AzureCLI V3 task with Azure DevOps Service Connection support

.github/CODEOWNERS

@@ -32,6 +32,8 @@ Tasks/AzureCLIV1/      @microsoft/release-management-task-team @manolerazvan
 
 Tasks/AzureCLIV2/     @microsoft/release-management-task-team @manolerazvan 
 
+Tasks/AzureCLIV3/     @microsoft/release-management-task-team @manolerazvan 
+
 Tasks/AzureCloudPowerShellDeploymentV1/  @microsoft/release-management-task-team  @manolerazvan 
 
 Tasks/AzureCloudPowerShellDeploymentV2/  @microsoft/release-management-task-team @manolerazvan 

Tasks/AzureCLIV3/.npmrc

@@ -0,0 +1,5 @@
+scripts-prepend-node-path=true
+
+registry=https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/
+
+always-auth=true

Tasks/AzureCLIV3/Readme.md

@@ -0,0 +1,66 @@
+# Azure CLI
+
+## Overview
+This task supports running [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/overview) commands on Cross platform agents running Windows, Linux or Mac.
+
+### What's new in Version 3.0
+- Azure DevOps service connections support with automatic CLI extension installation
+- Workload Identity Federation support for Azure DevOps connections
+- Automatic organization and project configuration from pipeline context
+
+### What's new in Version 2.0
+- Supports running PowerShell and PowerShell Core script.
+- PowerShell Core script works with Xplat agents  (Windows, Linux or OSX), make sure the agent has PowerShell version 6 or more.
+- Powershell script works only with Windows agent, make sure the agent has PowerShell version 5 or below.
+
+## Contact Information
+Please report a problem at [Developer Community Forum](https://developercommunity.visualstudio.com/spaces/21/index.html) if you are facing problems in making this task work.  You can also share feedback about the task like, what more functionality should be added to the task, what other tasks you would like to have, at the same place.
+
+## Pre-requisites for the task
+The following pre-requisites need to be setup in the target machine(s) for the task to work properly.
+
+#### **Azure Subscription**
+To deploy to Azure, an Azure subscription has to be linked to Team Foundation Server or to Azure Pipelines using the Services tab in the settings section. Add the Azure subscription to use in the Build or Release Management definition by opening the Account Administration screen (gear icon on the top-right of the screen) and then click on the Services Tab.
+- For Azure Classic resources use 'Azure' endpoint type with Certificate or Credentials based authentication. If you are using credentials based auth, ensure that the credentials are for a [**work account**](https://azure.microsoft.com/en-in/pricing/member-offers/msdn-benefits-details/work-accounts-faq/) because Microsoft accounts like [**[email protected]**](https://github.com/Microsoft/azure-pipelines-tasks/blob/master/Tasks/DeployAzureResourceGroup) or [**[email protected]**](https://github.com/Microsoft/azure-pipelines-tasks/blob/master/Tasks/DeployAzureResourceGroup) are not supported.
+- For [ARM](https://azure.microsoft.com/en-in/documentation/articles/resource-group-overview/), use 'Azure Resource Manager' endpoint type, for more details follow the steps listed in the link [here](https://go.microsoft.com/fwlink/?LinkID=623000&clcid=0x409).
+
+#### **Azure DevOps Service Connection**
+For Azure DevOps CLI operations, you can use Azure DevOps service connections with Workload Identity Federation authentication. This allows secure access to Azure DevOps resources. The task will automatically install and configure the Azure DevOps CLI extension when using this connection type.
+
+#### **Azure CLI**
+The task needs the Azure CLI version to be installed on the automation agent, and the details are available [here](https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-install/).
