ado-linked-var-group-5
| #!/bin/bash | |
| SC_NAME=${SC_NAME:-"Service Connection Name"} | |
| KEYVAULTNAME=${KEYVAULTNAME:-"keyvault"} | |
| AZ_SUBSCRIPTION=${AZ_SUBSCRIPTION:-"Azure Subscription"} | |
| AZ_SUBSCRIPTION_ID=${AZ_SUBSCRIPTION_ID:-"Azure Subscription ID"} | |
| ADO_ORG=${ADO_ORG:-"https://dev.azure.com/myorgname"} | |
| ADO_PROJECT=${ADO_PROJECT:-"MyProject"} | |
| SECRET_TEMPLATE=${SECRET_TEMPLATE:-"./secret-var-group.tpl"} | |
| echo "STAGE: ${STAGE}" | |
| echo "TEAM: ${TEAM}" | |
| echo "AZ_SUBSCRIPTION: ${AZ_SUBSCRIPTION}" | |
| echo "ENVRC: $ENVRC" | |
| echo "KEYVAULTNAME: ${KEYVAULTNAME}" | |
| echo "ADO_ORG: ${ADO_ORG}" | |
| echo "ADO_PROJECT: ${ADO_PROJECT}" | |
| echo "SECRET_TEMPLATE: ${SECRET_TEMPLATE}" | |
| echo "SC_NAME: ${SC_NAME}" | |
| ## We pull this from our super secret keyvault | |
| export ADO_USER="$(az keyvault secret show --name ADOUSER --vault-name $KEYVAULTNAME --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)" | |
| export ADO_PAT="$(az keyvault secret show --name ADOPAT --vault-name $KEYVAULTNAME --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)" | |
| get_ado_connection () { | |
| thiscon=`az devops service-endpoint list \ | |
| --detect false \ | |
| --subscription "$AZ_SUBSCRIPTION_ID" \ | |
| --organization "$ADO_ORG" \ | |
| --project "$ADO_PROJECT" \ | |
| -o table | grep $1 | head -n1 | awk '{print $1;}'` | |
| echo "$thiscon" | |
| } | |
| get_ado_vargroup () { | |
| group=`az pipelines variable-group list \ | |
| --detect false \ | |
| --subscription "$AZ_SUBSCRIPTION_ID" \ | |
| --organization "$ADO_ORG" \ | |
| --project "$ADO_PROJECT" \ | |
| -o table | grep $1 | head -n1 | awk '{print $1;}'` | |
| echo "$group" | |
| } | |
| remove_ado_vargroup () { | |
| echo "Attempting to remove vargroup id $1" | |
| if [ ! -z "$1" ]; then | |
| az pipelines variable-group delete \ | |
| --group-id "$1" \ | |
| --detect false \ | |
| --subscription "$AZ_SUBSCRIPTION_ID" \ | |
| --organization "$ADO_ORG" \ | |
| --project "$ADO_PROJECT" \ | |
| -y 2> /dev/null | |
| fi; | |
| } | |
| get_ado_project_id () { | |
| id=`az devops project show \ | |
| --project $1 \ | |
| --detect false \ | |
| --subscription "$AZ_SUBSCRIPTION_ID" \ | |
| --organization "$ADO_ORG" \ | |
| -o table | head -n1 | awk '{print $1;}'` | |
| echo "$id" | |
| } | |
| echo "Retrieving ${SC_NAME} service endpoint id first..." | |
| export service_endpoint_id=`get_ado_connection ${SC_NAME}` | |
| export vault_name=$KEYVAULTNAME | |
| export name=${SC_NAME}_secrets | |
| export description="${SC_NAME} (linked to ${KEYVAULTNAME})" | |
| export project="${ADO_PROJECT}" | |
| export project_id=`get_ado_project_id ${ADO_PROJECT}` | |
| ## If we have our service endpoint id we are good to go | |
| if [ ! -z "$service_endpoint_id" ]; then | |
| echo "ID for token replacement - ${SC_NAME} = $service_endpoint_id" | |
| DEPLOYVARS='$service_endpoint_id:$vault_name:$name:$description:$project:$project_id' | |
| envsubst "$DEPLOYVARS"< "${SECRET_TEMPLATE}" >/tmp/$(basename ${SECRET_TEMPLATE}).out | |
| vargroup=`get_ado_vargroup ${name}` | |
| if [[ ! -z "$vargroup" ]]; then | |
| echo "Removing old keyvault linked variable group ${name} ($vargroup)" | |
| echo "proceed?" | |
| read | |
| remove_ado_vargroup $vargroup | |
| fi | |
| curl -X POST \ | |
| --user "${ADO_USER}:${ADO_PAT}" \ | |
| -H "Content-Type: application/json" \ | |
| -d @${SECRET_TEMPLATE}.out \ | |
| "${ADO_ORG}/${ADO_PROJECT}/_apis/distributedtask/variablegroups?api-version=6.0-preview.2" | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment