fixing deployment issues

Author: brown9804

README.md

@@ -41,22 +41,28 @@ Last updated: 2026-02-19
 
 - Resource group
 - Artifact Signing account (`Microsoft.CodeSigning/codeSigningAccounts`)
-- (Optional, Terraform-deployed) Certificate profile (`.../certificateProfiles`) once you provide an **Identity validation Id**
+- Key Vault (RBAC-enabled) for pipeline variables/secrets
+- (Optional) Certificate profile (`.../certificateProfiles`) can be created either:
+   - by Terraform (if you set `identity_validation_id` and re-apply), or
+   - by the Azure DevOps pipeline automatically (after you set a Key Vault secret; no Terraform re-run)
 - (Optional, Terraform-deployed) Microsoft Entra app registration + service principal for an Azure DevOps **Workload Identity Federation** service connection
 - (Optional, Terraform-deployed) Azure DevOps resources (when `ado_enabled = true`):
    - Project
    - Git repo
    - YAML pipeline
    - AzureRM service connection (Workload Identity Federation)
    - Pipeline authorizations for the service connection + variable group
-- (Optional, Terraform-deployed) RBAC assignment: `Artifact Signing Certificate Profile Signer` at the certificate profile scope
+- (Optional) RBAC assignment(s) for the Azure DevOps service principal
+   - `Artifact Signing Certificate Profile Signer` at the certificate profile scope (required for signing)
+   - `Contributor` at the resource group scope (only required if you want the pipeline to create the certificate profile)
 
 <img width="451" height="622" alt="image" src="https://github.com/user-attachments/assets/1306d110-be8f-49a8-96dc-c0354a2a6404" />
 
 From [What is Artifact Signing?](https://learn.microsoft.com/en-us/azure/artifact-signing/overview)
 
 > [!NOTE]
-> - **Identity validation** itself is **portal-only** (service requirement). Terraform can’t complete that workflow; you paste the resulting `identity_validation_id` into `terraform.tfvars`.
+> - **Identity validation** itself is **portal-only** (service requirement). Terraform can’t complete that workflow.
+> - After you complete it, you can avoid a second `terraform apply` by setting the Key Vault secret `artifactSigningIdentityValidationId` and letting the pipeline create the certificate profile.
 > - If Terraform creates the Azure DevOps service connection (`ado_enabled = true`), it can also read the generated WIF **Issuer** and **Subject** and create the Entra **federated credential** automatically (no copy/paste).
 
 ## Deploy with Terraform
@@ -76,21 +82,20 @@ terraform apply -auto-approve
 
 3) In Azure portal, open the Artifact Signing account and complete **Identity validation** (portal-only).
 
-4) Copy the **Identity validation Id** from the portal and add it to `terraform-infrastructure/terraform.tfvars`:
+4) Copy the **Identity validation Id** from the portal and set it in Key Vault (no Terraform re-run required):
 
