Last active
March 13, 2020 20:04
-
-
Save adbertram/0b7202cbf6e109fb50bdba5d48350012 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Var setup | |
| ## Be sure to fill in your values here | |
| $resourceGroupName = 'AcmeApp' | |
| $region = 'xxxxxxx' | |
| $localVMAdminPw = 'I like azure.' ## a single password for demo purposes | |
| $sqlAdminUsername = 'sqladmin' | |
| $sqlAdminPw = 'I like azure.' | |
| $projectName = 'AcmeApp' ## common term used through set up | |
| $subscriptionName = 'xxxxxx' | |
| $subscriptionId = 'xxxxxxx' | |
| $tenantId = 'xxxxxxxxxx' | |
| $orgName = 'adbertram' | |
| $repoName = $projectName | |
| $gitHubRepoUrl = "https://github.com/$orgName/$repoName" | |
| #endregion | |
| # #region Login | |
| # az login | |
| # az account set --subscription $subscriptionName | |
| # #endregion | |
| # #region Install the Azure CLI DevOps extension | |
| # $null = az devops configure --defaults organization=https://dev.azure.com/$orgName | |
| # #endregion | |
| #region Create the resource group to put everything in | |
| $null = az group create --location $region --name $resourceGroupName | |
| #endregion | |
| #region Create the service principal | |
| $spIdUri = "https://$projectName" | |
| $sp = az ad sp create-for-rbac --name $spIdUri | ConvertFrom-Json | |
| #endregion | |
| #region Key vault | |
| ## Create the key vault. Enabling for template deployment because we'll be using it during an ARM deployment | |
| ## via an Azure DevOps pipeline later | |
| $kvName = "$projectName-KV" | |
| $keyVault = az keyvault create --location $region --name $kvName --resource-group $resourceGroupName --enabled-for-template-deployment true | ConvertFrom-Json | |
| # ## Create the key vault secrets | |
| $null = az keyvault secret set --name "$projectName-AppPw" --value $sp.password --vault-name $kvName | |
| $null = az keyvault secret set --name StandardVmAdminUsername --value "$projectName" --vault-name $kvName | |
| $null = az keyvault secret set --name StandardVmAdminPassword --value $localVMAdminPw --vault-name $kvName | |
| $null = az keyvault secret set --name SqlAdminUsername --value $sqlAdminUsername --vault-name $kvName | |
| $null = az keyvault secret set --name SqlAdminPassword --value $sqlAdminPw --vault-name $kvName | |
| ## Give service principal created earlier access to secrets. This allows the steps in the pipeline to read the AD application's pw and the default VM password | |
| $null = az keyvault set-policy --name $kvName --spn $spIdUri --secret-permissions get list | |
| #endregion | |
| #region Instal the Pester test runner extension in the org | |
| $null = az devops extension install --extension-id PesterRunner --publisher-id Pester | |
| #endregion | |
| #region Create the Azure DevOps project | |
| $null = az devops project create --name $projectName | |
| $null = az devops configure --defaults project=$projectName | |
| #endregion | |
| #region Create the service connections | |
| ## Run $sp.password and copy it to the clipboard | |
| $sp.Password | |
| $armEndpoint = az devops service-endpoint azurerm create --azure-rm-service-principal-id $sp.appId --azure-rm-subscription-id $subscriptionId --azure-rm-subscription-name $subscriptionName --azure-rm-tenant-id $tenantId --name 'ARM' | ConvertFrom-Json | |
| ## Grant all pipelines use of this service connection "Grant access permission to all pipelines" in the GUI | |
| $null = az devops service-endpoint update --id $armEndpoint.id --enable-for-all | |
| ## Create service connection for GitHub for CI process in pipeline | |
| $gitHubServiceEndpoint = az devops service-endpoint github create --github-url $gitHubRepoUrl --name 'GitHub' | ConvertFrom-Json | |
| ## paste in the GitHub token when prompted (https://github.com/settings/tokens) | |
| ## when prompted, use the value of $sp.password for the Azure RM service principal key | |
| ## Grant all pipelines use of this service connection "Grant access permission to all pipelines" in the GUI | |
| $null = az devops service-endpoint update --id $gitHubServiceEndpoint.id --enable-for-all | |
| #endregion | |
| #region Create the variable group | |
| $varGroup = az pipelines variable-group create --name $projectName --authorize true --variables foo=bar | ConvertFrom-Json ## dummy variable because it won't allow creation without it | |
| Read-Host "Now link the key vault $kvName to the variable group $projectName in the DevOps web portal and create a '$projectName-AppPw' and StandardVmAdminPassword variables with a password of your choosing." | |
| #endregion | |
| ## Create the pipeline | |
| ## set the PAT to avoid getting prompted --doesn't work... | |
| # export AZURE_DEVOPS_EXT_GITHUB_PAT=$gitHubAccessToken ## in CMD?? | |
| ### [System.Environment]::SetEnvironmentVariable("AZURE_DEVOPS_EXT_GITHUB_PAT", $gitHubAccessToken ,"Machine") ??? | |
| az pipelines create --name $projectName --repository $gitHubRepoUrl --branch master --service-connection $gitHubServiceEndpoint.id --skip-run | |
| ## Add the GitHub PAT here interactively | |
| #region Cleanup | |
| ## Remove the SP | |
| $spId = ((az ad sp list --all | ConvertFrom-Json) | where { $spIdUri -in $_.serviceprincipalnames }).objectId | |
| $null = az ad sp delete --id $spId | |
| ## Remove the resource group | |
| $null = az group delete --name $resourceGroupName --yes --no-wait | |
| ## remove project | |
| $projectId = ((az devops project list | convertfrom-json).value | where { $_.name -eq $projectName }).id | |
| $null = az devops project delete --id $projectId --yes | |
| #endregion |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment