Merge pull request #274345 from KimForss/main

ttorble · web-flow · commit fd4918d45f66 · 2024-05-06T10:38:14.000+01:00
Add MSI support sample
diff --git a/articles/sap/automation/extensibility.md b/articles/sap/automation/extensibility.md
@@ -145,7 +145,6 @@ custom_scs_virtual_hostname:   "myscshostname"
 custom_ers_virtual_hostname:   "myershostname"
 custom_db_virtual_hostname:    "mydbhostname"
 custom_pas_virtual_hostname:   "mypashostname"
-custom_app_virtual_hostname:   "myapphostname"
 ```
 
 You can use the `configuration_settings` variable to let Terraform add them to sap-parameters.yaml file.
@@ -155,8 +154,8 @@ configuration_settings = {
   custom_scs_virtual_hostname        = "myscshostname",
   custom_ers_virtual_hostname        = "myershostname",
   custom_db_virtual_hostname         = "mydbhostname",
-  custom_pas_virtual_hostname        = "mypashostname",
-  custom_app_virtual_hostname        = "myapphostname"
+  custom_pas_virtual_hostname        = "mypashostname"
+
 }
 
 ```
diff --git a/articles/sap/automation/get-started.md b/articles/sap/automation/get-started.md
@@ -27,61 +27,11 @@ To get started with SAP Deployment Automation Framework, you need:
 
 Some of the prerequisites might already be installed in your deployment environment. Both Azure Cloud Shell and the deployer come with Terraform and the Azure CLI installed.
 
-### Create a service principal
-
-The SAP automation deployment framework uses service principals for deployment.
-
-When you choose a name for your service principal, make sure that the name is unique within your Azure tenant. Make sure to use an account with service principals creation permissions when running the script.
-
-1. Create the service principal with Contributor permissions.
-
-    ```cloudshell-interactive
-    export    ARM_SUBSCRIPTION_ID="<subscriptionId>"
-    export control_plane_env_code="LAB"
-
-    az ad sp create-for-rbac --role="Contributor"  --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID"   --name="$control_plane_env_code-Deployment-Account"
-    ```
-
-    Review the output. For example:
-
-    ```json
-    {
-        "appId": "<AppId>",
-        "displayName": "<environment>-Deployment-Account ",
-        "name": "<AppId>",
-        "password": "<AppSecret>",
-        "tenant": "<TenantId>"
-    }
-    ```
-
-1. Copy the output details. Make sure to save the values for `appId`, `password`, and `Tenant`.
-
-    The output maps to the following parameters. You use these parameters in later steps, with automation commands.
-
-    | Parameter input name | Output name |
-    |--------------------------|-----------------|
-    | `spn_id`                 | `appId`         |
-    | `spn_secret`             | `password`      |
-    | `tenant_id`              | `tenant`        |
-
-1. Optionally, assign the User Access Administrator role to the service principal.
-
-    ```cloudshell-interactive
-    export appId="<appId>"
-
-    az role assignment create --assignee $appId --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
-    ```
-
-
-> [!IMPORTANT]
-> If you don't assign the User Access Administrator role to the service principal, you can't assign permissions using the automation framework.
 
 ### Create a user assigned Identity
 
-
 The SAP automation deployment framework can also use a user assigned identity (MSI) for the deployment. Make sure to use an account with permissions to create managed identities when running the script that creates the identity.
 
-
 1. Create the managed identity.
 
     ```cloudshell-interactive
@@ -116,39 +66,132 @@ The SAP automation deployment framework can also use a user assigned identity (M
     |--------------------------|-----------------|
     | `app_id`                 | `appId`         |
     | `msi_id`                 | `armId`         |
+    | `msi_objectid`           | `objectId`      |
 
 
 1. Assign the Contributor role to the identity.
 
     ```cloudshell-interactive
     export appId="<appId>"
 
-    az role assignment create --assignee $appId  --role "Contributor"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    az role assignment create --assignee $msi_objectid  --role "Contributor"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
     ```
 
 1. Optionally, assign the User Access Administrator role to the identity.
 
     ```cloudshell-interactive
     export appId="<appId>"
 
-    az role assignment create --assignee $appId  --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    az role assignment create --assignee $msi_objectid --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
     ```
 
 
 > [!IMPORTANT]
 > If you don't assign the User Access Administrator role to the managed identity, you can't assign permissions using the automation framework.
 
