diff --git a/docs/media/onboarding/import-a-git-repo.png b/docs/media/onboarding/import-a-git-repo.png new file mode 100644 index 00000000..ca4a8407 Binary files /dev/null and b/docs/media/onboarding/import-a-git-repo.png differ diff --git a/docs/onboarding/azure-devops-pipelines.md b/docs/onboarding/azure-devops-pipelines.md index 953de7fd..a6313210 100644 --- a/docs/onboarding/azure-devops-pipelines.md +++ b/docs/onboarding/azure-devops-pipelines.md @@ -2,6 +2,8 @@ This document provides steps required to onboard to the Azure Landing Zones design using Azure DevOps Pipelines. +> There are scripts available to help simplify the onboarding process to Azure Landing Zones design using Azure DevOps Pipelines. The [Azure DevOps Scripts](./azure-devops-scripts.md) document contains more detailed information on the those scripts. + **All steps will need to be repeated per Azure AD tenant.** --- 
@@ -45,18 +47,18 @@ If you don't wish to send usage data to Microsoft, you can set the `customerUsag ## Instructions -* [Step 1: Create Service Principal Account & Assign RBAC](#step-1--create-service-principal-account--assign-rbac) -* [Step 2: Configure Service Connection in Azure DevOps Project Configuration](#step-2--configure-service-connection-in-azure-devops-project-configuration) -* [Step 3: Configure Management Groups](#step-3--configure-management-groups) -* [Step 4: Configure Custom Roles](#step-4--configure-custom-roles) -* [Step 5: Configure Logging](#step-5--configure-logging) -* [Step 6: Configure Azure Policies](#step-6--configure-azure-policies) -* [Step 7: Configure Hub Networking](#step-7--configure-hub-networking) -* [Step 8: Configure Subscription Archetypes](#step-8--configure-subscription-archetypes) +* [Step 1 - Create Service Principal Account & Assign RBAC](#step-1---create-service-principal-account--assign-rbac) +* [Step 2 - Configure Service Connection in Azure DevOps Project Configuration](#step-2---configure-service-connection-in-azure-devops-project-configuration) +* [Step 3 - Configure Management Groups](#step-3---configure-management-groups) +* [Step 4 - Configure Custom Roles](#step-4---configure-custom-roles) +* [Step 5 - Configure Logging](#step-5--configure-logging) +* [Step 6 - Configure Azure Policies](#step-6---configure-azure-policies) +* [Step 7 - Configure Hub Networking](#step-7---configure-hub-networking) +* [Step 8 - Configure Subscription Archetypes](#step-8---configure-subscription-archetypes) --- -## Step 1: Create Service Principal Account & Assign RBAC +## Step 1 - Create Service Principal Account & Assign RBAC An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. 
For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity. @@ -98,7 +100,7 @@ Note down the `appId`, `tenant` and `password`. These will be required to for s --- -## Step 2: Configure Service Connection in Azure DevOps Project Configuration +## Step 2 - Configure Service Connection in Azure DevOps Project Configuration * Settings * **Connection Type**: Azure Resource Manager @@ -137,7 +139,7 @@ Note down the `appId`, `tenant` and `password`. These will be required to for s --- -## Step 3: Configure Management Groups +## Step 3 - Configure Management Groups ### Step: 3.1: Update common.yml in git repository @@ -195,7 +197,7 @@ variables: --- -## Step 4: Configure Custom Roles +## Step 4 - Configure Custom Roles 1. Pipeline definition for Custom Roles. @@ -215,7 +217,7 @@ variables: --- -## Step 5: Configure Logging +## Step 5 - Configure Logging ### Step 5.1: Setup Azure AD Security Group (Recommended) 
@@ -358,37 +360,34 @@ In order to configure audit stream for Azure Monitor, identify the following inf --- -## Step 6: Configure Azure Policies +## Step 6 - Configure Azure Policies 1. Pipeline definition for Azure Policies. Overview of Azure Policy and definitions deployed refer to [readme.md under `/docs/policy`](../../docs/policy/readme.md) *Note: Pipelines are stored as YAML definitions in Git and imported into Azure DevOps Pipelines. This approach allows for portability and change tracking.* - 1. Go to Pipelines - 2. New Pipeline - 3. Choose Azure Repos Git - 4. Select Repository - 5. Select Existing Azure Pipeline YAML file - 6. Identify the pipeline in `.pipelines/policy.yml`. - 7. Save the pipeline (don't run it yet) - 8. Rename the pipeline to `policy-ci` - + 1. Go to Pipelines + 2. New Pipeline + 3. Choose Azure Repos Git + 4. Select Repository + 5. Select Existing Azure Pipeline YAML file + 6. Identify the pipeline in `.pipelines/policy.yml`. + 7. Save the pipeline (don't run it yet) + 8. Rename the pipeline to `policy-ci` 2. Run pipeline and wait for completion. --- -## Step 7: Configure Hub Networking - -1. Edit `./config/variables/-.yml` in Git. This configuration file was created in Step 3. +## Step 7 - Configure Hub Networking - Update networking section of the configuration file to deploy one of the two options: - - 1. [Hub Networking with Azure Firewall](../../docs/archetypes/hubnetwork-azfw.md) - 2. [Hub Networking with Fortinet Firewall (NVA)](../../docs/archetypes/hubnetwork-nva-fortigate.md) +1. Edit `./config/variables/-.yml` in Git. This configuration file was created in Step 3. + Update networking section of the configuration file to deploy one of the two options: + 1. [Hub Networking with Azure Firewall](../../docs/archetypes/hubnetwork-azfw.md) + 2. [Hub Networking with Fortinet Firewall (NVA)](../../docs/archetypes/hubnetwork-nva-fortigate.md) Depending on the preference, you may delete/comment the configuration that is not required. 
For example, when deploying option 1 (Azure Firewall) - remove/comment section of the configuration file titled "Hub Networking with Fortinet Firewalls". - + *Note:* **var-hubnetwork-subscriptionRoleAssignments** should include Azure AD security group's object ID responsible for managing Azure networking. If role assignments are not required, you must change the example provided with the following setting: ```yml @@ -396,7 +395,7 @@ In order to configure audit stream for Azure Monitor, identify the following inf [] ``` - Include the values for the following as well: + Include the values for the following as well: * Valid contact information for the Azure Service Health Alerts: email and phone number * Values for Azure resource tags * IP ranges for the virtual networks @@ -673,7 +672,7 @@ In order to configure audit stream for Azure Monitor, identify the following inf --- -## Step 8: Configure Subscription Archetypes +## Step 8 - Configure Subscription Archetypes 1. Configure Pipeline definition for subscription archetypes diff --git a/docs/onboarding/azure-devops-scripts.md b/docs/onboarding/azure-devops-scripts.md new file mode 100644 index 00000000..1a1f903a --- /dev/null +++ b/docs/onboarding/azure-devops-scripts.md 
@@ -0,0 +1,337 @@ +# Azure DevOps Scripts + +> Copyright (c) Microsoft Corporation. + Licensed under the MIT license. + THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. + +## Introduction + +This document discusses the scripts available to help simplify the onboarding process to Azure Landing Zones design using Azure DevOps pipelines. The [Azure DevOps Pipelines Onboarding Guide](./azure-devops-pipelines.md) document contains detailed onboarding instructions, and is referenced in this document. + +## Table of Contents + +- [Required Tools](#required-tools) +- [Required Permissions](#required-permissions) +- [Setting Up Azure DevOps](#setting-up-azure-devops) +- [Creating Your Repository](#creating-your-repository) +- [Using the Scripts to Configure Your Environment](#using-the-scripts-to-configure-your-environment) + +--- + +## Required Tools + +The instructions in this document and scripts in the `/scripts/onboarding` folder require the latest versions of the following tools are installed. Review each tool and complete any post-install configuration instructions provided. + +### Azure CLI + +Install instructions: + +- + +After installation: + +- Sign in with `az login` + + +### Azure CLI devops extension + +Install instructions: + +- + +After installation: + +- Sign-in with a Personal Access Token (PAT): + . For example: + `az devops login --organization https://dev.azure.com/[DEVOPS-ORG]` + +Optionally, you may also want to perform the following steps: + +- Set the default Azure DevOps organization and project. For example: + `az devops configure --defaults project=[DEVOPS-PROJECT] organization=https://dev.azure.com/[DEVOPS-ORG]` + +- Verify the default values are set correctly. 
For example: + `az devops configure --list` + +These additional steps are optional since the scripts use the `DEVOPS_ORG` and `DEVOPS_PROJECT_NAME` environment variables. Setting the default Azure DevOps organization and project may be useful when you are invoking the `az devops` commands directly. + +- For other `az devops` commands, refer to the following documentation: + +### jq.exe + +Install instructions: + +- + +Verify that the path to `jq.exe` is included in the `echo %PATH%` output, i.e. it must be part of your system path or user environment path for the user running these scripts. + +### Git for Windows + +Download from here: + +- + +Git for Windows includes Unix utilities (e.g. `cut`, `tr`, etc.) that are used by these scripts. + +Verify that the path to these utilities is included in the `echo %PATH%` output, i.e. it must be part of your system path or user environment path for the user running these scripts. The default installation location for these files is `C:\Program Files\Git\usr\bin`. + +--- + +## Required Permissions + +### Azure DevOps + +If you need to create Azure DevOps project(s) or manage organization-wide policy settings, your user account will need to be a member of the `Project Collection Administrators` group in your Azure DevOps organization. + +If you don't need to create Azure DevOps project(s) or manage organization-wide policy settings, then your user account will only need to be a member of the `Project Administrators` group in an existing Azure DevOps project. + +Detailed instructions on how to configure security & usage settings for Azure DevOps are outside the scope of this documentation. For additional information on these topics, refer to the following: [Settings, Security & Usage documentation](https://docs.microsoft.com/azure/devops/organizations). + +### Azure Active Directory + +Your user account needs the `Global administrator` role assigned in your Azure Active Directory. 
+ +Perform the following steps to verify your administrative access level: + +1. Navigate to +1. Select the `Azure Active Directory` service +1. Select `Manage > Roles and administrators` +1. Select the `Global administrator` role +1. Verify your account is assigned the `Global administrator` role + +Next, ensure your account has elevated access at Azure AD tenant root scope, so that you are able to manage management groups: + Reference: + +Here are some sample Azure CLI commands you can use: + +> **Note**: these commands are available as scripts in the `/scripts/onboarding` folder: `add-root-user-access-admin.bat`, `list-root-user-access-admin.bat`, and `remove-root-user-access-admin.bat`. + +- Elevate currently signed in user: + `az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"` + +- List role assignments: + `az role assignment list --role "User Access Administrator" --scope "/" -o table` + +- Remove elevated access: + `az role assignment delete --assignee username@example.com --role "User Access Administrator" --scope "/"` + +### Azure Subscriptions + +You will need to either have the ability to create new Azure subscriptions or have Azure subscriptions created for you and ready for use. If you need to create Azure subscriptions, then review the following documentation that discusses the role requirements depending on whether your Azure subscriptions are procured through an Azure Enterprise Agreement, Microsoft Customer Agreement, Microsoft Partner Agreement, or Microsoft Online Service Program billing account: [Create an additional Azure subscription](https://docs.microsoft.com/azure/cost-management-billing/manage/create-subscription). + +--- + +## Setting Up Azure DevOps + +Azure DevOps is used to define pipelines that automate landing zone deployments. It may also be used as the location for the repository files. 
+ +> This section is optional if you have already created and configured your Azure DevOps organization and project. + +Refer to the instructions in [Azure DevOps Setup](../../docs/onboarding/azure-devops-setup.md) for assistance in setting up a new Azure DevOps environment or validating an existing one against best practices. + +--- + +## Creating Your Repository + +> This section is optional. If you have already forked or cloned the `CanadaPubSecALZ` repository into a repository of your choosing, then proceed to the next section. + +There are two options for hosting the repository code, outlined in the following subsections. Regardless of where you manage your repository (Azure DevOps or GitHub), the pipelines used to run the automation workflow reside in Azure DevOps. + +### Import the `CanadaPubSecALZ` GitHub repository into your Azure DevOps repository + +> Choose this option if you are already using (or more comfortable working with) Azure DevOps as a location for maintaining your repository files. This option is also a good choice if you want to simplify Azure DevOps pipelines creation by referencing Git repositories in Azure DevOps instead of GitHub Enterprise. + +Follow the instructions in the documentation [Import a Git repo](https://docs.microsoft.com/azure/devops/repos/git/import-git-repository?view=azure-devops). + +In the instructions above, you will use the following Clone URL value: `https://github.com/Azure/CanadaPubSecALZ.git`, and the process will look similar to the following screenshot at the import stage: + +![Import a Git Repo](../media/onboarding/import-a-git-repo.png) + +Once you have imported the `CanadaPubSecALZ` repository into your Azure DevOps repository, it will not have any connection with the original GitHub repository. If you would like to synchronize with the original GitHub repository, you will need to add a remote pointing to the original repo. 
+ +To add a remote named `upstream` to the GitHub repository, first clone your newly imported copy in Azure DevOps, and then run the following commands from the cloned repository workspace: + +```bash +git remote add upstream https://github.com/Azure/CanadaPubSecALZ.git +git remote update +``` + +Once you have established a remote (upstream) connection from your Azure DevOps repository back to the original GitHub repository, you can get updates using the following `git` command: + +```bash +git pull upstream main && git push +``` + +This is just one example of interacting with the remote (upstream). It shows how to update the `main` branch of your Azure DevOps repository with the `main` branch of the original GitHub repository. Additional operations such as pushing changes from your repository back to the original are also possible, but beyond the scope of this documentation. + +### Fork the `CanadaPubSecALZ` GitHub repository into your GitHub repository + +> Choose this option if you are already using (or more comfortable working with) GitHub Enterprise, as opposed to Azure DevOps as a location for maintaining your repository files. + +Follow the instructions in the documentation [Fork a repo](https://docs.github.com/get-started/quickstart/fork-a-repo). + +Using the documentation above, you will perform the following steps: + + 1. Navigate to + 1. Click on the `Fork` button + +If you are a member of a GitHub organization, you will be prompted to select the destination account where the repository will be forked into. + +If you are not a member of any GitHub organizations, the CanadaPubSecALZ repository will be automatically forked into your personal account. + +After the repository fork operation has completed, you will be redirected to the newly forked GitHub repository. + +Once you have forked the `CanadaPubSecALZ` repository into your GitHub repository, it will not have any connection with the original GitHub repository. 
If you would like to synchronize with the original GitHub repository, you will need to add a remote pointing to the original repo. + +To add a remote named `upstream` to the GitHub repository, first clone your newly imported copy in Azure DevOps, and then run the following commands from the cloned repository workspace: + +```bash +git remote add upstream https://github.com/Azure/CanadaPubSecALZ.git +git remote update +``` + +Once you have established a remote (upstream) connection from your Azure DevOps repository back to the original GitHub repository, you can get updates using the following `git` command: + +```bash +git pull upstream main && git push +``` + +This is just one example of interacting with the remote (upstream). It shows how to update the `main` branch of your Azure DevOps repository with the `main` branch of the original GitHub repository. Additional operations such as pushing changes from your repository back to the original are also possible, but beyond the scope of this documentation. + +--- + +## Using the Scripts to Configure Your Environment + +The following subsections go through the process of using the scripts to configure Azure DevOps pipelines for deploying Azure Landing Zones. Follow the steps and run the scripts in the order the subsections are presented, as some steps have dependencies on previous steps. For example, you will need an Azure service principal created before you can create an Azure DevOps service endpoint. + +### Create an environment variable settings file + +Make a copy of the `set-variables.DevOpsOrgName.bat`, replacing `DevOpsOrgName` portion of the file name with the name of your Azure DevOps organization or any other meaningful name (no spaces). + +Next, edit the newly created file, using the guidance in the following table. + +| Variable Name | Description | Example +| ---- | ---- | ---- +| DEVOPS_TENANT_ID | Azure AD tenant identifier. 
| c0196602-5a7d-4b1e-9128-69dbf7152c18 +| DEVOPS_MGMT_GROUP_NAME | Azure AD root management group name. | Tenant Root Group +| DEVOPS_SP_NAME | Azure service principal name. The service principal has Owner RBAC at the tenant root scope. | spn-azure-platform-ops +| DEVOPS_SG_NAME | Azure security group name for 'Owner` RBAC subscription, network, and logging | alz-owners +| DEVOPS_ORG | Azure DevOps organization URL. | +| DEVOPS_PROJECT_NAME | Azure DevOps project name. | CanadaPubSecALZ +| DEVOPS_REPO_NAME_OR_URL | Azure DevOps or GitHub repository name or URL. | CanadaPubSecALZ +| DEVOPS_REPO_TYPE | Repository type. Can be `tfsgit` or `github`. | tfsgit +| DEVOPS_REPO_BRANCH | Repository branch name. | main +| DEVOPS_PIPELINE_NAME_SUFFIX | Azure DevOps pipeline name suffix | -ci +| DEVOPS_SE_NAME | Azure DevOps service endpoint name. | spn-azure-platform-ops +| DEVOPS_SE_TEMPLATE | File name for the generated Azure DevOps service endpoint template JSON file. | service-endpoint.AzDevOpsOrg.json +| DEVOPS_VARIABLES_GROUP_NAME | Azure DevOps variable group name. Leave this set to `firewall-secrets` as the YAML pipeline for networking is hard-coded to use this value. | firewall-secrets +| DEVOPS_VARIABLES_VALUES | Specify values for the NVA firewall username and password in format `key=value key=value`. Replace `YourUsername` and `YourPassword` in the example with your values. DO NOT commit changes that include username and password plaintext values to your repository. | var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword +| DEVOPS_VARIABLES_ARE_SECRET | Indicates whether variables in the variable group are marked as secret. Possible values are `true` or `false`. Recommend using `true` unless you plan to reconfigure your variable group to use another secure source such as KeyVault. | true +| DEVOPS_OUTPUT_DIR | Name of temporary folder for generated files. 
| .\output + +Once you have saved your changes to the newly created file, run it from the command line. After running your new script, run the `list-variables.bat` script to view these environment variable settings. + +### Create service principal + +Run the `create-service-principal.bat` script to create an Azure AD service principal with `Owner` RBAC at the tenant root scope. + +> There is also a `delete-service-principal.bat` script that you can use to delete an existing service principal. For example, if you want to re-create the service principal, use the `delete-service-principal.bat` script followed by the `create-service-principal.bat` script. + +If you would rather perform this step manually, detailed guidance is available at the following location: [Step 1 - Create Service Principal Account & Assign RBAC](azure-devops-pipelines.md#step-1---create-service-principal-account--assign-rbac). + +### Create service endpoint + +Note that this script, `create-service-endpoint.bat`, depends on the output from a successful run of the `create-service-principal.bat` script (mentioned in the previous section), which contains the service principal password. If that output does not exist, you will be prompted for the service principal password. + +Run the `create-service-endpoint.bat` script to create an Azure DevOps service endpoint (aka service connection). this script uses an output file generated in the previous step to provide the service principal attributes needed to create the service endpoint. + +> There is also a `delete-service-endpoint.bat` script that you can use to delete an existing service endpoint. For example, if you want to re-create the service endpoint, use the `delete-service-endpoint.bat` script followed by the `create-service-endpoint.bat` script. 
+ +If you would rather perform this step manually, detailed guidance is available at the following location: [Step 2 - Configure Service Connection in Azure DevOps Project Configuration](azure-devops-pipelines.md#step-2---configure-service-connection-in-azure-devops-project-configuration). + +### Create landing zone pipelines + +Run the `create-pipelines.bat` script to create the landing zone pipelines: + +- management-groups-ci +- roles-ci +- platform-logging policy-ci +- platform-connectivity-hub-nva-ci +- platform-connectivity-hub-azfw-ci +- platform-connectivity-hub-azfw-policy-ci +- subscriptions-ci + +If you would rather perform these steps manually, detailed guidance is available in the following sections of the [Azure DevOps Pipelines Onboarding Guide](./azure-devops-pipelines.md): + +- [Step 3 - Configure Management Groups](./azure-devops-pipelines.md#step-3---configure-management-groups) +- [Step 4 - Configure Custom Roles](./azure-devops-pipelines.md#step-4---configure-custom-roles) +- [Step 5 - Configure Logging](./azure-devops-pipelines.md#step-5--configure-logging) +- [Step 6 - Configure Azure Policies](./azure-devops-pipelines.md#step-6---configure-azure-policies) +- [Step 7 - Configure Hub Networking](./azure-devops-pipelines.md#step-7---configure-hub-networking) +- [Step 8 - Configure Subscription Archetypes](./azure-devops-pipelines.md#step-8---configure-subscription-archetypes) + +### Give pipelines access to service endpoint + +Run the `share-service-endpoint.bat` script to allow all pipelines in the project to use the service endpoint. + +If you would rather perform this step manually, detailed guidance is available at the following location: [Step 2 - Configure Service Connection in Azure DevOps Project Configuration](azure-devops-pipelines.md#step-2---configure-service-connection-in-azure-devops-project-configuration). 
+ +### Create variable group + +The `firewall-secrets` variable group is required by the networking pipeline when using a Fortinet firewall deployment configuration. It is optional for all other scenarios. + +If needed, run the `create-variable-group.bat` script to created the required variable group and variables in Azure DevOps. + +### Create security group + +Run the `create-security-group.bat` script to create a new Azure security group. The security group name is defined using the `%DEVOPS_SG_NAME%` environment variable. Save the Azure security group GUID provided by this script for later use when configuring your environment. It will be used in the `securityGroupObjectIds` values in the environment configuration (YAML) files and subscription configuration (JSON) files. + +### Configure your environment + +Before running the landing zone pipelines, you will need to create and edit configuration files (YAML and JSON) with values corresponding to your environment, along with specific configuration information needed for each layer: management groups, roles, logging, policy, networking, and subscriptions. + +Detailed guidance on these configuration requirements is available in the [Azure DevOps Pipelines Onboarding Guide](./azure-devops-pipelines.md). In that documentation you can start at this location: [Step 3 - Configure Management Groups](./azure-devops-pipelines.md#step-3---configure-management-groups), since Step 1 and Step 2 have already been completed using the scripts mentioned above in this document. As you work through Steps 3 - 8 in the other document, keep in mind that you can skip any instructions related to creating the service principal, service endpoint, or Azure DevOps pipelines that you have already performed using the scripts in this document. + +### Run pipelines + +Run the `run-pipelines.bat` script to interactively run individual landing zone pipelines. 
Note that at present time the `subscriptions-ci` pipeline is not included in the list of runnable pipelines as the script requires additional work to enable that capability. + +### Clear environment variables used by scripts + +Run the `unset-variables.bat` script to clear (unset) all "DEVOPS_" environment variables + +--- + +## Files + +### .gitignore + +The `/scripts/onboarding/.gitignore` file prevents the `./output` folder (default value for `%DEVOPS_OUTPUT_DIR%`) contents from being added to Azure Repos. This is important as the `create-service-principal.bat` and `create-service-endpoint.bat` scripts use this folder to store the client id and password for the service principal, and you do not want to expose these values in the repository. + +### Scripts + +| Area | File Name | Description +| ---- | ---- | ---- +| Azure | `create-security-group.bat` | Create an Azure security group to be used in the `securityGroupObjectIds` values in environment configuration (YAML) files and subscription configuration (JSON) files +| Azure | `delete-management-groups.bat` | Deletes all management groups in the current tenant, with the exception of the 'Tenant Root Group'. It is useful for resetting the management groups in your Azure AD tenant. Exercise caution when using this script as it will remove **all** management groups in the Azure AD tenant. +| Azure | `list-management-groups.bat` | List all Management Groups in the current tenant. It is useful for validating the successful deployment of the Management Groups pipeline. +| Azure DevOps | `create-pipelines.bat` | Create the Azure DevOps pipelines for landing zone deployment. +| Azure DevOps | `create-service-endpoint.bat` | Create a new Azure DevOps service endpoint for use with Azure Pipelines. +| Azure DevOps | `create-variable-group.bat` | Create a variable group to store secrets used by the pipelines. +| Azure DevOps | `delete-pipelines.bat` | Delete the Azure DevOps pipelines. 
+| Azure DevOps | `delete-service-endpoint.bat` | Delete the specified service endpoint used by Azure DevOps pipelines. +| Azure DevOps | `run-pipelines.bat` | Runs all landing zone pipelines in sequence. +| Azure DevOps | `service-endpoint.[ENV].json` | Template files generated by the `create-service-endpoint.bat` script. +| Azure DevOps | `service-endpoint.template.json` | Template file used by the `create-service-endpoint.bat` script to generate environment-specific templates in the `%DEVOPS_OUTPUT_DIR%` folder. +| Azure DevOps | `share-service-endpoint.bat` | Update the existing Azure DevOps service endpoint, allowing it to be used by all pipelines in the project. +| Azure DevOps | `update-variable-group.bat` | Update the existing Azure DevOps variable group, applying or removing the `secret` attribute as specified. This script is called by `create-variable-group.bat` and can also be invoked directly. +| Environment | `list-variables.bat` | Display all `DEVOPS_` environment variables. +| Environment | `set-variables.[ENV].bat` | These scripts, one per environment, set the base `DEVOPS_` environment variables. +| Environment | `unset-variables.bat` | Unset all `DEVOPS_` environment variables. +| Tenant | `add-root-user-access-admin.bat` | Elevate the currently signed-in user to "User Access Administrator" role. +| Tenant | `create-service-principal.bat` | Create a new Azure service principal that is used for pipeline authentication. +| Tenant | `delete-service-principal.bat` | Delete the specified Azure service principal. +| Tenant | `list-root-user-access-admin.bat` | List the users with elevated "User Access Administrator" role at tenant root scope. +| Tenant | `remove-root-user-access-admin.bat` | Remove the specified user from elevated "User Access Administrator" role at tenant root scope. +| Utility | `whereami-azure.bat` | Show all identities signed-in with the current Azure CLI session. 
+| Utility | `whoami-azure.bat` | Show the active identity signed-in with the current Azure CLI session. diff --git a/scripts/onboarding/.gitignore b/scripts/onboarding/.gitignore new file mode 100644 index 00000000..ea1472ec --- /dev/null +++ b/scripts/onboarding/.gitignore @@ -0,0 +1 @@ +output/ diff --git a/scripts/onboarding/add-root-user-access-admin.bat b/scripts/onboarding/add-root-user-access-admin.bat new file mode 100644 index 00000000..afd62e97 --- /dev/null +++ b/scripts/onboarding/add-root-user-access-admin.bat @@ -0,0 +1,17 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Elevating the currently signed-in user to "User Access Administrator" role... +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +call az rest --method post --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" diff --git a/scripts/onboarding/create-pipelines.bat b/scripts/onboarding/create-pipelines.bat new file mode 100644 index 00000000..0880d94c --- /dev/null +++ b/scripts/onboarding/create-pipelines.bat 
@@ -0,0 +1,38 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Creating Azure DevOps pipelines in the context of: +echo. +echo DevOps Organization: %DEVOPS_ORG% +echo DevOps Project: %DEVOPS_PROJECT_NAME% +echo Repository Name/URL: %DEVOPS_REPO_NAME_OR_URL% +echo Repository Type: %DEVOPS_REPO_TYPE% +echo Repository Branch: %DEVOPS_REPO_BRANCH% +echo Azure Pipeline Suffix: %DEVOPS_PIPELINE_NAME_SUFFIX% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Process all pipeline definitions +for %%N in (management-groups roles platform-logging policy platform-connectivity-hub-nva platform-connectivity-hub-azfw platform-connectivity-hub-azfw-policy subscriptions) do ( + + REM Check for pipeline existence + set FOUND= + for /f usebackq %%F in (`call az pipelines list -o tsv --query="[?name=='%%N-%DEVOPS_PIPELINE_NAME_SUFFIX%'].name | [0]"`) do set FOUND=true + + REM Only create Azure DevOps pipeline if it does *not* already exist + if not defined FOUND ( + echo Creating pipeline [%%N%DEVOPS_PIPELINE_NAME_SUFFIX%]... + call az pipelines create --name "%%N%DEVOPS_PIPELINE_NAME_SUFFIX%" --repository %DEVOPS_REPO_NAME_OR_URL% --repository-type %DEVOPS_REPO_TYPE% --branch %DEVOPS_REPO_BRANCH% --skip-first-run --yaml-path "/.pipelines/%%N.yml" --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% + ) else ( + echo Pipeline [%%N%DEVOPS_PIPELINE_NAME_SUFFIX%] already exists. Skipping creation. + ) +) 
diff --git a/scripts/onboarding/create-security-group.bat b/scripts/onboarding/create-security-group.bat new file mode 100644 index 00000000..9d3f2b12 --- /dev/null +++ b/scripts/onboarding/create-security-group.bat @@ -0,0 +1,36 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Create an Azure security group in the context of: +echo. +echo DEVOPS_SG_NAME = %DEVOPS_SG_NAME% +echo. +echo If these settings are not correct, please exit, update/run the set-variables.[YourEnv].bat script, and re-run this script +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +set DEVOPS_SG_ID= + +REM Find existing Azure security group id by name (if it exists) +for /f usebackq %%G in (`call az ad group list --filter "displayname eq '%DEVOPS_SG_NAME%'" --query "[].objectId" -o tsv`) do set DEVOPS_SG_ID=%%G + +REM Create Azure security group if not exist and get its id +if defined DEVOPS_SG_ID ( + echo Located existing Azure security group [%DEVOPS_SG_NAME%] +) else ( + echo Creating Azure security group [%DEVOPS_SG_NAME%] + for /f usebackq %%G in (`call az ad group create --display-name %DEVOPS_SG_NAME% --mail-nickname %DEVOPS_SG_NAME% --query "objectId" -o tsv`) do set DEVOPS_SG_ID=%%G +) + +echo Azure security group id: %DEVOPS_SG_ID% +echo Save the security group id for later use in the environment (YAML) +echo and subscription (JSON) configuration files. 
diff --git a/scripts/onboarding/create-service-endpoint.bat b/scripts/onboarding/create-service-endpoint.bat new file mode 100644 index 00000000..9ba8ad24 --- /dev/null +++ b/scripts/onboarding/create-service-endpoint.bat 
@@ -0,0 +1,95 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Create an Azure DevOps service endpoint (aka service connection) in the context of: +echo. +echo DEVOPS_OUTPUT_DIR = %DEVOPS_OUTPUT_DIR% +echo DEVOPS_TENANT_ID = %DEVOPS_TENANT_ID% +echo DEVOPS_MGMT_GROUP_NAME = %DEVOPS_MGMT_GROUP_NAME% +echo DEVOPS_ORG = %DEVOPS_ORG% +echo DEVOPS_PROJECT_NAME = %DEVOPS_PROJECT_NAME% +echo DEVOPS_SE_NAME = %DEVOPS_SE_NAME% +echo DEVOPS_SE_TEMPLATE = %DEVOPS_SE_TEMPLATE% +echo DEVOPS_SP_NAME = %DEVOPS_SP_NAME% +echo. +echo If these settings are not correct, please exit, update/run the set-variables.[YourEnv].bat script, and re-run this script +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Check output directory exists +if not exist %DEVOPS_OUTPUT_DIR% ( + echo Output directory [%DEVOPS_OUTPUT_DIR%] does not exist; creating it now... + md %DEVOPS_OUTPUT_DIR% +) + +REM Set DEVOPS_SP_ID and DEVOPS_SP_PW environment variables +if exist %DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out ( + echo Setting DEVOPS_SP_ID and DEVOPS_SP_PW based on file output from 'create-service-principal.bat' that was stored in [%DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out]... 
+ for /f "usebackq delims=" %%I in (`jq "".appId"" %DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out`) do set DEVOPS_SP_ID=%%~I + for /f "usebackq delims=" %%I in (`jq "".password"" %DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out`) do set DEVOPS_SP_PW=%%~I + echo Service principal ID and KEY are located in file [%DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out] +) + +REM Get the Service Principal key if not already present +if defined DEVOPS_SP_PW goto SkipServicePrincipalPrompt +echo. +choice /C YN /M "The service principal key must be entered/pasted here. Do you have it ready?" +if errorlevel 2 exit /b 0 +echo. +echo Enter or paste the service principal key here: +set /p DEVOPS_SP_PW="" +if not defined DEVOPS_SP_PW ( + echo. + echo The service principal key is *not* defined in environment variable DEVOPS_SP_PW + echo Exiting the script; please re-run and provide the Service Principal key when prompted + echo. + goto :EOF +) +:SkipServicePrincipalPrompt + +REM Set DEVOPS_MGMT_GROUP_ID env var based on lookup by DEVOPS_MGMT_GROUP_NAME +echo Performing lookup of AAD root management group ID by name... +for /f "usebackq delims=" %%I in (`call az account management-group list --query "[?displayName == '%DEVOPS_MGMT_GROUP_NAME%'].name | [0]"`) do set DEVOPS_MGMT_GROUP_ID=%%I +if not defined DEVOPS_MGMT_GROUP_ID ( + echo. + echo Error on lookup of DEVOPS_MGMT_GROUP_ID by DEVOPS_MGMT_GROUP_NAME [%DEVOPS_MGMT_GROUP_NAME%] + echo. + goto :EOF +) + +REM Set DEVOPS_SP_ID env var based on lookup by DEVOPS_SP_NAME +echo Performing lookup of AAD service principal ID by name... +for /f "usebackq delims=" %%I in (`call az ad sp list --filter "DisplayName eq '%DEVOPS_SP_NAME%'" --query "[0].appId"`) do set DEVOPS_SP_ID=%%I +if not defined DEVOPS_SP_ID ( + echo. + echo Error on lookup of DEVOPS_SP_ID by DEVOPS_SP_NAME [%DEVOPS_SP_NAME%] + echo. + goto :EOF +) + +REM Set DEVOPS_PROJECT_ID env var based on lookup by DEVOPS_PROJECT_NAME +echo Performing lookup of Azure DevOps project ID by name... 
+for /f "usebackq delims=" %%I in (`call az devops project show --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --query "id"`) do set DEVOPS_PROJECT_ID=%%I +if not defined DEVOPS_PROJECT_ID ( + echo. + echo Error on lookup of DEVOPS_PROJECT_ID by DEVOPS_PROJECT_NAME [%DEVOPS_PROJECT_NAME%] + echo. + goto :EOF +) + +REM Create service endpoint definition file +echo Creating a service endpoint definition file... +jq "(.name, .serviceEndpointProjectReferences[0].name) |= \"%DEVOPS_SE_NAME%\" | (.authorization.parameters.serviceprincipalid) |= \"%DEVOPS_SP_ID%\" | (.authorization.parameters.serviceprincipalkey) |= \"%DEVOPS_SP_PW%\" | (.authorization.parameters.tenantid) |= \"%DEVOPS_TENANT_ID%\" | (.data.managementGroupId) |= \"%DEVOPS_MGMT_GROUP_ID%\" | (.data.managementGroupName) |= \"%DEVOPS_MGMT_GROUP_NAME%\" | (.serviceEndpointProjectReferences[0].projectReference.id) |= \"%DEVOPS_PROJECT_ID%\" | (.serviceEndpointProjectReferences[0].projectReference.name) |= \"%DEVOPS_PROJECT_NAME%\"" .\service-endpoint.template.json >%DEVOPS_OUTPUT_DIR%\%DEVOPS_SE_TEMPLATE% + +REM Create the Service Endpoint +echo Creating the Azure DevOps service endpoint using existing Azure service principal and generated template... +call az devops service-endpoint create --service-endpoint-configuration %DEVOPS_OUTPUT_DIR%\%DEVOPS_SE_TEMPLATE% --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% diff --git a/scripts/onboarding/create-service-principal.bat b/scripts/onboarding/create-service-principal.bat new file mode 100644 index 00000000..85dabca1 --- /dev/null +++ b/scripts/onboarding/create-service-principal.bat 
@@ -0,0 +1,37 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Create an Azure service principal in the context of: +echo. +echo DEVOPS_OUTPUT_DIR = %DEVOPS_OUTPUT_DIR% +echo DEVOPS_SP_NAME = %DEVOPS_SP_NAME% +echo. +echo If these settings are not correct, please exit, update/run the set-variables.[YourEnv].bat script, and re-run this script +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Check output directory exists +if not exist %DEVOPS_OUTPUT_DIR% ( + echo Creating output directory [%DEVOPS_OUTPUT_DIR%]... + md %DEVOPS_OUTPUT_DIR% +) + +REM Create an Azure AD service principal +echo Creating Azure AD service principal named [%DEVOPS_SP_NAME%] with Owner role at tenant root scope... +call az ad sp create-for-rbac --name "%DEVOPS_SP_NAME%" --role "Owner" --scopes "/" >%DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out + +if not errorlevel 1 ( + echo Azure AD service principal created and information stored in file: %DEVOPS_OUTPUT_DIR%\%DEVOPS_SP_NAME%.out + echo. + echo NOTE: Keep this file secure as it contains ID and password for the service principal. + echo. +) diff --git a/scripts/onboarding/create-variable-group.bat b/scripts/onboarding/create-variable-group.bat new file mode 100644 index 00000000..06332e8b --- /dev/null +++ b/scripts/onboarding/create-variable-group.bat 
@@ -0,0 +1,51 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Create an Azure DevOps variable group in the context of: +echo. +echo DevOps Organization: %DEVOPS_ORG% +echo DevOps Project: %DEVOPS_PROJECT_NAME% +echo DevOps Variable Group: %DEVOPS_VARIABLES_GROUP_NAME% +echo DevOps Variables: %DEVOPS_VARIABLES_VALUES% +echo DevOps Variables are Secret: %DEVOPS_VARIABLES_ARE_SECRET% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +set ID= +REM Check whether variable group exists (get ID) +for /f usebackq %%V in (`call az pipelines variable-group list -o tsv --query "[?name=='%DEVOPS_VARIABLES_GROUP_NAME%'].id | [0]"`) do set ID=%%V + +REM Delete variable group if it already exists +if defined ID ( + choice /C YN /M "Variable group [%DEVOPS_VARIABLES_GROUP_NAME%] exists with ID [%ID%]. Do you want to delete and re-create it?" + if errorlevel 2 exit /b 0 + echo Deleting variable group [%DEVOPS_VARIABLES_GROUP_NAME%]... + call az pipelines variable-group delete --id %ID% --yes --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% +) + +REM Create the variable group +echo Creating variable group [%DEVOPS_VARIABLES_GROUP_NAME%] with variables: %DEVOPS_VARIABLES_VALUES%... +call az pipelines variable-group create --name %DEVOPS_VARIABLES_GROUP_NAME% --authorize true --query "[?name=='%DEVOPS_VARIABLES_GROUP_NAME%'].id | [0]" -o tsv --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --variables %DEVOPS_VARIABLES_VALUES% +echo. 
+echo Variable group [%DEVOPS_VARIABLES_GROUP_NAME%] has been created. +echo. +echo NOTE that this variable group is accessible from all pipelines. +echo. +echo RECOMMENDED that you use the Azure DevOps portal to restrict access to this +echo variable group to only the `platform-connectivity-hub-nva` pipeline. +echo. +echo RECOMMENDED that you DO NOT commit to your repository any changes made +echo to this file that include a plaintext username or password. +echo. + +REM Set variables as secret in Azure DevOps if requested +if "%DEVOPS_VARIABLES_ARE_SECRET%" == "true" call update-variable-group.bat true diff --git a/scripts/onboarding/delete-management-groups.bat b/scripts/onboarding/delete-management-groups.bat new file mode 100644 index 00000000..cf45cb79 --- /dev/null +++ b/scripts/onboarding/delete-management-groups.bat 
@@ -0,0 +1,79 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +set TMPFILE=management-groups.txt + +REM Get currently signed-in user identity +echo. +echo Getting currently signed-in user identity... +echo. +call az ad signed-in-user show --query "userPrincipalName" + +REM Get default subscription information +echo. +echo Getting default subscription information... +echo. +call az account list --query "[?isDefault].{Name:name, Id:id, AAD:homeTenantId, User:user.name}" -o table + +REM Get list of management groups in reverse order +echo. +echo Getting list of all management groups... +echo. +call az account management-group list -o tsv | sed "/Tenant Root Group/d" | cut -f 1 - | sort -k 1r - >%TMPFILE% + +REM Show user all management groups found +echo. +echo Management groups +echo ----------------- +cat %TMPFILE% +echo. + +REM Prompt user confirmation to delete all management groups +echo. +echo WARNING: +echo ------------------------------------------------------------------- +echo Continuing this script will delete the listed management groups, +echo which will also disassociate any subscriptions associated with each +echo management group. Subscriptions associated with a management group +echo that is being deleted will be re-parented to the tenant root scope. +echo. +echo Also note that this script will delete **all** management groups +echo defined in the current tenant, whether or not they were created for +echo your `CanadaPubSecALZ` work or by some other means. +echo. 
+echo Be sure you understand the implications of continuing this script +echo before proceeding. If you're not 100% certain, then select "N" at +echo the following prompt. +echo ------------------------------------------------------------------- +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 +echo. + +REM Delete all management groups (in hierarchy reverse order) +for /f usebackq %%m in (`cat %TMPFILE%`) do ( + + REM Check for subscriptions that need to be removed from management group + echo Checking management group [%%m] for subscriptions that need to be removed first... + for /f "usebackq delims=" %%s in ( + `call az account management-group show --name "%%m" --expand --query "children[?type=='/subscriptions'].{Name:displayName}" -o tsv` + ) do ( + echo removing subscription [%%s] from management group [%%m]... + call az account management-group subscription remove --name "%%m" --subscription "%%s" + ) + echo Deleting management group: %%m + call az account management-group delete --name %%m +) + +REM Remove %TMPFILE% temporary file +if exist %TMPFILE% ( + echo Deleting temporary file '%TMPFILE%' + erase %TMPFILE% +) diff --git a/scripts/onboarding/delete-pipelines.bat b/scripts/onboarding/delete-pipelines.bat new file mode 100644 index 00000000..3e69e72a --- /dev/null +++ b/scripts/onboarding/delete-pipelines.bat 
@@ -0,0 +1,27 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Deleting Azure DevOps pipelines in the context of: +echo. +echo DevOps Organization: %DEVOPS_ORG% +echo DevOps Project: %DEVOPS_PROJECT_NAME% +echo Azure Pipeline Suffix: %DEVOPS_PIPELINE_NAME_SUFFIX% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Process all pipeline definitions +for %%N in (management-groups roles platform-logging policy platform-connectivity-hub-nva platform-connectivity-hub-azfw platform-connectivity-hub-azfw-policy subscriptions) do ( + echo. + echo Deleting pipeline [%%N]... + echo. + call az pipelines list -o tsv --query "[?name == '%%N%DEVOPS_PIPELINE_NAME_SUFFIX%'].id" -o tsv | call az pipelines delete --id @- --yes --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% +) diff --git a/scripts/onboarding/delete-service-endpoint.bat b/scripts/onboarding/delete-service-endpoint.bat new file mode 100644 index 00000000..e4a7e2b8 --- /dev/null +++ b/scripts/onboarding/delete-service-endpoint.bat 
@@ -0,0 +1,24 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Deleting Azure DevOps service endpoint (aka service connection) in the context of: +echo. +echo DevOps Organization = %DEVOPS_ORG% +echo DevOps Project = %DEVOPS_PROJECT_NAME% +echo DevOps Service Endpoint = %DEVOPS_SE_NAME% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Delete Azure DevOps service endpoint +echo Deleting Azure DevOps service endpoint %DEVOPS_SE_NAME%... +call az devops service-endpoint list --query "[?name == '%DEVOPS_SE_NAME%'].id" -o tsv | call az devops service-endpoint delete --yes --id @- +echo. diff --git a/scripts/onboarding/delete-service-principal.bat b/scripts/onboarding/delete-service-principal.bat new file mode 100644 index 00000000..d0703d39 --- /dev/null +++ b/scripts/onboarding/delete-service-principal.bat 
@@ -0,0 +1,21 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Deleting Azure service principal in the context of: +echo. +echo DEVOPS_SP_NAME = %DEVOPS_SP_NAME% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM Delete service principal +echo Deleting service principal: %DEVOPS_SP_NAME%... +call az ad sp list --display-name "%DEVOPS_SP_NAME%" --query "[0].objectId" -o tsv | call az ad sp delete --id @- diff --git a/scripts/onboarding/list-management-groups.bat b/scripts/onboarding/list-management-groups.bat new file mode 100644 index 00000000..27c06192 --- /dev/null +++ b/scripts/onboarding/list-management-groups.bat @@ -0,0 +1,15 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +REM Get list of management groups in reverse order +echo. +echo Management groups +echo ----------------- +call az account management-group list -o tsv | cut -f 1 - | sort -k 1r - 
diff --git a/scripts/onboarding/list-root-user-access-admin.bat b/scripts/onboarding/list-root-user-access-admin.bat new file mode 100644 index 00000000..290a27e2 --- /dev/null +++ b/scripts/onboarding/list-root-user-access-admin.bat @@ -0,0 +1,15 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Listing users with elevated "User Access Administrator" role at tenant root scope... +echo. + +call az role assignment list --role "User Access Administrator" --scope "/" -o table diff --git a/scripts/onboarding/list-variables.bat b/scripts/onboarding/list-variables.bat new file mode 100644 index 00000000..0f44dbab --- /dev/null +++ b/scripts/onboarding/list-variables.bat @@ -0,0 +1,17 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +set ENV_VAR_PATTERN="DEVOPS_" + +echo. +echo Your environment variables matching [%ENV_VAR_PATTERN%] are: +echo. +set %ENV_VAR_PATTERN% +echo. 
diff --git a/scripts/onboarding/remove-root-user-access-admin.bat b/scripts/onboarding/remove-root-user-access-admin.bat new file mode 100644 index 00000000..1de94840 --- /dev/null +++ b/scripts/onboarding/remove-root-user-access-admin.bat @@ -0,0 +1,26 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +if '%1' == '' goto Usage + +echo. +echo Removing user [%1] from elevated "User Access Administrator" role at tenant root scope... +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +call az role assignment delete --assignee %1 --role "User Access Administrator" --scope "/" + +goto :EOF + +:Usage +echo. +echo Missing parameter. Specify a user (UPN) to remove from the elevated "User Access Administrator" role at root scope of the tenant for the currently signed-in user. +echo. diff --git a/scripts/onboarding/run-pipelines.bat b/scripts/onboarding/run-pipelines.bat new file mode 100644 index 00000000..78537fc4 --- /dev/null +++ b/scripts/onboarding/run-pipelines.bat 
@@ -0,0 +1,86 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Runn Azure DevOps pipelines in the context of: +echo. +echo DevOps Organization: %DEVOPS_ORG% +echo DevOps Project: %DEVOPS_PROJECT_NAME% +echo Repository Branch: %DEVOPS_REPO_BRANCH% +echo Azure Pipeline Suffix: %DEVOPS_PIPELINE_NAME_SUFFIX% +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +REM The [S] option to run the subscriptions pipeline is commented-out as +REM it requires one or more GUIDs or partial GUIDs that are unique for +REM identifying subscription configuration (JSON) files to operate upon. +REM Additional work on this script is required to enable this capability. + +:Prompt +echo. +echo Options: +echo [M] management-groups +echo [R] roles +echo [L] platform-logging +echo [P] policy +echo [N] platform-connectivity-hub-nva +echo [Y] platform-connectivity-hub-azfw +echo [Z] platform-connectivity-hub-azfw-policy +echo [S] subscriptions +echo [X] exit +echo. +choice /C MRLPNYZSX /M "Select option?" 
+goto case_%errorlevel% + +:case_1 +set PIPELINE=management-groups%DEVOPS_PIPELINE_NAME_SUFFIX% +goto :RunPipeline + +:case_2 +set PIPELINE=roles-ci +goto :RunPipeline + +:case_3 +set PIPELINE=platform-logging%DEVOPS_PIPELINE_NAME_SUFFIX% +goto :RunPipeline + +:case_4 +set PIPELINE=policy-ci +goto :RunPipeline + +:case_5 +set PIPELINE=platform-connectivity-hub-nva%DEVOPS_PIPELINE_NAME_SUFFIX% +goto :RunPipeline + +:case_6 +set PIPELINE=platform-connectivity-hub-azfw%DEVOPS_PIPELINE_NAME_SUFFIX% +goto :RunPipeline + +:case_7 +set PIPELINE=platform-connectivity-hub-azfw-policy%DEVOPS_PIPELINE_NAME_SUFFIX% +goto :RunPipeline + +:case_8 +set PIPELINE=subscriptions%DEVOPS_PIPELINE_NAME_SUFFIX% +echo. +echo Running the [%PIPELINE%] pipeline from this script is not supported at this time. +goto :Prompt + +:case_9 +exit /b 0 + +:RunPipeline +echo. +echo Running pipeline: %PIPELINE%... +echo. +call az pipelines run --name %PIPELINE% --branch %DEVOPS_REPO_BRANCH% --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --open +echo. +goto Prompt diff --git a/scripts/onboarding/service-endpoint.template.json b/scripts/onboarding/service-endpoint.template.json new file mode 100644 index 00000000..cc546709 --- /dev/null +++ b/scripts/onboarding/service-endpoint.template.json 
@@ -0,0 +1,39 @@ +{ + "administratorsGroup": null, + "authorization": { + "scheme": "ServicePrincipal", + "parameters": { + "serviceprincipalid": "", + "authenticationType": "spnKey", + "serviceprincipalkey": "", + "tenantid": "" + } + }, + "createdBy": null, + "data": { + "environment": "AzureCloud", + "scopeLevel": "ManagementGroup", + "creationMode": "Manual", + "managementGroupId": "", + "managementGroupName": "" + }, + "description": "Service principal with RBAC Owner at Tenant Root Group", + "groupScopeId": null, + "name": "", + "operationStatus": null, + "readersGroup": null, + "serviceEndpointProjectReferences": [ + { + "description": "Service principal with RBAC Owner at Tenant Root Group", + "name": "", + "projectReference": { + "id": "", + "name": "" + } + } + ], + "type": "azurerm", + "url": "https://management.azure.com/", + "isShared": false, + "owner": "library" +} \ No newline at end of file diff --git a/scripts/onboarding/set-variables.DevOpsOrgName.bat b/scripts/onboarding/set-variables.DevOpsOrgName.bat new file mode 100644 index 00000000..9ddcd134 --- /dev/null +++ b/scripts/onboarding/set-variables.DevOpsOrgName.bat 
@@ -0,0 +1,58 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +REM Azure AD tenant GUID +set DEVOPS_TENANT_ID= + +REM Azure AD tenant root management group name +set DEVOPS_MGMT_GROUP_NAME=Tenant Root Group + +REM Azure service principal name for 'Owner' RBAC at tenant root scope +set DEVOPS_SP_NAME=spn-azure-platform-ops + +REM Azure security group name for 'Owner` RBAC subscription, network, and logging +set DEVOPS_SG_NAME=alz-owners + +REM Azure DevOps organization URL +set DEVOPS_ORG= + +REM Azure DevOps project name (prefer no spaces) +set DEVOPS_PROJECT_NAME= + +REM Repository name or URL +set DEVOPS_REPO_NAME_OR_URL= + +REM Repository type: 'tfsgit' or 'github' +set DEVOPS_REPO_TYPE=tfsgit + +REM Repository branch name (default) +set DEVOPS_REPO_BRANCH=main + +REM Azure DevOps pipeline name suffix (default) +set DEVOPS_PIPELINE_NAME_SUFFIX=-ci + +REM Azure DevOps service endpoint name (service connection in project settings) +set DEVOPS_SE_NAME=spn-azure-platform-ops + +REM Azure DevOps service endpoint template file (generated) +set DEVOPS_SE_TEMPLATE=service-endpoint.DEVOPS-ORG-NAME.json + +REM Do not change this value (hard-coded in YAML pipeline definition) +set DEVOPS_VARIABLES_GROUP_NAME=firewall-secrets + +REM Variables is a space-delimited key=value string. Provide values for +REM 'var-hubnetwork-nva-fwUsername' and 'var-hubnetwork-nva-fwPassword'. 
+set DEVOPS_VARIABLES_VALUES=var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword + +REM Are variables in the firewall-secrets group marked as secret? 'true' or 'false'. +set DEVOPS_VARIABLES_ARE_SECRET=true + +REM Folder path for generated output files +set DEVOPS_OUTPUT_DIR=.\output diff --git a/scripts/onboarding/set-variables.ocag148outlook.bat b/scripts/onboarding/set-variables.ocag148outlook.bat new file mode 100644 index 00000000..94d50abf --- /dev/null +++ b/scripts/onboarding/set-variables.ocag148outlook.bat 
@@ -0,0 +1,58 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +REM Azure AD tenant GUID +set DEVOPS_TENANT_ID=c0156602-5e7d-47be-9128-69dbf7152c17 + +REM Azure AD tenant root management group name +set DEVOPS_MGMT_GROUP_NAME=Tenant Root Group + +REM Azure service principal name for 'Owner' RBAC at tenant root scope +set DEVOPS_SP_NAME=spn-azure-platform-ops + +REM Azure security group name for 'Owner` RBAC subscription, network, and logging +set DEVOPS_SG_NAME=alz-owners + +REM Azure DevOps organization URL +set DEVOPS_ORG=https://dev.azure.com/ocag148outlook + +REM Azure DevOps project name (prefer no spaces) +set DEVOPS_PROJECT_NAME=CanadaPubSecALZ + +REM Repository name or URL +set DEVOPS_REPO_NAME_OR_URL=CanadaPubSecALZ + +REM Repository type: 'tfsgit' or 'github' +set DEVOPS_REPO_TYPE=tfsgit + +REM Repository branch name (default) +set DEVOPS_REPO_BRANCH=main + +REM Azure DevOps pipeline name suffix (default) +set DEVOPS_PIPELINE_NAME_SUFFIX=-ci + +REM Azure DevOps service endpoint name (service connection in project settings) +set DEVOPS_SE_NAME=spn-azure-platform-ops + +REM Azure DevOps service endpoint template file (generated) +set DEVOPS_SE_TEMPLATE=service-endpoint.ocag148outlook.json + +REM Do not change this value (hard-coded in YAML pipeline definition) +set DEVOPS_VARIABLES_GROUP_NAME=firewall-secrets + +REM Variables is a space-delimited key=value string. Provide values for +REM 'var-hubnetwork-nva-fwUsername' and 'var-hubnetwork-nva-fwPassword'. 
+set DEVOPS_VARIABLES_VALUES=var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword + +REM Are variables in the firewall-secrets group marked as secret? 'true' or 'false'. +set DEVOPS_VARIABLES_ARE_SECRET=true + +REM Folder path for generated output files +set DEVOPS_OUTPUT_DIR=.\output diff --git a/scripts/onboarding/share-service-endpoint.bat b/scripts/onboarding/share-service-endpoint.bat new file mode 100644 index 00000000..dce0c96e --- /dev/null +++ b/scripts/onboarding/share-service-endpoint.bat 
@@ -0,0 +1,47 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo Share the Azure DevOps service endpoint (aka service connection) with all pipelines in the context of: +echo. +echo DEVOPS_ORG = %DEVOPS_ORG% +echo DEVOPS_PROJECT_NAME = %DEVOPS_PROJECT_NAME% +echo DEVOPS_SE_NAME = %DEVOPS_SE_NAME% +echo. +echo If these settings are not correct, please exit, update/run the set-variables.[YourEnv].bat script, and re-run this script +echo. +choice /C YN /M "Do you want to proceed?" +if errorlevel 2 exit /b 0 + +echo. +echo Configure existing Azure DevOps service endpoint to share with all pipelines in the project +echo. + +REM Set DEVOPS_SE_ID env var based on lookup by DEVOPS_SE_NAME +echo Performing lookup of Azure DevOps service endpoint ID by name... +for /f "usebackq delims=" %%I in (`call az devops service-endpoint list --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --query "[?name == '%DEVOPS_SE_NAME%'].id | [0]"`) do set DEVOPS_SE_ID=%%I +if not defined DEVOPS_SE_ID ( + echo. + echo Error on lookup of DEVOPS_SE_ID by DEVOPS_SE_NAME [%DEVOPS_SE_NAME%] + echo. + exit /b 1 +) + +REM Update the Service Endpoint properties to allow it to be used by all pipelines in the project +echo Updating the Azure DevOps service endpoint [%DEVOPS_SE_NAME%] to allow it to be used by all pipelines in the project [%DEVOPS_PROJECT_NAME%]... +call az devops service-endpoint update --id %DEVOPS_SE_ID% --enable-for-all --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% + +echo. 
+echo RECOMMENDED: Navigate to the Azure DevOps project settings, select "Service connections", select the "%DEVOPS_SE_NAME%" service endpoint, select "Security", and review the assigned project and pipeline access permissions. +echo. +echo If you have more pipelines than just the landing zone pipelines defined in your project, +echo it is recommended that you restrict access to this service endpoint to only the landing +echo zone pipelines that require access to it. +echo. diff --git a/scripts/onboarding/unset-variables.bat b/scripts/onboarding/unset-variables.bat new file mode 100644 index 00000000..5e8ef8bf --- /dev/null +++ b/scripts/onboarding/unset-variables.bat @@ -0,0 +1,29 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +REM echo Enter pattern for environment variable match: +REM set /p ENV_VAR_PATTERN="" + +set ENV_VAR_PATTERN="DEVOPS_" + +echo. +echo Your environment variables matching [%ENV_VAR_PATTERN%] are: +echo. +set %ENV_VAR_PATTERN% +echo. + +choice /C "YN" /M "Do you want to clear all of these environment variables?" +if errorlevel 2 exit /b 0 + +REM Unset environment variables +for /f "usebackq delims==" %%A in (`set %ENV_VAR_PATTERN%`) do set %%A= +echo. +echo environment variables matching [%ENV_VAR_PATTERN%] have been cleared! +echo. diff --git a/scripts/onboarding/update-variable-group.bat b/scripts/onboarding/update-variable-group.bat new file mode 100644 index 00000000..8fef22c2 --- /dev/null +++ b/scripts/onboarding/update-variable-group.bat 
@@ -0,0 +1,40 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +if '%1' == 'true' goto SkipPrompt +if '%1' == 'false' goto SkipPrompt + +echo. +echo Updating Azure DevOps variable group in the context of: +echo. +echo DevOps Organization: %DEVOPS_ORG% +echo DevOps Project: %DEVOPS_PROJECT_NAME% +echo DevOps Variable Group: %DEVOPS_VARIABLES_GROUP_NAME% +echo DevOps Variables are Secret: %DEVOPS_VARIABLES_ARE_SECRET% +echo. +choice /C YN /M "Is this correct?" +if errorlevel 2 exit /b 0 + +:SkipPrompt + +REM Update secret setting for variables in the variable group +:CheckAgain +echo Looking up ID for variable group [%DEVOPS_VARIABLES_GROUP_NAME%]... +for /f "usebackq delims=" %%I in (`call az pipelines variable-group list -o tsv --query "[?name=='%DEVOPS_VARIABLES_GROUP_NAME%'].id | [0]"`) do set ID=%%I +if not defined ID goto CheckAgain + +echo Found ID [%ID%] for variable group [%DEVOPS_VARIABLES_GROUP_NAME%] +echo Updating all variables in this group to mark as secret=%DEVOPS_VARIABLES_ARE_SECRET%: + +for /f "usebackq delims=" %%V in (`call az pipelines variable-group variable list --group-id %ID% --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% --query "[keys(@)][]" -o tsv`) do ( + + echo Marking variable [%%V] as secret=%DEVOPS_VARIABLES_ARE_SECRET%... + call az pipelines variable-group variable update --group-id %ID% --name %%V --secret %DEVOPS_VARIABLES_ARE_SECRET% --org %DEVOPS_ORG% --project %DEVOPS_PROJECT_NAME% +) 
diff --git a/scripts/onboarding/whereami-azure.bat b/scripts/onboarding/whereami-azure.bat new file mode 100644 index 00000000..850b1948 --- /dev/null +++ b/scripts/onboarding/whereami-azure.bat @@ -0,0 +1,17 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +echo. +echo All signed-in user identities are: +echo. + +call az account list --query [].user.name | sed "s/,//" | uniq + +echo. diff --git a/scripts/onboarding/whoami-azure.bat b/scripts/onboarding/whoami-azure.bat new file mode 100644 index 00000000..0f499dd2 --- /dev/null +++ b/scripts/onboarding/whoami-azure.bat @@ -0,0 +1,17 @@ +@echo off +REM // ---------------------------------------------------------------------------------- +REM // Copyright (c) Microsoft Corporation. +REM // Licensed under the MIT license. +REM // +REM // THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, +REM // EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES +REM // OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. +REM // ---------------------------------------------------------------------------------- + +for /f "usebackq delims=" %%W in (`call az ad signed-in-user show --query "userPrincipalName"`) do set WHOAMI_AZURE=%%~W + +echo. +echo Currently signed-in user is: +echo. +echo %WHOAMI_AZURE% +echo.
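Review bot: In the set-variables hunk (`@@ -0,0 +1,58 @@`), `set DEVOPS_VARIABLES_VALUES=var-hubnetwork-nva-fwUsername=YourUserName var-hubnetwork-nva-fwPassword=YourPassword` puts the firewall credential into a committed script that already carries a real tenant GUID (`DEVOPS_TENANT_ID`) and organization URL (`DEVOPS_ORG=https://dev.azure.com/ocag148outlook`); the first person who replaces the placeholder will commit a live password, and it will also sit in the environment of every shell that sources the file. Consider prompting for the password with `set /p` (the pattern that is commented out in unset-variables.bat), or reading it from a file that is listed in .gitignore, and reduce the tenant and organization values to placeholders so nothing environment-specific is in the repository. Minor: the comment `REM Azure security group name for 'Owner` RBAC subscription, network, and logging` mixes a single quote and a backtick.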
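Review bot: In share-service-endpoint.bat, the `if not defined DEVOPS_SE_ID` guard does not catch a missing endpoint: the query `[?name == '%DEVOPS_SE_NAME%'].id | [0]` yields `null` when there is no match, and with the CLI's default JSON output that is printed as the literal `null`, so `DEVOPS_SE_ID` is set to the string `null` and the script proceeds to `az devops service-endpoint update --id null ...`. Add `-o tsv` to the lookup (as update-variable-group.bat does) so an empty result leaves the variable unset, or test for `null` explicitly, and check `%errorlevel%` after the `update` call so a failed change is reported rather than followed by the success text. Separately, `--enable-for-all` hands an Owner-scoped service principal to every pipeline in the project, which the script's own closing `echo` lines advise against when other pipelines exist; printing that advice before the `choice` prompt, or making the share step opt-in, would let the operator decide with the risk in front of them.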
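Review bot: In unset-variables.bat, the script only clears the `DEVOPS_` variables of the current cmd session, which is exactly what is wanted because `DEVOPS_VARIABLES_VALUES` from the set-variables script carries the firewall password; it would help to say so in the final `echo` (and to capitalise it, as the other messages are) so operators know a new console started from the same set-variables script will have the values again. The commented-out `REM set /p ENV_VAR_PATTERN=""` lines are dead code; either drop them or accept an optional `%1` override the way update-variable-group.bat does.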
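Review bot: In update-variable-group.bat, `:CheckAgain` together with `if not defined ID goto CheckAgain` loops forever when the `firewall-secrets` group does not exist yet or the `az` call fails (not logged in, wrong project), since nothing bounds the retries and there is no error exit; use the `if not defined ID ( echo Error ... & exit /b 1 )` pattern from share-service-endpoint.bat instead. The lookup `az pipelines variable-group list -o tsv --query ...` also omits the `--org` and `--project` arguments that every other call in the file passes, so it resolves the group against the `az devops configure` defaults and can find a same-named group in a different project. Finally, `--secret %DEVOPS_VARIABLES_ARE_SECRET%` is applied to every variable in the group, including `var-hubnetwork-nva-fwUsername`; that is the safe choice, but the echo should say that secret values can no longer be read back through the CLI or the portal once marked.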
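Review bot: In whereami-azure.bat, `call az account list --query [].user.name | sed "s/,//" | uniq` depends on `sed` and `uniq`, which a stock cmd.exe does not have, so the script fails unless Git for Windows or similar Unix tools are on PATH. Requesting `-o tsv` from `az account list --query "[].user.name"` already gives one name per line with no JSON brackets or commas, which removes the need for `sed`; duplicates can then be collapsed in a `for /f` loop with native commands, or the documentation should state the sed/uniq prerequisite.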
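Review bot: In whoami-azure.bat, `az ad signed-in-user show` only works for an interactive user login; when the session was established with a service principal (the identity these onboarding scripts create), the command errors out, the `for /f` body never runs, and the script prints whatever `WHOAMI_AZURE` held from an earlier run, or a blank line. Clearing the variable before the loop (`set WHOAMI_AZURE=`) and falling back to `az account show --query user.name` when it stays unset would make the output trustworthy in both cases.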