From b729af02d536e648c262b2c05233691371b4834a Mon Sep 17 00:00:00 2001 From: Dario Brozovic Date: Fri, 6 Sep 2024 15:02:12 +0200 Subject: [PATCH 1/5] adding scaffolding for oidc method --- oidc/.env | 12 ++++ oidc/Readme.md | 127 +++++++++++++++++++++++++++++++++ oidc/federated_credential.json | 9 +++ oidc/resources.bicep | 61 ++++++++++++++++ oidc/up.sh | 120 +++++++++++++++++++++++++++++++ 5 files changed, 329 insertions(+) create mode 100644 oidc/.env create mode 100644 oidc/Readme.md create mode 100644 oidc/federated_credential.json create mode 100644 oidc/resources.bicep create mode 100755 oidc/up.sh diff --git a/oidc/.env b/oidc/.env new file mode 100644 index 0000000..a6e2b1e --- /dev/null +++ b/oidc/.env @@ -0,0 +1,12 @@ +# change values as needed +name="tfscaffold" +suffix="dev" +location="northeurope" + +spName="sp-$name-$suffix" +rg="rg-$name-$suffix" +tag="$suffix" +saName="stac0${name}0${suffix}" +scName="blob0${name}0${suffix}" + +saSku="Standard_ZRS" diff --git a/oidc/Readme.md b/oidc/Readme.md new file mode 100644 index 0000000..03471d7 --- /dev/null +++ b/oidc/Readme.md 
@@ -0,0 +1,127 @@ +# Terraform scaffold for Azure + +This repo contains everything to get started with Terraform on Azure. + +## What you will get + +After executing the below steps you will get: + +- a service principal used to run Terraform on behalf +- a Storage Container used to store the Terraform state file + +## Requirements + +This project requires the following: + +- Bash or PowerShell (you can use [Azure Cloud Shell](http://shell.azure.com/)) +- for Bash you need to have [jq](https://stedolan.github.io/jq/) installed +- Azure CLI (authenticated) +- the executing user needs Subscription owner access (to give owner access to the Service Principal for creating managed identities and assigning roles) as well as the Application Developer role in AAD (to create the Service Principal) + +## Get started with Bash + +Execute the following steps to get started: + +1. Authenticate against Azure by executing `az login` +1. Optional: Export your Tenant (`tenantId`) and Subscription ID (`subscriptionId`) if you don't like to deploy with your `az` defaults. +1. Customize `.env` based on your needs and naming conventions (Make sure you met all [Azure naming rules and restrictions](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)). +1. Update the \ in `federated_credential.json`. +1. Execute `up.sh` to deploy everything needed +1. Grant admin consent for the created app registrations (Terraform will then be allowed to create app registrations and groups in Azure AD). This needs Azure Active Directory global admin access. Find more details on how to grant consent [here](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent). + +#TODO +## Get started with PowerShell + +Execute the following steps to get started: + +1. Authenticate against Azure by executing `az login` +2. 
Optional: Create environment variables for Tenant (`tenantId`) and Subscription ID (`subscriptionId`) or call the script with the parameters `-tenantId` and `-subscriptionId` if you don't like to deploy with your `az` defaults. +3. Customize `.env.powershell` based on your needs and naming conventions (Make sure you met all [Azure naming rules and restrictions](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)). +4. Execute `up.ps1` to deploy everything needed +5. Grant admin consent for the created app registrations (Terraform will then be allowed to create app registrations and groups in Azure AD). This needs Azure Active Directory global admin access. Find more details on how to grant consent [here](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent). + +## Scaffold a Terraform project + +You will need to tell Terraform where to store its state file. To do so, you need to customize your `main.tf` file based on the below example: + +``` +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.77.0" + } + } + backend "azurerm" { + key = "azure.tfstate" + } +} + +provider "azurerm" { + # Configuration options +} +``` + +[Terraform Backend Docs for azurerm](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm) + +[Azure Provider Docs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) + +We do not recommend to store any secrets and credentials in code. Therefore everything needed will be requested from Key Vault as needed. 
To init you project run the following script: + +```Bash +#!/bin/bash + +# customize your subscription id and resource group name +export subscriptionId="00000000-0000-0000-0000-000000000000" +export rg="my-rg" + +# sets subscription; +az account set --subscription $subscriptionId + +# get vault +export vaultName=$(az keyvault list --subscription=$subscriptionId -g $rg --query '[0].{name:name}' -o tsv) + +## extracts and exports secrets +export saKey=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sa-key --query value -o tsv) +export saName=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sa-name --query value -o tsv) +export scName=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sc-name --query value -o tsv) +export spSecret=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sp-secret --query value -o tsv) +export spId=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sp-id --query value -o tsv) + +# exports secrets +export ARM_SUBSCRIPTION_ID=$subscriptionId +export ARM_TENANT_ID=$tenantId +export ARM_CLIENT_ID=$spId +export ARM_CLIENT_SECRET=$spSecret + +# runs Terraform init +terraform init -input=false \ + -backend-config="access_key=$saKey" \ + -backend-config="storage_account_name=$saName" \ + -backend-config="container_name=$scName" +``` + +## Azuread provider configuration + +``` +terraform { + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.44.1" + } + } +} + +provider "azuread" { + # Configuration options +} +``` + +[Azure Active Directory Provider Docs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs) + +## Disclaimer + +The `up.sh` script asks you whether you would like to map our Partner ID to the created Service Principal. 
Feel free to opt-out or remove the marked lines if you don't like to support us. + +> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/oidc/federated_credential.json b/oidc/federated_credential.json new file mode 100644 index 0000000..7491406 --- /dev/null +++ b/oidc/federated_credential.json @@ -0,0 +1,9 @@ +{ + "name": "Dev service connection", + "issuer": "https://vstoken.dev.azure.com/", + "subject": "sc:////", + "description": "Terraform pipeline", + "audiences": [ + "api://AzureADTokenExchange" + ] +} \ No newline at end of file diff --git a/oidc/resources.bicep b/oidc/resources.bicep new file mode 100644 index 0000000..e9db47b --- /dev/null +++ b/oidc/resources.bicep 
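Review bot: The `issuer` ends in a bare slash and the `subject` reads `sc:////`, and nothing in this series verifies that the placeholders were filled in before up.sh hands this file to `az ad app federated-credential create`. For Azure DevOps workload identity federation the issuer carries the organization id (`https://vstoken.dev.azure.com/<organization-id>`) and the subject must name one exact service connection (`sc://<org>/<project>/<service-connection>`); an issuer without the organization id never matches the token's `iss` claim, and a subject pointing at a different service connection lets that pipeline act as this Owner-level principal. If the angle-bracket placeholders were only lost in rendering, a one-line guard in up.sh such as `grep -q '<' federated_credential.json && { echo 'fill in federated_credential.json first' >&2; exit 1; }` would stop the template from being registered verbatim. The file also lacks a trailing newline.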
@@ -0,0 +1,61 @@ +param sa_name string +param sa_sku string +param sc_name string +param tag string +param location string + +resource tf_sa 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: sa_name + location: location + tags: { + environment: tag + managedBy: 'tfScaffolding' + } + sku: { + name: sa_sku + } + kind: 'StorageV2' + properties: { + networkAcls: { + bypass: 'AzureServices' + virtualNetworkRules: [] + ipRules: [] + defaultAction: 'Allow' + } + supportsHttpsTrafficOnly: true + minimumTlsVersion: 'TLS1_2' + encryption: { + services: { + file: { + enabled: true + } + blob: { + enabled: true + } + } + keySource: 'Microsoft.Storage' + } + } +} + +resource tf_sb 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = { + parent: tf_sa + name: 'default' + properties: { + deleteRetentionPolicy: { + enabled: true + days: 30 + allowPermanentDelete: false + } + containerDeleteRetentionPolicy: { + enabled: true + days: 30 + allowPermanentDelete: false + } + } +} + +resource tf_sc 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-01-01' = { + parent: tf_sb + name: sc_name +} diff --git a/oidc/up.sh b/oidc/up.sh new file mode 100755 index 0000000..e420bf2 --- /dev/null +++ b/oidc/up.sh 
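Review bot: The storage account that will hold Terraform state is created with `networkAcls.defaultAction: 'Allow'` and empty rule lists, and `allowSharedKeyAccess` is left at its default, so state files — which routinely contain plaintext secrets — remain reachable from any network with an account key even though this method exists to authenticate via OIDC. Because up.sh grants the principal `Storage Blob Data Owner`, the account can run with keys disabled: add `allowSharedKeyAccess: false` and `allowBlobPublicAccess: false` under `properties` (the azurerm backend then needs `use_azuread_auth = true`), and consider `defaultAction: 'Deny'` once the agent IPs or a private endpoint are known, since hosted Azure DevOps agents have changing addresses and Deny alone would lock them out. Adding `isVersioningEnabled: true` to the `tf_sb` properties next to the existing soft-delete settings would also make a corrupted or overwritten state file recoverable.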
@@ -0,0 +1,120 @@
+#!/bin/bash
+# Used to bootstrap infrastructure required by Terraform
+
+set -e # Exit on error
+set -o pipefail # Exit on pipeline failure
+
+# Check for jq installation
+if ! command -v jq >/dev/null; then
+ echo "Error: jq is not installed."
+ exit 1
+fi
+
+# Central error handling
+error_handler() {
+ echo "Error on line $1"
+ exit 1
+}
+
+trap 'error_handler $LINENO' ERR
+
+# Check and export subscription/tenant if needed
+if [[ -z "$subscriptionId" ]]; then
+ export subscriptionId=$(az account show --query id -o tsv)
+ [[ -n "$subscriptionId" ]] && echo "Subscription exported..." || exit 1
+else
+ echo "Subscription details are set..."
+fi
+
+if [[ -z "$tenantId" ]]; then
+ export tenantId=$(az account show --query homeTenantId -o tsv)
+ [[ -n "$tenantId" ]] && echo "Tenant exported..." || exit 1
+else
+ echo "Tenant details are set..."
+fi
+
+# Sources variables
+if [[ -f ".env" ]]; then
+ source .env
+fi
+
+# Set subscription
+az account set --subscription "$subscriptionId"
+
+# Creates resource group
+az group create --name "$rg" \
+ --location "$location" \
+ --tags environment="$tag" \
+ --subscription "$subscriptionId"
+echo "Resources group created..."
+
+# create service principal if not exists already
+# Needs to be owner to create managed identities and assign roles
+if [[ $(az ad sp list --display-name $spName --query "[].displayName" -o tsv) = "$spName" ]]; then
+echo "Service principal already exists..."
+export spId=$(az ad sp list --display-name $spName --query "[].appId" -o tsv)
+else
+ export sp=$(az ad sp create-for-rbac \
+ --name "$spName" \
+ --role="Owner" \
+ --scopes="/subscriptions/$subscriptionId" \
+ --years 99)
+echo "Service principal created..."
+# Set service principal id variable
+export spId=$(echo "$sp" | jq -r '.appId')
+# Create federated credential
+az ad app federated-credential create --id "$spId" --parameters ./federated_credential.json
+echo "Federated credential created..."
+fi
+
+# Add ADD API permissions - Group.ReadWrite.All, GroupMember.ReadWrite.All, User.Read.All
+az ad app permission add \
+ --id "$spId" \
+ --api 00000003-0000-0000-c000-000000000000 \
+ --api-permissions \
+ 62a82d76-70ea-41e2-9197-370581804d09=Role \
+ dbaae8cf-10b5-4b86-a4a1-f871c94c6695=Role \
+ df021288-bdef-4463-88db-98f22de89214=Role
+echo "Service principal authorized..."
+
+# Update roles
+az role assignment create \
+ --assignee "$spId" \
+ --scope "/subscriptions/$subscriptionId" \
+ --role "Monitoring Metrics Publisher"
+echo "Service principal role updated..."
+
+# Creates resources
+az deployment group create \
+ --name "$name" \
+ --resource-group "$rg" \
+ --template-file ./resources.bicep \
+ --subscription "$subscriptionId" \
+ --mode Incremental \
+ --parameters "sa_name=$saName" \
+ "sa_sku=$saSku" \
+ "sc_name=$scName" \
+ "tag=$tag" \
+ "location=$location"
+echo "Deployment created..."
+
+
+# Add Storage Blob Data Owner role assignment
+az role assignment create \
+ --assignee "$spId" \
+ --role "Storage Blob Data Owner" \
+ --scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$saName"
+echo "Role for Service Principal created..."
+
+# Map Partner ID (optional)
+echo "---"
+read -r -p "Do you like to map our Partner ID? [y/N] " response
+if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+ az extension add --name managementpartner
+ az login --tenant "$tenantId" --service-principal -u "$spId" -p "$spSecret"
+ az managementpartner create --partner-id 3699617
+ az logout
+ echo "---"
+ echo "Please login."
+ az login
+fi
\ No newline at end of file
From 0aab8457d6de32645fb0e9d11d2d71f6c6444e6c Mon Sep 17 00:00:00 2001
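Review bot: The existing-principal check `az ad sp list --display-name $spName` is a prefix match on an unquoted name, so a second principal such as `sp-tfscaffold-dev2` makes the comparison fail and, on the lookup branch, turns `spId` into a multi-line value that every later `--id`/`--assignee` call receives; use an exact filter, `az ad sp list --filter "displayName eq '$spName'" --query "[0].appId" -o tsv`, and quote the variable. `export sp=$(az ad sp create-for-rbac ...)` also places the JSON that includes the freshly generated client secret into the environment of every subsequent child process, although the OIDC flow set up here needs no password at all; keep it a plain `sp=` assignment, or create the registration without a password via `az ad app create` and `az ad sp create` followed by the role assignment. The `az role assignment create --assignee "$spId"` calls pass the appId immediately after creation, which is the well-known Graph replication race that makes this script fail intermittently on first run; `--assignee-object-id "$(az ad sp show --id "$spId" --query id -o tsv)" --assignee-principal-type ServicePrincipal` avoids the lookup entirely. With `set -e` but no `set -u`, an empty `spSecret` in the partner block is also passed silently to `az login ... -p`, where the value is visible in the process list.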
From: Dario Brozovic Date: Tue, 10 Sep 2024 16:02:56 +0200 Subject: [PATCH 2/5] adding powershell oidc version --- oidc/.env.powershell | 5 ++ oidc/Readme.md | 9 +- oidc/federated_credential.json | 2 +- oidc/up.ps1 | 152 +++++++++++++++++++++++++++++++++ oidc/up.sh | 1 - 5 files changed, 163 insertions(+), 6 deletions(-) create mode 100644 oidc/.env.powershell create mode 100644 oidc/up.ps1 diff --git a/oidc/.env.powershell b/oidc/.env.powershell new file mode 100644 index 0000000..7d74521 --- /dev/null +++ b/oidc/.env.powershell @@ -0,0 +1,5 @@ +# change values as needed +name=tfscaffold +suffix=dev +location=northeurope +saSku=Standard_ZRS diff --git a/oidc/Readme.md b/oidc/Readme.md index 03471d7..3ad489e 100644 --- a/oidc/Readme.md +++ b/oidc/Readme.md 
@@ -35,10 +35,11 @@ Execute the following steps to get started: Execute the following steps to get started: 1. Authenticate against Azure by executing `az login` -2. Optional: Create environment variables for Tenant (`tenantId`) and Subscription ID (`subscriptionId`) or call the script with the parameters `-tenantId` and `-subscriptionId` if you don't like to deploy with your `az` defaults. -3. Customize `.env.powershell` based on your needs and naming conventions (Make sure you met all [Azure naming rules and restrictions](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)). -4. Execute `up.ps1` to deploy everything needed -5. Grant admin consent for the created app registrations (Terraform will then be allowed to create app registrations and groups in Azure AD). This needs Azure Active Directory global admin access. Find more details on how to grant consent [here](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent). +1. Optional: Create environment variables for Tenant (`tenantId`) and Subscription ID (`subscriptionId`) or call the script with the parameters `-tenantId` and `-subscriptionId` if you don't like to deploy with your `az` defaults. +1. Customize `.env.powershell` based on your needs and naming conventions (Make sure you met all [Azure naming rules and restrictions](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-name-rules)). +1. Update the \ in `federated_credential.json`. +1. Execute `up.ps1` to deploy everything needed +1. Grant admin consent for the created app registrations (Terraform will then be allowed to create app registrations and groups in Azure AD). This needs Azure Active Directory global admin access. Find more details on how to grant consent [here](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent). ## Scaffold a Terraform project 
diff --git a/oidc/federated_credential.json b/oidc/federated_credential.json index 7491406..9e91661 100644 --- a/oidc/federated_credential.json +++ b/oidc/federated_credential.json @@ -1,5 +1,5 @@ { - "name": "Dev service connection", + "name": "-service-connection", "issuer": "https://vstoken.dev.azure.com/", "subject": "sc:////", "description": "Terraform pipeline", diff --git a/oidc/up.ps1 b/oidc/up.ps1 new file mode 100644 index 0000000..d1c6eec --- /dev/null +++ b/oidc/up.ps1 
@@ -0,0 +1,152 @@ +[CmdletBinding()] +param ( + [Parameter()] + [string] + $subscriptionId = $env:subscriptionId, + + [Parameter()] + [string] + $tenantId = $env:tenantId +) + +# Error trapping +trap { + Write-Host "Error on line $($($_.InvocationInfo.ScriptLineNumber)): $($_.Exception.Message)" + exit 1 +} + +# If $subscriptionId is not set, try to set it using the az CLI +# If $subscriptionId is still not set after that, throw an error +if (-not $subscriptionId) { + $subscriptionId = az account show --query id -o tsv + if (-not $subscriptionId) { + throw "Failed to obtain subscription ID" + } +} +Write-Host "Subscription ID set to $subscriptionId" + +# If $tenantId is not set, try to set it using the az CLI +# If $tenantId is still not set after that, throw an error +if (-not $tenantId) { + $tenantId = az account show --query homeTenantId -o tsv + if (-not $tenantId) { + throw "Failed to obtain tenant ID" + } +} +Write-Host "Tenant ID set to $tenantId" + +# Load independent variables from .env.powershell file +$envVars = Get-Content .env.powershell | Out-String | ConvertFrom-StringData + +# Declare dependent variables +$spName = "sp-$($envVars['name'])-$($envVars['suffix'])" +$rg = "rg-$($envVars['name'])-$($envVars['suffix'])" +$tag = $envVars['suffix'] +$saName = "stac0$($envVars['name'])0$($envVars['suffix'])" +$scName = "blob0$($envVars['name'])0$($envVars['suffix'])" + +# Set subscription +az account set --subscription "$subscriptionId" + +# Creates resource group +az group create ` + --name $rg ` + --location "$($envVars['location'])" ` + --tags environment="$tag" ` + --subscription "$subscriptionId" +if (-not $?) { + throw "Failed to create resource group" +} +Write-Host "Resource group created..." 
+ +# Creates a service principal if it doesn't exist +# Needs to be owner to create managed identities and assign roles +$sp = az ad sp list --display-name $spName --query "[].displayName" -o tsv +if ($sp -eq $spName) { + Write-Host "Service principal already exists..." + $spId = az ad sp list --display-name $spName --query "[].appId" -o tsv +} +else { + $sp = az ad sp create-for-rbac ` + --name $spName ` + --role "Owner" ` + --scopes "/subscriptions/$subscriptionId" ` + --years 99 | ConvertFrom-Json + Write-Host "Service principal created..." + # Set service principal id variable + $spId = $sp.appId + $parametersPath = "./federated_credential.json" + az ad app federated-credential create --id $spId --parameters $parametersPath + Write-Host "Federated credential created..." +} + +# Add ADD API permissions - Group.ReadWrite.All, GroupMember.ReadWrite.All, User.Read.All +az ad app permission add ` + --id "$spId" ` + --api 00000003-0000-0000-c000-000000000000 ` + --api-permissions ` + 62a82d76-70ea-41e2-9197-370581804d09=Role ` + dbaae8cf-10b5-4b86-a4a1-f871c94c6695=Role ` + df021288-bdef-4463-88db-98f22de89214=Role +if (-not $?) { + throw "Failed to add ADD API permissions" +} +Write-Host "ADD API permissions added..." + +# Update roles +az role assignment create ` + --assignee "$spId" ` + --scope "/subscriptions/$subscriptionId" ` + --role "Monitoring Metrics Publisher" +if (-not $?) { + throw "Failed to update roles" +} +Write-Host "Roles updated..." + +# Get local user +$userId = az ad signed-in-user show --query id -o tsv +if (-not $?) { + throw "Failed to get local user" +} +Write-Host "Local user fetched..." 
+ +# Creates resources +az deployment group create ` + --name "$($envVars['name'])" ` + --resource-group "$rg" ` + --template-file ./resources.bicep ` + --subscription "$subscriptionId" ` + --mode Incremental ` + --parameters ` + sa_name="$saName" ` + sa_sku="$($envVars['saSku'])" ` + sc_name="$scName" ` + tag="$tag" ` + location="$($envVars['location'])" +if (-not $?) { + throw "Failed to create deployment" +} +Write-Host "Deployment created..." + +# Update roles +az role assignment create ` + --assignee "$spId" ` + --scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$saName" ` + --role "Storage Blob Data Owner" +if (-not $?) { + throw "Failed to update roles" +} +Write-Host "Roles updated..." + +# Map Partner ID (optional) +Write-Host "---" +$response = Read-Host "Do you like to map our Partner ID? [y/N]" +if ($response -imatch "^(y|yes)$") { + az extension add --name managementpartner + az login --tenant "$tenantId" --service-principal -u "$spId" -p "$spSecret" + az managementpartner create --partner-id 3699617 + az logout + Write-Host "---" + Write-Host "Please login." + az login +} diff --git a/oidc/up.sh b/oidc/up.sh index e420bf2..2ec1a42 100755 --- a/oidc/up.sh +++ b/oidc/up.sh @@ -98,7 +98,6 @@ az deployment group create \ "location=$location" echo "Deployment created..." - # Add Storage Blob Data Owner role assignment az role assignment create \ --assignee "$spId" \ From ebee5aa311c5728fa2deb0bb2a8a42cd9fd20ac0 Mon Sep 17 00:00:00 2001 From: Dario Brozovic Date: Wed, 11 Sep 2024 09:42:31 +0200 Subject: [PATCH 3/5] rework readme --- oidc/Readme.md | 84 ++------------------------------------------------ 1 file changed, 3 insertions(+), 81 deletions(-) diff --git a/oidc/Readme.md b/oidc/Readme.md index 3ad489e..e9e2034 100644 --- a/oidc/Readme.md +++ b/oidc/Readme.md 
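Review bot: `$spSecret` is never assigned anywhere in up.ps1, so the partner-ID branch at the end runs `az login --service-principal -u $spId -p ""` and cannot succeed, and on the already-exists branch no secret can exist at all; assign `$spSecret = $sp.password` next to `$spId = $sp.appId` and guard the block with `if ($spSecret) { ... }`, or drop the secret-based login altogether since the OIDC setup never needs a password credential. The `trap` only catches terminating errors, and `az ad sp create-for-rbac ... | ConvertFrom-Json`, `az ad app federated-credential create` and `az account set` have no `$?` check unlike the surrounding calls, so a failed creation leaves `$spId` empty and the script proceeds to `az ad app permission add --id ""`. `$userId = az ad signed-in-user show ...` is fetched but never used. As in up.sh, `az ad sp list --display-name` is a prefix match and `--assignee "$spId"` hands an appId to RBAC immediately after creation; `--filter "displayName eq '$spName'"` and `--assignee-object-id`/`--assignee-principal-type ServicePrincipal` are the robust forms.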
@@ -1,9 +1,10 @@ # Terraform scaffold for Azure -This repo contains everything to get started with Terraform on Azure. +This repo contains everything to get started with Terraform on Azure. It sets you up to use the `azurerm` backend with Service Principal authentication via OIDC. -## What you will get +[Terraform Backend Docs for azurerm](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm#backend-azure-ad-service-principal-or-user-assigned-managed-identity-via-oidc-workload-identity-federation) +## What you will get After executing the below steps you will get: - a service principal used to run Terraform on behalf 
@@ -41,85 +42,6 @@ Execute the following steps to get started: 1. Execute `up.ps1` to deploy everything needed 1. Grant admin consent for the created app registrations (Terraform will then be allowed to create app registrations and groups in Azure AD). This needs Azure Active Directory global admin access. Find more details on how to grant consent [here](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent). -## Scaffold a Terraform project - -You will need to tell Terraform where to store its state file. To do so, you need to customize your `main.tf` file based on the below example: - -``` -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.77.0" - } - } - backend "azurerm" { - key = "azure.tfstate" - } -} - -provider "azurerm" { - # Configuration options -} -``` - -[Terraform Backend Docs for azurerm](https://developer.hashicorp.com/terraform/language/settings/backends/azurerm) - -[Azure Provider Docs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) - -We do not recommend to store any secrets and credentials in code. Therefore everything needed will be requested from Key Vault as needed. 
To init you project run the following script: - -```Bash -#!/bin/bash - -# customize your subscription id and resource group name -export subscriptionId="00000000-0000-0000-0000-000000000000" -export rg="my-rg" - -# sets subscription; -az account set --subscription $subscriptionId - -# get vault -export vaultName=$(az keyvault list --subscription=$subscriptionId -g $rg --query '[0].{name:name}' -o tsv) - -## extracts and exports secrets -export saKey=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sa-key --query value -o tsv) -export saName=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sa-name --query value -o tsv) -export scName=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sc-name --query value -o tsv) -export spSecret=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sp-secret --query value -o tsv) -export spId=$(az keyvault secret show --subscription=$subscriptionId --vault-name="$vaultName" --name sp-id --query value -o tsv) - -# exports secrets -export ARM_SUBSCRIPTION_ID=$subscriptionId -export ARM_TENANT_ID=$tenantId -export ARM_CLIENT_ID=$spId -export ARM_CLIENT_SECRET=$spSecret - -# runs Terraform init -terraform init -input=false \ - -backend-config="access_key=$saKey" \ - -backend-config="storage_account_name=$saName" \ - -backend-config="container_name=$scName" -``` - -## Azuread provider configuration - -``` -terraform { - required_providers { - azuread = { - source = "hashicorp/azuread" - version = "2.44.1" - } - } -} - -provider "azuread" { - # Configuration options -} -``` - -[Azure Active Directory Provider Docs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs) ## Disclaimer From 44534e2a8e8d59d59a25c0b968c64c68c3852d3b Mon Sep 17 00:00:00 2001 
From: Dario Brozovic
Date: Fri, 8 Nov 2024 14:23:24 +0100
Subject: [PATCH 4/5] fix setting of partnerid
---
oidc/up.sh | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/oidc/up.sh b/oidc/up.sh
index 2ec1a42..d8f8553 100755
--- a/oidc/up.sh
+++ b/oidc/up.sh
@@ -57,10 +57,9 @@ else
 export sp=$(az ad sp create-for-rbac \
 --name "$spName" \
 --role="Owner" \
- --scopes="/subscriptions/$subscriptionId" \
- --years 99)
+ --scopes="/subscriptions/$subscriptionId")
 echo "Service principal created..."
-# Set service principal id variable
+export spSecret=$(echo "$sp" | jq -r '.password')
 export spId=$(echo "$sp" | jq -r '.appId')
 # Create federated credential
 az ad app federated-credential create --id "$spId" --parameters ./federated_credential.json
From 309ddb5219bcb9bba1db9d4f427c481ca1880b22 Mon Sep 17 00:00:00 2001
From: Dario Brozovic
Date: Fri, 8 Nov 2024 14:33:32 +0200
Subject: [PATCH 5/5] fix comment
---
oidc/up.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oidc/up.sh b/oidc/up.sh
index d8f8553..7be5bac 100755
--- a/oidc/up.sh
+++ b/oidc/up.sh
@@ -66,7 +66,7 @@ az ad app federated-credential create --id "$spId" --parameters ./federated_cred
 echo "Federated credential created..."
 fi
 
-# Add ADD API permissions - Group.ReadWrite.All, GroupMember.ReadWrite.All, User.Read.All
+# Add API permissions - Group.ReadWrite.All, GroupMember.ReadWrite.All, User.Read.All
 az ad app permission add \
 --id "$spId" \
 --api 00000003-0000-0000-c000-000000000000 \
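Review bot: The password credential captured by `export spSecret=$(echo "$sp" | jq -r '.password')` stays on the app registration for its default lifetime after the one-off partner-ID login, and it is both exported to every child process and passed on the command line via `-p`, where it is visible in the process list. Once the partner mapping is done the credential should be removed, e.g. `az ad app credential delete --id "$spId" --key-id "$(az ad app credential list --id "$spId" --query '[0].keyId' -o tsv)"`, and the partner block should be skipped when `spSecret` is empty, which is always the case on the already-exists branch outside this hunk. The OIDC flow itself never needs the password, so a later rework could create the app with `az ad app create` and `az ad sp create` and assign the Owner role separately. Dropping `--years 99` shortens the exposure window but does not remove it.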