Merge pull request #5 from devopsabcs-engineering/main

Additional changes for workshop

Author: emmanuel-knafo

.github/workflows/deploy-aks-construction.yml

@@ -4,12 +4,32 @@ on:
   workflow_dispatch:
 
 permissions:
-  id-token: write
-  contents: read
+  id-token: write #This is required for requesting the JWT
+  contents: write # This is required to create/push the new git tag
 
 jobs:
+  create_resource_group_job:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Create Resource Group
+        id: create_rg
+        run: |
+          az group create --name ${{ env.RESOURCE_GROUP_NAME }} --location ${{ env.LOCATION }}
+        env:
+          RESOURCE_GROUP_NAME: rg-k8s-pygoat-dev-001
+          LOCATION: canadacentral
   reusable_workflow_job:
     uses: Azure/AKS-Construction/.github/workflows/AKSC_Deploy.yml@0.10.5
+    needs: create_resource_group_job
     with:
       templateVersion: 0.10.5
       rg: rg-k8s-pygoat-dev-001

.github/workflows/oss_pygoat-devsecops-basic.yml

@@ -4,6 +4,19 @@ on:
   #   branches:
   #     - main
   workflow_dispatch:
+    inputs:
+      DEFECTDOJO_URL:
+        description: 'DefectDojo URL'
+        required: true
+        default: 'https://defectdojo.cad4devops.com:8443/api/v2'
+      DEFECTDOJO_COMMONUSER:
+        description: 'DefectDojo Common User'
+        required: true
+        default: 'Student000'
+      DEFECTDOJO_COMMONPRODUCTNAME:
+        description: 'DefectDojo Common Product Name'
+        required: true
+        default: 'GitHub-OSS-pygoat-devsecops-workshop-002-product-000'
 
 permissions:
   # The permissions for azure federation
@@ -26,10 +39,10 @@ env:
   doImageScanWithDockerHubScout: false
   adjustDNS: false
   listArtifacts: true
-  DEFECTDOJO_URL: https://defectdojo-002.cad4devops.com:8443/api/v2
-  DEFECTDOJO_COMMONUSER: Student000
-  DEFECTDOJO_COMMONPRODUCTNAME: GitHub-OSS-pygoat-devsecops-workshop-001-product-000
-  DEFECTDOJO_TOKEN: ${{ secrets.DEFECTDOJO_TOKEN }}
+  DEFECTDOJO_URL: ${{ inputs.DEFECTDOJO_URL }} #https://defectdojo-002.cad4devops.com:8443/api/v2
+  DEFECTDOJO_COMMONUSER: ${{ inputs.DEFECTDOJO_COMMONUSER }} #Student000
+  DEFECTDOJO_COMMONPRODUCTNAME: ${{ inputs.DEFECTDOJO_COMMONPRODUCTNAME }} #GitHub-OSS-pygoat-devsecops-workshop-001-product-000
+  DEFECTDOJO_TOKEN: ${{ secrets.DEFECTDOJO_TOKEN }} # 8116113b49d62b5affe822be7cf260778c5f62b1
   appUrl: http://gh-pygoat-test.cad4devops.com
   containerName: owaspzapproxy
   doActiveScan: false

.gitignore

@@ -10,3 +10,4 @@ bin
 pygoatvenv/
 /.vs
 wrkshp-001-student-*
+__azurite_db_table__.json

New-Deployment.ps1

@@ -0,0 +1,28 @@
+param (
+    [Parameter()]
+    [string]$nameSuffix = "ek005",
+    [Parameter()]
+    [string]$deploymentName = "deploy-rg-fnapp-$nameSuffix",
+    [Parameter()]
+    [string]$location = "canadacentral",
+    [Parameter()]
+    [string]$templateFile = "infra/main.bicep",    
+    [Parameter()]
+    [string]$resourceGroupName = "rg-fnapp-$nameSuffix"
+)
+
+# echo parameters
+Write-Host "deploymentName: $deploymentName"
+Write-Host "location: $location"
+Write-Host "templateFile: $templateFile"
+Write-Host "nameSuffix: $nameSuffix"
+Write-Host "resourceGroupName: $resourceGroupName"
+
+# create resource group
+az group create --name $resourceGroupName `
+    --location $location
+
+az deployment group create --name $deploymentName `
+    --resource-group $resourceGroupName `
+    --template-file $templateFile `
+    --parameters nameSuffix="$nameSuffix"

