The script is designed to automate the assignment of security groups to environments.

setup.sh

PAT=""
ORG_NAME="ivanporta"
PROJECT_NAME="Sample"
DEFAULT_JSON='{
    "pipeline": {
        "environments": [
            {
                "name": "Connectivity",
                "description": "Connectivity production environment",
                "security_groups_name": [
                    {
                        "name": "Connectivity administators",
                        "role_name": "Administrator"
                    },
                    {
                        "name": "Connectivity users",
                        "role_name": "User"
                    }
                ]
            },
            {
                "name": "Identity",
                "description": "Identity production environment",
                "security_groups_name": [
                    {
                        "name": "Identity administators",
                        "role_name": "Administrator"
                    },
                    {
                        "name": "Identity users",
                        "role_name": "User"
                    }
                ]
            }
        ]
    }
}'
echo "Assign security groups to environments in $PROJECT_NAME project"
for ENVIRONMENT in $(echo "$DEFAULT_JSON" | jq -r '.pipeline.environments[] | @base64'); do
    ENVIRONMENT_JSON=$(echo "$ENVIRONMENT" | base64 --decode | jq -r '.')
    ENVIRONMENT_NAME=$(echo "$ENVIRONMENT_JSON" | jq -r '.name')
    PROJECT_ID=$(az devops project show --project $PROJECT_NAME | jq -r '.id')
    for SECURITY_GROUP in $(echo "${ENVIRONMENT_JSON}" | jq -r '.security_groups_name[] | @base64'); do
        SECURITY_GROUP_JSON=$(echo "${SECURITY_GROUP}" | base64 --decode)
        NAME=$(echo "${SECURITY_GROUP_JSON}" | jq -r '.name')
        ROLE=$(echo "${SECURITY_GROUP_JSON}" | jq -r '.role_name')
        echo "Get security group ID for $NAME"
        SECURITY_GROUP_ID=$(az devops security group list --project $PROJECT_NAME --org https://dev.azure.com/$ORG_NAME --output json | jq -r '.graphGroups[] | select(.displayName == "'"$NAME"'") | .originId')
        echo "Get evnironment ID by $ENVIRONMENT_NAME"
        RESPONSE=$(curl --silent \
            --write-out "\n%{http_code}" \
            --header "Authorization: Basic $(echo -n :$PAT | base64)" \
            --header "Content-Type: application/json" \
            "https://dev.azure.com/$ORG_NAME/$PROJECT_NAME/_apis/distributedtask/environments?api-version=5.0-preview.1")
        HTTP_STATUS=$(tail -n1 <<< "$RESPONSE")
        RESPONSE_BODY=$(sed '$ d' <<< "$RESPONSE") 
        if [ $HTTP_STATUS != 200 ]; then
            echo "Failed to get the $NAME environment ID. $RESPONSE"
            exit 1;
        else
            echo "The ID of the $ENVIRONMENT_NAME environment was succesfully retrieved"
        fi
        ENVIRONMENT_ID=$(echo "$RESPONSE_BODY" | jq '.value[] | select(.name == "'"$ENVIRONMENT_NAME"'") | .id' | tr -d '"')  
        RESPONSE=$(curl --silent \
            --write-out "\n%{http_code}" \
            --request PUT \
            --header "Authorization: Basic $(echo -n :$PAT | base64)" \
            --header "Content-Type: application/json" \
            --data-raw '[{"roleName": "'"$ROLE"'","userId": "'"$SECURITY_GROUP_ID"'"}]' \
            "https://dev.azure.com/$ORG_NAME/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/$PROJECT_ID"_"$ENVIRONMENT_ID?api-version=5.0-preview.1")
        HTTP_STATUS=$(tail -n1 <<< "$RESPONSE")
        RESPONSE_BODY=$(sed '$ d' <<< "$RESPONSE") 
        if [ $HTTP_STATUS != 200 ]; then
            echo "Failed to associate the $NAME security group to the $ENVIRONMENT_NAME environment. $RESPONSE"
            exit 1;
        else
            echo "The $NAME security group was successfully associated to the $ENVIRONMENT_NAME environment"
        fi
    done
done