Updated service principle script and federated identity

Author: nullchimp

.github/workflows/deploy-azure.yml

@@ -31,7 +31,7 @@ jobs:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          auth-type: service_principal
+          auth-type: oidc
 
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2

scripts/setup_azure.sh

@@ -0,0 +1,37 @@
+#!/bin/zsh
+
+# Check if AZURE_CLIENT_ID was provided as a parameter
+if [ -z "$1" ]; then
+    echo "Error: AZURE_CLIENT_ID is required as a parameter."
+    echo "Usage: $0 <AZURE_CLIENT_ID>"
+    exit 1
+fi
+
+AZURE_CLIENT_ID=$1
+CREDENTIAL_NAME="GitHubActionsFederatedCredential"
+
+# Check if the federated credential already exists
+echo "Checking if federated credential '$CREDENTIAL_NAME' already exists..."
+EXISTING_CREDENTIAL=$(az ad app federated-credential list --id $AZURE_CLIENT_ID --query "[?name=='$CREDENTIAL_NAME']" -o json)
+
+if [ "$(echo $EXISTING_CREDENTIAL | jq 'length')" -gt "0" ]; then
+    echo "Federated credential '$CREDENTIAL_NAME' already exists. Skipping creation."
+else
+    echo "Creating federated credential '$CREDENTIAL_NAME'..."
+    az ad app federated-credential create --id $AZURE_CLIENT_ID \
+      --parameters '{
+        "name": "GitHubActionsFederatedCredential",
+        "issuer": "https://token.actions.githubusercontent.com",
+        "subject": "repo:nullchimp/ai-agent:ref:refs/heads/RAG",
+        "audiences": [
+          "api://AzureADTokenExchange"
+        ]
+      }'
+    
+    if [ $? -eq 0 ]; then
+        echo "Federated credential created successfully."
+    else
+        echo "Failed to create federated credential."
+        exit 1
+    fi
+fi

scripts/setup_feterated_identity.sh

@@ -0,0 +1,55 @@
+#!/bin/zsh
+
+# Set up Azure credentials for GitHub Actions
+# This script creates a service principal with Contributor access to the GitHub resource group
+# If the service principal already exists, it will retrieve it instead of creating a new one
+
+# Login to Azure
+echo "Logging in to Azure..."
+az login
+
+# Service principal name
+SP_NAME="ai-agent-github"
+SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+RESOURCE_GROUP="GitHub"
+
+# Check if service principal already exists
+echo "Checking if service principal '$SP_NAME' already exists..."
+SP_ID=$(az ad sp list --display-name "$SP_NAME" --query "[0].appId" -o tsv)
+
+if [ -n "$SP_ID" ]; then
+    echo "Service principal '$SP_NAME' already exists."
+    
+    # Get existing service principal information without resetting credentials
+    # Create JSON output in the format expected by GitHub Actions
+    CLIENT_ID=$SP_ID
+    TENANT_ID=$(az account show --query tenantId -o tsv)
+    SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+    
+    echo "Using existing service principal."
+    echo "Important: To use this service principal, ensure your GitHub repository has"
+    echo "the correct credentials already configured as AZURE_CREDENTIALS secret."
+    echo "If you need to reset credentials, you can do so manually with:"
+    echo "az ad sp credential reset --id $SP_ID --sdk-auth"
+    
+    # Display service principal information (without secret)
+    echo "Service Principal Information:"
+    echo "- Client ID: $CLIENT_ID"
+    echo "- Tenant ID: $TENANT_ID"
+    echo "- Subscription ID: $SUBSCRIPTION_ID"
+    
+    # Set SERVICE_PRINCIPAL to empty to avoid displaying sensitive info
+    SERVICE_PRINCIPAL='{}'
+else
+    # Create service principal
+    echo "Creating service principal for GitHub Actions..."
+    SERVICE_PRINCIPAL=$(az ad sp create-for-rbac \
+      --name "$SP_NAME" \
+      --role contributor \
+      --scopes /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP \
+      --sdk-auth)
+    
+    echo "Service principal created. Add the following secret to your GitHub repository as AZURE_CREDENTIALS:"
+fi
+
+echo $SERVICE_PRINCIPAL