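parameters:
  # NOTE(review): none of these parameters are referenced by the steps in this
  # file — both Azure tasks below hard-code `azureSubscription: janARM` and the
  # step displayNames read the `$(serviceConnection)` pipeline variable instead.
  # A parameter name containing a space cannot be used with the dotted
  # `${{ parameters.name }}` form; renaming this one to `serviceConnection` and
  # wiring it to azureSubscription would be the follow-up.
  - name: Service Connection
    displayName: Override Service Connection
    type: string
    default: '<from subscriptionConnection variable>'
  - name: jobType
    displayName: Job type
    type: string
    default: agentJob
    values:
      - agentJob
      - containerJob
      - deploymentJob
      - environmentVM
  - name: poolName
    displayName: Agent Pool
    type: string
    default: 'Azure Pipelines'
  - name: vmImage
    # Label was 'Agent Pool', identical to poolName's and indistinguishable in
    # the run-pipeline dialog; this parameter holds the hosted VM image name.
    displayName: Agent VM image
    type: string
    default: 'ubuntu-latest'
  - name: environmentName
    displayName: Environment
    type: string
    default: 'scratch'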
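steps:
  # Diagnostic step: prints what the Service Connection identity can see.
  # addSpnToEnvironment exposes the connection's credentials to the script as
  # environment variables (servicePrincipalKey / idToken among them). The
  # script below only lists the NAMES of those variables; never echo their
  # values — the pipeline log is visible to everyone with read access to the run.
  - task: AzureCLI@2
    displayName: 'AzureCLI $(serviceConnection)'
    inputs:
      addSpnToEnvironment: true
      # NOTE(review): hard-coded to janARM while the displayName and the script
      # banner report $(serviceConnection); confirm which one is intended.
      azureSubscription: janARM  # Task property referencing Service Connection
      scriptType: pscore
      scriptLocation: inlineScript
      # $PSStyle needs PowerShell 7.2+; pscore on the hosted images provides it.
      inlineScript: |
        Write-Host "`n$($PSStyle.Bold)Service Connection name: '$(serviceConnection)'$($PSStyle.Reset) -----------------------------------------------"
        # The ENDPOINT_DATA_<id> variable name carries the service connection id.
        Get-ChildItem -Path Env: -Recurse -Include ENDPOINT_DATA_* | Sort-Object -Property Name `
          | Select-Object -First 1 -ExpandProperty Name `
          | ForEach-Object { $_ -replace 'ENDPOINT_DATA_','' } `
          | Set-Variable serviceConnectionId
        Write-Host "Service Connection ID: ${serviceConnectionId}"

        # Names only (Select-Object -Property Name) — the values are credentials.
        Write-Host "`nVariables added by 'addSpnToEnvironment':" -NoNewline
        Get-ChildItem -Path Env: -Recurse -Include idToken, `
                                                  servicePrincipalId, `
                                                  servicePrincipalKey, `
                                                  tenantId `
          | Sort-Object -Property Name `
          | Select-Object -Property Name `
          | Format-Table -HideTableHeaders
        if ($env:servicePrincipalKey) {
          Write-Host "Using Service Principal secret for authentication"
        } elseif ($env:idToken) {
          Write-Host "Using Workload Identity federation (OIDC) for authentication"
        }

        Write-Host "`n$($PSStyle.Formatting.FormatAccent)az account show$($PSStyle.Reset)"
        az account show -o json `
          | Tee-Object -FilePath subscription.json `
          | ConvertFrom-Json `
          | Set-Variable subscription
        Get-Content subscription.json
        $appId = $subscription.user.name

        Write-Host "`n$($PSStyle.Bold)Service Connection role assignments:$($PSStyle.Reset) ---------------------------------------------------------------"
        Write-Host "$($PSStyle.Formatting.FormatAccent)az role assignment list --assignee <appId>$($PSStyle.Reset)"
        # Trailing backtick on the Sort-Object line was missing; every other
        # pipeline here continues with an explicit backtick, so keep it consistent.
        az role assignment list --all `
                                --assignee $appId `
                                -o json `
          | Tee-Object -FilePath roleAssignments.json `
          | ConvertFrom-Json `
          | Select-Object -Property roleDefinitionName, scope `
          | Sort-Object -Property roleDefinitionName `
          | Format-Table -AutoSize -Wrap

        Write-Host "`n$($PSStyle.Bold)Service Connection Service Principal object:$($PSStyle.Reset) -------------------------------------------------------"
        Write-Host "$($PSStyle.Formatting.FormatAccent)az ad sp show --id <appId>$($PSStyle.Reset)"
        az ad sp show --id $appId `
                      -o json `
          | Tee-Object -FilePath servicePrincipal.json `
          | ConvertFrom-Json `
          | Set-Variable servicePrincipal
        Get-Content servicePrincipal.json
        if ($servicePrincipal.servicePrincipalType -eq 'ManagedIdentity') {
          # assumes alternativeNames[1] is the managed identity's resource id — TODO confirm
          "https://portal.azure.com/#@{0}/resource{1}" -f $subscription.tenantId, $servicePrincipal.alternativeNames[1] | Set-Variable azurePortalLink
        } else {
          "https://portal.azure.com/{0}/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/{1}/isMSAApp/" -f $subscription.tenantId, $appId | Set-Variable azurePortalLink
        }
        Write-Host "`nAzure Portal link for Service Principal of type '$($servicePrincipal.servicePrincipalType)':`n$($azurePortalLink)"

        Write-Host "`n$($PSStyle.Bold)Subscriptions the Service Connection has access to:$($PSStyle.Reset) ------------------------------------------------"
        Write-Host "$($PSStyle.Formatting.FormatAccent)az account list$($PSStyle.Reset)"
        az account list --query "sort_by([].{Name:name, SubscriptionId:id}, &Name)" `
                        -o table

        Write-Host "`n$($PSStyle.Bold)Resource groups that the Service Connection has access to in subscription '$(az account show --query name -o tsv)':$($PSStyle.Reset) -------------"
        Write-Host "$($PSStyle.Formatting.FormatAccent)az group list$($PSStyle.Reset)"
        az group list --query "sort_by([].{Name:name, ResourceId:id}, &Name)" `
                      -o table
      # The subscription.json / roleAssignments.json / servicePrincipal.json
      # dumps written above land in the artifact staging directory, so a later
      # publish-artifact step would ship them. They hold the tenant and
      # subscription ids, the appId and the full role-assignment list — not
      # secrets, but detail that should not leave the run; keep them out of
      # published artifacts or write them elsewhere.
      workingDirectory: '$(Build.ArtifactStagingDirectory)'

  # Same identity, seen through the Az PowerShell module.
  - task: AzurePowerShell@5
    displayName: 'AzurePowerShell $(serviceConnection)'
    inputs:
      azureSubscription: janARM
      scriptType: inlineScript
      inline: |
        # The '|' was missing: 'Get-AzContext Format-List' handed Format-List to
        # Get-AzContext as a positional argument instead of piping the context.
        Get-AzContext | Format-List
        Get-AzContext | Select-Object -ExpandProperty Subscription | Format-List
      azurePowerShellVersion: 'latestVersion'
      pwsh: true
      failOnStandardError: true

  # NOTE(review): installs whatever Az version PSGallery serves that day, on
  # every run; pin it (`Install-Module -Name Az -RequiredVersion <pinned-version>`)
  # or rely on the Az preinstalled on the hosted image. This plain pwsh step
  # runs outside the Azure tasks, so Get-AzContext here presumably shows no
  # authenticated context — confirm that is the intended demonstration.
  - pwsh: |
      Install-Module -Name Az -Repository PSGallery -Force
      Import-Module Az
      Get-AzContext
    displayName: 'Az module outside an Azure task'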