enables creation of multiple workload identities via loop and arrays

Azure · May 8, 2024 · c5afbfa · c5afbfa
1 parent c86e73a
commit c5afbfa
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 30 deletions.
diff --git a/dev-infrastructure/configurations/mgmt-cluster.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.bicepparam
@@ -6,6 +6,7 @@ param subnetPrefix = enablePrivateCluster ? '10.132.8.0/21' : '10.128.8.0/21'
 param podSubnetPrefix = enablePrivateCluster ? '10.132.64.0/18' : '10.128.64.0/18'
 param enablePrivateCluster = false
 param persist = false
+param workloadIdentities = []
 
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
diff --git a/dev-infrastructure/configurations/svc-cluster.bicepparam b/dev-infrastructure/configurations/svc-cluster.bicepparam
@@ -8,6 +8,13 @@ param enablePrivateCluster = false
 param persist = false
 param disableLocalAuth = false
 param deployFrontendCosmos = false
+param workloadIdentities = items({
+  frontend_wi: {
+      uamiName: 'frontend'
+      namespace: 'aro-hcp'
+      serviceAccountName: 'frontend'
+  }
+})
 
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -19,6 +19,8 @@ param vnetAddressPrefix string
 param subnetPrefix string
 param podSubnetPrefix string
 param clusterType string
+param workloadIdentities array
+
 
 // Local Params
 @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.')
@@ -338,7 +340,34 @@ resource currentUserAksRbacClusterAdmin 'Microsoft.Authorization/roleAssignments
     }
   }
 
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [
+for wi in workloadIdentities: {
+  location: location
+  name: '${wi.value.uamiName}-${location}'
+}]
+
+resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [
+for i in range(0, length(workloadIdentities)): {
+  parent: uami[i]
+  name: '${workloadIdentities[i].value.uamiName}-${location}-fedcred'
+  properties: {
+    audiences: [
+      'api://AzureADTokenExchange'
+    ]
+    issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
+    subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}'
+  }
+}]
+
 // Outputs
+output userAssignedIdentities array = [
+  for i in range(0, length(workloadIdentities)): {
+    uamiID: uami[i].id
+    uamiName: workloadIdentities[i].value.uamiName
+    uamiClientID: uami[i].properties.clientId
+    uamiPrincipalID: uami[i].properties.principalId
+  }
+]
 output aksVnetId string = vnet.id
 output aksNodeSubnetId string = aksNodeSubnet.id
 output aksOidcIssuerUrl string = aksCluster.properties.oidcIssuerProfile.issuerURL
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -22,6 +22,9 @@ param enablePrivateCluster bool
 @description('Kuberentes version to use with AKS')
 param kubernetesVersion string
 
+@description('List of workload identities to create and their required values')
+param workloadIdentities array
+
 module mgmtCluster '../modules/aks-cluster-base.bicep' = {
   name: 'aks_base_cluster'
   scope: resourceGroup()
@@ -35,5 +38,6 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'mgmt'
+    workloadIdentities: workloadIdentities
   }
 }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -29,8 +29,11 @@ param disableLocalAuth bool
 @description('Deploy ARO HCP RP Azure Cosmos DB if true')
 param deployFrontendCosmos bool
 
+@description('List of workload identities to create and their required values')
+param workloadIdentities array
+
 module svcCluster '../modules/aks-cluster-base.bicep' = {
-  name: 'aks_base_cluster'
+  name: 'svc-cluster'
   scope: resourceGroup()
   params: {
     location: location
@@ -42,38 +45,23 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'svc'
+    workloadIdentities: workloadIdentities
   }
 }
+var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0]
 
-module rpCosmosDb '../modules/rp-cosmos.bicep' =
-  if (deployFrontendCosmos) {
-    name: 'rp_cosmos_db'
-    scope: resourceGroup()
-    params: {
-      location: location
-      aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId
-      vnetId: svcCluster.outputs.aksVnetId
-      disableLocalAuth: disableLocalAuth
-      userAssignedMI: frontend_mi.id
-      uamiPrincipalId: frontend_mi.properties.principalId
-    }
-  }
-
-resource frontend_mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  location: location
-  name: 'frontend-${location}'
-}
-
-resource frontend_mi_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
-  name: 'frontend-${location}-fedcred'
-  parent: frontend_mi
-  properties: {
-    audiences: [
-      'api://AzureADTokenExchange'
-    ]
-    issuer: svcCluster.outputs.aksOidcIssuerUrl
-    subject: 'system:serviceaccount:aro-hcp:frontend'
+module rpCosmosDb '../modules/rp-cosmos.bicep' = 
+if (deployFrontendCosmos) {
+  name: 'rp_cosmos_db'
+  scope: resourceGroup()  
+  params: {
+    location: location
+    aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId
+    vnetId: svcCluster.outputs.aksVnetId
+    disableLocalAuth: disableLocalAuth
+    userAssignedMI: frontendMI.uamiID
+    uamiPrincipalId: frontendMI.uamiPrincipalID
   }
 }
 
-output frontend_mi_client_id string = frontend_mi.properties.clientId
+output frontend_mi_client_id string = frontendMI.uamiClientID