Update Entra App Reg create script; add template files
deltadan committed Jul 26, 2024
1 parent 0f43840 commit 692309d
Showing 12 changed files with 324 additions and 352 deletions.
138 changes: 83 additions & 55 deletions deploy/common/scripts/Create-FllmEntraIdApps.ps1
@@ -1,30 +1,29 @@
#! /usr/bin/pwsh

Param(
[parameter(Mandatory = $false)][string]$authAppName="FoundationaLLM-Authorization-API",
[parameter(Mandatory = $false)][string]$coreAppName="FoundationaLLM-Core-API",
[parameter(Mandatory = $false)][string]$coreClientAppName="FoundationaLLM-Core-Portal",
[parameter(Mandatory = $false)][string]$mgmtAppName="FoundationaLLM-Management-API",
[parameter(Mandatory = $false)][string]$mgmtClientAppName="FoundationaLLM-Management-Portal"
)

Set-StrictMode -Version 3.0
$ErrorActionPreference = "Stop"

<#
.SYNOPSIS
Generates a set of FLLM EntraID API apps and their respective client apps in the Azure AD tenant.
Generates a set of FLLM EntraID App Registrations and their respective client apps in the Entra ID tenant.
See the following link for more information: https://docs.foundationallm.ai/deployment/authentication-authorization/index.html
**These app names are mandatory, you can't change the names or the scopes.**
.DESCRIPTION
The script will create the following apps:
- FoundationaLLM
- FoundationaLLM-Client
- FoundationaLLM-Management
- FoundationaLLM-ManagementClient
- FoundationaLLM-Authorization
-
- FoundationaLLM-Authorization-API
- FoundationaLLM-Core-API
- FoundationaLLM-Core-Portal
- FoundationaLLM-Management-API
- FoundationaLLM-Management-Portal
The script will also assign the required permissions to the client apps and the required API permissions to the API apps.
URLs for the client apps are optional and can be set using the appUrl and appUrlLocal parameters.
.REQUIREMENTS
- The user must be a Global Administrator in the Entra ID tenant or have RBAC rights to create App Registrations and Service Principals.
- The Azure CLI must be installed and authenticated to the Entra ID tenant.
- Scaffolding JSON files must be present in the same directory as the script.
- foundationallm-authorization-api.template.json
- foundationallm-core-api.template.json
- foundationallm-core-portal.template.json
- foundationallm-management-api.template.json
- foundationallm-management-portal.template.json
.PARAMETER appPermissionsId
The GUID of the permission to assign to the client app.
Expand All @@ -36,24 +35,53 @@ The URL of the client app.
The local URL of the client app.
.PARAMETER createClientApp
Whether to create the client app or not. Default is true. False will only create the API app.
If set to $true, the script will create a client app. If set to $false, the script will not create a client app.
.PARAMETER fllmApi
The name of the API app.
.PARAMETER fllmApiConfigPath
The path to the API app configuration file.
.PARAMETER fllmApiUri
The URI of the API app.
.PARAMETER fllmClient
The name of the client app.
.PARAMETER fllmClientConfigPath
The path to the client app configuration file.
.EXAMPLE
The following example creates the FoundationaLLM API and client apps.
# Create FoundationaLLM Core App Registrations
$params = @{
fllmApi = "FoundationaLLM"
fllmClient = "FoundationaLLM-Client"
fllmApiConfigPath = "foundationalllm.json"
fllmClientConfigPath = "foundationalllm-client.json"
appPermissionsId = "6da07102-bb6a-421d-a71e-dfdb6031d3d8"
appUrl = ""
appUrlLocal = "http://localhost:3000/signin-oidc"
fllmApi = $coreAppName
fllmApiConfigPath = "foundationallm-core-api.json"
fllmApiUri = "api://FoundationaLLM-Core"
fllmClient = $coreClientAppName
fllmClientConfigPath = "foundationallm-core-portal.json"
}
New-FllmEntraIdApps @params
$($fllmAppRegs).Core = New-FllmEntraIdApps @params
#>

Param(
[parameter(Mandatory = $false)][string]$authAppName="FoundationaLLM-Authorization-API",
[parameter(Mandatory = $false)][string]$coreAppName="FoundationaLLM-Core-API",
[parameter(Mandatory = $false)][string]$coreClientAppName="FoundationaLLM-Core-Portal",
[parameter(Mandatory = $false)][string]$mgmtAppName="FoundationaLLM-Management-API",
[parameter(Mandatory = $false)][string]$mgmtClientAppName="FoundationaLLM-Management-Portal"
)

Set-StrictMode -Version 3.0
$ErrorActionPreference = "Stop"

function New-FllmEntraIdApps {
param (
[Parameter(Mandatory = $true)][string]$appPermissionsId,
Expand All @@ -69,32 +97,32 @@ function New-FllmEntraIdApps {

$fllmAppRegMetaData = @{}
try {
# Create the FLLM APIApp Registration
# Create the FLLM API App Registration
$($fllmAppRegMetaData).Api = @{
Name = $fllmApi
Uri = $fllmApiUri
}
Write-Host "Creating EntraID Application Registration named $($fllmAppRegMetaData.Api.Name)"
Write-Host -ForegroundColor Yellow "Creating EntraID Application Registration named $($fllmAppRegMetaData.Api.Name)"
$($fllmAppRegMetaData.Api).AppId = $(az ad app create --display-name $($fllmAppRegMetaData.Api.Name) --query appId --output tsv)
$($fllmAppRegMetaData.Api).ObjectId = $(az ad app show --id $($fllmAppRegMetaData.Api.AppId) --query id --output tsv)
az ad sp create --id $($fllmAppRegMetaData.Api.AppId)

# Create the FLLM ClientApp Registration
if ($createClientApp) {
$($fllmAppRegMetaData).Client = @{ Name = $fllmClient }
Write-Host "Creating EntraID Application Registration named $($fllmAppRegMetaData.Client.Name)"
Write-Host -ForegroundColor Yellow "Creating EntraID Application Registration named $($fllmAppRegMetaData.Client.Name)"
$($fllmAppRegMetaData.Client).AppId = $(az ad app create --display-name $($fllmAppRegMetaData.Client.Name) --query appId --output tsv)
$($fllmAppRegMetaData.Client).ObjectId = $(az ad app show --id $($fllmAppRegMetaData.Client.AppId) --query id --output tsv)
az ad sp create --id $($fllmAppRegMetaData.Client.AppId)
}

# Update the APIApp Registration
Write-Host "Lays down scaffolding for the API App Registration $($fllmAppRegMetaData.Api.Name)"
# Update the API App Registration
Write-Host -ForegroundColor Yellow "Laying down scaffolding for the API App Registration $($fllmAppRegMetaData.Api.Name)"
az rest --method PATCH --url "https://graph.microsoft.com/v1.0/applications/$($fllmAppRegMetaData.Api.ObjectId)" --header "Content-Type=application/json" --body "@$fllmApiConfigPath"
Write-host "Sleeping for 10 seconds to allow the API App Registration to be created before updating it."
Write-host -ForegroundColor Yellow "Sleeping for 10 seconds to allow the API App Registration to be created before updating it..."
Start-Sleep -Seconds 10
## Updates the API App Registration
Write-Host "Preparing updates for the API App Registration $($fllmAppRegMetaData.Api.Name)"
Write-Host -ForegroundColor Yellow "Preparing updates for the API App Registration $($fllmAppRegMetaData.Api.Name)"
$appConfig = Get-content $fllmApiConfigPath | ConvertFrom-Json -Depth 20
if ($createClientApp) {
$preAuthorizedApp = @(
Expand All @@ -111,25 +139,25 @@ function New-FllmEntraIdApps {
}
$appConfig.identifierUris = @($($fllmAppRegMetaData.Api.Uri))
$appConfigUpdate = $appConfig | ConvertTo-Json -Depth 20
Write-Host "Final Update to API App Registration $($fllmAppRegMetaData.Api.Name)"
Write-Host -ForegroundColor Yellow "Final Update to API App Registration $($fllmAppRegMetaData.Api.Name)"
Set-Content -Path "$($fllmAppRegMetaData.Api.Name)`.json" $appConfigUpdate
az rest --method PATCH --url "https://graph.microsoft.com/v1.0/applications/$($fllmAppRegMetaData.Api.ObjectId)" --header "Content-Type=application/json" --body "@$($fllmAppRegMetaData.Api.Name)`.json"

# Update the ClientApp Registration
# Update the Client App Registration
if ($createClientApp) {
Write-Host "Lay down scaffolding for the ClientApp Registration $($fllmAppRegMetaData.Client.Name)"
Write-Host -ForegroundColor Yellow "Lay down scaffolding for the Client App Registration $($fllmAppRegMetaData.Client.Name)"
az rest --method PATCH --url "https://graph.microsoft.com/v1.0/applications/$($fllmAppRegMetaData.Client.ObjectId)" --header "Content-Type=application/json" --body "@$fllmClientConfigPath"
Start-Sleep -Seconds 10
Write-host "Sleeping for 10 seconds to allow the API App Registration to be created before updating it."
## Updates the ClientApp Registration
Write-Host "Preparing updates for the API App Registration $($fllmAppRegMetaData.Client.Name)"
Write-host -ForegroundColor Yellow "Sleeping for 10 seconds to allow the API App Registration to be created before updating it..."
## Updates the Client App Registration
Write-Host -ForegroundColor Yellow "Preparing updates for the Client App Registration $($fllmAppRegMetaData.Client.Name)"
$($fllmAppRegMetaData.Client).Uri = @("api://$($fllmAppRegMetaData.Client.Name)")
$apiPermissions = @(@{"resourceAppId" = $($fllmAppRegMetaData.Client.AppId); "resourceAccess" = @(@{"id" = "$($appPermissionsId)"; "type" = "Scope" }) }, @{"resourceAppId" = "00000003-0000-0000-c000-000000000000"; "resourceAccess" = @(@{"id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "type" = "Scope" }) })
$appConfig = Get-content $fllmClientConfigPath | ConvertFrom-Json -Depth 20
$appConfig.identifierUris = @($($fllmAppRegMetaData.Client.Uri))
$appConfig.requiredResourceAccess = $apiPermissions
$appConfigUpdate = $appConfig | ConvertTo-Json -Depth 20
Write-Host "Final Update to ClientApp Registration $($fllmAppRegMetaData.Client.Name)"
Write-Host -ForegroundColor Yellow "Final Update to Client App Registration $($fllmAppRegMetaData.Client.Name)"
Set-Content -Path "$($fllmAppRegMetaData.Client.Name)`.json" $appConfigUpdate
az rest --method PATCH --url "https://graph.microsoft.com/v1.0/applications/$($fllmAppRegMetaData.Client.ObjectId)" --header "Content-Type=application/json" --body "@$($fllmAppRegMetaData.Client.Name)`.json"
}
Expand All @@ -144,38 +172,38 @@ function New-FllmEntraIdApps {
$fllmAppRegs = @{}
# Create FoundationaLLM Core App Registrations
$params = @{
fllmApi = $coreAppName
fllmClient = $coreClientAppName
fllmApiConfigPath = "foundationalllm.json"
fllmApiUri = "api://FoundationaLLM-Core"
fllmClientConfigPath = "foundationalllm-client.json"
appPermissionsId = "6da07102-bb6a-421d-a71e-dfdb6031d3d8"
appUrl = ""
appUrlLocal = "http://localhost:3000/signin-oidc"
fllmApi = $coreAppName
fllmApiConfigPath = "foundationallm-core-api.template.json"
fllmApiUri = "api://FoundationaLLM-Core"
fllmClient = $coreClientAppName
fllmClientConfigPath = "foundationallm-core-portal.template.json"
}
$($fllmAppRegs).Core = New-FllmEntraIdApps @params

# Create FoundationaLLM Management App Registrations
$params = @{
fllmApi = $mgmtAppName
fllmClient = $mgmtClientAppName
fllmApiConfigPath = "foundationalllm-management.json"
fllmApiUri = "api://FoundationaLLM-Management"
fllmClientConfigPath = "foundationalllm-managementclient.json"
appPermissionsId = "c57f4633-0e58-455a-8ede-5de815fe6c9c"
appUrl = ""
appUrlLocal = "http://localhost:3001/signin-oidc"
fllmApi = $mgmtAppName
fllmApiConfigPath = "foundationallm-management-api.template.json"
fllmApiUri = "api://FoundationaLLM-Management"
fllmClient = $mgmtClientAppName
fllmClientConfigPath = "foundationallm-management-portal.template.json"
}
$($fllmAppRegs).Management = New-FllmEntraIdApps @params

# Create FoundationaLLM Authorization App Registration
$params = @{
fllmApi = $authAppName
fllmApiConfigPath = "foundationalllm-authorization.json"
fllmApiUri = "api://FoundationaLLM-Authorization"
appPermissionsId = "9e313dd4-51e4-4989-84d0-c713e38e467d"
createClientApp = $false
fllmApi = $authAppName
fllmApiConfigPath = "foundationallm-authorization-api.template.json"
fllmApiUri = "api://FoundationaLLM-Authorization"
}
$($fllmAppRegs).Authorization = New-FllmEntraIdApps @params
$($fllmAppRegs).Authorization = New-FllmEntraIdApps @params

Write-Host $($fllmAppRegs | ConvertTo-Json)
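Review bot: The new `.REQUIREMENTS` text says the scaffolding templates must sit next to the script, but the template paths passed in `$params` (`foundationallm-core-api.template.json` and the other four) are bare relative names, so `Get-Content` and `az rest --body "@..."` resolve them against the caller's working directory rather than the script's; run from any other directory the script fails only after `az ad app create` / `az ad sp create` have already run, leaving half-configured app registrations behind, and a same-named file planted in the cwd would be PATCHed into the registration unnoticed. Resolve the paths with `Join-Path $PSScriptRoot ...` and fail fast on missing templates before anything is created, as sketched below. The comment-based help example also still quotes `foundationallm-core-api.json` / `foundationallm-core-portal.json` while the script actually uses the `.template.json` names, and it references `$fllmAppRegs` before that variable is introduced; both should match the real call site. The `try` in `New-FllmEntraIdApps` has its `catch` outside the visible hunks, so whether any cleanup of orphaned registrations happens on failure cannot be judged from here.
```powershell
# … unchanged: comment-based help, Param block, Set-StrictMode …
$templateNames = @(
    "foundationallm-authorization-api.template.json",
    "foundationallm-core-api.template.json",
    "foundationallm-core-portal.template.json",
    "foundationallm-management-api.template.json",
    "foundationallm-management-portal.template.json"
)
$missing = $templateNames | ForEach-Object { Join-Path $PSScriptRoot $_ } |
    Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) }
if ($missing) { throw "Missing scaffolding template(s): $($missing -join ', ')" }
# … unchanged: New-FllmEntraIdApps definition …
$params = @{
    # … unchanged: appPermissionsId, appUrl, appUrlLocal, fllmApi, fllmApiUri, fllmClient …
    fllmApiConfigPath    = Join-Path $PSScriptRoot "foundationallm-core-api.template.json"
    fllmClientConfigPath = Join-Path $PSScriptRoot "foundationallm-core-portal.template.json"
}
```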
56 changes: 0 additions & 56 deletions deploy/common/scripts/foundationalllm-authorization.json

This file was deleted.

40 changes: 0 additions & 40 deletions deploy/common/scripts/foundationalllm-client.json

This file was deleted.

56 changes: 0 additions & 56 deletions deploy/common/scripts/foundationalllm-management.json

This file was deleted.

