Skip to content

Instantly share code, notes, and snippets.

@zloeber
Created January 16, 2020 03:19
Show Gist options
  • Save zloeber/e90da169dec0ec0c96fffd457ef5b33a to your computer and use it in GitHub Desktop.
Save zloeber/e90da169dec0ec0c96fffd457ef5b33a to your computer and use it in GitHub Desktop.
ado-linked-var-group-5
#!/bin/bash
SC_NAME=${SC_NAME:-"Service Connection Name"}
KEYVAULTNAME=${KEYVAULTNAME:-"keyvault"}
AZ_SUBSCRIPTION=${AZ_SUBSCRIPTION:-"Azure Subscription"}
AZ_SUBSCRIPTION_ID=${AZ_SUBSCRIPTION_ID:-"Azure Subscription ID"}
ADO_ORG=${ADO_ORG:-"https://dev.azure.com/myorgname"}
ADO_PROJECT=${ADO_PROJECT:-"MyProject"}
SECRET_TEMPLATE=${SECRET_TEMPLATE:-"./secret-var-group.tpl"}
echo "STAGE: ${STAGE}"
echo "TEAM: ${TEAM}"
echo "AZ_SUBSCRIPTION: ${AZ_SUBSCRIPTION}"
echo "ENVRC: $ENVRC"
echo "KEYVAULTNAME: ${KEYVAULTNAME}"
echo "ADO_ORG: ${ADO_ORG}"
echo "ADO_PROJECT: ${ADO_PROJECT}"
echo "SECRET_TEMPLATE: ${SECRET_TEMPLATE}"
echo "SC_NAME: ${SC_NAME}"
## We pull this from our super secret keyvault
export ADO_USER="$(az keyvault secret show --name ADOUSER --vault-name $KEYVAULTNAME --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)"
export ADO_PAT="$(az keyvault secret show --name ADOPAT --vault-name $KEYVAULTNAME --subscription "$AZ_SUBSCRIPTION" --query value -o tsv)"
get_ado_connection () {
thiscon=`az devops service-endpoint list \
--detect false \
--subscription "$AZ_SUBSCRIPTION_ID" \
--organization "$ADO_ORG" \
--project "$ADO_PROJECT" \
-o table | grep $1 | head -n1 | awk '{print $1;}'`
echo "$thiscon"
}
get_ado_vargroup () {
group=`az pipelines variable-group list \
--detect false \
--subscription "$AZ_SUBSCRIPTION_ID" \
--organization "$ADO_ORG" \
--project "$ADO_PROJECT" \
-o table | grep $1 | head -n1 | awk '{print $1;}'`
echo "$group"
}
remove_ado_vargroup () {
echo "Attempting to remove vargroup id $1"
if [ ! -z "$1" ]; then
az pipelines variable-group delete \
--group-id "$1" \
--detect false \
--subscription "$AZ_SUBSCRIPTION_ID" \
--organization "$ADO_ORG" \
--project "$ADO_PROJECT" \
-y 2> /dev/null
fi;
}
get_ado_project_id () {
id=`az devops project show \
--project $1 \
--detect false \
--subscription "$AZ_SUBSCRIPTION_ID" \
--organization "$ADO_ORG" \
-o table | head -n1 | awk '{print $1;}'`
echo "$id"
}
echo "Retrieving ${SC_NAME} service endpoint id first..."
export service_endpoint_id=`get_ado_connection ${SC_NAME}`
export vault_name=$KEYVAULTNAME
export name=${SC_NAME}_secrets
export description="${SC_NAME} (linked to ${KEYVAULTNAME})"
export project="${ADO_PROJECT}"
export project_id=`get_ado_project_id ${ADO_PROJECT}`
## If we have our service endpoint id we are good to go
if [ ! -z "$service_endpoint_id" ]; then
echo "ID for token replacement - ${SC_NAME} = $service_endpoint_id"
DEPLOYVARS='$service_endpoint_id:$vault_name:$name:$description:$project:$project_id'
envsubst "$DEPLOYVARS"< "${SECRET_TEMPLATE}" >/tmp/$(basename ${SECRET_TEMPLATE}).out
vargroup=`get_ado_vargroup ${name}`
if [[ ! -z "$vargroup" ]]; then
echo "Removing old keyvault linked variable group ${name} ($vargroup)"
echo "proceed?"
read
remove_ado_vargroup $vargroup
fi
curl -X POST \
--user "${ADO_USER}:${ADO_PAT}" \
-H "Content-Type: application/json" \
-d @${SECRET_TEMPLATE}.out \
"${ADO_ORG}/${ADO_PROJECT}/_apis/distributedtask/variablegroups?api-version=6.0-preview.2"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment