diff --git a/Utilities/AzureSetup/AzureSetup.postman_collection.json b/Utilities/AzureSetup/AzureSetup.postman_collection.json
new file mode 100644
index 0000000..d42b59c
--- /dev/null
+++ b/Utilities/AzureSetup/AzureSetup.postman_collection.json
@@ -0,0 +1,464 @@ +{ + "info": { + "_postman_id": "92aa972e-8f3a-4984-84fd-84c1c5ca4d4a", + "name": "Eco Azure Onboarding", + "description": "The list of APIs Rest Endpoints for completing onboarding to the Eco Azure product. Includes tasks like the following:\n\n- Create an App Registration\n \n- Create an App Registration Secret\n \n- Create an App Registration Service Principal\n \n- Create Role Assignments to the Registered App\n \n - Role for Reading Reservations\n \n - Role for Reading Savings Plans\n \n - Role for Tenanat Cost and Billing Reader\n \n - Role for Billing account Read (for EA customers)\n \n - Role for Billing profiles Read (for MCA customers)\n \n - Role for managing existing Reservations (for paying customers)\n \n - Role for managing existing Savings Plans (for paying customers)\n \n - Role for purchasing new Reservations (for paying customers)\n \n - Role for purchasing new Savings Plans (for paying customers)", + "schema": "https://schema.getpostman.com/json/collection/v2.0.0/collection.json", + "_exporter_id": "2995178" + }, + "item": [ + { + "name": "Create App Registration", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{graph_bearer_token}}" + } + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\"displayName\": \"{{app_display_name}}\"}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": "{{graph_api}}/v1.0/applications" + }, + "response": [] + }, + { + "name": "Create Service Principal", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{graph_bearer_token}}" + } + }, + "method": "POST", + "header": [], + "body": { + "mode": "raw", + "raw": "{\"appId\": \"{{app_id}}\"}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": "{{graph_api}}/v1.0/servicePrincipals" + }, + "response": [] + }, + { + "name": "Create Secret Key", + "request": { 
+ "auth": { + "type": "bearer", + "bearer": { + "token": "{{graph_bearer_token}}" + } + }, + "method": "POST", + "header": [], + "body": { + "mode": "raw", + "raw": "{\"passwordCredential\": {}}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": "{{graph_api}}/v1.0/applications(appId='{{app_id}}')/addPassword" + }, + "response": [] + }, + { + "name": "Assign Cost Management Reader", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": \"providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3\",\n \"principalId\": \"{{service_principal_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2022-04-01", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Management", + "managementGroups", + "{{tenant_id}}", + "providers", + "Microsoft.Authorization", + "roleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2022-04-01" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Reservation Reader", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": \"providers/Microsoft.Capacity/providers/Microsoft.Authorization/roleDefinitions/582fc458-8989-419f-a480-75249bc5db7e\",\n \"principalId\": \"{{service_principal_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": 
"{{management_api}}/providers/Microsoft.Capacity/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2022-04-01", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Capacity", + "providers", + "Microsoft.Authorization", + "roleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2022-04-01" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Reservation Purchaser (Paying Customers Only)", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": \"providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689\",\n \"principalId\": \"{{service_principal_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2022-04-01", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Management", + "managementGroups", + "{{tenant_id}}", + "providers", + "Microsoft.Authorization", + "roleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2022-04-01" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Savings Plan Purchaser (Paying Customers Only)", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": \"providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleDefinitions/3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74\",\n \"principalId\": \"{{service_principal_id}}\"\n 
}\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Management/managementGroups/{{tenant_id}}/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2022-04-01", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Management", + "managementGroups", + "{{tenant_id}}", + "providers", + "Microsoft.Authorization", + "roleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2022-04-01" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Billing Reader (MCA and CSP Customers Only)", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "POST", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"Properties\": {\n \"RoleDefinitionId\": \"providers/Microsoft.Billing/billingAccounts/{{billing_account_id}}/billingRoleDefinitions/50000000-aaaa-bbbb-cccc-100000000002\",\n \"PrincipalId\": \"{{service_principal_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Billing/billingAccounts/{{billing_account_id}}/createBillingRoleAssignment?api-version=2019-10-01-preview", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Billing", + "billingAccounts", + "{{billing_account_id}}", + "createBillingRoleAssignment" + ], + "query": [ + { + "key": "api-version", + "value": "2019-10-01-preview" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Enrollment Reader (EA Customers Only)", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": 
\"providers/Microsoft.Billing/billingAccounts/{{billing_account_id}}/billingRoleDefinitions/24f8edb6-1668-4659-b5e2-40bb5f3a7d7e\",\n \"principalId\": \"{{service_principal_id}}\",\n \"principalTenantId\": \"{{tenant_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Billing/billingAccounts/{{billing_account_id}}/billingRoleAssignments/{{$guid}}?api-version=2019-10-01-preview", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Billing", + "billingAccounts", + "{{billing_account_id}}", + "billingRoleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2019-10-01-preview" + } + ] + } + }, + "response": [] + }, + { + "name": "Assign Reservation Administrator (Paying Customers Only)", + "request": { + "auth": { + "type": "bearer", + "bearer": { + "token": "{{management_bearer_token}}" + } + }, + "method": "PUT", + "header": [], + "body": { + "mode": "raw", + "raw": "{\n \"properties\": {\n \"roleDefinitionId\": \"providers/Microsoft.Capacity/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-49c9-bc1c-52486c10e7cd\",\n \"principalId\": \"{{service_principal_id}}\"\n }\n}", + "options": { + "raw": { + "language": "json" + } + } + }, + "url": { + "raw": "{{management_api}}/providers/Microsoft.Capacity/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2022-04-01", + "host": [ + "{{management_api}}" + ], + "path": [ + "providers", + "Microsoft.Capacity", + "providers", + "Microsoft.Authorization", + "roleAssignments", + "{{$guid}}" + ], + "query": [ + { + "key": "api-version", + "value": "2022-04-01" + } + ] + } + }, + "response": [] + } + ], + "event": [ + { + "listen": "prerequest", + "script": { + "type": "text/javascript", + "packages": {}, + "exec": [ + "" + ] + } + }, + { + "listen": "test", + "script": { + "type": "text/javascript", + "packages": {}, + "exec": [ + "" + ] + } + } + ], + 
"variable": [
+ {
+ "key": "management_bearer_token",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "graph_bearer_token",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "graph_api",
+ "value": "https://graph.microsoft.com",
+ "type": "string"
+ },
+ {
+ "key": "management_api",
+ "value": "https://management.azure.com",
+ "type": "string"
+ },
+ {
+ "key": "app_display_name",
+ "value": "EcoAzureConnection",
+ "type": "string"
+ },
+ {
+ "key": "app_id",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "service_principal_id",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "tenant_id",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "billing_account_id",
+ "value": "",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Utilities/AzureSetup/CSP/eco_azure_full_access.ps1 b/Utilities/AzureSetup/CSP/eco_azure_full_access.ps1
index 4577210..bcb6018 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_full_access.ps1
+++ b/Utilities/AzureSetup/CSP/eco_azure_full_access.ps1
@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
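Review bot: The `management_bearer_token` and `graph_bearer_token` collection variables are declared with `"type": "string"`, so once a user fills them in the live bearer tokens sit in the collection as ordinary values and travel with any export or shared workspace copy. Postman's `"type": "secret"` masks the value in the UI and reduces the chance it is disclosed by accident; change both entries to `"type": "secret"`. The identifier variables (`app_id`, `service_principal_id`, `tenant_id`, `billing_account_id`) are fine as strings. Further up in the same hunk, the "Create Secret Key" request sends `{"passwordCredential": {}}`, which accepts the service's default secret lifetime; setting `passwordCredential.endDateTime` to an explicit, shorter expiry would keep the credential lifetime a deliberate choice rather than a default.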
@@ -43,8 +44,26 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Adm
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
-# assign billing reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+# assign billing reader role via REST API
+$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+ Properties = @{
+ RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+ PrincipalId = $principalId
+ }
+} | ConvertTo-Json
+$headers = @{
+ "Content-Type" = "application/json"
+ "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Post `
+ -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" `
+ -Headers $headers `
+ -Body $DATA
+
 # Output app details
 Write-Host "App ID:" $app.AppId
diff --git a/Utilities/AzureSetup/CSP/eco_azure_full_access.py b/Utilities/AzureSetup/CSP/eco_azure_full_access.py
index 8c3e202..44b22f3 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_full_access.py
+++ b/Utilities/AzureSetup/CSP/eco_azure_full_access.py
@@ -1,5 +1,6 @@
 import requests
 from azure.identity import DefaultAzureCredential
+import uuid
 # Set up the necessary variables
 TENANT_ID = "{{tenant_id}}"
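Review bot: `$ACCESS_TOKEN = az account get-access-token ...` shells out to the Azure CLI although this script authenticates with `Connect-AzAccount -TenantId $tenantId` (context at the top of the file), so the billing REST call uses whatever account and tenant the CLI happens to be logged into, or sends an empty bearer token if `az` is absent or logged out; the same block is repeated in the readonly CSP script and in both EA scripts, whose PUT to `billingRoleAssignments/$ROLE_ASSIGNMENT_ID` has the same issue. The Az module can make the call with the session it already holds: `Invoke-AzRestMethod` (Az.Accounts 2.x and later) takes the ARM-relative path and the JSON payload and attaches the token itself, which also removes the hand-built `$headers` table and keeps the token out of a plain string variable. It does not throw on a non-2xx status, so the returned `StatusCode` has to be checked explicitly, as below. As a style aside, the new `$ROLE_DEF_ID`, `$API_VERSION` and `$SCOPE` names are SCREAMING_CASE where the rest of the file uses `$tenantId`/`$appName` camelCase.
```powershell
# … unchanged: $ROLE_DEF_ID, $API_VERSION, $SCOPE, $DATA …
# Invoke-AzRestMethod reuses the Connect-AzAccount session: no az CLI login and no hand-built Authorization header.
$resp = Invoke-AzRestMethod -Method POST `
    -Path "/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" `
    -Payload $DATA
# Invoke-AzRestMethod returns the response instead of throwing on 4xx/5xx, so fail loudly here.
if ($resp.StatusCode -ge 300) {
    throw "Billing role assignment failed: $($resp.StatusCode) $($resp.Content)"
}
```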
@@ -39,7 +40,7 @@
 # assign reservation reader role
 role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -52,7 +53,7 @@
 # assign reservation purchaser role
 role_definition_id = "f7b75c60-3036-4b75-91c3-6b41c27c1689"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -65,7 +66,7 @@
 # assign reservation administrator role
 role_definition_id = "a8889054-8d42-49c9-bc1c-52486c10e7cd"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
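Review bot: `{str(uuid.uuid4())}` in the new `role_assignments_url` wraps a value that f-string interpolation already stringifies, so `{uuid.uuid4()}` reads cleaner; more to the point, the same four-line block is repeated in every role section of this file (the three hunks on this line and the three on the next) and again in the readonly and EA scripts, so the uuid fix had to be pasted into each copy. Factoring it into one module-level helper keeps the URL, the body and the error check in a single place, and capturing the generated name lets the created assignment be located later for audit or cleanup, since nothing currently records it. `object_id` and `management_header` are module globals defined above the hunk (presumably where the token is acquired), so the helper can read them as the inline code does. Note also that a fresh `uuid4()` per run asks for a second assignment of the same role at the same scope on a re-run; I believe ARM rejects that with 409 (RoleAssignmentExists), which `raise_for_status()` turns into an exception, so a partially completed run cannot simply be executed again.
```python
def assign_role(scope: str, role_definition_id: str) -> str:
    """Create a uniquely named role assignment for the service principal at *scope*.

    Returns the generated assignment name so callers can log or later remove it.
    Raises requests.HTTPError on a non-2xx response.
    """
    name = str(uuid.uuid4())
    url = (
        f"https://management.azure.com/{scope}/providers/Microsoft.Authorization"
        f"/roleAssignments/{name}?api-version=2022-04-01"
    )
    data = {
        "properties": {
            "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
            "principalId": object_id,
        }
    }
    resp = requests.put(url=url, headers=management_header, json=data)
    resp.raise_for_status()
    return name

# assign reservation reader role
assign_role("providers/Microsoft.Capacity", "582fc458-8989-419f-a480-75249bc5db7e")
# … unchanged: the remaining roles call assign_role the same way with their scope and definition id …
```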
@@ -78,7 +79,7 @@
 # assign savings plan purchaser role
 role_definition_id = "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -91,7 +92,7 @@
 # assign savings plan administrator role
 role_definition_id = "433febaf-a31d-4d4f-8dc8-b4593b39bda5"
 scope = "providers/Microsoft.BillingBenefits"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -104,7 +105,7 @@
 # assign cost management reader role
 role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -117,14 +118,14 @@
 # assign billing reader role
 role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002"
 scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview"
 data = {
- "properties": {
- "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
- "principalId": object_id
+ "Properties": {
+ "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}",
+ "PrincipalId": object_id
 }
 }
-resp = requests.put(url=role_assignments_url, headers=management_header, json=data)
+resp = requests.post(url=role_assignments_url, headers=management_header, json=data)
 resp.raise_for_status()
diff --git a/Utilities/AzureSetup/CSP/eco_azure_full_access.sh b/Utilities/AzureSetup/CSP/eco_azure_full_access.sh
index b883de3..b9965da 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_full_access.sh
+++ b/Utilities/AzureSetup/CSP/eco_azure_full_access.sh
@@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw
 SECRET_KEY=$(echo $SECRET_KEY | tr -d '"')
 # Create service principal
-az ad sp create --id $APP_ID
+PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')
 # Role assignments
 # assign reservation reader role
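Review bot: `PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')` strips the JSON quotes by hand, while the same commit already uses `-o tsv` for `get-access-token` further down, which yields the bare value directly; `PRINCIPAL_ID=$(az ad sp create --id "$APP_ID" --query id -o tsv)` does the same with `$APP_ID` quoted. The identical pattern appears in the matching hunks of the readonly CSP script and the EA scripts.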
@@ -37,8 +37,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Administrator"
 # assign cost management reader role
 az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}"
-# assign billing reader role
-az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+# assign Billing Reader role using REST API
+ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002"
+API_VERSION="2019-10-01-preview"
+SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
+DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}'
+curl -X POST \
+ "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+ -d "${DATA}"
 # Print registered app info
diff --git a/Utilities/AzureSetup/CSP/eco_azure_readonly.ps1 b/Utilities/AzureSetup/CSP/eco_azure_readonly.ps1
index c347182..4aec719 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_readonly.ps1
+++ b/Utilities/AzureSetup/CSP/eco_azure_readonly.ps1
@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
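Review bot: `DATA='{\"Properties\": ...}'` is single-quoted, so `${SCOPE}`, `${ROLE_DEF_ID}` and `${PRINCIPAL_ID}` are never expanded and the `\"` sequences are sent as literal backslash-quote, meaning the body curl posts is not valid JSON and the assignment request will be rejected; the same line is in the readonly CSP script's billing hunk and, with the enrollment-reader fields, in the EA full-access script's hunk. Double quotes give the intended string: `DATA="{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}"`. curl also runs without `--fail`, so a 4xx from the API is printed and ignored and the script continues to the "Print registered app info" section as if the role had been granted; `curl --fail -sS -X POST \` makes the failure a non-zero exit (and fatal under `set -e`, if the script's header outside the hunk enables it). The bearer token passed with `-H` is visible in the process list to other local users for the duration of the call; writing that header to a temporary file and passing `-H @file` keeps it out of argv.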
@@ -31,9 +32,25 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Rea
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
-# assign billing reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId "
-
+# assign billing reader role via REST API
+$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+ Properties = @{
+ RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+ PrincipalId = $principalId
+ }
+} | ConvertTo-Json
+$headers = @{
+ "Content-Type" = "application/json"
+ "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Post `
+ -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" `
+ -Headers $headers `
+ -Body $DATA
 # Output app details
 Write-Host "App ID:" $app.AppId
diff --git a/Utilities/AzureSetup/CSP/eco_azure_readonly.py b/Utilities/AzureSetup/CSP/eco_azure_readonly.py
index ed15958..4cda430 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_readonly.py
+++ b/Utilities/AzureSetup/CSP/eco_azure_readonly.py
@@ -1,5 +1,6 @@
 import requests
 from azure.identity import DefaultAzureCredential
+import uuid
 from Utilities.AzureSetup.CSP.eco_azure_full_access import BILLING_ACCOUNT_ID
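Review bot: `from Utilities.AzureSetup.CSP.eco_azure_full_access import BILLING_ACCOUNT_ID` (the context line closing this hunk) imports a module whose body is a flat script — its hunks elsewhere in this commit show `requests.put(...)`/`requests.post(...)` at module level — so importing it executes the whole full-access flow, including the purchaser and administrator role assignments, before the read-only script runs a single line of its own, which defeats the point of a read-only variant. Define `BILLING_ACCOUNT_ID` locally in this file, in the same templated style as `TENANT_ID` in the full-access script, and drop the import. Minor: `import uuid` sits after the third-party imports; PEP 8 groups stdlib imports first.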
@@ -41,7 +42,7 @@
 # assign reservation reader role
 role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -54,7 +55,7 @@
 # assign cost management reader role
 role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -67,14 +68,14 @@
 # assign billing reader role
 role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002"
 scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview"
 data = {
- "properties": {
- "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
- "principalId": object_id
+ "Properties": {
+ "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}",
+ "PrincipalId": object_id
 }
 }
-resp = requests.put(url=role_assignments_url, headers=management_header, json=data)
+resp = requests.post(url=role_assignments_url, headers=management_header, json=data)
 resp.raise_for_status()
diff --git a/Utilities/AzureSetup/CSP/eco_azure_readonly.sh b/Utilities/AzureSetup/CSP/eco_azure_readonly.sh
index f5ed213..1002ee8 100644
--- a/Utilities/AzureSetup/CSP/eco_azure_readonly.sh
+++ b/Utilities/AzureSetup/CSP/eco_azure_readonly.sh
@@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw
 SECRET_KEY=$(echo $SECRET_KEY | tr -d '"')
 # Create service principal
-az ad sp create --id $APP_ID
+PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')
 # Role assignments
 # assign reservation reader role
@@ -25,8 +25,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Reader" --scop
 # assign cost management reader role
 az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}"
-# assign billing reader role
-az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+# assign Billing Reader role using REST API
+ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002"
+API_VERSION="2019-10-01-preview"
+SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
+DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}'
+curl -X POST \
+ "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+ -d "${DATA}"
 # Print registered app info
diff --git a/Utilities/AzureSetup/EA/eco_azure_full_access.ps1 b/Utilities/AzureSetup/EA/eco_azure_full_access.ps1
index c6a11bd..56815f3 100644
--- a/Utilities/AzureSetup/EA/eco_azure_full_access.ps1
+++ b/Utilities/AzureSetup/EA/eco_azure_full_access.ps1
@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
@@ -43,8 +44,27 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Adm
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
-# assign enrollment reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Enrollment Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+# Generate a UUID for the role assignment ID
+$ROLE_ASSIGNMENT_ID = [guid]::NewGuid().ToString().ToLower()
+$ROLE_DEF_ID = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+ properties = @{
+ roleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+ principalTenantId = $tenantId
+ principalId = $principalId
+ }
+} | ConvertTo-Json
+$headers = @{
+ "Content-Type" = "application/json"
+ "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Put `
+ -Uri "https://management.azure.com/$SCOPE/billingRoleAssignments/$ROLE_ASSIGNMENT_ID?api-version=$API_VERSION" `
+ -Headers $headers `
+ -Body $DATA
 # Output app details
diff --git a/Utilities/AzureSetup/EA/eco_azure_full_access.py b/Utilities/AzureSetup/EA/eco_azure_full_access.py
index cc13584..90c3537 100644
--- a/Utilities/AzureSetup/EA/eco_azure_full_access.py
+++ b/Utilities/AzureSetup/EA/eco_azure_full_access.py
@@ -1,5 +1,6 @@
 import requests
 from azure.identity import DefaultAzureCredential
+import uuid
 # Set up the necessary variables
 TENANT_ID = "{{tenant_id}}"
@@ -39,7 +40,7 @@
 # assign reservation reader role
 role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -52,7 +53,7 @@
 # assign reservation purchaser role
 role_definition_id = "f7b75c60-3036-4b75-91c3-6b41c27c1689"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -65,7 +66,7 @@
 # assign reservation administrator role
 role_definition_id = "a8889054-8d42-49c9-bc1c-52486c10e7cd"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -78,7 +79,7 @@
 # assign savings plan purchaser role
 role_definition_id = "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -91,7 +92,7 @@
 # assign savings plan administrator role
 role_definition_id = "433febaf-a31d-4d4f-8dc8-b4593b39bda5"
 scope = "providers/Microsoft.BillingBenefits"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -104,7 +105,7 @@
 # assign cost management reader role
 role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
 "properties": {
 "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -117,16 +118,16 @@
 # assign enrollment reader role
 role_definition_id = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
 scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/billingRoleAssignments/{str(uuid.uuid4())}?api-version=2019-10-01-preview"
 data = {
 "properties": {
- "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
- "principalId": object_id
+ "roleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}",
+ "principalId": object_id,
+ "principalTenantId": TENANT_ID,
 }
 }
 resp = requests.put(url=role_assignments_url, headers=management_header, json=data)
 resp.raise_for_status()
-
 print(f"App ID: {app_id}")
 print(f"Secret Key: {secret_key}")
diff --git a/Utilities/AzureSetup/EA/eco_azure_full_access.sh b/Utilities/AzureSetup/EA/eco_azure_full_access.sh
index f03f8f7..3ee88a2 100644
--- a/Utilities/AzureSetup/EA/eco_azure_full_access.sh
+++ b/Utilities/AzureSetup/EA/eco_azure_full_access.sh
@@ -14,7 +14,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw
 SECRET_KEY=$(echo $SECRET_KEY | tr -d '"')
 # Create service principal
-az ad sp create --id $APP_ID
+PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')
 # Role assignments
 # assign reservation reader role
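Review bot: `print(f"Secret Key: {secret_key}")`, the context line closing this hunk, writes the freshly created client secret to stdout, where it lands in terminal scrollback and in the log of any pipeline that runs this script; the enrollment-reader request the hunk changes is fine, but the secret handling next to it is the larger exposure. Consider writing the secret to a file with restricted permissions or handing it to the caller's secret store and printing only the app id, and the same applies to the other Python, shell and PowerShell variants in this commit, which end with a similar "print registered app info" section below their last hunk. `str(uuid.uuid4())` in the new URL can be `uuid.uuid4()`, since f-string interpolation already converts it.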
@@ -38,8 +38,18 @@ az role assignment create --assignee $APP_ID --role "Savings plan Administrator" # assign cost management reader role az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}" -# assign enrollment reader role -az role assignment create --assignee $APP_ID --role "Enrollment Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +# assign Enrollment Reader role using REST API +ROLE_ASSIGNMENT_ID=$(uuidgen | tr 'A-F' 'a-f') +ROLE_DEF_ID="24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" +API_VERSION="2019-10-01-preview" +SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv) +DATA='{\"properties\": {\"roleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"principalTenantId\": \"${TENANT_ID}\", \"principalId\": \"${PRINCIPAL_ID}\"}}' +curl -X PUT \ + "https://management.azure.com/${SCOPE}/billingRoleAssignments/${ROLE_ASSIGNMENT_ID}?api-version=${API_VERSION}" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -d "${DATA}" # Print registered app info diff --git a/Utilities/AzureSetup/EA/eco_azure_readonly.ps1 b/Utilities/AzureSetup/EA/eco_azure_readonly.ps1 index a0e8f78..f2ad388 100644 --- a/Utilities/AzureSetup/EA/eco_azure_readonly.ps1 +++ b/Utilities/AzureSetup/EA/eco_azure_readonly.ps1 @@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId # Register the app $app = New-AzADApplication -DisplayName $appName -# Create a service principal -New-AzADServicePrincipal -ApplicationId $app.AppId +# Create a service principal and get its ID +$sp = New-AzADServicePrincipal -ApplicationId $app.AppId +$principalId = $sp.Id # Delete all secret keys $secretKeys = Get-AzADAppCredential -ApplicationId $appId 
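Review bot: `DATA='{\"properties\": ...${SCOPE}...}'` is single-quoted, so `${SCOPE}`, `${ROLE_DEF_ID}`, `${TENANT_ID}` and `${PRINCIPAL_ID}` are never expanded and the backslashes go out literally; the PUT body is not valid JSON and names no principal. Use double quotes: `DATA="{\"properties\": {\"roleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"principalTenantId\": \"${TENANT_ID}\", \"principalId\": \"${PRINCIPAL_ID}\"}}"`. The `curl` call has no `--fail`, so the 4xx that body produces (or a missing-permission error) exits 0 and the script carries on to print the app details as if the role had been granted; add `--fail --silent --show-error` and check the exit status, or run the script under `set -e`. Passing the bearer token as a `-H` argument also exposes it in the process list to other local users for the duration of the call; `-H @file` or a `--config` file with restricted permissions avoids that. The same issues are in the REST hunks of EA/eco_azure_readonly.sh, MCA/eco_azure_full_access.sh and MCA/eco_azure_readonly.sh.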
@@ -31,8 +32,27 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Rea # assign cost management reader role New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId" -# assign enrollment reader role -New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Enrollment Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId" +# Generate a UUID for the role assignment ID +$ROLE_ASSIGNMENT_ID = [guid]::NewGuid().ToString().ToLower() +$ROLE_DEF_ID = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" +$API_VERSION = "2019-10-01-preview" +$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId" +$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv +$DATA = @{ + properties = @{ + roleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID" + principalTenantId = $tenantId + principalId = $principalId + } +} | ConvertTo-Json +$headers = @{ + "Content-Type" = "application/json" + "Authorization" = "Bearer $ACCESS_TOKEN" +} +Invoke-RestMethod -Method Put ` + -Uri "https://management.azure.com/$SCOPE/billingRoleAssignments/$ROLE_ASSIGNMENT_ID?api-version=$API_VERSION" ` + -Headers $headers ` + -Body $DATA # Output app details diff --git a/Utilities/AzureSetup/EA/eco_azure_readonly.py b/Utilities/AzureSetup/EA/eco_azure_readonly.py index 3de574f..45f3c93 100644 --- a/Utilities/AzureSetup/EA/eco_azure_readonly.py +++ b/Utilities/AzureSetup/EA/eco_azure_readonly.py @@ -1,5 +1,6 @@ import requests from azure.identity import DefaultAzureCredential +import uuid # Set up the necessary variables TENANT_ID = "{{tenant_id}}" 
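Review bot: `$ACCESS_TOKEN = az account get-access-token ...` shells out to the Azure CLI from a script that authenticated with `Connect-AzAccount`, so it silently depends on a separate `az login` to the same tenant; if the CLI is not logged in, `$ACCESS_TOKEN` is empty and the PUT fails with 401, and if it is logged into another tenant the call may act against the wrong one. `(Get-AzAccessToken -ResourceUrl "https://management.azure.com/").Token` reuses the existing Az session and removes the extra dependency. The uppercase `$ROLE_ASSIGNMENT_ID`/`$SCOPE`/`$DATA` names also depart from the camelCase used elsewhere in the file (`$tenantId`, `$principalId`). The same applies to the REST hunks in MCA/eco_azure_full_access.ps1 and MCA/eco_azure_readonly.ps1.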
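Review bot: `import uuid` is added below the third-party `from azure.identity import DefaultAzureCredential` line; PEP 8 groups standard-library imports first, so it belongs in its own group above `import requests`, separated from the third-party group by a blank line. The same placement recurs in the import hunks of MCA/eco_azure_full_access.py, MCA/eco_azure_readonly.py, PAYG/eco_azure_full_access.py and PAYG/eco_azure_readonly.py.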
@@ -39,7 +40,7 @@ # assign reservation reader role role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -52,7 +53,7 @@ # assign cost management reader role role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
@@ -65,11 +66,12 @@ # assign enrollment reader role role_definition_id = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/billingRoleAssignments/{str(uuid.uuid4())}?api-version=2019-10-01-preview" data = { "properties": { - "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", - "principalId": object_id + "roleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}", + "principalId": object_id, + "principalTenantId": TENANT_ID, } } resp = requests.put(url=role_assignments_url, headers=management_header, json=data) diff --git a/Utilities/AzureSetup/EA/eco_azure_readonly.sh b/Utilities/AzureSetup/EA/eco_azure_readonly.sh index 920602c..8606866 100644 --- a/Utilities/AzureSetup/EA/eco_azure_readonly.sh +++ b/Utilities/AzureSetup/EA/eco_azure_readonly.sh @@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw SECRET_KEY=$(echo $SECRET_KEY | tr -d '"') # Create service principal -az ad sp create --id $APP_ID +PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"') # Role assignments # assign reservation reader role 
@@ -25,8 +25,18 @@ az role assignment create --assignee $APP_ID --role "Savings plan Reader" --scop # assign cost management reader role az role assignment create --assignee "{{app_id}}" --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}" -# assign enrollment reader role -az role assignment create --assignee "{{app_id}}" --role "Enrollment Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +# assign Enrollment Reader role using REST API +ROLE_ASSIGNMENT_ID=$(uuidgen | tr 'A-F' 'a-f') +ROLE_DEF_ID="24f8edb6-1668-4659-b5e2-40bb5f3a7d7e" +API_VERSION="2019-10-01-preview" +SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv) +DATA='{\"properties\": {\"roleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"principalTenantId\": \"${TENANT_ID}\", \"principalId\": \"${PRINCIPAL_ID}\"}}' +curl -X PUT \ + "https://management.azure.com/${SCOPE}/billingRoleAssignments/${ROLE_ASSIGNMENT_ID}?api-version=${API_VERSION}" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -d "${DATA}" # Print registered app info diff --git a/Utilities/AzureSetup/MCA/eco_azure_full_access.ps1 b/Utilities/AzureSetup/MCA/eco_azure_full_access.ps1 index ffd6e1d..bcb6018 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_full_access.ps1 +++ b/Utilities/AzureSetup/MCA/eco_azure_full_access.ps1 @@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId # Register the app $app = New-AzADApplication -DisplayName $appName -# Create a service principal -New-AzADServicePrincipal -ApplicationId $app.AppId +# Create a service principal and get its ID +$sp = New-AzADServicePrincipal -ApplicationId $app.AppId +$principalId = $sp.Id # Delete all secret keys $secretKeys = Get-AzADAppCredential -ApplicationId $appId 
@@ -43,8 +44,25 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Adm # assign cost management reader role New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId" -# assign billing reader role -New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId" +# assign billing reader role via REST API +$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002" +$API_VERSION = "2019-10-01-preview" +$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId" +$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv +$DATA = @{ + Properties = @{ + RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID" + PrincipalId = $principalId + } +} | ConvertTo-Json +$headers = @{ + "Content-Type" = "application/json" + "Authorization" = "Bearer $ACCESS_TOKEN" +} +Invoke-RestMethod -Method Post ` + -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" ` + -Headers $headers ` + -Body $DATA # Output app details diff --git a/Utilities/AzureSetup/MCA/eco_azure_full_access.py b/Utilities/AzureSetup/MCA/eco_azure_full_access.py index 8c3e202..44b22f3 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_full_access.py +++ b/Utilities/AzureSetup/MCA/eco_azure_full_access.py @@ -1,5 +1,6 @@ import requests from azure.identity import DefaultAzureCredential +import uuid # Set up the necessary variables TENANT_ID = "{{tenant_id}}" 
@@ -39,7 +40,7 @@ # assign reservation reader role role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -52,7 +53,7 @@ # assign reservation purchaser role role_definition_id = "f7b75c60-3036-4b75-91c3-6b41c27c1689" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -65,7 +66,7 @@ # assign reservation administrator role role_definition_id = "a8889054-8d42-49c9-bc1c-52486c10e7cd" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
@@ -78,7 +79,7 @@ # assign savings plan purchaser role role_definition_id = "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -91,7 +92,7 @@ # assign savings plan administrator role role_definition_id = "433febaf-a31d-4d4f-8dc8-b4593b39bda5" scope = "providers/Microsoft.BillingBenefits" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -104,7 +105,7 @@ # assign cost management reader role role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
@@ -117,14 +118,14 @@ # assign billing reader role role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002" scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview" data = { - "properties": { - "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", - "principalId": object_id + "Properties": { + "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}", + "PrincipalId": object_id } } -resp = requests.put(url=role_assignments_url, headers=management_header, json=data) +resp = requests.post(url=role_assignments_url, headers=management_header, json=data) resp.raise_for_status() diff --git a/Utilities/AzureSetup/MCA/eco_azure_full_access.sh b/Utilities/AzureSetup/MCA/eco_azure_full_access.sh index b883de3..b9965da 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_full_access.sh +++ b/Utilities/AzureSetup/MCA/eco_azure_full_access.sh @@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw SECRET_KEY=$(echo $SECRET_KEY | tr -d '"') # Create service principal -az ad sp create --id $APP_ID +PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"') # Role assignments # assign reservation reader role 
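Review bot: `resp = requests.post(url=role_assignments_url, headers=management_header, json=data)` is a new call with no `timeout=`, so a stalled connection hangs the onboarding script indefinitely; `requests.post(url=role_assignments_url, headers=management_header, json=data, timeout=30)` bounds it. The body now uses `Properties`/`RoleDefinitionId`/`PrincipalId` while the EA hunks in this diff send `properties`/`roleDefinitionId`/`principalId`; if the service treats property names case-insensitively this is only a consistency issue, but it is worth aligning on one spelling across the scripts. The same applies to the billing hunk in MCA/eco_azure_readonly.py.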
@@ -37,8 +37,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Administrator" # assign cost management reader role az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}" -# assign billing reader role -az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +# assign Billing Reader role using REST API +ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002" +API_VERSION="2019-10-01-preview" +SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv) +DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}' +curl -X POST \ + "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -d "${DATA}" # Print registered app info diff --git a/Utilities/AzureSetup/MCA/eco_azure_readonly.ps1 b/Utilities/AzureSetup/MCA/eco_azure_readonly.ps1 index 3551ebb..55e5a0c 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_readonly.ps1 +++ b/Utilities/AzureSetup/MCA/eco_azure_readonly.ps1 @@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId # Register the app $app = New-AzADApplication -DisplayName $appName -# Create a service principal -New-AzADServicePrincipal -ApplicationId $app.AppId +# Create a service principal and get its ID +$sp = New-AzADServicePrincipal -ApplicationId $app.AppId +$principalId = $sp.Id # Delete all secret keys $secretKeys = Get-AzADAppCredential -ApplicationId $appId 
@@ -31,8 +32,25 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Rea # assign cost management reader role New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId" -# assign billing reader role -New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId" +# assign billing reader role via REST API +$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002" +$API_VERSION = "2019-10-01-preview" +$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId" +$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv +$DATA = @{ + Properties = @{ + RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID" + PrincipalId = $principalId + } +} | ConvertTo-Json +$headers = @{ + "Content-Type" = "application/json" + "Authorization" = "Bearer $ACCESS_TOKEN" +} +Invoke-RestMethod -Method Post ` + -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" ` + -Headers $headers ` + -Body $DATA # Output app details diff --git a/Utilities/AzureSetup/MCA/eco_azure_readonly.py b/Utilities/AzureSetup/MCA/eco_azure_readonly.py index 9d1cb47..ecb3c28 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_readonly.py +++ b/Utilities/AzureSetup/MCA/eco_azure_readonly.py @@ -1,5 +1,6 @@ import requests from azure.identity import DefaultAzureCredential +import uuid # Set up the necessary variables TENANT_ID = "{{tenant_id}}" 
@@ -39,7 +40,7 @@ # assign reservation reader role role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -52,7 +53,7 @@ # assign cost management reader role role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
@@ -65,14 +66,14 @@ # assign billing reader role role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002" scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview" data = { - "properties": { - "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", - "principalId": object_id + "Properties": { + "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}", + "PrincipalId": object_id } } -resp = requests.put(url=role_assignments_url, headers=management_header, json=data) +resp = requests.post(url=role_assignments_url, headers=management_header, json=data) resp.raise_for_status() diff --git a/Utilities/AzureSetup/MCA/eco_azure_readonly.sh b/Utilities/AzureSetup/MCA/eco_azure_readonly.sh index f5ed213..1002ee8 100644 --- a/Utilities/AzureSetup/MCA/eco_azure_readonly.sh +++ b/Utilities/AzureSetup/MCA/eco_azure_readonly.sh @@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw SECRET_KEY=$(echo $SECRET_KEY | tr -d '"') # Create service principal -az ad sp create --id $APP_ID +PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"') # Role assignments # assign reservation reader role 
@@ -25,8 +25,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Reader" --scop # assign cost management reader role az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}" -# assign billing reader role -az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +# assign Billing Reader role using REST API +ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002" +API_VERSION="2019-10-01-preview" +SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}" +ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv) +DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}' +curl -X POST \ + "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${ACCESS_TOKEN}" \ + -d "${DATA}" # Print registered app info diff --git a/Utilities/AzureSetup/PAYG/eco_azure_full_access.py b/Utilities/AzureSetup/PAYG/eco_azure_full_access.py index 0b87b75..2d22290 100644 --- a/Utilities/AzureSetup/PAYG/eco_azure_full_access.py +++ b/Utilities/AzureSetup/PAYG/eco_azure_full_access.py @@ -1,5 +1,6 @@ import requests from azure.identity import DefaultAzureCredential +import uuid # Set up the necessary variables TENANT_ID = "{{tenant_id}}" 
@@ -38,7 +39,7 @@ # assign reservation reader role role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -51,7 +52,7 @@ # assign reservation purchaser role role_definition_id = "f7b75c60-3036-4b75-91c3-6b41c27c1689" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -64,7 +65,7 @@ # assign reservation administrator role role_definition_id = "a8889054-8d42-49c9-bc1c-52486c10e7cd" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
@@ -77,7 +78,7 @@ # assign savings plan purchaser role role_definition_id = "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -90,7 +91,7 @@ # assign savings plan administrator role role_definition_id = "433febaf-a31d-4d4f-8dc8-b4593b39bda5" scope = "providers/Microsoft.BillingBenefits" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -103,7 +104,7 @@ # assign cost management reader role role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", 
diff --git a/Utilities/AzureSetup/PAYG/eco_azure_readonly.py b/Utilities/AzureSetup/PAYG/eco_azure_readonly.py index 1d57a4e..b05ff46 100644 --- a/Utilities/AzureSetup/PAYG/eco_azure_readonly.py +++ b/Utilities/AzureSetup/PAYG/eco_azure_readonly.py @@ -1,5 +1,6 @@ import requests from azure.identity import DefaultAzureCredential +import uuid # Set up the necessary variables TENANT_ID = "{{tenant_id}}" @@ -38,7 +39,7 @@ # assign reservation reader role role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e" scope = "providers/Microsoft.Capacity" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}", @@ -51,7 +52,7 @@ # assign cost management reader role role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3" scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}" -role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01" +role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01" data = { "properties": { "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",