+If an agent is already running on the machine on which the Azure CLI is installed, ensure to restart the agent to ensure all the relevant environment variables are updated.
+
+## Parameters of the task
+The task is used to run Azure CLI commands on Cross platform agents running Windows, Linux or Mac . The mandatory fields are highlighted with a *.
+
+* **Azure Connection Type**\*: Specify Azure endpoint type, for Azure Classic resources use 'Azure' endpoint, for Azure ARM resources use 'Azure Resource Manager' endpoint. This parameter is shown only when the selected task version is 0.* as Azure CLI task v1.0 supports only Azure Resource Manager (ARM) subscriptions
+
+* **Azure Subscription**\*: Select the Azure Subscription where the Azure CLI commands have to be executed. If none exists, then click on the Manage link, to navigate to the Services tab in the Administrators panel. In the tab click on New Service Endpoint and select Azure Resource Manager from the dropdown.
+
+* **Connection Type**\*: Select the type of service connection to use. Choose 'Azure Resource Manager' for Azure Resource Manager service connections or 'Azure DevOps' for Azure DevOps service connections.
+
+* **Azure Resource Manager Connection**\*: Select the Azure Resource Manager service connection. This field is visible when Connection Type is set to 'Azure Resource Manager'.
+
+* **Azure DevOps Service Connection**\*: Select an Azure DevOps service connection. This field is visible when Connection Type is set to 'Azure DevOps'.
+
+* **Script Type**\*: Select the type of script to be executed on the agent. Task supports four types: Batch / Shell / PowerShell / PowerShell Core scripts, default selection being empty. Select Shell/PowerShell Core script when running on Linux agent or Batch/PowerShell/PowerShell Core script when running on Windows agent. PowerShell Core script can run on cross-platform agents (Linux, macOS, or Windows) 
+
+* **Script Location**\*: Select the mode of providing the script. Task supports two modes: one as a Script Path to a linked artifact and another as an inline script, default selection being the "Script Path"
+
+* **Script Path**\*: When using Windows based agent, specify the path to the .bat , .cmd , .ps1 script whereas when using Linux based agent, specify the path to the .sh , .ps1 script you want to run. The path must be a fully qualified path or a valid path relative to the default working directory. Note: You must also specify the respective script type in above field.
+
+* **Inline Script**\*: Specify the script inline here. When using Windows based agent use batch or PowerShell or PowerShell Core scripting whereas use shell or PowerShell Core scripting when using Linux based agents. Note: You must also specify the respective script type in above field.
+
+* **Script Arguments**: Specify arguments to pass to the script.
+
+* **Working folder**: Specify the working directory in which you want to run the script. If you leave it empty, the working directory is the folder where the script is located.
+
+* **Fail on standard error**: Select this check box if you want the build to fail if errors are written to the StandardError stream.
+
+* **Access service principal details in script**: Select this check box if you want to add service principal id , service principal key and tenantId of the Azure endpoint to the script's execution environment. You can use variables: `servicePrincipalId`, `servicePrincipalKey` and `tenantId` in your script. This is honored only when the Azure endpoint has Service Principal authentication scheme. \
+\
+Syntax to access environment variables based on script type.\
+*Powershell script:* `$env:servicePrincipalId`\
+*Batch script:* `%servicePrincipalId%` \
+*Shell script:* `$servicePrincipalId`

