Whitelist build agent on demand when pushing to ACR with firewall enabled

azure-pipelines.yml

trigger:
- master

resources:
- repo: self

variables:
  azureSubscription: '<azure-subscription>'
  dockerRegistryServiceConnection: '<service-connection>'
  imageRepository: '<repository-name>'
  containerRegistry: '<registry>.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
  tag: '$(Build.BuildId)'
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:  
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: AzureCLI@2
      name: 
      displayName: 'Add agent IP to firewall whitelist'
      inputs:
        azureSubscription: $(azureSubscription)
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          AGENT_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"
          
          if [ -z "$(az acr network-rule list --name $(containerRegistry) | grep ${AGENT_IP})"]
          then 
            echo "Adding agent IP '${AGENT_IP}' to Azure Container Registry '$(containerRegistry)' firewall whitelist"
            az acr network-rule add --name $(containerRegistry) --ip-address $AGENT_IP
          else
            echo "Agent is already whitelisted; skipping."
          fi
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)
    - task: AzureCLI@2
      displayName: 'Remove agent IP from firewall whitelist'
      condition: always()
      inputs:
        azureSubscription: $(azureSubscription)
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          AGENT_IP="$(dig +short myip.opendns.com @resolver1.opendns.com)"
          
          echo "Removing agent IP '${AGENT_IP}' from Azure Container Registry '$(containerRegistry)' firewall whitelist"
          az acr network-rule remove --name $(containerRegistry) --ip-address $AGENT_IP --only-show-errors --output none

Hi @igoravl!
Thanks for sharing your pipeline! I've changed the implementation from Linux bash to PowerShell Core because It was not working on 'ubuntu-latest'. Finally, I got this:

- task: AzureCLI@2
  inputs:
    azureSubscription: ${{parameters.azureSubscription}}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $agentIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
      $isWhitelisted = (az acr network-rule list --name ${{parameters.containerRegistry}}) | Select-String -Pattern '$agentIP'

      if ($isWhitelisted) {
        write-output "Agent is already whitelisted"
      } else {
        write-output "Adding agent IP '$agentIP' to ACR '${{parameters.containerRegistry}})' firewall whitelist"
        az acr network-rule add --name ${{parameters.containerRegistry}} --ip-address $agentIP
      }
  displayName: 'Add agent IP to firewall whitelist'

To remove the agent from whitelist I used this:

- task: AzureCLI@2
  inputs:
    azureSubscription: ${{parameters.azureSubscription}}
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $agentIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
      
      write-output "Removing agent IP '$agentIP' from ACR '${{parameters.containerRegistry}}' firewall whitelist"
      az acr network-rule remove --name ${{parameters.containerRegistry}} --ip-address $agentIP --only-show-errors --output none
  displayName: 'Remove agent IP from firewall whitelist'