From 82570069e175e8f56c6283af65129d695d6ec386 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Mon, 8 Jul 2024 11:23:39 +0300
Subject: [PATCH] add aks managed identity permissions
---
 azure_jumpstart_arcbox/ARM/azuredeploy.json | 30 +++++++++++++++++--
 .../bicep/kubernetes/aks.bicep | 20 +++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/azure_jumpstart_arcbox/ARM/azuredeploy.json b/azure_jumpstart_arcbox/ARM/azuredeploy.json
index be47b32bff..74d7468dba 100644
--- a/azure_jumpstart_arcbox/ARM/azuredeploy.json
+++ b/azure_jumpstart_arcbox/ARM/azuredeploy.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.28.1.47646",
- "templateHash": "4648116851621429118"
+ "templateHash": "5764046023032759632"
 }
 },
 "parameters": {
@@ -8410,7 +8410,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.28.1.47646",
- "templateHash": "9258770347731613696"
+ "templateHash": "16902719430194420979"
 }
 },
 "parameters": {
@@ -8621,6 +8621,30 @@
 }
 }
 }
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName')), 'Microsoft.Authorization/roleAssignments', 'Owner')]",
+ "properties": {
+ "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName')), '2023-10-02-preview', 'full').identity.principalId]",
+ "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('drClusterName')), 'Microsoft.Authorization/roleAssignments', 'Owner')]",
+ "properties": {
+ "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('drClusterName')), '2023-10-02-preview', 'full').identity.principalId]",
+ "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('drClusterName'))]"
+ ]
 }
 ]
 }
@@ -8638,4 +8662,4 @@
 "value": "[if(equals(parameters('flavor'), 'DataOps'), format('{0}@{1}', parameters('windowsAdminUsername'), parameters('addsDomainName')), '')]"
 }
 }
-}
\ No newline at end of file
+}s
\ No newline at end of file
diff --git a/azure_jumpstart_arcbox/bicep/kubernetes/aks.bicep b/azure_jumpstart_arcbox/bicep/kubernetes/aks.bicep
index e9906c8ac1..235a98b4fc 100644
--- a/azure_jumpstart_arcbox/bicep/kubernetes/aks.bicep
+++ b/azure_jumpstart_arcbox/bicep/kubernetes/aks.bicep
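Review bot: Both new `Microsoft.Authorization/roleAssignments` resources in the `@@ -8621,6 +8621,30 @@` hunk grant role definition `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` (Owner, per the comments in the aks.bicep hunk) to each cluster's managed identity, and because neither resource carries a `scope` property the assignment lands on the nested deployment's own scope, presumably the whole resource group given the bicep's `scope: resourceGroup()`. Owner is unrestricted and includes write on role assignments, so the cluster identity could in turn grant roles to any principal in that group; a narrower built-in role limited to what the cluster actually has to manage, or an explicit `scope` on just the resources it needs, keeps this to least privilege and makes the intent auditable. The same point applies to `aksRoleAssignment_Owner` and `aksDRRoleAssignment_Owner` in aks.bicep, so it is raised once here. Since this file declares `"_generator": { "name": "bicep" ... }` in the first hunk, the change belongs in aks.bicep with this JSON regenerated rather than edited in parallel.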
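Review bot: The new final line `+}s` in the `@@ -8638,4 +8662,4 @@` hunk leaves azuredeploy.json unparseable as JSON, so the template is rejected before any of the new role assignments can deploy; the line should remain `}`. A stray character at the end of a file that declares itself bicep-generated suggests a hand edit, and the `templateHash` values changed in this commit may then not correspond to a clean `bicep build` output; regenerating the file from aks.bicep would resolve both.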
@@ -149,3 +149,23 @@ resource drClusterName_resource 'Microsoft.ContainerService/managedClusters@2023
 }
 }
 }
+
+// Add role assignment for the AKS cluster: Owner role
+resource aksRoleAssignment_Owner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(aksClusterName_resource.id, 'Microsoft.Authorization/roleAssignments', 'Owner')
+ scope: resourceGroup()
+ properties: {
+ principalId: aksClusterName_resource.identity.principalId
+ roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ }
+}
+
+// Add role assignment for the AKS DR cluster: Owner role
+resource aksDRRoleAssignment_Owner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(drClusterName_resource.id, 'Microsoft.Authorization/roleAssignments', 'Owner')
+ scope: resourceGroup()
+ properties: {
+ principalId: drClusterName_resource.identity.principalId
+ roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ }
+}
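Review bot: Neither `aksRoleAssignment_Owner` nor `aksDRRoleAssignment_Owner` sets `principalType`, yet both take `identity.principalId` from a cluster created in the same deployment; role assignments for a just-created system-assigned identity are documented to fail intermittently with a principal-not-found error while the directory replicates, and adding `principalType: 'ServicePrincipal'` inside `properties` of each resource is the documented remedy. The two compiled resources in the azuredeploy.json hunk omit it as well. Reading `aksClusterName_resource.identity.principalId` also requires that cluster to declare a system-assigned identity; its definition lies outside this hunk, so that should be confirmed before merging. The header comments only restate the resource; each would be more useful recording why Owner is needed, e.g. `// Owner on the resource group so the cluster identity can manage <dependent resources> — TODO confirm the least-privileged role`.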