From 4ae29ea75a47f83b361ce4e84a30684b03cda490 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Wed, 27 Nov 2024 09:18:43 +0100
Subject: [PATCH 1/2] move CS permission setup into CS module

Signed-off-by: Gerd Oberlechner
---
 config/config.msft.yaml | 3 +-
 .../svc-cluster.tmpl.bicepparam | 2 +-
 .../modules/cluster-service.bicep | 81 +++++++++++++++++--
 .../templates/svc-cluster.bicep | 53 +++---------
 4 files changed, 87 insertions(+), 52 deletions(-)

diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 6ca8c9b0d..0a442823b 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -68,7 +68,8 @@ defaults:
 # Cluster Service
 clusterService:
- acrRG: '{{ .ctx.region }}-shared-resources'
+ #acrRG: '{{ .ctx.region }}-shared-resources'
+ acrRg: ''
 postgres:
 name: arohcp-cs-{{ .ctx.regionShort }}
 deploy: true
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
index d89f00e9d..8dbd8178a 100644
--- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -30,7 +30,7 @@ param maestroPostgresServerStorageSizeGB = {{ .maestro.postgres.serverStorageSiz
 param deployMaestroPostgres = {{ .maestro.postgres.deploy }}
 param maestroPostgresPrivate = {{ .maestro.postgres.private }}
 
-param deployCsInfra = {{ .clusterService.postgres.deploy }}
+param csPostgresDeploy = {{ .clusterService.postgres.deploy }}
 param csPostgresServerName = '{{ .clusterService.postgres.name }}'
 param csPostgresServerMinTLSVersion = '{{ .clusterService.postgres.minTLSVersion }}'
 param clusterServicePostgresPrivate = {{ .clusterService.postgres.private }}
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
index 0bb45934e..569f6699e 100644
--- a/dev-infrastructure/modules/cluster-service.bicep
+++ b/dev-infrastructure/modules/cluster-service.bicep
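Review bot: The commented-out `#acrRG: '{{ .ctx.region }}-shared-resources'` line in the config.msft.yaml hunk records the old value but not why the MSFT defaults now pass an empty name, which the cluster-service module treats as "skip the ACR token-management role assignment for CS". A short comment stating the intent and whether it is temporary would help the next reader, e.g. `# empty: no ACR token-management role is granted to CS in MSFT pipelines yet (see acrManageTokenRole in cluster-service.bicep)`. Since this value gates a privileged role assignment, making the opt-out explicit is worth more than keeping the dead line.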
@@ -7,6 +7,9 @@ param clusterServiceManagedIdentityName string
 @description('The managed identity CS uses to interact with Azure resources')
 param clusterServiceManagedIdentityPrincipalId string
 
+@description('Defines if the Postgres server should be deployed')
+param deployPostgres bool
+
 @description('The name of the database to create for CS')
 param csDatabaseName string = 'clusters-service'
 
@@ -16,18 +19,40 @@ param postgresServerName string
 @description('The minimum TLS version for the Postgres server')
 param postgresServerMinTLSVersion string
 
+@description('Defines if the Postgres server is private')
 param postgresServerPrivate bool
 
+@description('The subnet ID for the private endpoint of the Postgres server')
 param privateEndpointSubnetId string = ''
 
+@description('The VNET ID for the private endpoint of the Postgres server')
 param privateEndpointVnetId string = ''
 
+@description('The name of the service keyvault')
+param serviceKeyVaultName string
+
+@description('The resource group of the service keyvault')
+param serviceKeyVaultResourceGroup string
+
+@description('The name of the regional DNS zone')
+param regionalDNSZoneName string
+
+@description('The regional resourece group')
+param regionalResourceGroup string
+
+@description('The names of the ACR resource groups / will be refactored soon into dedicated ACR Resource IDs')
+param acrResourceGroupNames array = []
+
+//
+// P O S T G R E S
+//
+
 resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
 name: '${postgresServerName}-db-admin-msi'
 location: location
 }
 
-module postgres 'postgres/postgres.bicep' = {
+module postgres 'postgres/postgres.bicep' = if (deployPostgres) {
 name: '${deployment().name}-postgres'
 params: {
 name: postgresServerName
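Review bot: `postgresAdminManagedIdentity` is still created unconditionally while the `postgres` module directly below it is now guarded by `deployPostgres`, so a deployment with `deployPostgres = false` leaves a `-db-admin-msi` identity behind that the guarded modules never use; unless the identity is referenced somewhere outside this hunk, guarding it the same way, `resource postgresAdminManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployPostgres) {`, keeps the set of live identities down to what the deployment actually needs. The new `@description` on `regionalResourceGroup` has a typo; it should read `@description('The regional resource group')`. The description of `acrResourceGroupNames` should also say what an empty entry means, since the module later skips it: `@description('Names of the ACR resource groups CS needs token-management access to; empty entries are skipped')`.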
@@ -79,7 +104,7 @@ module postgres 'postgres/postgres.bicep' = {
 // Create DB user for the clusters-service managed identity and enable entra authentication
 //
 
-module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = {
+module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = if (deployPostgres) {
 name: '${deployment().name}-cs-db-access'
 params: {
 postgresServerName: postgresServerName
@@ -94,9 +119,53 @@ module csManagedIdentityDatabaseAccess 'postgres/postgres-access.bicep' = {
 }
 
 //
-// output
+// K E Y V A U L T A C C E S S
 //
 
-output postgresHostname string = postgres.outputs.hostname
-output csDatabaseName string = csDatabaseName
-output csDatabaseUsername string = clusterServiceManagedIdentityName
+module csServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = {
+ name: guid(serviceKeyVaultName, 'cs', 'read')
+ scope: resourceGroup(serviceKeyVaultResourceGroup)
+ params: {
+ keyVaultName: serviceKeyVaultName
+ roleName: 'Key Vault Secrets User'
+ managedIdentityPrincipalId: clusterServiceManagedIdentityPrincipalId
+ }
+}
+
+//
+// D N S
+//
+
+module csDnsZoneContributor '../modules/dns/zone-contributor.bicep' = {
+ name: guid(regionalDNSZoneName, clusterServiceManagedIdentityPrincipalId)
+ scope: resourceGroup(regionalResourceGroup)
+ params: {
+ zoneName: regionalDNSZoneName
+ zoneContributerManagedIdentityPrincipalId: clusterServiceManagedIdentityPrincipalId
+ }
+}
+
+//
+// O C P A C R P E R M I S S I O N S
+//
+
+resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [
+ for rg in acrResourceGroupNames: if (rg != '') {
+ // temp hack for MSFT pipelines
+ name: rg
+ scope: subscription()
+ }
+]
+
+module acrManageTokenRole '../modules/acr-permissions.bicep' = [
+ for (_, i) in acrResourceGroupNames: if (acrResourceGroupNames[i] != '') {
+ // temp hack for MSFT pipelines
+ name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
+ scope: clustersServiceAcrResourceGroups[i]
+ params: {
+ principalId: clusterServiceManagedIdentityPrincipalId
+ grantManageTokenAccess: true
+ acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
+ }
+ }
+]
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index 112d76097..fa7d51306 100644
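Review bot: The outputs `postgresHostname`, `csDatabaseName` and `csDatabaseUsername` are removed from the module without a replacement, so anything that read `cs.outputs.*` from svc-cluster.bicep or downstream deployment config will break; the commit does not show where they were consumed, so please confirm nothing does. If they are reinstated, the hostname output has to respect the new guard because `postgres` is now conditional, e.g. `output postgresHostname string = deployPostgres ? postgres.outputs.hostname : ''`. The two `// temp hack for MSFT pipelines` comments on `clustersServiceAcrResourceGroups` and `acrManageTokenRole` would be more useful if they named the hack, e.g. `// an empty name means no ACR token-management role is granted (MSFT pipelines pass no ACR resource group yet)`, so the empty-string sentinel that gates this privileged assignment is not lost when the param is refactored to resource IDs.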
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -75,8 +75,8 @@ param maestroCertDomain string
 @description('The name of the eventgrid namespace for Maestro.')
 param maestroEventGridNamespacesName string
 
-@description('Deploy ARO HCP CS Infrastructure if true')
-param deployCsInfra bool
+@description('Deploy CS Postgres if true')
+param csPostgresDeploy bool
 
 @description('The name of the Postgres server for CS')
 @maxLength(60)
@@ -304,7 +304,7 @@ var csManagedIdentityPrincipalId = filter(
 id => id.uamiName == clusterServiceMIName
 )[0].uamiPrincipalID
 
-module cs '../modules/cluster-service.bicep' = if (deployCsInfra) {
+module cs '../modules/cluster-service.bicep' = {
 name: 'cluster-service'
 params: {
 location: location
@@ -312,58 +312,23 @@ module cs '../modules/cluster-service.bicep' = if (deployCsInfra) {
 postgresServerMinTLSVersion: csPostgresServerMinTLSVersion
 privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
 privateEndpointVnetId: svcCluster.outputs.aksVnetId
+ deployPostgres: csPostgresDeploy
 postgresServerPrivate: clusterServicePostgresPrivate
 clusterServiceManagedIdentityPrincipalId: csManagedIdentityPrincipalId
 clusterServiceManagedIdentityName: clusterServiceMIName
+ serviceKeyVaultName: serviceKeyVaultName
+ serviceKeyVaultResourceGroup: serviceKeyVaultResourceGroup
+ regionalDNSZoneName: regionalDNSZoneName
+ regionalResourceGroup: regionalResourceGroup
+ acrResourceGroupNames: clustersServiceAcrResourceGroupNames
 }
 dependsOn: [
 maestroServer
 svcCluster
- ]
-}
-
-module csServiceKeyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = {
- name: guid(serviceKeyVaultName, 'cs', 'read')
- scope: resourceGroup(serviceKeyVaultResourceGroup)
- params: {
- keyVaultName: serviceKeyVaultName
- roleName: 'Key Vault Secrets User'
- managedIdentityPrincipalId: csManagedIdentityPrincipalId
- }
- dependsOn: [
 serviceKeyVault
- svcCluster
 ]
 }
 
-module csDnsZoneContributor '../modules/dns/zone-contributor.bicep' = {
- name: guid(regionalDNSZoneName, svcCluster.name, 'cs')
- scope: resourceGroup(regionalResourceGroup)
- params: {
- zoneName: regionalDNSZoneName
- zoneContributerManagedIdentityPrincipalId: csManagedIdentityPrincipalId
- }
-}
-
-resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [
- for rg in clustersServiceAcrResourceGroupNames: {
- name: rg
- scope: subscription()
- }
-]
-
-module acrManageTokenRole '../modules/acr-permissions.bicep' = [
- for (_, i) in clustersServiceAcrResourceGroupNames: {
- name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
- scope: clustersServiceAcrResourceGroups[i]
- params: {
- principalId: 
csManagedIdentityPrincipalId
- grantManageTokenAccess: true
- acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
- }
- }
-]
-
 // oidc
 module oidc '../modules/oidc/main.bicep' = {

From f1ca6c34f3fc4cdd537253cc0da5139790b0fb8a Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Wed, 27 Nov 2024 17:15:00 +0100
Subject: [PATCH 2/2] fix

Signed-off-by: Gerd Oberlechner
---
 config/config.msft.yaml | 2 +-
 config/public-cloud-msft-int.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 0a442823b..f3d375778 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -69,7 +69,7 @@ defaults:
 # Cluster Service
 clusterService:
 #acrRG: '{{ .ctx.region }}-shared-resources'
- acrRg: ''
+ acrRG: ''
 postgres:
 name: arohcp-cs-{{ .ctx.regionShort }}
 deploy: true
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index e49ea3bed..dc258e0bd 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -5,7 +5,7 @@
 "baseDnsZoneName": "aro-hcp.azure-test.net'",
 "baseDnsZoneRG": "westus3-shared-resources",
 "clusterService": {
- "acrRG": "westus3-shared-resources",
+ "acrRG": "",
 "imageRepo": "app-sre/uhc-clusters-service",
 "imageTag": "aac7623",
 "postgres": {
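Review bot: In the svc-cluster.bicep hunk at `@@ -312,58 +312,23 @@`, the `cs` module's `dependsOn` still lists `svcCluster` even though the params already reference `svcCluster.outputs.aksNodeSubnetId` and `svcCluster.outputs.aksVnetId`, which gives Bicep the dependency implicitly; the linter's no-unnecessary-dependson rule flags this, so `dependsOn: [ maestroServer serviceKeyVault ]` is sufficient (and if `maestroServer` is likewise referenced in the params above this hunk, it can go too). The `cs` module definition starts before this hunk, so that cannot be confirmed from here. The ordering the deleted `csServiceKeyVaultAccess` module expressed with its own `dependsOn: [ serviceKeyVault ... ]` is now carried only by the outer module, which is worth a comment next to `serviceKeyVault`, e.g. `// the key vault must exist before the nested csServiceKeyVaultAccess role assignment`.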