fallback to built-in role for token mgmt

Signed-off-by: Gerd Oberlechner <[email protected]>

config/config.msft.yaml

@@ -8,7 +8,7 @@ defaults:
   global:
     rg: b-gerdo-global-shared-resources
     subscription: hcp-{{ .ctx.region }}
-    manageTokenCustomRole: true
+    manageTokenCustomRole: false
     region: uksouth
 
   # General AKS config

dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam

@@ -43,6 +43,7 @@ param serviceKeyVaultPrivate = {{ .serviceKeyVault.private }}
 
 param acrPullResourceGroups = ['{{ .global.rg }}']
 param clustersServiceAcrResourceGroupNames = ['{{ .clusterService.acrRG }}']
+param useCustomACRTokenManagementRole = {{ .global.manageTokenCustomRole }}
 
 param oidcStorageAccountName = '{{ .oidcStorageAccountName }}'
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'

dev-infrastructure/modules/acr/acr-permissions.bicep

@@ -7,24 +7,42 @@ param grantPushAccess bool = false
 @description('Whether to grant manage token access to the ACR')
 param grantManageTokenAccess bool = false
 
+@description(
+  '''
+  The custom token management role might not be available in an environment due to quota limitations.
+  In such cases, the default ACR Contributor and Data Access Configuration Administrator role will
+  be used for token management permissions.
+  '''
+)
+param useCustomManageTokenRole bool = false
+
 @description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
+// https://www.azadvertizer.net/azrolesadvertizer/7f951dda-4ed3-4680-a7ca-43fe172d538d.html
 var acrPullRoleDefinitionId = subscriptionResourceId(
   'Microsoft.Authorization/roleDefinitions',
   '7f951dda-4ed3-4680-a7ca-43fe172d538d'
 )
 
+// https://www.azadvertizer.net/azrolesadvertizer/8311e382-0749-4cb8-b61a-304f252e45ec.html
 var acrPushRoleDefinitionId = subscriptionResourceId(
   'Microsoft.Authorization/roleDefinitions',
   '8311e382-0749-4cb8-b61a-304f252e45ec'
 )
 
+// https://www.azadvertizer.net/azrolesadvertizer/c2f4ef07-c644-48eb-af81-4b1b4947fb11.html
 var acrDeleteRoleDefinitionId = subscriptionResourceId(
   'Microsoft.Authorization/roleDefinitions',
   'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 )
 
+// https://www.azadvertizer.net/azrolesadvertizer/3bc748fc-213d-45c1-8d91-9da5725539b9.html
+var acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId = subscriptionResourceId(
+  'Microsoft.Authorization/roleDefinitions',
+  '3bc748fc-213d-45c1-8d91-9da5725539b9'
+)
+
 resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
   name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
   properties: {
@@ -52,17 +70,34 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
+//
+// Custom role for token management permissions
+//
+
 import * as tmr from 'token-role-name.bicep'
 
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess) {
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess && useCustomManageTokenRole) {
   name: guid(tmr.tokenManagementRoleName)
 }
 
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
+resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && useCustomManageTokenRole) {
   name: guid(acrResourceGroupid, principalId, 'token-creation-role')
   properties: {
     roleDefinitionId: tokenManagementRole.id
     principalId: principalId
     principalType: 'ServicePrincipal'
   }
 }
+
+//
+// Build-in wider role for token management permissions
+//
+
+resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && !useCustomManageTokenRole) {
+  name: guid(acrResourceGroupid, principalId, acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId)
+  properties: {
+    roleDefinitionId: acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}

dev-infrastructure/modules/cluster-service.bicep

@@ -43,6 +43,14 @@ param regionalResourceGroup string
 @description('The names of the ACR resource groups / will be refactored soon into dedicated ACR Resource IDs')
 param acrResourceGroupNames array = []
 
+@description(
+  '''
+  Defines if the custom ACR token management role should be used to grant
+  CS token management permissions on the OCP ACR
+  '''
+)
+param useCustomACRTokenManagementRole bool
+
 //
 //   P O S T G R E S
 //
@@ -165,6 +173,7 @@ module acrManageTokenRole '../modules/acr/acr-permissions.bicep' = [
     params: {
       principalId: clusterServiceManagedIdentityPrincipalId
       grantManageTokenAccess: true
+      useCustomManageTokenRole: useCustomACRTokenManagementRole
       acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
     }
   }

dev-infrastructure/templates/svc-cluster.bicep

@@ -134,6 +134,14 @@ param oidcStorageAccountSku string = 'Standard_ZRS'
 @description('Clusters Service ACR RG names')
 param clustersServiceAcrResourceGroupNames array = []
 
+@description(
+  '''
+  Defines if the custom ACR token management role should be used to grant
+  CS token management permissions on the OCP ACR
+  '''
+)
+param useCustomACRTokenManagementRole bool
+
 @description('MSI that will be used to run the deploymentScript')
 param aroDevopsMsiId string
 
@@ -321,6 +329,7 @@ module cs '../modules/cluster-service.bicep' = {
     regionalDNSZoneName: regionalDNSZoneName
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
+    useCustomACRTokenManagementRole: useCustomACRTokenManagementRole
   }
   dependsOn: [
     maestroServer