#!/bin/bash
# Create Credential Manifests in Entra VerifiedID
# Provides templates and step-by-step instructions for all manifest types
#
# Fail fast: abort on any failing command, on any reference to an unset
# variable, and when any stage of a pipeline fails.
set -e
set -u
set -o pipefail
# ANSI colour escapes used by the log_* helpers. They are stored as literal
# "\033" sequences and only expanded at print time (echo -e / printf %b).
GREEN='\033[0;32m'   # success messages
BLUE='\033[0;34m'    # informational messages
YELLOW='\033[1;33m'  # warnings
NC='\033[0m'         # reset to the terminal default
# Print an informational line to stdout, prefixed with a blue "[INFO]" tag.
# Arguments: $1 - message text (backslash escapes in it are expanded, as with echo -e)
log_info() {
  printf '%b\n' "${BLUE}[INFO]${NC} $1"
}
# Print a success line to stdout, prefixed with a green "[SUCCESS]" tag.
# Arguments: $1 - message text (backslash escapes in it are expanded, as with echo -e)
log_success() {
  printf '%b\n' "${GREEN}[SUCCESS]${NC} $1"
}
# Print a warning line to stdout, prefixed with a yellow "[WARNING]" tag.
# Arguments: $1 - message text (backslash escapes in it are expanded, as with echo -e)
log_warning() {
  printf '%b\n' "${YELLOW}[WARNING]${NC} $1"
}
# Work from two directories above the script's own directory so that the
# relative MANIFESTS_DIR below resolves the same way wherever the script is
# invoked from. Under set -e a failed cd already aborts; the || exit keeps
# that explicit.
cd "$(dirname "$0")/../.." || exit 1
# Output directory for the generated templates and the helper script.
MANIFESTS_DIR="manifests/entra"
mkdir -p "${MANIFESTS_DIR}"
log_info "Credential Manifest Creation Guide"
printf '\n'
# Create manifest templates
log_info "Creating manifest templates..."
# Default/Identity Manifest Template: the base member credential.
# Required claims: email, name. Optional claims: role, userId.
# The delimiter is quoted so the JSON body is written out literally,
# with no parameter expansion.
cat <<'EOF' >"${MANIFESTS_DIR}/default-manifest-template.json"
{
"name": "The Order Identity Credential",
"description": "Identity credential for members of The Order",
"claims": [
{
"claim": "email",
"type": "String",
"required": true
},
{
"claim": "name",
"type": "String",
"required": true
},
{
"claim": "role",
"type": "String",
"required": false
},
{
"claim": "userId",
"type": "String",
"required": false
}
],
"issuer": {
"name": "The Order",
"domain": "theorder.org"
}
}
EOF
# Diplomatic Manifest Template (Letters of Credence).
# Required claims: recipientName, recipientTitle, missionCountry,
# missionType (one of embassy/consulate/delegation/mission), appointmentDate.
# Optional claim: expirationDate.
# The delimiter is quoted so the JSON body is written out literally.
cat <<'EOF' >"${MANIFESTS_DIR}/diplomatic-manifest-template.json"
{
"name": "The Order Letters of Credence",
"description": "Diplomatic credential for Letters of Credence",
"claims": [
{
"claim": "recipientName",
"type": "String",
"required": true
},
{
"claim": "recipientTitle",
"type": "String",
"required": true
},
{
"claim": "missionCountry",
"type": "String",
"required": true
},
{
"claim": "missionType",
"type": "String",
"required": true,
"enum": ["embassy", "consulate", "delegation", "mission"]
},
{
"claim": "appointmentDate",
"type": "DateTime",
"required": true
},
{
"claim": "expirationDate",
"type": "DateTime",
"required": false
}
],
"issuer": {
"name": "The Order",
"domain": "theorder.org"
}
}
EOF
# Judicial Manifest Template (judicial appointments).
# Required claims: role (one of judge/magistrate/justice/prosecutor),
# appointmentAuthority, jurisdiction, appointmentDate.
# Optional claim: termLength (Number).
# The delimiter is quoted so the JSON body is written out literally.
cat <<'EOF' >"${MANIFESTS_DIR}/judicial-manifest-template.json"
{
"name": "The Order Judicial Appointment Credential",
"description": "Judicial appointment credential",
"claims": [
{
"claim": "role",
"type": "String",
"required": true,
"enum": ["judge", "magistrate", "justice", "prosecutor"]
},
{
"claim": "appointmentAuthority",
"type": "String",
"required": true
},
{
"claim": "jurisdiction",
"type": "String",
"required": true
},
{
"claim": "appointmentDate",
"type": "DateTime",
"required": true
},
{
"claim": "termLength",
"type": "Number",
"required": false
}
],
"issuer": {
"name": "The Order",
"domain": "theorder.org"
}
}
EOF
# Financial Manifest Template (financial roles).
# Required claims: role (one of financial-officer/treasurer/accountant/auditor),
# appointmentAuthority, jurisdiction, appointmentDate. No optional claims.
# The delimiter is quoted so the JSON body is written out literally.
cat <<'EOF' >"${MANIFESTS_DIR}/financial-manifest-template.json"
{
"name": "The Order Financial Role Credential",
"description": "Financial role credential",
"claims": [
{
"claim": "role",
"type": "String",
"required": true,
"enum": ["financial-officer", "treasurer", "accountant", "auditor"]
},
{
"claim": "appointmentAuthority",
"type": "String",
"required": true
},
{
"claim": "jurisdiction",
"type": "String",
"required": true
},
{
"claim": "appointmentDate",
"type": "DateTime",
"required": true
}
],
"issuer": {
"name": "The Order",
"domain": "theorder.org"
}
}
EOF
log_success "Manifest templates created in ${MANIFESTS_DIR}/"
printf '\n'
# Create step-by-step guide
log_info "Step-by-Step Instructions:"
# One heredoc instead of a run of echo calls. The delimiter is unquoted so
# ${MANIFESTS_DIR} is expanded; the remaining text contains no $, backtick or
# backslash and is printed verbatim.
cat <<EOF

For each manifest type, follow these steps:

1. Go to Azure Portal → Verified ID → Credentials
 Direct link: https://portal.azure.com/#view/Microsoft_AAD_IAM/VerifiedIDBlade

2. Click 'Add credential' or 'Create new credential'

3. Choose credential type (or use 'Custom credential')

4. Configure the credential using the templates in ${MANIFESTS_DIR}/

5. For each manifest:
 - Default: Use default-manifest-template.json
 - Diplomatic: Use diplomatic-manifest-template.json
 - Judicial: Use judicial-manifest-template.json
 - Financial: Use financial-manifest-template.json

6. After creating each manifest:
 - Note the Manifest ID (displayed after creation)
 - Run: ./scripts/deploy/configure-multi-manifest.sh
 - Or manually add to ENTRA_MANIFESTS environment variable

EOF
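# Create automated manifest ID collector.
# The generated helper builds the ENTRA_MANIFESTS JSON value from operator
# input. Fixes over the previous version: values are read with -r (no
# backslash mangling), the required default ID is rejected when empty, and
# each ID is escaped before being placed inside a JSON string so a stray
# backslash or double quote cannot produce an unparseable value.
# The delimiter is quoted so the helper's own $-expansions stay literal.
cat > "${MANIFESTS_DIR}/collect-manifest-ids.sh" << 'EOF'
#!/bin/bash
# Collect Manifest IDs after creation
# Run this after creating manifests in Azure Portal
set -u

# Escape a value for use inside a JSON string literal.
# Arguments: $1 - raw value
# Outputs:   the value with backslash and double quote escaped, no newline
json_escape() {
  local value=$1
  value=${value//\\/\\\\}
  value=${value//\"/\\\"}
  printf '%s' "${value}"
}

# Append one "key":"value" member to MANIFESTS, prefixing a comma when the
# object already has a member.
# Arguments: $1 - JSON key, $2 - raw value (escaped here)
add_manifest() {
  local key=$1
  local value
  value=$(json_escape "$2")
  if [ "${MANIFESTS}" != "{" ]; then
    MANIFESTS+=","
  fi
  MANIFESTS+="\"${key}\":\"${value}\""
}

echo "Enter Manifest IDs (press Enter to skip optional ones):"
echo ""
read -r -p "Default Manifest ID: " DEFAULT_ID
if [ -z "${DEFAULT_ID}" ]; then
  echo "Default Manifest ID is required" >&2
  exit 1
fi
read -r -p "Diplomatic Manifest ID (optional): " DIPLOMATIC_ID
read -r -p "Judicial Manifest ID (optional): " JUDICIAL_ID
read -r -p "Financial Manifest ID (optional): " FINANCIAL_ID

MANIFESTS="{"
add_manifest default "${DEFAULT_ID}"
[ -n "${DIPLOMATIC_ID}" ] && add_manifest diplomatic "${DIPLOMATIC_ID}"
[ -n "${JUDICIAL_ID}" ] && add_manifest judicial "${JUDICIAL_ID}"
[ -n "${FINANCIAL_ID}" ] && add_manifest financial "${FINANCIAL_ID}"
MANIFESTS+="}"

echo ""
# The value is wrapped in single quotes for .env; an ID containing a single
# quote would need re-quoting by hand before pasting.
echo "ENTRA_MANIFESTS='${MANIFESTS}'"
echo ""
echo "Add this to your .env file or Kubernetes secrets"
EOF
chmod +x "${MANIFESTS_DIR}/collect-manifest-ids.sh"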
# Closing summary for the operator: where the templates were written and
# which helper to run once the manifests exist in the portal.
log_success 'Manifest creation guide complete!'
log_info "Templates saved to: $MANIFESTS_DIR/"
log_info "After creating manifests, run: $MANIFESTS_DIR/collect-manifest-ids.sh"