Migrate ESRP code signing to AME MSI

.pipelines/typescript-build-and-publish.yaml

@@ -15,22 +15,40 @@ pr: none
 variables:
   Codeql.Enabled: true
 
+  # ESRP Code Signing
+  # ESRP Registration: https://portal.esrp.microsoft.com/Onboarding/AccountDetails?clientId=142047f4-eda8-4853-8776-c2e81803ea13
+  # Service connection in devdiv Azure DevOps: Devtunnels-esrp-ame-msi (https://devdiv.visualstudio.com/OnlineServices/_settings/adminservices?resourceId=702454c9-77bd-4750-820e-5ce2e483f9f5)
+  # Managed identity that this service connection has federated access to: tunnels-ppe-esrp-id (client id 01ee3ff5-3b24-4b62-996e-6217f7cf3487) in AME tenant (33e01921-4d64-4f8c-a055-5bdaffd5e33d).
+  # Signing certificate: esrp-sign in tunnels-ppe-esrp-kv
+  # ESRP used to use a cert to authenticate as app in Microsoft tenant, but now it uses a managed identity in AME tenant.
+  # The migration was done following these TSGs:
+  # https://eng.ms/docs/microsoft-security/identity/trust-and-security-services/tss-high-security-environments/tss-esrp-fabric-and-platform-services/esrp-documentation/tsgs/sfi/tsg501-eliminate-access-to-codesigning-from-corp-tenants
+  # https://eng.ms/docs/microsoft-security/identity/trust-and-security-services/tss-high-security-environments/tss-esrp-fabric-and-platform-services/esrp-documentation/tsgs/sfi/tsg506-integrating-esrp-release-ado-extension
+
+  EsrpConnectedServiceName: 'Devtunnels-esrp-ame-msi' # Service connection with ESRP MSI based authentication
+  EsrpAppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' # Managed identity tenant id for ESRP
+  EsrpAppRegistrationClientId: '01ee3ff5-3b24-4b62-996e-6217f7cf3487' # Managed identity client id for ESRP
+  EsrpClientId: '142047f4-eda8-4853-8776-c2e81803ea13' # ESRP Client Id, the Old App Registration Id to which we mapped our Managed Identity Id to
+  EsrpAuthAKVName: 'tunnels-ppe-esrp-kv' # Key Vault name where the signing certificate is stored
+  EsrpAuthSignCertName: 'esrp-sign' # Code signing certificate name in the Key Vault
+
 steps:
 - template: typescript-build-steps.yaml
 
-- task: EsrpRelease@7
+- task: EsrpRelease@9
   inputs:
-    connectedservicename: 'Devtunnels-esrp-cert-based'
-    keyvaultname: 'tunnels-dev-kv'
-    authcertname: 'esrp-cert'
-    signcertname: 'esrp-sign'
-    clientid: '142047f4-eda8-4853-8776-c2e81803ea13'
-    intent: 'PackageDistribution'
-    contenttype: 'npm'
-    folderlocation: '$(System.DefaultWorkingDirectory)/ts/out/pkg'
-    waitforreleasecompletion: true
-    owners: 'jfullerton@microsoft.com'
-    approvers: 'jasongin@microsoft.com, debekoe@microsoft.com, ilbiryuk@microsoft.com'
-    serviceendpointurl: 'https://api.esrp.microsoft.com'
-    mainpublisher: 'ESRPRELPACMAN'
-    domaintenantid: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+    ConnectedServiceName: '$(EsrpConnectedServiceName)'
+    UseManagedIdentity: true
+    AppRegistrationTenantId: '$(EsrpAppRegistrationTenantId)'
+    AppRegistrationClientId: '$(EsrpAppRegistrationClientId)'
+    DomainTenantId: '$(EsrpAppRegistrationTenantId)'
+    KeyVaultName: '$(EsrpAuthAKVName)'
+    SignCertName: '$(EsrpAuthSignCertName)'
+    ClientId: '$(EsrpClientId)'
+    Intent: 'PackageDistribution'
+    ContentType: 'npm'
+    FolderLocation: '$(System.DefaultWorkingDirectory)/ts/out/pkg'
+    WaitForReleaseCompletion: true
+    Owners: 'plequere@microsoft.com'
+    Approvers: 'jasongin@microsoft.com, jroberts@microsoft.com, nkotchar@microsoft.com'
+    MainPublisher: 'ESRPRELPACMAN'