Merge pull request #90 from arkahna/feature/refine-github-permissions

Work on improving the create service principal generator
arkahna · Dec 6, 2022 · b12f010 · b12f010
2 parents 73a65d6 + aa5f406
commit b12f010
Show file tree

Hide file tree

Showing 9 changed files with 108 additions and 7 deletions.
diff --git a/.changeset/brave-olives-reply.md b/.changeset/brave-olives-reply.md
@@ -0,0 +1,5 @@
+---
+'@arkahna/nx-terraform': minor
+---
+
+Improvements to service principal creation
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -10,5 +10,19 @@
     ],
     "[terraform]": {
         "editor.defaultFormatter": "hashicorp.terraform"
-    }
+    },
+    "hediet.vscode-drawio.theme": "Kennedy",
+    "hediet.vscode-drawio.customFonts": [
+        "Calibri"
+    ],
+    "hediet.vscode-drawio.defaultVertexStyle": {
+        "fontFamily": "Calibri",
+        "fillColor": "#dae8fc",
+        "strokeColor": "#6c8ebf",
+        "strokeWidth": "1",
+        "labelBackgroundColor": "none"
+    },
+    "hediet.vscode-drawio.defaultEdgeStyle": {
+        "edgeStyle": "orthogonalEdgeStyle;"
+    },
 }
diff --git a/libs/nx-terraform/README.md b/libs/nx-terraform/README.md
@@ -101,8 +101,30 @@ pnpm nx g \
   @arkahna/nx-terraform:add-project-environment \
   <projectname> \
   --environment <environmentname>
+```
+
+### create-environment-sp
+
+Creates a service principal for GitHub actions to use.
+
+Need to be logged in as an application administrator role.
+
+This generator will do the following:
+
+- Create a service principal
+- Grant the service principal the desired role on the environment resource group
+- Grant the service principal permissions to write to the terraform state store (if using Azure storage for state)
+- Grant the service principal permissions to read/write secrets in the environment KeyVault
+- Add the Application.ReadWrite.Owner permission to the service principal
+- Print the links and command line args to grant admin consent to the service principal (enabling Service Principal to Create and Maintain App Registrations)
+
+#### Usage
 
 ```
+pnpm nx g \
+  @arkahna/nx-terraform:create-environment-sp \
+  --environment <environmentname>
+```
 
 ## Executors
 
@@ -115,3 +137,7 @@ If you are running apply multiple times locally, run with `--leaveFirewallExcept
 ### Lint
 
 Needs tfsec installed, or set tfsec command to false. See https://github.com/aquasecurity/tfsec#installation
+
+## Concepts
+
+![Concepts](./docs/concepts.drawio.png)
diff --git a/libs/nx-terraform/docs/concepts.drawio.png b/libs/nx-terraform/docs/concepts.drawio.png
diff --git a/libs/nx-terraform/src/common/getEnvTfVars.ts b/libs/nx-terraform/src/common/getEnvTfVars.ts
@@ -19,7 +19,7 @@ export function getTfEnvVars(projectName: string, envConfig: EnvConfig, repoConf
         `project_name_tag=${projectName || ''}`,
         `cost_centre_tag=${repoConfig.azureCostCentre || ''}`,
         `resource_prefix=${repoConfig.azureResourcePrefix || ''}`,
-        `github_service_principal=${envConfig.github_service_principal || ''}`,
+        `github_service_principal=${envConfig.github_service_principal_name || ''}`,
         `github_service_principal_id=${envConfig.github_service_principal_id || ''}`,
     ]
 }

diff --git a/libs/nx-terraform/src/common/readConfigFromEnvFile.ts b/libs/nx-terraform/src/common/readConfigFromEnvFile.ts
@@ -72,7 +72,9 @@ export async function readConfigFromEnvFile(
         environmentFile,
         attributes,
         environmentFileBody: body,
-        github_service_principal: attributes.github_service_principal,
+        github_service_principal_name: attributes.github_service_principal_name,
         github_service_principal_id: attributes.github_service_principal_id,
+        github_service_principal_app_object_id: attributes.github_service_principal_app_object_id,
+        github_service_principal_app_client_id: attributes.github_service_principal_app_client_id,
     }
 }
diff --git a/libs/nx-terraform/src/executors/apply/executor.ts b/libs/nx-terraform/src/executors/apply/executor.ts
@@ -123,6 +123,9 @@ export default async function runExecutor(options: ApplyExecutorSchema, context:
         await execa('terragrunt', terragruntArguments, {
             stdio: 'inherit',
             cwd: projectRoot,
+            env: {
+                ...process.env,
+            },
         })
     } finally {
         if (options.leaveFirewallExceptions !== true) {

