From a57b415ebf48231cc1d78fb785f8f18602da9701 Mon Sep 17 00:00:00 2001 From: Jesper Fajers Date: Mon, 13 Nov 2023 09:04:52 +0100 Subject: [PATCH] Update Code Improvement (#828) * Update * Update to Checkout v4 * Remove ARMAzOpsSetup.ps1 --- .github/workflows/dependencies.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/super-linter.yml | 2 +- .github/workflows/tests.yml | 4 +- .github/workflows/wiki-sync.yml | 4 +- scripts/ARMAzOpsSetup.ps1 | 205 ------------------ scripts/Dependencies.ps1 | 12 +- scripts/Remove-AzOpsTestsDeployment.ps1 | 6 +- .../functions/Get-AzOpsManagementGroup.ps1 | 11 +- .../functions/Get-AzOpsSubscription.ps1 | 2 +- src/localized/en-us/Strings.psd1 | 2 + .../managementGroups/deploy/deploy.ps1 | 2 +- 12 files changed, 28 insertions(+), 226 deletions(-) delete mode 100644 scripts/ARMAzOpsSetup.ps1 diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index e565b34e..3d5ca137 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: "Configure" run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c702b691..674d0bfe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout" - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: "Configure" run: | diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index 1a548756..1d6a4d5a 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Checkout code" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d82ddbd9..b6ddb478 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -29,7 +29,7 @@ jobs: # Checkout - name: "Checkout" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} @@ -108,7 +108,7 @@ jobs: # Checkout - name: "Checkout" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml index 7863f7e5..f13f0a68 100644 --- a/.github/workflows/wiki-sync.yml +++ b/.github/workflows/wiki-sync.yml @@ -22,13 +22,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Source Repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: repository: ${{ env.wiki_source_repo }} path: ${{ env.wiki_source_repo }} - name: Checkout Wiki Repo - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: repository: ${{ env.wiki_target_repo }} path: ${{ env.wiki_target_repo }} diff --git a/scripts/ARMAzOpsSetup.ps1 b/scripts/ARMAzOpsSetup.ps1 deleted file mode 100644 index ac6b285a..00000000 --- a/scripts/ARMAzOpsSetup.ps1 +++ /dev/null @@ -1,205 +0,0 @@ -<# - .SYNOPSIS - PowerShell script to bootstrap AzOps into GitHub as part of the Enterprise-Scale landing zone portal deployment experience. - It is designed to run in deploymentScripts invoked from the ESLZ portal experience. - .PARAMETER KeyVault - Name of the Key Vault that stores PAT and SPN secrets - .PARAMETER GitHubUserNameOrOrg - Github Username or Organization, for example Azure - .PARAMETER PATSecretName - Name of Key Vault secret where personal access token is stored - .PARAMETER SPNSecretName - Name of Key Vault secret where Service Principal Secret is stored - .PARAMETER SPNAppId - ApplicationId of the Service Principal to be used - .PARAMETER AzureTenantId - Azure Tenant Id to be used - .PARAMETER AzureSubscriptionId - Azure Subscription Id to be used - .PARAMETER EnterpriseScalePrefix - Prefix of the Enterprise Scale deployment - .PARAMETER NewRepositoryName - Name of the repository to be created -#> -[CmdletBinding()] -param ( - [Parameter(Mandatory = $true)][string]$KeyVault, - [Parameter(Mandatory = $true)][string]$GitHubUserNameOrOrg, - [Parameter(Mandatory = $true)][string]$PATSecretName, - [Parameter(Mandatory = $true)][string]$SPNSecretName, - [Parameter(Mandatory = $true)][string]$SpnAppId, - [Parameter(Mandatory = $true)][string]$AzureTenantId, - [Parameter(Mandatory = $true)][string]$AzureSubscriptionId, - [Parameter(Mandatory = $true)][string]$EnterpriseScalePrefix, - [Parameter(Mandatory = $true)][string]$NewRepositoryName -) -begin { - $DeploymentScriptOutputs = @{} - - $ESLZGitHubOrg = "Azure" - $ESLZRepository = "AzOps-Accelerator" - $NewESLZRepository = $NewRepositoryName - $DeploymentScriptOutputs['New