Merge pull request #589 from microsoft/southworks/add/identity-resources

tracyboehrer · web-flow · commit 44f8f28239e3 · 2022-08-30T09:04:17.000-05:00
[#548] Create Fn tests for supported authentication types - Adapt Create and Cleanup pipelines
diff --git a/build/yaml/cleanupResources/cleanupResources.yml b/build/yaml/cleanupResources/cleanupResources.yml
@@ -316,6 +316,29 @@ stages:
                 Write-Host "No pre-existing $(INTERNALSTORAGEACCOUNTNAME) resource found."
               }
 
+- stage: "Delete_User_Identities"
+  displayName: "Delete User Assigned Managed Identities"
+  dependsOn:
+    - Delete_App_Service_Plan_DotNet
+    - Delete_App_Service_Plan_JS
+    - Delete_App_Service_Plan_Python
+  jobs:
+    - job: "Delete"
+      displayName: "Delete steps"
+      steps:
+        - checkout: none
+        - task: AzureCLI@2
+          displayName: "Delete User Assigned Managed Identities"
+          inputs:
+            azureSubscription: $(AZURESUBSCRIPTION)
+            scriptType: pscore
+            scriptLocation: inlineScript
+            inlineScript: |
+              az identity delete -n "bffnsimplehostbotdotnetmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnsimplehostbotjsmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnechoskillbotdotnetmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+              az identity delete -n "bffnechoskillbotjsmsi$($env:RESOURCESUFFIX)" -g "$(INTERNALSHAREDRESOURCEGROUPNAME)"
+
 - stage: "Delete_Shared_Resource_Group"
   displayName: "Delete Shared Resource Group"
   dependsOn:
@@ -326,6 +349,7 @@ stages:
     - Delete_CosmosDB
     - Delete_Container_Registry
     - Delete_Storage_Account
+    - Delete_User_Identities
   jobs:
     - job: "Delete"
       displayName: "Delete steps"
diff --git a/build/yaml/sharedResources/createAppRegistrations.yml b/build/yaml/sharedResources/createAppRegistrations.yml
@@ -48,7 +48,7 @@ steps:
           Invoke-WebRequest -Uri "https://login.microsoftonline.com/${{ parameters.tenantId }}/oauth2/v2.0/token" -Method "POST" -Body $body | ConvertFrom-Json
         }
 
-        function CreateAppRegistration($token, $appName) {
+        function CreateAppRegistration($token, $appName, $audience) {
           # Create App Registration
 
           $headers = @{
@@ -57,7 +57,7 @@ steps:
 
           $body = @{
             displayName    = $appName;
-            signInAudience = "AzureADandPersonalMicrosoftAccount"
+            signInAudience = $audience;
           } | ConvertTo-Json
 
           $app = Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/applications" -Method "POST" -Headers $headers -Body $body -ContentType "application/json" | ConvertFrom-Json;
@@ -73,6 +73,16 @@ steps:
           $app | Add-Member -MemberType NoteProperty -Name secret -Value $secret.secretText;
 
           $app
+
+          if ($audience -eq "AzureADMyOrg") {
+            # Create Service Principal Object
+
+            $body = @{
+                appId = $app.appId;
+            } | ConvertTo-Json
+
+            $servicePpal = Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals" -Method "POST" -Headers $headers -Body $body -ContentType "application/json" | ConvertFrom-Json;
+          }
         }
 
