Removes Radix CR Reader (#1569)

* Removes Radix CR Reader

* Removes Radix CR Reader

scripts/radix-zone/base-infrastructure/bootstrap.sh

@@ -160,7 +160,6 @@ echo -e "   -  AZ_IPPRE_INBOUND_LENGTH                     : $AZ_IPPRE_INBOUND_L
 echo -e "   -  AZ_RESOURCE_CONTAINER_REGISTRY              : $AZ_RESOURCE_CONTAINER_REGISTRY"
 echo -e "   -  AZ_RESOURCE_DNS                             : $AZ_RESOURCE_DNS"
 echo -e ""
-echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER    : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD      : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 echo -e "   -  APP_REGISTRATION_WEB_CONSOLE                : $APP_REGISTRATION_WEB_CONSOLE"
 echo -e "   -  APP_REGISTRATION_GRAFANA                    : $APP_REGISTRATION_GRAFANA"
@@ -232,7 +231,7 @@ function create_common_resources() {
             --tag "issue" \
             --value "letsencrypt.org" \
             --output none
-        
+
         az network dns record-set caa add-record \
             --resource-group "${AZ_RESOURCE_GROUP_COMMON}" \
             --zone-name "${AZ_RESOURCE_DNS}" \
@@ -242,7 +241,7 @@ function create_common_resources() {
             --tag "issue" \
             --value "digicert.com" \
             --output none
-        
+
         az network dns record-set caa add-record \
             --resource-group "${AZ_RESOURCE_GROUP_COMMON}" \
             --zone-name "${AZ_RESOURCE_DNS}" \
@@ -425,7 +424,6 @@ EOF
 
 # Create service principals
 function create_base_system_users_and_store_credentials() {
-    create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Service principal that provide read-only access to container registry"
     create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Service principal that provide push, pull, build in container registry"
     create_service_principal_and_store_credentials "$APP_REGISTRATION_GRAFANA" "Grafana OAuth"
     create_service_principal_and_store_credentials "$APP_REGISTRATION_WEB_CONSOLE" "Used by web console for login and other AD information"
@@ -441,9 +439,9 @@ function create_servicenow_proxy_server_app_registration() {
         "value":"Application.Read",
         "type":"User",
         "isEnabled":true,
-        "userConsentDescription":"Allows the app to read ServiceNow applications", 
+        "userConsentDescription":"Allows the app to read ServiceNow applications",
         "userConsentDisplayName":"Read applications from ServiceNow",
-        "adminConsentDescription":"Allows the app to read ServiceNow applications", 
+        "adminConsentDescription":"Allows the app to read ServiceNow applications",
         "adminConsentDisplayName":"Read applications from ServiceNow"
     }
 ]

scripts/radix-zone/base-infrastructure/lib_acr.sh

@@ -3,7 +3,7 @@
 
 #######################################################################################
 ### PURPOSE
-### 
+###
 
 # Library for often used ACR functions.
 
@@ -68,13 +68,6 @@ function set_permissions_on_acr() {
     local id
     printf "Working on container registry \"${AZ_RESOURCE_CONTAINER_REGISTRY}\": "
 
-    printf "Setting permissions for \"${AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER}\"..." # radix-cr-reader-dev
-    id="$(az ad sp list --display-name ${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD} --query [].appId --output tsv)"
-    # Delete any existing roles
-    az role assignment delete --assignee "${id}" --scope "${scope}" --output none
-    # Configure new roles
-    az role assignment create --assignee "${id}" --role AcrPull --scope "${scope}" --output none
-
     printf "Setting permissions for \"${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}\"..." # radix-cr-cicd-dev
     id="$(az ad sp list --filter "displayname eq '${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}'" --query [].appId --output tsv)"
     # Delete any existing roles
@@ -253,12 +246,12 @@ stepTimeout: 3600
 steps:
   - cmd: buildx create --use # start buildkit
   - cmd: >-
-      buildx build {{.Values.PUSH}} {{.Values.CACHE}} 
-      {{.Values.TAGS}} 
-      --file {{.Values.DOCKER_FILE_NAME}} 
-      --cache-from=type=registry,ref={{.Values.DOCKER_REGISTRY}}.azurecr.io/{{.Values.REPOSITORY_NAME}}:radix-cache-{{.Values.BRANCH}} {{.Values.CACHE_TO_OPTIONS}} 
-      . 
-      {{.Values.BUILD_ARGS}} 
+      buildx build {{.Values.PUSH}} {{.Values.CACHE}}
+      {{.Values.TAGS}}
+      --file {{.Values.DOCKER_FILE_NAME}}
+      --cache-from=type=registry,ref={{.Values.DOCKER_REGISTRY}}.azurecr.io/{{.Values.REPOSITORY_NAME}}:radix-cache-{{.Values.BRANCH}} {{.Values.CACHE_TO_OPTIONS}}
+      .
+      {{.Values.BUILD_ARGS}}
 EOF
     printf "Create ACR Task for internal use: ${TASK_NAME} in ACR: ${ACR_NAME}..."
     az acr task create \
@@ -299,7 +292,7 @@ function add_task_credential() {
     local TASK_NAME="$1"
     local ACR_NAME="$2"
     printf "Add credentials for system-assigned identity to task: ${TASK_NAME}..."
-    if [[ 
+    if [[
         $(az acr task credential list --registry ${ACR_NAME} --name ${TASK_NAME} | jq '.["'${ACR_NAME}'.azurecr.io"].identity') == null ||
         -z $(az acr task credential list --registry ${ACR_NAME} --name ${TASK_NAME} | jq '.["'${ACR_NAME}'.azurecr.io"].identity')
     ]]; then
@@ -368,4 +361,4 @@ function run_task() {
     echo $? # Exit code of last executed command.
 
     echo "Done."
-}
+}

scripts/radix-zone/base-infrastructure/teardown.sh

@@ -2,14 +2,14 @@
 
 #######################################################################################
 ### PURPOSE
-### 
+###
 
 # Tear down radix zone infrastructure
 
 
 #######################################################################################
 ### INPUTS
-### 
+###
 
 # Required:
 # - RADIX_ZONE_ENV      : Path to *.env file
@@ -20,14 +20,14 @@
 
 #######################################################################################
 ### HOW TO USE
-### 
+###
 
 # RADIX_ZONE_ENV=../radix_zone_playground.env ./teardown.sh
 
 
 #######################################################################################
 ### START
-### 
+###
 
 echo ""
 echo "Start tear down of Radix Zone... "
@@ -111,7 +111,6 @@ printf "\n"
 printf "\n   -  AZ_RESOURCE_AAD_SERVER                      : $AZ_RESOURCE_AAD_SERVER"
 printf "\n   -  AZ_RESOURCE_AAD_CLIENT                      : $AZ_RESOURCE_AAD_CLIENT"
 printf "\n"
-printf "\n   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER    : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 printf "\n   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD      : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 printf "\n   -  AZ_SYSTEM_USER_CLUSTER                      : $AZ_SYSTEM_USER_CLUSTER"
 printf "\n"
@@ -139,7 +138,6 @@ fi
 ### Remove infrastructure
 ###
 
-delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CLUSTER"
 
@@ -155,7 +153,7 @@ printf "...Done.\n"
 
 printf "Working on resource groups: \n"
 printf "Deleting ${AZ_RESOURCE_GROUP_CLUSTERS}...\n"
-az group delete --yes --name "${AZ_RESOURCE_GROUP_CLUSTERS}" --output none 
+az group delete --yes --name "${AZ_RESOURCE_GROUP_CLUSTERS}" --output none
 printf "Deleting ${AZ_RESOURCE_GROUP_COMMON}...\n"
 az group delete --yes --name "${AZ_RESOURCE_GROUP_COMMON}" --output none
 printf "Deleting ${AZ_RESOURCE_GROUP_MONITORING}...\n"
@@ -169,4 +167,4 @@ printf "...Done.\n"
 ###
 
 echo ""
-echo "Teardown done!"
+echo "Teardown done!"

scripts/radix-zone/radix_zone_c2.env

@@ -94,7 +94,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
 ### System users
 ###
 
-AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
 AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
 AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
 AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"

scripts/radix-zone/radix_zone_dev.env

@@ -96,7 +96,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
 ### System users
 ###
 
-AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
 AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
 AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
 AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"

scripts/radix-zone/radix_zone_playground.env

@@ -95,7 +95,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
 ### System users
 ###
 
-AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
 AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
 AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
 AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"

scripts/radix-zone/radix_zone_prod.env

@@ -95,7 +95,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=8
 ### System users
 ###
 
-AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-platform"
 AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-platform"
 AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
 AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"

scripts/radix-zone/radix_zone_test.env

@@ -73,7 +73,6 @@ AZ_RESOURCE_DNS="${RADIX_ZONE}.radix.equinor.com"
 ### System users
 ###
 
-AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
 AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
 AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 

scripts/service-principals-and-aad-apps/bootstrap.sh

@@ -119,7 +119,6 @@ echo -e "   -  RADIX_ENVIRONMENT                        : $RADIX_ENVIRONMENT"
 echo -e ""
 echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
-echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD   : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 echo -e ""
 echo -e "   > WHO:"
@@ -150,7 +149,6 @@ fi
 ### Create service principal
 ###
 
-create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Provide read-only access to container registry"
 create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Provide push, pull, build in container registry"
 
 #######################################################################################

scripts/service-principals-and-aad-apps/teardown.sh

@@ -3,14 +3,14 @@
 
 #######################################################################################
 ### PURPOSE
-### 
+###
 
 # Teardown radix service principals: delete them and delete credentials in az keyvault
 
 
 #######################################################################################
 ### INPUTS
-### 
+###
 
 # Required:
 # - RADIX_ZONE_ENV      : Path to *.env file
@@ -21,14 +21,14 @@
 
 #######################################################################################
 ### HOW TO USE
-### 
+###
 
 # RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env ./teardown.sh
 
 
 #######################################################################################
 ### START
-### 
+###
 
 echo ""
 echo "Start teardown radix service principals... "
@@ -104,7 +104,6 @@ echo -e "   -  RADIX_ENVIRONMENT                        : $RADIX_ENVIRONMENT"
 echo -e ""
 echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
-echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD   : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 echo -e ""
 echo -e "   > WHO:"
@@ -142,7 +141,6 @@ function delete_service_principal() {
     printf "Done.\n"
 }
 
-delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 
 
@@ -152,4 +150,4 @@ delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 
 
 echo ""
-echo "Teardown of radix service principals done!"
+echo "Teardown of radix service principals done!"

terraform/subscriptions/modules/acr/main.tf

@@ -107,12 +107,6 @@ resource "azurerm_role_assignment" "env" {
   principal_id         = var.radix_cr_cicd
 }
 
-resource "azurerm_role_assignment" "env_pull" {
-  scope                = azurerm_container_registry.env.id
-  role_definition_name = "AcrPull"
-  principal_id         = var.radix_cr_reader
-}
-
 resource "azurerm_private_endpoint" "env" {
   name                = var.acr == "c2" ? "pe-radix-acr-c2prod" : "pe-radix-acr-${var.acr}"
   resource_group_name = var.vnet_resource_group

terraform/subscriptions/modules/acr/variables.tf

@@ -162,8 +162,3 @@ variable "radix_cr_cicd" {
   type        = string
   description = "ID of radix-cr Contributor"
 }
-
-variable "radix_cr_reader" {
-  type        = string
-  description = "ID of radix-cr Reader"
-}

terraform/subscriptions/s940/c2/common/main.tf

@@ -89,7 +89,6 @@ module "acr" {
   subnet_id            = data.azurerm_subnet.this.id
   dockercredentials_id = "/subscriptions/${module.config.subscription}/resourceGroups/${module.config.common_resource_group}/providers/Microsoft.ContainerRegistry/registries/radix${module.config.environment}cache/credentialSets/radix-service-account-docker"
   radix_cr_cicd        = module.radix-cr-cicd.azuread_service_principal_id
-  radix_cr_reader      = module.radix-cr-reader.azuread_service_principal_id
 }
 
 module "radix-id-acr-workflows" {
@@ -239,18 +238,6 @@ module "radix-cr-cicd" {
   }
 }
 
-module "radix-cr-reader" {
-  source       = "../../../modules/app_registration"
-  display_name = "radix-cr-reader-${module.config.environment}"
-  service_id   = "110327"
-  owners       = keys(jsondecode(data.azurerm_key_vault_secret.radixowners.value))
-  expose_API   = true
-  implicit_grant = {
-    access_token_issuance_enabled = false
-    id_token_issuance_enabled     = true
-  }
-}
-
 output "workspace_id" {
   value = module.loganalytics.workspace_id
 }