-```hcl
-identity_validation_id = "00000000-0000-0000-0000-000000000000"
-certificate_profile_name = "demo-code-signing"
-certificate_profile_type = "PublicTrustTest"
+```pwsh
+az keyvault secret set \
+   --vault-name <your-keyvault-name> \
+   --name artifactSigningIdentityValidationId \
+   --value "00000000-0000-0000-0000-000000000000"
 ```
 
-5) Apply again to create the certificate profile:
+5) Run the Azure DevOps pipeline. The `AzureCLI@2` step will:
+- create the certificate profile if it doesn't exist yet
+- ensure the `Artifact Signing Certificate Profile Signer` role assignment exists
 
-```pwsh
-cd terraform-infrastructure
-terraform validate
-terraform apply -auto-approve
-```
+Optional: If you prefer Terraform to manage the certificate profile instead, set `identity_validation_id` in `terraform-infrastructure/terraform.tfvars` and run `terraform apply` again.
 
 ## Azure DevOps (Terraform-managed)
 
@@ -128,21 +133,26 @@ Notes:
   - `artifactSigningEndpoint` (Terraform output `artifact_signing_endpoint`)
   - `artifactSigningAccountName` (Terraform output `artifact_signing_account_name`)
   - `artifactSigningCertificateProfileName` (your profile name)
+   - `artifactSigningResourceGroupName` (Terraform `resource_group_name`)
+   - `artifactSigningIdentityValidationId` (only required until the profile exists; best sourced from Key Vault)
+   - `artifactSigningCertificateProfileType` (defaults to `PublicTrust` if unset)
+   - `adoServicePrincipalObjectId` (optional; enables the pipeline to ensure RBAC assignment automatically)
   - Service connection name in YAML: update `azureSubscription` if you didn't name it `sc-artifact-signing`.
 
-### Optional: use Azure Key Vault for pipeline variables
+### Azure Key Vault for pipeline variables
 
-If you enable Key Vault (`keyvault_enabled=true`) Terraform will:
+Terraform creates a Key Vault by default. It will:
 - create an RBAC-enabled Key Vault
 - grant your current identity **Key Vault Secrets Officer** (so you can set secrets)
 - grant the Azure DevOps service principal **Key Vault Secrets User** (so the pipeline can read secrets)
 
-Then create secrets in Key Vault with these names:
+Terraform also populates these Key Vault secrets during `terraform apply`:
 - `artifactSigningEndpoint`
 - `artifactSigningAccountName`
 - `artifactSigningCertificateProfileName`
+- `artifactSigningIdentityValidationId` (placeholder until you set it after portal validation)
 
-The pipeline will automatically load them (it runs `AzureKeyVault@2` when `keyVaultName` is non-empty).
+The pipeline automatically loads them (it runs `AzureKeyVault@2` when `keyVaultName` is non-empty).
 
 If signing fails with 403, validate:
 - Endpoint matches region

azure-pipelines.yml

@@ -18,6 +18,10 @@ variables:
   artifactSigningEndpoint: ''
   artifactSigningAccountName: ''
   artifactSigningCertificateProfileName: ''
+  artifactSigningIdentityValidationId: ''
+  artifactSigningResourceGroupName: ''
+  artifactSigningCertificateProfileType: 'PublicTrust'
+  adoServicePrincipalObjectId: ''
 
 steps:
 - task: DotNetCoreCLI@2
@@ -33,7 +37,7 @@ steps:
   inputs:
     azureSubscription: '$(azureServiceConnection)'
     KeyVaultName: '$(keyVaultName)'
-    SecretsFilter: 'artifactSigningEndpoint,artifactSigningAccountName,artifactSigningCertificateProfileName'
+    SecretsFilter: 'artifactSigningEndpoint,artifactSigningAccountName,artifactSigningCertificateProfileName,artifactSigningIdentityValidationId'
     RunAsPreJob: false
 
 - task: AzureCLI@2
@@ -45,9 +49,69 @@ steps:
     inlineScript: |
       $ErrorActionPreference = 'Stop'
 
+      function Get-Trimmed([string]$value) {
+        if ($null -eq $value) { return '' }
+        return $value.Trim()
+      }
+
+      $rg = Get-Trimmed "$(artifactSigningResourceGroupName)"
+      if ([string]::IsNullOrWhiteSpace($rg)) { throw "Missing variable: artifactSigningResourceGroupName" }
+
+      $accountName = Get-Trimmed "$(artifactSigningAccountName)"
+      $profileName = Get-Trimmed "$(artifactSigningCertificateProfileName)"
+      $profileType = Get-Trimmed "$(artifactSigningCertificateProfileType)"
+      if ([string]::IsNullOrWhiteSpace($profileType)) { $profileType = 'PublicTrust' }
+
       if ([string]::IsNullOrWhiteSpace("$(artifactSigningEndpoint)")) { throw "Missing variable: artifactSigningEndpoint" }
-      if ([string]::IsNullOrWhiteSpace("$(artifactSigningAccountName)")) { throw "Missing variable: artifactSigningAccountName" }
-      if ([string]::IsNullOrWhiteSpace("$(artifactSigningCertificateProfileName)")) { throw "Missing variable: artifactSigningCertificateProfileName" }
+      if ([string]::IsNullOrWhiteSpace($accountName)) { throw "Missing variable: artifactSigningAccountName" }
+      if ([string]::IsNullOrWhiteSpace($profileName)) { throw "Missing variable: artifactSigningCertificateProfileName" }
+
+      $identityValidationId = Get-Trimmed "$(artifactSigningIdentityValidationId)"
+
+      $subId = (az account show --query id -o tsv)
+      if ([string]::IsNullOrWhiteSpace($subId)) { throw "Unable to determine subscription id from AzureCLI context." }
+
+      $profileResourceId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.CodeSigning/codeSigningAccounts/$accountName/certificateProfiles/$profileName"
+      $profileUrl = "https://management.azure.com$profileResourceId?api-version=2025-10-13"
+
+      Write-Host "Ensuring certificate profile exists: $profileResourceId"
+
+      $profileExists = $false
+      try {
+        az rest --method get --url $profileUrl --only-show-errors | Out-Null
+        $profileExists = $true
+      } catch {
+        $profileExists = $false
+      }
+
+      if (-not $profileExists) {
+        if ([string]::IsNullOrWhiteSpace($identityValidationId)) {
+          throw "Certificate profile is missing. Complete identity validation in the portal and set Key Vault secret 'artifactSigningIdentityValidationId' (or set pipeline variable artifactSigningIdentityValidationId)."
+        }
+
+        $body = @{
+          properties = @{
+            identityValidationId   = $identityValidationId
+            profileType           = $profileType
+            includeStreetAddress  = $false
+            includePostalCode     = $false
+          }
+        } | ConvertTo-Json -Depth 10
+
+        az rest --method put --url $profileUrl --body $body --only-show-errors | Out-Null
+        Write-Host "Created certificate profile: $profileName"
+      }
+
+      $spObjectId = Get-Trimmed "$(adoServicePrincipalObjectId)"
+      if (-not [string]::IsNullOrWhiteSpace($spObjectId)) {
+        $roleName = "Artifact Signing Certificate Profile Signer"
+        Write-Host "Ensuring RBAC role '$roleName' on profile for SP object id $spObjectId"
+        try {
+          az role assignment create --assignee-object-id $spObjectId --assignee-principal-type ServicePrincipal --role $roleName --scope $profileResourceId --only-show-errors | Out-Null
+        } catch {
+          Write-Host "Role assignment may already exist; continuing."
+        }
+      }
 
       az account show --output table