From bcba7ed90b85037e9a1f25f244669d5c140e8331 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Tue, 12 Nov 2024 13:53:18 +0100
Subject: [PATCH 1/2] Remove contributer role from CS Managed Identity

Only have permissions to create tokens, contributer is to broad
---
 .../modules/acr-permissions.bicep | 40 ++++++++++++++-----
 .../templates/svc-cluster.bicep | 6 +--
 2 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/dev-infrastructure/modules/acr-permissions.bicep b/dev-infrastructure/modules/acr-permissions.bicep
index fa00b03bc..fea621d5f 100644
--- a/dev-infrastructure/modules/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr-permissions.bicep
@@ -4,10 +4,10 @@ param principalId string
 @description('Whether to grant push access to the ACR')
 param grantPushAccess bool = false
 
-@description('Whether to grant contributor access to the ACR')
-param grantContributorAccess bool = false
+@description('Whether to grant manage token access to the ACR')
+param grantManageTokenAccess bool = true
 
-@description('ACR Namespace Resource Group Name')
+@description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
 var acrPullRoleDefinitionId = subscriptionResourceId(
@@ -25,11 +25,6 @@ var acrDeleteRoleDefinitionId = subscriptionResourceId(
 'c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 )
 
-var contributorRoleDefinitionId = subscriptionResourceId(
- 'Microsoft.Authorization/roleDefinitions/',
- 'b24988ac-6180-42a0-ab88-20f7382dd24c'
-)
-
 resource acrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!grantPushAccess) {
 name: guid(acrResourceGroupid, principalId, acrPullRoleDefinitionId)
 properties: {
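Review bot: `param grantManageTokenAccess bool = true` turns a privilege grant into an opt-out: any consumer of this module that does not pass the parameter now receives the token-management assignment, whereas the `grantContributorAccess` it replaces defaulted to `false`. The only caller visible in this series (svc-cluster.bicep) passes `grantManageTokenAccess: true` explicitly, so keeping the opt-in default, `param grantManageTokenAccess bool = false`, costs nothing there and protects callers the patch does not show. The description could also say what is actually granted, e.g. `@description('Whether to assign the custom ACR token-management role (read/write/delete tokens, generate token credentials) to the principal')`.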
@@ -57,10 +52,33 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 }
 }
 
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantContributorAccess) {
- name: guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (grantManageTokenAccess) {
+ name: guid(acrResourceGroupid, principalId, 'token-creation-role')
+ properties: {
+ assignableScopes: [
+ subscription().id
+ acrResourceGroupid
+ ]
+ description: 'This role allows the management of tokens in the ACR'
+ permissions: [
+ {
+ actions: [
+ 'Microsoft.ContainerRegistry/registries/tokens/read'
+ 'Microsoft.ContainerRegistry/registries/tokens/write'
+ 'Microsoft.ContainerRegistry/registries/tokens/delete'
+ 'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+ 'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+ ]
+ }
+ ]
+ roleName: 'ACR Manage Tokens'
+ }
+}
+
+resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
+ name: guid(acrResourceGroupid, principalId, 'token-creation-role')
 properties: {
- roleDefinitionId: contributorRoleDefinitionId
+ roleDefinitionId: tokenManagementRole.id
 principalId: principalId
 principalType: 'ServicePrincipal'
 }
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index 7f34a0f51..b66bcb422 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
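Review bot: The assignment resource keeps the symbol `acrContributorRole` although it now assigns the custom token-management role, so a reader of the final file sees a contributor grant that no longer exists; `resource acrManageTokensRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {` would keep the name honest, and the misnomer survives unchanged into the second patch. The role definition and the assignment also share the same `guid(acrResourceGroupid, principalId, 'token-creation-role')` name; different resource types do not collide, but a distinct seed per resource makes the two easier to tell apart in the activity log. Keying the definition on `principalId` creates one custom role definition per principal and resource group; the second patch in this series moves the definition to acr.bicep keyed on the resource group only, which addresses that.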
@@ -366,13 +366,13 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
 }
 ]
 
-module acrContributorRole '../modules/acr-permissions.bicep' = [
+module acrManageTokenRole '../modules/acr-permissions.bicep' = [
 for (_, i) in clustersServiceAcrResourceGroupNames: {
- name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'contributor')
+ name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
 scope: clustersServiceAcrResourceGroups[i]
 params: {
 principalId: csManagedIdentityPrincipalId
- grantContributorAccess: true
+ grantManageTokenAccess: true
 acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
 }
 }
From 2dba4a7afc0bce75b6b9dd03d53a250ca76ca2ae Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Wed, 13 Nov 2024 10:29:27 +0100
Subject: [PATCH 2/2] move tole to acr module

---
 .../modules/acr-permissions.bicep | 23 ++-----------------
 dev-infrastructure/modules/acr/acr.bicep | 23 +++++++++++++++++++
 2 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/dev-infrastructure/modules/acr-permissions.bicep b/dev-infrastructure/modules/acr-permissions.bicep
index fea621d5f..cce6f1de4 100644
--- a/dev-infrastructure/modules/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr-permissions.bicep
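Review bot: Dropping the contributor grant from this template does not revoke the assignment that earlier deployments created: the role assignment named `guid(acrResourceGroupid, principalId, contributorRoleDefinitionId)` in the removed module code stays in each clusters-service ACR resource group after an incremental deployment, so the identity keeps Contributor there until that assignment is deleted explicitly. The deployment mode is not visible here; unless these templates are applied in a mode that removes resources absent from the template, the PR needs a one-off cleanup (for example `az role assignment delete` for that principal and role on each resource group) and a check afterwards that only the token-management role remains assigned. Changing the module `name` seed from `'contributor'` to `'manage-tokens'` also means the old module deployment record is simply abandoned rather than updated, which is fine but worth a line in the PR description.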
@@ -52,27 +52,8 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 }
 }
 
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (grantManageTokenAccess) {
- name: guid(acrResourceGroupid, principalId, 'token-creation-role')
- properties: {
- assignableScopes: [
- subscription().id
- acrResourceGroupid
- ]
- description: 'This role allows the management of tokens in the ACR'
- permissions: [
- {
- actions: [
- 'Microsoft.ContainerRegistry/registries/tokens/read'
- 'Microsoft.ContainerRegistry/registries/tokens/write'
- 'Microsoft.ContainerRegistry/registries/tokens/delete'
- 'Microsoft.ContainerRegistry/registries/generateCredentials/action'
- 'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
- ]
- }
- ]
- roleName: 'ACR Manage Tokens'
- }
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess) {
+ name: guid(acrResourceGroupid, 'token-creation-role')
 }
 
 resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
diff --git a/dev-infrastructure/modules/acr/acr.bicep b/dev-infrastructure/modules/acr/acr.bicep
index 864562e39..6992e9d59 100644
--- a/dev-infrastructure/modules/acr/acr.bicep
+++ b/dev-infrastructure/modules/acr/acr.bicep
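Review bot: The `existing` reference binds this module to a role definition created elsewhere by name alone: `guid(acrResourceGroupid, 'token-creation-role')` only matches acr.bicep's `guid(resourceGroup().id, 'token-creation-role')` when acr.bicep is deployed into the very resource group passed as `acrResourceGroupid`, and nothing in this module states or checks that, so a mismatch surfaces only as a failed role assignment at deploy time. A comment above the resource would make the coupling visible, e.g. `// Defined in modules/acr/acr.bicep as guid(resourceGroup().id, 'token-creation-role'); acr.bicep must be deployed into acrResourceGroupid before this module runs.` A more robust shape is for acr.bicep to output the role definition id and for this module to take it as a parameter, which also removes the `'token-creation-role'` seed duplicated across the two files. The assignment that consumes `tokenManagementRole.id` starts on the hunk's last line and continues outside it.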
@@ -56,3 +56,26 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
 }
 }
+
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+ name: guid(resourceGroup().id, 'token-creation-role')
+ properties: {
+ assignableScopes: [
+ subscription().id
+ resourceGroup().id
+ ]
+ description: 'This role allows the management of tokens in the ACR'
+ permissions: [
+ {
+ actions: [
+ 'Microsoft.ContainerRegistry/registries/tokens/read'
+ 'Microsoft.ContainerRegistry/registries/tokens/write'
+ 'Microsoft.ContainerRegistry/registries/tokens/delete'
+ 'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+ 'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+ ]
+ }
+ ]
+ roleName: 'ACR Manage Tokens'
+ }
+}
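Review bot: `assignableScopes` lists `subscription().id` next to `resourceGroup().id`, so this role, which carries `generateCredentials/action` (the action that issues registry token credentials), can be assigned at any scope in the subscription rather than only on the resource group this module deploys into. Restricting it to `assignableScopes: [ resourceGroup().id ]` keeps the role assignable only where the registry lives, matching the intent of the series. The commit message says the identity should only be able to create tokens, yet the role also grants `tokens/delete`; if clusters-service never deletes tokens, dropping that action tightens it further. The `description` could also name the intended consumer and the credential-generation capability, e.g. `description: 'Allows clusters-service to create, read and delete ACR tokens and generate their credentials'`, so the custom role is understandable when it shows up in a role listing.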