package main
import (
	"fmt"

	"github.com/pulumi/pulumi-azure-native-sdk/authorization/v2"
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// ServicePrincipalEnvelope bundles a service principal together with the
// client secret (password credential) issued for it, so both can be handed
// around as one unit.
type ServicePrincipalEnvelope struct {
// The Azure AD service principal itself.
ServicePrincipal *azuread.ServicePrincipal
// Password credential issued for ServicePrincipal; treat its value as sensitive.
ServicePrincipalPass *azuread.ServicePrincipalPassword
}
// RoleAssignments describes one Azure RBAC role assignment to create: the
// Pulumi resource name, the role definition to grant, and the scope it is
// granted on. (Despite the plural name, each value is a single assignment.)
type RoleAssignments struct {
// Pulumi resource name for the assignment.
Name string
// Fully qualified role definition ID, passed as RoleDefinitionId (see StorageContributor, CdnContributor).
Definition string
// ID of the resource the role applies to; keeping this narrow is what bounds the principal's reach.
Scope pulumi.IDOutput
}
// Role definition IDs granted to the CI/CD service principal. Both are fully
// qualified (the /providers/... form without a subscription segment) so they
// can be passed straight through as RoleDefinitionId.
//
// NOTE(review): confirm these GUIDs against the tenant's role definition list.
// The name StorageContributor does not say whether this is the control-plane
// Storage Account Contributor role or a data-plane blob role; the two differ
// materially in what the CI/CD identity can reach.
const (
	StorageContributor string = "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe"
	CdnContributor     string = "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45"
)
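// generateCICDServicePrincipal creates the Azure AD application and service
// principal that CI/CD uses to deploy built code and expire CDN content,
// grants it the two role assignments it needs, and issues a client secret.
//
// The service principal and its secret are stored in pr.svcPrincipals.cicd for
// later steps to reference. Each role assignment is scoped to a single resource
// (the web storage account and the CDN profile), not to the resource group or
// subscription, so the principal cannot act on anything else.
//
// The returned error wraps the failing Pulumi call with the name of the
// resource that was being created.
func (pr *projectResources) generateCICDServicePrincipal() error {
	cicd := "cicd-actions-" + pr.cfgKeys.projectKey + "-" + pr.cfgKeys.envKey

	app, err := azuread.NewApplication(pr.pulumiCtx, cicd, &azuread.ApplicationArgs{
		DisplayName: pulumi.String(cicd),
	})
	if err != nil {
		return fmt.Errorf("creating application %q: %w", cicd, err)
	}

	spName := cicd + "-serviceprincipal"
	spDesc := pulumi.Sprintf("Service Principal used for CI/CD purposes within %s-%s", pr.cfgKeys.projectKey, pr.cfgKeys.envKey)
	// UseExisting is false so an already-present principal for this
	// application is never silently adopted; each environment gets its own.
	pr.svcPrincipals.cicd.ServicePrincipal, err = azuread.NewServicePrincipal(pr.pulumiCtx, spName, &azuread.ServicePrincipalArgs{
		ClientId:    app.ClientId,
		UseExisting: pulumi.Bool(false),
		Description: spDesc,
	})
	if err != nil {
		return fmt.Errorf("creating service principal %q: %w", spName, err)
	}

	// Least privilege: every assignment is scoped to one resource ID, and the
	// role definitions are the two fixed constants above.
	assignments := []RoleAssignments{
		{Name: cicd + "-storagerole", Definition: StorageContributor, Scope: pr.webStorageAccount.ID()},
		{Name: cicd + "-cdnrole", Definition: CdnContributor, Scope: pr.webCdnProfile.ID()},
	}
	principalID := pr.svcPrincipals.cicd.ServicePrincipal.ID()
	for _, ra := range assignments {
		_, err = authorization.NewRoleAssignment(pr.pulumiCtx, ra.Name, &authorization.RoleAssignmentArgs{
			PrincipalId:      principalID,
			PrincipalType:    pulumi.String("ServicePrincipal"),
			RoleDefinitionId: pulumi.String(ra.Definition),
			Scope:            ra.Scope,
		})
		if err != nil {
			return fmt.Errorf("creating role assignment %q: %w", ra.Name, err)
		}
	}

	// The client secret is generated by the provider. NOTE(review): no
	// explicit end date or rotation trigger is configured here, so whatever
	// lifetime the provider applies by default is what this secret gets —
	// confirm that matches the expected rotation policy for CI/CD credentials.
	// The secret value presumably ends up as a resource output in Pulumi
	// state, so that state must be handled as sensitive.
	secretName := cicd + "-secret"
	pr.svcPrincipals.cicd.ServicePrincipalPass, err = azuread.NewServicePrincipalPassword(pr.pulumiCtx, secretName, &azuread.ServicePrincipalPasswordArgs{
		ServicePrincipalId: principalID,
	})
	if err != nil {
		return fmt.Errorf("creating client secret %q: %w", secretName, err)
	}
	return nil
}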