Merge pull request #149 from buildkite-plugins/SUP-4987-add-azure-backend

petetomasik · web-flow · commit f53d11489fd5 · 2026-01-28T15:43:38.000-05:00
Support Azure Blob Storage as cache backend
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ The plugin supports various backends and compression algorithms, and some enviro
 - `zip/unzip` for zip compression
 - `aws` AWS CLI for reading and writing to an AWS S3 backend
 - `gsutil` or `gcloud storage` Google Cloud SDK CLI for reading and writing to a GCS backend
+- `az` Azure CLI for reading and writing to an Azure Blob Storage backend
 
 ## Mandatory parameters
 
@@ -64,6 +65,7 @@ Defines how the cache is stored and restored. Can be any string (see [Customizab
 * `fs` (default)
 * `s3`
 * `gcs`
+* `azure`
 
 #### `fs`
 
@@ -164,6 +166,128 @@ steps:
           compression: zstd
 ```
 
+#### `azure`
+
+Store cache in an Azure Blob Storage container. You need to make sure the `az` command is available and appropriately configured with the necessary credentials and access permissions.
+
+**Azure Authentication**: The backend supports multiple authentication methods. Azure CLI will automatically detect and use available credentials, or you can explicitly specify the authentication method.
+
+**Methods with explicit auth-mode support:**
+- **Microsoft Entra ID (formerly Azure AD)**: Use `az login` and optionally set `BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE=login` to enforce this method
+- **Storage Account Key**: Set `AZURE_STORAGE_KEY` environment variable and optionally set `BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE=key` to enforce this method
+
+**Methods using auto-detection only:**
+- **Connection String**: Set `AZURE_STORAGE_CONNECTION_STRING` environment variable (highest priority in auto-detection)
+- **SAS Token**: Set `AZURE_STORAGE_SAS_TOKEN` environment variable
+
+You also need the agent to have access to the following defined environment variables:
+* `BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER`: the container name to use (backend will fail if not defined)
+* `BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT`: the storage account name (backend will fail if not defined)
+* `BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX`: optional prefix to use for cache keys within the container
+* `BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE`: optional - set to `key` or `login` to enforce a specific authentication method (useful when multiple credentials are present)
+* `BUILDKITE_PLUGIN_AZURE_CACHE_QUIET`: optional - set to `true` to suppress progress bars and JSON metadata output from Azure CLI operations (error messages are still displayed). Defaults to `false`.
+
+#### Example with Storage Account Key
+
+```yaml
+env:
+  BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER: "my-cache-container" # Required: Azure container to store cache objects
+  BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT: "mystorageaccount" # Required: Azure storage account name
+  BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX: "buildkite/cache"
+  BUILDKITE_PLUGIN_AZURE_CACHE_QUIET: "true"
+  BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE: "key" # Use storage account key authentication
+
+steps:
+  - label: ':nodejs: Install dependencies'
+    command: npm ci
+    secrets:
+      - AZURE_STORAGE_KEY
+    plugins:
+      - cache#v1.9.0:
+          backend: azure
+          path: node_modules
+          manifest: package-lock.json
+          restore: file
+          save: file
+          compression: zstd
+```
+
+#### Example with Microsoft Entra ID
+
+**Note**: Microsoft Entra ID authentication requires authenticating with Azure before using the cache plugin. You can use `az login` in your agent setup, or use a plugin like [azure-login](https://github.com/buildkite-plugins/azure-login-buildkite-plugin) to authenticate with a managed identity. The authenticated identity must have the appropriate RBAC role (such as "Storage Blob Data Contributor") assigned to the storage account.
+
+```yaml
+env:
+  BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER: "my-cache-container" # Required: Azure container to store cache objects
+  BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT: "mystorageaccount" # Required: Azure storage account name
+  BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX: "buildkite/cache"
+  BUILDKITE_PLUGIN_AZURE_CACHE_QUIET: "true"
+  BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE: "login" # Use Microsoft Entra ID authentication