diff --git a/libs/nx-terraform/src/generators/create-environment-sp/generator.ts b/libs/nx-terraform/src/generators/create-environment-sp/generator.ts
@@ -40,6 +40,7 @@ export default async function (
     ]
 
     const idPlaceholder = 'ID_ONCE_CREATED'
+    const appIdPlaceholder = 'APP_ID_ONCE_CREATED'
     const storageContributorRoleAssignmentArgs = [
         'role',
         'assignment',
@@ -64,6 +65,21 @@ export default async function (
         kvScope,
     ]
 
+    const assignApplicationWritePermissions = [
+        'ad',
+        'app',
+        'permission',
+        'add',
+        '--id',
+        appIdPlaceholder,
+        '--api',
+        // Graph
+        '00000003-0000-0000-c000-000000000000',
+        '--api-permissions',
+        // Application.ReadWrite.OwnedBy
+        '18a4783c-866b-4cc7-a460-3d5e5662c884=Role',
+    ]
+
     if (isDryRun()) {
         console.log('Will run:')
 
@@ -74,6 +90,8 @@ export default async function (
         }
 
         console.log(`> ${getEscapedCommand(`az`, keyvaultRoleAssignmentArgs)}`)
+
+        console.log(`> ${getEscapedCommand(`az`, assignApplicationWritePermissions)}`)
     }
 
     return async () => {
@@ -83,20 +101,34 @@ export default async function (
             stdio: 'inherit',
         })
 
-        const { stdout } = await execa(`az`, [
+        const { stdout: stdoutAdList } = await execa(`az`, [
             'ad',
             'sp',
             'list',
             '--display-name',
             servicePrincipalName,
         ])
-        const servicePrincipalObjectId: string = JSON.parse(stdout)[0].id
+        const servicePrincipalObjectId: string = JSON.parse(stdoutAdList)[0].id
         console.log(`Service principal id: ${servicePrincipalObjectId}`)
 
+        const { stdout: stdoutAppList } = await execa(`az`, [
+            'ad',
+            'app',
+            'list',
+            '--display-name',
+            servicePrincipalName,
+        ])
+        const appObjectId: string = JSON.parse(stdoutAppList)[0].id
+        const appClientId: string = JSON.parse(stdoutAppList)[0].appId
+        console.log(`Service principal app object id: ${appObjectId}`)
+        console.log(`Service principal app client id: ${appClientId}`)
+
         const newAttributes: Record<string, string | undefined> = {
             ...environmentConfig.attributes,
-            github_service_principal: servicePrincipalName,
+            github_service_principal_name: servicePrincipalName,
             github_service_principal_id: servicePrincipalObjectId,
+            github_service_principal_app_object_id: appObjectId,
+            github_service_principal_app_client_id: appClientId,
         }
 
         fs.writeFileSync(
@@ -124,6 +156,7 @@ ${environmentConfig.environmentFileBody}
             )
         }
 
+        console.log()
         console.log(`> ${getEscapedCommand(`az`, keyvaultRoleAssignmentArgs)}`)
         await execa(
             'az',
@@ -135,6 +168,24 @@ ${environmentConfig.environmentFileBody}
             },
         )
 
+        console.log(`> ${getEscapedCommand(`az`, assignApplicationWritePermissions)}`)
+        await execa(
+            'az',
+            assignApplicationWritePermissions.map((arg) =>
+                arg === appIdPlaceholder ? appObjectId : arg,
+            ),
+            {
+                stdio: 'inherit',
+            },
+        )
+
+        console.log(
+            `Application link: https://portal.azure.com/?feature.msaljs=false#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/${appClientId}/isMSAApp~/false`,
+        )
+        console.log(
+            `Consent link: https://login.microsoftonline.com/${environmentConfig.tenantId}/adminconsent?client_id=${appClientId}`,
+        )
+
         console.log(`🎉 Success 🎉`)
         console.log(
             `🎉 Ensure you copy the credentials, the secret will not be stored in ${environmentConfig.environmentFile} 🎉`,

diff --git a/libs/nx-terraform/src/generators/project/files/azure/nx-vars.tf__template__ b/libs/nx-terraform/src/generators/project/files/azure/nx-vars.tf__template__
@@ -81,7 +81,7 @@ variable "cost_centre_tag" {
 }
 
 variable "github_service_principal" {
-  description = "The name of the github service principal which deploys this environment (if configured through NX)."
+  description = "The id of the github service principal which deploys this environment (if configured through NX)."
   type        = string
   nullable    = true
 }