Updates for multisub bootstrap

scripts/lib/azure_ad.sh

@@ -31,46 +31,63 @@ create_federated_identity() {
     success " - service principal created."
 
     if [ "${sp}" = '' ]; then
-      information "Failed to create the app and sp. retrying"
-      sleep 5
-      create_federated_identity ${appName}
+      information "Failed to create the app and sp. Check your permissions."
+      exit 1
     fi
 
-    app_object_id=$(echo ${app} | jq -r ".id")
-    client_id=$(echo ${sp} | jq -r ".appId")
-    object_id=$(echo ${sp} | jq -r ".id")
+    export app_object_id=$(echo ${app} | jq -r ".id")
+    sp_client_id=$(echo ${sp} | jq -r ".appId")
+    sp_object_id=$(echo ${sp} | jq -r ".id")
 
-    register_gitops_secret ${gitops_pipelines} "AZURE_CLIENT_ID" ${client_id}
-    register_gitops_secret ${gitops_pipelines} "AZURE_OBJECT_ID" ${object_id}
-    register_gitops_secret ${gitops_pipelines} "AZURE_TENANT_ID" ${tenant_id}
+    if [ ! -z  ${gitops_pipelines} ]; then
+      register_gitops_secret ${gitops_pipelines} "AZURE_CLIENT_ID" ${sp_client_id}
+      register_gitops_secret ${gitops_pipelines} "AZURE_OBJECT_ID" ${app_object_id}
+      register_gitops_secret ${gitops_pipelines} "AZURE_TENANT_ID" ${tenant_id}
+    fi
 
   else
     success " - application already created."
     success " - service principal already created."
-  fi
 
+    app=$(az ad app list --filter "displayname eq '${appName}'" -o json --only-show-errors) && debug "app: ${app}"
+    sp=$(az ad sp list --filter "DisplayName eq '${appName}'" --only-show-errors) && debug "sp: ${sp}"
+    export app_object_id=$(echo ${app} | jq -r ".[0].id")
+    sp_client_id=$(echo ${app} | jq -r ".[0].appId")
+    sp_object_id=$(echo ${sp} | jq -r ".[0].id")
 
-  app=$(az ad app list --filter "displayname eq '${appName}'" -o json --only-show-errors)
-  sp=$(az ad sp list --filter "DisplayName eq '${appName}'" --only-show-errors)
-  export app_object_id=$(echo ${app} | jq -r ".[0].id")
-  create_gitops_federated_credentials ${gitops_pipelines} ${appName}
 
-  az role assignment create \
-    --role "Owner" \
-    --assignee-object-id $(echo ${sp} | jq -r ".[0].id") \
-    --assignee-principal-type ServicePrincipal \
-    --scope /subscriptions/${TF_VAR_tfstate_subscription_id} \
-    --only-show-errors
+    if [ ! -z  ${gitops_pipelines} ]; then
+      register_gitops_secret ${gitops_pipelines} "AZURE_CLIENT_ID" ${sp_client_id}
+      register_gitops_secret ${gitops_pipelines} "AZURE_OBJECT_ID" ${app_object_id}
+      register_gitops_secret ${gitops_pipelines} "AZURE_TENANT_ID" ${tenant_id}
+    fi
+
+    fi
 
+  if [ ! -z  ${gitops_pipelines} ]; then
+    create_gitops_federated_credentials ${gitops_pipelines} ${appName}
+
+    scope="/subscriptions/${sub_management:=$(az account show --query id -o tsv)}"
+    information "Granting Reader role to ${appName} on ${scope}"
+    az role assignment create \
+      --role "Reader" \
+      --assignee-object-id ${sp_object_id} \
+      --assignee-principal-type ServicePrincipal \
+      --scope ${scope} \
+      --only-show-errors
+  fi
 }
 
 
 function create_federated_credentials {
 
-  cred=$(az rest --uri "https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials" --query "value[?name=='${1}'].{name:name}[0]" -o tsv)
+  debug "az rest --uri \"https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials\" --query \"value[?name==\'${1}\'].{name:name}[0]\" -o json"
+
+  cred=$(az rest --uri "https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials" --query "value[?name=='${1}'].{name:name}[0]" -o json | jq -r .name)
+  debug "value is '${cred}'"
 
