Merge pull request #589 from microsoft/southworks/add/identity-resources

[#548] Create Fn tests for supported authentication types - Adapt Create and Cleanup pipelines
2022-08-30 09:04:17 -05:00 · 2022-08-30 09:04:17 -05:00 · 44f8f28239
--- a/build/yaml/cleanupResources/cleanupResources.yml
+++ b/build/yaml/cleanupResources/cleanupResources.yml
@ -316,6 +316,29 @@ stages:
                Write-Host "No pre-existing $(INTERNALSTORAGEACCOUNTNAME) resource found."
              }

+- stage: "Delete_User_Identities"
+  displayName: "Delete User Assigned Managed Identities"
+  dependsOn:
+    - Delete_App_Service_Plan_DotNet
+    - Delete_App_Service_Plan_JS
+    - Delete_App_Service_Plan_Python
+  jobs:
+    - job: "Delete"
+      displayName: "Delete steps"
+      steps:
+        - checkout: none
+        - task: AzureCLI@2
+          displayName: "Delete User Assigned Managed Identities"
+          inputs:
+            azureSubscription: $(AZURESUBSCRIPTION)
+            scriptType: pscore
+            scriptLocation: inlineScript
+            inlineScript: |
+              az identity delete -n "bffnsimplehostbotdotnetmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnsimplehostbotjsmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnechoskillbotdotnetmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnechoskillbotjsmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+
 - stage: "Delete_Shared_Resource_Group"
  displayName: "Delete Shared Resource Group"
  dependsOn:
@ -326,6 +349,7 @@ stages:
    - Delete_CosmosDB
    - Delete_Container_Registry
    - Delete_Storage_Account
+    - Delete_User_Identities
  jobs:
    - job: "Delete"
      displayName: "Delete steps"
--- a/build/yaml/sharedResources/createAppRegistrations.yml
+++ b/build/yaml/sharedResources/createAppRegistrations.yml
@ -48,7 +48,7 @@ steps:
          Invoke-WebRequest -Uri "https://login.microsoftonline.com/${{ parameters.tenantId }}/oauth2/v2.0/token" -Method "POST" -Body $body | ConvertFrom-Json
        }

-        function CreateAppRegistration($token, $appName) {
+        function CreateAppRegistration($token, $appName, $audience) {
          # Create App Registration

          $headers = @{
@ -57,7 +57,7 @@ steps:

          $body = @{
            displayName    = $appName;
-            signInAudience = "AzureADandPersonalMicrosoftAccount"
+            signInAudience = $audience;
          } | ConvertTo-Json

          $app = Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/applications" -Method "POST" -Headers $headers -Body $body -ContentType "application/json" | ConvertFrom-Json;
@ -73,6 +73,16 @@ steps:
          $app | Add-Member -MemberType NoteProperty -Name secret -Value $secret.secretText;

          $app
+
+          if ($audience -eq "AzureADMyOrg") {
+            # Create Service Principal Object
+
+            $body = @{
+                appId = $app.appId;
+            } | ConvertTo-Json
+
+            $servicePpal = Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals" -Method "POST" -Headers $headers -Body $body -ContentType "application/json" | ConvertFrom-Json;
+          }
        }

        function SaveAppRegistrationIntoKeyVault($vaultName, $bot, $app) {
@ -107,17 +117,22 @@ steps:
          @{ appName = "bffnsimplehostbotpython"; variables = @{ appId = "BffnSimpleHostBotPythonAppId"; appSecret = "BffnSimpleHostBotPythonAppSecret"; objectId = "BffnSimpleHostBotPythonAppObjectId" }},
          @{ appName = "bffnechoskillbotpython"; variables = @{ appId = "BffnEchoSkillBotPythonAppId"; appSecret = "BffnEchoSkillBotPythonAppSecret"; objectId = "BffnEchoSkillBotPythonAppObjectId" }},
          @{ appName = "bffnwaterfallhostbotpython"; variables = @{ appId = "BffnWaterfallHostBotPythonAppId"; appSecret = "BffnWaterfallHostBotPythonAppSecret"; objectId = "BffnWaterfallHostBotPythonAppObjectId" }},
-          @{ appName = "bffnwaterfallskillbotpython"; variables = @{ appId = "BffnWaterfallSkillBotPythonAppId"; appSecret = "BffnWaterfallSkillBotPythonAppSecret"; objectId = "BffnWaterfallSkillBotPythonAppObjectId" }}
+          @{ appName = "bffnwaterfallskillbotpython"; variables = @{ appId = "BffnWaterfallSkillBotPythonAppId"; appSecret = "BffnWaterfallSkillBotPythonAppSecret"; objectId = "BffnWaterfallSkillBotPythonAppObjectId" }},
+          @{ appName = "bffnsimplehostbotdotnetst"; variables = @{ appId = "BffnSimpleHostBotDotNetSTAppId"; appSecret = "BffnSimpleHostBotDotNetSTAppSecret"; objectId = "BffnSimpleHostBotDotNetSTAppObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnsimplehostbotjsst"; variables = @{ appId = "BffnSimpleHostBotJSSTAppId"; appSecret = "BffnSimpleHostBotJSSTAppSecret"; objectId = "BffnSimpleHostBotJSSTAppObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnechoskillbotdotnetst"; variables = @{ appId = "BffnEchoSkillBotDotNetSTAppId"; appSecret = "BffnEchoSkillBotDotNetSTAppSecret"; objectId = "BffnEchoSkillBotDotNetSTObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnechoskillbotjsst"; variables = @{ appId = "BffnEchoSkillBotJSSTAppId"; appSecret = "BffnEchoSkillBotJSSTAppSecret"; objectId = "BffnEchoSkillBotJSSTAppObjectId"; signInAudience = "AzureADMyOrg" }}
        )

        $token = GetToken

        foreach ($bot in $bots) {
          $botName = "$($bot.appName)${{ parameters.resourceSuffix }}"
+          $audience = $($bot.variables.signInAudience) ?? "AzureADMultipleOrgs"
          Write-Host "`n[$botName] Starting"
          Write-Host "Creating App Registration ..."
-          
-          $app = CreateAppRegistration $token $botName
+
+          $app = CreateAppRegistration $token $botName $audience
          Write-Host "
            App Registration:
              Name: $botName
--- a/build/yaml/sharedResources/createSharedResources.yml
+++ b/build/yaml/sharedResources/createSharedResources.yml
@ -253,3 +253,22 @@ stages:
          scriptType: pscore
          scriptLocation: inlineScript
          inlineScript: "az deployment group create --name $(INTERNALSTORAGEACCOUNTNAME) --resource-group $(INTERNALRESOURCEGROUPNAME) --template-file build/templates/template-storage-account-resources.json --parameters storageAccountName=$(INTERNALSTORAGEACCOUNTNAME)"
+
+- stage: Create_User_Identities
+  displayName: "Create User Assigned Managed Identities"
+  dependsOn: Create_Resource_Group
+  jobs:
+    - job: Deploy_User_Identities
+      displayName: "Deploy steps"
+      steps:
+      - task: AzureCLI@2
+        displayName: "Deploy User Assigned Managed Identities"
+        inputs:
+          azureSubscription: $(AZURESUBSCRIPTION)
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: |
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnsimplehostbotdotnetmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnsimplehostbotjsmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnechoskillbotdotnetmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnechoskillbotjsmsi$($env:RESOURCESUFFIX)"