Replace AAD and MS Graph hardcoded URIs with az commands (#3314)

* replace AAD and MS Graph hardcoded URIs with az commands to get the corresponding URI for the environment

* fix linting errors

devops/scripts/aad/create_api_application.sh

@@ -30,7 +30,7 @@ Examples:
     3. $0 --name 'TRE' --tre-url https://mytre.region.cloudapp.azure.com --admin-consent --automation-account
 
 USAGE
-    exit 1
+    exit 2
 }
 
 if ! command -v az &> /dev/null; then
@@ -56,7 +56,7 @@ declare treUrl=""
 declare currentUserId=""
 declare automationAppId=""
 declare automationAppObjectId=""
-declare msGraphUri="https://graph.microsoft.com/v1.0"
+declare msGraphUri=""
 declare spPassword=""
 
 # Initialize parameters specified from command line
@@ -85,7 +85,6 @@ while [[ $# -gt 0 ]]; do
         *)
             echo "Invalid option: $1."
             show_usage
-            exit 2
         ;;
     esac
 done
@@ -100,6 +99,7 @@ fi
 uxAppName="$appName UX"
 appName="$appName API"
 currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-errors)
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
 echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Azure AD tenant.\e[0m"

devops/scripts/aad/create_application_administrator.sh

@@ -23,7 +23,7 @@ Options:
     -r,--reset-password         Optional, switch to automatically reset the password. Default 0
 
 USAGE
-    exit 1
+    exit 2
 }
 
 if ! command -v az &> /dev/null; then
@@ -38,7 +38,7 @@ declare grantAdminConsent=0
 declare resetPassword=0
 declare currentUserId=""
 declare spId=""
-declare msGraphUri="https://graph.microsoft.com/v1.0"
+declare msGraphUri=""
 declare appName=""
 declare applicationPermission="Application.ReadWrite.OwnedBy"
 
@@ -64,7 +64,6 @@ while [[ $# -gt 0 ]]; do
         *)
             echo "Invalid option: $1."
             show_usage
-            exit 2
         ;;
     esac
 done
@@ -83,6 +82,7 @@ if [[ -z "$appName" ]]; then
 fi
 appName="$appName Application Admin"
 currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-errors)
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
 echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Azure AD tenant.\e[0m"

devops/scripts/aad/create_automation_administrator.sh

@@ -19,7 +19,7 @@ Options:
     -r,--reset-password         Optional, switch to automatically reset the password. Default 0
 
 USAGE
-    exit 1
+    exit 2
 }
 
 if ! command -v az &> /dev/null; then
@@ -32,7 +32,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
 declare resetPassword=0
 declare currentUserId=""
-declare msGraphUri="https://graph.microsoft.com/v1.0"
+declare msGraphUri=""
 declare appName=""
 
 # Initialize parameters specified from command line
@@ -49,7 +49,6 @@ while [[ $# -gt 0 ]]; do
         *)
             echo "Invalid option: $1."
             show_usage
-            exit 2
         ;;
     esac
 done
@@ -68,6 +67,7 @@ if [[ -z "$appName" ]]; then
 fi
 appName="$appName Automation Admin"
 currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-errors)
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
 echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Azure AD tenant.\e[0m"

devops/scripts/aad/create_or_update_service_principal.sh

@@ -10,7 +10,8 @@ function wait_for_new_service_principal()
   servicePrincipalId=$1
   retries=10
   counter=0
-  local msGraphUri="https://graph.microsoft.com/v1.0"
+  local msGraphUri=""
+  msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 
   output=$(az rest --method GET --uri "${msGraphUri}/servicePrincipals/${servicePrincipalId}" 2>/dev/null || true)
 

devops/scripts/aad/create_workspace_application.sh

@@ -25,7 +25,7 @@ Options:
     -r,--reset-password             Optional, switch to automatically reset the password. Default 0
 
 USAGE
-    exit 1
+    exit 2
 }
 
 if ! command -v az &> /dev/null; then
@@ -46,7 +46,7 @@ declare spPassword=""
 declare grantAdminConsent=0
 declare currentUserId=""
 declare uxClientId=""
-declare msGraphUri="https://graph.microsoft.com/v1.0"
+declare msGraphUri=""
 declare appName=""
 declare automationClientId=""
 declare applicationAdminClientId=""
@@ -82,7 +82,6 @@ while [[ $# -gt 0 ]]; do
         *)
             echo "Invalid option: $1."
             show_usage
-            exit 2
         ;;
     esac
 done
@@ -101,6 +100,7 @@ if [[ -z "$applicationAdminClientId" ]]; then
 fi
 applicationAdminObjectId=$(az ad sp show --id "${applicationAdminClientId}" --query id -o tsv --only-show-errors)
 currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-errors)
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
 echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Azure AD tenant.\e[0m"

