.rgName }} --location ${{ env.ResourceGroupLocation }}
 
       - name: Deploy Managed CCF Network
         uses: azure/arm-deploy@v1
         with:
-          resourceGroupName: ${{ env.ccfName }}
+          resourceGroupName: ${{ env.rgName }}
           template: ./deploy/arm/mccf.json
-          parameters: ./deploy/arm/parameters.json mccfMemberBasedSecurityPrincipals="[{\"cert\":\"${{ secrets.PUBLIC_CERT }}\", \"encryptionKey\":\"\"}]" resourceName="${{ env.ccfName }}"
+          parameters: ./deploy/arm/parameters.json mccfMemberBasedSecurityPrincipals="[{\"cert\":\"${{ secrets.ARM_TEMPLATE_PUBLIC_CERT }}\", \"encryptionKey\":\"\"}]" resourceName="${{ env.ccfName }}"
 
       - name: Deploy Banking Sample to mCCF
         uses: devcontainers/ci@v0.2
         with:
           imageName: ghcr.io/microsoft/ccf-samples-devcontainer
           cacheFrom: ghcr.io/microsoft/ccf-samples-devcontainer
-          eventFilterForPush: push
-          refFilterForPush: refs/heads/main
           runCmd: |
-            cd banking-app && make test-mccf
+            cd banking-app && make test-mccf-cd
           env: |
             PUBLIC_CERT=${{ secrets.PUBLIC_CERT }}
             PRIVATE_CERT=${{ secrets.PRIVATE_CERT }}
@@ -65,7 +69,7 @@ jobs:
         with:
           imageName: ghcr.io/microsoft/ccf-samples-devcontainer
           runCmd: |
-            cd data-reconciliation-app && make test-mccf
+            cd data-reconciliation-app && make test-mccf-cd
           env: |
             PUBLIC_CERT=${{ secrets.PUBLIC_CERT }}
             PRIVATE_CERT=${{ secrets.PRIVATE_CERT }}
@@ -77,5 +81,5 @@ jobs:
         with:
           inlineScript: |
             #!/bin/bash
-            echo "Always delete resource group because of quota"
-            az group delete --name ${{ env.ccfName }} --yes --no-wait
+            echo "Always delete resource group because of quota limit"
+            az group delete --name ${{ env.rgName }} --yes --no-wait

banking-app/Makefile

@@ -44,6 +44,13 @@ test-mccf: build ## 🧪 Test the Banking Application in a Managed CCF environme
 	$(call check_defined, PRIVATE_CERT)
 	@. ../scripts/test_mccf.sh --address "${CCF_NAME}.confidential-ledger.azure.com" --signing-cert "${PUBLIC_CERT}" --signing-key "${PRIVATE_CERT}"
 
+test-mccf-cd: build ## 🧪 Test the Banking Application in a Managed CCF environment
+	@echo -e "\e[34m$@\e[0m" || true
+	$(call check_defined, CCF_NAME)
+	$(call check_defined, PUBLIC_CERT)
+	$(call check_defined, PRIVATE_CERT)
+	@. ../scripts/test_mccf-cd.sh --address "${CCF_NAME}.confidential-ledger.azure.com" --signing-cert "${PUBLIC_CERT}" --signing-key "${PRIVATE_CERT}"
+
 # Run sandbox. Consider 3 members as 3 banks.
 # This is used in the demo scripts
 start-host: build ## 🏁 Start the CCF Sandbox for the demo

data-reconciliation-app/Makefile

@@ -47,6 +47,15 @@ test-mccf: build ## 🧪 Test the Data Reconciliation Application in a Managed C
 	$(call check_defined, PRIVATE_CERT)
 	@. ../scripts/test_mccf.sh --address "${CCF_NAME}.confidential-ledger.azure.com" --signing-cert "${PUBLIC_CERT}" --signing-key "${PRIVATE_CERT}"
 
+## This command is called from the Github workflow.
+## PUBLIC_CERT and PRIVATE_CERT are base64 encoded.
+test-mccf-cd: build ## 🧪 Test the Data Reconciliation Application in a Managed CCF environment
+	@echo -e "\e[34m$@\e[0m" || true
+	$(call check_defined, CCF_NAME)
+	$(call check_defined, PUBLIC_CERT)
+	$(call check_defined, PRIVATE_CERT)
+	@. ../scripts/test_mccf-cd.sh --address "${CCF_NAME}.confidential-ledger.azure.com" --signing-cert "${PUBLIC_CERT}" --signing-key "${PRIVATE_CERT}"
+
 unit-test: ## 🧪 Unit Test the Application
 	@echo -e "\e[34m$@\e[0m" || true
 	@npm run unit-test

scripts/test_mccf-cd.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+set -euo pipefail
+
+declare signing_cert=""
+declare signing_key=""
+
+function usage {
+    echo ""
+    echo "Open a network in mCCF and then run the tests."
+    echo ""
+    echo "usage: ./test_mccf.sh --address <ADDRESS> --signing-cert <CERT> --signing-key <CERT> [--interactive]"
+    echo ""
+    echo "  --address       string      The address of the primary CCF node"
+    echo "  --signing-cert  string      The signing certificate (member0)"
+    echo "  --signing-key   string      The signing key (member0)"
+    echo "  --interactive   boolean     Optional. Run in Demo mode"
+    echo ""
+}
+
+function failed {
+    printf "💥 Script failed: %s\n\n" "$1"
+    exit 1
+}
+
+# parse parameters
+
+if [ $# -gt 7 ]; then
+    usage
+    exit 1
+fi
+
+while [ $# -gt 0 ]
+do
+    case "$1" in
+        --address) address="$2"; shift 2;;
+        --signing-cert) signing_cert="$2"; shift 2;;
+        --signing-key) signing_key="$2"; shift 2;;
+        --interactive) interactive=1; shift;;
+        --help) usage; exit 0;;
+        *) usage; exit 1;;
+    esac
+done
+
+# validate parameters
+if [ -z "${signing_cert}" ]; then
+    failed "You must supply --signing-cert"
+fi
+if [ -z "${signing_key}" ]; then
+    failed "You must supply --signing-key"
+fi
+if [ -z "$address" ]; then
+    failed "You must supply --address"
+fi
+
+# Base64 decode
+export PUBLIC_CERT=$(echo "${signing_cert}" | base64 --decode)
+export PRIVATE_CERT=$(echo "${signing_key}" | base64 --decode)
+../scripts/test_mccf.sh --address "${address}" --signing-cert "${PUBLIC_CERT}" --signing-key "${PRIVATE_CERT}"