terraform deployment - base in place

Author: brown9804

README.md

@@ -101,14 +101,18 @@ $env:AZDO_ORG_SERVICE_URL = "https://dev.azure.com/<your-org>"
 $env:AZDO_PERSONAL_ACCESS_TOKEN = "<your-pat>"
 ```
 
-3) In `terraform-infrastructure/terraform.tfvars`, set:
+3) Enable the Azure DevOps resources in Terraform.
 
-```hcl
-ado_enabled = true
-ado_org_service_url = "https://dev.azure.com/<your-org>"
+Preferred: use the provided var-file:
+
+```pwsh
+cd terraform-infrastructure
+terraform apply -auto-approve -var-file=terraform.tfvars -var-file=terraform.ado.tfvars
 ```
 
-4) Apply. Terraform will:
+Alternative: set `ado_enabled = true` and `ado_org_service_url` in `terraform.tfvars`.
+
+4) Terraform will:
 - create the Azure DevOps project + repo + YAML pipeline
 - create the AzureRM service connection using Workload Identity Federation (WIF)
 - read the generated WIF Issuer/Subject and create the Entra federated credential

azure-pipelines.yml

@@ -1,36 +1,63 @@
+# This pipeline:
+# 1) Builds/publishes an unsigned .NET executable
+# 2) Optionally loads signing inputs from Azure Key Vault
+# 3) Ensures the Trusted Signing certificate profile exists (creates it if needed)
+# 4) Signs the binary with SignTool + Artifact Signing dlib
+# 5) Verifies and publishes the signed artifact
+
 trigger:
 - main
 
 pool:
   vmImage: 'windows-latest'
 
 variables:
+  # Build settings for the demo app.
   buildConfiguration: 'Release'
   runtimeIdentifier: 'win-x64'
 
-  # Update if your service connection name differs.
+  # AzureRM service connection name in Azure DevOps.
+  # Terraform defaults this to 'sc-artifact-signing'.
   azureServiceConnection: 'sc-artifact-signing'
 
-  # Set these as pipeline variables or in a variable group.
-  # If you set keyVaultName (or Terraform provides it via variable group),
-  # the AzureKeyVault@2 task below will populate the artifactSigning* variables.
+  # Key Vault integration:
+  # - If keyVaultName is non-empty, AzureKeyVault@2 will pull the secrets below
+  #   and populate the corresponding pipeline variables at runtime.
+  # - If keyVaultName is empty, you must set the artifactSigning* variables
+  #   via pipeline variables or a variable group.
   keyVaultName: ''
+
+  # Trusted Signing inputs (usually sourced from Key Vault):
   artifactSigningEndpoint: ''
   artifactSigningAccountName: ''
   artifactSigningCertificateProfileName: ''
+
+  # Identity validation is portal-only; when the profile does not exist yet,
+  # set this (preferably as a Key Vault secret) so the pipeline can create it.
   artifactSigningIdentityValidationId: ''
+
+  # Resource group that contains the Code Signing account.
   artifactSigningResourceGroupName: ''
+
+  # Certificate profile type to create if missing.
+  # This must match the Microsoft.CodeSigning API allowed values.
   artifactSigningCertificateProfileType: 'PublicTrust'
+
+  # Optional: object id of the Azure DevOps service principal.
+  # If provided, the pipeline will attempt to ensure the signer RBAC role assignment.
+  # (Terraform can also handle RBAC; this is a best-effort helper.)
   adoServicePrincipalObjectId: ''
 
 steps:
+# Build the demo app, producing an unsigned SigningDemo.exe.
 - task: DotNetCoreCLI@2
   displayName: Publish (unsigned)
   inputs:
     command: publish
     projects: '**/SigningDemo.csproj'
     arguments: '-c $(buildConfiguration) -r $(runtimeIdentifier) --self-contained false'
 
+# Load signing inputs from Key Vault (only if keyVaultName is set).
 - task: AzureKeyVault@2
   displayName: Load signing variables from Key Vault
   condition: and(succeeded(), ne(variables['keyVaultName'], ''))
@@ -40,6 +67,11 @@ steps:
     SecretsFilter: 'artifactSigningEndpoint,artifactSigningAccountName,artifactSigningCertificateProfileName,artifactSigningIdentityValidationId'
     RunAsPreJob: false
 
+# Sign the binary.
+# Notes:
+# - If the certificate profile doesn't exist yet, this step creates it via ARM (az rest).
+# - To create the profile, the service connection identity typically needs permission at RG/account scope.
+# - To sign, the identity needs the appropriate Artifact Signing signer role.
 - task: AzureCLI@2
   displayName: Sign with Azure Artifact Signing (SignTool + dlib)
   inputs:
@@ -74,6 +106,7 @@ steps:
       $profileResourceId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.CodeSigning/codeSigningAccounts/$accountName/certificateProfiles/$profileName"
       $profileUrl = "https://management.azure.com$profileResourceId?api-version=2025-10-13"
 
+      # If the profile doesn't exist yet (first run), create it using the identity validation ID.
       Write-Host "Ensuring certificate profile exists: $profileResourceId"
 
       $profileExists = $false
@@ -102,6 +135,8 @@ steps:
         Write-Host "Created certificate profile: $profileName"
       }
 
