AzureCLI improved message on expired secrets (#19670)

* Add new message for expired secret scenario

* Add new error message for expired secrets

* Bump tasks versions

* Add messages to task.loc.json

Tasks/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson

@@ -34,5 +34,6 @@
   "loc.messages.ErrorInSettingUpSubscription": "Error in setting up subscription",
   "loc.messages.SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
   "loc.messages.SettingAzureCloud": "Setting active cloud to: %s",
-  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
 }

Tasks/AzureCLIV1/azureclitask.ts

@@ -108,7 +108,19 @@ export class azureclitask {
 
             //set the task result to either succeeded or failed based on error was thrown or not
             if (toolExecutionError) {
-                tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailed", toolExecutionError));
+                let message = tl.loc("ScriptFailed", toolExecutionError);
+
+                const expiredSecretErrorCode = "AADSTS7000222";
+                let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
+                if (serviceEndpointSecretIsExpired) {
+                    const organizationURL = tl.getVariable('System.CollectionUri');
+                    const projectName = tl.getVariable('System.TeamProject');
+                    const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
+
+                    message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
+                }
+
+                tl.setResult(tl.TaskResult.Failed, message);
             }
             else {
                 tl.setResult(tl.TaskResult.Succeeded, tl.loc("ScriptReturnCode", 0));

Tasks/AzureCLIV1/task.json

@@ -20,7 +20,7 @@
     "version": {
         "Major": 1,
         "Minor": 237,
-        "Patch": 0
+        "Patch": 2
     },
     "minimumAgentVersion": "2.0.0",
     "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -157,6 +157,7 @@
         "ErrorInSettingUpSubscription": "Error in setting up subscription",
         "SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
         "SettingAzureCloud": "Setting active cloud to: %s",
-        "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+        "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+        "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
     }
 }

Tasks/AzureCLIV1/task.loc.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 1,
     "Minor": 237,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -157,6 +157,7 @@
     "ErrorInSettingUpSubscription": "ms-resource:loc.messages.ErrorInSettingUpSubscription",
     "SettingAzureConfigDir": "ms-resource:loc.messages.SettingAzureConfigDir",
     "SettingAzureCloud": "ms-resource:loc.messages.SettingAzureCloud",
-    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning"
+    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
+    "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   }
 }

Tasks/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson

@@ -45,5 +45,6 @@
   "loc.messages.JS_InvalidFilePath": "Script file could not be found at specified script location: '%s'. Please verify the script exists at the specified path. If you want to use inline script, specify input `Script Location` as `inlineScript`.",
   "loc.messages.JS_InvalidErrorActionPreference": "Invalid ErrorActionPreference '%s'. The value must be one of: 'Stop', 'Continue', or 'SilentlyContinue'",
   "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
-  "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'"
+  "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
 }

Tasks/AzureCLIV2/azureclitask.ts

@@ -95,7 +95,19 @@ export class azureclitask {
             if(toolExecutionError === FAIL_ON_STDERR) {
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedStdErr"));
             } else if (toolExecutionError) {
-                tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailed", toolExecutionError));
+                let message = tl.loc("ScriptFailed", toolExecutionError);
+
+                const expiredSecretErrorCode = "AADSTS7000222";
+                let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
+                if (serviceEndpointSecretIsExpired) {
+                    const organizationURL = tl.getVariable('System.CollectionUri');
+                    const projectName = tl.getVariable('System.TeamProject');
+                    const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
+
+                    message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
+                }
+
+                tl.setResult(tl.TaskResult.Failed, message);
             } else if (exitCode != 0){
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedWithExitCode", exitCode));
             }

Tasks/AzureCLIV2/task.json

@@ -20,7 +20,7 @@
     "version": {
         "Major": 2,
         "Minor": 237,
-        "Patch": 0
+        "Patch": 2
     },
     "minimumAgentVersion": "2.0.0",
     "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -200,6 +200,7 @@
         "JS_InvalidFilePath": "Script file could not be found at specified script location: '%s'. Please verify the script exists at the specified path. If you want to use inline script, specify input `Script Location` as `inlineScript`.",
         "JS_InvalidErrorActionPreference": "Invalid ErrorActionPreference '%s'. The value must be one of: 'Stop', 'Continue', or 'SilentlyContinue'",
         "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
-        "UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'"
+        "UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
+        "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
     }
 }