+
+steps:
+  - label: ':nodejs: Install dependencies'
+    command: npm ci
+    plugins:
+      - azure-login#v1.0.1:  # Authenticate with managed identity first
+          use-identity: true
+          client-id: your-managed-identity-client-id
+      - cache#v1.9.0:
+          backend: azure
+          path: node_modules
+          manifest: package-lock.json
+          restore: file
+          save: file
+          compression: zstd
+```
+
+#### Example with Connection String
+
+```yaml
+env:
+  BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER: "my-cache-container" # Required: Azure container to store cache objects
+  BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT: "mystorageaccount" # Required: Azure storage account name
+  BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX: "buildkite/cache"
+  BUILDKITE_PLUGIN_AZURE_CACHE_QUIET: "true"
+
+steps:
+  - label: ':nodejs: Install dependencies'
+    command: npm ci
+    secrets:
+      - AZURE_STORAGE_CONNECTION_STRING
+    plugins:
+      - cache#v1.9.0:
+          backend: azure
+          path: node_modules
+          manifest: package-lock.json
+          restore: file
+          save: file
+          compression: zstd
+```
+
+#### Example with SAS Token
+
+```yaml
+env:
+  BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER: "my-cache-container" # Required: Azure container to store cache objects
+  BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT: "mystorageaccount" # Required: Azure storage account name
+  BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX: "buildkite/cache"
+  BUILDKITE_PLUGIN_AZURE_CACHE_QUIET: "true"
+
+steps:
+  - label: ':nodejs: Install dependencies'
+    command: npm ci
+    secrets:
+      - AZURE_STORAGE_SAS_TOKEN
+    plugins:
+      - cache#v1.9.0:
+          backend: azure
+          path: node_modules
+          manifest: package-lock.json
+          restore: file
+          save: file
+          compression: zstd
+```
+
 ### `compression` (string)
 
 Allows for the cached file/folder to be saved/restored as a single file. You will need to make sure to use the same compression when saving and restoring or it will cause a cache miss.
diff --git a/backends/cache_azure b/backends/cache_azure
@@ -0,0 +1,208 @@
+#!/bin/bash
+
+# Validate required configuration
+if [ -z "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}" ]; then
+  echo '+++ 🚨 Missing Azure container configuration'
+  exit 1
+fi
+
+if [ -z "${BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT}" ]; then
+  echo '+++ 🚨 Missing Azure storage account configuration'
+  exit 1
+fi
+
+build_key() {
+  if [ -n "${BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX}" ]; then
+    echo "${BUILDKITE_PLUGIN_AZURE_CACHE_PREFIX}/${1}"
+  else
+    echo "$1"
+  fi
+}
+
+az_cmd() {
+  local subcommand="$1"
+  shift
+
+  local cmd_args=(az storage blob "${subcommand}")
+  cmd_args+=(--account-name "${BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT}")
+
+  if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+    # Only upload and download support --no-progress
+    if [ "${subcommand}" = "upload" ] || [ "${subcommand}" = "download" ]; then
+      cmd_args+=(--no-progress)
+    fi
+    cmd_args+=(--only-show-errors)
+  fi
+
+  if [ -n "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" ]; then
+    cmd_args+=(--auth-mode "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}")
+
+    # When using key auth mode, explicitly pass the account key
+    if [ "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" = "key" ] && [ -n "${AZURE_STORAGE_KEY}" ]; then
+      cmd_args+=(--account-key "${AZURE_STORAGE_KEY}")
+    fi
+  fi
+
+  # When quiet mode is enabled, suppress stdout (progress bars, JSON output)
+  # but preserve stderr (error messages)
+  if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+    "${cmd_args[@]}" "$@" >/dev/null
+  else
+    "${cmd_args[@]}" "$@"
+  fi
+}
+
+azure_exists() {
+  local key="$1"
+  local blob_name
+  blob_name="$(build_key "${key}")"
+
+  # Try to check if exact blob exists
+  if az_cmd show \
+    --container-name "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}" \
+    --name "${blob_name}" &>/dev/null; then
+    return 0
+  fi
+
+  # Check if it's a directory-like prefix (with trailing slash)
+  local list_args=(az storage blob list)
+  list_args+=(--container-name "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}")