-  if [ -z "${cred}" ]; then
-    info "Adding federated credential to ${app_object_id} with 'name':'${1}','subject':'${2}','description':'${3}'"
+  if [ "${cred}" = '' ]; then
+    information "Adding federated credential to ${app_object_id} with 'name':'${1}','subject':'${2}','description':'${3}'"
 
     az rest --method POST \
       --uri "https://graph.microsoft.com/beta/applications/${app_object_id}/federatedIdentityCredentials" \

scripts/lib/bootstrap.sh

@@ -21,13 +21,16 @@ bootstrap() {
     create_federated_identity ${aad_app_name}
   fi
 
-  process_gitops_agent_pool ${gitops_agent_pool_type}
+  if [ ! -z ${gitops_pipelines} ]; then
+    process_gitops_agent_pool ${gitops_agent_pool_type}
+  fi
 
   if [ ! -z ${bootstrap_script} ]; then
     register_rover_context
-    ${bootstrap_script} "topology_file=${caf_ignite_playbook}" "GITOPS_SERVER_URL=${GITOPS_SERVER_URL}" "RUNNER_NUMBERS=${gitops_number_runners}" "AGENT_TOKEN=${AGENT_TOKEN}" "gitops_agent=${gitops_agent_pool_type}" "ROVER_AGENT_DOCKER_IMAGE=${ROVER_AGENT_DOCKER_IMAGE}" "AZURE_OBJECT_ID=${app_object_id}" "subscription_deployment_mode=${subscription_deployment_mode}" "sub_management=${sub_management}" "sub_connectivity=${sub_connectivity}" "sub_identity=${sub_identity}" "sub_security=${sub_security}"
+    ${bootstrap_script} "topology_file=${caf_ignite_playbook}" "GITOPS_SERVER_URL=${GITOPS_SERVER_URL}" "RUNNER_NUMBERS=${gitops_number_runners}" "AGENT_TOKEN=${AGENT_TOKEN}" "gitops_agent=${gitops_agent_pool_type}" "ROVER_AGENT_DOCKER_IMAGE=${ROVER_AGENT_DOCKER_IMAGE}" "AZURE_OBJECT_ID=${app_object_id}" "subscription_deployment_mode=${subscription_deployment_mode}" "sub_management=${sub_management}" "sub_connectivity=${sub_connectivity}" "sub_identity=${sub_identity}" "sub_security=${sub_security}" "gitops_pipelines=${gitops_pipelines}"
   fi
 
+  information "Done."
 }
 
 assert_sessions() {
@@ -69,7 +72,7 @@ assert_gitops_session() {
 
 
 process_gitops_agent_pool() {
-  information "@call process_gitops_agent_pool"
+  information "@call process_gitops_agent_pool for ${1}"
 
   case "${1}" in
     "github")

scripts/rover.sh

@@ -44,7 +44,6 @@ export TF_IN_AUTOMATION="true" #Overriden in logger if log-severity is passed in
 export TF_VAR_tf_cloud_organization=${TF_CLOUD_ORGANIZATION}
 export TF_VAR_tf_cloud_hostname=${TF_CLOUD_HOSTNAME:="app.terraform.io"}
 export REMOTE_credential_path_json=${REMOTE_credential_path_json:="$(echo ~)/.terraform.d/credentials.tfrc.json"}
-export gitops_pipelines="github"
 export gitops_terraform_backend_type=${TF_VAR_backend_type:="azurerm"}
 export gitops_agent_pool_type=${GITOPS_AGENT_POOL_TYPE:="github"}
 export gitops_agent_pool_name=${GITOPS_AGENT_POOL_NAME}