This script will create an AAD app, service principal, and OIDC federated credentials for each environment type in a GitHub repository. It assigns each environment type's AAD app the Reader role to the DevCenter project and the Deployment Environments User role to the DevCenter project environment type. Finally it creates a repository envi…
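#!/usr/bin/env bash
# This script will create an AAD app, service principal, and OIDC federated credentials for each
# environment type in a GitHub repository. It assigns each environment type's AAD app the Reader
# role to the DevCenter project and the Deployment Environments User role to the DevCenter project
# environment type. Finally it creates a repository environment corresponding to each environment
# type and sets an environment variable AZURE_CLIENT_ID with the client id for AAD app.
#
# Prerequisites: az (logged in to the tenant below, with rights to create apps, service
# principals and role assignments), gh (logged in with admin rights on the repository), jq.
# The script uses [[ ]], here-strings and arrays, so it needs bash rather than /bin/sh.
set -euo pipefail

# ---- configuration: replace every placeholder before running -----------------------------------
repo_org=REPOSITORY_ORGANIZATION                          # e.g. "contoso"
repo_name=REPOSITORY_NAME                                 # e.g. "eShop"
tenant=AZURE_TENANT_ID                                    # e.g. "72f988bf-86f1-41af-91ab-2d7cd022db47"
dev_center=DEV_CENTER_NAME                                # e.g. "Contoso-DevCenter"
project_name=DEV_CENTER_PROJECT_NAME                      # e.g. "Contoso-Ecommerce"
project_resource_group=DEV_CENTER_PROJECT_RESOURCE_GROUP  # e.g. "Contoso-Ecommerce"
project_subscription=DEV_CENTER_PROJECT_SUBSCRIPTION      # e.g. "090cfcd9-42da-4b2b-a3d3-0fa4b90brff5"

# One AAD app, federated credential and repository environment is created per entry.
readonly environment_types=("Sandbox" "Dev" "Test" "Prod")

readonly repo="$repo_org/$repo_name"
readonly project_rid="/subscriptions/$project_subscription/resourceGroups/$project_resource_group/providers/Microsoft.DevCenter/projects/$project_name"

# Prints an error to stderr and exits non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Prints a progress line to stdout.
log() {
  printf '%s\n' "$*"
}

#######################################
# Refuses to run while any configuration value is still the literal placeholder from the
# template, so a copy of the script cannot create apps named after placeholders.
#######################################
check_placeholders() {
  local pair name placeholder
  for pair in \
    repo_org=REPOSITORY_ORGANIZATION \
    repo_name=REPOSITORY_NAME \
    tenant=AZURE_TENANT_ID \
    dev_center=DEV_CENTER_NAME \
    project_name=DEV_CENTER_PROJECT_NAME \
    project_resource_group=DEV_CENTER_PROJECT_RESOURCE_GROUP \
    project_subscription=DEV_CENTER_PROJECT_SUBSCRIPTION; do
    name=${pair%%=*}
    placeholder=${pair#*=}
    [[ "${!name}" != "$placeholder" ]] || die "set '$name' (it is still the placeholder '$placeholder')"
  done
}

#######################################
# Returns 0 when a `gh variable list` listing ($1) contains a variable named exactly $2.
# Only the NAME column is compared, so e.g. AZURE_CLIENT_ID_OLD does not count as a match.
#######################################
has_variable() {
  local listing=$1 name=$2
  awk -v wanted="$name" '$1 == wanted { found = 1 } END { exit !found }' <<< "$listing"
}

#######################################
# Aborts if AZURE_CLIENT_ID already exists at repository level or in any target environment.
# Runs before anything is created or written, so a failed check leaves nothing behind.
#######################################
check_existing_client_id() {
  local repo_variables env_variables environment_type
  log "Checking if repo already contains variable 'AZURE_CLIENT_ID'"
  repo_variables=$(gh variable list -R "$repo") \
    || die "could not list variables for '$repo' (does it exist and is gh authenticated?)"
  if has_variable "$repo_variables" AZURE_CLIENT_ID; then
    die "Repository should not have a variable 'AZURE_CLIENT_ID'"
  fi
  log ""
  for environment_type in "${environment_types[@]}"; do
    log "Checking if repo environment '$environment_type' already contains variable 'AZURE_CLIENT_ID'"
    # The environment may not exist yet (it is created later in setup_environment_type), in
    # which case the listing fails; treat that as "no variables".
    env_variables=$(gh variable list -R "$repo" --env "$environment_type" 2>/dev/null) || env_variables=""
    if has_variable "$env_variables" AZURE_CLIENT_ID; then
      die "Repo environment '$environment_type' already has a variable 'AZURE_CLIENT_ID'"
    fi
  done
  log ""
}

# Writes the repository-wide (non-secret) variables shared by every environment.
set_repo_variables() {
  log "Setting repo global variables"
  gh variable set -R "$repo" AZURE_TENANT_ID -b "$tenant"
  gh variable set -R "$repo" AZURE_SUBSCRIPTION_ID -b "$project_subscription"
  log ""
}

#######################################
# Creates the AAD app, service principal, federated credential, role assignments and
# repository environment for one environment type.
# Arguments: $1 - environment type name (also used as the GitHub environment name)
#######################################
setup_environment_type() {
  local environment_type=$1
  local app_name app app_object_id app_client_id sp sp_object_id credentials_name body

  # Create AAD app
  app_name="GitHub OIDC $dev_center $project_name $environment_type"
  log "Creating AAD app '$app_name'"
  app=$(az ad app create --display-name "$app_name")
  # jq -e turns a missing/null id into a failure, so set -e stops here instead of carrying
  # an empty id into the next commands.
  app_object_id=$(jq -er '.id' <<< "$app")
  app_client_id=$(jq -er '.appId' <<< "$app")
  log "Created AAD app object id '$app_object_id' and client id '$app_client_id'"
  log ""

  # Create AAD service principal
  log "Creating AAD service principal for AAD app '$app_name'"
  sp=$(az ad sp create --id "$app_object_id")
  sp_object_id=$(jq -er '.id' <<< "$sp")
  log "Created AAD service principal with object id '$sp_object_id'"
  log ""

  # Create OIDC federated credentials. The subject must equal the claim GitHub puts in the OIDC
  # token for jobs that run against this environment (repo:<org>/<repo>:environment:<name>).
  # The body is built with jq so a name containing quotes or backslashes cannot break the JSON.
  credentials_name="GH-OIDC-$repo_name-$environment_type"
  log "Creating OIDC federated credentials '$credentials_name' to connect to the repos '$environment_type' environment"
  body=$(jq -cn \
    --arg name "$credentials_name" \
    --arg subject "repo:$repo:environment:$environment_type" \
    --arg description "$app_name" \
    '{name: $name,
      issuer: "https://token.actions.githubusercontent.com",
      subject: $subject,
      description: $description,
      audiences: ["api://AzureADTokenExchange"]}')
  az rest --method POST \
    --uri "https://graph.microsoft.com/beta/applications/$app_object_id/federatedIdentityCredentials" \
    --body "$body"
  log ""

  # Assign AAD app roles. The object id is quoted: unquoted, an empty value would vanish and
  # the following option would be consumed as the assignee. --assignee-principal-type lets az
  # skip the directory lookup of the just-created principal.
  log "Assigning AAD app '$app_name' ($sp_object_id) the Reader role to DevCenter project '$project_name'"
  az role assignment create --scope "$project_rid" --role Reader \
    --assignee-object-id "$sp_object_id" --assignee-principal-type ServicePrincipal
  log ""
  log "Assigning AAD app '$app_name' ($sp_object_id) the Deployment Environments User role to DevCenter project '$project_name' environment type '$environment_type'"
  az role assignment create --scope "$project_rid/environmentTypes/$environment_type" \
    --role "Deployment Environments User" \
    --assignee-object-id "$sp_object_id" --assignee-principal-type ServicePrincipal
  log ""

  # Ensure repo environment exists
  log "Ensuring repo environment '$environment_type' exists"
  gh api -X PUT "/repos/$repo/environments/$environment_type" --silent
  log ""

  # Create repo environment variables
  log "Saving environment variables to repo for environment type '$environment_type'"
  gh variable set AZURE_CLIENT_ID -R "$repo" -b "$app_client_id" --env "$environment_type"
  log ""
  log "done."
  log "===================================="
  log ""
}

main() {
  local environment_type
  check_placeholders
  check_existing_client_id
  set_repo_variables
  for environment_type in "${environment_types[@]}"; do
    setup_environment_type "$environment_type"
  done
}

main "$@"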