
Add helper function or guidance for creation of Azure SP for test execution

Open PlagueHO opened this issue 8 years ago • 3 comments

To configure the automated testing on a DSC Config, users need to set up an Azure SP and configure the settings produced in the AppVeyor.yml.

This process usually requires a few steps to perform. It might be a good idea to include some helper functions to assist with doing things like this.

A function like this:

<#
  .SYNOPSIS
  New-AzureServicePrincipal

  .DESCRIPTION
  This task creates an Azure Service Principal in Azure AD that will be used for all installation automation.
  This can only be run interactively as the Login-AzureRmAccount will pop up an interactive window for
  the user to log in with.
  The output of this task can be used to deploy the application in future and should be stored in each contributor's AppVeyor account.
#>
[CmdletBinding()]
param
(
  [Parameter()]
  [System.String]
  $Name = 'DSCConfigurationTest',

  [Parameter(Mandatory = $true)]
  [System.String]
  $SubscriptionId,

  [Parameter(Mandatory = $true)]
  [System.String]
  $ADDomain,

  [Parameter(Mandatory = $true)]
  [SecureString]
  $ApplicationPassword
)

# Interactive login. SubscriptionId is mandatory, so it is always passed through;
# the returned context supplies the tenant id reported at the end.
$account = Login-AzureRmAccount -SubscriptionId $SubscriptionId

Write-Host -Object "Creating '$Name' Service Principal in Azure AD"
$app = New-AzureRmADApplication `
  -DisplayName $Name `
  -HomePage "https://$ADDomain/$Name" `
  -IdentifierUris "https://$ADDomain/$Name" `
  -Password $ApplicationPassword
Write-Host -Object "Creating Azure AD Service Principal for ApplicationId '$($app.ApplicationId)'"
$null = New-AzureRmADServicePrincipal `
  -ApplicationId $app.ApplicationId
Write-Host -Object "Assigning role Contributor to AD Service Principal for ApplicationId '$($app.ApplicationId)'"

# A freshly created service principal is not always visible to the role assignment
# API straight away, so retry a bounded number of times. -ErrorAction Stop makes the
# failure a terminating error that the catch block sees; with SilentlyContinue the
# catch would never run, so the loop would neither sleep nor count attempts.
$roleAssignment = $null
$retryCount = 0

while (-not $roleAssignment -and ($retryCount -lt 10)) {
  try {
    $roleAssignment = New-AzureRmRoleAssignment `
      -RoleDefinitionName Contributor `
      -ServicePrincipalName $app.ApplicationId `
      -ErrorAction Stop
  } catch {
    Write-Host -Object "Error assigning role Contributor to AD Service Principal for ApplicationId '$($app.ApplicationId)'. Retrying in 5 seconds..."
    Start-Sleep -Seconds 5
    $retryCount++
  }
} # while

if (-not $roleAssignment) {
  Write-Error -Message "Failed assigning role Contributor to AD Service Principal for ApplicationId '$($app.ApplicationId)'."
  return
}

Write-Host -Object "'$Name' service principal has been created."
Write-Host -Object "ApplicationID is '$($app.ApplicationId)'."
Write-Host -Object "SubscriptionID is '$SubscriptionId'."
Write-Host -Object "TenantID of '$($account.Context.Tenant.TenantId)'."

# These three values are what the contributor stores in AppVeyor for the test run.
return [PSObject] @{
  ApplicationID  = $app.ApplicationId
  SubscriptionID = $SubscriptionId
  TenantID       = $account.Context.Tenant.TenantId
}

This could possibly be added to TestHelper.psm1 in DscConfiguration.Tests.

PlagueHO, Jun 10 '17 11:06

I want to suggest that this script also create the resource group, and that the permission be set as Contributor on the resource group. Suggested in the issue https://github.com/PowerShell/DscConfiguration.Tests/issues/31.

johlju, Aug 04 '17 14:08

A minor bug in the script above: $account.Context.Tenant.TenantId should be $account.Context.Tenant.Id.

johlju, Aug 10 '17 13:08

Found another bug. The password must be passed in clear text to the cmdlet New-AzureRmADApplication when using the parameter -Password. Updated the code to fix this, and the previous bug, in this gist.

johlju, Aug 13 '17 08:08
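The following is an added example, not code from this thread or from the DscConfiguration.Tests project. It takes the script from the opening post, applies johlju's suggestion of creating the resource group and granting Contributor only on that resource group rather than on the whole subscription, and folds in the two fixes johlju reported (Tenant.Id, and the plain-text password that this AzureRm version's New-AzureRmADApplication -Password expects). It also verifies after the fact that the service principal holds no assignment broader than the resource group. The function name New-DscTestServicePrincipal, the -ResourceGroupName and -Location parameters and their defaults are assumptions; the cmdlets are the AzureRm ones the thread already uses.

```powershell
# Added example for this issue thread; not part of DscConfiguration.Tests.
# Assumes the AzureRm module (as used above). The function name and the
# ResourceGroupName/Location parameters are hypothetical.
function New-DscTestServicePrincipal {
  [CmdletBinding()]
  param (
    [Parameter()]                  [System.String] $Name = 'DSCConfigurationTest',
    [Parameter(Mandatory = $true)] [System.String] $SubscriptionId,
    [Parameter(Mandatory = $true)] [System.String] $ADDomain,
    [Parameter(Mandatory = $true)] [System.String] $ResourceGroupName,
    [Parameter()]                  [System.String] $Location = 'westus2',
    [Parameter(Mandatory = $true)] [SecureString]  $ApplicationPassword
  )

  # Interactive login, as in the original script.
  $account = Login-AzureRmAccount -SubscriptionId $SubscriptionId

  # The resource group is the only scope the test principal will be allowed to touch.
  $null = New-AzureRmResourceGroup -Name $ResourceGroupName -Location $Location -Force

  # Per johlju's comment, this cmdlet version takes the password as plain text, so
  # unwrap the SecureString immediately before the call and do not keep it around.
  $plainPassword = [System.Net.NetworkCredential]::new('', $ApplicationPassword).Password
  $app = New-AzureRmADApplication `
    -DisplayName $Name `
    -HomePage "https://$ADDomain/$Name" `
    -IdentifierUris "https://$ADDomain/$Name" `
    -Password $plainPassword
  $plainPassword = $null
  $null = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId

  # Contributor scoped to the resource group, with a bounded retry while the new
  # principal propagates. -ErrorAction Stop is required for the catch to run.
  $roleAssignment = $null
  for ($attempt = 1; ($attempt -le 10) -and (-not $roleAssignment); $attempt++) {
    try {
      $roleAssignment = New-AzureRmRoleAssignment `
        -RoleDefinitionName Contributor `
        -ServicePrincipalName $app.ApplicationId `
        -ResourceGroupName $ResourceGroupName `
        -ErrorAction Stop
    } catch {
      Write-Verbose -Message "Role assignment attempt $attempt failed: $($_.Exception.Message). Retrying in 5 seconds."
      Start-Sleep -Seconds 5
    }
  }
  if (-not $roleAssignment) {
    throw "Failed to assign Contributor on resource group '$ResourceGroupName' to ApplicationId '$($app.ApplicationId)'."
  }

  # Check that the principal ended up with exactly the resource-group scope and
  # nothing wider (e.g. a subscription-level assignment left over from an earlier run).
  $expectedScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"
  $scopes = @((Get-AzureRmRoleAssignment -ServicePrincipalName $app.ApplicationId).Scope)
  $unexpected = @($scopes | Where-Object { $_ -ne $expectedScope })
  if (($scopes -notcontains $expectedScope) -or ($unexpected.Count -gt 0)) {
    Write-Warning -Message "Unexpected role assignment scopes for '$($app.ApplicationId)': $($scopes -join ', ')"
  }

  # Values to store as secure variables in the contributor's AppVeyor account.
  # Tenant.Id is used rather than Tenant.TenantId, per the fix reported above.
  return [PSCustomObject] @{
    ApplicationID     = $app.ApplicationId
    SubscriptionID    = $SubscriptionId
    TenantID          = $account.Context.Tenant.Id
    ResourceGroupName = $ResourceGroupName
    Scope             = $expectedScope
  }
}
```

Usage is the same as the original script plus the resource group name, e.g. `New-DscTestServicePrincipal -SubscriptionId $sub -ADDomain 'contoso.onmicrosoft.com' -ResourceGroupName 'DscConfigTests' -ApplicationPassword (Read-Host -AsSecureString)`. The scope check at the end is the part worth keeping even if the rest changes: a CI principal that can only reach its own resource group limits what a leaked AppVeyor secret can do, and the check makes that limit visible rather than assumed.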