devops MI keyvault cert creation on-demand permissions (#906)

* grant the devops MSI on-demand permissions when creating certs in KV
* move key-vault-cert module to keyvault folder

dev-infrastructure/configurations/mock-identities.tmpl.bicepparam

@@ -0,0 +1,5 @@
+using '../templates/mock-identities.bicep'
+
+param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
+
+param keyVaultName = '{{ .serviceKeyVault.name }}'

dev-infrastructure/modules/key-vault-cert.bicep → dev-infrastructure/modules/keyvault/key-vault-cert.bicep

@@ -2,9 +2,6 @@
 Creating certificates in Azure Key Vault is not supported by Bicep yet.
 This module leverages a deploymentscript to solve this for the time beeing.
 Proudly stolen from https://github.com/Azure/bicep/discussions/8457
-
-We might not need certificates for MQTT authentication altogether if
-Entra autentication can be leveraged: https://redhat-external.slack.com/archives/C03F6AA3HDH/p1713340078776669
 */
 
 param keyVaultName string
@@ -19,6 +16,15 @@ param force bool = false
 var boolstring = force == false ? '$false' : '$true'
 param validityInMonths int = 12
 
+module certificateOfficerAccess 'keyvault-secret-access.bicep' = {
+  name: 'kv-cert-officer-access-${keyVaultName}-${uniqueString(keyVaultManagedIdentityId)}'
+  params: {
+    keyVaultName: keyVaultName
+    roleName: 'Key Vault Certificates Officer'
+    managedIdentityPrincipalId: reference(keyVaultManagedIdentityId, '2023-01-31').principalId
+  }
+}
+
 resource newCertwithRotationKV 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   name: 'newCertwithRotationKV-${certName}'
   identity: {
@@ -32,7 +38,7 @@ resource newCertwithRotationKV 'Microsoft.Resources/deploymentScripts@2023-08-01
   properties: {
     azPowerShellVersion: '12.0.0'
     arguments: ' -VaultName ${keyVaultName} -ValidityInMonths ${validityInMonths} -IssuerName ${issuerName} -CertName ${certName} -SubjectName ${subjectName} -DnsNames ${join(dnsNames,'_')} -Force ${boolstring}'
-    scriptContent: loadTextContent('../scripts/key-vault-cert.ps1')
+    scriptContent: loadTextContent('../../scripts/key-vault-cert.ps1')
     forceUpdateTag: now
     cleanupPreference: 'Always'
     retentionInterval: 'P1D'

dev-infrastructure/modules/maestro/maestro-access-cert.bicep

@@ -37,7 +37,7 @@ param certificateAccessManagedIdentityPrincipalId string
 
 var clientAuthenticationName = '${clientName}.${certDomain}'
 
-module clientCertificate '../key-vault-cert.bicep' = {
+module clientCertificate '../keyvault/key-vault-cert.bicep' = {
   name: '${clientName}-client-cert'
   params: {
     keyVaultName: keyVaultName

dev-infrastructure/templates/mock-identities.bicep

@@ -1,42 +1,30 @@
 @description('Azure Region Location')
 param location string = resourceGroup().location
 
-@description('Name of the Key Vault Certificate Officer Managed Identity')
-param kvCertOfficerManagedIdentityName string
+@description('The resource ID of the managed identity that will be used for Key Vault operations')
+param aroDevopsMsiId string
 
 @description('The name of the key vault')
 param keyVaultName string
 
 @description('Global resource group name')
 param globalResourceGroupName string = 'global'
 
-module scriptMsi '../modules/keyvault/identity-script-msi.bicep' = {
-  name: 'script-msi'
-  params: {
-    location: location
-    kvCertOfficerManagedIdentityName: kvCertOfficerManagedIdentityName
-    keyVaultName: keyVaultName
-  }
-}
-
 //
 // F I R S T   P A R T Y   I D E N T I T Y
 //
 
-module firstPartyIdentity '../modules/key-vault-cert.bicep' = {
+module firstPartyIdentity '../modules/keyvault/key-vault-cert.bicep' = {
   name: 'first-party-identity'
   params: {
     location: location
-    keyVaultManagedIdentityId: scriptMsi.outputs.kvCertOfficerManagedIdentityId
+    keyVaultManagedIdentityId: aroDevopsMsiId
     keyVaultName: keyVaultName
     certName: 'firstPartyCert'
     subjectName: 'CN=firstparty.hcp.osadev.cloud'
     issuerName: 'Self'
     dnsNames: ['firstparty.hcp.osadev.cloud']
   }
-  dependsOn: [
-    scriptMsi
-  ]
 }
 
 resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
@@ -66,40 +54,34 @@ resource customRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
 // A R M   H E L P E R   I D E N T I T Y
 //
 
-module armHelperIdentity '../modules/key-vault-cert.bicep' = {
+module armHelperIdentity '../modules/keyvault/key-vault-cert.bicep' = {
   name: 'arm-helper-identity'
   params: {
     location: location
-    keyVaultManagedIdentityId: scriptMsi.outputs.kvCertOfficerManagedIdentityId
+    keyVaultManagedIdentityId: aroDevopsMsiId
     keyVaultName: keyVaultName
     certName: 'armHelperCert'
     subjectName: 'CN=armhelper.hcp.osadev.cloud'
     dnsNames: ['armhelper.hcp.osadev.cloud']
     issuerName: 'Self'
     validityInMonths: 1000
   }
-  dependsOn: [
-    scriptMsi
-  ]
 }
 
 //
 // M S I   R P   M O CK   I D E N T I T Y
 //
 
-module msiRPMockIdentity '../modules/key-vault-cert.bicep' = {
+module msiRPMockIdentity '../modules/keyvault/key-vault-cert.bicep' = {
   name: 'msi-mock-identity'
   params: {
     location: location
-    keyVaultManagedIdentityId: scriptMsi.outputs.kvCertOfficerManagedIdentityId
+    keyVaultManagedIdentityId: aroDevopsMsiId
     keyVaultName: keyVaultName
     certName: 'msiMockCert'
     subjectName: 'CN=msimock.hcp.osadev.cloud'
     dnsNames: ['msimock.hcp.osadev.cloud']
     issuerName: 'Self'
     validityInMonths: 1000
   }
-  dependsOn: [
-    scriptMsi
-  ]
 }