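<#
.SYNOPSIS
    Provisions an Azure API Management instance (internal VNet) and binds custom proxy and
    portal hostnames using a certificate pulled from Key Vault.
.DESCRIPTION
    The pipeline identity is granted read access to one Key Vault secret holding a base64
    encoded PFX, the PFX is re-protected with $certPassword and written to $certificatePath
    on the build agent, then the APIM service is created and its hostname configuration set.
.PARAMETER apimServiceName
    Name of the API Management service to create.
.PARAMETER resourceGroupName
    Resource group in which the APIM service is created.
.PARAMETER location
    Azure region for the APIM service.
.PARAMETER organisation
    Organization name shown in the APIM developer portal.
.PARAMETER sku
    APIM SKU, e.g. Developer, Standard or Premium.
.PARAMETER adminEmail
    Address that receives APIM notification mail.
.PARAMETER certificatePath
    Path on the build agent where the password-protected PFX is written. The private key
    is in this file; the pipeline should remove it once the hostnames are configured.
.PARAMETER keyVaultName
    Key Vault holding the certificate secret.
.PARAMETER svcPrincipalAppObjectId
    Object id of the pipeline's service principal; it is granted, then stripped of, an access
    policy on the vault.
.PARAMETER resourceGroupNameKeyVault
    Resource group of the Key Vault.
.PARAMETER secretName
    Name of the Key Vault secret containing the base64-encoded PFX.
.PARAMETER certPassword
    Password used to protect the PFX written to $certificatePath. This arrives as plain text,
    so it is visible in process arguments and pipeline variables; supply it from a secret
    pipeline variable and never echo it to the log.
.PARAMETER proxyHostname
    Custom hostname for the APIM gateway (proxy) endpoint.
.PARAMETER portalHostname
    Custom hostname for the APIM developer portal.
#>
[CmdletBinding()]
Param (
    [Parameter(Mandatory = $true)] [string]$apimServiceName,
    [Parameter(Mandatory = $true)] [string]$resourceGroupName,
    [Parameter(Mandatory = $true)] [string]$location,
    [Parameter(Mandatory = $true)] [string]$organisation,
    [Parameter(Mandatory = $true)] [string]$sku,
    [Parameter(Mandatory = $true)] [string]$adminEmail,
    [Parameter(Mandatory = $true)] [string]$certificatePath,
    [Parameter(Mandatory = $true)] [string]$keyVaultName,
    [Parameter(Mandatory = $true)] [string]$svcPrincipalAppObjectId,
    [Parameter(Mandatory = $true)] [string]$resourceGroupNameKeyVault,
    [Parameter(Mandatory = $true)] [string]$secretName,
    # Plain string for backward compatibility with existing callers; treat as a secret.
    [Parameter(Mandatory = $true)] [string]$certPassword,
    [Parameter(Mandatory = $true)] [string]$proxyHostname,
    [Parameter(Mandatory = $true)] [string]$portalHostname
)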
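<#
.SYNOPSIS
    Creates the APIM service and attaches the proxy and portal custom hostnames.
.DESCRIPTION
    Steps: grant the pipeline identity 'get' on vault secrets, read the base64 PFX secret,
    revoke the access policy again, re-protect the PFX with $certPassword, write it to
    $certificatePath, create the APIM instance (VpnType Internal) and bind the certificate
    to both hostnames.
    Every parameter defaults to the script-scope variable of the same name, so the function
    works when called bare as well as with the positional argument list used at the bottom of
    the script (the original declared no parameters, so those arguments were silently dropped
    into $args).
.NOTES
    Neither $certPassword nor the Key Vault secret is written to the output stream or the host:
    pipeline logs are retained and readable by more people than the vault.
#>
Function createAPIMService
{
    Param (
        [string]$apimServiceName = $script:apimServiceName,
        [string]$resourceGroupName = $script:resourceGroupName,
        [string]$location = $script:location,
        [string]$organisation = $script:organisation,
        [string]$sku = $script:sku,
        [string]$adminEmail = $script:adminEmail,
        [string]$certificatePath = $script:certificatePath,
        [string]$keyVaultName = $script:keyVaultName,
        [string]$resourceGroupNameKeyVault = $script:resourceGroupNameKeyVault,
        [string]$svcPrincipalAppObjectId = $script:svcPrincipalAppObjectId,
        [string]$secretName = $script:secretName,
        [string]$certPassword = $script:certPassword,
        [string]$proxyHostname = $script:proxyHostname,
        [string]$portalHostname = $script:portalHostname
    )

    # Echo the non-secret inputs for the pipeline log. $certPassword is intentionally omitted.
    Write-Host "APIM service name        : $apimServiceName"
    Write-Host "APIM resource group      : $resourceGroupName"
    Write-Host "Location                 : $location"
    Write-Host "Organisation             : $organisation"
    Write-Host "SKU                      : $sku"          # e.g. Developer, Standard or Premium
    Write-Host "Admin email              : $adminEmail"
    Write-Host "PFX output path (agent)  : $certificatePath"
    Write-Host "Key Vault                : $keyVaultName"
    Write-Host "Key Vault resource group : $resourceGroupNameKeyVault"
    Write-Host "Pipeline SP object id    : $svcPrincipalAppObjectId"
    Write-Host "Secret name              : $secretName"
    Write-Host "Proxy hostname           : $proxyHostname"
    Write-Host "Portal hostname          : $portalHostname"

    # The pipeline identity only reads one secret, so grant 'get' on secrets and nothing else
    # (the original also granted list/set on secrets and list/get on keys and certificates).
    # -BypassObjectIdValidation skips the AAD lookup of the object id, so a wrong id is not
    # caught here; it is kept because the pipeline identity may lack directory read rights.
    Set-AzKeyVaultAccessPolicy -BypassObjectIdValidation `
        -VaultName $keyVaultName -ResourceGroupName $resourceGroupNameKeyVault `
        -ObjectId $svcPrincipalAppObjectId -PermissionsToSecrets get -ErrorAction Stop
    try {
        $secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -ErrorAction Stop
        if (-not $secret) {
            throw "Secret '$secretName' was not found in Key Vault '$keyVaultName'."
        }
        # SecretValue is a SecureString in every Az.KeyVault version; the SecretValueText
        # property used previously was removed in Az.KeyVault 2.0 and would yield $null.
        $pfxBase64 = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
    }
    finally {
        # Revoke on every path, including a failed read. NOTE: this deletes the whole policy
        # entry for the object id, including any permissions it held before this script ran.
        Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $svcPrincipalAppObjectId
    }

    $pfxBytes = [System.Convert]::FromBase64String($pfxBase64)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    # The stored PFX carries no password ($null). Exportable is required so the private key
    # can be re-exported below under $certPassword.
    $pfx.Import($pfxBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
    $pfxProtectedBytes = $pfx.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $certPassword)
    # New-AzApiManagementCustomHostnameConfiguration takes a file path, hence the write to disk.
    # NOTE(review): the file (private key included) is left on the agent afterwards; delete it
    # in the pipeline once the hostname configuration has been applied.
    [System.IO.File]::WriteAllBytes($certificatePath, $pfxProtectedBytes)

    # Create the service with the requested SKU. -ErrorAction Stop so a failed create does
    # not fall through to the Get-AzApiManagement below with a confusing error.
    $null = New-AzApiManagement -ResourceGroupName $resourceGroupName -Name $apimServiceName `
        -Location $location -Organization $organisation -AdminEmail $adminEmail `
        -VpnType "Internal" -Sku $sku -ErrorAction Stop

    # One PFX is used for both hostnames, so its subject/SAN must cover both, e.g.
    # CN=gateway.devint.bptitanium.net and CN=portal.devint.bptitanium.net, or CN=*.bptitanium.net.
    $pfxPasswordSecure = ConvertTo-SecureString -String $certPassword -AsPlainText -Force
    $proxyHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $proxyHostname `
        -HostnameType Proxy -PfxPath $certificatePath -PfxPassword $pfxPasswordSecure
    $portalHostnameConfig = New-AzApiManagementCustomHostnameConfiguration -Hostname $portalHostname `
        -HostnameType Portal -PfxPath $certificatePath -PfxPassword $pfxPasswordSecure

    $apim = Get-AzApiManagement -ResourceGroupName $resourceGroupName -Name $apimServiceName -ErrorAction Stop
    $apim.ProxyCustomHostnameConfiguration = $proxyHostnameConfig
    $apim.PortalCustomHostnameConfiguration = $portalHostnameConfig
    Set-AzApiManagement -InputObject $apim -ErrorAction Stop
}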
# Run the deployment. The arguments are passed positionally in the same order as the
# script's Param block, via array splatting.
$deployArgs = @(
    $apimServiceName, $resourceGroupName, $location, $organisation, $sku, $adminEmail,
    $certificatePath, $keyVaultName, $resourceGroupNameKeyVault, $svcPrincipalAppObjectId,
    $secretName, $certPassword, $proxyHostname, $portalHostname
)
createAPIMService @deployArgs