diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 2ffa468..e0a5529 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
 "name": "Terraform AzureCLI and Kubectl",
- "postAttachCommand": "bash .devcontainer/script.sh",
+ "postAttachCommand": "source .devcontainer/script.sh",
 "customizations": {
 "vscode": {
 "extensions": [
@@ -25,4 +25,4 @@
 "ghcr.io/dhoeric/features/stern:1": {},
 "ghcr.io/devcontainers-contrib/features/kubectx-kubens:1": {}
 }
-}
\ No newline at end of file
+}
diff --git a/.devcontainer/script.sh b/.devcontainer/script.sh
index 9b95c42..7c60600 100644
--- a/.devcontainer/script.sh
+++ b/.devcontainer/script.sh
@@ -5,9 +5,9 @@ if [ -z "$ARM_CLIENT_ID" ]; then
 exit 0
 fi
 
-# Check if $ARM_CLIENT_SECRET exists
-if [ -z "$ARM_CLIENT_SECRET" ]; then
- echo "ARM_CLIENT_SECRET is not set"
+# Check if either $ARM_CLIENT_SECRET or $ARM_CLIENT_CERTIFICATE is set
+if [ -z "$ARM_CLIENT_SECRET" ] && [ -z "$ARM_CLIENT_CERTIFICATE" ]; then
+ echo "Either ARM_CLIENT_SECRET or ARM_CLIENT_CERTIFICATE should be set"
 exit 0
 fi
 
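Review bot: `source` is a bash builtin rather than POSIX syntax, and lifecycle commands given as a plain string are, as far as I know, run through `/bin/sh -c`, so on an image whose /bin/sh is dash this line fails with `source: not found` where the old `bash …` form worked; the portable spelling is `"postAttachCommand": ". .devcontainer/script.sh",`. Sourcing also does not carry the script's `export`/`unset` into later terminals, because the shell running the lifecycle command ends when the command does, so if persisting `ARM_CLIENT_CERTIFICATE_PATH` was the goal this change does not achieve it. Note too that the script's `exit 0` lines now terminate the sourcing shell itself, which is harmless under `sh -c` but would close an interactive shell if someone sources the script by hand.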
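Review bot: The new diagnostic on the `echo` line goes to stdout and the branch then exits 0, so a Codespace with neither credential configured attaches as if login had succeeded; at least route the message to stderr, `echo "Either ARM_CLIENT_SECRET or ARM_CLIENT_CERTIFICATE should be set" >&2`, so it stands out in the lifecycle-command log. The exit-0-on-missing-configuration convention is inherited from the unchanged ARM_CLIENT_ID check just above the hunk, so changing the status itself is a separate decision.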
@@ -23,4 +23,16 @@ if [ -z "$ARM_SUBSCRIPTION_ID" ]; then
 exit 0
 fi
 
-az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
\ No newline at end of file
+# If ARM_CLIENT_CERTIFICATE is set, decode it and save to a temp file
+if [ -n "$ARM_CLIENT_CERTIFICATE" ]; then
+ echo "$ARM_CLIENT_CERTIFICATE" | base64 -d > /tmp/certfile.pem
+ export ARM_CLIENT_CERTIFICATE_PATH="/tmp/certfile.pfx"
+ export ARM_CLIENT_CERTIFICATE_PASSWORD=$(date '+%s')
+ echo "$ARM_CLIENT_CERTIFICATE" | base64 -d | openssl pkcs12 -export -password pass:"${ARM_CLIENT_CERTIFICATE_PASSWORD}" -out $ARM_CLIENT_CERTIFICATE_PATH
+ unset ARM_CLIENT_CERTIFICATE
+ az login --service-principal -u $ARM_CLIENT_ID --tenant $ARM_TENANT_ID -p /tmp/certfile.pem
+
+else
+ # Otherwise, use ARM_CLIENT_SECRET
+ az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+fi
diff --git a/README.md b/README.md
index 2d92f04..f9d6873 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,12 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
 az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/" -o json
 ```
 
+ Note: If your organization has a policy prohibiting Service Principals with passwords on the tenant, create a Service Principal with a certificate:
+
+ ```
+ az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/" --create-cert -o json
+
+
 - In your github account go to Codespaces and Create a new Codespace with "Azure-Sample/azure-openai-terraform-deployment-sample" repository and select the main branch.
 
 ![codespace_create](./images/codespace-create.png)
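Review bot: The decoded certificate and private key are written to fixed, predictable paths (`/tmp/certfile.pem`, `/tmp/certfile.pfx`) with whatever the default umask allows, and the PEM is never removed after `az login`, so the key material outlives the login in a shared directory under a name anyone can guess. Both files should come from `mktemp` (mode 0600), the PFX should be written under `umask 077`, and the PEM removed once `az login` returns. The PFX password from `date '+%s'` is a guessable timestamp and `export VAR=$(…)` masks the substitution's exit status (ShellCheck SC2155); `openssl rand -hex 16` passed with `-passout env:ARM_CLIENT_CERTIFICATE_PASSWORD` keeps the password out of the process argument list. Neither `base64 -d` nor `openssl pkcs12` is checked, so a malformed secret falls through to `az login` with an empty or missing file; whether the script runs under `set -e` is not visible in this hunk. The new `$ARM_CLIENT_ID`, `$ARM_TENANT_ID` and `$ARM_CLIENT_CERTIFICATE_PATH` expansions are unquoted (SC2086), and the base64 decode is done twice where one pass into the PEM suffices.
```shell
# If ARM_CLIENT_CERTIFICATE is set, decode it into private (0600) temp files and log in with the PEM
if [ -n "$ARM_CLIENT_CERTIFICATE" ]; then
  cert_pem=$(mktemp) || exit 1
  cert_pfx="${cert_pem}.pfx"
  if ! printf '%s' "$ARM_CLIENT_CERTIFICATE" | base64 -d > "$cert_pem"; then
    echo "ARM_CLIENT_CERTIFICATE is not valid base64" >&2
    exit 1
  fi
  ARM_CLIENT_CERTIFICATE_PASSWORD=$(openssl rand -hex 16) || exit 1
  export ARM_CLIENT_CERTIFICATE_PASSWORD
  export ARM_CLIENT_CERTIFICATE_PATH="$cert_pfx"
  # password goes via the environment, not argv; the subshell umask keeps the PFX 0600
  if ! (umask 077 && openssl pkcs12 -export -in "$cert_pem" -passout env:ARM_CLIENT_CERTIFICATE_PASSWORD -out "$cert_pfx"); then
    echo "could not build a PFX from ARM_CLIENT_CERTIFICATE" >&2
    exit 1
  fi
  unset ARM_CLIENT_CERTIFICATE
  az login --service-principal -u "$ARM_CLIENT_ID" --tenant "$ARM_TENANT_ID" -p "$cert_pem"
  rm -f -- "$cert_pem"
else
  # … unchanged: ARM_CLIENT_SECRET login …
fi
```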
@@ -32,6 +38,8 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
 
 ![codespace_secrets](./images/codespace_secrets.png)
 
+ Note: if using Service Principal certificate set `ARM_CLIENT_CERTIFICATE` as `ARM_CLIENT_CERTIFICATE=$(cat cert-and-private-key.pem| base64)`
+
 - Follow this link to create a new [GitHub Codespace](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample).
 
 [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample)