use the devops MSI to manage postgres

... instead of introducing new MSIs Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Nov 28, 2024 · 1e00fd9 · 1e00fd9
1 parent a50d8dc
commit 1e00fd9
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 36 deletions.
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
@@ -1,6 +1,3 @@
-@description('The location for the PostGres DB')
-param location string
-
 @description('The managed identity name CS will use to interact with Azure resources')
 param clusterServiceManagedIdentityName string
 
@@ -43,25 +40,21 @@ param regionalResourceGroup string
 @description('The names of the ACR resource groups / will be refactored soon into dedicated ACR Resource IDs')
 param acrResourceGroupNames array = []
 
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
+
 //
 //   P O S T G R E S
 //
 
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
-
 module postgres 'postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
   params: {
     name: postgresServerName
     databaseAdministrators: [
-      // add the dedicated admin managed identity as administrator
-      // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: reference(postgresAdministrationManagedIdentityId, '2023-01-31').name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -108,7 +101,7 @@ module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = if (de
   name: '${deployment().name}-cs-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: csDatabaseName
     newUserName: clusterServiceManagedIdentityName
     newUserPrincipalId: clusterServiceManagedIdentityPrincipalId

diff --git a/dev-infrastructure/modules/maestro/maestro-server.bicep b/dev-infrastructure/modules/maestro/maestro-server.bicep
@@ -60,17 +60,13 @@ param maestroServerManagedIdentityName string
 @description('The principal ID of the Managed Identity for the Maestro cluster service')
 param maestroServerManagedIdentityPrincipalId string
 
-param location string
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
 
 //
 //   P O S T G R E S
 //
 
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
-
 module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
   params: {
@@ -80,8 +76,8 @@ module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
       // add the dedicated admin managed identity as administrator
       // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: reference(postgresAdministrationManagedIdentityId, '2023-01-31').name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -121,7 +117,7 @@ module csManagedIdentityDatabaseAccess '../postgres/postgres-access.bicep' = if
   name: '${deployment().name}-maestro-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: maestroDatabaseName
     newUserName: maestroServerManagedIdentityName
     newUserPrincipalId: maestroServerManagedIdentityPrincipalId

diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep
@@ -6,8 +6,8 @@ The user will also be enabled for entra authentication.
 @description('The name of the postgres server that will be managed')
 param postgresServerName string
 
-@description('The name of the managed identity that will be used to manage access in the database')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the managed identity that will be used to manage access in the database')
+param postgresAdministrationManagedIdentityId string
 
 @description('The principal ID / object ID of the managed identity that will be granted access to')
 param newUserPrincipalId string
@@ -42,7 +42,7 @@ module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
   params: {
     postgresServerName: postgres.properties.fullyQualifiedDomainName
     databaseName: 'postgres' // access configuration is managed in the postgres DB
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentityName
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     sqlScript: string(join(sqlScriptLines, '\n'))
   }
 }
diff --git a/dev-infrastructure/modules/postgres/postgres-sql.bicep b/dev-infrastructure/modules/postgres/postgres-sql.bicep
@@ -8,17 +8,13 @@ param postgresServerName string
 @description('The database name where an SQL script will be executed')
 param databaseName string
 
-@description('The name of the user-assigned managed identity that will be used to execute the SQL script')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the user-assigned managed identity that will be used to execute the SQL script')
+param postgresAdministrationManagedIdentityId string
 
 @description('The SQL script to execute on the PostgreSQL server')
 param sqlScript string
 
-param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}+${postgresAdminManagedIdentityName}')
-
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
-  name: postgresAdminManagedIdentityName
-}
+param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}/${postgresAdministrationManagedIdentityId}')
 
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   name: deployment().name
@@ -27,7 +23,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
-      '${postgresAdminManagedIdentity.id}': {}
+      '${postgresAdministrationManagedIdentityId}': {}
     }
   }
 
@@ -58,7 +54,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
       }
       {
         name: 'PGUSER'
-        value: postgresAdminManagedIdentity.name
+        value: reference(postgresAdministrationManagedIdentityId, '2023-01-31').name
       }
     ]
     timeout: 'PT30M'

diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -250,6 +250,7 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
     privateEndpointVnetId: svcCluster.outputs.aksVnetId
     postgresServerPrivate: maestroPostgresPrivate
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
     maestroServerManagedIdentityPrincipalId: filter(
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
@@ -258,7 +259,6 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
     )[0].uamiName
-    location: location
   }
   dependsOn: [
     serviceKeyVault
@@ -307,7 +307,6 @@ var csManagedIdentityPrincipalId = filter(
 module cs '../modules/cluster-service.bicep' = {
   name: 'cluster-service'
   params: {
-    location: location
     postgresServerName: csPostgresServerName
     postgresServerMinTLSVersion: csPostgresServerMinTLSVersion
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
@@ -321,6 +320,7 @@ module cs '../modules/cluster-service.bicep' = {
     regionalDNSZoneName: regionalDNSZoneName
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
   }
   dependsOn: [
     maestroServer