On branch edburns/o-669-add-improved-setup-credentials

.github/resource/azure-credential-setup.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+#############################################################
+# Unified Azure credential setup script.
+# Replaces the need to run both azure-credential-setup-wls-aks.sh
+# and azure-credential-setup-wls-vm.sh when using the unified flow.
+#
+# Behavior:
+# - Creates ONE Azure Service Principal.
+# - Assigns Contributor + User Access Administrator roles.
+# - Stores credentials JSON in AZURE_CREDENTIALS secret.
+# - Exposes unified name via SERVICE_PRINCIPAL_NAME variable.
+# - For backward compatibility also sets legacy variables
+#   SERVICE_PRINCIPAL_NAME_WLS_AKS and SERVICE_PRINCIPAL_NAME_WLS_VM
+#   to the same value so downstream workflows keep working.
+#
+# NOTE: Leaves the original per-target scripts untouched for users
+# still invoking them directly.
+#############################################################
+
+echo "Execute unified azure-credential-setup.sh - Start-----------------------------"
+
+# Derive repo name if not provided
+REPO_NAME=${REPO_NAME:-$(basename "$(git rev-parse --show-toplevel 2>/dev/null || echo repo)")}
+SUBSCRIPTION_ID=$(az account show --query id -o tsv | tr -d '\r\n')
+
+SERVICE_PRINCIPAL_NAME="sp-${REPO_NAME}-wls-unified-$(date +%s)"
+echo "Creating Azure Service Principal with name: ${SERVICE_PRINCIPAL_NAME}" >&2
+
+AZURE_CREDENTIALS=$(az ad sp create-for-rbac \
+  --name "${SERVICE_PRINCIPAL_NAME}" \
+  --role "Contributor" \
+  --scopes "/subscriptions/${SUBSCRIPTION_ID}" \
+  --sdk-auth \
+  --only-show-errors)
+
+SP_ID=$(az ad sp list --display-name "${SERVICE_PRINCIPAL_NAME}" --query '[0].id' -o tsv | tr -d '\r\n') || true
+if [[ -n "${SP_ID}" ]]; then
+  az role assignment create --assignee "${SP_ID}" --scope "/subscriptions/${SUBSCRIPTION_ID}" --role "User Access Administrator" >/dev/null 2>&1 || \
+    echo "Warning: secondary role assignment may have failed" >&2
+else
+  echo "Warning: could not resolve SP ID for secondary role assignment" >&2
+fi
+
+# Best-effort detection of existing secret
+if gh secret list 2>/dev/null | grep -q '^AZURE_CREDENTIALS\b'; then
+  echo "Notice: Overwriting existing AZURE_CREDENTIALS secret" >&2
+fi
+
+gh secret --repo $(gh repo set-default --view) set "AZURE_CREDENTIALS" -b"${AZURE_CREDENTIALS}" >/dev/null
+
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_AKS -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_VM -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+
+echo "Execute unified azure-credential-setup.sh - End-------------------------------"

.github/resource/credentials-params.yaml

@@ -0,0 +1,49 @@
+# Unified credentials parameters for AKS and VM flows.
+# Populate required values before running setup-credentials.sh.
+# Optional ELK_* entries may be left blank to skip.
+
+- name: ORC_SSOUSER
+  value: ""
+  description: Oracle SSO user (AKS flow)
+- name: ORC_SSOPSW
+  value: ""
+  description: Oracle SSO password (AKS flow)
+- name: WDT_RUNTIMEPSW
+  value: ""
+  description: WDT encryption/password (AKS)
+- name: WLS_PSW
+  value: ""
+  description: WebLogic admin password (fallback to WDT_RUNTIMEPSW if blank)
+- name: WLS_USERNAME
+  value: "weblogic"
+  description: WebLogic admin username (AKS)
+- name: DB_PASSWORD
+  value: "Secret123!"
+  description: Sample database password (AKS)
+- name: OTN_USERID
+  value: ""
+  description: Oracle SSO user (VM flow naming)
+- name: OTN_PASSWORD
+  value: ""
+  description: Oracle SSO password (VM flow naming)
+- name: USER_EMAIL
+  value: ""
+  description: Git user email (VM)
+- name: USER_NAME
+  value: ""
+  description: Git user name (VM)
+- name: GIT_TOKEN
+  value: ""
+  description: GitHub personal access token (VM)
+- name: LOCATION
+  value: "eastus"
+  description: Azure region (common)
+- name: ELK_URI
+  value: ""
+  description: Elastic server URI (optional VM)
+- name: ELK_USER_NAME
+  value: ""
+  description: Elastic user name (optional VM)
+- name: ELK_PSW
+  value: ""
+  description: Elastic password (optional VM)

.github/workflows/setup-credentials.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+################################################
+# This script is invoked by a human who:
+# - has done az login.
+# - can create repository secrets in the github repo from which this file was cloned.
+# - has the gh client >= 2.0.0 installed.
+# - has yq 4.x installed.
+#
+# This script initializes the repo from which this file was cloned
+# with the necessary secrets to run the workflows.
+# Steps to run the Script:
+# 1. Run az login.
+# 2. Run gh auth login.
+# 3. Clone the repository.
+# 4. Prepare the .github/resource/credentials-params.yaml file with the required parameters.
+# 5. Run the script with the following command:
+#    ```
+#    cd .github/workflows
+#    bash setup-credentials.sh
+#    ```
+# 6. The script will set the required secrets in the repository.
+# 7. Check the repository secrets to verify that the secrets are set.
+################################################
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESOURCE_DIR="${SCRIPT_DIR}/../resource"
+export param_file="${RESOURCE_DIR}/credentials-params.yaml"
+
+source "${RESOURCE_DIR}/pre-check.sh"
+
+if [[ ! -f "${param_file}" ]]; then
+  echo "Parameter file not found: ${param_file}" >&2
+  exit 1
+fi
+
+source "${RESOURCE_DIR}/credentials-params-setup.sh"
+source "${RESOURCE_DIR}/azure-credential-setup.sh"
+
+exit 0