ado-linked-var-group-5
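#!/bin/bash
# Create (or recreate) an Azure DevOps variable group that is linked to a Key
# Vault, looking the service connection up by name. All settings come from the
# environment with the defaults below; STAGE / TEAM / ENVRC are only echoed.
SC_NAME=${SC_NAME:-"Service Connection Name"}
KEYVAULTNAME=${KEYVAULTNAME:-"keyvault"}
AZ_SUBSCRIPTION=${AZ_SUBSCRIPTION:-"Azure Subscription"}
AZ_SUBSCRIPTION_ID=${AZ_SUBSCRIPTION_ID:-"Azure Subscription ID"}
ADO_ORG=${ADO_ORG:-"https://dev.azure.com/myorgname"}
ADO_PROJECT=${ADO_PROJECT:-"MyProject"}
SECRET_TEMPLATE=${SECRET_TEMPLATE:-"./secret-var-group.tpl"}
echo "STAGE: ${STAGE}"
echo "TEAM: ${TEAM}"
echo "AZ_SUBSCRIPTION: ${AZ_SUBSCRIPTION}"
echo "ENVRC: $ENVRC"
echo "KEYVAULTNAME: ${KEYVAULTNAME}"
echo "ADO_ORG: ${ADO_ORG}"
echo "ADO_PROJECT: ${ADO_PROJECT}"
echo "SECRET_TEMPLATE: ${SECRET_TEMPLATE}"
echo "SC_NAME: ${SC_NAME}"
## We pull this from our super secret keyvault
# Secret names ADOUSER / ADOPAT are fixed here. Assignment is split from
# `export` so a failed `az` call is not masked by export's own exit status.
# NOTE(review): both values are exported, so every child process started
# below (az, envsubst, curl, ...) inherits the PAT in its environment; drop
# the `export` if nothing downstream of this script reads them from the env.
ADO_USER="$(az keyvault secret show --name ADOUSER --vault-name "$KEYVAULTNAME" --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)"
export ADO_USER
ADO_PAT="$(az keyvault secret show --name ADOPAT --vault-name "$KEYVAULTNAME" --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)"
export ADO_PAT
# Fail fast here rather than carrying an empty user/PAT into the REST call
# at the end of the script (which would only surface as a 401/203 from ADO).
: "${ADO_USER:?could not read ADOUSER from Key Vault ${KEYVAULTNAME}}"
: "${ADO_PAT:?could not read ADOPAT from Key Vault ${KEYVAULTNAME}}"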
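#######################################
# Resolve a service connection (service endpoint) to its id by exact name.
# Globals:   AZ_SUBSCRIPTION_ID, ADO_ORG, ADO_PROJECT (read)
# Arguments: $1 - service connection name
# Outputs:   the endpoint id on stdout, empty if no endpoint has that name
#######################################
get_ado_connection () {
  local endpoint_name="$1" endpoint_id
  # An exact-name JMESPath filter replaces `-o table | grep $1`: the unquoted
  # $1 was word-split (a name with spaces turned the extra words into grep
  # *file* arguments) and the substring match could resolve "prod" to
  # "prod-legacy". NOTE(review): a single quote inside the name would still
  # break the query literal — names are operator-supplied, not untrusted.
  endpoint_id="$(az devops service-endpoint list \
    --detect false \
    --subscription "$AZ_SUBSCRIPTION_ID" \
    --organization "$ADO_ORG" \
    --project "$ADO_PROJECT" \
    --query "[?name=='${endpoint_name}'].id" \
    -o tsv | head -n1)"
  echo "$endpoint_id"
}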
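#######################################
# Resolve a pipeline variable group to its id by exact name.
# Globals:   AZ_SUBSCRIPTION_ID, ADO_ORG, ADO_PROJECT (read)
# Arguments: $1 - variable group name
# Outputs:   the group id on stdout, empty if no group has that name
#######################################
get_ado_vargroup () {
  local group_name="$1" group_id
  # Exact match on the name field instead of grepping the table output with
  # an unquoted, unanchored pattern (which word-split names containing spaces
  # and matched any row whose text merely contained the name).
  group_id="$(az pipelines variable-group list \
    --detect false \
    --subscription "$AZ_SUBSCRIPTION_ID" \
    --organization "$ADO_ORG" \
    --project "$ADO_PROJECT" \
    --query "[?name=='${group_name}'].id" \
    -o tsv | head -n1)"
  echo "$group_id"
}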
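#######################################
# Delete a pipeline variable group by id. A no-op for an empty id.
# Globals:   AZ_SUBSCRIPTION_ID, ADO_ORG, ADO_PROJECT (read)
# Arguments: $1 - variable group id
# Returns:   0 for an empty id, otherwise the exit status of `az`
#######################################
remove_ado_vargroup () {
  local group_id="$1"
  echo "Attempting to remove vargroup id ${group_id}"
  if [[ -z "$group_id" ]]; then
    return 0
  fi
  # stderr is no longer discarded: a delete that fails (permissions, wrong
  # project, stale id) used to be invisible, and the caller would go on to
  # create a second group with the same name. Let az report it and let its
  # exit status reach the caller.
  az pipelines variable-group delete \
    --group-id "$group_id" \
    --detect false \
    --subscription "$AZ_SUBSCRIPTION_ID" \
    --organization "$ADO_ORG" \
    --project "$ADO_PROJECT" \
    -y
}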
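#######################################
# Resolve an Azure DevOps project name to its id.
# Globals:   AZ_SUBSCRIPTION_ID, ADO_ORG (read)
# Arguments: $1 - project name
# Outputs:   the project id on stdout (empty if `az` returns nothing)
#######################################
get_ado_project_id () {
  local project_name="$1" project_id
  # Read the id field directly. The previous `-o table | head -n1 | awk` took
  # the FIRST line of the table, which is the column-header row, so the
  # function printed the literal header text rather than the project id.
  project_id="$(az devops project show \
    --project "$project_name" \
    --detect false \
    --subscription "$AZ_SUBSCRIPTION_ID" \
    --organization "$ADO_ORG" \
    --query id \
    -o tsv)"
  echo "$project_id"
}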
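echo "Retrieving ${SC_NAME} service endpoint id first..."
# Quoted so a connection name containing spaces reaches the lookup as one
# argument; assignment split from `export` so the lookup's status is visible.
service_endpoint_id="$(get_ado_connection "${SC_NAME}")"
export service_endpoint_id
# Exported for envsubst, which substitutes only the names listed in
# DEPLOYVARS below into the template.
export vault_name="${KEYVAULTNAME}"
export name="${SC_NAME}_secrets"
export description="${SC_NAME} (linked to ${KEYVAULTNAME})"
export project="${ADO_PROJECT}"
project_id="$(get_ado_project_id "${ADO_PROJECT}")"
export project_id
## If we have our service endpoint id we are good to go
if [[ -n "$service_endpoint_id" ]]; then
  echo "ID for token replacement - ${SC_NAME} = $service_endpoint_id"
  if [[ ! -r "${SECRET_TEMPLATE}" ]]; then
    echo "template ${SECRET_TEMPLATE} not found or not readable" >&2
    exit 1
  fi
  DEPLOYVARS='$service_endpoint_id:$vault_name:$name:$description:$project:$project_id'
  # Render into a mktemp file (removed on exit) instead of the predictable
  # /tmp/<template>.out. The same path is then POSTed: previously the file was
  # written to /tmp but curl read "${SECRET_TEMPLATE}.out" from the cwd.
  rendered="$(mktemp)" || { echo "mktemp failed" >&2; exit 1; }
  trap 'rm -f -- "$rendered"' EXIT
  envsubst "$DEPLOYVARS" < "${SECRET_TEMPLATE}" > "$rendered"
  # NOTE(review): values are substituted verbatim; a `"` or `\` in SC_NAME or
  # KEYVAULTNAME would corrupt the JSON body — confirm the template escapes
  # them or that these names are restricted upstream.
  vargroup="$(get_ado_vargroup "${name}")"
  if [[ -n "$vargroup" ]]; then
    echo "Removing old keyvault linked variable group ${name} ($vargroup)"
    # The old prompt read a line and ignored it, so the deletion always went
    # ahead; now anything other than y/Y aborts before any change is made.
    read -r -p "proceed? [y/N] " answer
    if [[ ! "$answer" =~ ^[Yy] ]]; then
      echo "Aborted; existing group ${name} ($vargroup) left in place." >&2
      exit 1
    fi
    # Do not create a second group with the same name if the delete failed.
    if ! remove_ado_vargroup "$vargroup"; then
      echo "Failed to delete variable group ${vargroup}; not creating a duplicate." >&2
      exit 1
    fi
  fi
  # Credentials are passed as a curl config on stdin (-K -) instead of
  # --user on the command line, so the PAT never appears in `ps` or shell
  # traces. The request body still comes from the rendered file (-d @file).
  curl -X POST \
    -K - \
    -H "Content-Type: application/json" \
    -d "@${rendered}" \
    "${ADO_ORG}/${ADO_PROJECT}/_apis/distributedtask/variablegroups?api-version=6.0-preview.2" \
    <<< "user = \"${ADO_USER}:${ADO_PAT}\""
else
  # Previously a silent no-op with exit 0, which hides a typo in SC_NAME
  # from any pipeline that runs this script.
  echo "No service connection named '${SC_NAME}' found in ${ADO_PROJECT}; nothing created." >&2
  exit 1
fi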