+      # Optional best-effort RBAC helper: assign signer role at the profile scope.
+      # If Terraform already assigned roles, this is usually unnecessary.
       $spObjectId = Get-Trimmed "$(adoServicePrincipalObjectId)"
       if (-not [string]::IsNullOrWhiteSpace($spObjectId)) {
         $roleName = "Artifact Signing Certificate Profile Signer"
@@ -115,6 +150,10 @@ steps:
 
       az account show --output table
 
+      # Download tooling via NuGet extraction:
+      # - nuget.exe (for pulling packages)
+      # - Microsoft.Windows.SDK.BuildTools (signtool.exe)
+      # - Microsoft.ArtifactSigning.Client (Azure.CodeSigning.Dlib.dll)
       $tempRoot = Join-Path "$(Agent.TempDirectory)" "artifact-signing"
       New-Item -ItemType Directory -Force -Path $tempRoot | Out-Null
 
@@ -140,6 +179,7 @@ steps:
       if (-not $dlib) { throw "Azure.CodeSigning.Dlib.dll not found after extracting Microsoft.ArtifactSigning.Client" }
 
       $metadataPath = Join-Path $tempRoot "metadata.json"
+      # metadata.json is consumed by the dlib and tells it which account/profile to use.
       $metadata = @{
         Endpoint               = "$(artifactSigningEndpoint)"
         CodeSigningAccountName = "$(artifactSigningAccountName)"
@@ -160,14 +200,17 @@ steps:
       Write-Host "Using signtool: $($signtool.FullName)"
       Write-Host "Using dlib: $($dlib.FullName)"
 
+      # Sign in-place using the official SignTool + /dlib flow.
       & $signtool.FullName sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "$($dlib.FullName)" /dmdf "$metadataPath" "$signed"
 
+# Verify that Windows considers the resulting file authenticode-signed.
 - powershell: |
     $ErrorActionPreference = 'Stop'
     $signed = "$(Build.ArtifactStagingDirectory)\SigningDemo.signed.exe"
     Get-AuthenticodeSignature $signed | Format-List
   displayName: Verify signature
 
+# Publish the signed binary as a build artifact.
 - task: PublishBuildArtifacts@1
   displayName: Publish signed artifact
   inputs:

terraform-infrastructure/terraform.ado.tfvars

@@ -0,0 +1,30 @@
+# Azure DevOps provisioning (optional)
+# Use with:
+#   terraform apply -var-file=terraform.tfvars -var-file=terraform.ado.tfvars
+#
+# Required environment variables for the azuredevops provider:
+#   $env:AZDO_ORG_SERVICE_URL = "https://dev.azure.com/<your-org>"
+#   $env:AZDO_PERSONAL_ACCESS_TOKEN = "<your-pat>"
+#
+# NOTE: Terraform can create the ADO project/repo/pipeline/service-connection,
+# but it does not push this repo's contents into the new ADO repo.
+
+ado_enabled = true
+
+# If you prefer setting the org URL as a variable instead of env var, uncomment:
+# ado_org_service_url = "https://dev.azure.com/<your-org>"
+
+# Names (safe defaults)
+ado_project_name   = "ArtifactSigningDemo"
+ado_repo_name      = "Azure-ArtifactSigning-DevOps"
+ado_pipeline_name  = "artifact-signing-demo"
+
+# Service connection name MUST match azureServiceConnection in azure-pipelines.yml
+ado_service_connection_name = "sc-artifact-signing"
+
+# Default: secretless auth (requires org feature enabled)
+ado_service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
+
+# If your org can't use WIF yet, switch to ServicePrincipal and provide the secret via:
+#   $env:TF_VAR_ado_service_principal_client_secret = "..."
+# ado_service_endpoint_authentication_scheme = "ServicePrincipal"

terraform-infrastructure/terraform.tfvars

@@ -3,7 +3,7 @@
 
 location                  = "eastus"
 resource_group_name       = "RG-artifact-signing-demo"
-code_signing_account_name = "aasdemoREPLACE_ME"
+code_signing_account_name = "aasdemo-replace-me"
 
 # After you complete Identity validation in the Azure portal, paste the Identity validation Id here.
 identity_validation_id = null

terraform-infrastructure/variables.tf

@@ -13,6 +13,15 @@ variable "resource_group_name" {
 variable "code_signing_account_name" {
   type        = string
   description = "Artifact Signing (Trusted Signing) account name. Must be globally unique, 3-24 characters."
+
+  validation {
+    condition = (
+      length(var.code_signing_account_name) >= 3 &&
+      length(var.code_signing_account_name) <= 24 &&
+      can(regex("^[A-Za-z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)*$", var.code_signing_account_name))
+    )
+    error_message = "code_signing_account_name must be 3-24 chars, start with a letter, contain only letters/numbers/hyphens, and not contain underscores. Example: aasdemo-abc123."
+  }
 }
 
 variable "code_signing_sku" {
@@ -85,8 +94,14 @@ variable "ado_org_service_url" {
   nullable    = true
 
   validation {
-    condition     = var.ado_enabled == false || (var.ado_org_service_url != null && length(trimspace(var.ado_org_service_url)) > 0)
-    error_message = "When ado_enabled=true you must set ado_org_service_url (or AZDO_ORG_SERVICE_URL)."
+    condition = (
+      var.ado_enabled == false || (
+        length(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)) > 0 &&
+        can(regex("^https://dev\\.azure\\.com/[^\\s/]+$", trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url))) &&
+        !strcontains(upper(trimspace(var.ado_org_service_url == null ? "" : var.ado_org_service_url)), "REPLACE_ME")
+      )
+    )
+    error_message = "When ado_enabled=true you must set ado_org_service_url to a real org URL like https://dev.azure.com/your-org (not REPLACE_ME)."
   }
 }