
# <copyright file="Assert-AzureServicePrincipalForRbac.ps1" company="Endjin Limited">
# Copyright (c) Endjin Limited. All rights reserved.
# </copyright>

Ensures that an Azure AD service principal exists, creating if necessary. Optionally storing the credential
in Azure Key Vault.

Ensures that a suitable Azure AD application & service principal exists. Optionally storing the credential
in Azure Key Vault.

The display name of the Azure AD service principal.

The key vault where that service principal password will be stored.

.PARAMETER KeyVaultSecretName
The key vault secret name that service principal password will be stored in.

.PARAMETER RotateSecret
When specified, the service principal secret will be regenerated.

Returns a tuple containing a hashtable representing the object describing the Azure AD service principal and
it's client secret. Where the client secret is not avilable (e.g. the service principal aleady exists) or the
Key Vault functionality is used, '$null' will be returned for this element.

    @{ <service-principal-definition> },


function Assert-AzureServicePrincipalForRbac
    param (
        [Parameter(Mandatory = $true)]
        [string] $Name,

        [int] $PasswordLifetimeDays = 365,
        [Parameter(ParameterSetName = 'KeyVault',
                    Mandatory = $true)]
        [string] $KeyVaultName,

        [Parameter(ParameterSetName = 'KeyVault',
                    Mandatory = $true)]
        [string] $KeyVaultSecretName,

        [Parameter(ParameterSetName = 'KeyVault')]
        [switch] $RotateSecret

    #region internal helper functions
    function _handleCredential {
        param (

        # Generate a new service principal secret
        $spCred = $ServicePrincipal | New-AzADServicePrincipalCredential -EndDate ([DateTime]::Now.AddDays($PasswordLifetimeDays))

        # Get the secret from the credential object, based on which graph API we're using
        $spAddId = $useMsGraph ? $ServicePrincipal.AppId : $ServicePrincipal.ApplicationId
        $spPassword = $useMsGraph `
                            ? $spCred.SecretText `
                            : ($spCred.Secret | ConvertFrom-SecureString -AsPlainText)

        if ($useKeyVault) {
            $spLoginDetails = @{
                appId = $spAddId
                password = $spPassword
                tenant = (Get-AzContext).Tenant.Id
            Write-Host "Storing service principal secret in key vault [VaultName=$KeyVaultName, SecretName=$KeyVaultSecretName]"
            Set-AzKeyVaultSecret -VaultName $KeyVaultName `
                                 -Name $KeyVaultSecretName `
                                 -SecretValue ($spLoginDetails | ConvertTo-Json | ConvertTo-SecureString -AsPlainText -Force) `
                                 -ContentType "application/json" `
                | Out-Null

            return $null
        else {
            return (ConvertFrom-SecureString $spCredential -AsPlainText)

    # Check whether we have a valid AzPowerShell connection
    if ($PSCmdlet.ParameterSetName -eq "KeyVault") {
        # Subscription access required for key vault integration
        _EnsureAzureConnection -AzPowerShell -ErrorAction Stop | Out-Null
    else {
        # No subscription-level access is required
        _EnsureAzureConnection -AzPowerShell -TenantOnly -ErrorAction Stop | Out-Null

    $useKeyVault = ($PSCmdlet.ParameterSetName -eq "KeyVault")

    # Handle Azure Graph -> MS Graph transition
    # Breaking change to property names between v4 and v5 of the module
    $useMsGraph = $true
    $azResourcesModule = Import-Module Az.Resources -PassThru -Verbose:$false
    if ($azResourcesModule.Version.Major -gt 4) {
        Write-Verbose "Using Microsoft Graph"
        $appIdPropertyName = "AppId"
    else {
        Write-Verbose "Using Azure Graph"
        $appIdPropertyName = "ApplicationId"
        $useMsGraph = $false

    $spSecret = $null
    $existingSp = Get-AzADServicePrincipal -DisplayName $Name

    if (!$existingSp) {
        if ($PSCmdlet.ShouldProcess($Name, "Create Service Principal")) {

            # Create a new service principal
            $createParams = @{
                DisplayName = $Name
            if (!$useMsGraph) {
                $createParams += @{ SkipAssignment = $true }
            $newSp = New-AzADServicePrincipal @createParams
            Write-Host ("Created service principal [ObjectId={0}, ApplicationId={1}]" -f $newSp.Id, $newSp.$appIdPropertyName)
            # Delete the default credential
            Get-AzADServicePrincipalCredential -DisplayName $Name | Remove-AzADServicePrincipalCredential
            # Setup the credential and store it in key vault, if necessary
            $spSecret = _handleCredential $newSp
    else {
        Write-Host ("Service Principal '{0}' already exists [ObjectId={1}, ApplicationId={2}]" -f `

        if ($useKeyVault) {
            # if using key vault, check whether the specified secret is available
            $existingSecret = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $KeyVaultSecretName

        # rotate the secret
        if (($useKeyVault -and !$existingSecret) -or $RotateSecret) {
            if ($PSCmdlet.ShouldProcess($Name, "Rotate Service Principal Secret")) {
                Write-Host "Rotating service principal credential [UseKeyVault=$useKeyVault, KeyVaultSecretMissing=$(!$existingSecret), RotateFlag=$RotateSecret]"
                $spSecret = _handleCredential $existingSp

    return ($existingSp ? $existingSp : $newSp),$spSecret