Added a JSON array parameter to the ARM template for additional principals to be granted access to the lab resources

NJLangley · NJLangley · commit 353e7f6b20d6 · 2021-09-16T22:09:37.000+01:00
diff --git a/.github/workflows/deploy.sh b/.github/workflows/deploy.sh
@@ -5,18 +5,9 @@ echo "Connection info:"
 az account show | jq '. | {tenantId: .tenantId, subscriptionName: .name, userName: .user.name, userType: .user.type}'
 echo
 
-echo "Configuring variables for secrets:"
 echo "========================================================================================================================================================================================================"
-echo
-
-# ls -a
-
-
-# # Can we run a shell script to tidy this up?
-# . ./.github/workflows/deploy_dev_test_lab.sh -?
-
-# echo "========================================================================================================================================================================================================"
 
+echo "Configuring variables for secrets:"
 
 ARTIFACT_SOURCE_NAME=$(az lab artifact-source list --resource-group $RESOURCE_GROUP \
                                                     --lab-name $LAB_NAME \
@@ -39,16 +30,16 @@ echo "Service Principal Object Id:     $SERVICEPRINCIPALID"
 
 # Build a JSON snippet with the client/app id, object id and client secret for the devops SPN. This is used by the ARM template to grant permissions on resources so that the devops SPN
 # can deploy code into them. The ARM template generates the required .runsettings file for the integration tests as an output, which reuses the devops SPN to access resources to test.
-SERVICEPRINCIPALINFO=$( echo $SERVICEPRINCIPALCREDENTIALS | jq '{ tenantId, clientId, clientSecret, $clientObjectId }' --arg 'clientObjectId' $SERVICEPRINCIPALID -c )
-
-echo "Service Principal Info:          $SERVICEPRINCIPALINFO"
+SERVICE_PRINCIPAL_INFO=$( echo $SERVICE_PRINCIPAL_CREDENTIALS | jq '{ tenantId, clientId, clientSecret, $clientObjectId }' --arg 'clientObjectId' $SERVICEPRINCIPALID -c )
+echo "Service Principal Info:          $SERVICE_PRINCIPAL_INFO"
 
 echo "Building parameters file for ARM deployment..."
 PARAMETERS_FILE="$(pwd)/azuredeploy.parameters.json"
 echo $'[ { "name":"branch", "value":"'$BRANCH_NAME'" },' \
     '  { "name":"commit", "value":"'$GITHUB_SHA'" },' \
     '  { "name":"location", "value":"UK South" },' \
-    '  { "name":"devopsServicePrincipalCredentials", "value":' $SERVICEPRINCIPALINFO ' }' \
+    '  { "name":"devopsServicePrincipalCredentials", "value":' $SERVICE_PRINCIPAL_INFO ' },' \
+    '  { "name":"additionalPrincipals", "value":' "${ADDITIONAL_PRINCIPALS:=[]}" ' }' \
     ']' \
 | jq '.' > "$PARAMETERS_FILE"
 #cat $PARAMETERS_FILE
@@ -84,20 +75,22 @@ echo "::error Error provisioning lab environment"
 exit 1
 fi
 
-echo "========================================================================================================================================================================================================"
 DEPLOYMENTOUTPUT=$(az deployment group list --resource-group $ENVIRONMENT_INSTANCE_RESOURCE_GROUP_NAME --query '[0].properties.outputs')
 
+echo "Setting Job Outputs"
+echo "========================================================================================================================================================================================================"
+
+
+# These don't show in the output, but we can view then in a yaml step as below
+#   echo "ENVIRONMENT_INSTANCE_NAME:                ${{ steps.create-devtest-labs-environment.outputs.ENVIRONMENT_INSTANCE_NAME }}"
+
 # DEBUG: Use this to get the full deployment output JSON. If the ARM template outputs a full reference to a resource, we can find the bits we need easily.
-# echo "::set-output name=DEPLOYMENTOUTPUT::$DEPLOYMENTOUTPUT"
+#echo "::set-output name=DEPLOYMENTOUTPUT::$DEPLOYMENTOUTPUT"
 
-echo "Deployment Outputs"
-#echo "::set-output name=STORAGE_ACCOUNTCONNECTION_STRING::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.storageAccountConnectionString.value')"
 echo "::set-output name=STORAGE_ACCOUNT_NAME::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.storageAccountName.value')"
 echo "::set-output name=STORAGE_CONTAINER_NAME::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.storageContainerName.value')"
 echo "::set-output name=FUNCTIONS_APP_NAME::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.functionsAppName.value')"
 echo "::set-output name=FUNCTIONS_APP_URI::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.functionsAppUri.value')"
 echo "::set-output name=KEY_VAULT_NAME::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.keyVaultName.value')"
-#echo "::set-output name=FUNCTIONS_APP_KEY::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.functionsAppKey.value')"
 echo "::set-output name=RUN_SETTINGS::$(echo $DEPLOYMENTOUTPUT | jq --raw-output '.runSettings.value')"
 
-echo "========================================================================================================================================================================================================"
diff --git a/.github/workflows/test_azure_devtest_labs_integration.yml b/.github/workflows/test_azure_devtest_labs_integration.yml
@@ -73,7 +73,8 @@ jobs:
         # This runs in a container, so all output is passed back using 'echo "::set-output name=OUTPUT_VAR_NAME::value here"', as files created won't persist.
         inlineScript: |
           # We need the secrets in an environment variable so they get passed to our shell script that does the work
-          export SERVICEPRINCIPALCREDENTIALS=$'${{ secrets.AZURE_DEV_TEST_LABS_CREDENTIALS }}'
+          export SERVICE_PRINCIPAL_CREDENTIALS=$'${{ secrets.AZURE_DEV_TEST_LABS_CREDENTIALS }}'
+          export ADDITIONAL_PRINCIPALS=$'${{ secrets.ADDITIONAL_PRINCIPALS }}'
 