Tasks/AzureCLIV3/Strings/resources.resjson/en-US/resources.resjson

@@ -0,0 +1,66 @@
+{
+  "loc.friendlyName": "Azure CLI",
+  "loc.helpMarkDown": "[Learn more about this task](http://github.com/microsoft/azure-pipelines-tasks/blob/master/Tasks/AzureCLIV3/Readme.md) or [see the Azure CLI documentation](https://docs.microsoft.com/cli/azure/)",
+  "loc.description": "Run Azure CLI commands against an Azure subscription in a PowerShell Core/Shell script when running on Linux agent or PowerShell/PowerShell Core/Batch script when running on Windows agent.",
+  "loc.instanceNameFormat": "Azure CLI $(scriptPath)",
+  "loc.releaseNotes": "What's new in Version 3.0:\n- Support for dual connection types: Azure Resource Manager and Azure DevOps service connections. \n- Azure DevOps CLI integration with automatic extension installation and configuration. \n- Workload Identity Federation support for Azure DevOps connections.",
+  "loc.group.displayName.advanced": "Advanced",
+  "loc.input.label.connectionType": "Connection Type",
+  "loc.input.help.connectionType": "Type of service connection to use",
+  "loc.input.label.connectedServiceNameARM": "Azure Resource Manager connection",
+  "loc.input.help.connectedServiceNameARM": "Select an Azure Resource Manager service connection for the deployment",
+  "loc.input.label.azureDevOpsServiceConnection": "Azure DevOps Service Connection",
+  "loc.input.help.azureDevOpsServiceConnection": "Select an Azure DevOps service connection",
+  "loc.input.label.scriptType": "Script Type",
+  "loc.input.help.scriptType": "Type of script: PowerShell/PowerShell Core/Bat/Shell script. Select Shell/PowerShell Core script when running on Linux agent or Batch/PowerShell/PowerShell Core script when running on Windows agent. PowerShell Core script can run on cross-platform agents (Linux, macOS, or Windows).",
+  "loc.input.label.scriptLocation": "Script Location",
+  "loc.input.help.scriptLocation": "Path to script: File path or Inline script",
+  "loc.input.label.scriptPath": "Script Path",
+  "loc.input.help.scriptPath": "Fully qualified path of the script(.ps1 or .bat or .cmd when using Windows based agent else .ps1 or .sh when using linux based agent) or a path relative to the the default working directory",
+  "loc.input.label.inlineScript": "Inline Script",
+  "loc.input.help.inlineScript": "You can write your scripts inline here. When using Windows agent, use PowerShell or PowerShell Core or batch scripting whereas use PowerShell Core or shell scripting when using Linux based agents. For batch files use the prefix \"call\" before every azure command. You can also pass predefined and custom variables to this script using arguments \n\n example for PowerShell/PowerShellCore/shell: \naz --version \naz account show \n\n example for batch:\ncall  az --version \ncall az account show",
+  "loc.input.label.scriptArguments": "Script Arguments",
+  "loc.input.help.scriptArguments": "Arguments passed to the script",
+  "loc.input.label.powerShellErrorActionPreference": "ErrorActionPreference",
+  "loc.input.help.powerShellErrorActionPreference": "Prepends the line `$ErrorActionPreference = 'VALUE'` at the top of your powershell/powershell core script.",
+  "loc.input.label.addSpnToEnvironment": "Access service principal details in script",
+  "loc.input.help.addSpnToEnvironment": "Adds service principal id, service principal key and tenant id of the Azure endpoint you chose to the script's execution environment. You can use variables: `servicePrincipalId`, `servicePrincipalKey` and `tenantId` in your script.\n\nThis is honored only when the Azure endpoint has Service Principal authentication scheme.\n\nSyntax to access environment variables based on script type.\n\nPowershell script: $env:servicePrincipalId\n\nBatch script: %servicePrincipalId% \n\nShell script: $servicePrincipalId",
+  "loc.input.label.useGlobalConfig": "Use global Azure CLI configuration",
+  "loc.input.help.useGlobalConfig": "If this is false, this task will use its own separate [Azure CLI configuration directory](https://docs.microsoft.com/en-us/cli/azure/azure-cli-configuration?view=azure-cli-latest#cli-configuration-file). This can be used to run Azure CLI tasks in *parallel* releases",
+  "loc.input.label.cwd": "Working Directory",
