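<#
.SYNOPSIS
Creates an Azure DevOps service connection for the Tenant Root management group,
backed by an existing App Registration.

.DESCRIPTION
Please ensure you are already logged in to Azure using az login, with an identity that is
allowed to create role assignments at the requested scope.

Steps performed:
  1. Grants the App Registration the 'Owner' role at scope "/" (tenant root).
  2. Ensures the Azure DevOps project exists (creates it when missing).
  3. Renders management-group.json (next to this script) into a temporary file and creates
     the service endpoint from it, unless an endpoint named '<AppRegistrationName>-Mg' exists.
  4. Enables the service endpoint for all pipelines of the project.

The temporary configuration file contains the App Registration secret in clear text; it is
removed in a finally block so it does not survive a failed create call.
Requires PowerShell 7 (ConvertFrom-SecureString -AsPlainText) and the Azure CLI.
#>
param(
    # Azure DevOps Personal Access Token (PAT) for the 'https://dev.azure.com/[ORG]' Azure DevOps tenancy
    [Parameter(Mandatory)]
    [string]
    $PersonalAccessToken,
    # The Azure DevOps organisation to create the service connection in, available from System.TeamFoundationCollectionUri if running from pipeline.
    [string]
    $TeamFoundationCollectionUri = $($Env:System_TeamFoundationCollectionUri -replace '%20', ' '),
    # The name of the project to which this build or release belongs, available from $(System.TeamProject) if running from pipeline
    [string]
    $TeamProject = $Env:System_TeamProject,
    # Display name of the App Registration that backs the service connection; it must already exist.
    [string]
    $AppRegistrationName,
    # Client secret of the App Registration; only materialised in clear text inside the temp config file.
    [securestring]
    $AppPassword
)
$ErrorActionPreference = 'Stop'
$InformationPreference = 'Continue'

# Throws when the previous native command (az) exited non-zero.
# Native commands do not honour $ErrorActionPreference, so each az call whose failure
# matters is followed by this check instead of silently continuing with empty data.
function Assert-AzSucceeded {
    param([string]$Step)
    if ($LASTEXITCODE -ne 0) {
        throw "az failed during '$Step' (exit code $LASTEXITCODE)."
    }
}

# Escapes a value for use inside a single-quoted JMESPath raw string literal, so a name
# containing an apostrophe cannot break or widen the --query filter it is embedded in.
function ConvertTo-JmesPathLiteral {
    param([string]$Value)
    return $Value -replace "'", "\'"
}

# Runs "az <Arguments>" and returns its JSON stdout as objects ($null when there is no output).
# PowerShell captures native stdout as one string per line, so the lines are joined before
# ConvertFrom-Json; never apply Select-Object -First 1 to the raw text (that keeps only "[").
function Invoke-AzJson {
    param([string]$Step, [string[]]$Arguments)
    $raw = & az @Arguments
    Assert-AzSucceeded -Step $Step
    if (-not $raw) {
        return $null
    }
    return ($raw -join "`n") | ConvertFrom-Json
}

# Clearing default resource group so later az calls are not scoped to a stale default.
az configure --defaults group=
Assert-AzSucceeded -Step 'az configure'

$account = Invoke-AzJson -Step 'az account show' -Arguments @('account', 'show')
if (-not $account) {
    throw 'No Azure account context found; run az login first.'
}

# The azure-devops extension reads the PAT from this environment variable (never pass it on argv).
$Env:AZURE_DEVOPS_EXT_PAT = $PersonalAccessToken
Write-Information -MessageData "Adding Azure DevOps Extension..."
az extension add --name azure-devops
Assert-AzSucceeded -Step 'az extension add'

Write-Information -MessageData "Configure defaults Organization:$TeamFoundationCollectionUri..."
az devops configure --defaults organization="$TeamFoundationCollectionUri"
Assert-AzSucceeded -Step 'az devops configure'

Write-Information -MessageData "Getting App Registration: $AppRegistrationName..."
$appFilter = "[?displayName == '$(ConvertTo-JmesPathLiteral $AppRegistrationName)']"
# Display names are not unique: take the first match, and fail loudly when there is none
# rather than passing an empty --assignee to the role assignment below.
$AppReg = @(Invoke-AzJson -Step 'az ad app list' -Arguments @('ad', 'app', 'list', '--all', '--query', $appFilter)) | Select-Object -First 1
if (-not $AppReg) {
    throw "App Registration '$AppRegistrationName' was not found."
}
$appId = [string]$AppReg.appId
$serviceConnectionName = "$($AppReg.displayName)-Mg"

Write-Information -MessageData "Give App Registration access to Management Group Root..."
# NOTE(review): scope "/" is the tenant root scope, which is broader than the Tenant Root
# management group and requires the caller to hold elevated (User Access Administrator) access.
# Kept as-is to preserve behaviour; "/providers/Microsoft.Management/managementGroups/<homeTenantId>"
# would match the scope the service connection is created with below.
az role assignment create --role "Owner" --assignee $appId --scope "/"
Assert-AzSucceeded -Step 'az role assignment create'

Write-Information -MessageData "Checking if $TeamProject project exists..."
$projectFilter = "value[?name == '$(ConvertTo-JmesPathLiteral $TeamProject)']"
$ProjectDetails = @(Invoke-AzJson -Step 'az devops project list' -Arguments @('devops', 'project', 'list', '--query', $projectFilter)) | Select-Object -First 1
if (-not $ProjectDetails) {
    Write-Information -MessageData "Creating $TeamProject project..."
    # The create output is JSON as well; it must be converted so .id/.name resolve when rendering the template.
    $ProjectDetails = Invoke-AzJson -Step 'az devops project create' -Arguments @('devops', 'project', 'create', '--name', $TeamProject)
    if (-not $ProjectDetails) {
        throw "Creating project '$TeamProject' returned no details."
    }
}

Write-Information -MessageData "Checking if service endpoint already exists..."
$endpointFilter = "[?name == '$(ConvertTo-JmesPathLiteral $serviceConnectionName)']"
$ServiceEndpoint = @(Invoke-AzJson -Step 'az devops service-endpoint list' -Arguments @('devops', 'service-endpoint', 'list', '--project', $TeamProject, '--query', $endpointFilter)) | Select-Object -First 1
if (-not $ServiceEndpoint) {
    Write-Information -MessageData "Getting Json file for Management Group..."
    $templatePath = Join-Path -Path $PSScriptRoot -ChildPath 'management-group.json'
    $configFilePath = Join-Path -Path $PSScriptRoot -ChildPath 'temp-managementGroup.json'
    $managementGroupJson = Get-Content -Raw -Path $templatePath
    # String.Replace is a literal substitution. The regex -replace operator interprets '$'
    # sequences in its replacement argument, which could corrupt a secret containing them.
    # [string] casts turn a missing property into '' instead of a null-argument exception.
    # The values are not JSON-escaped; this assumes the template places each placeholder inside
    # a JSON string and that the values contain no '"' or '\' — confirm for the secret.
    $managementGroupJson = $managementGroupJson.
        Replace('##TenantId##', [string]$account.homeTenantId).
        Replace('##ManagementGroupId##', [string]$account.homeTenantId).
        Replace('##ManagementGroupName##', 'Tenant Root Group').
        Replace('##ServicePrincipalId##', $appId).
        Replace('##ServicePrincipalKey##', [string](ConvertFrom-SecureString -SecureString $AppPassword -AsPlainText)).
        Replace('##Name##', $serviceConnectionName).
        Replace('##ProjectId##', [string]$ProjectDetails.id).
        Replace('##ProjectName##', [string]$ProjectDetails.name)
    try {
        Write-Information -MessageData "Saving management json file..."
        Set-Content -Value $managementGroupJson -Path $configFilePath
        Write-Information -MessageData "Creating Service Connection name:$serviceConnectionName for project $TeamProject..."
        $ServiceEndpoint = Invoke-AzJson -Step 'az devops service-endpoint create' -Arguments @('devops', 'service-endpoint', 'create', '--project', $TeamProject, '--service-endpoint-configuration', $configFilePath)
    }
    finally {
        # The temp file holds the client secret in clear text; remove it on every exit path,
        # including a failed create (the original only deleted it on success).
        Write-Information -MessageData "Clean up temp files"
        if (Test-Path -LiteralPath $configFilePath) {
            Remove-Item -LiteralPath $configFilePath -Force
        }
    }
    if (-not $ServiceEndpoint) {
        throw "Service connection '$serviceConnectionName' was not created."
    }
}

Write-Information -MessageData "Updating Service Connection to be enabled for all pipelines..."
# This lets every pipeline in the project use a credential that holds Owner at the tenant root;
# restrict pipeline permissions on the endpoint afterwards if that is wider than intended.
az devops service-endpoint update --project "$TeamProject" --id "$($ServiceEndpoint.id)" --enable-for-all true | Out-Null
Assert-AzSucceeded -Step 'az devops service-endpoint update'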