From 64c9979f9c2dc64eb3a2304e9530ec4437980756 Mon Sep 17 00:00:00 2001
From: Harvey Bendana
Date: Tue, 10 May 2022 18:08:07 -0700
Subject: [PATCH] add password credential workflow to Service principal creation. fix type in cosmosdb name

---
 bicep/main.bicep | 27 +++++++++------------
 deploy.ps1 | 62 ++++++++++++++++++++---------------------
 deployParams.json | 4 ---
 3 files changed, 38 insertions(+), 55 deletions(-)
 delete mode 100644 deployParams.json

diff --git a/bicep/main.bicep b/bicep/main.bicep
index 7f61832..c74a7b3 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -1,18 +1,15 @@
 // Global parameters
 targetScope = 'subscription'
 
+@description('guid used for naming all resources')
+param guid string = newGuid()
+
 @description('location for all resources')
 param location string = deployment().location
 
-@minLength(4)
-@maxLength(30)
-@description('string used for naming all resources')
-param name string
-
 @description('contributor role definition ID')
 param roleId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
 
-@secure()
 @description('key vault SPN ID secret')
 param spnIdValue string
 
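Review bot: `param guid string = newGuid()` makes every resource name depend on a value that is regenerated on each run, so a second `New-AzSubscriptionDeployment` of this template provisions a fresh `ipam-rg-…`, key vault and Cosmos account next to the first instead of updating them. If idempotent redeploys are wanted, derive the suffix from something stable (a caller-supplied seed, or `uniqueString(subscription().id)`) and say so on the parameter: `@description('seed for uniqueString() resource naming; pass the same value to redeploy into the existing resources')`. Dropping `@secure()` from `spnIdValue` means the value is now kept in deployment history; that is acceptable for an application (client) ID, but the description should state that it is an identifier rather than a secret so nobody restores the decorator by reflex or, worse, passes a secret through it. The decorators of `spnSecretValue` lie outside this hunk, so whether it is still `@secure()` cannot be confirmed here.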
@@ -21,15 +18,15 @@ param spnIdValue string
 param spnSecretValue string
 
 // Naming variables
-var appServicePlanName = '${name}-asp'
-var containerRegistryName = '${name}cr'
-var cosmosAccountName = '${name}-dbaccount'
-var cosmosDbContainerName = '${name}-dbcontainer'
-var cosmosDbName = '${name}-db'
-var keyVaultName = '${name}-kv'
-var managedIdentityName = '${name}-mi'
-var resourceGroupName = '${name}-rg'
-var websiteName = '${name}-service'
+var appServicePlanName = 'ipam-asp-${uniqueString(guid)}'
+var containerRegistryName = 'ipamcr${uniqueString(guid)}'
+var cosmosAccountName = 'ipam-dbacct-${uniqueString(guid)}'
+var cosmosDbContainerName = 'ipam-dbcntnr-${uniqueString(guid)}'
+var cosmosDbName = 'ipam-db-${uniqueString(guid)}'
+var keyVaultName = 'ipam-kv-${uniqueString(guid)}'
+var managedIdentityName = 'ipam-mi-${uniqueString(guid)}'
+var resourceGroupName = 'ipam-rg-${uniqueString(guid)}'
+var websiteName = 'ipam-${uniqueString(guid)}'
 
 //Resource group
 resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
diff --git a/deploy.ps1 b/deploy.ps1
index 50174c3..4fcf430 100644
--- a/deploy.ps1
+++ b/deploy.ps1
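Review bot: `uniqueString(guid)` is spelled out in nine separate `var` lines, so any change to the naming scheme has to be repeated nine times; hoisting it once, `var suffix = uniqueString(guid)` followed by `var appServicePlanName = 'ipam-asp-${suffix}'` and so on, keeps the names provably consistent and easier to audit. The fixed `ipam` prefixes plus the 13-character `uniqueString()` result keep `keyVaultName` (21 characters) and `containerRegistryName` (19 characters, alphanumeric only) within their service name limits, which the removed `@minLength`/`@maxLength` validation on `name` only partly guarded before; a short comment above the block, `// prefixes sized so that key vault (<=24) and registry (alphanumeric, <=50) names stay valid with the 13-char suffix`, would stop the next rename from breaking them.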
@@ -5,16 +5,19 @@
 ###############################################################################################################
 # Intake and set parameters
 
+# Parameter help description
+Param(
+    [Parameter(Mandatory=$false)]
+    [string]
+    $location="westus2"
+)
 $azureSvcMgmtApiPermissions =@("41094075-9dad-400e-a0bd-54e686782033")
 $azureSvcMgmtApiPermissionsScope = "user_impersonation"
 $azureSvcMgmtAppId ="797f4846-ba00-4fd7-ba43-dac1f8f63013"
-$parameters = Get-Content ./deployParams.json | ConvertFrom-Json
-$location = $parameters.location
 $logFile = "./deploy_$(get-date -format `"yyyyMMddhhmmsstt`").log"
 $msGraphApiPermissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a", "e1fe6dd8-ba31-4d61-89e7-88639da4683d")
 $msGraphApiPermissionsScope = "Directory.Read.All User.Read"
 $msGraphAppId = "00000003-0000-0000-c000-000000000000"
-$name = $parameters.name.ToLower()
 $tenantId = (Get-AzContext).Tenant.Id
 
 # Set preference variables
@@ -31,23 +34,6 @@ else {
 }
 
 
-# Validate name parameter
-Function ValidateName
-{
-    param (
-        [ValidateLength(4,30)]
-        [ValidatePattern('^(?!-)(?!.*--)[a-z]')]
-        [parameter(Mandatory=$true)]
-        [string]
-        $Name
-    )
-
-    write-host "Name is"$Name
-
-}
-
-ValidateName $Name
-
 # Validate Location
 $validLocations = Get-AzLocation
 Function ValidateLocation {
@@ -67,11 +53,13 @@ Function ValidateLocation {
 ValidateLocation $location
 
 try {
-    # Create IPAM service principal
+    # Create IPAM service principal and assign it reader role at tenant root group level
     Write-Host "INFO: Creating Azure Service Principal" -ForegroundColor green
     Write-Verbose -Message "Creating Azure Service Principal"
     $sp = New-AzADServicePrincipal `
-        -DisplayName "$($Name)-sp"
+        -DisplayName "ipam-sp" `
+        -Scope "/providers/Microsoft.Management/managementGroups/$($tenantId)" `
+        -Role "Reader"
 }
 catch {
     $_ | Out-File -FilePath $logFile -Append
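Review bot: The `# Parameter help description` line above `Param(` is the untouched placeholder text from the editor snippet and tells the reader nothing about `$location`. Replace it either with comment-based help that `Get-Help` can surface (a `<# .SYNOPSIS … .PARAMETER location … #>` block describing the script and the region parameter), or at least with a line that states the contract, `# Azure region for all deployed resources; defaults to westus2 and is checked against Get-AzLocation by ValidateLocation below`. `param()` also has to be the first non-comment statement of a script; it is preceded here only by comment lines, so this holds as long as lines 1-4, which are outside the hunk, stay comments.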
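Review bot: `-DisplayName "ipam-sp"` is now a constant, and Azure AD does not enforce uniqueness of display names, so every re-run of the script (for example after the bicep deployment in a later hunk fails) creates another `ipam-sp` application and principal, each holding `Reader` at the tenant root management group. Consider looking the principal up first, `$existing = Get-AzADServicePrincipal -DisplayName "ipam-sp"`, and only creating when that is `$null`, or at least have the `catch` message (which lies outside this hunk) say that a partially created principal may need to be removed. Folding the role assignment into `New-AzADServicePrincipal` via `-Scope`/`-Role` also merges two failure modes: the assignment needs rights at the root management group that principal creation does not, and one error message no longer tells the operator which step failed.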
@@ -81,17 +69,20 @@ catch {
 }
 
 try {
-    # Assign reader role at tenant scope to IPAM service principal
-    Write-Host "INFO: Assigning Reader Role at Tenant Scope to Service Principal" -ForegroundColor Green
-    Write-Verbose -Message "Assigning Reader Role at Tenant Scope to Service Principal"
-    New-AzRoleAssignment `
-        -RoleDefinitionName "Reader" `
-        -ObjectId $sp.Id `
-        -Scope "/providers/Microsoft.Management/managementGroups/$($tenantId)"
+    # Generate password credential for service principal
+    Write-Host "INFO: Generating Password Credential for Service Principal" -ForegroundColor Green
+    Write-Verbose -Message "Generating Password credential for Service Principal"
+    $startDate = Get-Date
+    $endDate = (Get-Date).AddYears(2)
+    $spCred = New-AzADAppCredential `
+        -ApplicationId $sp.AppId `
+        -StartDate $startDate `
+        -EndDate $endDate
+
 }
 catch {
     $_ | Out-File -FilePath $logFile -Append
-    Write-Host "ERROR: Unable to assign Role to Service Principal due to an exception, see $logFile for detailed information!" -ForegroundColor red
+    Write-Host "ERROR: Unable to Generate Password Credential for Service Principal due to an exception, see $logFile for detailed information!" -ForegroundColor red
     exit
 }
 
@@ -132,11 +123,11 @@ catch {
 }
 
 # Instantiate Microsoft Graph service principal object
-$msGraphSp = Get-AzureADServicePrincipal `
+$msGraphSp = Get-AzADServicePrincipal `
     -ApplicationId $msGraphAppId
 
 # Instantiate Azure Service Management service principal object
-$azureSvcMgmtSp = Get-AzureADServicePrincipal `
+$azureSvcMgmtSp = Get-AzADServicePrincipal `
     -ApplicationId $azureSvcMgmtAppId
 
 # Connect to Microsoft Graph
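Review bot: If `New-AzADServicePrincipal` still generates its default password credential — the removed `$sp.PasswordCredentials.SecretText` in the deployment-parameters hunk shows the create call did so before this change — the new `New-AzADAppCredential` call leaves the application with two secrets, one of which is never recorded or used yet stays valid for its default lifetime. Either reuse that generated credential instead of minting a second one, or remove it once the new one exists, `Remove-AzADAppCredential -ApplicationId $sp.AppId -KeyId $sp.PasswordCredentials.KeyId`, and note the intent in the comment: `# the SP's auto-generated secret is discarded; only $spCred is stored in Key Vault`. Smaller point: `$endDate = (Get-Date).AddYears(2)` calls the clock a second time; `$endDate = $startDate.AddYears(2)` ties the two timestamps together and makes the two-year validity explicit where it is chosen.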
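Review bot: Replacing `Get-AzureADServicePrincipal` with `Get-AzADServicePrincipal` changes the shape of `$msGraphSp` and `$azureSvcMgmtSp`, not just the module they come from: the Az.Resources object carries the principal's object id as `Id` where the AzureAD object used `ObjectId`, and the permission collections are named differently, so every later use of these two variables (all outside this hunk) needs the same migration or it will quietly evaluate to `$null`. A one-line comment at the first assignment, `# Az.Resources (Microsoft Graph) object: object id is .Id, not .ObjectId as in the AzureAD module`, would warn readers who still expect the old property names. It is also worth checking, presumably, whether the lookup returns nothing rather than throwing when the application is absent, since nothing here guards against an empty result.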
@@ -182,10 +173,9 @@ try {
     # Deploy IPAM bicep template
     Write-Host "INFO: Deploying IPAM bicep template" -ForegroundColor green
     Write-Verbose -Message "Deploying bicep template"
-    $deploymentParameters =@{
-        'name' = $name;
-        'spnIdValue' = $sp.Id
-        'spnSecretValue' = $sp.PasswordCredentials.SecretText
+    $deploymentParameters = @{
+        'spnIdValue' = $sp.AppId
+        'spnSecretValue' = $spCred.SecretText
     }
 
     New-AzSubscriptionDeployment `
diff --git a/deployParams.json b/deployParams.json
deleted file mode 100644
index dbdb359..0000000
--- a/deployParams.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-    "name": "ipaminfra",
-    "location": "westus2"
-}
\ No newline at end of file
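Review bot: `'spnIdValue' = $sp.AppId` changes what the template receives from the principal's object id (`$sp.Id`) to the application (client) id, and none of the visible template hunks shows how `spnIdValue` is consumed; if main.bicep uses it as the `principalId` of a role assignment or Key Vault access policy, that now gets the wrong identifier, whereas storing it as the client id the IPAM app signs in with is the consistent reading. A comment on the hashtable would pin the intent: `# spnIdValue is the application (client) id the app authenticates with, not the principal object id`. Since `$spCred.SecretText` is only returned by the create call, a failed deployment here cannot be re-run with the same secret; the comment should say that a retry requires a new credential.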