This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
Work on improving the create service principal generator #90
Merged
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
'@arkahna/nx-terraform': minor | ||
--- | ||
|
||
Improvements to service principal creation |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -101,8 +101,30 @@ pnpm nx g \ | |
@arkahna/nx-terraform:add-project-environment \ | ||
<projectname> \ | ||
--environment <environmentname> | ||
``` | ||
|
||
### create-environment-sp | ||
|
||
Creates a service principal for GitHub actions to use. | ||
|
||
Need to be logged in as an application administrator role. | ||
|
||
This generator will do the following: | ||
|
||
- Create a service principal | ||
- Grant the service principal the desired role on the environment resource group | ||
- Grant the service principal permissions to write to the terraform state store (if using Azure storage for state) | ||
- Grant the service principal permissions to read/write secrets in the environment KeyVault | ||
- Add the Application.ReadWrite.Owner permission to the service principal | ||
- Print the links and command line args to grant admin consent to the service principal (enabling Service Principal to Create and Maintain App Registrations) | ||
|
||
#### Usage | ||
|
||
``` | ||
pnpm nx g \ | ||
@arkahna/nx-terraform:create-environment-sp \ | ||
--environment <environmentname> | ||
``` | ||
|
||
## Executors | ||
|
||
|
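Review bot: the permission named in the new bullet list, Application.ReadWrite.Owner, does not exist under that name and does not match the generator, whose comment and role id refer to Application.ReadWrite.OwnedBy; change the README to Application.ReadWrite.OwnedBy so readers look up the right permission. The last bullet should also state plainly that the generator only prints consent links: the permission is an application role (`=Role`), so it grants nothing until an administrator consents, and the CI principal cannot create or maintain app registrations straight after the command finishes. Minor wording: "Need to be logged in as an application administrator role" reads better as "You need to be signed in with the Application Administrator role".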
@@ -115,3 +137,7 @@ If you are running apply multiple times locally, run with `--leaveFirewallExcept | |
### Lint | ||
|
||
Needs tfsec installed, or set tfsec command to false. See https://github.com/aquasecurity/tfsec#installation | ||
|
||
## Concepts | ||
|
||
![Concepts](./docs/concepts.drawio.png) | ||
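Review bot: "set tfsec command to false" in the Lint section names no option, so a reader cannot find what to set; give the executor option key and the project.json fragment that disables it. The Concepts heading currently introduces only an image; one sentence saying what the diagram shows (how the generators lay out projects and environments) helps anyone reading the README as text.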
Review comment on this hunk: I think a visual around how it ends up causing the projects to be structured will be handy.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -40,6 +40,7 @@ export default async function ( | |
] | ||
|
||
const idPlaceholder = 'ID_ONCE_CREATED' | ||
const appIdPlaceholder = 'APP_ID_ONCE_CREATED' | ||
const storageContributorRoleAssignmentArgs = [ | ||
'role', | ||
'assignment', | ||
|
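Review bot: `appIdPlaceholder` / `'APP_ID_ONCE_CREATED'` is misnamed for how it is used: further down it is replaced with `appObjectId`, the application object id, not the client (app) id, even though `az ad app permission add --id` accepts either. Rename it to something like `APP_OBJECT_ID_ONCE_CREATED`, or substitute `appClientId` instead, so the next person editing the placeholder substitution does not pass the wrong identifier.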
@@ -64,6 +65,21 @@ export default async function ( | |
kvScope, | ||
] | ||
|
||
const assignApplicationWritePermissions = [ | ||
'ad', | ||
'app', | ||
'permission', | ||
'add', | ||
'--id', | ||
appIdPlaceholder, | ||
'--api', | ||
// Graph | ||
'00000002-0000-0000-c000-000000000000', | ||
'--api-permissions', | ||
// Application.ReadWrite.OwnedBy | ||
'824c81eb-e3f8-4ee6-8f6d-de7f50d565b7=Role', | ||
] | ||
|
||
if (isDryRun()) { | ||
console.log('Will run:') | ||
|
||
|
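Review bot: the `// Graph` comment above `'00000002-0000-0000-c000-000000000000'` should say which Graph, because that resource id is the legacy Azure AD Graph, not Microsoft Graph (`00000003-0000-0000-c000-000000000000`), and the role id `824c81eb-e3f8-4ee6-8f6d-de7f50d565b7` is Azure AD Graph's Application.ReadWrite.OwnedBy. Azure AD Graph is deprecated, so a principal set up this way will lose its app-registration rights when that API is retired; target Microsoft Graph instead, and take its Application.ReadWrite.OwnedBy app role id from the Microsoft Graph service principal (for example `az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='Application.ReadWrite.OwnedBy'].id"`) rather than reusing the Azure AD Graph GUID. Keeping OwnedBy rather than Application.ReadWrite.All is the right least-privilege choice.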
@@ -74,6 +90,8 @@ export default async function ( | |
} | ||
|
||
console.log(`> ${getEscapedCommand(`az`, keyvaultRoleAssignmentArgs)}`) | ||
|
||
console.log(`> ${getEscapedCommand(`az`, assignApplicationWritePermissions)}`) | ||
} | ||
|
||
return async () => { | ||
|
@@ -83,20 +101,34 @@ export default async function ( | |
stdio: 'inherit', | ||
}) | ||
|
||
const { stdout } = await execa(`az`, [ | ||
const { stdout: stdoutAdList } = await execa(`az`, [ | ||
'ad', | ||
'sp', | ||
'list', | ||
'--display-name', | ||
servicePrincipalName, | ||
]) | ||
const servicePrincipalObjectId: string = JSON.parse(stdout)[0].id | ||
const servicePrincipalObjectId: string = JSON.parse(stdoutAdList)[0].id | ||
console.log(`Service principal id: ${servicePrincipalObjectId}`) | ||
|
||
const { stdout: stdoutAppList } = await execa(`az`, [ | ||
'ad', | ||
'app', | ||
'list', | ||
'--display-name', | ||
servicePrincipalName, | ||
]) | ||
const appObjectId: string = JSON.parse(stdoutAppList)[0].id | ||
Review comment on this hunk: It now gathers and outputs the AD Object ID as well as the app id and the app Object ID. Different commands need one of these ids. It then stores all 3 in the dev markdown.
||
const appClientId: string = JSON.parse(stdoutAppList)[0].appId | ||
console.log(`Service principal app object id: ${appObjectId}`) | ||
console.log(`Service principal app client id: ${appClientId}`) | ||
|
||
const newAttributes: Record<string, string | undefined> = { | ||
...environmentConfig.attributes, | ||
github_service_principal: servicePrincipalName, | ||
github_service_principal_name: servicePrincipalName, | ||
github_service_principal_id: servicePrincipalObjectId, | ||
github_service_principal_app_object_id: appObjectId, | ||
github_service_principal_app_client_id: appClientId, | ||
} | ||
|
||
fs.writeFileSync( | ||
|
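Review bot: both lookups (`az ad sp list --display-name` and `az ad app list --display-name`) take `JSON.parse(...)[0]` without checking how many objects came back. An empty result throws an unhelpful TypeError on `[0].id`, and more than one result silently picks whichever object the directory returned first; display names are not unique in a tenant and the CLI's `--display-name` is a prefix match, so an existing `prod-2` principal can be selected when `prod` was created. Fail with a clear message unless exactly one object is returned (`if (list.length !== 1) throw new Error(...)`) before reading `.id`/`.appId`, and since both queries key on `servicePrincipalName`, consider capturing the create command's own JSON output instead of re-querying by name at all.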
@@ -124,6 +156,7 @@ ${environmentConfig.environmentFileBody} | |
) | ||
} | ||
|
||
console.log() | ||
console.log(`> ${getEscapedCommand(`az`, keyvaultRoleAssignmentArgs)}`) | ||
await execa( | ||
'az', | ||
|
@@ -135,6 +168,24 @@ ${environmentConfig.environmentFileBody} | |
}, | ||
) | ||
|
||
console.log(`> ${getEscapedCommand(`az`, assignApplicationWritePermissions)}`) | ||
await execa( | ||
'az', | ||
assignApplicationWritePermissions.map((arg) => | ||
arg === appIdPlaceholder ? appObjectId : arg, | ||
), | ||
{ | ||
stdio: 'inherit', | ||
}, | ||
) | ||
|
||
console.log( | ||
`Application link: https://portal.azure.com/?feature.msaljs=false#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/${appClientId}/isMSAApp~/false`, | ||
) | ||
console.log( | ||
`Consent link: https://login.microsoftonline.com/${environmentConfig.tenantId}/adminconsent?client_id=${appClientId}`, | ||
) | ||
|
||
console.log(`🎉 Success 🎉`) | ||
console.log( | ||
`🎉 Ensure you copy the credentials, the secret will not be stored in ${environmentConfig.environmentFile} 🎉`, | ||
|
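Review bot: the README hunk in this PR says the generator prints "the links and command line args to grant admin consent", but this hunk prints only the portal and consent links. `az ad app permission add` only records the required resource access on the app; an application role takes effect after admin consent, so print the equivalent CLI step as well, for example `az ad app permission admin-consent --id <appObjectId>`, so the consent step can be scripted or audited rather than done by hand in a browser. The consent link is built from `environmentConfig.tenantId`; if that can be undefined the URL will be `/undefined/adminconsent`, so guard it or fail early.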
PR comment: I added some doco, it's now doing a fair bit.