+  "loc.input.help.cwd": "Current working directory where the script is run.  Empty is the root of the repo (build) or artifacts (release), which is $(System.DefaultWorkingDirectory)",
+  "loc.input.label.failOnStandardError": "Fail on Standard Error",
+  "loc.input.help.failOnStandardError": "If this is true, this task will fail when any errors are written to the StandardError stream. Unselect the checkbox to ignore standard errors and rely on exit codes to determine the status",
+  "loc.input.label.powerShellIgnoreLASTEXITCODE": "Ignore $LASTEXITCODE",
+  "loc.input.help.powerShellIgnoreLASTEXITCODE": "If this is false, the line `if ((Test-Path -LiteralPath variable:\\LASTEXITCODE)) { exit $LASTEXITCODE }` is appended to the end of your script. This will cause the last exit code from an external command to be propagated as the exit code of powershell. Otherwise the line is not appended to the end of your script.",
+  "loc.input.label.visibleAzLogin": "az login output visibility",
+  "loc.input.help.visibleAzLogin": "If this is set to true, az login command will output to the task. Setting it to false will suppress the az login output",
+  "loc.input.label.keepAzSessionActive": "[Experimental] Keep Azure CLI session active",
+  "loc.input.help.keepAzSessionActive": "When enabled, this task will continuously sign into Azure to avoid AADSTS700024 errors when requesting access tokens beyond the IdToken expiry date. Note that this feature is EXPERIMENTAL, may not work in all scenarios and you are using it without any guarantees. Valid only for service connections using the Workload Identity Federation authentication scheme.",
+  "loc.messages.ScriptReturnCode": "Script exited with return code: %d",
+  "loc.messages.ScriptFailed": "Script failed with error: %s",
+  "loc.messages.ScriptFailedStdErr": "Script has output to stderr. Failing as failOnStdErr is set to true.",
+  "loc.messages.ScriptFailedWithExitCode": "Script failed with exit code: %d",
+  "loc.messages.UnsupportedEndpointScheme": "Unsupported service connection authorization scheme: Service Principal for AzureRM",
+  "loc.messages.AzureSDKNotFound": "Azure CLI 2.x is not installed on this machine.",
+  "loc.messages.FailedToLogout": "The following error occurred while logging out: %s",
+  "loc.messages.LoginFailed": "Azure login failed",
+  "loc.messages.MSILoginFailed": "Azure login failed using Managed Service Identity",
+  "loc.messages.AuthSchemeNotSupported": "Auth Scheme %s is not supported",
+  "loc.messages.ErrorInSettingUpSubscription": "Error in setting up subscription",
+  "loc.messages.SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
+  "loc.messages.SettingAzureCloud": "Setting active cloud to: %s",
+  "loc.messages.JS_InvalidFilePath": "Script file could not be found at specified script location: '%s'. Please verify the script exists at the specified path. If you want to use inline script, specify input `Script Location` as `inlineScript`.",
+  "loc.messages.JS_InvalidErrorActionPreference": "Invalid ErrorActionPreference '%s'. The value must be one of: 'Stop', 'Continue', or 'SilentlyContinue'",
+  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+  "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections.",
+  "loc.messages.ProxyConfig": "az tool is configured to use %s as proxy server",
+  "loc.messages.FailedToRefreshAzSession": "The following error occurred while trying to refresh az-cli session: %s",
+  "loc.messages.RefreshingAzSession": "Attempting to refresh az-cli session...",
+  "loc.messages.KeepingAzSessionActiveUnsupportedScheme": "The 'keepAzSessionActive' input might be used only for workload identity federation ARM service connection. The referenced service endpoint auth scheme was unexpected: %s. Change the scheme or remove 'keepAzSessionActive' input.",
+  "loc.messages.FailedToInstallAzureDevOpsCLI": "Failed to install Azure DevOps CLI extension",
+  "loc.messages.FailedToLoginAzureDevOpsCLI": "Failed to login to Azure DevOps CLI",
+  "loc.messages.FailedToSetAzureDevOpsOrganization": "Failed to set Azure DevOps organization",
+  "loc.messages.FailedToSetAzureDevOpsProject": "Failed to set Azure DevOps project"
+}

Tasks/AzureCLIV3/Tests/.npmrc

@@ -0,0 +1,3 @@
+registry=https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/
+
+always-auth=true