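#Requires -Modules Az.Accounts, Az.Resources
#Requires -Version 7.2
# Fail fast: an unhandled error or a reference to an undeclared variable aborts the run
# rather than leaving a half-configured application registration behind.
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$PSDefaultParameterValues['*:ErrorAction'] = 'Stop'
# Well-known identifiers used by the functions below (module-private, Script scope).
# Directory.Read.All application permission on Microsoft Graph: tenant-wide read of the directory,
# granted to the GitHub workflow's identity. Keep this in mind when reviewing least privilege.
New-Variable -Name DirectoryReadAllAppRoleId -Value '7ab1d382-f21e-4acd-a863-ba3e13f7da61' -Option Constant -Scope Script
# Used as resourceId of the appRoleAssignment. NOTE(review): this looks like the object id of the
# Microsoft Graph service principal, which differs per tenant (the global Graph application id is
# MicrosoftGraphApiId below) - confirm it matches the target tenant or resolve it at run time.
New-Variable -Name MsGraphResourceId -Value 'e51b873a-e178-4e6a-ab84-b07d68b33bc8' -Option Constant -Scope Script
# Built-in Azure RBAC role definition ids. Neither is referenced by the functions in this file.
New-Variable -Name AzRoleUserAccessAdministrator -Value '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' -Option Constant -Scope Script
New-Variable -Name AzRoleContributor -Value 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Option Constant -Scope Script
# Application (client) id of Microsoft Graph; identical in every tenant.
New-Variable -Name MicrosoftGraphApiId -Value '00000003-0000-0000-c000-000000000000' -Option Constant -Scope Script
# Name of the federated credential created on the app registration.
New-Variable -Name FedCredentialName -Value 'GitHub' -Option Constant -Scope Script
# Issuer of GitHub Actions OIDC tokens; Entra ID only accepts tokens from exactly this issuer.
New-Variable -Name GitHubIssuer -Value 'https://token.actions.githubusercontent.com' -Option Constant -Scope Script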
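<#
.SYNOPSIS
Creates an Entra ID (Azure AD) application with a federated credential for GitHub Actions
.DESCRIPTION
Creates an application registration and service principal, declares the Microsoft Graph
Directory.Read.All application permission on it, adds the federated credential that lets a
GitHub Actions OIDC token be exchanged for an Entra ID token, and grants admin consent for
the permission. If a service principal with the given display name already exists, its
identifiers are returned as-is: permissions and federated credentials are neither added nor
re-validated on that path.
.PARAMETER Name
Display name of the application and its service principal. Display names are not unique in
a tenant; the function refuses to continue if more than one service principal matches.
.PARAMETER Subject
Subject claim the GitHub OIDC token must carry, for example "repo:MyOrg/MyRepo:environment:dev".
Scope it as narrowly as the workflow allows (environment, branch or tag) - any workflow whose
token matches this subject can authenticate as the application.
.INPUTS
Pipeline input is not supported
.OUTPUTS
System.Collections.Hashtable with keys AppId (application/client id to use for login),
ObjectId (application object id) and SpnId (service principal object id)
#>
function New-GhAzOidcApplication {
    [OutputType([hashtable])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]
        $Name,
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]
        $Subject
    )
    # Standard GitHub Actions subjects start with "repo:"; customised subject templates may not,
    # so only warn rather than reject.
    if (-not $Subject.StartsWith('repo:')) {
        Write-Warning "Subject '$Subject' does not start with 'repo:'; make sure it matches the claim GitHub will present."
    }
    # Idempotency check by display name. Names are not unique, so refuse to guess when several
    # principals share the name instead of silently returning an arbitrary one.
    $existing = @(Get-AzADServicePrincipal -DisplayName $Name)
    if ($existing.Count -gt 1) {
        throw "Found $($existing.Count) service principals named '$Name'; expected at most one."
    }
    if ($existing.Count -eq 1) {
        $spn = $existing[0]
        $app = Get-AzADApplication -ApplicationId $spn.AppId
        # Same shape as the creation path so callers can rely on one return type.
        return @{
            AppId    = $spn.AppId
            ObjectId = $app.Id
            SpnId    = $spn.Id
        }
    }
    $spn = New-AzADServicePrincipal -DisplayName $Name
    $app = Get-AzADApplication -ApplicationId $spn.AppId
    # Declare Directory.Read.All (Type 'Role' = application permission) on the registration.
    # This only records the requirement; consent is granted separately below.
    $permission = @{
        ObjectId     = $app.Id
        ApiId        = $MicrosoftGraphApiId
        PermissionId = $DirectoryReadAllAppRoleId
        Type         = 'Role'
    }
    Add-AzADAppPermission @permission
    # Federated credential: a GitHub OIDC token with exactly this issuer, subject and audience can be
    # exchanged for a token of this application, so no client secret has to be stored in GitHub.
    $credential = @{
        ApplicationObjectId = $app.Id
        Audience            = @('api://AzureADTokenExchange')
        Issuer              = $GitHubIssuer
        Name                = $FedCredentialName
        Subject             = $Subject
    }
    New-AzADAppFederatedCredential @credential | Out-Null
    # Tenant-wide admin consent for the declared role; the signed-in user must be allowed to
    # consent to application permissions.
    Set-AzGraphConsentedRole -PrincipalId $spn.Id -RoleId $DirectoryReadAllAppRoleId
    # AppId is the application (client) id, which is what a GitHub workflow logs in with;
    # the application object id is exposed separately as ObjectId.
    @{
        AppId    = $app.AppId
        ObjectId = $app.Id
        SpnId    = $spn.Id
    }
}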
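<#
.SYNOPSIS
Grants admin consent for a Microsoft Graph app role to a service principal
.DESCRIPTION
Creates an appRoleAssignment on the service principal for the given Microsoft Graph
application permission, which is what "Grant admin consent" does in the portal. The
request is made with the signed-in user's Graph token, so that user must be allowed to
consent to application permissions. Graph reports an error if the assignment already exists.
.PARAMETER PrincipalId
Object id of the service principal that receives the role
.PARAMETER RoleId
Id of the Microsoft Graph app role (application permission) to assign
.OUTPUTS
None
#>
function Set-AzGraphConsentedRole {
    [CmdletBinding()]
    param(
        # Typed as [guid] so only a well-formed id can reach the request URI built below.
        [Parameter(Mandatory)]
        [guid]
        $PrincipalId,
        [Parameter(Mandatory)]
        [guid]
        $RoleId
    )
    # resourceId must be the object id of the Microsoft Graph service principal in *this* tenant.
    # Resolve it from the tenant-independent Graph application id; fall back to the module
    # constant only if the lookup returns nothing.
    $graphSpn = Get-AzADServicePrincipal -ApplicationId $MicrosoftGraphApiId
    $resourceId = if ($graphSpn) { $graphSpn.Id } else { $MsGraphResourceId }
    # Newer Az.Accounts releases return Token as a SecureString, older ones as plain text.
    # Normalise to SecureString and let Invoke-RestMethod build the Authorization header, so the
    # bearer token is never held in a plain-text header hashtable.
    $accessToken = Get-AzAccessToken -ResourceTypeName MSGraph
    $secureToken = if ($accessToken.Token -is [securestring]) {
        $accessToken.Token
    } else {
        ConvertTo-SecureString -String $accessToken.Token -AsPlainText -Force
    }
    $body = @{
        principalId = "$PrincipalId"
        resourceId  = $resourceId
        appRoleId   = "$RoleId"
    } | ConvertTo-Json
    $request = @{
        Method         = 'Post'
        Uri            = "https://graph.microsoft.com/v1.0/servicePrincipals/$PrincipalId/appRoleAssignments"
        Authentication = 'Bearer'
        Token          = $secureToken
        ContentType    = 'application/json'
        Body           = $body
    }
    Invoke-RestMethod @request | Out-Null
}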
# Only the two public entry points are exported; the Script-scoped constants stay module-private.
Export-ModuleMember -Function New-GhAzOidcApplication, Set-AzGraphConsentedRole