nicolgit / whoiswho

azure WhoIsWho engine
MIT License

Define the configuration steps to deploy the Infrastructure and App: AAD App Registrations, GitHub Action instructions #34

Status: Open. liguori opened this issue 3 years ago

liguori commented 3 years ago

For the WhoIsWho solution we need at least 3 App Registrations:

  1. Deployment Identity: must have "contributor" permission over the Resource Group that will be used as destination for the WhoIsWho Azure Resources. We have documented its creation here: https://github.com/nicolgit/whoiswho#create-resource-group-and-a-service-principal-for-deploy-the-resources-deployment-identity.

  2. Backend Identity: it is the app registration that represents the identity used by the WhoIsWho backend to discover and index the organization resources to which it has been assigned as a reader. It must also be configured to "Expose an API" that maps the REST API used by the frontend. We have documented its creation here: https://github.com/nicolgit/whoiswho#set-up-the-azure-ad-service-principal-used-by-the-whoiswho-whoiswho-identity; we should integrate the documented script to automatically configure the "Expose an API" part.

  3. Frontend Identity: it is the app registration used to implement the authentication in the Single Page Application, with API Permission on the previously exposed API (point 2). Its creation script has to be documented. Moreover, after the solution deployment its configuration must be integrated with the final SPA AppService URI in the RedirectURI setting.

NOTE: The first App Registration could be the only one that has to be manually created. The remaining 2 could be automatically created via automation in the deployment pipeline if the "customer" AD Admin grants the Application permission "Application.ReadWrite.OwnedBy" on it. Considering the permissions impact on the AAD tenant, I don't think there are real cases of users willing to do this.

So we must necessarily document the creation of the 3 app registrations and the configuration of the respective parameters in the GitHub Actions for the deployment of the solution.

The final "Readme.md" macrosteps to be documented are:

  1. Create the Deployment Identity App Registration
  2. Create the Backend Identity App Registration
  3. Create the Frontend Identity App Registration
  4. Configure the 3 app registrations' parameters (ClientId, ClientSecret, etc.) in the GitHub Variables
  5. Run the "Deploy WhoIsWho" GitHub Action
  6. Configure the SPA AppService URI in the RedirectURI setting of the Frontend Identity App Registration (only the first time)
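
A "Deploy WhoIsWho" workflow that consumes the three identities from GitHub secrets and variables, covering macrosteps 4 to 6 above, as an added example and not the repository's own workflow; the secret and variable names, the template path, the parameter names and the `spaUri` template output are assumptions:

```yaml
# Added example, not the repository's own workflow. Secret/variable names,
# the template path, parameter names and the spaUri output are assumptions.
name: Deploy WhoIsWho

on:
  workflow_dispatch:   # run manually, as in macrostep 5

permissions:
  contents: read       # the job only needs to read the repository

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Deployment Identity: the only identity holding Azure RBAC
      #    (Contributor scoped to the target resource group, nothing wider).
      #    AZURE_CREDENTIALS holds the JSON produced when the service
      #    principal was created.
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # 2./3. Backend and Frontend Identity values are passed to the
      #    template as parameters. Client IDs are not secrets and can live
      #    in GitHub Variables; the backend client secret stays in a secret
      #    and should be declared @secure() in the template so it never
      #    shows up in deployment output.
      - id: deploy
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          resourceGroupName: ${{ vars.AZURE_RESOURCE_GROUP }}
          template: ./deploy/main.bicep
          parameters: >-
            tenantId=${{ secrets.AZURE_TENANT_ID }}
            backendClientId=${{ vars.BACKEND_CLIENT_ID }}
            backendClientSecret=${{ secrets.BACKEND_CLIENT_SECRET }}
            backendApiScope=${{ vars.BACKEND_API_SCOPE }}
            frontendClientId=${{ vars.FRONTEND_CLIENT_ID }}

      # 6. The Redirect URI of the Frontend Identity cannot be set by this
      #    workflow without Application.ReadWrite.OwnedBy, so the SPA URI
      #    is surfaced for the one-time manual step instead.
      - name: Show SPA URI to register as Redirect URI
        run: echo "Register ${{ steps.deploy.outputs.spaUri }} as SPA redirect URI of the Frontend Identity"
```
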

nicolgit commented 3 years ago

In all Azure samples I have met, I have always seen the app registration procedure documented and not scripted, so I do not see any real advantage in using a different approach for WhoIsWho.