<#
.SYNOPSIS
Setup OIDC between GitHub and Microsoft Azure.
.NOTES
Version: 1.0
Author: Sam De Wolf
Creation Date: 9 January 2022
.EXAMPLE
PS C:\>setup-githubAzureOIDC.ps1
#>
# region Functions
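function New-AzureAdAppReg {
    <#
    .SYNOPSIS
    Create an Azure AD application registration that GitHub Actions can use through OpenID Connect.
    .DESCRIPTION
    Runs the following steps through the Azure CLI (az) and the GitHub CLI (gh); both must
    already be logged in and `az account set` must point at the target subscription:
      1. create the application registration and a service principal for it,
      2. assign ROLE (default: contributor) to the service principal on SCOPE
         (default: the whole current subscription),
      3. add OWNER as owner of the application registration,
      4. create three federated identity credentials that trust GitHub's token issuer for the
         main branch, pull requests and the "Production" environment of GH_REPO,
      5. store AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID and AZURE_TENANT_ID as GH_REPO secrets.
    Native commands never raise PowerShell exceptions, so every step is checked through
    $LASTEXITCODE (and, where an id is expected, through the returned value). A failure is
    thrown, reported by the catch block and terminates the script with exit code 1.
    .PARAMETER APP_NAME
    Display name of the application registration.
    .PARAMETER GH_REPO
    GitHub repository in "owner/name" form; used in the federated credential subjects and for `gh secret set`.
    .PARAMETER OWNER
    User to add as owner of the application registration (as accepted by `az ad user show --id`).
    .PARAMETER TENANT_ID
    Azure AD tenant id; only written to the AZURE_TENANT_ID repository secret.
    .PARAMETER ROLE
    Azure RBAC role assigned to the service principal. Defaults to contributor, the original behaviour.
    .PARAMETER SCOPE
    Resource id the role assignment is scoped to (for example a resource group). When empty the
    role is granted on the whole current subscription, which is far wider than most pipelines need.
    .OUTPUTS
    None. Progress and the resulting ids are written to the host.
    #>
    [cmdletbinding()]
    param (
        [Parameter(Mandatory = $true, HelpMessage = "The name of the application registration")]
        [ValidateNotNullOrEmpty()]
        [string]
        $APP_NAME,
        [Parameter(Mandatory = $true, HelpMessage = "The name of the GitHub repository")]
        [ValidateNotNullOrEmpty()]
        [string]
        $GH_REPO,
        [Parameter(Mandatory = $true, HelpMessage = "The name of the User that needs to be set as owner on the application registration")]
        [ValidateNotNullOrEmpty()]
        [string]
        $OWNER,
        [Parameter(Mandatory = $true, HelpMessage = "The Id of the Azure Active Directory tenant")]
        [ValidateNotNullOrEmpty()]
        [string]
        $TENANT_ID,
        [Parameter(Mandatory = $false, HelpMessage = "The Azure RBAC role assigned to the service principal")]
        [ValidateNotNullOrEmpty()]
        [string]
        $ROLE = 'contributor',
        [Parameter(Mandatory = $false, HelpMessage = "Scope (resource id) of the role assignment; empty = whole subscription")]
        [string]
        $SCOPE = ''
    )

    # Runs `az` with the given arguments and expects a single non-empty value on stdout.
    # Throws when az exits non-zero or prints nothing, so an empty id can never be passed
    # on to the next step (e.g. a role assignment for an empty assignee).
    function Invoke-AzValue {
        param (
            [string] $Step,
            [string[]] $Arguments
        )
        $value = & az @Arguments
        if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace("$value")) {
            throw "$Step failed (az exit code $LASTEXITCODE)."
        }
        return "$value".Trim()
    }

    # Runs `az` for its side effect only and throws on a non-zero exit code.
    function Invoke-AzCommand {
        param (
            [string] $Step,
            [string[]] $Arguments
        )
        & az @Arguments
        if ($LASTEXITCODE -ne 0) {
            throw "$Step failed (az exit code $LASTEXITCODE)."
        }
    }

    try {
        Write-Host "Creating Azure Active Directory application $APP_NAME..." -ForegroundColor Green
        $APP_ID = Invoke-AzValue -Step 'Creating application' -Arguments @(
            'ad', 'app', 'create', '--display-name', $APP_NAME, '--query', 'appId', '-o', 'tsv')
        # wait for AAD app to be created or the script will fail (directory replication delay)
        Start-Sleep -Seconds 5
        Write-Host "APP_ID: $APP_ID created.`n" -ForegroundColor Yellow

        # `objectId || id`: older az versions (AAD Graph) return objectId, newer ones
        # (Microsoft Graph) return id; the JMESPath "or" picks whichever is present.
        Write-Host "Creating Service Principal..." -ForegroundColor Green
        $SP_ID = Invoke-AzValue -Step 'Creating service principal' -Arguments @(
            'ad', 'sp', 'create', '--id', $APP_ID, '--query', 'objectId || id', '-o', 'tsv')
        Start-Sleep -Seconds 5
        Write-Host "SPN_ID: $SP_ID created.`n" -ForegroundColor Yellow

        Write-Host "Getting Azure Subscription Id..." -ForegroundColor Green
        $SUB_ID = Invoke-AzValue -Step 'Reading current subscription' -Arguments @(
            'account', 'show', '--query', 'id', '-o', 'tsv')
        Write-Host "SUB_ID: $SUB_ID.`n" -ForegroundColor Yellow

        # Without -SCOPE the assignment covers the whole subscription; prefer a resource
        # group scope where the pipeline only deploys into one.
        $roleArguments = @('role', 'assignment', 'create', '--role', $ROLE,
            '--assignee-object-id', $SP_ID, '--assignee-principal-type', 'ServicePrincipal')
        if ([string]::IsNullOrWhiteSpace($SCOPE)) {
            $roleArguments += @('--subscription', $SUB_ID)
            Write-Host "Assign $ROLE role to $SP_ID (SPN) on $SUB_ID (Subscription)..." -ForegroundColor Green
        }
        else {
            $roleArguments += @('--scope', $SCOPE)
            Write-Host "Assign $ROLE role to $SP_ID (SPN) on $SCOPE..." -ForegroundColor Green
        }
        Invoke-AzCommand -Step 'Creating role assignment' -Arguments $roleArguments

        $APP_OBJ_ID = Invoke-AzValue -Step 'Reading application object id' -Arguments @(
            'ad', 'app', 'show', '--id', $APP_ID, '--query', 'objectId || id', '-o', 'tsv')
        Write-Host "APP_OBJECT_ID: $APP_OBJ_ID`n" -ForegroundColor Yellow

        Write-Host "Set Owner on application registration..." -ForegroundColor Green
        $USER_OBJ_ID = Invoke-AzValue -Step "Resolving owner $OWNER" -Arguments @(
            'ad', 'user', 'show', '--id', $OWNER, '--query', 'objectId || id', '--out', 'tsv')
        Invoke-AzCommand -Step 'Adding application owner' -Arguments @(
            'ad', 'app', 'owner', 'add', '--id', $APP_OBJ_ID, '--owner-object-id', $USER_OBJ_ID)

        Write-Host "Creating federated Identity Credential..." -ForegroundColor Green
        $issuer = 'https://token.actions.githubusercontent.com'
        $ficUri = "https://graph.microsoft.com/beta/applications/${APP_OBJ_ID}/federatedIdentityCredentials"
        # Each subject must equal the "sub" claim GitHub puts in the workflow token; the
        # pull-request event is spelled "pull_request" (underscore) in that claim, so the
        # hyphenated form would create a credential that never matches.
        $credentials = @(
            @{ name = 'refpathfic'; subject = "repo:${GH_REPO}:ref:refs/heads/main"; description = 'main' },
            @{ name = 'prfic'; subject = "repo:${GH_REPO}:pull_request"; description = 'pr' },
            @{ name = 'envfic'; subject = "repo:${GH_REPO}:environment:Production"; description = 'Environment Production' }
        )
        foreach ($fic in $credentials) {
            # single-quoted JSON is kept on purpose: az accepts it and it sidesteps the
            # double-quote mangling PowerShell applies to native command arguments
            $body = "{'name':'$($fic.name)','issuer':'$issuer','subject':'$($fic.subject)','description':'$($fic.description)','audiences':['api://AzureADTokenExchange']}"
            Invoke-AzCommand -Step "Creating federated credential $($fic.name)" -Arguments @(
                'rest', '--method', 'POST', '--uri', $ficUri, '--body', $body)
        }

        Write-Host "Creating GitHub repository secrets...`n" -ForegroundColor Green
        Write-Host AZURE_CLIENT_ID=$APP_ID
        Write-Host AZURE_SUBSCRIPTION_ID=$SUB_ID
        Write-Host AZURE_TENANT_ID=$TENANT_ID
        Write-Host "Creating GitHub secrets...`n" -ForegroundColor Green
        $secrets = [ordered]@{
            AZURE_CLIENT_ID       = $APP_ID
            AZURE_SUBSCRIPTION_ID = $SUB_ID
            AZURE_TENANT_ID       = $TENANT_ID
        }
        foreach ($name in $secrets.Keys) {
            gh secret set $name --body=$($secrets[$name]) --repo $GH_REPO
            if ($LASTEXITCODE -ne 0) {
                throw "Setting GitHub secret $name failed (gh exit code $LASTEXITCODE)."
            }
        }
        Write-Host "GitHub $GH_REPO secrets...`n" -ForegroundColor Yellow
        $GH_REPO_SECRETS = $(gh secret list --repo $GH_REPO)
        Write-Host $GH_REPO_SECRETS
    }
    catch {
        Write-Host "An error occurred - $($_.Exception.Message)" -ForegroundColor Red
        # non-zero code so callers and CI notice; a bare `exit` would report success
        exit 1
    }
}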
# endregion Functions
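## -----Variables Section Start ----- ##
$APP_NAME = '<replace-me>'
$GH_REPO = 'dewolfs/github-oidc-azure'
$OWNER = '<replace-me>'
$TENANT_ID = '<replace-me>'
$SUB_ID = '<replace-me>'
## -----Variables Section End ----- ##

# Refuse to run while any value above is still the placeholder: otherwise `az account set`
# fails and the placeholder text would end up in the GitHub secrets.
$placeholder = '<replace-me>'
$unset = @('APP_NAME', 'GH_REPO', 'OWNER', 'TENANT_ID', 'SUB_ID') |
    Where-Object { (Get-Variable -Name $_ -ValueOnly) -eq $placeholder }
if ($unset) {
    Write-Host "Please fill in the Variables Section first: $($unset -join ', ')" -ForegroundColor Red
    exit 1
}

Write-Host "Make sure you are logged in to Azure CLI and GitHub CLI...`n`n" -ForegroundColor Green
Write-Host "Using the Azure AD Tenant: $TENANT_ID`n" -ForegroundColor Yellow

# az is a native command: its failure does not stop the script by itself, so check the exit code
az account set --subscription $SUB_ID
if ($LASTEXITCODE -ne 0) {
    Write-Host "Could not select subscription $SUB_ID (az exit code $LASTEXITCODE). Are you logged in?" -ForegroundColor Red
    exit 1
}

# The subscription must live in the tenant that is written to the AZURE_TENANT_ID secret,
# otherwise the workflow login will fail later with a hard-to-diagnose error.
$activeTenant = az account show --query tenantId -o tsv
if ($LASTEXITCODE -ne 0 -or "$activeTenant".Trim() -ne $TENANT_ID) {
    Write-Host "Subscription $SUB_ID belongs to tenant '$activeTenant', not to $TENANT_ID." -ForegroundColor Red
    exit 1
}

Write-Host "Applying changes to Azure Subscription ID: $SUB_ID`n" -ForegroundColor Yellow
Write-Host "Start setup OpenID Connect between GitHub and Azure...`n`
- Creating Azure AD Application Registration with name <$APP_NAME>`n`
- Configuring the GitHub repository <$GH_REPO>`n" -ForegroundColor Green

New-AzureAdAppReg -APP_NAME $APP_NAME -GH_REPO $GH_REPO -TENANT_ID $TENANT_ID -OWNER $OWNER
Write-Host "Script ended..." -ForegroundColor Green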