+  list_args+=(--account-name "${BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT}")
+  list_args+=(--prefix "${blob_name}/")
+  list_args+=(--num-results 1)
+  list_args+=(--query '[0].name')
+  list_args+=(--output tsv)
+
+  # Note: list command does not support --no-progress
+  if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+    list_args+=(--only-show-errors)
+  fi
+
+  if [ -n "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" ]; then
+    list_args+=(--auth-mode "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}")
+
+    # When using key auth mode, explicitly pass the account key
+    if [ "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" = "key" ] && [ -n "${AZURE_STORAGE_KEY}" ]; then
+      list_args+=(--account-key "${AZURE_STORAGE_KEY}")
+    fi
+  fi
+
+  local result
+  result=$("${list_args[@]}" 2>/dev/null)
+
+  [ -n "${result}" ]
+}
+
+restore_cache() {
+  local from="$1"
+  local to="$2"
+  local blob_name
+  blob_name="$(build_key "${from}")"
+
+  # Check if it's a single blob or a directory
+  if az_cmd show \
+    --container-name "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}" \
+    --name "${blob_name}" &>/dev/null; then
+    # Single file - use download
+    az_cmd download \
+      --container-name "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}" \
+      --name "${blob_name}" \
+      --file "${to}"
+  else
+    # Directory - use download-batch
+    local batch_args=(az storage blob download-batch)
+    batch_args+=(--account-name "${BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT}")
+    batch_args+=(--source "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}")
+    batch_args+=(--destination "${to}")
+    batch_args+=(--pattern "${blob_name}/*")
+
+    if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+      batch_args+=(--no-progress)
+      batch_args+=(--only-show-errors)
+    fi
+
+    if [ -n "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" ]; then
+      batch_args+=(--auth-mode "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}")
+
+      # When using key auth mode, explicitly pass the account key
+      if [ "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" = "key" ] && [ -n "${AZURE_STORAGE_KEY}" ]; then
+        batch_args+=(--account-key "${AZURE_STORAGE_KEY}")
+      fi
+    fi
+
+    # When quiet mode is enabled, suppress stdout but preserve stderr
+    if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+      "${batch_args[@]}" >/dev/null
+    else
+      "${batch_args[@]}"
+    fi
+  fi
+}
+
+save_cache() {
+  local to="$1"
+  local from="$2"
+  local blob_name
+  blob_name="$(build_key "${to}")"
+
+  if [ ! -e "${from}" ]; then
+    echo "+++ 🚨 Cache source path does not exist: ${from}" >&2
+    return 1
+  fi
+
+  if [ -f "${from}" ]; then
+    # Single file - use upload
+    az_cmd upload \
+      --container-name "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}" \
+      --name "${blob_name}" \
+      --file "${from}" \
+      --overwrite
+  else
+    # Directory - use upload-batch
+    local batch_args=(az storage blob upload-batch)
+    batch_args+=(--account-name "${BUILDKITE_PLUGIN_AZURE_CACHE_ACCOUNT}")
+    batch_args+=(--destination "${BUILDKITE_PLUGIN_AZURE_CACHE_CONTAINER}")
+    batch_args+=(--source "${from}")
+    batch_args+=(--destination-path "${blob_name}")
+    batch_args+=(--overwrite)
+
+    if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+      batch_args+=(--no-progress)
+      batch_args+=(--only-show-errors)
+    fi
+
+    if [ -n "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" ]; then
+      batch_args+=(--auth-mode "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}")
+
+      # When using key auth mode, explicitly pass the account key
+      if [ "${BUILDKITE_PLUGIN_AZURE_CACHE_AUTH_MODE}" = "key" ] && [ -n "${AZURE_STORAGE_KEY}" ]; then
+        batch_args+=(--account-key "${AZURE_STORAGE_KEY}")
+      fi
+    fi
+
+    # When quiet mode is enabled, suppress stdout but preserve stderr
+    if [[ "${BUILDKITE_PLUGIN_AZURE_CACHE_QUIET:-false}" =~ ^(true|on|1)$ ]]; then
+      "${batch_args[@]}" >/dev/null
+    else
+      "${batch_args[@]}"
+    fi
+  fi
+}
+
+exists_cache() {
+  if [ -z "$1" ]; then exit 1; fi
+  azure_exists "$1"
+}
+
+OPCODE="$1"
+shift
+
+if [ "$OPCODE" = 'exists' ]; then
+  exists_cache "$@"
+elif [ "$OPCODE" = 'get' ]; then
+  restore_cache "$@"
+elif [ "$OPCODE" = 'save' ]; then
+  save_cache "$@"
+else
+  exit 255
+fi
diff --git a/tests/cache_azure.bats b/tests/cache_azure.bats
