diff --git a/src/core/saca-hub/main.tf b/src/core/saca-hub/main.tf index fed15832c..93b60cce0 100644 --- a/src/core/saca-hub/main.tf +++ b/src/core/saca-hub/main.tf @@ -27,6 +27,9 @@ provider "azurerm" { log_analytics_workspace { permanently_delete_on_destroy = true } + key_vault { + purge_soft_delete_on_destroy = true + } } } 
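Review bot: The new `key_vault` provider feature block carries no comment explaining why soft-delete purge is enabled, and its effect is that `terraform destroy` irreversibly removes the jumpbox credential vault created in src/modules/jumpbox/main.tf together with every secret in it. Suggest `# purge the soft-deleted vault on destroy so a redeploy can reuse the vault name; this permanently discards the stored jumpbox credentials` above `purge_soft_delete_on_destroy = true`. Purging a deleted vault also needs a subscription-scoped permission that the vault access policy does not grant, so confirm the deploying principal holds it or destroy will stop at the purge step. The `provider "azurerm"` block begins before this hunk.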
@@ -109,3 +112,52 @@ module "saca-firewall" { DeploymentName = var.deploymentname } } + +module "jumpbox-subnet" { + depends_on = [module.saca-hub-network, module.saca-firewall] + source = "../../modules/subnet" + + name = var.jumpbox_subnet.name + location = var.mlz_location + resource_group_name = azurerm_resource_group.hub.name + virtual_network_name = var.saca_vnetname + address_prefixes = var.jumpbox_subnet.address_prefixes + service_endpoints = lookup(var.jumpbox_subnet, "service_endpoints", []) + + enforce_private_link_endpoint_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_endpoint_network_policies", null) + enforce_private_link_service_network_policies = lookup(var.jumpbox_subnet, "enforce_private_link_service_network_policies", null) + + nsg_name = var.jumpbox_subnet.nsg_name + nsg_rules = var.jumpbox_subnet.nsg_rules + + routetable_name = var.jumpbox_subnet.routetable_name + firewall_ip_address = module.saca-firewall.firewall_public_ip + + log_analytics_storage_id = module.saca-hub-network.log_analytics_storage_id + log_analytics_workspace_id = module.saca-hub-network.log_analytics_workspace_id + + tags = { + DeploymentName = var.deploymentname + } +} + +module "jumpbox" { + depends_on = [module.saca-hub-network, module.jumpbox-subnet] + source = "../../modules/jumpbox" + + resource_group_name = azurerm_resource_group.hub.name + virtual_network_name = var.saca_vnetname + subnet_name = var.jumpbox_subnet.name + location = azurerm_resource_group.hub.location + + keyvault_name = var.jumpbox_keyvault_name + tenant_id = var.mlz_tenantid + object_id = var.mlz_objectid + + name = var.jumpbox_vm_name + size = var.jumpbox_vm_size + publisher = var.jumpbox_vm_publisher + offer = var.jumpbox_vm_offer + sku = var.jumpbox_vm_sku + image_version = var.jumpbox_vm_version +} diff --git a/src/core/saca-hub/saca-hub.front.json b/src/core/saca-hub/saca-hub.front.json index 855cd832e..d93d320c9 100644 --- a/src/core/saca-hub/saca-hub.front.json 
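Review bot: `firewall_ip_address = module.saca-firewall.firewall_public_ip` in module "jumpbox-subnet" hands the subnet module the firewall's public address; if the subnet module uses it as the next hop of a VirtualAppliance route for `routetable_name` (the subnet module is outside this diff, so confirm), that route cannot forward, because the next hop must be the firewall's private IP inside the VNet, leaving jumpbox egress either black-holed or, if the route is ignored, bypassing the firewall. If so, expose the private address from src/modules/firewall/output.tf, e.g. `value = azurerm_firewall.<firewall-resource-name>.ip_configuration[0].private_ip_address`, pass that here instead, and check how the existing hub subnets in this file obtain the firewall IP so the two stay consistent. Separately, module "jumpbox" passes `object_id = var.mlz_objectid`, so the deploying service principal rather than an operator identity becomes the only principal with a Key Vault access policy on the jumpbox credentials; a comment stating that, and how an operator is expected to retrieve them, would help.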
+++ b/src/core/saca-hub/saca-hub.front.json 
@@ -177,6 +177,85 @@ "default_val": "mlzDemoBastionHostIpCfg", "description": "The name of the Bastion Host IP Configuration", "options": [] + }, + { + "varname": "jumpbox_subnet.name", + "type": "text", + "default_val": "mlzDemoJumpboxSubnet", + "description": "The name of the jumpbox subnet", + "options": [] + }, + { + "varname": "jumpbox_subnet.address_prefixes", + "type": "list", + "default_val": [ + "10.0.100.160/27" + ], + "description": "The address space(s) (new line seperated) to be used for the jumpbox subnet.", + "options": [] + }, + { + "varname": "jumpbox_subnet.nsg_name", + "type": "text", + "default_val": "mlzDemoJumpboxSubnetNsg", + "description": "The name of the jumpbox subnet route table network security group", + "options": [] + }, + { + "varname": "jumpbox_subnet.routetable_name", + "type": "text", + "default_val": "mlzDemoJumpboxSubnetRt", + "description": "The name of the jumpbox subnet route table", + "options": [] + }, + { + "varname": "jumpbox_keyvault_name", + "type": "text", + "default_val": "mlzDemoJumpboxVmKv", + "description": "The name of the jumpbox credentials Key Vault", + "options": [] + }, + { + "varname": "jumpbox_vm_name", + "type": "text", + "default_val": "mlzDemoJumpboxVm", + "description": "The name of the jumpbox virtual machine", + "options": [] + }, + { + "varname": "jumpbox_vm_size", + "type": "text", + "default_val": "Standard_DS1_v2", + "description": "The size of the jumpbox virtual machine", + "options": [] + }, + { + "varname": "jumpbox_vm_publisher", + "type": "text", + "default_val": "MicrosoftWindowsServer", + "description": "The publisher of the jumpbox virtual machine source image", + "options": [] + }, + { + "varname": "jumpbox_vm_offer", + "type": "text", + "default_val": "WindowsServer", + "description": "The offer of the jumpbox virtual machine source image", + "options": [] + }, + { + "varname": "jumpbox_vm_sku", + "type": "text", + "default_val": "2019-datacenter-gensecond", + "description": "The SKU of 
the jumpbox virtual machine source image", + "options": [] + }, + { + "varname": "jumpbox_vm_version", + "type": "text", + "default_val": "latest", + "description": "The version of the jumpbox virtual machine source image", + "options": [] } ] } diff --git a/src/core/saca-hub/saca-hub.orig.tfvars.json b/src/core/saca-hub/saca-hub.orig.tfvars.json index 3282afecf..b0da84228 100644 --- a/src/core/saca-hub/saca-hub.orig.tfvars.json +++ b/src/core/saca-hub/saca-hub.orig.tfvars.json 
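Review bot: The UI definition exposes every `jumpbox_subnet` field except `nsg_rules`, so front-end users get the variables.tf default — two inbound Allow rules with `source_address_prefix = "*"` — with no way to tighten them from the UI; add an entry for `jumpbox_subnet.nsg_rules` or make the default restrictive. Two descriptions also need correction: `jumpbox_subnet.nsg_name` says "route table network security group" and should read `"description": "The name of the jumpbox subnet network security group"`, and the `address_prefixes` text spells "seperated". The enclosing array and object close within this hunk.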
@@ -25,5 +25,49 @@ "bastion_host_name": "{BASTION_HOST_NAME}", "bastion_address_space": "{BASTION_ADDRESS_SPACE}", "bastion_public_ip_name": "{BASTION_PUBLIC_IP_NAME}", - "bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}" -} \ No newline at end of file + "bastion_ipconfig_name": "{BASTION_IPCONFIG_NAME}", + "jumpbox_subnet": { + "name": "{JUMPBOX_SUBNET_NAME}", + "address_prefixes": [ + "{JUMPBOX_SUBNET_SPACE}" + ], + "service_endpoints": [ + "Microsoft.Storage" + ], + "enforce_private_link_endpoint_network_policies": false, + "enforce_private_link_service_network_policies": false, + "nsg_name": "{JUMPBOX_SUBNET_NSG_NAME}", + "nsg_rules": { + "allow_ssh": { + "name": "allow_ssh", + "priority": "100", + "direction": "Inbound", + "access": "Allow", + "protocol": "Tcp", + "source_port_range": "22", + "destination_port_range": "", + "source_address_prefix": "*", + "destination_address_prefix": "" + }, + "allow_rdp": { + "name": "allow_rdp", + "priority": "200", + "direction": "Inbound", + "access": "Allow", + "protocol": "Tcp", + "source_port_range": "3389", + "destination_port_range": "", + "source_address_prefix": "*", + "destination_address_prefix": "" + } + }, + "routetable_name": "{JUMPBOX_SUBNET_RT_NAME}" + }, + "jumpbox_keyvault_name": "{JUMPBOX_KEYVAULT_NAME}", + "jumpbox_vm_name": "{JUMPBOX_VM_NAME}", + "jumpbox_vm_size": "{JUMPBOX_VM_SIZE}", + "jumpbox_vm_publisher": "{JUMPBOX_VM_PUBLISHER}", + "jumpbox_vm_offer": "{JUMPBOX_VM_OFFER}", + "jumpbox_vm_sku": "{JUMPBOX_VM_SKU}", + "jumpbox_vm_version": "{JUMPBOX_VM_VERSION}" +} diff --git a/src/core/saca-hub/saca-hub.tfvars.sample b/src/core/saca-hub/saca-hub.tfvars.sample index 8deafce85..5a99eee0b 100644 --- a/src/core/saca-hub/saca-hub.tfvars.sample +++ b/src/core/saca-hub/saca-hub.tfvars.sample 
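Review bot: The `allow_ssh` and `allow_rdp` rules put the service port in `source_port_range` and leave `destination_port_range` empty, which is inverted for an inbound rule: a client's source port is ephemeral, so as written the rules never match a real RDP or SSH session yet admit any inbound flow that happens to originate from port 22 or 3389, and the empty `destination_address_prefix` is likely to be rejected by the provider, which requires a destination prefix (confirm against the subnet module). With `source_address_prefix = "*"` the evident intent is also management access from any address; since the hub already provisions a Bastion host, scope the source to the Bastion or management prefix, and drop `allow_ssh` unless a non-Windows jumpbox is planned, as the default image is Windows Server. Per rule the corrected fields are `source_port_range = "*"`, `destination_port_range = "3389"` (or `"22"`), `destination_address_prefix = "*"` and `source_address_prefix = "<management prefix>"`. The identical rule set appears in saca-hub.tfvars.sample and in the `jumpbox_subnet` default in saca-hub/variables.tf and should change in step.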
@@ -38,3 +38,52 @@ bastion_host_name = "{BASTION_HOST_NAME}", bastion_address_space = "{BASTION_ADDRESS_SPACE}", bastion_public_ip_name = "{BASTION_PUBLIC_IP_NAME}", bastion_ipconfig_name = "{BASTION_IPCONFIG_NAME}" + +################################# +# Jumpbox VM Configuration +################################# + +jumpbox_subnet = { + name = "{JUMPBOX_SUBNET_NAME}" + address_prefixes = ["{JUMPBOX_SUBNET_SPACE}"] + service_endpoints = ["Microsoft.Storage"] + + enforce_private_link_endpoint_network_policies = false + enforce_private_link_service_network_policies = false + + nsg_name = "{JUMPBOX_SUBNET_NSG_NAME}" + nsg_rules = { + "allow_ssh" = { + name = "allow_ssh" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "22" + destination_port_range = "" + source_address_prefix = "*" + destination_address_prefix = "" + }, + "allow_rdp" = { + name = "allow_rdp" + priority = "200" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "3389" + destination_port_range = "" + source_address_prefix = "*" + destination_address_prefix = "" + } + } + + routetable_name = "{JUMPBOX_SUBNET_RT_NAME}" +} + +jumpbox_keyvault_name = "{JUMPBOX_KEYVAULT_NAME}" +jumpbox_vm_name = "{JUMPBOX_VM_NAME}" +jumpbox_vm_size = "{JUMPBOX_VM_SIZE}" +jumpbox_vm_publisher = "{JUMPBOX_VM_PUBLISHER}" +jumpbox_vm_offer = "{JUMPBOX_VM_OFFER}" +jumpbox_vm_sku = "{JUMPBOX_VM_SKU}" +jumpbox_vm_version = "{JUMPBOX_VM_VERSION}" \ No newline at end of file diff --git a/src/core/saca-hub/variables.tf b/src/core/saca-hub/variables.tf index d9312bc47..25eb6e1fd 100644 --- a/src/core/saca-hub/variables.tf +++ b/src/core/saca-hub/variables.tf @@ -32,6 +32,10 @@ variable "mlz_clientsecret" { description = "The account to deploy with" } +variable "mlz_objectid" { + description = "The account to deploy with" +} + ################################# # SACA Hub Configuration ################################# 
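Review bot: `variable "mlz_objectid"` reuses the description "The account to deploy with" from `mlz_clientsecret`, which no longer identifies the value, and unlike the other variables added in this diff it declares no type. Suggest `description = "The object ID of the service principal used to deploy; it is granted the jumpbox Key Vault access policy"` and `type = string`. The identical block is added to tier-0, tier-1 and tier-2 variables.tf, where nothing in this diff consumes it; if those declarations exist only because apply_terraform.sh and destroy_terraform.sh pass `-var mlz_objectid` to every tier, say so in the description so an unused required variable is not mistaken for an error.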
@@ -140,3 +144,112 @@ variable "bastion_ipconfig_name" { default = "mlzDemoBastionHostIpCfg" type = string } + +################################# +# Jumpbox VM Configuration +################################# + +variable "jumpbox_subnet" { + description = "The subnet for jumpboxes" + type = object({ + name = string + address_prefixes = list(string) + service_endpoints = list(string) + + enforce_private_link_endpoint_network_policies = bool + enforce_private_link_service_network_policies = bool + + nsg_name = string + nsg_rules = map(object({ + name = string + priority = string + direction = string + access = string + protocol = string + source_port_range = string + destination_port_range = string + source_address_prefix = string + destination_address_prefix = string + })) + + routetable_name = string + }) + default = { + name = "mlzDemoJumpboxSubnet" + address_prefixes = ["10.0.100.160/27"] + service_endpoints = ["Microsoft.Storage"] + + enforce_private_link_endpoint_network_policies = false + enforce_private_link_service_network_policies = false + + nsg_name = "mlzDemoJumpboxSubnetNsg" + nsg_rules = { + "allow_ssh" = { + name = "allow_ssh" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "22" + destination_port_range = "" + source_address_prefix = "*" + destination_address_prefix = "" + }, + "allow_rdp" = { + name = "allow_rdp" + priority = "200" + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_port_range = "3389" + destination_port_range = "" + source_address_prefix = "*" + destination_address_prefix = "" + } + } + + routetable_name = "mlzDemoJumpboxSubnetRt" + } +} + +variable "jumpbox_keyvault_name" { + description = "The name of the jumpbox virtual machine keyvault" + default = "mlzDemoJumpboxVmKv" + type = string +} + +variable "jumpbox_vm_name" { + description = "The name of the jumpbox virtual machine" + default = "mlzDemoJumpboxVm" + type = string +} + +variable "jumpbox_vm_size" { 
+ description = "The size of the jumpbox virtual machine" + default = "Standard_DS1_v2" + type = string +} + +variable "jumpbox_vm_publisher" { + description = "The publisher of the jumpbox virtual machine source image" + default = "MicrosoftWindowsServer" + type = string +} + +variable "jumpbox_vm_offer" { + description = "The offer of the jumpbox virtual machine source image" + default = "WindowsServer" + type = string +} + +variable "jumpbox_vm_sku" { + description = "The SKU of the jumpbox virtual machine source image" + default = "2019-datacenter-gensecond" + type = string +} + +variable "jumpbox_vm_version" { + description = "The version of the jumpbox virtual machine source image" + default = "latest" + type = string +} diff --git a/src/core/tier-0/variables.tf b/src/core/tier-0/variables.tf index 69fb2a221..4c84b1f45 100644 --- a/src/core/tier-0/variables.tf +++ b/src/core/tier-0/variables.tf @@ -31,6 +31,10 @@ variable "mlz_clientsecret" { description = "The account to deploy with" } +variable "mlz_objectid" { + description = "The account to deploy with" +} + ################################# # Tier 0 Configuration ################################# diff --git a/src/core/tier-1/variables.tf b/src/core/tier-1/variables.tf index 059bcb128..dd8cc3d25 100644 --- a/src/core/tier-1/variables.tf +++ b/src/core/tier-1/variables.tf @@ -31,6 +31,10 @@ variable "mlz_clientsecret" { description = "The account to deploy with" } +variable "mlz_objectid" { + description = "The account to deploy with" +} + ################################# # Tier 1 Configuration ################################# diff --git a/src/core/tier-2/variables.tf b/src/core/tier-2/variables.tf index f8917f8e7..cb64aa874 100644 --- a/src/core/tier-2/variables.tf +++ b/src/core/tier-2/variables.tf 
@@ -31,6 +31,10 @@ variable "mlz_clientsecret" { description = "The account to deploy with" } +variable "mlz_objectid" { + description = "The account to deploy with" +} + ################################# # Tier 2 Configuration ################################# diff --git a/src/modules/firewall/output.tf b/src/modules/firewall/output.tf index 59e481eb9..e04bdd4c6 100644 --- a/src/modules/firewall/output.tf +++ b/src/modules/firewall/output.tf @@ -1,2 +1,7 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. + +output "firewall_public_ip" { + description = "The public IP for the firewall" + value = azurerm_public_ip.fw_client_pip.ip_address +} diff --git a/src/modules/hub/output.tf b/src/modules/hub/output.tf index b7f49746b..70939f587 100644 --- a/src/modules/hub/output.tf +++ b/src/modules/hub/output.tf @@ -43,3 +43,7 @@ output "log_analytics_workspace_name" { output "log_analytics_workspace_id" { value = azurerm_log_analytics_workspace.loganalytics.id } + +output "log_analytics_storage_id" { + value = module.hub-network.log_analytics_storage_id +} diff --git a/src/modules/jumpbox/main.tf b/src/modules/jumpbox/main.tf new file mode 100644 index 000000000..8caf83ca3 --- /dev/null +++ b/src/modules/jumpbox/main.tf 
@@ -0,0 +1,71 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+resource "random_id" "jumpbox-keyvault" {
+  byte_length = 12
+}
+
+resource "azurerm_key_vault" "jumpbox-keyvault" {
+  name = format("%.24s", lower(replace("${var.keyvault_name}${random_id.jumpbox-keyvault.id}", "/[[:^alnum:]]/", "")))
+  location = var.location
+  resource_group_name = var.resource_group_name
+  tenant_id = var.tenant_id
+  soft_delete_retention_days = 90
+  sku_name = "standard" # 'standard' or 'premium' case sensitive
+
+  access_policy {
+    tenant_id = var.tenant_id
+    object_id = var.object_id
+
+    key_permissions = [
+      "create",
+      "get",
+    ]
+
+    secret_permissions = [
+      "set",
+      "get",
+      "delete",
+      "purge",
+      "recover"
+    ]
+  }
+}
+
+resource "random_password" "jumpbox-password" {
+  length = 16
+  special = true
+  override_special = "_%@"
+}
+
+resource "azurerm_key_vault_secret" "jumpbox-password" {
+  name = "jumpbox-password"
+  value = random_password.jumpbox-password.result
+  key_vault_id = azurerm_key_vault.jumpbox-keyvault.id
+}
+
+resource "random_string" "jumpbox-username" {
+  length = 12
+  special = false
+}
+
+resource "azurerm_key_vault_secret" "jumpbox-username" {
+  name = "jumpbox-username"
+  value = random_string.jumpbox-username.result
+  key_vault_id = azurerm_key_vault.jumpbox-keyvault.id
+}
+
+module "jumpbox-virtual-machine" {
+  source = "../windows-virtual-machine"
+  resource_group_name = var.resource_group_name
+  virtual_network_name = var.virtual_network_name
+  subnet_name = var.subnet_name
+  name = var.name
+  size = var.size
+  admin_username = azurerm_key_vault_secret.jumpbox-username.value
+  admin_password = azurerm_key_vault_secret.jumpbox-password.value
+  publisher = var.publisher
+  offer = var.offer
+  sku = var.sku
+  image_version = var.image_version
+}
diff --git a/src/modules/jumpbox/output.tf b/src/modules/jumpbox/output.tf
new file mode 100644
index 000000000..e69de29bb
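Review bot: `azurerm_key_vault.jumpbox-keyvault` is created without `network_acls`, so the vault holding the jumpbox admin credentials accepts requests from any network, and its access policy grants `key_permissions` although the module never creates a key. Remove the `key_permissions` list, and either add a `network_acls` block with `default_action = "Deny"`, `bypass = "AzureServices"` and an `ip_rules` entry for the host running terraform, or comment why public network access is accepted for this vault. A comment on `random_password`/`random_string` should also say that the generated username and password land in Terraform state as well as in Key Vault, so the state backend must be protected as a secret store. Finally, `format("%.24s", ...)` truncates from the right, so a `var.keyvault_name` of 24 or more alphanumeric characters keeps none of the random suffix and the vault name stops being unique; cap the prefix, e.g. `substr(var.keyvault_name, 0, 16)`, before appending the random id.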
diff --git a/src/modules/jumpbox/variables.tf b/src/modules/jumpbox/variables.tf
new file mode 100644
index 000000000..4fb21d5ec
--- /dev/null
+++ b/src/modules/jumpbox/variables.tf
@@ -0,0 +1,67 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+variable "resource_group_name" {
+  description = "The name of the resource group the jumpbox resides in"
+  type = string
+}
+
+variable "virtual_network_name" {
+  description = "The name of the virtual network the jumpbox resides in"
+  type = string
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet the jumpbox resides in"
+  type = string
+}
+
+variable "location" {
+  description = "The region to deploy the jumpbox resides into"
+  type = string
+}
+
+variable "keyvault_name" {
+  description = "The name of the keyvault to store jumpbox credentials in"
+  type = string
+}
+
+variable "tenant_id" {
+  description = "The tenant ID of the keyvault to store jumpbox credentials in"
+  type = string
+}
+
+variable "object_id" {
+  description = "The object ID with access the keyvault to store and retrieve jumpbox credentials"
+  type = string
+}
+
+variable "name" {
+  description = "The name of the virtual machine"
+  type = string
+}
+
+variable "size" {
+  description = "The size of the virtual machine"
+  type = string
+}
+
+variable "publisher" {
+  description = "The publisher of the virtual machine source image"
+  type = string
+}
+
+variable "offer" {
+  description = "The offer of the virtual machine source image"
+  type = string
+}
+
+variable "sku" {
+  description = "The SKU of the virtual machine source image"
+  type = string
+}
+
+variable "image_version" {
+  description = "The version of the virtual machine source image"
+  type = string
+}
diff --git a/src/modules/windows-virtual-machine/main.tf b/src/modules/windows-virtual-machine/main.tf
new file mode 100644
index 000000000..47ff1554b
--- /dev/null
+++ b/src/modules/windows-virtual-machine/main.tf
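Review bot: Two descriptions in the new variables file are garbled: `location` reads "The region to deploy the jumpbox resides into" and `object_id` reads "The object ID with access the keyvault to store and retrieve jumpbox credentials". Suggest `description = "The region the jumpbox Key Vault is deployed into (the VM takes its resource group's location)"`, which matches how main.tf uses the two values, and `description = "The object ID of the principal granted the Key Vault access policy that stores and reads the jumpbox credentials"`.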
@@ -0,0 +1,49 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+data "azurerm_resource_group" "vm_resource_group" {
+  name = var.resource_group_name
+}
+
+data "azurerm_subnet" "vm_subnet" {
+  name = var.subnet_name
+  virtual_network_name = var.virtual_network_name
+  resource_group_name = var.resource_group_name
+}
+
+resource "azurerm_network_interface" "windows_vm" {
+  name = "${var.name}_NIC"
+  resource_group_name = data.azurerm_resource_group.vm_resource_group.name
+  location = data.azurerm_resource_group.vm_resource_group.location
+
+  ip_configuration {
+    name = "${var.name}_IPCONFIG"
+    subnet_id = data.azurerm_subnet.vm_subnet.id
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+resource "azurerm_windows_virtual_machine" "windows_vm" {
+  name = var.name
+  computer_name = substr(var.name, 0, 14) # computer_name can only be 15 characters maximum
+  resource_group_name = data.azurerm_resource_group.vm_resource_group.name
+  location = data.azurerm_resource_group.vm_resource_group.location
+  size = var.size
+  admin_username = var.admin_username
+  admin_password = var.admin_password
+  network_interface_ids = [
+    azurerm_network_interface.windows_vm.id,
+  ]
+
+  os_disk {
+    caching = "ReadWrite"
+    storage_account_type = "StandardSSD_LRS"
+  }
+
+  source_image_reference {
+    publisher = var.publisher
+    offer = var.offer
+    sku = var.sku
+    version = var.image_version
+  }
+}
diff --git a/src/modules/windows-virtual-machine/output.tf b/src/modules/windows-virtual-machine/output.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/src/modules/windows-virtual-machine/variables.tf b/src/modules/windows-virtual-machine/variables.tf
new file mode 100644
index 000000000..7d0f4c7eb
--- /dev/null
+++ b/src/modules/windows-virtual-machine/variables.tf
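Review bot: `computer_name = substr(var.name, 0, 14)` keeps 14 characters while the trailing comment says the limit is 15, so code and comment disagree; use `substr(var.name, 0, 15)` or correct the comment. Silent truncation also means two VMs whose names share that prefix receive the same computer name, which deserves either a comment here or a `validation` block on `name` in the module's variables.tf.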
@@ -0,0 +1,57 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+variable "resource_group_name" {
+  description = "The name of the resource group the virtual machine resides in"
+  type = string
+}
+
+variable "virtual_network_name" {
+  description = "The name of the virtual network the virtual machine resides in"
+  type = string
+}
+
+variable "subnet_name" {
+  description = "The name of the subnet the virtual machine resides in"
+  type = string
+}
+
+variable "name" {
+  description = "The name of the virtual machine"
+  type = string
+}
+
+variable "size" {
+  description = "The size of the virtual machine"
+  type = string
+}
+
+variable "admin_username" {
+  description = "The admin username of the virtual machine"
+  type = string
+}
+
+variable "admin_password" {
+  description = "The admin password of the virtual machine"
+  type = string
+}
+
+variable "publisher" {
+  description = "The publisher of the virtual machine source image"
+  type = string
+}
+
+variable "offer" {
+  description = "The offer of the virtual machine source image"
+  type = string
+}
+
+variable "sku" {
+  description = "The SKU of the virtual machine source image"
+  type = string
+}
+
+variable "image_version" {
+  description = "The version of the virtual machine source image"
+  type = string
+}
diff --git a/src/scripts/config/generate_names.sh b/src/scripts/config/generate_names.sh
index bed61497b..e7b572e24 100755
--- a/src/scripts/config/generate_names.sh
+++ b/src/scripts/config/generate_names.sh
@@ -60,6 +60,7 @@ export mlz_rg_name="${mlz_rg_name_full:0:63}"
 export mlz_sp_name="${mlz_sp_name_full:0:120}"
 export mlz_sp_kv_name="serviceprincipal-clientid"
 export mlz_sp_kv_password="serviceprincipal-pwd"
+export mlz_sp_obj_name="serviceprincipal-objectid"
 export mlz_login_app_kv_name="login-app-clientid"
 export mlz_login_app_kv_password="login-app-pwd"
 export mlz_kv_name="${mlz_kv_name_full:0:24}"
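Review bot: `admin_password` and `admin_username` in the new variables file are declared without `sensitive = true`, so Terraform will not redact the jumpbox credentials passed in from src/modules/jumpbox/main.tf if they ever surface in an output, a diagnostic, or a plan rendered from a module that references them directly. If the repository pins Terraform 0.14 or newer, add `sensitive = true` to both declarations; even where the provider marks the VM's `admin_password` attribute sensitive, that does not extend to the variable itself.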
diff --git a/src/scripts/config/generate_vars.sh b/src/scripts/config/generate_vars.sh index e7dfc56bd..affa2c84c 100755 --- a/src/scripts/config/generate_vars.sh +++ b/src/scripts/config/generate_vars.sh @@ -52,6 +52,7 @@ touch "$config_vars" echo "tf_be_sa_name=${tf_sa_name}" echo "sp_client_id_secret_name=${mlz_sp_kv_name}" echo "sp_client_pwd_secret_name=${mlz_sp_kv_password}" + echo "sp_object_id_secret_name=${mlz_sp_obj_name}" echo "environment=${tf_environment}" echo "container_name=${container_name}" } >> "$config_vars" diff --git a/src/scripts/config/get_sp_identity.sh b/src/scripts/config/get_sp_identity.sh index 51cbcf635..6bf68ed1b 100755 --- a/src/scripts/config/get_sp_identity.sh +++ b/src/scripts/config/get_sp_identity.sh @@ -16,7 +16,7 @@ error_log() { } usage() { - echo "get_sp_identity.sh: Given a MLZTF config.vars file, export a mlz_client_id and mlz_client_secret" + echo "get_sp_identity.sh: Given a MLZTF config.vars file, export a mlz_client_id, mlz_client_secret, and mlz_object_id" error_log "usage: get_sp_identity.sh " } @@ -35,6 +35,7 @@ config_vars=$1 # Source configuration file . "${config_vars}" +# query for service principal client ID kv_id_exists="az keyvault secret show \ --name ${sp_client_id_secret_name} \ --vault-name ${mlz_cfg_kv_name} \ @@ -53,7 +54,7 @@ else export client_id fi -# Query Key Vault for Service Principal Password +# query for service principal password kv_pwd_exists="az keyvault secret show \ --name ${sp_client_pwd_secret_name} \ --vault-name ${mlz_cfg_kv_name} \ 
@@ -72,6 +73,24 @@ else export client_secret fi +# query for service principal object ID +kv_obj_id_exists="az keyvault secret show \ + --name ${sp_object_id_secret_name} \ + --vault-name ${mlz_cfg_kv_name} \ + --subscription ${mlz_cfg_sub_id}" +if ! $kv_obj_id_exists &> /dev/null; then + echo "The Key Vault secret ${sp_object_id_secret_name} does not exist...validate config.vars file and re-run script" + exit 1 +else + object_id=$(az keyvault secret show \ + --name "${sp_object_id_secret_name}" \ + --vault-name "${mlz_cfg_kv_name}" \ + --subscription "${mlz_cfg_sub_id}" \ + --query value \ + --output tsv) + export object_id +fi + # Validate Service Principal exists sp_exists="az ad sp show \ --id ${client_id}" diff --git a/src/scripts/config/mlz_config_create.sh b/src/scripts/config/mlz_config_create.sh index 2ef8dcee9..fd2d10994 100755 --- a/src/scripts/config/mlz_config_create.sh +++ b/src/scripts/config/mlz_config_create.sh @@ -211,4 +211,11 @@ az keyvault secret set \ --value "${sp_clientid}" \ --output none +az keyvault secret set \ + --name "${mlz_sp_obj_name}" \ + --subscription "${mlz_config_subid}" \ + --vault-name "${mlz_kv_name}" \ + --value "${sp_objid}" \ + --output none + echo "INFO: MLZ resources for ${mlz_env_name} created!" diff --git a/src/scripts/docker/deploy_ui_local.sh b/src/scripts/docker/deploy_ui_local.sh index 5560f371b..55b267ff9 100755 --- a/src/scripts/docker/deploy_ui_local.sh +++ b/src/scripts/docker/deploy_ui_local.sh @@ -85,6 +85,7 @@ echo "export TF_ENV=$tf_environment" echo "export MLZ_ENV=$mlz_env_name" echo "export MLZCLIENTID=$mlz_client_id" echo "export MLZCLIENTSECRET=$mlz_client_secret" +echo "export MLZOBJECTID=$mlz_object_id" echo "for PowerShell:" echo "\$env:CLIENT_ID='$auth_client_id'" 
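Review bot: `--value "${sp_objid}"` in mlz_config_create.sh references a variable that nothing in this diff assigns; if the script does not set `sp_objid` outside the hunk and does not run with `set -u`, `az keyvault secret set` stores an empty secret, get_sp_identity.sh then exports an empty `object_id` without complaint, and the failure only appears when the jumpbox Key Vault access policy is created. Guard the write with `[[ -n "${sp_objid}" ]] || { echo "ERROR: service principal object ID was not resolved" >&2; exit 1; }` before the `az keyvault secret set` call. In get_sp_identity.sh the new block mirrors the client-ID lookup; a comment such as `# this is the service principal's object ID, not its application (client) ID` would head off the usual confusion between the two.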
@@ -104,6 +105,7 @@ echo "\$env:TF_ENV='$tf_environment'" echo "\$env:MLZ_ENV='$mlz_env_name'" echo "\$env:MLZCLIENTID='$(az keyvault secret show --name "${mlz_sp_kv_name}" --vault-name "${mlz_kv_name}" --query value --output tsv)'" echo "\$env:MLZCLIENTSECRET='$(az keyvault secret show --name "${mlz_sp_kv_password}" --vault-name "${mlz_kv_name}" --query value --output tsv)'" +echo "\$env:MLZOBJECTID='$(az keyvault secret show --name "${mlz_sp_obj_name}" --vault-name "${mlz_kv_name}" --query value --output tsv)'" echo "==============================" echo "INFO: 2) Then, execute the web server with:" diff --git a/src/scripts/terraform/apply_terraform.sh b/src/scripts/terraform/apply_terraform.sh index c39c36a24..c48cfda83 100755 --- a/src/scripts/terraform/apply_terraform.sh +++ b/src/scripts/terraform/apply_terraform.sh @@ -75,5 +75,6 @@ apply_command+=" -var-file=${globalvars}" apply_command+=" -var-file=${tfvars}" apply_command+=" -var mlz_clientid=${client_id}" apply_command+=" -var mlz_clientsecret=${client_secret}" +apply_command+=" -var mlz_objectid=${object_id}" eval "${apply_command}" diff --git a/src/scripts/terraform/destroy_terraform.sh b/src/scripts/terraform/destroy_terraform.sh index 042679210..3f048ec30 100755 --- a/src/scripts/terraform/destroy_terraform.sh +++ b/src/scripts/terraform/destroy_terraform.sh @@ -77,5 +77,6 @@ destroy_command+=" -var-file=${globalvars}" destroy_command+=" -var-file=${tfvars}" destroy_command+=" -var mlz_clientid=${client_id}" destroy_command+=" -var mlz_clientsecret=${client_secret}" +destroy_command+=" -var mlz_objectid=${object_id}" eval "${destroy_command}"