Update VMs for Patch Tuesday May 2023 (#31358)

* Update PowerShell Core to not vulnerable versions.

* Fix Android create-image relative paths.

* Update pools and add docs.

* Get android create-vmss to setup managed identity.

scripts/azure-pipelines/android/create-image.ps1

@@ -1 +1 @@
-../linux/create-image.ps1 -Prefix "And-" -ProvisionScript (Get-ChildItem .\provision-image.sh).fullname
+& "$PSScriptRoot/../linux/create-image.ps1" -Prefix "And-" -ProvisionScript "$PSScriptRoot/provision-image.sh"

scripts/azure-pipelines/android/create-vmss.ps1

@@ -3,4 +3,4 @@ Param(
   [parameter(Mandatory=$true)]
   [string]$ImageName
 )
-../linux/create-vmss.ps1 -ImageName $ImageName -Prefix "PrAnd-"
+& "$PSScriptRoot/../linux/create-vmss.ps1" -ImageName $ImageName -Prefix "PrAnd-" -AddAndroidContainerRegistryPermissions

scripts/azure-pipelines/android/setup-managed-identity.ps1

@@ -1,17 +0,0 @@
-# Create a system managed identity
-# Adding to existing Scale set
-$scaleSetResourceGroup = "PrAnd-2023-04-17"
-$scaleSetName = "PrAnd-2023-04-17Vmss"
-
-$vm = Get-AzVMss -ResourceGroupName $scaleSetResourceGroup -Name $scaleSetName
-Update-AzVMss -ResourceGroupName $scaleSetResourceGroup -VMScaleSetName $scaleSetName -IdentityType SystemAssigned
-
-$spID = $vm.Identity.PrincipalId
-
-$acrGroup = "And-Registry"
-$acrName = "AndContainerRegistry"
-
-$resourceID = (Get-AzContainerRegistry -ResourceGroupName $acrGroup -Name $acrName).Id
-
-# needs admin privileges
-New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull

scripts/azure-pipelines/azure-pipelines.yml

@@ -2,10 +2,10 @@
 # SPDX-License-Identifier: MIT
 #
 variables:
-  windows-pool: 'PrWin-2023-04-12'
-  linux-pool: 'PrLin-2023-04-12'
+  android-pool: 'PrAnd-2023-05-09'
+  linux-pool: 'PrLin-2023-05-09'
+  windows-pool: 'PrWin-2023-05-09'
   osx-pool: 'PrOsx-2022-02-04'
-  android-pool: 'PrAnd-2023-04-17'
   linux-docker-image: 'andcontainerregistry.azurecr.io/vcpkg-android:2023-04-20'
 
 parameters:

scripts/azure-pipelines/linux/create-vmss.ps1

@@ -27,7 +27,8 @@ Param(
   [parameter(Mandatory=$true)]
   [string]$ImageName,
   [parameter(Mandatory=$false)]
-  [string]$Prefix = "PrLin-"
+  [string]$Prefix = "PrLin-",
+  [switch]$AddAndroidContainerRegistryPermissions
 )
 
 $Location = 'eastasia'
@@ -65,7 +66,8 @@ $Vmss = New-AzVmssConfig `
   -UpgradePolicyMode Manual `
   -EvictionPolicy Delete `
   -Priority Spot `
-  -MaxPrice -1
+  -MaxPrice -1 `
+  -IdentityType SystemAssigned
 
 $NicName = $ResourceGroupName + 'NIC'
 New-AzNetworkInterface `
@@ -103,11 +105,23 @@ $Vmss = Set-AzVmssBootDiagnostic `
   -VirtualMachineScaleSet $Vmss `
   -Enabled $true
 
-New-AzVmss `
+$VmssCreated = New-AzVmss `
   -ResourceGroupName $ResourceGroupName `
   -Name $VmssName `
   -VirtualMachineScaleSet $Vmss
 
+if ($AddAndroidContainerRegistryPermissions) {
+  $spID = $VmssCreated.Identity.PrincipalId
+
+  $acrGroup = "And-Registry"
+  $acrName = "AndContainerRegistry"
+  
+  $resourceID = (Get-AzContainerRegistry -ResourceGroupName $acrGroup -Name $acrName).Id
+
+  # needs admin privileges
+  New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull
+}
+
 Write-Host "Location: $Location"
 Write-Host "Resource group name: $ResourceGroupName"
 Write-Host 'Finished!'

scripts/azure-pipelines/patch-tuesday-checklist.md

@@ -0,0 +1,21 @@
+## First time machine setup:
+* [ ] Install Azure PowerShell: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps
+
+## Each Patch Tuesday:
+* [ ] Check for depends:vm-update PRs and make relevant changes if possible.
+* [ ] Check for Service 360 alerts about vulnerable software we are installing in the VMs and
+      update that. (Most often PowerShell needs to be updated to the current 7.2.x release)
+* [ ] Run android/create-image.ps1
+* [ ] Run linux/create-image.ps1
+* [ ] Run windows/create-image.ps1
+* [ ] Run android/create-vmss.ps1
+* [ ] Run linux/create-vmss.ps1
+* [ ] Run windows/create-vmss.ps1
+* [ ] Create new pools for all 3 of these in Azure DevOps: https://dev.azure.com/vcpkg/public/_settings/agentqueues
+    * Android: 4 agents
+    * Linux: 4 agents
+    * Windows: 22 agents
+* [ ] Update azure-pipelines.yml to point to the new pools.
+* [ ] Submit PR with those changes.
+* [ ] Submit a full CI rebuild with those changes: https://dev.azure.com/vcpkg/public/_build?definitionId=29  
+      refs/pull/NUMBER/head

scripts/azure-pipelines/windows/deploy-pwsh.ps1

@@ -5,5 +5,5 @@
 
 # REPLACE WITH UTILITY-PREFIX.ps1
 
-$PwshUrl = 'https://github.com/PowerShell/PowerShell/releases/download/v7.3.3/PowerShell-7.3.3-win-x64.msi'
+$PwshUrl = 'https://github.com/PowerShell/PowerShell/releases/download/v7.3.4/PowerShell-7.3.4-win-x64.msi'
 InstallMSI -Url $PwshUrl -Name 'PowerShell Core'

scripts/vcpkgTools.xml

@@ -194,11 +194,11 @@
         <archiveName>ninja-freebsd-1.8.2.zip</archiveName>
     </tool>
     <tool name="powershell-core" os="windows">
-        <version>7.2.8</version>
+        <version>7.2.11</version>
         <exeRelativePath>pwsh.exe</exeRelativePath>
-        <url>https://github.com/PowerShell/PowerShell/releases/download/v7.2.8/PowerShell-7.2.8-win-x86.zip</url>
-        <sha512>b91ad901837099b34f689ae654b238a1171141adce8be6fc52f48373a7e79117072e84ab38e427c1ac66647dd86a19f1c6c6cba2b8e365d656c65c8447069c72</sha512>
-        <archiveName>PowerShell-7.2.8-win-x86.zip</archiveName>
+        <url>https://github.com/PowerShell/PowerShell/releases/download/v7.2.11/PowerShell-7.2.11-win-x86.zip</url>
+        <sha512>e9581122101ad161ad628a6feb63e61d3ef8f064a3f325465e8a1a4a6cfc1affbc9bf63146efae0aa65ff9ea5c93018af2c413dc0940f0d162edef805659ec84</sha512>
+        <archiveName>PowerShell-7.2.11-win-x86.zip</archiveName>
     </tool>
     <tool name="node" os="windows">
         <version>16.15.1</version>