Merge pull request #270 from aztfmod/bootstrap_multisub

Add multisubscription in rover bootstrap for github workflows
aztfmod · Jul 1, 2022 · 76fdabd · 76fdabd
2 parents 15a70ae + 3d29955
commit 76fdabd
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 8 deletions.
diff --git a/scripts/lib/azure_ad.sh b/scripts/lib/azure_ad.sh
@@ -70,11 +70,13 @@ function create_federated_credentials {
   cred=$(az rest --uri "https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials" --query "value[?name=='${1}'].{name:name}[0]" -o tsv)
 
   if [ -z "${cred}" ]; then
-    echo "Adding federated credential to ${app_object_id} with 'name':'${1}','subject':'${2}','description':'${3}'"
+    info "Adding federated credential to ${app_object_id} with 'name':'${1}','subject':'${2}','description':'${3}'"
 
     az rest --method POST \
       --uri "https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials" \
       --body "{'name':'${1}','issuer':'https://token.actions.githubusercontent.com','subject':'${2}','description':'${3}','audiences':['api://AzureADTokenExchange']}"
+  else
+    information "Federated tokens up-to-date for '${2}'."
   fi
 
 }
diff --git a/scripts/lib/bootstrap.sh b/scripts/lib/bootstrap.sh
@@ -23,9 +23,9 @@ bootstrap() {
 
   process_gitops_agent_pool ${gitops_agent_pool_type}
 
-  if [ ! -z ${bootstrap_scenario_file} ]; then
+  if [ ! -z ${bootstrap_script} ]; then
     register_rover_context
-    ${bootstrap_scenario_file} "GITOPS_SERVER_URL=${GITOPS_SERVER_URL}" "RUNNER_NUMBERS=${gitops_number_runners}" "AGENT_TOKEN=${AGENT_TOKEN}" "gitops_agent=${gitops_agent_pool_type}" "ROVER_AGENT_DOCKER_IMAGE=${ROVER_AGENT_DOCKER_IMAGE}"
+    ${bootstrap_script} "topology_file=${caf_ignite_playbook}" "GITOPS_SERVER_URL=${GITOPS_SERVER_URL}" "RUNNER_NUMBERS=${gitops_number_runners}" "AGENT_TOKEN=${AGENT_TOKEN}" "gitops_agent=${gitops_agent_pool_type}" "ROVER_AGENT_DOCKER_IMAGE=${ROVER_AGENT_DOCKER_IMAGE}" "AZURE_OBJECT_ID=${app_object_id}" "subscription_deployment_mode=${subscription_deployment_mode}" "sub_management=${sub_management}" "sub_connectivity=${sub_connectivity}" "sub_identity=${sub_identity}" "sub_security=${sub_security}"
   fi
 
 }
@@ -53,6 +53,7 @@ assert_gitops_session() {
   case "${1}" in
     "github")
       GITOPS_SERVER_URL=${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}
+      AGENT_TOKEN=$(gh api --method POST -H "Accept: application/vnd.github.v3+json" /repos/${GITHUB_REPOSITORY}/actions/runners/registration-token | jq -r .token)
       check_github_session
       ;;
     "tfcloud")
@@ -111,8 +112,19 @@ register_rover_context() {
   register_gitops_secret ${gitops_pipelines} "CAF_TERRAFORM_LZ_URL" ${GIT_URL}
   register_gitops_secret ${gitops_pipelines} "CAF_GITOPS_TERRAFORM_BACKEND_TYPE" ${gitops_terraform_backend_type}
   register_gitops_secret ${gitops_pipelines} "CAF_BACKEND_TYPE_HYBRID" ${backend_type_hybrid}
-  register_gitops_secret ${gitops_pipelines} "AZURE_MANAGEMENT_SUBSCRIPTION_ID" ${TF_VAR_tfstate_subscription_id}
-  register_gitops_secret ${gitops_pipelines} "ARM_USE_OIDC" true
+  register_gitops_secret ${gitops_pipelines} "RUNNER_REGISTRATION_TOKEN" ${AGENT_TOKEN}
+  register_gitops_secret ${gitops_pipelines} "RUNNER_NUMBERS" ${gitops_number_runners}
+
+  if [ ! -z ${ARM_USE_OIDC} ]; then
+    register_gitops_secret ${gitops_pipelines} "ARM_USE_OIDC" ${ARM_USE_OIDC}
+  fi
+
+  if [ "${subscription_deployment_mode}" = "multi_subscriptions" ]; then
+    register_gitops_secret ${gitops_pipelines} "AZURE_MANAGEMENT_SUBSCRIPTION_ID" ${sub_management}
+    register_gitops_secret ${gitops_pipelines} "AZURE_CONNECTIVITY_SUBSCRIPTION_ID" ${sub_connectivity}
+    register_gitops_secret ${gitops_pipelines} "AZURE_IDENTITY_SUBSCRIPTION_ID" ${sub_identity}
+    register_gitops_secret ${gitops_pipelines} "AZURE_SECURITY_SUBSCRIPTION_ID" ${sub_security}
+  fi
 
 }
 
@@ -152,6 +164,7 @@ create_gitops_federated_credentials() {
     "github")
       debug "github"
       create_federated_credentials "github-${git_project}-pull_request" "repo:${git_org_project}:pull_request" "${2}"
+      create_federated_credentials "github-${git_project}-refs-heads-bootstrap" "repo:${git_org_project}:ref:refs/heads/bootstrap" "${2}"
       ;;
     *)
       echo "Create a federated secret not supported yet for ${1}. You can submit a pull request"

diff --git a/scripts/rover.sh b/scripts/rover.sh
@@ -133,7 +133,7 @@ while (( "$#" )); do
             shift 1
             export caf_command="ignite"
             ;;
-        --playbook)
+        --playbook | -playbook)
             export caf_ignite_playbook=${2}
             shift 2
             ;;
@@ -266,8 +266,8 @@ while (( "$#" )); do
                 export caf_command="bootstrap"
                 shift 1
                 ;;
-        -bootstrap-scenario-file)
-                export bootstrap_scenario_file=${2}
+        -bootstrap-scenario-file | -bootstrap-script)
+                export bootstrap_script=${2}
                 shift 2
                 ;;
         -aad-app-name)
@@ -309,6 +309,30 @@ while (( "$#" )); do
                 export gitops_agent_pool_id=${2}
                 shift 2
                 ;;
+        -subscription-deployment-mode)
+                export subscription_deployment_mode=${2}
+                shift 2
+                ;;
+        -sub-management)
+                export sub_management=${2}
+                shift 2
+                ;;
+        -sub-connectivity)
+                export sub_connectivity=${2}
+                shift 2
+                ;;
+        -sub-identity)
+                export sub_identity=${2}
+                shift 2
+                ;;
+        -sub-security)
+                export sub_security=${2}
+                shift 2
+                ;;
+        -arm_use_oidc)
+                export ARM_USE_OIDC=true
+                shift 1
+                ;;
         *) # preserve positional arguments
                 PARAMS+="${1} "
                 shift