[src] SF-23264: Update Eco Azure setup scripts

Utilities/AzureSetup/CSP/eco_azure_full_access.ps1

@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
 
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
@@ -43,8 +44,26 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Adm
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
 
-# assign billing reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+# assign billing reader role via REST API
+$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+    Properties = @{
+        RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+        PrincipalId      = $principalId
+    }
+} | ConvertTo-Json
+$headers = @{
+    "Content-Type"  = "application/json"
+    "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Post `
+    -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" `
+    -Headers $headers `
+    -Body $DATA
+
 
 # Output app details
 Write-Host "App ID:" $app.AppId

Utilities/AzureSetup/CSP/eco_azure_full_access.py

@@ -1,5 +1,6 @@
 import requests
 from azure.identity import DefaultAzureCredential
+import uuid
 
 # Set up the necessary variables
 TENANT_ID = "{{tenant_id}}"
@@ -39,7 +40,7 @@
 # assign reservation reader role
 role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -52,7 +53,7 @@
 # assign reservation purchaser role
 role_definition_id = "f7b75c60-3036-4b75-91c3-6b41c27c1689"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -65,7 +66,7 @@
 # assign reservation administrator role
 role_definition_id = "a8889054-8d42-49c9-bc1c-52486c10e7cd"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -78,7 +79,7 @@
 # assign savings plan purchaser role
 role_definition_id = "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -91,7 +92,7 @@
 # assign savings plan administrator role
 role_definition_id = "433febaf-a31d-4d4f-8dc8-b4593b39bda5"
 scope = "providers/Microsoft.BillingBenefits"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -104,7 +105,7 @@
 # assign cost management reader role
 role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -117,14 +118,14 @@
 # assign billing reader role
 role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002"
 scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview"
 data = {
-    "properties": {
-        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
-        "principalId": object_id
+    "Properties": {
+        "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}",
+        "PrincipalId": object_id
     }
 }
-resp = requests.put(url=role_assignments_url, headers=management_header, json=data)
+resp = requests.post(url=role_assignments_url, headers=management_header, json=data)
 resp.raise_for_status()
 
 

Utilities/AzureSetup/CSP/eco_azure_full_access.sh

@@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw
 SECRET_KEY=$(echo $SECRET_KEY | tr -d '"')
 
 # Create service principal
-az ad sp create --id $APP_ID
+PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')
 
 # Role assignments
 # assign reservation reader role
@@ -37,8 +37,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Administrator"
 # assign cost management reader role
 az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}"
 
-# assign billing reader role
-az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+# assign Billing Reader role using REST API
+ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002"
+API_VERSION="2019-10-01-preview"
+SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
+DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}'
+curl -X POST \
+  "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  -d "${DATA}"
 
 
 # Print registered app info

Utilities/AzureSetup/CSP/eco_azure_readonly.ps1

@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
 
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
@@ -31,9 +32,25 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Rea
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
 
-# assign billing reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Billing Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId "
-
+# assign billing reader role via REST API
+$ROLE_DEF_ID = "50000000-aaaa-bbbb-cccc-100000000002"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+    Properties = @{
+        RoleDefinitionId = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+        PrincipalId      = $principalId
+    }
+} | ConvertTo-Json
+$headers = @{
+    "Content-Type"  = "application/json"
+    "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Post `
+    -Uri "https://management.azure.com/$SCOPE/createBillingRoleAssignment?api-version=$API_VERSION" `
+    -Headers $headers `
+    -Body $DATA
 
 # Output app details
 Write-Host "App ID:" $app.AppId

Utilities/AzureSetup/CSP/eco_azure_readonly.py

@@ -1,5 +1,6 @@
 import requests
 from azure.identity import DefaultAzureCredential
+import uuid
 
