Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Whitelist build agent on demand when pushing to ACR with firewall enabled
trigger:
- master
resources:
- repo: self
variables:
azureSubscription: '<azure-subscription>'
dockerRegistryServiceConnection: '<service-connection>'
imageRepository: '<repository-name>'
containerRegistry: '<registry>.azurecr.io'
dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
tag: '$(Build.BuildId)'
vmImageName: 'ubuntu-latest'
stages:
- stage: Build
displayName: Build and push stage
jobs:
- job: Build
displayName: Build
pool:
vmImage: $(vmImageName)
steps:
- task: AzureCLI@2
name:
displayName: 'Add agent IP to firewall whitelist'
inputs:
azureSubscription: $(azureSubscription)
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
AGENT_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"
if [ -z "$(az acr network-rule list --name $(containerRegistry) | grep ${AGENT_IP})"]
then
echo "Adding agent IP '${AGENT_IP}' to Azure Container Registry '$(containerRegistry)' firewall whitelist"
az acr network-rule add --name $(containerRegistry) --ip-address $AGENT_IP
else
echo "Agent is already whitelisted; skipping."
fi
- task: Docker@2
displayName: Build and push an image to container registry
inputs:
command: buildAndPush
repository: $(imageRepository)
dockerfile: $(dockerfilePath)
containerRegistry: $(dockerRegistryServiceConnection)
tags: |
$(tag)
- task: AzureCLI@2
displayName: 'Remove agent IP from firewall whitelist'
condition: always()
inputs:
azureSubscription: $(azureSubscription)
scriptType: 'bash'
scriptLocation: 'inlineScript'
inlineScript: |
AGENT_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"
echo "Removing agent IP '${AGENT_IP}' from Azure Container Registry '$(containerRegistry)' firewall whitelist"
az acr network-rule remove --name $(containerRegistry) --ip-address $AGENT_IP --only-show-errors --output none
@eidermauricio

This comment has been minimized.

Copy link

@eidermauricio eidermauricio commented Mar 10, 2021

Hi @igoravl!
Thanks for sharing your pipeline! I've changed the implementation from Linux bash to PowerShell Core because It was not working on 'ubuntu-latest'. Finally, I got this:

- task: AzureCLI@2
  inputs:
    azureSubscription: ${{parameters.azureSubscription}}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $agentIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
      $isWhitelisted = (az acr network-rule list --name ${{parameters.containerRegistry}}) | Select-String -Pattern '$agentIP'

      if ($isWhitelisted) {
        write-output "Agent is already whitelisted"
      } else {
        write-output "Adding agent IP '$agentIP' to ACR '${{parameters.containerRegistry}})' firewall whitelist"
        az acr network-rule add --name ${{parameters.containerRegistry}} --ip-address $agentIP
      }
  displayName: 'Add agent IP to firewall whitelist'

To remove the agent from whitelist I used this:

- task: AzureCLI@2
  inputs:
    azureSubscription: ${{parameters.azureSubscription}}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $agentIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
      
      write-output "Removing agent IP '$agentIP' from ACR '${{parameters.containerRegistry}}' firewall whitelist"
      az acr network-rule remove --name ${{parameters.containerRegistry}} --ip-address $agentIP --only-show-errors --output none
  displayName: 'Remove agent IP from firewall whitelist'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment