/pkg/armhelpers/graph.go
Go | 125 lines | 97 code | 19 blank | 9 comment | 11 complexity | 5f1d5d0dd16f6d4421eb32989b6ace06 MD5 | raw file
Possible License(s): MIT, Apache-2.0, 0BSD, AGPL-3.0, BSD-3-Clause, LGPL-3.0
- package armhelpers
- import (
- "fmt"
- "regexp"
- "time"
- "github.com/Azure/azure-sdk-for-go/arm/authorization"
- "github.com/Azure/azure-sdk-for-go/arm/graphrbac"
- "github.com/Azure/go-autorest/autorest/date"
- "github.com/Azure/go-autorest/autorest/to"
- "github.com/satori/go.uuid"
- log "github.com/sirupsen/logrus"
- )
- const (
- // AADContributorRoleID is the role id that exists in every subscription for 'Contributor'
- AADContributorRoleID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
- // AADRoleReferenceTemplate is a template for a roleDefinitionId
- AADRoleReferenceTemplate = "/subscriptions/%s/providers/Microsoft.Authorization/roleDefinitions/%s"
- // AADRoleResourceGroupScopeTemplate is a template for a roleDefinition scope
- AADRoleResourceGroupScopeTemplate = "/subscriptions/%s/resourceGroups/%s"
- )
- // CreateGraphApplication creates an application via the graphrbac client
- func (az *AzureClient) CreateGraphApplication(applicationCreateParameters graphrbac.ApplicationCreateParameters) (graphrbac.Application, error) {
- return az.applicationsClient.Create(applicationCreateParameters)
- }
- // CreateGraphPrincipal creates a service principal via the graphrbac client
- func (az *AzureClient) CreateGraphPrincipal(servicePrincipalCreateParameters graphrbac.ServicePrincipalCreateParameters) (graphrbac.ServicePrincipal, error) {
- return az.servicePrincipalsClient.Create(servicePrincipalCreateParameters)
- }
- // CreateRoleAssignment creates a role assignment via the authorization client
- func (az *AzureClient) CreateRoleAssignment(scope string, roleAssignmentName string, parameters authorization.RoleAssignmentCreateParameters) (authorization.RoleAssignment, error) {
- return az.authorizationClient.Create(scope, roleAssignmentName, parameters)
- }
- // CreateApp is a simpler method for creating an application
- func (az *AzureClient) CreateApp(appName, appURL string, replyURLs *[]string, requiredResourceAccess *[]graphrbac.RequiredResourceAccess) (applicationID, servicePrincipalObjectID, servicePrincipalClientSecret string, err error) {
- notBefore := time.Now()
- notAfter := time.Now().Add(10000 * 24 * time.Hour)
- startDate := date.Time{Time: notBefore}
- endDate := date.Time{Time: notAfter}
- servicePrincipalClientSecret = uuid.NewV4().String()
- log.Debugf("ad: creating application with name=%q identifierURL=%q", appName, appURL)
- applicationReq := graphrbac.ApplicationCreateParameters{
- AvailableToOtherTenants: to.BoolPtr(false),
- DisplayName: to.StringPtr(appName),
- Homepage: to.StringPtr(appURL),
- IdentifierUris: to.StringSlicePtr([]string{appURL}),
- ReplyUrls: replyURLs,
- PasswordCredentials: &[]graphrbac.PasswordCredential{
- {
- KeyID: to.StringPtr(uuid.NewV4().String()),
- StartDate: &startDate,
- EndDate: &endDate,
- Value: to.StringPtr(servicePrincipalClientSecret),
- },
- },
- RequiredResourceAccess: requiredResourceAccess,
- }
- applicationResp, err := az.CreateGraphApplication(applicationReq)
- if err != nil {
- return "", "", "", err
- }
- applicationID = to.String(applicationResp.AppID)
- log.Debugf("ad: creating servicePrincipal for applicationID: %q", applicationID)
- servicePrincipalReq := graphrbac.ServicePrincipalCreateParameters{
- AppID: applicationResp.AppID,
- AccountEnabled: to.BoolPtr(true),
- }
- servicePrincipalResp, err := az.servicePrincipalsClient.Create(servicePrincipalReq)
- if err != nil {
- return "", "", "", err
- }
- servicePrincipalObjectID = to.String(servicePrincipalResp.ObjectID)
- return applicationID, servicePrincipalObjectID, servicePrincipalClientSecret, nil
- }
- // CreateRoleAssignmentSimple is a wrapper around RoleAssignmentsClient.Create
- func (az *AzureClient) CreateRoleAssignmentSimple(resourceGroup, servicePrincipalObjectID string) error {
- roleAssignmentName := uuid.NewV4().String()
- roleDefinitionID := fmt.Sprintf(AADRoleReferenceTemplate, az.subscriptionID, AADContributorRoleID)
- scope := fmt.Sprintf(AADRoleResourceGroupScopeTemplate, az.subscriptionID, resourceGroup)
- roleAssignmentParameters := authorization.RoleAssignmentCreateParameters{
- Properties: &authorization.RoleAssignmentProperties{
- RoleDefinitionID: to.StringPtr(roleDefinitionID),
- PrincipalID: to.StringPtr(servicePrincipalObjectID),
- },
- }
- re := regexp.MustCompile("(?i)status=(\\d+)")
- for {
- _, err := az.CreateRoleAssignment(
- scope,
- roleAssignmentName,
- roleAssignmentParameters,
- )
- if err != nil {
- match := re.FindStringSubmatch(err.Error())
- if match != nil && (match[1] == "403") {
- //insufficient permissions. stop now
- log.Debugf("Failed to create role assignment (will abort now): %q", err)
- return err
- }
- log.Debugf("Failed to create role assignment (will retry): %q", err)
- time.Sleep(3 * time.Second)
- continue
- }
- break
- }
- return nil
- }