-
Notifications
You must be signed in to change notification settings - Fork 53
/
configure_aad.sh
executable file
·61 lines (54 loc) · 2.5 KB
/
configure_aad.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/bin/bash
# This script will register an AAD application used for OIDC and authentication.
# The application secret is stored in the keyvault under a secret named azhop-oidc-password
set -e
AZHOP_CONFIG=config.yml
ANSIBLE_VARIABLES=playbooks/group_vars/all.yml
if [ ! -e $AZHOP_CONFIG ]; then
echo "$AZHOP_CONFIG doesn't exist, exiting"
exit 1
fi
key_vault=$(yq eval '.key_vault' $ANSIBLE_VARIABLES)
if [ "$key_vault" == "" ]; then
echo "Keyvault retrieved from $ANSIBLE_VARIABLES is empty"
exit 1
fi
aadName=$(yq eval '.resource_group' config.yml)
if [ "$aadName" == "" ]; then
echo "Resource group retrieved from $ANSIBLE_VARIABLES is empty"
exit 1
fi
azhop_uri=$(yq eval '.ondemand_fqdn' $ANSIBLE_VARIABLES)
if [ "$azhop_uri" == "" ]; then
echo "ondemand_fqdn retrieved from $ANSIBLE_VARIABLES is empty"
exit 1
fi
# Create the AAD application, generate a client secret, and register it with the AAD tenant
# Store the secret under <appId>-password in the keyvault
appId=$(az ad app list --display-name $aadName --query [].appId -o tsv)
if [ "$appId" == "" ]; then
az ad app create --display-name $aadName \
--web-redirect-uris "https://$azhop_uri/oidc" \
--public-client-redirect-uris "https://$azhop_uri/oidc" \
--required-resource-accesses @aad_manifest.json \
--optional-claims @aad_claims.json \
--key-type password
appId=$(az ad app list --display-name $aadName --query [].appId -o tsv)
current_password=$(az ad app credential reset --id $appId | jq -r '.password')
SECRET_NAME="$appId-password"
echo "Generating a password for $aadName and storing it as secret $SECRET_NAME in keyvault $key_vault"
az keyvault secret set --value "$current_password" --name $SECRET_NAME --vault-name $key_vault -o table > /dev/null
else
SECRET_NAME="$appId-password"
echo "AAD application $aadName already exists"
current_password=$(az keyvault secret list --vault-name $key_vault --query "[?name=='$SECRET_NAME'].name" -o tsv)
if [ "$current_password" == "" ] ; then
appId=$(az ad app list --display-name $aadName --query [].appId -o tsv)
echo "Generating a password for $aadName and storing it as secret $SECRET_NAME in keyvault $key_vault"
current_password=$(az ad app credential reset --id $appId | jq -r '.password')
az keyvault secret set --value "$current_password" --name $SECRET_NAME --vault-name $key_vault -o table > /dev/null
else
echo "$SECRET_NAME has already a secret stored in keyvault $key_vault"
fi
fi
echo "AAD appId: $appId"