From fdcbc1037221d21aaab6bab0b5b0ee9fc861bbdd Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Thu, 28 Nov 2024 14:42:27 +0100
Subject: [PATCH] use the devops MSI to manage postgres ... instead of introducing new MSIs
Signed-off-by: Gerd Oberlechner
---
 .../modules/cluster-service.bicep | 19 ++++++--------
 .../modules/maestro/maestro-server.bicep | 14 +++++------
 .../modules/postgres/postgres-access.bicep | 6 ++---
 .../modules/postgres/postgres-sql.bicep | 14 +++++------
 dev-infrastructure/modules/resource.bicep | 25 +++++++++++++++++++
 .../templates/svc-cluster.bicep | 4 +--
 6 files changed, 49 insertions(+), 33 deletions(-)
 create mode 100644 dev-infrastructure/modules/resource.bicep
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
index 569f6699e..62bea8077 100644
--- a/dev-infrastructure/modules/cluster-service.bicep
+++ b/dev-infrastructure/modules/cluster-service.bicep
@@ -1,6 +1,3 @@
-@description('The location for the PostGres DB')
-param location string
-
 @description('The managed identity name CS will use to interact with Azure resources')
 param clusterServiceManagedIdentityName string
@@ -43,25 +40,23 @@ param regionalResourceGroup string
 @description('The names of the ACR resource groups / will be refactored soon into dedicated ACR Resource IDs')
 param acrResourceGroupNames array = []
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
+
 //
 // P O S T G R E S
 //
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
+import * as res from 'resource.bicep'
 module postgres 'postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
   params: {
     name: postgresServerName
     databaseAdministrators: [
-      // add the dedicated admin managed identity as administrator
-      // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -108,7 +103,7 @@ module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = if (de
   name: '${deployment().name}-cs-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: csDatabaseName
     newUserName: clusterServiceManagedIdentityName
     newUserPrincipalId: clusterServiceManagedIdentityPrincipalId
diff --git a/dev-infrastructure/modules/maestro/maestro-server.bicep b/dev-infrastructure/modules/maestro/maestro-server.bicep
index ebfda3ab3..a070e264b 100644
--- a/dev-infrastructure/modules/maestro/maestro-server.bicep
+++ b/dev-infrastructure/modules/maestro/maestro-server.bicep
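Review bot: The administrator entry in `databaseAdministrators` resolves the identity's principal ID with `reference(postgresAdministrationManagedIdentityId, '2023-01-31')` while its name comes from `res.msiRefFromId(...)`, and the same pairing recurs in maestro-server.bicep (hunks at -60,16 and -80,8). Since `resource.bicep` already extracts the subscription and resource group, an `existing` resource with an explicit `scope` gives one typed reference, lets the compiler check the resource type, and removes the duplicated API-version literal from both consumers; `reference()` on a raw ID is the ARM-template idiom that Bicep's symbolic references are meant to replace. The parameter's `@description` should also state the privilege this grants, e.g. `@description('Resource ID of the managed identity that is registered as an Entra administrator of the Postgres server and runs the access-management SQL scripts')`, so a caller passing a broadly scoped identity (svc-cluster.bicep passes `aroDevopsMsiId`) sees the blast radius. The `module postgres` block continues past the hunk.
```bicep
import * as res from 'resource.bicep'

var postgresAdminMsiRef = res.msiRefFromId(postgresAdministrationManagedIdentityId)

// typed reference to the pre-existing identity; its scope is taken from the resource ID
resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: postgresAdminMsiRef.name
  scope: resourceGroup(postgresAdminMsiRef.resourceGroup.subscriptionId, postgresAdminMsiRef.resourceGroup.name)
}

module postgres 'postgres/postgres.bicep' = if (deployPostgres) {
  // … unchanged: name, params.name …
      {
        principalId: postgresAdminManagedIdentity.properties.principalId
        principalName: postgresAdminManagedIdentity.name
        principalType: 'ServicePrincipal'
      }
```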
@@ -60,16 +60,14 @@ param maestroServerManagedIdentityName string
 @description('The principal ID of the Managed Identity for the Maestro cluster service')
 param maestroServerManagedIdentityPrincipalId string
-param location string
+@description('The resource ID of the managed identity used to manage the Postgres server')
+param postgresAdministrationManagedIdentityId string
 //
 // P O S T G R E S
 //
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
-  name: '${postgresServerName}-db-admin-msi'
-  location: location
-}
+import * as res from '../resource.bicep'
 module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
@@ -80,8 +78,8 @@ module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
       // add the dedicated admin managed identity as administrator
       // this one is going to be used to manage DB access
       {
-        principalId: postgresAdminManagedIdentity.properties.principalId
-        principalName: postgresAdminManagedIdentity.name
+        principalId: reference(postgresAdministrationManagedIdentityId, '2023-01-31').principalId
+        principalName: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
         principalType: 'ServicePrincipal'
       }
     ]
@@ -121,7 +119,7 @@ module csManagedIdentityDatabaseAccess '../postgres/postgres-access.bicep' = if
   name: '${deployment().name}-maestro-db-access'
   params: {
     postgresServerName: postgresServerName
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentity.name
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     databaseName: maestroDatabaseName
     newUserName: maestroServerManagedIdentityName
     newUserPrincipalId: maestroServerManagedIdentityPrincipalId
diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep
index 617bff66d..a9520d314 100644
--- a/dev-infrastructure/modules/postgres/postgres-access.bicep
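Review bot: The two context comments at the top of the -80,8 hunk, `// add the dedicated admin managed identity as administrator` and `// this one is going to be used to manage DB access`, are now stale: the entry no longer describes a dedicated identity but whatever `postgresAdministrationManagedIdentityId` the caller supplies (the shared devops identity in svc-cluster.bicep). cluster-service.bicep drops the same two lines in this commit, so maestro-server.bicep should either drop them too or replace them with `// the caller-supplied administration identity; it is registered as server administrator and also executes the access-management SQL scripts`. The enclosing `module postgres` block starts and ends outside that hunk.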
+++ b/dev-infrastructure/modules/postgres/postgres-access.bicep
@@ -6,8 +6,8 @@ The user will also be enabled for entra authentication.
 @description('The name of the postgres server that will be managed')
 param postgresServerName string
-@description('The name of the managed identity that will be used to manage access in the database')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the managed identity that will be used to manage access in the database')
+param postgresAdministrationManagedIdentityId string
 @description('The principal ID / object ID of the managed identity that will be granted access to')
 param newUserPrincipalId string
@@ -42,7 +42,7 @@ module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
   params: {
     postgresServerName: postgres.properties.fullyQualifiedDomainName
     databaseName: 'postgres' // access configuration is managed in the postgres DB
-    postgresAdminManagedIdentityName: postgresAdminManagedIdentityName
+    postgresAdministrationManagedIdentityId: postgresAdministrationManagedIdentityId
     sqlScript: string(join(sqlScriptLines, '\n'))
   }
 }
diff --git a/dev-infrastructure/modules/postgres/postgres-sql.bicep b/dev-infrastructure/modules/postgres/postgres-sql.bicep
index 9744f8cdf..7935948d8 100644
--- a/dev-infrastructure/modules/postgres/postgres-sql.bicep
+++ b/dev-infrastructure/modules/postgres/postgres-sql.bicep
@@ -8,17 +8,15 @@ param postgresServerName string
 @description('The database name where an SQL script will be executed')
 param databaseName string
-@description('The name of the user-assigned managed identity that will be used to execute the SQL script')
-param postgresAdminManagedIdentityName string
+@description('The resource ID of the user-assigned managed identity that will be used to execute the SQL script')
+param postgresAdministrationManagedIdentityId string
 @description('The SQL script to execute on the PostgreSQL server')
 param sqlScript string
-param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}+${postgresAdminManagedIdentityName}')
+param forceUpdateTag string = guid('${sqlScript}/${postgresServerName}/${databaseName}/${postgresAdministrationManagedIdentityId}')
-resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
-  name: postgresAdminManagedIdentityName
-}
+import * as res from '../resource.bicep'
 resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   name: deployment().name
@@ -27,7 +25,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
-      '${postgresAdminManagedIdentity.id}': {}
+      '${postgresAdministrationManagedIdentityId}': {}
     }
   }
@@ -58,7 +56,7 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
       }
       {
         name: 'PGUSER'
-        value: postgresAdminManagedIdentity.name
+        value: res.msiRefFromId(postgresAdministrationManagedIdentityId).name
       }
     ]
     timeout: 'PT30M'
diff --git a/dev-infrastructure/modules/resource.bicep b/dev-infrastructure/modules/resource.bicep
new file mode 100644
index 000000000..38879bbb4
--- /dev/null
+++ b/dev-infrastructure/modules/resource.bicep
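Review bot: In the -58,7 hunk, `value: res.msiRefFromId(postgresAdministrationManagedIdentityId).name` ties the Postgres login name to the identity's resource name, and that only works because the consumers register the administrator under the same expression, `principalName: res.msiRefFromId(...).name` (cluster-service.bicep and maestro-server.bicep in this commit); nothing in this module records that coupling. A comment on the `PGUSER` entry would protect the next change, e.g. `// must equal the principalName under which the identity was added to databaseAdministrators; the server knows the identity only by that name`. The `environmentVariables` array this entry sits in starts outside the hunk.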
@@ -0,0 +1,25 @@
+// bicep func to extract subscription, resourcegroup from a resource id
+
+@export()
+type resourceGroupReference = {
+  subscriptionId: string
+  name: string
+}
+
+@export()
+type msiRef = {
+  resourceGroup: resourceGroupReference
+  name: string
+}
+
+@export()
+func resourceGroupFromResourceId(resourceId string) resourceGroupReference => {
+  subscriptionId: split(resourceId, '/')[2]
+  name: split(resourceId, '/')[4]
+}
+
+@export()
+func msiRefFromId(msiResourceId string) msiRef => {
+  resourceGroup: resourceGroupFromResourceId(msiResourceId)
+  name: last(split(msiResourceId, '/'))
+}
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index fa7d51306..114ddc952 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -250,6 +250,7 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
     privateEndpointVnetId: svcCluster.outputs.aksVnetId
     postgresServerPrivate: maestroPostgresPrivate
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
     maestroServerManagedIdentityPrincipalId: filter(
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
@@ -258,7 +259,6 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
       svcCluster.outputs.userAssignedIdentities,
       id => id.uamiName == 'maestro-server'
     )[0].uamiName
-    location: location
   }
   dependsOn: [
     serviceKeyVault
@@ -307,7 +307,6 @@ var csManagedIdentityPrincipalId = filter(
 module cs '../modules/cluster-service.bicep' = {
   name: 'cluster-service'
   params: {
-    location: location
     postgresServerName: csPostgresServerName
     postgresServerMinTLSVersion: csPostgresServerMinTLSVersion
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
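Review bot: `resourceGroupFromResourceId` reads `split(resourceId, '/')[2]` and `[4]` with no check that the ID is resource-group scoped, so a subscription-, tenant- or extension-scoped ID either fails at deployment time on the index or silently returns a mislabelled segment, and `msiRefFromId` never verifies that the provider segment is `Microsoft.ManagedIdentity/userAssignedIdentities`. Both functions and both types are exported without any description, and the one-line header comment does not mention the positional assumption the callers now depend on for a deployment-script identity and a database administrator. Add a `@description` (or a `//` comment above each) such as `@description('Subscription ID and resource group name of a resource-group-scoped resource ID (/subscriptions/{sub}/resourceGroups/{rg}/providers/...); segments are positional and other scopes are not validated')` on `resourceGroupFromResourceId`, and `@description('Scope and name of a user-assigned managed identity taken from its resource ID; the provider segment is not checked')` on `msiRefFromId`.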
@@ -321,6 +320,7 @@ module cs '../modules/cluster-service.bicep' = {
     regionalDNSZoneName: regionalDNSZoneName
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
+    postgresAdministrationManagedIdentityId: aroDevopsMsiId
   }
   dependsOn: [
     maestroServer