From 774840ddc65eb6651613894bc939c665864fe1d8 Mon Sep 17 00:00:00 2001
From: Chris Ayers
Date: Thu, 26 Sep 2024 13:59:39 +0000
Subject: [PATCH] Refactor auth-setup script to use dynamic variables and improve readability
---
 auth-setup.md | 35 -----------------------------------
 auth-setup.sh | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 35 deletions(-)
 delete mode 100644 auth-setup.md
 create mode 100644 auth-setup.sh
diff --git a/auth-setup.md b/auth-setup.md
deleted file mode 100644
index fc45d44..0000000
--- a/auth-setup.md
+++ /dev/null
@@ -1,35 +0,0 @@
-```bash
-githubOrganizationName='codebytes'
-githubRepositoryName='github-actions-demos'
-
-applicationRegistrationDetails=$(az ad app create --display-name 'github-actions-demos')
-applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
-applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
-
-az ad app federated-credential create \
- --id $applicationRegistrationObjectId \
- --parameters "{\"name\":\"github-actions-demos-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
-az ad app federated-credential create \
- --id $applicationRegistrationObjectId \
- --parameters "{\"name\":\"github-actions-demos-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
-az ad app federated-credential create \
- --id $applicationRegistrationObjectId \
- --parameters "{\"name\":\"github-actions-demos-env-dotnet\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dotnet\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
-
-az ad sp create --id $applicationRegistrationObjectId
-az role assignment create \
- --assignee $applicationRegistrationAppId \
- --role Contributor
-
-AZURE_CLIENT_ID=$applicationRegistrationAppId
-AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
-AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
-
-echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
-echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
-echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
-
-gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
-gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
-gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"
-```
\ No newline at end of file
diff --git a/auth-setup.sh b/auth-setup.sh
new file mode 100644
index 0000000..4a526d1
--- /dev/null
+++ b/auth-setup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#secure-terraform-on-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}")
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-env-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+ --id $applicationRegistrationObjectId \
+ --parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+az ad sp create --id $applicationRegistrationObjectId
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor --scope /subscriptions/$AZURE_SUBSCRIPTION_ID
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"
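Review bot: The new auth-setup.sh runs under `#!/bin/sh` with no `set -eu`, so when `az ad app create` fails or `cut -f4 -d"/"` yields nothing (an SSH-style origin such as `git@github.com:org/repo.git` has no fourth slash-separated field), `githubOrganizationName` and the two `applicationRegistration*` ids come through empty and the four federated-credential `subject` values, the role assignment and the three `gh secret set` calls are all issued with those empty values. Add `set -eu` after the shebang and guard the derived inputs before the first `az` call, e.g. `: "${githubOrganizationName:?could not derive org from origin URL}"` and `: "${applicationRegistrationObjectId:?app registration returned no id}"`. The `az role assignment create` line grants Contributor across the whole subscription; if the workflows only deploy into one resource group, narrowing `--scope` to that group is the least-privilege form, and otherwise a comment stating why subscription scope is required would help the next reader. The two `echo $applicationRegistrationDetails | jq` lines should quote the expansion (`printf '%s' "$applicationRegistrationDetails" | jq -r '.id'`) so the JSON is not word-split or glob-expanded before it reaches jq.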