Assigns Azure Entra Roles
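#!/bin/bash
#
# Assigns three administrator roles to a user in the given tenant.
#
# Usage: assign_roles.sh <userPrincipalName> <tenantId>
#
# Requires an existing `az login` session. The script does not log in by
# itself: it verifies that the active CLI account belongs to <tenantId> and
# aborts otherwise, so roles are never written into the wrong tenant.
#
# NOTE(review): "Fabric Administrator", "Application Administrator" and
# "Directory Reader" (listed in the portal as "Directory Readers") are
# Microsoft Entra ID directory roles, whereas `az role assignment create`
# manages Azure RBAC (resource) roles. Confirm in a test tenant that these
# commands produce the intended assignments; directory roles are normally
# assigned through the Graph roleManagement API instead. Scope "/" is the
# tenant root scope, which needs elevated (root-level) access to write to.
set -euo pipefail

# Input parameters (default to empty so `set -u` does not trip on a missing arg)
userPrincipalName=${1:-}
tenantId=${2:-}

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Check if both parameters are provided
if [ -z "$userPrincipalName" ] || [ -z "$tenantId" ]; then
  echo "Usage: $0 <userPrincipalName> <tenantId>" >&2
  exit 1
fi

# Make sure the active CLI session is in the requested tenant.
# `az account set` selects a subscription, not a tenant; changing tenants
# requires `az login --tenant <tenantId>`, which is left to the operator.
activeTenant=$(az account show --query tenantId --output tsv) \
  || die "Not logged in. Run: az login --tenant \"$tenantId\""
# GUIDs are compared case-insensitively; the CLI prints them in lower case.
if [ "${activeTenant,,}" != "${tenantId,,}" ]; then
  die "Active tenant is '$activeTenant', expected '$tenantId'. Run: az login --tenant \"$tenantId\""
fi

# Get user object ID. The Graph-based Azure CLI exposes it as `id`; the old
# `objectId` property is no longer returned, which left this empty before.
userId=$(az ad user show --id "$userPrincipalName" --query id --output tsv) \
  || die "User '$userPrincipalName' not found in tenant '$tenantId'."
# An empty ID must never reach `--assignee-object-id`: the next option would
# be consumed as its value and the command would fail in a confusing way.
[ -n "$userId" ] || die "Could not resolve an object ID for '$userPrincipalName'."

#######################################
# Create one role assignment for $userId at the tenant root scope.
# Arguments: $1 - role name
# Returns:   0 on success; aborts the script on failure
#######################################
assign_role() {
  local role=$1
  # --assignee-object-id plus the principal type skips the directory lookup
  # that --assignee performs on a bare ID.
  az role assignment create \
    --assignee-object-id "$userId" \
    --assignee-principal-type User \
    --role "$role" \
    --scope "/" \
    || die "Failed to assign $role role to $userPrincipalName"
  echo "Assigned $role role to $userPrincipalName"
}

assign_role "Fabric Administrator"
assign_role "Application Administrator"
assign_role "Directory Reader"
echo "All roles have been assigned to the user $userPrincipalName"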
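#!/bin/bash
#
# Grants the administrators group and the Data Factory's managed identity
# access to the Key Vault and Storage Account through Azure RBAC:
#   group        -> Key Vault Administrator, Storage Blob Data Owner
#   ADF identity -> Key Vault Secrets User, Storage Blob Data Contributor
#
# Requires an active `az login` session that may create role assignments on
# both resources. Every name below can be overridden from the environment
# (GROUP_NAME, ADF_NAME, RESOURCE_GROUP_NAME, KEY_VAULT_NAME,
# STORAGE_ACCOUNT_NAME); the defaults are the dev resources.
#
# NOTE(review): the Key Vault data-plane roles only take effect if the vault
# uses the Azure RBAC permission model rather than access policies — confirm.
set -euo pipefail

# Variables
group_name="${GROUP_NAME:-sg-alliant-amu-administrators}"
adf_name="${ADF_NAME:-adf-alliant-amu-dev}"
resource_group_name="${RESOURCE_GROUP_NAME:-rg-alliant-amu-dev}"
key_vault_name="${KEY_VAULT_NAME:-kv-alliant-amu-dev}"
storage_account_name="${STORAGE_ACCOUNT_NAME:-stalliantamudev}"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Get the group ID (the Graph-based CLI exposes it as 'id', not 'objectId').
# A failed lookup leaves the variable empty so the check below reports it
# instead of `set -e` exiting without a message.
group_id=$(az ad group show --group "$group_name" --query id -o tsv) || group_id=
[ -n "$group_id" ] || die "Group $group_name not found in Azure AD."

# Get the managed identity (MSI) object ID of the Data Factory
adf_identity=$(az resource show --name "$adf_name" --resource-group "$resource_group_name" \
  --resource-type "Microsoft.DataFactory/factories" --query identity.principalId -o tsv) || adf_identity=
[ -n "$adf_identity" ] || die "Managed Identity for Data Factory $adf_name not found."

# Get the resource IDs for the Key Vault and Storage Account
key_vault_id=$(az keyvault show --name "$key_vault_name" --resource-group "$resource_group_name" --query id -o tsv) || key_vault_id=
[ -n "$key_vault_id" ] || die "Key Vault $key_vault_name not found in resource group $resource_group_name."
storage_account_id=$(az storage account show --name "$storage_account_name" --resource-group "$resource_group_name" --query id -o tsv) || storage_account_id=
[ -n "$storage_account_id" ] || die "Storage Account $storage_account_name not found in resource group $resource_group_name."

#######################################
# Create one role assignment, stopping the script on failure.
# Arguments:
#   $1 - assignee object ID
#   $2 - assignee principal type (Group or ServicePrincipal)
#   $3 - role definition name
#   $4 - scope (resource ID)
#   $5 - description of the assignee, for messages
#   $6 - description of the scope, for messages
#######################################
assign_role() {
  local assignee=$1 principal_type=$2 role=$3 scope=$4 who=$5 where=$6
  echo "Assigning '$role' role to $who for $where..."
  # --assignee-object-id plus the principal type skips the directory lookup
  # that --assignee performs on a bare ID.
  if az role assignment create --assignee-object-id "$assignee" \
       --assignee-principal-type "$principal_type" \
       --role "$role" --scope "$scope"; then
    echo "Successfully assigned '$role' role to $who."
  else
    die "Failed to assign '$role' role to $who."
  fi
}

# Assign roles to the group
assign_role "$group_id" Group "Key Vault Administrator" "$key_vault_id" \
  "group '$group_name'" "Key Vault '$key_vault_name'"
assign_role "$group_id" Group "Storage Blob Data Owner" "$storage_account_id" \
  "group '$group_name'" "Storage Account '$storage_account_name'"

# Assign roles to the managed identity
assign_role "$adf_identity" ServicePrincipal "Key Vault Secrets User" "$key_vault_id" \
  "managed identity '$adf_name'" "Key Vault '$key_vault_name'"
assign_role "$adf_identity" ServicePrincipal "Storage Blob Data Contributor" "$storage_account_id" \
  "managed identity '$adf_name'" "Storage Account '$storage_account_name'"
echo "All role assignments completed."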
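#!/bin/bash
#
# Creates the developers and users groups (if missing) and makes every user
# that is a member of the administrators group an owner of both.
#
# Requires an active `az login` session with permission to create groups and
# manage group owners. Group names can be overridden from the environment
# (GROUP_DEVELOPERS, GROUP_USERS, ADMIN_GROUP).
set -euo pipefail

# Group names
group_developers="${GROUP_DEVELOPERS:-sg-alliant-amu-developers}"
group_users="${GROUP_USERS:-sg-alliant-amu-users}"
admin_group="${ADMIN_GROUP:-sg-alliant-amu-administrators}"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Get the members of the admin group that are users. The JMESPath filter keeps
# only member objects that carry a userPrincipalName. The result is one object
# ID per line; create_group_and_assign_owners reads this global as-is.
user_ids=$(az ad group member list --group "$admin_group" --query "[?userPrincipalName].id" -o tsv) \
  || die "Could not list members of group '$admin_group'."
# Check if any users were found
[ -n "$user_ids" ] || die "No users found in group '$admin_group'."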
# Function to create group and assign users as owners
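#######################################
# Create a group if it does not exist, then add each user in the global
# $user_ids (newline-separated object IDs) as an owner of it.
# Globals:   user_ids (read)
# Arguments: $1 - group display name (also used as mail nickname)
# Returns:   0 on success; exits the script with 1 on any failure
#######################################
create_group_and_assign_owners() {
  local group_name=$1
  # group_id was a global in the original; keep it local so consecutive calls
  # cannot leak one group's ID into the next.
  local group_id user_id

  # Check if the group already exists
  if az ad group show --group "$group_name" > /dev/null 2>&1; then
    echo "Group '$group_name' already exists."
  else
    echo "Creating group '$group_name'..."
    if az ad group create --display-name "$group_name" --mail-nickname "$group_name"; then
      echo "Successfully created group '$group_name'."
    else
      echo "Failed to create group '$group_name'." >&2
      exit 1
    fi
  fi

  # Resolve the group's object ID. NOTE(review): right after creation the
  # lookup may briefly return nothing while the directory catches up; the
  # explicit empty check below prevents passing "" to `owner add`.
  group_id=$(az ad group show --group "$group_name" --query id -o tsv) || group_id=
  if [ -z "$group_id" ]; then
    echo "Could not resolve the object ID of group '$group_name'." >&2
    exit 1
  fi

  # Assign each user as an owner of the group. Reading line by line avoids the
  # globbing that an unquoted $user_ids expansion would be subject to.
  # NOTE(review): re-running against a user who is already an owner may be
  # rejected by the directory — confirm whether the script must be idempotent.
  echo "Assigning users as owners of group '$group_name'..."
  while IFS= read -r user_id; do
    [ -n "$user_id" ] || continue
    echo "Assigning user with ID $user_id as an owner of group '$group_name'..."
    if az ad group owner add --group "$group_id" --owner-object-id "$user_id"; then
      echo "Successfully assigned user $user_id as an owner."
    else
      echo "Failed to assign user $user_id as an owner." >&2
      exit 1
    fi
  done <<< "$user_ids"
}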
# Provision both groups and make the admin users their owners.
for target_group in "$group_developers" "$group_users"; do
  create_group_and_assign_owners "$target_group"
done
echo "Script completed."
jasonhorner commented Aug 30, 2024

If needed, open the script in the cloud editor:

code assign_roles.sh

Make the script executable:

chmod +x assign_roles.sh

Run the script:

./assign_roles.sh jasonh_maculasys.com#EXT#@italliantnational.onmicrosoft.com 83abaf45-815b-42e8-b8ef-b783aedc1d38
