Refactor auth-setup script to use dynamic variables and improve readability
@@ -1,35 +0,0 @@
|
|||||||
```bash
|
|
||||||
githubOrganizationName='codebytes'
|
|
||||||
githubRepositoryName='github-actions-demos'
|
|
||||||
|
|
||||||
applicationRegistrationDetails=$(az ad app create --display-name 'github-actions-demos')
|
|
||||||
applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
|
|
||||||
applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
|
|
||||||
|
|
||||||
az ad app federated-credential create \
|
|
||||||
--id $applicationRegistrationObjectId \
|
|
||||||
--parameters "{\"name\":\"github-actions-demos-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
|
|
||||||
az ad app federated-credential create \
|
|
||||||
--id $applicationRegistrationObjectId \
|
|
||||||
--parameters "{\"name\":\"github-actions-demos-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
|
|
||||||
az ad app federated-credential create \
|
|
||||||
--id $applicationRegistrationObjectId \
|
|
||||||
--parameters "{\"name\":\"github-actions-demos-env-dotnet\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dotnet\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
|
|
||||||
|
|
||||||
az ad sp create --id $applicationRegistrationObjectId
|
|
||||||
az role assignment create \
|
|
||||||
--assignee $applicationRegistrationAppId \
|
|
||||||
--role Contributor
|
|
||||||
|
|
||||||
AZURE_CLIENT_ID=$applicationRegistrationAppId
|
|
||||||
AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
|
|
||||||
AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
|
|
||||||
|
|
||||||
echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
|
|
||||||
echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
|
|
||||||
echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
|
|
||||||
|
|
||||||
gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
|
|
||||||
gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
|
|
||||||
gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"
|
|
||||||
```
|
|
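--- a/auth-setup.sh
+++ b/auth-setup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#secure-terraform-on-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}")
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+az ad sp create --id $applicationRegistrationObjectId
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor --scope /subscriptions/$AZURE_SUBSCRIPTION_ID
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"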
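Review bot: All four federated-credential subjects (`pull_request`, `environment:dev`, `environment:prod`, `ref:refs/heads/main`) are attached to the one app registration that the `az role assignment create` line grants Contributor over the whole subscription, so a workflow assuming the PR or dev subject holds exactly the rights the prod subject does; narrowing the assignment (`--scope /subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/<RG_NAME_PLACEHOLDER>`) or registering a separate, lower-privileged app for the PR/dev subjects would keep a compromised PR workflow away from production resources. Separately, the script runs under `#!/bin/sh` with no `set -eu`, so if `az ad app create` fails, `applicationRegistrationDetails` is empty, both `jq -r` lookups yield empty ids, and the three trailing `gh secret set` calls still store those empty values as repository secrets; adding `set -eu` directly after the shebang and quoting `"$applicationRegistrationObjectId"` and `"$applicationRegistrationAppId"` in the `--id`/`--assignee` arguments makes the script stop at the first failed step instead. The org name is taken with `cut -f4 -d"/"`, which presumably only yields the organization for an https remote URL — with an ssh-style remote the fourth `/`-field is empty and every `subject` would be written as `repo:/<repo>:…`, a credential that never matches; the `#codebytes` comment above it reads as an example value rather than a description, so `# e.g. codebytes (only derived correctly from an https remote)` would make the assumption explicit.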