use the devops MSI to manage postgres

... instead of introducing new MSIs Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Dec 6, 2024 · fdcbc10 · fdcbc10
1 parent c84097c
commit fdcbc10
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 33 deletions.
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
@@ -1,6 +1,3 @@
-@description('The location for the PostGres DB')
-param location string
-
 @description('The managed identity name CS will use to interact with Azure resources')
 param clusterServiceManagedIdentityName string
 
@@ -43,25 +40,23 @@ param regionalResourceGroup string
 @description('The names of the ACR resource groups / will be refactored soon into dedicated ACR Resource IDs')
 param acrResourceGroupNames array = []
 
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
+
 //
 //   P O S T G R E S
 //
 
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
+import * as res from 'resource.bicep'
 
 module postgres 'postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
   params: {
     name: postgresServerName
     databaseAdministrators: [
-      // add the dedicated admin managed identity as administrator
-      // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -108,7 +103,7 @@ module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = if (de
   name: '${deployment().name}-cs-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: csDatabaseName
     newUserName: clusterServiceManagedIdentityName
     newUserPrincipalId: clusterServiceManagedIdentityPrincipalId

diff --git a/dev-infrastructure/modules/maestro/maestro-server.bicep b/dev-infrastructure/modules/maestro/maestro-server.bicep
@@ -60,16 +60,14 @@ param maestroServerManagedIdentityName string
 @description('The principal ID of the Managed Identity for the Maestro cluster service')
 param maestroServerManagedIdentityPrincipalId string
 
-param location string
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
 
 //
 //   P O S T G R E S
 //
 
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
+import * as res from '../resource.bicep'
 
 module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
@@ -80,8 +78,8 @@ module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
       // add the dedicated admin managed identity as administrator
       // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -121,7 +119,7 @@ module csManagedIdentityDatabaseAccess '../postgres/postgres-access.bicep' = if
   name: '${deployment().name}-maestro-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: maestroDatabaseName
     newUserName: maestroServerManagedIdentityName
     newUserPrincipalId: maestroServerManagedIdentityPrincipalId

diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep
@@ -6,8 +6,8 @@ The user will also be enabled for entra authentication.
 @description('The name of the postgres server that will be managed')
 param postgresServerName string
 
-@description('The name of the managed identity that will be used to manage access in the database')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the managed identity that will be used to manage access in the database')
+param postgresAdministrationManagedIdentityId string
 
 @description('The principal ID / object ID of the managed identity that will be granted access to')
 param newUserPrincipalId string
@@ -42,7 +42,7 @@ module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
   params: {
     postgresServerName: postgres.properties.fullyQualifiedDomainName
     databaseName: 'postgres' // access configuration is managed in the postgres DB
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentityName
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     sqlScript: string(join(sqlScriptLines, '\n'))
   }
 }
diff --git a/dev-infrastructure/modules/postgres/postgres-sql.bicep b/dev-infrastructure/modules/postgres/postgres-sql.bicep
@@ -8,17 +8,15 @@ param postgresServerName string
 @description('The database name where an SQL script will be executed')
 param databaseName string
 
-@description('The name of the user-assigned managed identity that will be used to execute the SQL script')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the user-assigned managed identity that will be used to execute the SQL script')
+param postgresAdministrationManagedIdentityId string
 
 @description('The SQL script to execute on the PostgreSQL server')
 param sqlScript string
 
-param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}+${postgresAdminManagedIdentityName}')
+param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}/${postgresAdministrationManagedIdentityId}')
 
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
-  name: postgresAdminManagedIdentityName
-}
+import * as res from '../resource.bicep'
 
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   name: deployment().name
@@ -27,7 +25,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
-      '${postgresAdminManagedIdentity.id}': {}
+      '${postgresAdministrationManagedIdentityId}': {}
     }
   }
 
@@ -58,7 +56,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
       }
       {
         name: 'PGUSER'
-        value: postgresAdminManagedIdentity.name
+        value: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
       }
     ]
     timeout: 'PT30M'

diff --git a/dev-infrastructure/modules/resource.bicep b/dev-infrastructure/modules/resource.bicep
@@ -0,0 +1,25 @@
+// bicep func to extract subscription, resourcegroup from a resource id
+
+@export()
+type resourceGroupReference = {
+  subscriptionId: string
+  name: string
+}
+
+@export()
+type msiRef = {
+  resourceGroup: resourceGroupReference
+  name: string
+}
+
+@export()
+func resourceGroupFromResourceId(resourceId string) resourceGroupReference => {
+  subscriptionId: split(resourceId, '/')[2]
+  name: split(resourceId, '/')[4]
+}
+
+@export()
+func msiRefFromId(msiResourceId string) msiRef => {
+  resourceGroup: resourceGroupFromResourceId(msiResourceId)
+  name: last(split(msiResourceId, '/'))
+}
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -250,6 +250,7 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
     privateEndpointVnetId: svcCluster.outputs.aksVnetId
     postgresServerPrivate: maestroPostgresPrivate
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
     maestroServerManagedIdentityPrincipalId: filter(
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
@@ -258,7 +259,6 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
     )[0].uamiName
-    location: location
   }
   dependsOn: [
     serviceKeyVault
@@ -307,7 +307,6 @@ var csManagedIdentityPrincipalId = filter(
 module cs '../modules/cluster-service.bicep' = {
   name: 'cluster-service'
   params: {
-    location: location
     postgresServerName: csPostgresServerName
     postgresServerMinTLSVersion: csPostgresServerMinTLSVersion
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
@@ -321,6 +320,7 @@ module cs '../modules/cluster-service.bicep' = {
     regionalDNSZoneName: regionalDNSZoneName
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
   }
   dependsOn: [
     maestroServer