 from Utilities.AzureSetup.CSP.eco_azure_full_access import BILLING_ACCOUNT_ID
 
@@ -41,7 +42,7 @@
 # assign reservation reader role
 role_definition_id = "582fc458-8989-419f-a480-75249bc5db7e"
 scope = "providers/Microsoft.Capacity"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -54,7 +55,7 @@
 # assign cost management reader role
 role_definition_id = "72fafb9e-0641-4937-9268-a91bfd8191a3"
 scope = f"providers/Microsoft.Management/managementGroups/{TENANT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{str(uuid.uuid4())}?api-version=2022-04-01"
 data = {
     "properties": {
         "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
@@ -67,14 +68,14 @@
 # assign billing reader role
 role_definition_id = "50000000-aaaa-bbbb-cccc-100000000002"
 scope = f"providers/Microsoft.Billing/billingAccounts/{BILLING_ACCOUNT_ID}"
-role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment/{role_definition_id}?api-version=2022-04-01"
+role_assignments_url = f"https://management.azure.com/{scope}/createBillingRoleAssignment?api-version=2019-10-01-preview"
 data = {
-    "properties": {
-        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}",
-        "principalId": object_id
+    "Properties": {
+        "RoleDefinitionId": f"{scope}/billingRoleDefinitions/{role_definition_id}",
+        "PrincipalId": object_id
     }
 }
-resp = requests.put(url=role_assignments_url, headers=management_header, json=data)
+resp = requests.post(url=role_assignments_url, headers=management_header, json=data)
 resp.raise_for_status()
 
 

Utilities/AzureSetup/CSP/eco_azure_readonly.sh

@@ -13,7 +13,7 @@ SECRET_KEY=$(az ad app credential reset --id $APP_ID --output json --query passw
 SECRET_KEY=$(echo $SECRET_KEY | tr -d '"')
 
 # Create service principal
-az ad sp create --id $APP_ID
+PRINCIPAL_ID=$(az ad sp create --id $APP_ID --output json --query id | tr -d '"')
 
 # Role assignments
 # assign reservation reader role
@@ -25,8 +25,17 @@ az role assignment create --assignee $APP_ID --role "Savings plan Reader" --scop
 # assign cost management reader role
 az role assignment create --assignee $APP_ID --role "Cost Management Reader" --scope "/providers/Microsoft.Management/managementGroups/${TENANT_ID}"
 
-# assign billing reader role
-az role assignment create --assignee $APP_ID --role "Billing Reader" --scope "/providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+# assign Billing Reader role using REST API
+ROLE_DEF_ID="50000000-aaaa-bbbb-cccc-100000000002"
+API_VERSION="2019-10-01-preview"
+SCOPE="providers/Microsoft.Billing/billingAccounts/${BILLING_ACCOUNT_ID}"
+ACCESS_TOKEN=$(az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv)
+DATA='{\"Properties\": {\"RoleDefinitionId\": \"/${SCOPE}/billingRoleDefinitions/${ROLE_DEF_ID}\", \"PrincipalId\": \"${PRINCIPAL_ID}\"}}'
+curl -X POST \
+  "https://management.azure.com/${SCOPE}/createBillingRoleAssignment?api-version=${API_VERSION}" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
+  -d "${DATA}"
 
 
 # Print registered app info

Utilities/AzureSetup/EA/eco_azure_full_access.ps1

@@ -8,8 +8,9 @@ Connect-AzAccount -TenantId $tenantId
 # Register the app
 $app = New-AzADApplication -DisplayName $appName
 
-# Create a service principal
-New-AzADServicePrincipal -ApplicationId $app.AppId
+# Create a service principal and get its ID
+$sp = New-AzADServicePrincipal -ApplicationId $app.AppId
+$principalId = $sp.Id
 
 # Delete all secret keys
 $secretKeys = Get-AzADAppCredential -ApplicationId $appId
@@ -43,8 +44,27 @@ New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Savings plan Adm
 # assign cost management reader role
 New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Cost Management Reader" -Scope "/providers/Microsoft.Management/managementGroups/$tenantId"
 
-# assign enrollment reader role
-New-AzRoleAssignment -ApplicationId $appId -RoleDefinitionName "Enrollment Reader" -Scope "/providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+# Generate a UUID for the role assignment ID
+$ROLE_ASSIGNMENT_ID = [guid]::NewGuid().ToString().ToLower()
+$ROLE_DEF_ID = "24f8edb6-1668-4659-b5e2-40bb5f3a7d7e"
+$API_VERSION = "2019-10-01-preview"
+$SCOPE = "providers/Microsoft.Billing/billingAccounts/$billingAccountId"
+$ACCESS_TOKEN = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
+$DATA = @{
+    properties = @{
+        roleDefinitionId    = "/$SCOPE/billingRoleDefinitions/$ROLE_DEF_ID"
+        principalTenantId   = $tenantId
+        principalId         = $principalId
+    }
+} | ConvertTo-Json
+$headers = @{
+    "Content-Type"  = "application/json"
+    "Authorization" = "Bearer $ACCESS_TOKEN"
+}
+Invoke-RestMethod -Method Put `
+    -Uri "https://management.azure.com/$SCOPE/billingRoleAssignments/$ROLE_ASSIGNMENT_ID?api-version=$API_VERSION" `
+    -Headers $headers `
+    -Body $DATA
 
 
 # Output app details