Repository'] = $NewRepositoryName - - Write-Host "The request has been accepted for processing, but the processing has not been completed." - - # Adding sleep so that RBAC can propegate - Start-Sleep -Seconds 500 - - # Install dependencies - $ErrorActionPreference = "Continue" - Install-Module -Name PowerShellForGitHub, PSSodium -Confirm:$false -Force - Import-Module -Name PowerShellForGitHub, PSSodium - Set-GitHubConfiguration -DisableTelemetry - - function Invoke-GHRequest { - param ( - [Parameter(Mandatory = $true)]$PatSecret, - [Parameter(Mandatory = $false)]$Path, - [Parameter(Mandatory = $false)]$RequestBody, - [Parameter(Mandatory = $true)][ValidateSet("Get", "Put", "Post")]$Method, - [Parameter(Mandatory = $true)]$Org, - [Parameter(Mandatory = $true)]$Repo - ) - begin { - $RequestUri = 'https://api.github.com/repos/{0}/{1}' -f $Org, $Repo - if ($Path) { $RequestUri = "$($RequestUri)$($Path)" } - $Request = @{ - Method = $Method - Headers = @{ - Authorization = "Token $($PATSecret)" - 'Content-Type' = "application/json" - Accept = "application/vnd.github.v3+json" - } - Uri = $RequestUri - } - if ($RequestBody) { - $Request.Body = $RequestBody - } - } process { - try { - Write-Verbose -Message "Calling $RequestUri" - Invoke-RestMethod @Request - } - catch { - Write-Error $_ - } - } - } -} -process { - #region Get secrets from Key Vault - try { - Write-Host "Getting secrets from KeyVault" - $PATSecret = Get-AzKeyVaultSecret -VaultName $KeyVault -Name $PATSecretName -AsPlainText - $SPNSecret = Get-AzKeyVaultSecret -VaultName $KeyVault -Name $SPNSecretName -AsPlainText - } - catch { - throw "Failed to retrieve the secret from $($KeyVault).`r`n$_" - } - #endregion Get secrets from Key Vault - - # Create base call with uri - $BaseGHRest = @{ - PatSecret = $PATSecret - Org = $GitHubUserNameOrOrg - Repo = $NewRepositoryName - } - - #region authenticate to GitHub pwsh module using PAT - try { - $ghCred = New-Object System.Management.Automation.PSCredential "ignore", ($PATSecret | ConvertTo-SecureString -AsPlainText -Force) - Write-Host "Authenticating to GitHub using PA token..." - Set-GitHubAuthentication -Credential $ghCred - } - catch { - throw "Failed to authenticate to Git. Ensure you provided the correct PA Token for $($GitHubUserNameOrOrg).`r`n$_" - } - #endregion authenticate to GitHub pwsh module using PAT - - #region Check if target GitHub Repository exists - Write-Host "Checking if repository $NewRepositoryName already exists before continuing..." - $RepoExists = Invoke-GHRequest -Method Get @BaseGHRest -ErrorAction SilentlyContinue - - if ([string]::IsNullOrEmpty($RepoExists)) { - try { - Write-Host "Moving on; creating the repository $NewESLZRepository in $GitHubUserNameOrOrg" - Get-GitHubRepository -OwnerName $ESLZGitHubOrg ` - -RepositoryName $ESLZRepository | New-GitHubRepositoryFromTemplate ` - -TargetRepositoryName $NewESLZRepository ` - -TargetOwnerName $GitHubUserNameOrOrg ` - -Private - } - catch { - throw "Failed to create repository`r`n$_" - } - # Creating secrets for the Service Principal into GitHub - } - else { - throw "Repository $($GitHubUserNameOrOrg)/$($NewESLZRepository) already exists" - } - - #region Get GitHub public key and create new secrets - try { - # Simple retry to handle eventual consistency of the public keys - $keyCount = 0 - do { - Start-Sleep -Seconds 10 - $keyCount++ - Write-host "Attempt $keyCount; Getting GitHub Public Key to create new secrets... " - $GitHubPublicKey = Invoke-GHRequest @BaseGHRest -Path "/actions/secrets/public-key" -Method Get -ErrorAction SilentlyContinue - } until ($GitHubPublicKey.key -or $keyCount -eq 10) - - #Convert secrets to sodium with public key - $Secrets = @{ - ARM_CLIENT_ID = (ConvertTo-SodiumEncryptedString -Text $SpnAppId -PublicKey $GitHubPublicKey.key) - ARM_CLIENT_SECRET = (ConvertTo-SodiumEncryptedString -Text $SPNSecret -PublicKey $GitHubPublicKey.key) - ARM_TENANT_ID = (ConvertTo-SodiumEncryptedString -Text $AzureTenantId -PublicKey $GitHubPublicKey.key) - ARM_SUBSCRIPTION_ID = (ConvertTo-SodiumEncryptedString -Text $AzureSubscriptionId -PublicKey $GitHubPublicKey.key) - } - - # Create secrets - foreach ($Secret in $Secrets.Keys) { - Write-Host "Creating secret $secret" - $SecretBody = @{ - encrypted_value = $Secrets[$Secret] - key_id = $GitHubPublicKey.Key_id - } | ConvertTo-Json - Invoke-GHRequest @BaseGHRest -Path "/actions/secrets/$secret" -RequestBody $SecretBody -Method Put - } - } - catch { - throw "Failed to create secrets $($GitHubUserNameOrOrg).