-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathconfigureAzureWorkloadIdentity.azcli
58 lines (46 loc) · 2.43 KB
/
configureAzureWorkloadIdentity.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Initialize git repository with current code
# Your Pulumi program should be in `infra` directory
# You should have added the infra.yml workflow file in the `.github\workflows` directory
git init
git add .
git commit -m "Initialize repository with infrastructure code"
# Create a new remote private GitHub repository
gh repo create pulumi-azure-workshop-lab --private --source=. --push
# Retrieve the repository full name (org/repo)
$repositoryFullName=$(gh repo view --json nameWithOwner -q ".nameWithOwner")
# Retrieve the current subscription and current tenant identifiers
$subscriptionId=$(az account show --query "id" -o tsv)
$tenantId=$(az account show --query "tenantId" -o tsv)
# Create an App Registration and its associated service principal
$appId=$(az ad app create --display-name "GitHub Action OIDC for ${repositoryFullName}" --query "appId" -o tsv)
$servicePrincipalId=$(az ad sp create --id $appId --query "id" -o tsv)
# Assign the contributor role to the service principal on the subscription
az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $servicePrincipalId --assignee-principal-type ServicePrincipal --scope /subscriptions/$subscriptionId
# Prepare parameters for federated credentials
$parametersJson = @{
name = "FederatedIdentityForWorkshop"
issuer = "https://token.actions.githubusercontent.com"
subject = "repo:${repositoryFullName}:ref:refs/heads/main"
description = "Deployments for Pulumi workshop"
audiences = @(
"api://AzureADTokenExchange"
)
}
# Change parameters to single line string with escaped quotes to make it work with Azure CLI
# https://medium.com/medialesson/use-dynamic-json-strings-with-azure-cli-commands-in-powershell-b191eccc8e9b
$parameters = $($parametersJson | ConvertTo-Json -Depth 100 -Compress).Replace("`"", "\`"")
# Create federated credentials
az ad app federated-credential create --id $appId --parameters $parameters
# Create GitHub secrets needed for the GitHub Actions
gh secret set ARM_TENANT_ID --body $tenantId
gh secret set ARM_SUBSCRIPTION_ID --body $subscriptionId
gh secret set ARM_CLIENT_ID --body $appId
# Replace by your Pulumi token
$pulumiToken = "pul-******************"
gh secret set PULUMI_ACCESS_TOKEN --body $pulumiToken
# Run workflow
gh workflow run infra.yml
$runId=$(gh run list --workflow=infra.yml --json databaseId -q ".[0].databaseId")
gh run watch $runId
# Open the repostory in the browser
gh repo view -w