           # Execute the script to create the dev test lab
           chmod +x ./.github/workflows/deploy.sh
diff --git a/Azure-DevTestLab/Environments/sqlcollaborative_AzureDataPipelineTools/azuredeploy.json b/Azure-DevTestLab/Environments/sqlcollaborative_AzureDataPipelineTools/azuredeploy.json
@@ -27,6 +27,9 @@
         "devopsServicePrincipalCredentials": {
             "type": "object"
         },
+        "additionalPrincipals": {
+            "type": "array"
+        },
         "adlsStorageAccountContainerName": {
             "type": "string",
             "defaultValue": "test"
@@ -80,23 +83,9 @@
     },
     "resources": [
         /********************************************************************************************************************************************
-        ****    Resource group permissions
+        ****    Dev-Ops Service Principal Permissions (Things not granted by owner/contributor at the RG level)
         ********************************************************************************************************************************************/
         
-        // Add the devops service principal as a reader on the resource group (DevTest Labs is configured to create an RG for each lab).
-
-        // // 'Reader' scoped to the resource group. This already exists, here as an example
-        // {
-        //     "type": "Microsoft.Authorization/roleAssignments",
-        //     "apiVersion": "[variables('authorizationApiVersion')]",
-        //     "name": "[guid(resourceGroup().id, 'devopsServicePrincipal_rg_reader')]",
-        //     "properties": {
-        //         "roleDefinitionId": "[variables('reader')]",
-        //         "principalId": "[parameters('devopsServicePrincipalCredentials').client_object_id]"
-        //     }
-        // },
-
-
         // 'Storage Blob Data Contributor' scoped to the storage account container
         {
             "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
@@ -143,10 +132,12 @@
 
 
 
-
-
-        // Add IAM access for functions app. See the following page for details of how to get the object id for the SPN
-        //   https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
+        /********************************************************************************************************************************************
+        ****    Functions App Service Principal Permissions (Allow the functions app to access resources)
+        ****    
+        ****    Adds IAM access for functions app. See the following page for details of how to get the object id for the SPN
+        ****      https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/
+        ********************************************************************************************************************************************/
         
         // 'Reader' scoped to the storage account
         {
@@ -180,6 +171,76 @@
             ]
         },
 
+
+        /********************************************************************************************************************************************
+        ****    Additional principals arte added using the additional principals array parameter
+        ****    
+        ****    Use the copy() function to loop over the array and add permissions for those users / groups / service principals using their object
+        ****    id's.
+        ********************************************************************************************************************************************/
+        
+        // 'Reader' scoped to the resource group. This already exists, here as an example
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "[variables('authorizationApiVersion')]",
+            "name": "[guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()])]",
+            "properties": {
+                "roleDefinitionId": "[variables('reader')]",
+                "principalId": "[parameters('additionalPrincipals')[copyIndex()]]"
+            },
+            "copy": {
+                "name": "principalCopy",
+                "count": "[length(parameters('additionalPrincipals'))]"
+            }
+        },
+
+        // 'Storage Blob Data Contributor' scoped to the storage account container
+        {
+            "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments",
+            "name": "[concat(variables('adlsStorageAccountName'), '/default/', parameters('adlsStorageAccountContainerName'), '/Microsoft.Authorization/', guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()], variables('adlsStorageAccountName'), parameters('adlsStorageAccountContainerName'), variables('storageBlobDataContributor')))]",
+            "apiVersion": "[variables('authorizationApiVersion')]",
+            "properties": {
+                "roleDefinitionId": "[variables('storageBlobDataContributor')]",
+                "principalId": "[parameters('additionalPrincipals')[copyIndex()]]"
+            },
+            "dependsOn": [
+                "[concat('Microsoft.Storage/storageAccounts/', variables('adlsStorageAccountName'), '/blobServices/default/containers/', parameters('adlsStorageAccountContainerName'))]"
+            ],
+            "copy": {
+                "name": "principalCopy",
+                "count": "[length(parameters('additionalPrincipals'))]"
+            }
+        },
+
+        // Assign access policies to the key vault. Need to test adding this to the KV template...
+        {
+            "type": "Microsoft.KeyVault/vaults/accessPolicies",
+            "name": "[concat(variables('keyVaultName'), '/add')]",
+            "apiVersion": "[variables('keyVaultApiVersion')]",
+            "properties": {
+                "copy": [
+                    {
+                        "name": "accessPolicies",
+                        "count": "[length(parameters('additionalPrincipals'))]",
+                        "input": {
+                            "tenantId": "[subscription().tenantId]",
+                            "objectId": "[parameters('additionalPrincipals')[copyIndex('accessPolicies')]]",
+                            "permissions": {
+                                "secrets": [
+                                    "list",
+                                    "get"
+                                ]
+                            }
+                        }
+                    }
+                ]
+            },
+            "dependsOn": [
+                "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]"
+            ]
+        },
+
+
         /********************************************************************************************************************************************
         ****    ADLS storage
         ********************************************************************************************************************************************/