Tasks/AzureCLIV2/task.loc.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 2,
     "Minor": 237,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -200,6 +200,7 @@
     "JS_InvalidFilePath": "ms-resource:loc.messages.JS_InvalidFilePath",
     "JS_InvalidErrorActionPreference": "ms-resource:loc.messages.JS_InvalidErrorActionPreference",
     "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
-    "UnacceptedScriptLocationValue": "ms-resource:loc.messages.UnacceptedScriptLocationValue"
+    "UnacceptedScriptLocationValue": "ms-resource:loc.messages.UnacceptedScriptLocationValue",
+    "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   }
 }

_generated/AzureCLIV1.versionmap.txt

@@ -1,2 +1,2 @@
-Default|1.237.0
-Node20_229_2|1.237.1
+Default|1.237.2
+Node20_229_2|1.237.3

_generated/AzureCLIV1/Strings/resources.resjson/en-US/resources.resjson

@@ -34,5 +34,6 @@
   "loc.messages.ErrorInSettingUpSubscription": "Error in setting up subscription",
   "loc.messages.SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
   "loc.messages.SettingAzureCloud": "Setting active cloud to: %s",
-  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
 }

_generated/AzureCLIV1/azureclitask.ts

@@ -108,7 +108,19 @@ export class azureclitask {
 
             //set the task result to either succeeded or failed based on error was thrown or not
             if (toolExecutionError) {
-                tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailed", toolExecutionError));
+                let message = tl.loc("ScriptFailed", toolExecutionError);
+
+                const expiredSecretErrorCode = "AADSTS7000222";
+                let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
+                if (serviceEndpointSecretIsExpired) {
+                    const organizationURL = tl.getVariable('System.CollectionUri');
+                    const projectName = tl.getVariable('System.TeamProject');
+                    const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
+
+                    message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
+                }
+
+                tl.setResult(tl.TaskResult.Failed, message);
             }
             else {
                 tl.setResult(tl.TaskResult.Succeeded, tl.loc("ScriptReturnCode", 0));

_generated/AzureCLIV1/task.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 1,
     "Minor": 237,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -157,10 +157,11 @@
     "ErrorInSettingUpSubscription": "Error in setting up subscription",
     "SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
     "SettingAzureCloud": "Setting active cloud to: %s",
-    "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+    "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+    "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at\u00A0%s See\u00A0https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
   },
   "_buildConfigMapping": {
-    "Default": "1.237.0",
-    "Node20_229_2": "1.237.1"
+    "Default": "1.237.2",
+    "Node20_229_2": "1.237.3"
   }
 }

_generated/AzureCLIV1/task.loc.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 1,
     "Minor": 237,
-    "Patch": 0
+    "Patch": 2
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -157,10 +157,11 @@
     "ErrorInSettingUpSubscription": "ms-resource:loc.messages.ErrorInSettingUpSubscription",
     "SettingAzureConfigDir": "ms-resource:loc.messages.SettingAzureConfigDir",
     "SettingAzureCloud": "ms-resource:loc.messages.SettingAzureCloud",
-    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning"
+    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
+    "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   },
   "_buildConfigMapping": {
-    "Default": "1.237.0",
-    "Node20_229_2": "1.237.1"
+    "Default": "1.237.2",
+    "Node20_229_2": "1.237.3"
   }
 }

_generated/AzureCLIV1_Node20/Strings/resources.resjson/en-US/resources.resjson

@@ -34,5 +34,6 @@
   "loc.messages.ErrorInSettingUpSubscription": "Error in setting up subscription",
   "loc.messages.SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
   "loc.messages.SettingAzureCloud": "Setting active cloud to: %s",
-  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+  "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
 }

_generated/AzureCLIV1_Node20/azureclitask.ts

@@ -108,7 +108,19 @@ export class azureclitask {
 
             //set the task result to either succeeded or failed based on error was thrown or not
             if (toolExecutionError) {
-                tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailed", toolExecutionError));
+                let message = tl.loc("ScriptFailed", toolExecutionError);
+
+                const expiredSecretErrorCode = "AADSTS7000222";
+                let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
+                if (serviceEndpointSecretIsExpired) {
+                    const organizationURL = tl.getVariable('System.CollectionUri');
+                    const projectName = tl.getVariable('System.TeamProject');
+                    const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
+
+                    message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
+                }
+
+                tl.setResult(tl.TaskResult.Failed, message);
             }
             else {
                 tl.setResult(tl.TaskResult.Succeeded, tl.loc("ScriptReturnCode", 0));