devops/scripts/aad/grant_admin_consent.sh

@@ -13,7 +13,8 @@ function grant_admin_consent()
     principalId=$1
     resourceId=$2
     appRoleId=$3
-    local msGraphUri="https://graph.microsoft.com/v1.0"
+    local msGraphUri=""
+    msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 
     # test if enabled to avoid "Permission being assigned already exists on the object" error
     is_enabled=$(az rest --method GET \

devops/scripts/aad/wait_for_new_service_principal.sh

@@ -9,7 +9,8 @@ function wait_for_new_service_principal()
   servicePrincipalId=$1
   retries=10
   counter=0
-  local msGraphUri="https://graph.microsoft.com/v1.0"
+  local msGraphUri=""
+  msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 
   output=$(az rest --method GET --uri "${msGraphUri}/servicePrincipals/${servicePrincipalId}" 2>/dev/null || true)
 

devops/scripts/get_access_token.sh

@@ -5,12 +5,14 @@ set -o pipefail
 # Uncomment this line to see each command for debugging (careful: this will show secrets!)
 # set -o xtrace
 
+activeDirectoryUri="$(az cloud show --query endpoints.activeDirectory --output tsv)"
+
 if [ -n "${TEST_ACCOUNT_CLIENT_ID:-}" ] && [ -n "${TEST_ACCOUNT_CLIENT_SECRET:-}" ] && [ -n "${AAD_TENANT_ID:-}" ] && [ -n "${API_CLIENT_ID:-}" ]
 then
   # Use client credentials flow with TEST_ACCOUNT_CLIENT_ID/SECRET
   echo "Using TEST_ACCOUNT_CLIENT_ID to get token via client credential flow"
   token_response=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
-    https://login.microsoftonline.com/"${AAD_TENANT_ID}"/oauth2/v2.0/token \
+    "${activeDirectoryUri}/${AAD_TENANT_ID}"/oauth2/v2.0/token \
     -d "client_id=${TEST_ACCOUNT_CLIENT_ID}"   \
     -d 'grant_type=client_credentials'   \
     -d "scope=api://${API_CLIENT_ID}/.default"   \
@@ -21,7 +23,7 @@ then
   echo "Using TEST_USER_NAME to get token via resource owner password credential flow"
   token_response=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d \
     "grant_type=password&resource=""${API_CLIENT_ID}""&client_id=""${TEST_APP_ID}""&username=""${TEST_USER_NAME}""&password=""${TEST_USER_PASSWORD}""&scope=default)" \
-    https://login.microsoftonline.com/"${AAD_TENANT_ID}"/oauth2/token)
+    "${activeDirectoryUri}/${AAD_TENANT_ID}"/oauth2/token)
 fi
 
 if [ -n "${token_response:-}" ]

templates/workspace_services/azureml/terraform/get_app_role_members.sh

@@ -6,12 +6,14 @@ eval "$(jq -r '@sh "AUTH_CLIENT_ID=\(.auth_client_id) AUTH_CLIENT_SECRET=\(.auth
 
 az login --allow-no-subscriptions --service-principal --username "$AUTH_CLIENT_ID" --password "$AUTH_CLIENT_SECRET" --tenant "$AUTH_TENANT_ID" > /dev/null
 
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
+
 # get the service principal object id
-sp=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json)
+sp=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json)
 spId=$(echo "$sp" | jq -r '.value[0].id')
 
 # filter to the Workspace Researcher Role
 workspaceResearcherRoleId=$(echo "$sp" | jq -r '.value[0].appRoles[] | select(.value == "WorkspaceResearcher") | .id')
-principals=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId')
+principals=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId')
 
 jq -n --arg principals "$principals" '{"principals":$principals}'

templates/workspace_services/health-services/terraform/get_app_role_members.sh

@@ -6,12 +6,14 @@ eval "$(jq -r '@sh "AUTH_CLIENT_ID=\(.auth_client_id) AUTH_CLIENT_SECRET=\(.auth
 
 az login --allow-no-subscriptions --service-principal --username "$AUTH_CLIENT_ID" --password "$AUTH_CLIENT_SECRET" --tenant "$AUTH_TENANT_ID" > /dev/null
 
+msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
+
 # get the service principal object id
-sp=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json)
+sp=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals?\$filter=appid eq '${WORSKPACE_CLIENT_ID}'" -o json)
 spId=$(echo "$sp" | jq -r '.value[0].id')
 
 # filter to the Workspace Researcher Role
 workspaceResearcherRoleId=$(echo "$sp" | jq -r '.value[0].appRoles[] | select(.value == "WorkspaceResearcher") | .id')
-principals=$(az rest --method GET --uri "https://graph.microsoft.com/v1.0/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId')
+principals=$(az rest --method GET --uri "${msGraphUri}/serviceprincipals/${spId}/appRoleAssignedTo" -o json | jq -r --arg workspaceResearcherRoleId "${workspaceResearcherRoleId}" '.value[] | select(.appRoleId == $workspaceResearcherRoleId) | .principalId')
 
 jq -n --arg principals "$principals" '{"principals":$principals}'