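#!/usr/bin/env pwsh
<#
.SYNOPSIS
List Azure DevOps Service Connections
.DESCRIPTION
Use the Azure CLI to find Azure DevOps Service Connections by organization & project.
The result can be narrowed to the service principals given by -AppId, or to a single
service connection given by -ServiceConnectionName.
.PARAMETER AppId
One or more application (client) ids. Only service connections whose service principal
id is in this list are shown; every id without a match is reported as a warning.
.PARAMETER ServiceConnectionName
Name of a single service connection to show (exact, case-insensitive match).
.PARAMETER Project
Azure DevOps project name. Defaults to SYSTEM_TEAMPROJECT (set inside pipeline jobs).
.PARAMETER OrganizationUrl
Url of the Azure DevOps organization. Defaults to AZDO_ORG_SERVICE_URL, then SYSTEM_COLLECTIONURI.
.PARAMETER Format
'List' (default) prints every property of each endpoint, 'Table' prints a compact summary.
.NOTES
Requires the Azure CLI. The access token obtained for Azure DevOps is handed to
'az devops login' on stdin, so it never appears in process arguments.
With -Debug the raw API response is written to the debug stream; confirm it holds no
secret material for your endpoint types before enabling that in shared logs.
#>
#Requires -Version 7.2
[CmdletBinding(DefaultParameterSetName = 'name')]
param (
  [parameter(Mandatory=$false,ParameterSetName="app")]
  [guid[]]
  $AppId,
  [parameter(Mandatory=$false,ParameterSetName="name",HelpMessage="Name of the Service Connection")]
  [string]
  $ServiceConnectionName,
  [parameter(Mandatory=$false,HelpMessage="Name of the Azure DevOps Project")]
  [string]
  [ValidateNotNullOrEmpty()]
  $Project=$env:SYSTEM_TEAMPROJECT,
  [parameter(Mandatory=$false,HelpMessage="Url of the Azure DevOps Organization")]
  [uri]
  [ValidateNotNullOrEmpty()]
  $OrganizationUrl=($env:AZDO_ORG_SERVICE_URL ?? $env:SYSTEM_COLLECTIONURI),
  [parameter(Mandatory=$false)]
  [ValidateSet('List', 'Table')]
  [string]
  $Format='List'
)
Write-Verbose $MyInvocation.line
. (Join-Path $PSScriptRoot .. functions.ps1)

# REST API version, and the resource id used both to request an Azure DevOps access
# token and for 'az rest' (previously repeated as a literal in two places).
$apiVersion = "7.1"
$azdoResourceId = "499b84ac-1321-427f-aa17-267ca6975798"

# Normalize requested app ids to lower-case strings so they compare with the
# lower-cased servicePrincipalId values attached to each endpoint further down.
if ($AppId) {
  $AppId | ForEach-Object { $_.ToString().ToLower() } | Set-Variable AppId
}

#-----------------------------------------------------------
# Log in to Azure
if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
  Write-Error "Azure CLI is not installed. You can get it here: http://aka.ms/azure-cli"
  exit 1
}
# Reuse an existing CLI session when there is one; only prompt for login otherwise.
az account show -o json 2>$null | ConvertFrom-Json | Set-Variable account
if (!$account) {
  az login --allow-no-subscriptions -o json | ConvertFrom-Json | Set-Variable account
}

# Log in to Azure DevOps
$OrganizationUrl = $OrganizationUrl.ToString().Trim('/')
az account get-access-token --resource $azdoResourceId `
  --query "accessToken" `
  --output tsv `
  | Set-Variable accessToken
if (!$accessToken) {
  # '$($account.user.name)' — the variable; a bare '$(account.user.name)' would try to
  # run a command of that name instead.
  Write-Error "$($account.user.name) failed to get access token for Azure DevOps"
  exit 1
}
if (!(az extension list --query "[?name=='azure-devops'].version" -o tsv)) {
  Write-Host "Adding Azure CLI extension 'azure-devops'..."
  az extension add -n azure-devops -y -o none
}
# The token is passed on stdin, keeping it out of the command line and process listings.
$accessToken | az devops login --organization $OrganizationUrl
if ($lastexitcode -ne 0) {
  Write-Error "$($account.user.name) failed to log in to Azure DevOps organization '${OrganizationUrl}'"
  exit $lastexitcode
}

#-----------------------------------------------------------
# Check parameters
az devops project show --project "${Project}" --organization $OrganizationUrl --query id -o tsv | Set-Variable projectId
if (!$projectId) {
  Write-Error "Project '${Project}' not found in organization '${OrganizationUrl}'"
  exit 1
}

#-----------------------------------------------------------
# Retrieve the service connections
# The project id (a guid) is used in the url and in the JMESPath filter instead of the
# project name, so names containing spaces or quotes need no escaping.
$getApiUrl = "${OrganizationUrl}/${projectId}/_apis/serviceendpoint/endpoints?type=azurerm&includeFailed=true&includeDetails=true&api-version=${apiVersion}"
# Keep endpoints owned by this project; drop ones that are merely shared into it.
$query = "sort_by(value[?!(isShared && serviceEndpointProjectReferences[0].projectReference.id!='${projectId}')],&name)"
az rest --resource $azdoResourceId -u "${getApiUrl}" -m GET --query "${query}" -o json `
  | Tee-Object -Variable rawResponse `
  | ConvertFrom-Json `
  | Tee-Object -Variable serviceEndpoints `
  | Format-List | Out-String | Write-Debug
if ($lastexitcode -ne 0) {
  Write-Error "Failed to list service connections for project '${Project}' in organization '${OrganizationUrl}'"
  exit $lastexitcode
}
if (!$serviceEndpoints -or ($serviceEndpoints.count -eq 0)) {
  Write-Warning "No service connections found"
  exit 1
}

# Flatten the identity fields onto each endpoint (lower-cased for comparison) and add
# portal deep links for the application registration and the service connection.
$serviceEndpoints | ForEach-Object {
  $parameters = $_.authorization.parameters
  "https://portal.azure.com/{0}/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Overview/appId/{1}" -f $parameters.tenantId, $parameters.servicePrincipalId | Set-Variable applicationPortalLink
  "{0}/{1}/_settings/adminservices?resourceId={2}" -f $OrganizationUrl, $_.serviceEndpointProjectReferences[0].projectReference.id, $_.id | Set-Variable serviceConnectionPortalLink
  $_ | Add-Member -NotePropertyName appId -NotePropertyValue $parameters.servicePrincipalId?.ToLower()
  $_ | Add-Member -NotePropertyName applicationPortalLink -NotePropertyValue $applicationPortalLink
  $_ | Add-Member -NotePropertyName authorizationScheme -NotePropertyValue $_.authorization.scheme
  $_ | Add-Member -NotePropertyName creationMode -NotePropertyValue $_.data.creationMode
  $_ | Add-Member -NotePropertyName serviceConnectionPortalLink -NotePropertyValue $serviceConnectionPortalLink
  $_ | Add-Member -NotePropertyName tenantId -NotePropertyValue $parameters.tenantId?.ToLower()
  $_
} | Where-Object {
  # Sharing across projects was already handled by the JMESPath filter above; only the
  # requested app ids and/or the service connection name are applied here.
  (!$AppId -or ($_.appId -in $AppId)) -and
  (!$ServiceConnectionName -or ($_.name -eq $ServiceConnectionName))
} | Set-Variable filteredServiceEndpoints

switch ($Format) {
  'List' {
    $filteredServiceEndpoints | Format-List
  }
  'Table' {
    $filteredServiceEndpoints | Format-Table -AutoSize -Property name, authorizationScheme, creationMode, appId, tenantId
  }
}

# Report which of the requested app ids did (not) resolve to a service connection.
$filteredServiceEndpoints | ForEach-Object {
  $_.appId
} | Set-Variable matchedAppIds
Write-Host "Matched AppIds: $($matchedAppIds -join ', ')"
$AppId | Where-Object {
  $_ -notin $matchedAppIds
} | Set-Variable unmatchedAppIds
if ($unmatchedAppIds) {
  Write-Warning "Unmatched AppIds: $($unmatchedAppIds -join ', ')"
}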