Remove outdated AppRegistrations (#1566)

* Remove outdated AppRegistrations

* Remove Lock Operator

scripts/radix-zone/radix_zone_c2.env

@@ -101,8 +101,6 @@ AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
 
 # App registrations
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
-APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
-APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"
 
 # Managed identities: id-<appname>-<production|playground|development>-<region name>
 # MI_AKS="id-radix-aks-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"

scripts/radix-zone/radix_zone_dev.env

@@ -106,14 +106,11 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_GRAFANA="radix-ar-grafana-${CLUSTER_TYPE}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="radix-ar-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
-APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
-APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"
 
 # Managed identities: id-<appname>-<production|playground|development>-<region name>
 MI_AKS="id-radix-aks-${CLUSTER_TYPE}-${AZ_LOCATION}"
 MI_AKSKUBELET="id-radix-akskubelet-${CLUSTER_TYPE}-${AZ_LOCATION}"
 # MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-${AZ_LOCATION}"
-MI_GITHUB_MAINTENANCE="radix-github-maintenance"
 
 #######################################################################################
 ### Key vault secrets

scripts/radix-zone/radix_zone_playground.env

@@ -104,8 +104,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
-APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
-APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"
 
 # Managed identities: id-<appname>-<production|playground|development>-<region name>
 MI_AKS="id-radix-aks-${CLUSTER_TYPE}-northeurope"

scripts/radix-zone/radix_zone_prod.env

@@ -104,8 +104,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
-APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
-APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"
 
 # Managed identities: id-<appname>-<production|playground|development>-<region name>
 MI_AKS="id-radix-aks-${CLUSTER_TYPE}-northeurope"

scripts/service-principals-and-aad-apps/bootstrap.sh

@@ -121,10 +121,6 @@ echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD   : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
-if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then
-    echo -e "   -  MI_GITHUB_MAINTENANCE                    : ${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}"
-fi
-echo -e "   -  RESOURCE-LOCK-OPERATOR                   : ${APP_REGISTRATION_RESOURCE_LOCK_OPERATOR}"
 echo -e ""
 echo -e "   > WHO:"
 echo -e "   -------------------------------------------------------------------"
@@ -157,69 +153,6 @@ fi
 create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Provide read-only access to container registry"
 create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Provide push, pull, build in container registry"
 
-#######################################################################################
-### Create managed identity
-###
-
-create_github_maintenance_mi() {
-    permission=(
-        "Microsoft.Authorization/roleAssignments/write"
-        "Microsoft.ContainerService/managedClusters/write"
-        "Microsoft.Insights/dataCollectionRuleAssociations/write"
-        "Microsoft.Insights/dataCollectionRules/read"
-        "Microsoft.Insights/dataCollectionRules/write"
-        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
-        "Microsoft.Network/dnszones/A/read"
-        "Microsoft.Network/dnszones/A/write"
-        "Microsoft.Network/publicIPAddresses/join/action"
-        "Microsoft.Network/virtualNetworks/subnets/join/action"
-        "Microsoft.OperationalInsights/workspaces/read"
-        "Microsoft.OperationalInsights/workspaces/sharedKeys/action"
-        "Microsoft.OperationalInsights/workspaces/sharedkeys/read"
-        "Microsoft.OperationsManagement/solutions/read"
-        "Microsoft.OperationsManagement/solutions/write"
-    )
-    permission_json=$(jq -c -n '$ARGS.positional' --args "${permission[@]}")
-
-    scopes=(
-        "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-        "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}"
-        "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_LOGS}"
-    )
-    scopes_json=$(jq -c -n '$ARGS.positional' --args "${scopes[@]}")
-
-    role_name="radix-maintenance"
-
-    create-az-role "${role_name}" "Permission needed for cluster maintenance" "$permission_json" "$scopes_json"
-    create_managed_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}"
-    create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${AKS_COMMAND_RUNNER_ROLE_NAME}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-    create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-    create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}"
-    create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_LOGS}"
-    add-federated-gh-credentials "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "radix-flux" "master" "maintenance-${RADIX_ENVIRONMENT}"
-
-    MI_ID=$(az ad sp list --display-name "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" --query [].appId --output tsv)
-    gh_federated_credentials "radix-flux" "${MI_ID}" "${AZ_SUBSCRIPTION_ID}" "maintenance-${RADIX_ENVIRONMENT}"
-}
-
-#######################################################################################
-### Create OIDC
-###
-
-create_github_resource_lock_operator() {
-    create_oidc_and_federated_credentials "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "lock-operations-${RADIX_ENVIRONMENT}"
-    assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Omnia Authorization Locks Operator" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-    assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Reader" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}/providers/Microsoft.KeyVault/vaults/${AZ_RESOURCE_KEYVAULT}"
-    # set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get"
-}
-
-if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then
-    create_oidc_and_federated_credentials "$APP_REGISTRATION_GITHUB_MAINTENANCE" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "operations"
-    create_github_maintenance_mi
-fi
-
-create_github_resource_lock_operator
-
 #######################################################################################
 ### END
 ###

terraform/subscriptions/s940/c2/post-clusters/backend.tf

@@ -40,14 +40,6 @@ module "clusters" {
   subscription        = module.config.subscription
 }
 
-data "azuread_service_principal" "this" {
-  display_name = "ar-radix-resource-lock-operator-prod"
-}
-
-data "azurerm_role_definition" "this" {
-  name = "Omnia Authorization Locks Operator"
-}
-
 data "azurerm_key_vault_secret" "radixowners" {
   name         = "radixowners"
   key_vault_id = module.config.backend.ip_key_vault_id

terraform/subscriptions/s940/prod/post-clusters/backend.tf

@@ -36,14 +36,6 @@ module "clusters" {
   subscription        = module.config.subscription
 }
 
-data "azuread_service_principal" "this" {
-  display_name = "ar-radix-resource-lock-operator-prod"
-}
-
-data "azurerm_role_definition" "this" {
-  name = "Omnia Authorization Locks Operator"
-}
-
 data "azurerm_key_vault_secret" "radixowners" {
   name         = "radixowners"
   key_vault_id = module.config.backend.ip_key_vault_id