+### Create an application registration for the web application
+
+The SAP automation deployment framework can leverage an Azure App Service for configuring the tfvars parameter files.
+
+1. Create the application registration.
+
+    ```powershell
+       $ApplicationName="<App Registration Name>"
+       $MSI_objectId="<msi_objectid>"
+        
+        Write-Host "Creating an App Registration for" $ApplicationName -ForegroundColor Green
+        
+        if (Test-Path $manifestPath) { Write-Host "Removing manifest.json" ; Remove-Item $manifestPath }
+        Add-Content -Path manifest.json -Value '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4683d","type":"Scope"}]}]'
+        
+        $APP_REGISTRATION_ID = $(az ad app create --display-name $ApplicationName --enable-id-token-issuance true --sign-in-audience AzureADMyOrg --required-resource-access $manifestPath --query "appId" --output tsv)
+        
+        Write-Host "App Registration created with App ID: $APP_REGISTRATION_ID"
+        
+        Write-Host "Waiting for the App Registration to be created" -ForegroundColor Green
+        Start-Sleep -s 20
+        
+        $ExistingData = $(az ad app list --all --filter "startswith(displayName, '$ApplicationName')" --query  "[?displayName=='$ApplicationName']| [0]" --only-show-errors) | ConvertFrom-Json
+        
+        $APP_REGISTRATION_OBJECTID = $ExistingData.id
+        
+        if (Test-Path $manifestPath) { Write-Host "Removing manifest.json" ; Remove-Item $manifestPath }
+        
+        Write-Host "Configuring authentication for the App Registration" -ForegroundColor Green
+        az rest --method POST --uri "https://graph.microsoft.com/beta/applications/$APP_REGISTRATION_OBJECTID/federatedIdentityCredentials\" --body "{'name': 'ManagedIdentityFederation', 'issuer': 'https://login.microsoftonline.com/$ARM_TENANT_ID/v2.0', 'subject': '$MSI_objectId', 'audiences': [ 'api://AzureADTokenExchange' ]}"
+        
+        $API_URL="https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/ProtectAnAPI/appId/$APP_REGISTRATION_ID/isMSAApp~/false"
+        
+        Write-Host "The browser will now open, Please Add a new scope, by clicking the '+ Add a new scope link', accept the default name and click 'Save and Continue'"
+        Write-Host "In the Add a scope page enter the scope name 'user_impersonation'. Choose 'Admins and Users' in the who can consent section, next provide the Admin consent display name 'Access the SDAF web application' and 'Use SDAF' as the Admin consent description, accept the changes by clicking the 'Add scope' button"
+        
+        Start-Process $API_URL
+        Read-Host -Prompt "Once you have created and validated the scope, Press any key to continue"
+
+
+    ```
+    
+
+
+### Create a service principal
+
+The SAP automation deployment framework can use service principals for deployment.
+
+When you choose a name for your service principal, make sure that the name is unique within your Azure tenant. Make sure to use an account with service principals creation permissions when running the script.
+
+1. Create the service principal with Contributor permissions.
+
+    ```cloudshell-interactive
+    export    ARM_SUBSCRIPTION_ID="<subscriptionId>"
+    export control_plane_env_code="LAB"
+
+    az ad sp create-for-rbac --role="Contributor"  --scopes="/subscriptions/$ARM_SUBSCRIPTION_ID"   --name="$control_plane_env_code-Deployment-Account"
+    ```
+
+    Review the output. For example:
+
+    ```json
+    {
+        "appId": "<AppId>",
+        "displayName": "<environment>-Deployment-Account ",
+        "name": "<AppId>",
+        "password": "<AppSecret>",
+        "tenant": "<TenantId>"
+    }
+    ```
+
+1. Copy the output details. Make sure to save the values for `appId`, `password`, and `Tenant`.
+
+    The output maps to the following parameters. You use these parameters in later steps, with automation commands.
+
+    | Parameter input name | Output name |
+    |--------------------------|-----------------|
+    | `spn_id`                 | `appId`         |
+    | `spn_secret`             | `password`      |
+    | `tenant_id`              | `tenant`        |
+
+1. Optionally, assign the User Access Administrator role to the service principal.
+
+    ```cloudshell-interactive
+    export appId="<appId>"
+
+    az role assignment create --assignee $appId --role "User Access Administrator"  --scope /subscriptions/$ARM_SUBSCRIPTION_ID
+    ```
+
+
+> [!IMPORTANT]
+> If you don't assign the User Access Administrator role to the service principal, you can't assign permissions using the automation framework.
 
 ## Pre-flight checks
 
 You can use the following script to perform pre-flight checks. The script performs the following checks and tests:
 
 - Checks if the service principal has the correct permissions to create resources in the subscription.
 - Checks if the service principal has user Access Administrator permissions.
-- Create a Azure Virtual Network.   
-- Create a Azure Virtual Key Vault with private end point.   
-- Create a Azure Files NSF share.   
-- Create a Azure Virtual Virtual Machine with data disk using Premium Storage v2.   
+- Create an Azure Virtual Network.   
+- Create an Azure Virtual Key Vault with private end point.   
+- Create an Azure Files NSF share.   
+- Create an Azure Virtual Machine with data disk using Premium Storage v2.   
 - Check access to the required URLs using the deployed virtual machine.
 
 ```powershell
