Include all Azure config in the INI file.

Adds all the new config items to the INI file and adjusts some naming
conventions so that these values sort together. Also adds defaults for
some values where they're known.
This commit is contained in:
dandds 2020-02-04 16:12:45 -05:00
parent ece4b20bcf
commit b754f1384f
4 changed files with 28 additions and 12 deletions


@ -3,7 +3,7 @@
"files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
"lines": null
},
"generated_at": "2020-01-27T19:24:43Z",
"generated_at": "2020-02-04T21:00:49Z",
"plugins_used": [
{
"base64_limit": 4.5,
@ -82,7 +82,7 @@
"hashed_secret": "afc848c316af1a89d49826c5ae9d00ed769415f3",
"is_secret": false,
"is_verified": false,
"line_number": 32,
"line_number": 43,
"type": "Secret Keyword"
}
],


@ -97,10 +97,14 @@ class AzureCloudProvider(CloudProviderInterface):
self.secret_key = config["AZURE_SECRET_KEY"]
self.tenant_id = config["AZURE_TENANT_ID"]
self.vault_url = config["AZURE_VAULT_URL"]
self.ps_client_id = config["POWERSHELL_CLIENT_ID"]
self.owner_role_def_id = config["AZURE_OWNER_ROLE_DEF_ID"]
self.ps_client_id = config["AZURE_POWERSHELL_CLIENT_ID"]
self.graph_resource = config["AZURE_GRAPH_RESOURCE"]
self.default_aadp_qty = config["AZURE_AADP_QTY"]
self.roles = {
"owner": config["AZURE_ROLE_DEF_ID_OWNER"],
"contributor": config["AZURE_ROLE_DEF_ID_CONTRIBUTOR"],
"billing": config["AZURE_ROLE_DEF_ID_BILLING_READER"],
}
if azure_sdk_provider is None:
self.sdk = AzureSDKProvider()
@ -602,7 +606,7 @@ class AzureCloudProvider(CloudProviderInterface):
def create_tenant_admin_ownership(self, payload: TenantAdminOwnershipCSPPayload):
mgmt_token = self._get_elevated_management_token(payload.tenant_id)
role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
request_body = {
"properties": {
@ -630,7 +634,7 @@ class AzureCloudProvider(CloudProviderInterface):
mgmt_token = self._get_elevated_management_token(payload.tenant_id)
# NOTE: the tenant_id is also the id of the root management group, once it is created
role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.owner_role_def_id}"
role_definition_id = f"/providers/Microsoft.Management/managementGroups/{payload.tenant_id}/providers/Microsoft.Authorization/roleDefinitions/{self.roles['owner']}"
request_body = {
"properties": {
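Review bot: The role definition ids collected into `self.roles` in `__init__` are interpolated unchecked into the ARM resource path at both `role_definition_id` lines, so an empty or malformed `AZURE_ROLE_DEF_ID_OWNER` (the INI ships a default, but the value can still be overridden per deployment) yields a malformed role id instead of failing at startup — and the assignment being built here is Owner at the tenant's root management group, the highest-impact grant in the tenant. Consider normalising each id when the dict is built, e.g. `"owner": str(uuid.UUID(config["AZURE_ROLE_DEF_ID_OWNER"])),` and likewise for the other two (importing `uuid` if the module does not already), so a bad value is rejected in `__init__`; note the mock config in this commit uses `"MOCK"` for these keys and would then need GUID-shaped values. `__init__` starts before the first hunk, and both `create_tenant_admin_ownership` and the method at the `-630` hunk continue past the end of their hunks.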


@ -1,9 +1,19 @@
[default]
ASSETS_URL
AZURE_AADP_QTY=5
AZURE_ACCOUNT_NAME
AZURE_STORAGE_KEY
AZURE_TO_BUCKET_NAME
AZURE_CLIENT_ID
AZURE_GRAPH_RESOURCE="https://graph.microsoft.com/"
AZURE_POLICY_LOCATION=policies
AZURE_POWERSHELL_CLIENT_ID
AZURE_ROLE_DEF_ID_BILLING_READER="fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64"
AZURE_ROLE_DEF_ID_CONTRIBUTOR="b24988ac-6180-42a0-ab88-20f7382dd24c"
AZURE_ROLE_DEF_ID_OWNER="8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
AZURE_SECRET_KEY
AZURE_STORAGE_KEY
AZURE_TENANT_ID
AZURE_TO_BUCKET_NAME
AZURE_VAULT_URL
BLOB_STORAGE_URL=http://localhost:8000/
CAC_URL = http://localhost:8000/login-redirect
CA_CHAIN = ssl/server-certs/ca-chain.pem
@ -42,10 +52,10 @@ REDIS_TLS=False
REDIS_USER
SECRET_KEY = change_me_into_something_secret
SERVER_NAME
SESSION_COOKIE_NAME=atat
SESSION_COOKIE_DOMAIN
SESSION_KEY_PREFIX=session:
SESSION_COOKIE_NAME=atat
SESSION_COOKIE_SECURE=false
SESSION_KEY_PREFIX=session:
SESSION_TYPE = redis
SESSION_USE_SIGNER = True
SQLALCHEMY_ECHO = False
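Review bot: The new `AZURE_GRAPH_RESOURCE` and the three `AZURE_ROLE_DEF_ID_*` defaults are the only entries in this file wrapped in double quotes; if the INI is read with Python's `configparser` (which keeps quote characters as part of the value) the provider receives `"8e3af657-…"` quotes included, and the ARM role-definition path it builds from `self.roles['owner']` is wrong, while neighbouring entries such as `BLOB_STORAGE_URL=http://localhost:8000/` are unquoted. Unless the loader is known to strip quotes, write them as `AZURE_GRAPH_RESOURCE=https://graph.microsoft.com/` and `AZURE_ROLE_DEF_ID_OWNER=8e3af657-a8ff-443c-a75c-2fe8c4bcb635` (same for the other two). The GUIDs, which appear to be the well-known Azure built-in role ids, also deserve a line above them such as `# Azure built-in role definition ids (Owner, Contributor, Billing Reader); overriding these changes which rights the app grants at the root management group`.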


@ -9,8 +9,10 @@ AZURE_CONFIG = {
"AZURE_TENANT_ID": "MOCK",
"AZURE_POLICY_LOCATION": "policies",
"AZURE_VAULT_URL": "http://vault",
"POWERSHELL_CLIENT_ID": "MOCK",
"AZURE_OWNER_ROLE_DEF_ID": "MOCK",
"AZURE_POWERSHELL_CLIENT_ID": "MOCK",
"AZURE_ROLE_DEF_ID_OWNER": "MOCK",
"AZURE_ROLE_DEF_ID_CONTRIBUTOR": "MOCK",
"AZURE_ROLE_DEF_ID_BILLING_READER": "MOCK",
"AZURE_GRAPH_RESOURCE": "MOCK",
"AZURE_AADP_QTY": 5,
}
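Review bot: `"AZURE_AADP_QTY": 5` in the mock is an int, whereas the INI entry `AZURE_AADP_QTY=5` will, with a typical INI loader, hand the provider the string `"5"`, so `self.default_aadp_qty` has a different type under test than in deployment and any arithmetic or request field built from it is only ever exercised with the int. Either make the mock match with `"AZURE_AADP_QTY": "5"`, or cast in the provider with `int(config["AZURE_AADP_QTY"])` so both paths agree. The `AZURE_CONFIG` dict begins before the hunk.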