New-GitHubFederatedIdentity.ps1

@@ -0,0 +1,112 @@
+param (    
+    [Parameter()]
+    [string]
+    $githubRepo = "devopsabcs-engineering/devsecops-workshop", #"<your-github-username>/<your-repo-name>"
+    [Parameter()]
+    [string]
+    $subscriptionName = "IT Test", #"<your-subscription-id>"
+    [Parameter()]
+    [string]
+    $tenantName = "devopsabcs.com" #"<your-tenant-id>"
+)
+
+# get the display name from the repo name replacing the forward slash with a double underscore
+$displayName = "GH__" + $githubRepo -replace "/", "__"
+
+Write-Output "Creating federated identity for $displayName in $githubRepo"
+
+$subscriptionsWithTenants = az account list --query "[].{SubscriptionName:name, TenantId:tenantId}" -o json | ConvertFrom-Json
+$subscription = $subscriptionsWithTenants | Where-Object { $_.SubscriptionName -eq $subscriptionName }
+$tenantId = $subscription.TenantId
+
+# get tenant id from tenant name
+Write-Output "Tenant ID: $tenantId"
+
+# Login to Azure
+#az login --service-principal -u "<your-service-principal-id>" -p "<your-service-principal-secret>" --tenant $tenantId
+az login --tenant $tenantId
+
+# set the default subscription
+az account set --subscription $subscriptionName
+
+# get subscription id from subscription name
+$subscriptionId = az account show --query id -o tsv
+Write-Output "Subscription ID: $subscriptionId"
+
+# echo parameters
+Write-Output "displayName: $displayName"
+Write-Output "githubRepo: $githubRepo"
+Write-Output "subscriptionName: $subscriptionName"
+Write-Output "subscriptionId: $subscriptionId"
+Write-Output "tenantName: $tenantName"
+Write-Output "tenantId: $tenantId"
+Write-Output "clientId: $clientId"
+
+
+# create azure credentials for the pipeline in github actions
+
+# Create the federated service principal
+$sp = az ad sp create-for-rbac --name $displayName --role Contributor `
+    --scopes /subscriptions/$subscriptionId `
+    --query "{clientId: appId, clientSecret: password}" -o json | ConvertFrom-Json
+$clientId = $sp.clientId
+
+# get object id from app registration
+$objectId = az ad app show --id $clientId --query id -o tsv
+Write-Output "Service principal object ID: $objectId"
+
+
+Write-Output "Service principal created."
+Write-Output "Client ID: $clientId"
+
+# read credentials.json from file
+#$credentialRaw = Get-Content -Path "credential.json" -Raw
+$credentialRaw = 
+@'
+{
+    "name": "__CREDENTIAL_NAME__",
+    "issuer": "https://token.actions.githubusercontent.com",
+    "subject": "__SUBJECT__",
+    "audiences": [
+        "api://AzureADTokenExchange"
+    ]
+}
+'@
+
+# find and replace the placeholders with the actual values
+$credential = $credentialRaw -replace "__CREDENTIAL_NAME__", $displayName -replace "__SUBJECT__", "repo:${githubRepo}:ref:refs/heads/main"
+
+$appRegistrationJson = az ad app list --display-name "$displayName" -o json
+Write-Output "App Registration: $appRegistrationJson"
+$appRegistration = $appRegistrationJson | ConvertFrom-Json
+Write-Output "App Registration: $appRegistration"
+
+
+
+#$appId = "<Your-App-Id>"
+$credential = $credential | ConvertFrom-Json
+Write-Output "Credential: $credential"
+az ad app show --id $objectId
+$command = "New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Name $($credential.name) -Issuer $($credential.issuer) -Subject $($credential.subject) -Audience $($credential.audiences)"
+
+Write-Output "Command: $command"
+
+gh auth login
+
+# Push secrets to GitHub
+$secrets = @{
+    AZURE_CLIENT_ID       = $clientId
+    AZURE_TENANT_ID       = $tenantId
+    AZURE_SUBSCRIPTION_ID = $subscriptionId
+}
+
+# use gh cli to push secrets to github
+foreach ($secret in $secrets.GetEnumerator()) {
+    $value = $secret.Value
+    $name = $secret.Key
+    Write-Output "Setting secret $name"
+    Write-Output "gh secret set $name -b $value -R $githubRepo"
+    gh secret set $name -b $value -R $githubRepo
+}
+
+Write-Output "Federated service principal created and secrets pushed to GitHub."

Validate-Deployment.ps1

@@ -0,0 +1,45 @@
+param (
+    [Parameter()]
+    [string]$nameSuffix = "ek002",
+    [Parameter()]
+    [string]$deploymentName = "deploy-rg-fnapp-$nameSuffix",
+    [Parameter()]
+    [string]$resourceGroupName = "rg-fnapp-$nameSuffix"
+)
+
+# echo parameters
+Write-Host "deploymentName: $deploymentName"
+Write-Host "nameSuffix: $nameSuffix"
+Write-Host "resourceGroupName: $resourceGroupName"
+
+#az account show                      
+# get functionAppName
+$functionAppName = az deployment group show --resource-group $resourceGroupName `
+    --name $deploymentName `
+    --query properties.outputs.azureFunctionName.value `
+    -o tsv
+Write-Host "functionAppName: $functionAppName"
+
+# get testUrl with function key
+$functionKey = az functionapp keys list --name $functionAppName `
+    --resource-group $resourceGroupName `
+    --query functionKeys.default `
+    -o tsv
+
+Write-Host "functionKey: $functionKey"
+
+$addNameParameter = $true
+
+if ($addNameParameter) {
+    Write-Host "Adding name parameter to testUrl"
+    $testUrl = "https://$functionAppName.azurewebsites.net/api/HttpExample?name=AzureDevOpsSmokeTest&code=$functionKey"
+}
+else {
+    $testUrl = "https://$functionAppName.azurewebsites.net/api/HttpExample?code=$functionKey"
+}
+
+Write-Host "testUrl: $testUrl"
+
+# test function
+$testResult = Invoke-RestMethod -Uri $testUrl
+Write-Host "testResult: $testResult"

infra/defect-dojo/deployDefectDojo.ps1

@@ -0,0 +1,135 @@
+param (
+    [Parameter()]
+    [string]$nameSuffix = "ek005",
+    [Parameter()]
+    [string]$deploymentName = "deploy-rg-defectdojo-$nameSuffix",
+    [Parameter()]
+    [string]$location = "canadacentral",
+    [Parameter()]
+    [string]$templateFile = "main.bicep",    
+    [Parameter()]
+    [string]$resourceGroupName = "rg-defectdojo-$nameSuffix",
+    [Parameter()]
+    [string]$subscriptionId = "IT Test",
+    [Parameter()]
+    [string]$sshKeyPath = "$HOME\.ssh\vm-defectdojo-${nameSuffix}-id_rsa",
+    [Parameter()]
+    [string] $username = "ddadmin",
+    [Parameter()]
+    [string] $password = "booWgDmaYdgNxO5eNWql",
+    [Parameter()]
+    [string] $adminUsername = "azureuser"
+)
+
+# function to generate random password
+function New-Password {
+    param (
+        [int]$length = 32
+    )
+
+    $chars = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=[]{}|;:,.<>?')
+    $password = -join ($chars | Get-Random -Count $length)
+    return $password
+}
+
+# install az cli if not already installed
+if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
+    Write-Output "Installing az cli"
+    Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://aka.ms/installazurecliwindows')
+}
+else {
+    Write-Output "az cli already installed"    
+}
+
+# login
+Write-Output "Logging in to Azure"
+az login
+
+# set subscription
+Write-Output "Setting subscription to $subscriptionId"
+az account set --subscription "$subscriptionId"
+
+# echo parameters
+Write-Output "nameSuffix: $nameSuffix"
+Write-Output "deploymentName: $deploymentName"
+Write-Output "location: $location"
+Write-Output "templateFile: $templateFile"
+Write-Output "resourceGroupName: $resourceGroupName"
+
+# deploy
+# create resource group
+Write-Output "Creating resource group $resourceGroupName in location $location"
+az group create --name $resourceGroupName `
+    --location $location
+
+# generate ssh key pair
+Write-Output "Generating ssh key pair at $sshKeyPath"
+if (-not (Test-Path $sshKeyPath)) {
+    ssh-keygen -t rsa -b 2048 -f $sshKeyPath -q -N ""
+}
+else {
+    Write-Output "ssh key pair already exists"
+}
+
+# echo ssh public key
+Write-Output "Public key:"
+$sshPublicKey = Get-Content "$sshKeyPath.pub"
+Write-Output $sshPublicKey
+
+# # generate random password for postgresql
+# $password = New-Password -length 32
+# Write-Output "Generated password for PostgreSQL: $password"
+
+# deploy bicep
+Write-Output "Deploying bicep template $templateFile to resource group $resourceGroupName"
+az deployment group create `
+    --name $deploymentName `
+    --resource-group $resourceGroupName `
+    --template-file main.bicep `
+    --parameters sshPublicKey="`"$sshPublicKey`"" `
+    --parameters administratorLoginPassword="`"$password`"" `
+    --parameters nameSuffix="`"$nameSuffix`"" `
+    --parameters adminUsername="`"$adminUsername`"" `
+    --parameters administratorLogin="`"$username`"" `
+
+# output vm public ip address from deployment output
+$fqdn = (az deployment group show `
+        --name $deploymentName `
+        --resource-group $resourceGroupName `
+        --query "properties.outputs.fqdn.value" `
+        --output tsv)
+
+Write-Output "DefectDojo is deployed at $fqdn"
+
+# output postgresql fqdn from deployment output
+$fullyQualifiedDomainName = (az deployment group show `
+        --name $deploymentName `
+        --resource-group $resourceGroupName `
+        --query "properties.outputs.fullyQualifiedDomainName.value" `
+        --output tsv)
+
+Write-Output "PostgreSQL is deployed at $fullyQualifiedDomainName"
+
+# output admin username from deployment output
+$adminUsername = (az deployment group show `
+        --name $deploymentName `
+        --resource-group $resourceGroupName `
+        --query "properties.outputs.adminUsername.value" `
+        --output tsv)
+
+Write-Output "Admin username is $adminUsername"
+
+# get psql password from deployment output
+$administratorLogin = (az deployment group show `
+        --name $deploymentName `
+        --resource-group $resourceGroupName `
+        --query "properties.outputs.administratorLogin.value" `
+        --output tsv)
+
+# give ssh instructions
+Write-Output "To ssh into the VM, run the following command:"
+Write-Output "ssh -i $sshKeyPath $adminUsername@$fqdn"
+
+# give psql instructions
+Write-Output "To connect to PostgreSQL, run the following command:"
+Write-Output "psql -h $fullyQualifiedDomainName -U $administratorLogin -P $password"