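#!/bin/bash
# deployResourcesProject.sh
# Provisions the Azure side of the Graph webjob: a resource group, a FREE App
# Service plan and web app with a system-assigned identity, a Key Vault holding
# the app registration's credentials, an Entra ID app registration with Graph
# application permissions, and an Azure DevOps project with two pipelines.
#
# Assumed (not checked here): a logged-in `az` session, rights to create app
# registrations and grant admin consent in the tenant, and `dig` on PATH.
#
# -e: abort on the first failing command; -u: unset variables are errors;
# -o pipefail: a failing stage fails a pipeline. -v echoes each script line as
# it is read (progress output only - values are not expanded). Do NOT switch to
# -x: that would print the expanded client secret and service-principal key to
# the terminal and into any captured log.
set -euvo pipefail
# $RANDOM (0-32767) only makes name collisions unlikely, not impossible. The
# value also feeds the Key Vault name, which must stay within 24 characters.
projectId="bccGraphWebjob-$RANDOM"
printf '\e[1;33m%s\e[0m\n' "$projectId"
location="westus"
rgName="$projectId-RG"
# NOTE: this writes the operator's persistent az config (~/.azure/config); the
# default location/group/output format stay in effect after the script exits.
az config set "defaults.location=$location" "defaults.group=$rgName" core.output=tsv extension.use_dynamic_install=yes_without_prompt --only-show-errors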
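#
# Deploy Azure Resources
#
rgId=$(az group create --name "$rgName" --query id)
appSvcName="$projectId-AppSvcFreePlan"
# Deploy WebApp Service Plan
az appservice plan create --name "$appSvcName" --sku FREE --query provisioningState --output none
webAppName="$projectId-WebApp"
# Deploy WebApp with a system-assigned managed identity.
# Least privilege: nothing in this script needs the identity to hold an ARM
# role - its only use is the Key Vault access policy set a few lines down - so
# it is deliberately NOT given `--scope "$rgId"`. With `--assign-identity`, a
# `--scope` without `--role` assigns the CLI's default role (Contributor) over
# the whole resource group, which is enough to rewrite the vault's network rules
# and access policies. Re-add `--scope "$rgId" --role <narrowest role>` only if
# the webjob itself is shown to need ARM access.
webAppManagedId=$(az webapp create -p "$appSvcName" -n "$webAppName" --assign-identity '[system]' --only-show-errors --query identity.principalId)
[[ -n "$webAppManagedId" ]] || { echo "webapp create returned no identity principalId" >&2; exit 1; }
webAppPubIPs=$(az webapp show -n "$webAppName" --query possibleOutboundIpAddresses)
[[ -n "$webAppPubIPs" ]] || { echo "no outbound IP addresses reported for $webAppName" >&2; exit 1; }
# The CLI returns the addresses comma-separated; --network-acls-ips wants one
# argument per address.
IFS=',' read -r -a webAppPubIPList <<<"$webAppPubIPs"
keyVaultName="$projectId-KV"
# Deploy KeyVault with network rule to allow access from WebApp public IPs and default action Deny.
# CAVEAT: possibleOutboundIpAddresses are the shared outbound addresses of the
# App Service scale unit (other tenants' apps can egress from them too), so the
# IP rule is coarse perimeter filtering, not isolation; the managed-identity
# access policy below is the control that actually limits who can read secrets.
az keyvault create -n "$keyVaultName" --network-acls-ips "${webAppPubIPList[@]}" --default-action Deny --output none
# Adding KeyVault policy to allow access from WebApp Managed Identity (secrets: get/list only)
az keyvault set-policy --name "$keyVaultName" --object-id "$webAppManagedId" --secret-permissions get list --output none
# Add KeyVault name as an environment variable to the WebApp
az webapp config appsettings set -n "$webAppName" --settings "KEY_VAULT_NAME=$keyVaultName" --output none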
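adAppName="$projectId-ADApp"
# Register AD App for app-only auth of the Graph Console Application.
# Single-tenant (AzureADMyOrg). NOTE(review): --is-fallback-public-client marks
# the registration as a public client, yet a client secret is issued right
# below; app-only (client-credentials) auth does not need the public-client
# flag - confirm it is really required before keeping it.
adAppId=$(az ad app create --display-name "$adAppName" --is-fallback-public-client --sign-in-audience AzureADMyOrg --query appId)
[[ -n "$adAppId" ]] || { echo "app registration returned no appId" >&2; exit 1; }
# Add password to the AD App. The secret is captured once here and only ever
# written to Key Vault; it gets the CLI's default lifetime, so plan rotation.
adAppPw=$(az ad app credential reset --id "$adAppId" --query password -o tsv --only-show-errors)
[[ -n "$adAppPw" ]] || { echo "credential reset returned no password" >&2; exit 1; }
# Add Graph API (00000003-0000-0000-c000-000000000000) permissions to the AD App
# as application permissions (=Role). These are tenant-wide: the delegated grant
# further down names the matching scopes (Files.Read.All, Files.ReadWrite.All,
# Mail.ReadWrite, Mail.Send, User.Read.All), and at application level Mail.* and
# Files.* reach every mailbox / drive in the tenant. Limit the blast radius with
# an Exchange application access policy (and site-level scoping for files)
# where the webjob's needs allow it.
graphApiId="00000003-0000-0000-c000-000000000000"
graphAppRoleIds=(
  75359482-378d-4052-8f01-80520e7db3cd
  01d4889c-1287-42c6-ac1f-5d1e02578ef6
  df021288-bdef-4463-88db-98f22de89214
  e2a3a72e-5f79-4c64-b1b1-878b674786c9
  b633e1c5-b582-4048-a93e-9f11b44c7e96
)
for roleId in "${graphAppRoleIds[@]}"; do
  az ad app permission add --id "$adAppId" --api "$graphApiId" --api-permissions "$roleId=Role" --only-show-errors
done
# Add Service Principal to the AD App
az ad sp create --id "$adAppId" --output none
# Grant (delegated) permissions to the AD App; --scope takes space-separated scopes.
az ad app permission grant --id "$adAppId" --api "$graphApiId" --scope Files.Read.All Files.ReadWrite.All Mail.ReadWrite Mail.Send User.Read.All --output none
# Admin-consent the application permissions. Consent needs a privileged
# directory role, and the freshly created service principal may take a moment
# to become visible, so retry - but bounded: the original loop retried forever,
# which hangs the deployment whenever the caller simply lacks the right to
# consent. (The original also wrote stderr to a file literally named `null`
# in the working directory instead of discarding it.)
consentAttempts=0
maxConsentAttempts=12
until az ad app permission admin-consent --id "$adAppId" 2>/dev/null; do
  consentAttempts=$((consentAttempts + 1))
  if (( consentAttempts >= maxConsentAttempts )); then
    echo "admin-consent for $adAppName failed after $maxConsentAttempts attempts (insufficient directory privileges?)" >&2
    exit 1
  fi
  sleep 5
  echo "Retrying admin-consent..."
done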
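localpubip=$(dig +short myip.opendns.com @resolver1.opendns.com)
# The vault's default action is Deny, so the operator's own public IP has to be
# allowed temporarily to write the secrets. Fail early if the lookup returned
# nothing (offline, resolver blocked): an empty --ip-address would only
# surface as a confusing CLI error.
[[ -n "$localpubip" ]] || { echo "could not determine local public IP" >&2; exit 1; }
localIpRuleAdded=""
# Safety net: the original removed the rule only on the happy path, so a
# failing `az keyvault secret set` (which aborts the script under `set -e`)
# left the operator's IP allow-listed on the vault. The EXIT trap removes it
# on every exit path; the flag keeps the removal idempotent.
removeLocalIpRule() {
  if [[ -n "$localIpRuleAdded" ]]; then
    az keyvault network-rule remove --name "$keyVaultName" --ip-address "$localpubip" --output none
    localIpRuleAdded=""
  fi
}
trap removeLocalIpRule EXIT
# Add network rule for local public ip
az keyvault network-rule add --name "$keyVaultName" --ip-address "$localpubip" --output none
localIpRuleAdded="yes"
# Add AD App ID and Password as secrets to the KeyVault.
# NOTE: --value places the secret on the az process's argv, which other local
# users can read via `ps` while the command runs; on a shared host prefer
# `--file` with a 0600 temp file.
az keyvault secret set --vault-name "$keyVaultName" --name clientId --value "$adAppId" --output none
az keyvault secret set --vault-name "$keyVaultName" --name clientSecret --value "$adAppPw" --output none
tenantId=$(az account show --query tenantId)
# Add Tenant ID as a secret to the KeyVault
az keyvault secret set --vault-name "$keyVaultName" --name tenantId --value "$tenantId" --output none
# Remove network rule for local public ip right away (the EXIT trap then becomes a no-op)
removeLocalIpRule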
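#
# Deploy DevOps Project and Pipelines
#
subsId=$(az account show --query id)
spName="$projectId-sp"
# Register Azure Service Principal for the pipelines with enough rights to
# deploy and run the webjob: Website Contributor, scoped to this resource group
# only (no subscription-wide role).
spKey=$(az ad sp create-for-rbac --name "$spName" --role "Website Contributor" --scopes "$rgId" --only-show-errors --query password)
[[ -n "$spKey" ]] || { echo "create-for-rbac returned no password" >&2; exit 1; }
# Look the appId up by display name; take the first match so that a second
# principal with the same display name cannot turn this into a multi-line value.
spClientId=$(az ad sp list --display-name "$spName" --query '[0].appId')
[[ -n "$spClientId" ]] || { echo "no service principal named $spName found" >&2; exit 1; }
subsName=$(az account show --query name)
# Adjust for your environment (or override with DEVOPS_ORG_URL in the environment).
devOpsOrgUrl="${DEVOPS_ORG_URL:-https://dev.azure.com/Better-Computing-Consulting}"
az devops configure --defaults "organization=$devOpsOrgUrl"
#az login
# The GitHub service endpoint below is created from this PAT. Export it in your
# shell rather than editing it into this file, and scope it as narrowly as the
# pipelines allow (single repository, read access).
#export AZURE_DEVOPS_EXT_GITHUB_PAT=enter-github-pat-here
# The service-principal key is handed to `az devops service-endpoint azurerm
# create` through the environment and unset again right after that call so no
# later child process inherits it.
export AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY="$spKey"
# Create Azure DevOps project
az devops project create --name "$projectId" --output none
# Create AzureRM service endpoint
azRMSvcId=$(az devops service-endpoint azurerm create --azure-rm-service-principal-id "$spClientId" \
  --azure-rm-subscription-id "$subsId" --azure-rm-subscription-name "$subsName" --azure-rm-tenant-id "$tenantId" \
  --name AzureServiceConnection --project "$projectId" --query id)
unset AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY
# Enable AzureRM service endpoint for all pipelines.
# CAVEAT: --enable-for-all lets every pipeline in the project, including any
# added later, deploy as this service principal; if the project will ever hold
# more than these two pipelines, authorise the connection per pipeline instead.
az devops service-endpoint update --id "$azRMSvcId" --enable-for-all true --project "$projectId" --output none
# Create GitHub service endpoint
gitHubSvcId=$(az devops service-endpoint github create --github-url https://github.com/ --name GitHubService --project "$projectId" --query id)
# Enable Github service endpoint for all pipelines (same caveat as above).
az devops service-endpoint update --id "$gitHubSvcId" --enable-for-all true --project "$projectId" --output none
# Adjust for your environment (or override with PIPELINES_REPO in the environment).
pipelinesRepo="${PIPELINES_REPO:-https://github.com/Better-Computing-Consulting/microsoft-graph-api-excel-emailer-webjob}"
# Create one pipeline from a YAML file in $pipelinesRepo, print its build URL,
# and give it the WebAppName / ResGrpName variables both pipelines expect.
# Arguments: $1 - pipeline name, $2 - path of the YAML file in the repository.
createPipeline() {
  local name="$1" ymlPath="$2" id
  id=$(az pipelines create --name "$name" --project "$projectId" --repository "$pipelinesRepo" --branch master \
    --yml-path "$ymlPath" --skip-first-run true --service-connection "$gitHubSvcId" --only-show-errors --query id)
  printf '\e[1;33m%s/%s/_build?definitionId=%s\e[0m\n' "$devOpsOrgUrl" "$projectId" "$id"
  az pipelines variable create --name WebAppName --value "$webAppName" --project "$projectId" --pipeline-id "$id" --output none
  az pipelines variable create --name ResGrpName --value "$rgName" --project "$projectId" --pipeline-id "$id" --output none
}
# Create BuildDeploy Pipeline
createPipeline BuildDeployPipeline azure-pipelines.yml
# Create CronRun Pipeline
createPipeline CronRunPipeline cron-pipeline.yml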