`r`n$_" - } - #endregion Get GitHub public key and create new secrets - - #region Grant workflow "Read and write permissions" and "Allow GitHub Actions to create and approve pull requests" permissions - try { - Write-Host "Configure workflow permissions for pull requests and read/write permissions" - $GrantBody = @{ - default_workflow_permissions = 'write' - can_approve_pull_request_reviews = $true - } | ConvertTo-Json - Invoke-GHRequest @BaseGHRest -Method PUT -RequestBody $GrantBody -Path '/actions/permissions/workflow' - } - catch { - throw "Failed to configure workflow permissions for $($GitHubUserNameOrOrg)/$($NewESLZRepository)`r`n$_" - } - #endregion Grant workflow "Read and write permissions" and "Allow GitHub Actions to create and approve pull requests" permissions - - #region Trigger repository dispatch for AzOps-Pull job - try { - Write-Host "Invoking GitHub Action to bootstrap the repository." - $DispatchBody = @{ - event_type = 'Enterprise-Scale Deployment' - } | ConvertTo-Json - Invoke-GHRequest @BaseGHRest -Method Post -RequestBody $DispatchBody -Path '/dispatches' - - } - catch { - throw "Failed to trigger repository dispatch $($GitHubUserNameOrOrg)/$($NewESLZRepository)`r`n$_" - } - #endregion Trigger repository dispatch for AzOps-Pull job - - Write-Host "Successfully bootstrapped $($GitHubUserNameOrOrg)/$($NewESLZRepository) with the $($ESLZRepository)" -} diff --git a/scripts/Dependencies.ps1 b/scripts/Dependencies.ps1 index 66f5733a..9e7beb50 100644 --- a/scripts/Dependencies.ps1 +++ b/scripts/Dependencies.ps1 @@ -6,23 +6,23 @@ param ( # Development Modules Set-PSRepository -Name $Repository -InstallationPolicy Trusted $modules = @("Pester", "PSModuleDevelopment", "PSScriptAnalyzer") -Write-Host "Installing development modules" +Write-Output "Installing development modules" foreach ($module in $modules) { - Write-Host "Installing: $module" + Write-Output "Installing: $module" Install-Module $module -Repository $Repository -Force } # Runtime Modules $data = Import-PowerShellDataFile -Path "$PSScriptRoot/../src/AzOps.psd1" -Write-Host "Installing runtime modules" +Write-Output "Installing runtime modules" foreach ($dependency in $data.RequiredModules) { $module = Get-Module -Name $dependency.ModuleName -ListAvailable if ($module) { foreach ($item in $module) { - Write-Host "Cleanup of: $($item.Name)" - Uninstall-Module -Name $item.Name -Force + Write-Output "Cleanup of: $($item.Name)" + Uninstall-Module -Name $item.Name -Force } } - Write-Host "Installing: $($dependency.ModuleName) $($dependency.RequiredVersion)" + Write-Output "Installing: $($dependency.ModuleName) $($dependency.RequiredVersion)" Install-Module -Name $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -Repository $Repository } # Download and add bicep to PATH diff --git a/scripts/Remove-AzOpsTestsDeployment.ps1 b/scripts/Remove-AzOpsTestsDeployment.ps1 index 8ff32a1e..6e103e9b 100644 --- a/scripts/Remove-AzOpsTestsDeployment.ps1 +++ b/scripts/Remove-AzOpsTestsDeployment.ps1 @@ -16,7 +16,7 @@ process { if ($CleanupEnvironment) { - function Remove-ManagementGroups { + function Remove-ManagementGroup { param ( [Parameter()] @@ -40,7 +40,7 @@ if ($_.Type -eq "Microsoft.Management/managementGroups") { # Invoke function again with Child resources Write-PSFMessage -Level Verbose -Message "Nested Management Group: $($DisplayName)" -FunctionName "Remove-AzOpsTestsDeployment" - Remove-ManagementGroups -DisplayName $_.DisplayName -Name $_.Name -RootName $RootName + Remove-ManagementGroup -DisplayName $_.DisplayName -Name $_.Name -RootName $RootName } if ($_.Type -eq '/subscriptions') { # Move Subscription resource to Tenant Root Group @@ -60,7 +60,7 @@ # Cleanup managementGroups $script:managementGroups = Get-AzManagementGroup -ErrorAction SilentlyContinue | Where-Object {$_.DisplayName -eq "Test" -or $_.DisplayName -eq "AzOpsMGMTName"} -ErrorAction SilentlyContinue foreach ($script:mgclean in $script:managementGroups) { - Remove-ManagementGroups -DisplayName $script:mgclean.DisplayName -Name $script:mgclean.Name -RootName (Get-AzTenant).TenantId + Remove-ManagementGroup -DisplayName $script:mgclean.DisplayName -Name $script:mgclean.Name -RootName (Get-AzTenant).TenantId } # Collect resources to cleanup Get-AzResourceLock | Remove-AzResourceLock -Force diff --git a/src/internal/functions/Get-AzOpsManagementGroup.ps1 b/src/internal/functions/Get-AzOpsManagementGroup.ps1 index b8eea91e..f143a235 100644 --- a/src/internal/functions/Get-AzOpsManagementGroup.ps1 +++ b/src/internal/functions/Get-AzOpsManagementGroup.ps1 @@ -31,7 +31,6 @@ [CmdletBinding()] param ( [Parameter(Mandatory = $true)] - [ValidateScript( { Get-AzManagementGroup -GroupId $_ -WarningAction SilentlyContinue })] $ManagementGroup, [switch] @@ -39,7 +38,13 @@ ) process { - $groupObject = Get-AzManagementGroup -GroupId $ManagementGroup -Expand -WarningAction SilentlyContinue + try { + $groupObject = Get-AzManagementGroup -GroupId $ManagementGroup -Expand -WarningAction SilentlyContinue + } + catch { + Write-PSFMessage -Level Error -String 'Get-AzOpsManagementGroup.Failed' -StringValues $ManagementGroup + throw + } if ($PartialDiscovery) { if ($groupObject.ParentId -and -not (Get-AzManagementGroup -GroupId $groupObject.ParentName -ErrorAction Ignore -WarningAction SilentlyContinue)) { $script:AzOpsPartialRoot += $groupObject @@ -50,7 +55,7 @@ } } } - $groupObject + return $groupObject } } \ No newline at end of file diff --git a/src/internal/functions/Get-AzOpsSubscription.ps1 b/src/internal/functions/Get-AzOpsSubscription.ps1 index cba8931c..884d00b9 100644 --- a/src/internal/functions/Get-AzOpsSubscription.ps1 +++ b/src/internal/functions/Get-AzOpsSubscription.ps1 @@ -34,7 +34,7 @@ $TenantId, [string] - $ApiVersion = '2020-01-01' + $ApiVersion = '2022-12-01' ) process { diff --git a/src/localized/en-us/Strings.psd1 b/src/localized/en-us/Strings.psd1 index 85816782..aa07491c 100644 --- a/src/localized/en-us/Strings.psd1 +++ b/src/localized/en-us/Strings.psd1 @@ -84,6 +84,8 @@ 'Get-AzOpsCurrentPrincipal.AccountType' = 'Current AccountType is {0}' #$AzContext.Account.Type 'Get-AzOpsCurrentPrincipal.PrincipalId' = 'Current PrincipalId is {0}' #$principalObject.id + 'Get-AzOpsManagementGroup.Failed' = 'Get-AzManagementGroup -GroupId {0} failed' #$ManagementGroup + 'Get-AzOpsPolicyAssignment.ManagementGroup' = 'Retrieving Policy Assignment for Management Group {0} ({1})' # $ScopeObject.ManagementGroupDisplayName, $ScopeObject.ManagementGroup 'Get-AzOpsPolicyAssignment.ResourceGroup' = 'Retrieving Policy Assignment for Resource Group in {0} Subscription objects' # $Subscription.count 'Get-AzOpsPolicyAssignment.Subscription' = 'Retrieving Policy Assignment for {0} Subscription objects' # $Subscription.count diff --git a/src/tests/functional/Microsoft.Management/managementGroups/deploy/deploy.ps1 b/src/tests/functional/Microsoft.Management/managementGroups/deploy/deploy.ps1 index f14c1acb..666749aa 100644 --- a/src/tests/functional/Microsoft.Management/managementGroups/deploy/deploy.ps1 +++ b/src/tests/functional/Microsoft.Management/managementGroups/deploy/deploy.ps1 @@ -14,7 +14,7 @@ try { $script:mgmt = Get-AzManagementGroup $script:testManagementGroup = ($script:mgmt | Where-Object Name -eq "AzOpsMGMTID") - if ($script:testManagementGroup -ne $null) { + if ($null -ne $script:testManagementGroup) { $script:mgmtRun = "Done" } else {