!TODO: update to generate generic entities and not the (incompatible!) "system" data.
What does it do:
- Gets fresh item data from the SharePoint list
- Updates the local `system-scores/xxx.json` files and computes the score
- Merges all scores into `system-scores/all.json`
- Uploads the scores to the Azure storage account (a PR run uploads to DEV, a run from master uploads to LIVE)
- Pushes the changes to git
To test it locally, go to `./tools/azure-devops-pipelines/scripts` and run:

```powershell
./Sync-Sharepoint.ps1 -action download -systemScoreFolder '../../sample-data' -listId '12345678-1234-aaaa-bbbb-1234567890aa' -siteURL 'https://yourOffice365Account.sharepoint.com/teams/some-site' -interactive
```
You need to configure an Azure ARM service connection in the Azure DevOps project's "Service connections" settings; this creates a service principal. The wizard assigns it the "Contributor" role on either the subscription or the resource group. The script does not need that level of access, so remove that role assignment afterwards.
You need to grant the service principal rights in SharePoint as described here. That is, open https://yourOffice365Account.sharepoint.com/teams/some-site/_layouts/15/appinv.aspx, enter the application id, look it up and grant the following rights:
```xml
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="https://yourOffice365Account.sharepoint.com/teams/some-site" Right="Read" />
</AppPermissionRequests>
```
You may also need to grant the service principal permissions on the SharePoint site that holds the list:

```powershell
# see also https://www.sharepointdiary.com/2016/05/sharepoint-online-grant-permission-to-list-library-using-powershell.html
Install-Module -Name PnP.PowerShell -RequiredVersion 1.9.0 -Repository PSGallery -Scope CurrentUser -Force;
$listId = '12345678-1234-aaaa-bbbb-1234567890aa'; # list ID (not used by the commands below; the grant is site-wide)
$appId = '12345678-1234-aaaa-bbbb-1234567890bb'; # application id, see above
$appDisplayName = 'BackstageCatalogSharepointIntegration'; # could be anything, but please keep it aligned with the name of the app
$siteURL = "https://yourOffice365Account.sharepoint.com/teams/some-site";
Connect-PnPOnline -Url $siteURL -DeviceLogin;
# Read is sufficient: the pipeline only downloads list items
Grant-PnPAzureADAppSitePermission -AppId $appId -DisplayName $appDisplayName -Site $siteURL -Permissions Read
```
You need to assign permissions on the Azure Storage account:
Go to the Azure Portal, open the desired storage account, go to the "Access control (IAM)" blade and assign the "Storage Blob Data Contributor" role to the service principal mentioned above.
Also consider adding a condition to the assignment so that it only allows editing the container that holds the system scores (replace 'name-of-the-folder' with that container's name):
```
(
  (
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.Read.WithTagConditions'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'} AND SubOperationMatches{'Blob.Write.WithTagHeaders'})
    AND
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action'})
  )
  OR
  (
    @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'name-of-the-folder'
  )
)
```
To prepare all fields in the SharePoint list, use the Update-SharepointSelfAssessmentList.ps1 script.
It uses @template.json to generate the fields and their possible values.