From c5afbfae9ae89d6fde595fd3b389fac104cb1569 Mon Sep 17 00:00:00 2001 From: Antony Natale Date: Tue, 7 May 2024 10:26:39 -0400 Subject: [PATCH] enables creation of multiple workload identities via loop and arrays --- .../configurations/mgmt-cluster.bicepparam | 1 + .../configurations/svc-cluster.bicepparam | 7 +++ .../modules/aks-cluster-base.bicep | 29 +++++++++++ .../templates/mgmt-cluster.bicep | 4 ++ .../templates/svc-cluster.bicep | 48 +++++++------------ 5 files changed, 59 insertions(+), 30 deletions(-) diff --git a/dev-infrastructure/configurations/mgmt-cluster.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.bicepparam index db8d02bab..6631f4d72 100644 --- a/dev-infrastructure/configurations/mgmt-cluster.bicepparam +++ b/dev-infrastructure/configurations/mgmt-cluster.bicepparam @@ -6,6 +6,7 @@ param subnetPrefix = enablePrivateCluster ? '10.132.8.0/21' : '10.128.8.0/21' param podSubnetPrefix = enablePrivateCluster ? '10.132.64.0/18' : '10.128.64.0/18' param enablePrivateCluster = false param persist = false +param workloadIdentities = [] // This parameter is always overriden in the Makefile param currentUserId = '' diff --git a/dev-infrastructure/configurations/svc-cluster.bicepparam b/dev-infrastructure/configurations/svc-cluster.bicepparam index c60f15149..d18e0e1b4 100644 --- a/dev-infrastructure/configurations/svc-cluster.bicepparam +++ b/dev-infrastructure/configurations/svc-cluster.bicepparam @@ -8,6 +8,13 @@ param enablePrivateCluster = false param persist = false param disableLocalAuth = false param deployFrontendCosmos = false +param workloadIdentities = items({ + frontend_wi: { + uamiName: 'frontend' + namespace: 'aro-hcp' + serviceAccountName: 'frontend' + } +}) // This parameter is always overriden in the Makefile param currentUserId = '' diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep index 894a977ec..5072cb536 100644 
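Review bot: The `uamiName: 'frontend'` value in the new `workloadIdentities` entry of svc-cluster.bicepparam is a hidden contract: svc-cluster.bicep in this same patch looks the module output up with `filter(..., id => id.uamiName == 'frontend')[0]`, so renaming or dropping this entry fails the deployment with an index error instead of a message naming the missing identity. The map key `frontend_wi` is never read (the module only dereferences `wi.value`), which makes it look like the identifier when it is not. I would put a comment above the entry: `// uamiName 'frontend' is matched by name in svc-cluster.bicep (frontendMI) - keep in sync`. The namespace/serviceAccountName pair also becomes the federated-credential subject, so any pod running as that service account in `aro-hcp` can obtain this identity's tokens; that is worth stating here as well, since this file is where the pair is chosen.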
--- a/dev-infrastructure/modules/aks-cluster-base.bicep +++ b/dev-infrastructure/modules/aks-cluster-base.bicep @@ -19,6 +19,8 @@ param vnetAddressPrefix string param subnetPrefix string param podSubnetPrefix string param clusterType string +param workloadIdentities array + // Local Params @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.') @@ -338,7 +340,34 @@ resource currentUserAksRbacClusterAdmin 'Microsoft.Authorization/roleAssignments } } +resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [ +for wi in workloadIdentities: { + location: location + name: '${wi.value.uamiName}-${location}' +}] + +resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [ +for i in range(0, length(workloadIdentities)): { + parent: uami[i] + name: '${workloadIdentities[i].value.uamiName}-${location}-fedcred' + properties: { + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: aksCluster.properties.oidcIssuerProfile.issuerURL + subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}' + } +}] + // Outputs +output userAssignedIdentities array = [ + for i in range(0, length(workloadIdentities)): { + uamiID: uami[i].id + uamiName: workloadIdentities[i].value.uamiName + uamiClientID: uami[i].properties.clientId + uamiPrincipalID: uami[i].properties.principalId + } +] output aksVnetId string = vnet.id output aksNodeSubnetId string = aksNodeSubnet.id output aksOidcIssuerUrl string = aksCluster.properties.oidcIssuerProfile.issuerURL diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep index 734b3f68b..853e5c5c1 100644 --- a/dev-infrastructure/templates/mgmt-cluster.bicep +++ b/dev-infrastructure/templates/mgmt-cluster.bicep 
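Review bot: `param workloadIdentities array` is declared without a `@description` and without any statement of the element shape, while both templates that pass it in carry one; because the module dereferences `wi.value.uamiName`, `.namespace` and `.serviceAccountName`, a wrongly shaped item only surfaces as a property error at deployment time. I would add `@description('Workload identities to create; each item is an items() entry whose value carries uamiName, namespace and serviceAccountName, with uamiName unique per deployment')` above the parameter. The uniqueness clause matters because two items sharing a `uamiName` yield two `uami` resources with the same `'${uamiName}-${location}'` name, which ARM rejects at deployment rather than at validation.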
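Review bot: The federated credential created per `uami_fedcred` trusts `system:serviceaccount:<namespace>:<serviceAccountName>` from the cluster issuer, so whoever can run a pod under that service account in that namespace, or create the service account if it does not yet exist, can exchange a projected token for the user-assigned identity; nothing in the hunk records that the namespace is expected to be one where service-account creation is RBAC-restricted. I would put that on the `subject:` line: `// trust boundary: any pod running as this SA in this namespace can obtain this UAMI's tokens`. The issuer is read from `aksCluster.properties.oidcIssuerProfile.issuerURL`; the cluster definition is outside the hunk, so I assume `oidcIssuerProfile.enabled` is set there, which the pre-existing `aksOidcIssuerUrl` output suggests. The `uami_fedcred` loop pairs `uami[i]` with `workloadIdentities[i]` by index, which is correct only because both loops iterate the same array in the same order; a short comment saying so would keep a later refactor of either loop from silently mispairing identities and credentials.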
@@ -22,6 +22,9 @@ param enablePrivateCluster bool @description('Kuberentes version to use with AKS') param kubernetesVersion string +@description('List of workload identities to create and their required values') +param workloadIdentities array + module mgmtCluster '../modules/aks-cluster-base.bicep' = { name: 'aks_base_cluster' scope: resourceGroup() @@ -35,5 +38,6 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = { subnetPrefix: subnetPrefix podSubnetPrefix: podSubnetPrefix clusterType: 'mgmt' + workloadIdentities: workloadIdentities } } diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep index 56abd6061..452fd9213 100644 --- a/dev-infrastructure/templates/svc-cluster.bicep +++ b/dev-infrastructure/templates/svc-cluster.bicep @@ -29,8 +29,11 @@ param disableLocalAuth bool @description('Deploy ARO HCP RP Azure Cosmos DB if true') param deployFrontendCosmos bool +@description('List of workload identities to create and their required values') +param workloadIdentities array + module svcCluster '../modules/aks-cluster-base.bicep' = { - name: 'aks_base_cluster' + name: 'svc-cluster' scope: resourceGroup() params: { location: location 
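Review bot: The module deployment name changes from `'aks_base_cluster'` to `'svc-cluster'` in the svc-cluster.bicep hunk while mgmt-cluster.bicep in the same patch keeps `'aks_base_cluster'`, and neither the commit message nor a comment mentions the rename. If the intent is to avoid two nested deployments sharing a name when the svc and mgmt templates target the same resource group, a one-line comment on the module would save the next reader the question: `// named per cluster so svc and mgmt deployments do not collide on the nested deployment name`. If it is incidental, keeping the two templates consistent is the simpler choice.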
@@ -42,38 +45,23 @@ module svcCluster '../modules/aks-cluster-base.bicep' = { subnetPrefix: subnetPrefix podSubnetPrefix: podSubnetPrefix clusterType: 'svc' + workloadIdentities: workloadIdentities } } +var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0] -module rpCosmosDb '../modules/rp-cosmos.bicep' = - if (deployFrontendCosmos) { - name: 'rp_cosmos_db' - scope: resourceGroup() - params: { - location: location - aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId - vnetId: svcCluster.outputs.aksVnetId - disableLocalAuth: disableLocalAuth - userAssignedMI: frontend_mi.id - uamiPrincipalId: frontend_mi.properties.principalId - } - } - -resource frontend_mi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { - location: location - name: 'frontend-${location}' -} - -resource frontend_mi_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = { - name: 'frontend-${location}-fedcred' - parent: frontend_mi - properties: { - audiences: [ - 'api://AzureADTokenExchange' - ] - issuer: svcCluster.outputs.aksOidcIssuerUrl - subject: 'system:serviceaccount:aro-hcp:frontend' +module rpCosmosDb '../modules/rp-cosmos.bicep' = +if (deployFrontendCosmos) { + name: 'rp_cosmos_db' + scope: resourceGroup() + params: { + location: location + aksNodeSubnetId: svcCluster.outputs.aksNodeSubnetId + vnetId: svcCluster.outputs.aksVnetId + disableLocalAuth: disableLocalAuth + userAssignedMI: frontendMI.uamiID + uamiPrincipalId: frontendMI.uamiPrincipalID } } -output frontend_mi_client_id string = frontend_mi.properties.clientId +output frontend_mi_client_id string = frontendMI.uamiClientID
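Review bot: `var frontendMI = filter(svcCluster.outputs.userAssignedIdentities, id => id.uamiName == 'frontend')[0]` indexes the filter result unconditionally, and `output frontend_mi_client_id` consumes it even when `deployFrontendCosmos` is false, so a `workloadIdentities` value with no `frontend` entry fails the whole deployment with an index-out-of-range error rather than one naming the missing identity. The parameter is free-form (the mgmt param file in this patch passes `[]`), so the requirement should at least be documented on it: `@description('List of workload identities to create; must include an entry with uamiName \'frontend\', which binds the RP Cosmos DB and the frontend_mi_client_id output')`. A comment on the `var` line, `// fails at deploy time if no workloadIdentities item has uamiName 'frontend'`, would make the failure mode visible where it occurs. Separately, the `if (deployFrontendCosmos) {` now sits at column 0 after the `=`, whereas the removed version indented the condition and body under the module; matching the earlier indentation would keep the file consistent with mgmt-cluster.bicep.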