         function SaveAppRegistrationIntoKeyVault($vaultName, $bot, $app) {
@@ -107,17 +117,22 @@ steps:
           @{ appName = "bffnsimplehostbotpython"; variables = @{ appId = "BffnSimpleHostBotPythonAppId"; appSecret = "BffnSimpleHostBotPythonAppSecret"; objectId = "BffnSimpleHostBotPythonAppObjectId" }},
           @{ appName = "bffnechoskillbotpython"; variables = @{ appId = "BffnEchoSkillBotPythonAppId"; appSecret = "BffnEchoSkillBotPythonAppSecret"; objectId = "BffnEchoSkillBotPythonAppObjectId" }},
           @{ appName = "bffnwaterfallhostbotpython"; variables = @{ appId = "BffnWaterfallHostBotPythonAppId"; appSecret = "BffnWaterfallHostBotPythonAppSecret"; objectId = "BffnWaterfallHostBotPythonAppObjectId" }},
-          @{ appName = "bffnwaterfallskillbotpython"; variables = @{ appId = "BffnWaterfallSkillBotPythonAppId"; appSecret = "BffnWaterfallSkillBotPythonAppSecret"; objectId = "BffnWaterfallSkillBotPythonAppObjectId" }}
+          @{ appName = "bffnwaterfallskillbotpython"; variables = @{ appId = "BffnWaterfallSkillBotPythonAppId"; appSecret = "BffnWaterfallSkillBotPythonAppSecret"; objectId = "BffnWaterfallSkillBotPythonAppObjectId" }},
+          @{ appName = "bffnsimplehostbotdotnetst"; variables = @{ appId = "BffnSimpleHostBotDotNetSTAppId"; appSecret = "BffnSimpleHostBotDotNetSTAppSecret"; objectId = "BffnSimpleHostBotDotNetSTAppObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnsimplehostbotjsst"; variables = @{ appId = "BffnSimpleHostBotJSSTAppId"; appSecret = "BffnSimpleHostBotJSSTAppSecret"; objectId = "BffnSimpleHostBotJSSTAppObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnechoskillbotdotnetst"; variables = @{ appId = "BffnEchoSkillBotDotNetSTAppId"; appSecret = "BffnEchoSkillBotDotNetSTAppSecret"; objectId = "BffnEchoSkillBotDotNetSTObjectId"; signInAudience = "AzureADMyOrg" }},
+          @{ appName = "bffnechoskillbotjsst"; variables = @{ appId = "BffnEchoSkillBotJSSTAppId"; appSecret = "BffnEchoSkillBotJSSTAppSecret"; objectId = "BffnEchoSkillBotJSSTAppObjectId"; signInAudience = "AzureADMyOrg" }}
         )
 
         $token = GetToken
 
         foreach ($bot in $bots) {
           $botName = "$($bot.appName)${{ parameters.resourceSuffix }}"
+          $audience = $($bot.variables.signInAudience) ?? "AzureADMultipleOrgs"
           Write-Host "`n[$botName] Starting"
           Write-Host "Creating App Registration ..."
-          
-          $app = CreateAppRegistration $token $botName
+
+          $app = CreateAppRegistration $token $botName $audience
           Write-Host "
             App Registration:
               Name: $botName
diff --git a/build/yaml/sharedResources/createSharedResources.yml b/build/yaml/sharedResources/createSharedResources.yml
@@ -253,3 +253,22 @@ stages:
           scriptType: pscore
           scriptLocation: inlineScript
           inlineScript: "az deployment group create --name $(INTERNALSTORAGEACCOUNTNAME) --resource-group $(INTERNALRESOURCEGROUPNAME) --template-file build/templates/template-storage-account-resources.json --parameters storageAccountName=$(INTERNALSTORAGEACCOUNTNAME)"
+
+- stage: Create_User_Identities
+  displayName: "Create User Assigned Managed Identities"
+  dependsOn: Create_Resource_Group
+  jobs:
+    - job: Deploy_User_Identities
+      displayName: "Deploy steps"
+      steps:
+      - task: AzureCLI@2
+        displayName: "Deploy User Assigned Managed Identities"
+        inputs:
+          azureSubscription: $(AZURESUBSCRIPTION)
+          scriptType: pscore
+          scriptLocation: inlineScript
+          inlineScript: |
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnsimplehostbotdotnetmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnsimplehostbotjsmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnechoskillbotdotnetmsi$($env:RESOURCESUFFIX)"
+            az identity create -g "$(INTERNALRESOURCEGROUPNAME)" -n "bffnechoskillbotjsmsi$($env:RESOURCESUFFIX)"