_generated/AzureCLIV1_Node20/task.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 1,
     "Minor": 237,
-    "Patch": 1
+    "Patch": 3
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "Azure CLI $(scriptPath)",
@@ -161,10 +161,11 @@
     "ErrorInSettingUpSubscription": "Error in setting up subscription",
     "SettingAzureConfigDir": "Setting AZURE_CONFIG_DIR env variable to: %s",
     "SettingAzureCloud": "Setting active cloud to: %s",
-    "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used"
+    "GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
+    "ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at\u00A0%s See\u00A0https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
   },
   "_buildConfigMapping": {
-    "Default": "1.237.0",
-    "Node20_229_2": "1.237.1"
+    "Default": "1.237.2",
+    "Node20_229_2": "1.237.3"
   }
 }

_generated/AzureCLIV1_Node20/task.loc.json

@@ -20,7 +20,7 @@
   "version": {
     "Major": 1,
     "Minor": 237,
-    "Patch": 1
+    "Patch": 3
   },
   "minimumAgentVersion": "2.0.0",
   "instanceNameFormat": "ms-resource:loc.instanceNameFormat",
@@ -161,10 +161,11 @@
     "ErrorInSettingUpSubscription": "ms-resource:loc.messages.ErrorInSettingUpSubscription",
     "SettingAzureConfigDir": "ms-resource:loc.messages.SettingAzureConfigDir",
     "SettingAzureCloud": "ms-resource:loc.messages.SettingAzureCloud",
-    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning"
+    "GlobalCliConfigAgentVersionWarning": "ms-resource:loc.messages.GlobalCliConfigAgentVersionWarning",
+    "ExpiredServicePrincipalMessageWithLink": "ms-resource:loc.messages.ExpiredServicePrincipalMessageWithLink"
   },
   "_buildConfigMapping": {
-    "Default": "1.237.0",
-    "Node20_229_2": "1.237.1"
+    "Default": "1.237.2",
+    "Node20_229_2": "1.237.3"
   }
 }

_generated/AzureCLIV2.versionmap.txt

@@ -1,2 +1,2 @@
-Default|2.237.0
-Node20_229_2|2.237.1
+Default|2.237.2
+Node20_229_2|2.237.3

_generated/AzureCLIV2/Strings/resources.resjson/en-US/resources.resjson

@@ -45,5 +45,6 @@
   "loc.messages.JS_InvalidFilePath": "Script file could not be found at specified script location: '%s'. Please verify the script exists at the specified path. If you want to use inline script, specify input `Script Location` as `inlineScript`.",
   "loc.messages.JS_InvalidErrorActionPreference": "Invalid ErrorActionPreference '%s'. The value must be one of: 'Stop', 'Continue', or 'SilentlyContinue'",
   "loc.messages.GlobalCliConfigAgentVersionWarning": "For agent version < 2.115.0, only global Azure CLI configuration can be used",
-  "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'"
+  "loc.messages.UnacceptedScriptLocationValue": "%s is not a valid value for task input 'Script Location' (scriptLocation in YAML). Value can either be'inlineScript' or 'scriptPath'",
+  "loc.messages.ExpiredServicePrincipalMessageWithLink": "Secret expired, update service connection at %s See https://aka.ms/azdo-rm-workload-identity-conversion to learn more about conversion to secret-less service connections."
 }

_generated/AzureCLIV2/azureclitask.ts

@@ -95,7 +95,19 @@ export class azureclitask {
             if(toolExecutionError === FAIL_ON_STDERR) {
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedStdErr"));
             } else if (toolExecutionError) {
-                tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailed", toolExecutionError));
+                let message = tl.loc("ScriptFailed", toolExecutionError);
+
+                const expiredSecretErrorCode = "AADSTS7000222";
+                let serviceEndpointSecretIsExpired = toolExecutionError.indexOf(expiredSecretErrorCode) >= 0;
+                if (serviceEndpointSecretIsExpired) {
+                    const organizationURL = tl.getVariable('System.CollectionUri');
+                    const projectName = tl.getVariable('System.TeamProject');
+                    const serviceConnectionLink = encodeURI(`${organizationURL}${projectName}/_settings/adminservices?resourceId=${connectedService}`);
+
+                    message = tl.loc('ExpiredServicePrincipalMessageWithLink', serviceConnectionLink);
+                }
+
+                tl.setResult(tl.TaskResult.Failed, message);
             } else if (exitCode != 0){
                 tl.setResult(tl.TaskResult.Failed, tl.loc("ScriptFailedWithExitCode", exitCode));
             }