diff --git a/.github/resource/azure-credential-setup.sh b/.github/resource/azure-credential-setup.sh
new file mode 100644
index 000000000..38190c1cb
--- /dev/null
+++ b/.github/resource/azure-credential-setup.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+#############################################################
+# Unified Azure credential setup script.
+# Replaces the need to run both azure-credential-setup-wls-aks.sh
+# and azure-credential-setup-wls-vm.sh when using the unified flow.
+#
+# Behavior:
+# - Creates ONE Azure Service Principal.
+# - Assigns Contributor + User Access Administrator roles.
+# - Stores credentials JSON in AZURE_CREDENTIALS secret.
+# - Exposes unified name via SERVICE_PRINCIPAL_NAME variable.
+# - For backward compatibility also sets legacy variables
+# SERVICE_PRINCIPAL_NAME_WLS_AKS and SERVICE_PRINCIPAL_NAME_WLS_VM
+# to the same value so downstream workflows keep working.
+#
+# NOTE: Leaves the original per-target scripts untouched for users
+# still invoking them directly.
+#############################################################
+
+echo "Execute unified azure-credential-setup.sh - Start-----------------------------"
+
+# Derive repo name if not provided
+REPO_NAME=${REPO_NAME:-$(basename "$(git rev-parse --show-toplevel 2>/dev/null || echo repo)")}
+SUBSCRIPTION_ID=$(az account show --query id -o tsv | tr -d '\r\n')
+
+SERVICE_PRINCIPAL_NAME="sp-${REPO_NAME}-wls-unified-$(date +%s)"
+echo "Creating Azure Service Principal with name: ${SERVICE_PRINCIPAL_NAME}" >&2
+
+AZURE_CREDENTIALS=$(az ad sp create-for-rbac \
+ --name "${SERVICE_PRINCIPAL_NAME}" \
+ --role "Contributor" \
+ --scopes "/subscriptions/${SUBSCRIPTION_ID}" \
+ --sdk-auth \
+ --only-show-errors)
+
+SP_ID=$(az ad sp list --display-name "${SERVICE_PRINCIPAL_NAME}" --query '[0].id' -o tsv | tr -d '\r\n') || true
+if [[ -n "${SP_ID}" ]]; then
+ az role assignment create --assignee "${SP_ID}" --scope "/subscriptions/${SUBSCRIPTION_ID}" --role "User Access Administrator" >/dev/null 2>&1 || \
+ echo "Warning: secondary role assignment may have failed" >&2
+else
+ echo "Warning: could not resolve SP ID for secondary role assignment" >&2
+fi
+
+# Best-effort detection of existing secret
+if gh secret list 2>/dev/null | grep -q '^AZURE_CREDENTIALS\b'; then
+ echo "Notice: Overwriting existing AZURE_CREDENTIALS secret" >&2
+fi
+
+gh secret --repo $(gh repo set-default --view) set "AZURE_CREDENTIALS" -b"${AZURE_CREDENTIALS}" >/dev/null
+
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_AKS -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_VM -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+
+echo "Execute unified azure-credential-setup.sh - End-------------------------------"
diff --git a/.github/resource/azure-credential-teardown.sh b/.github/resource/azure-credential-teardown.sh
new file mode 100644
index 000000000..602d8a375
--- /dev/null
+++ b/.github/resource/azure-credential-teardown.sh
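Review bot: The `gh secret --repo $(gh repo set-default --view) set "AZURE_CREDENTIALS" -b"${AZURE_CREDENTIALS}"` line near the end of the hunk passes the whole service-principal JSON, client secret included, as a command-line argument, so it is readable by any other local user through `ps` and would be echoed in full if someone debugs this with `set -x`. Feeding the body on stdin keeps it off argv: `printf '%s' "${AZURE_CREDENTIALS}" | gh secret --repo "$(gh repo set-default --view)" set AZURE_CREDENTIALS >/dev/null`. The follow-up `az ad sp list --display-name ... --query '[0].id'` re-discovers an object that `create-for-rbac` has just returned; directory replication can make that lookup come back empty right after creation, and because that path only prints a warning, the secret is still published with the User Access Administrator assignment silently missing — consider taking `clientId` from the `--sdk-auth` JSON (which `az role assignment create --assignee` should accept) and failing hard when the second assignment cannot be made, and note that `--sdk-auth` is deprecated in current Azure CLI releases in favour of federated (OIDC) credentials that involve no long-lived secret. Contributor plus User Access Administrator at subscription scope is effectively Owner; a one-line comment saying which workflow step needs the rights-granting role would help the next reviewer judge whether that scope is still required.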
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+#############################################################
+# Unified Azure credential teardown script.
+# Mirrors the unified setup (azure-credential-setup.sh) and
+# replaces the need to run both azure-credential-teardown-wls-aks.sh
+# and azure-credential-teardown-wls-vm.sh when using the unified flow.
+#
+# Behavior:
+# - Deletes AZURE_CREDENTIALS secret if present.
+# - Retrieves any of SERVICE_PRINCIPAL_NAME, SERVICE_PRINCIPAL_NAME_WLS_AKS,
+# SERVICE_PRINCIPAL_NAME_WLS_VM (variables) and deletes the *single* SP
+# they reference (they all point to the same name in unified setup).
+# - Ignores missing items gracefully.
+#############################################################
+
+echo "Execute unified azure-credential-teardown.sh - Start----------------------------------"
+
+# Delete the AZURE_CREDENTIALS secret (ignore errors if it doesn't exist)
+if gh secret list 2>/dev/null | grep -q '^AZURE_CREDENTIALS\b'; then
+ gh secret --repo $(gh repo set-default --view) delete "AZURE_CREDENTIALS" || echo "Warning: failed to delete AZURE_CREDENTIALS" >&2
+else
+ echo "AZURE_CREDENTIALS secret not found (already removed)"
+fi
+
+# Try variables in priority order: unified then legacy aliases
+VAR_CANDIDATES=(SERVICE_PRINCIPAL_NAME SERVICE_PRINCIPAL_NAME_WLS_AKS SERVICE_PRINCIPAL_NAME_WLS_VM)
+SP_NAME=""
+for var in "${VAR_CANDIDATES[@]}"; do
+ if gh variable list 2>/dev/null | grep -q "^${var}\b"; then
+ # Capture the value; gh variable get prints value only
+ value=$(gh variable --repo $(gh repo set-default --view) get "$var" 2>/dev/null || true)
+ if [[ -n "$value" ]]; then
+ SP_NAME="$value"
+ echo "Found service principal name via $var: $SP_NAME"
+ break
+ fi
+ fi
+done
+
+if [[ -n "$SP_NAME" ]]; then
+ APP_ID=$(az ad sp list --display-name "$SP_NAME" --query "[0].appId" -o tsv | tr -d '\r\n' || true)
+ if [[ -n "$APP_ID" ]]; then
+ echo "Deleting service principal appId=$APP_ID name=$SP_NAME" 
>&2 + az ad sp delete --id "$APP_ID" || echo "Warning: failed to delete service principal $APP_ID" >&2 + else + echo "Service principal '$SP_NAME' not found in Azure (already deleted?)" + fi +else + echo "No service principal name variables found; skip SP deletion." +fi + +# Optionally remove the variables themselves (clean slate) +for var in "${VAR_CANDIDATES[@]}"; do + if gh variable list 2>/dev/null | grep -q "^${var}\b"; then + gh variable --repo $(gh repo set-default --view) delete "$var" || echo "Warning: failed to delete variable $var" >&2 + fi +done + +echo "Execute unified azure-credential-teardown.sh - End------------------------------------" diff --git a/.github/resource/credentials-params-setup.sh b/.github/resource/credentials-params-setup.sh index b30bd6e11..a0957cb95 100644 --- a/.github/resource/credentials-params-setup.sh +++ b/.github/resource/credentials-params-setup.sh @@ -28,7 +28,7 @@ check_parameters() { else echo "Name: $name, Value: $value" fi - done < <(yq eval -o=json '.[]' "$param_file" | jq -c '.') + done < <(yq '.[]' "$param_file" | jq -c '.') echo "return $has_empty_value" return $has_empty_value @@ -37,7 +37,7 @@ check_parameters() { # Function to set values from YAML set_values() { echo "Setting values..." - yq eval -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do + yq '.[]' "$param_file" | jq -c '.' | while read -r line; do name=$(echo "$line" | jq -r '.name') value=$(echo "$line" | jq -r '.value') gh secret --repo $(gh repo set-default --view) set "$name" -b"${value}" diff --git a/.github/resource/credentials-params-teardown.sh b/.github/resource/credentials-params-teardown.sh index a014c4761..f31f76f6e 100644 --- a/.github/resource/credentials-params-teardown.sh +++ b/.github/resource/credentials-params-teardown.sh 
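Review bot: `az ad sp delete --id "$APP_ID"` in the deletion branch removes only the service-principal object; as far as I recall, since Azure CLI 2.37 the application registration that `create-for-rbac` created — the object that actually holds the client secret — is no longer deleted with it, so the credential outlives this "teardown" (older CLI releases removed both, so the exact behaviour depends on the installed version). Deleting the app tears down both objects, `az ad app delete --id "$APP_ID"` (the app id is accepted there), and the subscription-scope role assignments made by setup are worth removing explicitly beforehand with `az role assignment delete --assignee "$APP_ID" --scope "/subscriptions/$(az account show --query id -o tsv)"` so they do not linger as orphaned "Identity not found" entries. The principal is also resolved by display name with `[0].appId`, so if more than one principal carries that name the script deletes whichever the directory lists first; counting the matches and aborting on more than one would make the delete unambiguous. Whichever way this goes, a comment at the delete line stating which objects it is expected to remove would stop the next person from assuming the secret is gone.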
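Review bot: Dropping `-o=json` from the yq call in the new `done < <(yq '.[]' "$param_file" | jq -c '.')` line changes what reaches `jq`: with mikefarah yq 4.x (the version the setup-credentials.sh header asks for) the default output for a `.yaml` input is YAML, not JSON, so `jq` fails to parse the `name: ...` / `value: ""` blocks, the loop body never runs, and the emptiness check presumably returns its initial value without having validated anything. If the intent was only to drop the deprecated `eval` sub-command, keep the flag: `done < <(yq -o=json '.[]' "$param_file" | jq -c '.')`. If this was written against the Python `yq` wrapper (which emits JSON by default), the prerequisite in the header should name that tool instead, because the two are not interchangeable here. The enclosing `check_parameters` function starts before this hunk.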
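Review bot: The same `yq '.[]'` → `jq -c` hand-off in the new `set_values` line has the same problem — with mikefarah yq 4.x the `while read` loop sees a jq parse error instead of records and no secret gets set — so `yq -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do` is the safe spelling (dropping `eval` alone is fine). Independently of this change, the context line `gh secret --repo $(gh repo set-default --view) set "$name" -b"${value}"` hands every secret value over on argv, where other local users can read it from `ps`; `printf '%s' "$value" | gh secret --repo "$(gh repo set-default --view)" set "$name"` keeps it off the command line. `set_values` continues past the end of the hunk.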
@@ -3,8 +3,8 @@ set -Eeuo pipefail echo "teardown-credentials.sh - Start" -# remove param the json -yq eval -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do + # remove param the json + yq '.[]' "$param_file" | jq -c '.' | while read -r line; do name=$(echo "$line" | jq -r '.name') value=$(echo "$line" | jq -r '.value') gh secret --repo $(gh repo set-default --view) delete "$name" diff --git a/.github/resource/credentials-params.yaml b/.github/resource/credentials-params.yaml new file mode 100644 index 000000000..9e6b22ab5 --- /dev/null +++ b/.github/resource/credentials-params.yaml @@ -0,0 +1,40 @@ +# Unified credentials parameters for AKS and VM flows. +# Populate required values before running setup-credentials.sh. +# Optional ELK_* entries may be left blank to skip. + +- name: ORC_SSOUSER + value: "" + description: Oracle SSO user (AKS flow) +- name: ORC_SSOPSW + value: "" + description: Oracle SSO password (AKS flow) +- name: WDT_RUNTIMEPSW + value: "" + description: WDT encryption/password (AKS) +- name: WLS_PSW + value: "" + description: WebLogic admin password (fallback to WDT_RUNTIMEPSW if blank) +- name: WLS_USERNAME + value: "" + description: WebLogic admin username (AKS) +- name: DB_PASSWORD + value: "" + description: Sample database password (AKS) +- name: OTN_USERID + value: "" + description: Oracle SSO user (VM flow naming) +- name: OTN_PASSWORD + value: "" + description: Oracle SSO password (VM flow naming) +- name: USER_EMAIL + value: "" + description: Git user email (VM) +- name: USER_NAME + value: "" + description: Git user name (VM) +- name: GIT_TOKEN + value: "" + description: GitHub personal access token (VM) +- name: LOCATION + value: "" + description: Azure region (common) diff --git a/.github/workflows/setup-credentials.sh b/.github/workflows/setup-credentials.sh new file mode 100755 index 000000000..00d2dc93e --- /dev/null +++ b/.github/workflows/setup-credentials.sh 
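Review bot: The new `yq '.[]' "$param_file" | jq -c '.' | while read -r line; do` line drops the JSON output flag, and with mikefarah yq 4.x (the version the wrapper's header requires) the piped text is YAML, so jq fails and no secret is deleted; keep the flag if the goal was only to drop `eval`: `yq -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do`. The two replacement lines also gain a two-space indent that the removed lines did not have, which reads as an accidental re-indent unless the rest of the loop was re-indented too (its closing `done` is outside the hunk). The loop still extracts `value=` from each record although the teardown only uses `name`; pulling a secret value into a shell variable for nothing is cheap to remove.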
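Review bot: This file is tracked in the repository yet the setup-credentials.sh steps tell the user to fill in `ORC_SSOPSW`, `DB_PASSWORD`, `GIT_TOKEN` and the other `value: ""` fields in place, so the normal workflow leaves plaintext passwords and a GitHub PAT in a checked-out, diff-able file that `git add -A` will happily commit. Ship it as a template instead (e.g. `credentials-params.yaml.example` copied to an ignored `credentials-params.yaml`), or add the populated path to `.gitignore` and a header line such as `# DO NOT COMMIT this file once values are filled in — it holds live credentials.` The header also says `Optional ELK_* entries may be left blank to skip`, but no `ELK_*` entry exists in the list below; either add them or drop that sentence so readers do not go looking for keys that are not there. `WLS_PSW`'s description promises a fallback to `WDT_RUNTIMEPSW` when blank, but nothing in this diff implements that, so it is worth pointing at the workflow that does (or removing the promise).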
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+################################################
+# This script is invoked by a human who:
+# - has done az login.
+# - can create repository secrets in the github repo from which this file was cloned.
+# - has the gh client >= 2.0.0 installed.
+# - has yq 4.x installed.
+#
+# This script initializes the repo from which this file was cloned
+# with the necessary secrets to run the workflows.
+# Steps to run the Script:
+# 1. Run az login.
+# 2. Run gh auth login.
+# 3. Clone the repository.
+# 4. Prepare the .github/resource/credentials-params.yaml file with the required parameters.
+# 5. Run the script with the following command:
+# ```
+# cd .github/workflows
+# bash setup-credentials.sh
+# ```
+# 6. The script will set the required secrets in the repository.
+# 7. Check the repository secrets to verify that the secrets are set.
+################################################
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESOURCE_DIR="${SCRIPT_DIR}/../resource"
+export param_file="${RESOURCE_DIR}/credentials-params.yaml"
+
+source "${RESOURCE_DIR}/pre-check.sh"
+
+if [[ ! -f "${param_file}" ]]; then
+ echo "Parameter file not found: ${param_file}" >&2
+ exit 1
+fi
+
+source "${RESOURCE_DIR}/credentials-params-setup.sh"
+source "${RESOURCE_DIR}/azure-credential-setup.sh"
+
+exit 0
diff --git a/.github/workflows/setup-for-wls-aks.sh b/.github/workflows/setup-for-wls-aks.sh
old mode 100644
new mode 100755
diff --git a/.github/workflows/setup-for-wls-vm.sh b/.github/workflows/setup-for-wls-vm.sh
old mode 100644
new mode 100755
diff --git a/.github/workflows/teardown-credentials.sh b/.github/workflows/teardown-credentials.sh
new file mode 100755
index 000000000..b5837f021
--- /dev/null
+++ b/.github/workflows/teardown-credentials.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+################################################
+# This script is invoked by a human who:
+# - can remove repository secrets and variables in the github repo from which this file was cloned.
+# - has the gh client >= 2.0.0 installed.
+# - has yq 4.x installed.
+#
+# This script removes all secrets and variables set by setup-credentials.sh.
+# Steps to run the Script:
+# 1. Run gh auth login.
+# 2. Clone the repository.
+# 3. Run the script with the following command:
+# ```
+# cd .github/workflows
+# bash teardown-credentials.sh
+# ```
+# 4. The script will remove the required secrets and variables in the repository.
+# 5. Check the repository secrets/variables to verify that they are removed.
+################################################
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESOURCE_DIR="${SCRIPT_DIR}/../resource"
+export param_file="${RESOURCE_DIR}/credentials-params.yaml"
+
+source "${RESOURCE_DIR}/pre-check.sh"
+
+if [[ ! -f "${param_file}" ]]; then
+ echo "Parameter file not found: ${param_file}" >&2
+ exit 1
+fi
+
+# Remove all secrets set by setup-credentials.sh
+
+# Remove all secrets set by setup-credentials.sh
+# Ensure no jq command uses '-o=json' (jq outputs JSON by default)
+source "${RESOURCE_DIR}/credentials-params-teardown.sh"
+source "${RESOURCE_DIR}/azure-credential-teardown.sh"
+
+echo "All unified secrets and variables have been removed."
+exit 0
diff --git a/.github/workflows/teardown-for-wls-aks.sh b/.github/workflows/teardown-for-wls-aks.sh
old mode 100644
new mode 100755
diff --git a/.github/workflows/teardown-for-wls-vm.sh b/.github/workflows/teardown-for-wls-vm.sh
old mode 100644
new mode 100755
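Review bot: The header lists prerequisites for `gh` and `yq` but never says that `source "${RESOURCE_DIR}/azure-credential-setup.sh"` near the end creates a new Azure service principal with subscription-wide Contributor and User Access Administrator roles and pushes its client secret into the repository; a user reading only this script expects repository secrets to be set, not a privileged identity to appear in their tenant. Add a line to the "invoked by a human who" list such as `# - can create app registrations and role assignments in the current az subscription (azure-credential-setup.sh creates a Contributor + User Access Administrator SP).` Because the parameter secrets are pushed before the Azure step, a failure inside `azure-credential-setup.sh` under `set -e` leaves the repository half-configured; stating in step 6 whether the script is safe to re-run (the SP name appears to carry a timestamp and existing secrets are overwritten with a notice) would save the next person a cleanup.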
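Review bot: The prerequisite list only asks for `gh auth login`, yet the sourced `azure-credential-teardown.sh` runs `az ad sp list` / `az ad sp delete`, which need an active `az login` with rights to delete the principal; without it the lookup fails quietly, the principal is reported as "not found (already deleted?)", and the SP with its secret survives the teardown. Add `# - has done az login (with permission to delete the service principal).` to the header and `# 1. Run az login.` to the steps. The comment `# Ensure no jq command uses '-o=json' (jq outputs JSON by default)` is misleading — `-o=json` is a yq flag, and it is yq invocations this commit changed — and `# Remove all secrets set by setup-credentials.sh` appears twice in a row; drop the jq remark and one of the duplicates.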