Skip to content

Commit

Permalink
chore: backfill app reg client supplied key
Browse files Browse the repository at this point in the history
  • Loading branch information
Christian Crowhurst committed Nov 30, 2024
1 parent f3fb721 commit 213c652
Showing 1 changed file with 35 additions and 6 deletions.
41 changes: 35 additions & 6 deletions tools/infrastructure/provision-azure-resources.ps1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -173,9 +173,12 @@
. "$PSScriptRoot/ps-functions/Set-AzureResourceGroup.ps1"
. "$PSScriptRoot/ps-functions/Set-AzureSqlAADUser.ps1"

# TODO: DELETE these cmdlets, and remove lines below once deployment of app role's using bicep has rolled out
# TODO: DELETE these cmdlets, and remove lines below once deployment of app reg using bicep has rolled out
. "$PSScriptRoot/ps-functions/Get-AppRoleId.ps1"
. "$PSScriptRoot/ps-functions/Revoke-ADAppRolePermission.ps1"

# TODO: remove line below once deployment of app reg using bicep has rolled out
. "$PSScriptRoot/ps-functions/Invoke-EnsureHttpSuccess.ps1"

$templatePath = Join-Path $PSScriptRoot arm-templates
}
Expand Down Expand Up @@ -287,17 +290,43 @@


#-----------------------------------------------------------------------------------------------
# TODO: remove lines below once deployment of app role's using bicep has rolled out
Write-Information '7.0. Remove original app role assignments...'
$funcApp = $convention.SubProducts.InternalApi
# TODO: remove this section once deployment of app reg using bicep has rolled out
Write-Information '7.0.0 Remove original app role assignments...'
$funcAppName = $convention.SubProducts.InternalApi.ResourceName
$appOnlyAppRoleName = 'app_only'
$funcAppRoleId = Get-AppRoleId $appOnlyAppRoleName $funcApp.ResourceName
$funcAppRoleId = Get-AppRoleId $appOnlyAppRoleName $funcAppName -EA Stop
$api = $convention.SubProducts.Api
$appRoleGrants = [PSCustomObject]@{
ManagedIdentityDisplayName = $api.ManagedIdentity.Primary
ManagedIdentityResourceGroupName = $appResourceGroup.ResourceName
}
$appRoleGrants | Revoke-ADAppRolePermission -TargetAppDisplayName $funcApp.ResourceName -AppRoleId $funcAppRoleId -EA Continue
$appRoleGrants | Revoke-ADAppRolePermission -TargetAppDisplayName $funcAppName -AppRoleId $funcAppRoleId -EA Continue

Write-Information '7.0.1. Backfill uniqueName to app registrations...'
$targetAppAdRegistration = Get-AzADApplication -DisplayName $funcAppName -EA Stop
$appRegJson = @{ uniqueName = $funcAppName } | ConvertTo-Json -Compress
Write-Information " Backfill AD app registration client supplied key for '$funcAppName' (ID: '$($targetAppAdRegistration.Id)')..."
$appRegUrl = "https://graph.microsoft.com/v1.0/applications/$($targetAppAdRegistration.Id)"
{ Invoke-AzRestMethod -Method PATCH -Uri $appRegUrl -Payload $appRegJson -EA Stop } |
Invoke-EnsureHttpSuccess | Out-Null

Write-Information '7.0.2. Remove original app roles...'
if ($targetAppAdRegistration.AppRole) {
# note: REST endpoint is sensitive to id being case sensitive
$appRoles = $targetAppAdRegistration.AppRole | Select-Object `
@{n='allowedMemberTypes'; e={@(, $_.AllowedMemberType)}}, DisplayName, Description, `
@{n='id'; e={$_.Id}}, @{n='isEnabled'; e={$false}}, Origin, Value

$appRegJson = @{ appRoles = $appRoles } | ConvertTo-Json -Compress -Depth 100
Write-Information " Disable app role for '$funcAppName' to allow for it be deleted..."
{ Invoke-AzRestMethod -Method PATCH -Uri $appRegUrl -Payload $appRegJson -EA Stop } |
Invoke-EnsureHttpSuccess | Out-Null

$appRegJson = @{ appRoles = @() } | ConvertTo-Json -Compress
Write-Information ' ...delete app role'
{ Invoke-AzRestMethod -Method PATCH -Uri $appRegUrl -Payload $appRegJson -EA Stop } |
Invoke-EnsureHttpSuccess | Out-Null
}


#-----------------------------------------------------------------------------------------------
Expand Down

0 comments on commit 213c652

Please sign in to comment.