From 164fbccf00357dda58e945155057875f06090905 Mon Sep 17 00:00:00 2001 From: Gerd Oberlechner Date: Fri, 22 Nov 2024 17:26:32 +0100 Subject: [PATCH] fix CS MI resource ID reference uses the CS MI resource ID to lookup the MI to extract the real principal ID for role assignments. Signed-off-by: Gerd Oberlechner --- config/config.msft.yaml | 2 +- config/config.schema.json | 4 ++-- config/config.yaml | 2 +- config/public-cloud-cs-pr.json | 2 +- config/public-cloud-dev.json | 2 +- config/public-cloud-msft-int.json | 2 +- config/public-cloud-personal-dev.json | 2 +- .../mgmt-cluster.tmpl.bicepparam | 2 +- .../templates/mgmt-cluster.bicep | 23 +++++++++++++------ 9 files changed, 25 insertions(+), 16 deletions(-) diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 1d46567e6..6ca8c9b0d 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -32,7 +32,7 @@ defaults: # MGMT cluster specifics mgmt: - clusterServicePrincipalId: 'todo' + clusterServiceResourceId: 'todo' subscription: hcp-{{ .ctx.region }} rg: hcp-underlay-{{ .ctx.region }}-mgmt-{{ .ctx.stamp }} etcd: diff --git a/config/config.schema.json b/config/config.schema.json index d734856b9..a12598003 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -325,7 +325,7 @@ "subscription": { "type": "string" }, - "clusterServicePrincipalId": { + "clusterServiceResourceId": { "type": "string" }, "systemAgentPool": { @@ -383,7 +383,7 @@ }, "additionalProperties": false, "required": [ - "clusterServicePrincipalId", + "clusterServiceResourceId", "etcd", "rg", "systemAgentPool", diff --git a/config/config.yaml b/config/config.yaml index ccc41b05e..356f04416 100644 --- a/config/config.yaml +++ b/config/config.yaml 
@@ -32,7 +32,7 @@ defaults: # MGMT cluster specifics mgmt: - clusterServicePrincipalId: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-{{ .ctx.regionShort }}-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service + clusterServiceResourceId: /subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-{{ .ctx.regionShort }}-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service subscription: hcp-{{ .ctx.region }} rg: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }} etcd: diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index 4a35dff7c..00a90eab5 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -75,7 +75,7 @@ "serverMqttClientName": "maestro-server-cspr-cs" }, "mgmt": { - "clusterServicePrincipalId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-cspr-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", + "clusterServiceResourceId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-cspr-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", "etcd": { "kvName": "arohcp-etcd-cspr-1", "kvSoftDelete": false diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index 9c71d444c..ccffefeaf 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json 
@@ -75,7 +75,7 @@ "serverMqttClientName": "maestro-server-dev-dev" }, "mgmt": { - "clusterServicePrincipalId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-dev-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", + "clusterServiceResourceId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-dev-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", "etcd": { "kvName": "arohcp-etcd-dev-1", "kvSoftDelete": false diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index 64e1fe688..e49ea3bed 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json @@ -75,7 +75,7 @@ "serverMqttClientName": "maestro-server" }, "mgmt": { - "clusterServicePrincipalId": "todo", + "clusterServiceResourceId": "todo", "etcd": { "kvName": "arohcp-etcd-int-1", "kvSoftDelete": true diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index a715c0d8d..62a703a5c 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json @@ -75,7 +75,7 @@ "serverMqttClientName": "maestro-server-usw3tst" }, "mgmt": { - "clusterServicePrincipalId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-usw3tst-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", + "clusterServiceResourceId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourcegroups/hcp-underlay-usw3tst-svc/providers/Microsoft.ManagedIdentity/userAssignedIdentities/clusters-service", "etcd": { "kvName": "arohcp-etcd-usw3tst-1", "kvSoftDelete": false diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam index 316d93108..0a76a89c7 100644 --- a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam 
+++ b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam @@ -54,7 +54,7 @@ param mgmtKeyVaultSoftDelete = {{ .mgmtKeyVault.softDelete }} // Cluster Service identity // used for Key Vault access -param clusterServicePrincipalId = '{{ .mgmt.clusterServicePrincipalId }}' +param clusterServiceMIResourceId = '{{ .mgmt.clusterServiceResourceId }}' // MI for deployment scripts param aroDevopsMsiId = '{{ .aroDevopsMsiId }}' diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep index 2a31f4f9f..3670dcb5f 100644 --- a/dev-infrastructure/templates/mgmt-cluster.bicep +++ b/dev-infrastructure/templates/mgmt-cluster.bicep @@ -110,8 +110,8 @@ param mgmtKeyVaultPrivate bool @description('Defines if the MGMT KeyVault has soft delete enabled') param mgmtKeyVaultSoftDelete bool -@description('Cluster user assigned identity principal id, used to grant KeyVault access') -param clusterServicePrincipalId string +@description('Cluster user assigned identity resource id, used to grant KeyVault access') +param clusterServiceMIResourceId string @description('MSI that will be used to run deploymentScripts') param aroDevopsMsiId string 
@@ -248,17 +248,26 @@ module mgmtKeyVault '../modules/keyvault/keyvault.bicep' = { } } +var clusterServiceMISplit = split(clusterServiceMIResourceId, '/') +var clusterServiceMIResourceGroup = clusterServiceMISplit[4] +var clusterServiceMIName = last(clusterServiceMISplit) + +resource clusterServiceMI 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = { + scope: resourceGroup(clusterServiceMIResourceGroup) + name: clusterServiceMIName +} + module cxClusterServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = [ for role in [ 'Key Vault Secrets Officer' 'Key Vault Certificate User' 'Key Vault Certificates Officer' ]: { - name: guid(cxKeyVaultName, clusterServicePrincipalId, role) + name: guid(cxKeyVaultName, clusterServiceMIResourceId, role) params: { keyVaultName: cxKeyVaultName roleName: role - managedIdentityPrincipalId: clusterServicePrincipalId + managedIdentityPrincipalId: clusterServiceMI.properties.principalId } dependsOn: [ cxKeyVault @@ -272,11 +281,11 @@ module msiClusterServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-acce 'Key Vault Certificate User' 'Key Vault Certificates Officer' ]: { - name: guid(msiKeyVaultName, clusterServicePrincipalId, role) + name: guid(msiKeyVaultName, clusterServiceMIResourceId, role) params: { keyVaultName: msiKeyVaultName roleName: role - managedIdentityPrincipalId: clusterServicePrincipalId + managedIdentityPrincipalId: clusterServiceMI.properties.principalId } dependsOn: [ msiKeyVault @@ -284,7 +293,7 @@ module msiClusterServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-acce } ] -// +// // E V E N T G R I D P R I V A T E E N D P O I N T C O N N E C T I O N //
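Review bot: The `existing` lookup of `clusterServiceMI` uses the one-argument `resourceGroup(clusterServiceMIResourceGroup)`, which resolves the group in the deploying subscription and silently drops the subscription segment that `clusterServiceMIResourceId` carries. The configs point the identity at subscription `1d3378d3-…` while the management cluster deploys into `hcp-{{ .ctx.region }}`; if those ever differ, the lookup either fails or, should a same-named resource group and identity exist in the deploying subscription, grants `Key Vault Secrets Officer`/`Key Vault Certificates Officer` on both vaults to the wrong principal. Take the subscription from the parsed ID as well: `scope: resourceGroup(clusterServiceMISplit[2], clusterServiceMISplit[4])`. The `'todo'` placeholders left in config.msft.yaml and public-cloud-msft-int.json will presumably now make `clusterServiceMISplit[4]` fail at deployment time rather than assign roles to an empty principal, which is acceptable fail-closed behaviour but worth stating in the parameter's `@description`. The `cxClusterServiceKeyVaultAccess` module body continues past the end of this hunk.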