Implement Sub ID array for Role assignment #76

Merged
merged 4 commits into from
Mar 16, 2021
10 changes: 5 additions & 5 deletions README.md
Expand Up @@ -10,10 +10,10 @@ Terraform resources to deploy Tier 0, 1, and 2, and the components of a [SACA hu
az login
```

1. [Prepare the Terraform provider cache](#Prepare-the-Terraform-provider-cache)
1. [Configure the Terraform Backend](#Configure-the-Terraform-Backend)
1. [Set Terraform Configuration Variables](#Set-Terraform-Configuration-Variables)
1. [Deploy Terraform Configuration](#Deploy-Terraform-Configuration)
2. [Prepare the Terraform provider cache](#Prepare-the-Terraform-provider-cache)
3. [Configure the Terraform Backend](#Configure-the-Terraform-Backend)
4. [Set Terraform Configuration Variables](#Set-Terraform-Configuration-Variables)
5. [Deploy Terraform Configuration](#Deploy-Terraform-Configuration)

### Prepare the Terraform provider cache

Expand Down Expand Up @@ -50,7 +50,7 @@ The MLZ deployment architecture uses a single Service Principal whose credential
mlz_config_location="eastus"
```

1. Run `mlz_tf_setup.sh` at [scripts/mlz_tf_setup.sh](scripts/mlz_tf_setup.sh) to create:
2. Run `mlz_tf_setup.sh` at [scripts/mlz_tf_setup.sh](scripts/mlz_tf_setup.sh) to create:

- A config Resource Group to store the Key Vault
- Resource Groups for each tier to store the Terraform state Storage Account
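Review bot: the bullet list of what `mlz_tf_setup.sh` creates is now incomplete, because this PR changes `scripts/config/mlz_config_create.sh` so that the Service Principal also receives a Contributor role assignment on every unique `*_subid` subscription found in the config. That should be documented here, together with the consequence that the identity running the script needs `Microsoft.Authorization/roleAssignments/write` (Owner or User Access Administrator) on each of those subscriptions, not just Contributor. Please also confirm that `scripts/mlz_tf_setup.sh` is still the entry point a user runs, since the script being changed lives under `scripts/config/`.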
55 changes: 40 additions & 15 deletions scripts/config/mlz_config_create.sh
Expand Up @@ -20,7 +20,7 @@ usage() {
error_log "usage: mlz_config_create.sh <mlz config>"
}

if [[ "$#" -lt 3 ]]; then
if [[ "$#" -lt 1 ]]; then
usage
exit 1
fi
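Review bot: the argument count check now matches the single-argument usage string, but nothing verifies that `${1}` is a readable file before it reaches `realpath "${1}"` (the context line at the top of the next hunk) and the `sed`/`grep` pipeline that builds the subscription array; with a wrong path the pipeline simply yields an empty list, and unless `set -e` is enabled further up (not visible here) the script carries on to create the Service Principal with no role assignments. Suggest adding `[[ -r "${1}" ]] || { error_log "config file not readable: ${1}"; exit 1; }` directly after this check.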
Expand All @@ -33,33 +33,58 @@ mlz_tf_cfg=$(realpath "${1}")
# generate MLZ configuration names
. "${BASH_SOURCE%/*}/generate_names.sh" "${mlz_tf_cfg}"

# Create array of unique subscription IDs
mlz_sub_pattern="mlz_.*._subid"
mlz_subs=$(< "${mlz_tf_cfg}" sed 's:#.*$::g' | grep -w "${mlz_sub_pattern}")
subs=()

for mlz_sub in $mlz_subs
do
# Grab value of variable
mlz_sub_id=$(echo "${mlz_sub#*=}" | tr -d '"')
if [[ ! "${subs[*]}" =~ ${mlz_sub_id} ]];then
subs+=("${mlz_sub_id}")
fi
done

# Create Azure AD application registration and Service Principal
echo "Verifying Service Principal is unique (${mlz_sp_name})"
if [[ -z $(az ad sp list --filter "displayName eq '${mlz_sp_name}'" --query "[].displayName" -o tsv) ]];then
echo "Service Principal does not exist...creating"
sp_pwd=$(az ad sp create-for-rbac \
--name "http://${mlz_sp_name}" \
--role Contributor \
--scopes "/subscriptions/${mlz_config_subid}" "/subscriptions/${mlz_saca_subid}" "/subscriptions/${mlz_tier0_subid}" "/subscriptions/${mlz_tier1_subid}" "/subscriptions/${mlz_tier2_subid}" \
--skip-assignment true \
--query password \
--output tsv)

# Get Service Principal AppId
sp_clientid=$(az ad sp show \
--id "http://${mlz_sp_name}" \
--query appId \
--output tsv)

# Get Service Principal ObjectId
sp_objid=$(az ad sp show \
--id "http://${mlz_sp_name}" \
--query objectId \
--output tsv)

# Assign Contributor role to Service Principal
for sub in "${subs[@]}"
do
echo "Setting Contributor role assignment for ${mlz_sp_name} on subscription ID: ${sub}"
az role assignment create \
--role Contributor \
--assignee-object-id "${sp_objid}" \
--scope "/subscriptions/${sub}" \
--assignee-principal-type ServicePrincipal \
--output none
done
else
error_log "Service Principal named ${mlz_sp_name} already exists. This must be a unique Service Principal for your use only. Try again with a new enclave name. Exiting script."
exit 1
fi

# Get Service Principal AppId
sp_clientid=$(az ad sp show \
--id "http://${mlz_sp_name}" \
--query appId \
--output tsv)

# Get Service Principal ObjectId
sp_objid=$(az ad sp show \
--id "http://${mlz_sp_name}" \
--query objectId \
--output tsv)

# Validate or create Terraform Config resource group
if [[ -z $(az group show --name "${mlz_rg_name}" --subscription "${mlz_config_subid}" --query name --output tsv) ]];then
echo "Resource Group does not exist...creating resource group ${mlz_rg_name}"
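Review bot: dropping both `--scopes` and `--skip-assignment true` from `az ad sp create-for-rbac` while keeping `--role Contributor` is a least-privilege problem: on the Azure CLI releases current at the time of this PR, a role with no scopes falls back to assigning that role on whatever subscription `az account show` currently points to, which need not be one of the `subs` entries, so the new `az role assignment create` loop is no longer the only source of assignments. Suggest keeping `--skip-assignment true` (or removing `--role` as well) so that the loop is the single, auditable place where Contributor is granted. Two smaller points in the new array code: `for mlz_sub in $mlz_subs` word-splits each matched line, so a config line written as `mlz_tier0_subid = "..."` becomes three words and `${mlz_sub#*=}` returns the wrong value, and the unanchored pattern `mlz_.*._subid` is looser than it needs to be; a `while IFS= read -r line` loop over `grep -E '^mlz_[a-z0-9]+_subid='` output would be more robust, and `[[ "${subs[*]}" =~ ${mlz_sub_id} ]]` treats the ID as a regex substring rather than an exact element match (harmless for GUIDs, but an associative array keyed by ID is the idiomatic dedup). Finally, `az role assignment create` run immediately after the principal is created can fail while the new object is still replicating in Azure AD, so a short retry around that call is worth adding, and the `az ad sp show` blocks now appear both inside the `if` and after it in this view; if the second copy is not the pre-move version being deleted, one of them is redundant.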