From 913c7fa67cad5c28d79e1de7abdb00b22d3a79e4 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Thu, 12 Dec 2024 08:56:49 +0100
Subject: [PATCH] grant devops msi cluster admin permission during cluster creation

the devops msi is used in EV2 to deploy services onto the cluster

Signed-off-by: Gerd Oberlechner
---
 .../modules/aks-cluster-base.bicep | 27 +++++++++++++++++++
 .../templates/mgmt-cluster.bicep | 1 +
 .../templates/svc-cluster.bicep | 2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index b16f513a1..431251e59 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -47,16 +47,31 @@ param userOsDiskSizeGB int
 param acrPullResourceGroups array = []
+@description('MSI that will take actions on the AKS cluster during service deployment time')
+param aroDevopsMsiId string
+
 @description('Perform cryptographic operations using keys. Only works for key vaults that use the Azure role-based access control permission model.')
 var keyVaultCryptoUserId = subscriptionResourceId(
 'Microsoft.Authorization/roleDefinitions',
 '12338af0-0e69-4776-bea7-57ae8d297424'
 )
+// Azure Kubernetes Service Cluster Admin Role
+// https://www.azadvertizer.net/azrolesadvertizer/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8.html
 var aksClusterAdminRoleId = subscriptionResourceId(
 'Microsoft.Authorization/roleDefinitions/',
 '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
 )
+
+// Azure Kubernetes Service RBAC Cluster Admin Role
+// https://www.azadvertizer.net/azrolesadvertizer/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b.html
+var aksClusterAdminRBACRoleId = subscriptionResourceId(
+ 'Microsoft.Authorization/roleDefinitions/',
+ 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
+)
+
+// Network Contributor Role
+// https://www.azadvertizer.net/azrolesadvertizer/4d97b98b-1d4f-4787-a291-c67834d212e7.html
 var networkContributorRoleId = subscriptionResourceId(
 'Microsoft.Authorization/roleDefinitions/',
 '4d97b98b-1d4f-4787-a291-c67834d212e7'
@@ -454,6 +469,18 @@ resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federate
 }
 ]
+// grant aroDevopsMsi the aksClusterAdmin role on the aksCluster so it can
+// deploy services to the cluster
+resource aroDevopsMSIClusterAdmin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(aksCluster.id, aroDevopsMsiId, aksClusterAdminRBACRoleId)
+ scope: aksCluster
+ properties: {
+ principalId: reference(aroDevopsMsiId, '2023-01-31').principalId
+ principalType: 'ServicePrincipal'
+ roleDefinitionId: aksClusterAdminRBACRoleId
+ }
+}
+
 // Outputs
 output userAssignedIdentities array = [
 for i in range(0, length(workloadIdentities)): {
diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
index 2f851bdd8..de559db74 100644
--- a/dev-infrastructure/templates/mgmt-cluster.bicep
+++ b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -148,6 +148,7 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
 systemAgentVMSize: systemAgentVMSize
 systemOsDiskSizeGB: aksSystemOsDiskSizeGB
 userOsDiskSizeGB: aksUserOsDiskSizeGB
+ aroDevopsMsiId: aroDevopsMsiId
 }
 }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index c9d81cb75..c723c0125 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -206,6 +206,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
 })
 aksKeyVaultName: aksKeyVaultName
 acrPullResourceGroups: acrPullResourceGroups
+ aroDevopsMsiId: aroDevopsMsiId
 }
 }
@@ -313,7 +314,6 @@ module cs '../modules/cluster-service.bicep' = {
 }
 dependsOn: [
 maestroServer
- svcCluster
 ]
 }
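Review bot: The comment on `aroDevopsMSIClusterAdmin` says it grants "the aksClusterAdmin role", but the assignment uses `aksClusterAdminRBACRoleId` (Azure Kubernetes Service RBAC Cluster Admin), a different built-in role from the `aksClusterAdminRoleId` defined earlier in the file — the RBAC role grants full Kubernetes cluster-admin through Azure RBAC rather than the ability to list admin credentials, so the two should not be conflated. Because the assignment is scoped to the whole cluster, the EV2 deployment identity gets unrestricted write access to every namespace and cluster-scoped object on both the management and service clusters; if the deployments are namespaced, a namespace-scoped `Azure Kubernetes Service RBAC Admin`/`Writer` assignment would be a tighter fit, and if the breadth is intentional the comment should say so. I would replace the two comment lines with `// grant the devops MSI 'Azure Kubernetes Service RBAC Cluster Admin' (full Kubernetes cluster-admin via Azure RBAC)` / `// on the whole cluster so EV2 can deploy services into it`. Note also that this role only has effect when Azure RBAC for Kubernetes authorization is enabled on the cluster (the `aadProfile` settings are outside this hunk), which is worth confirming against the cluster definition.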