From cccd8aef8fc8022048bb2ea46543fd6aa2892d84 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 19 Dec 2024 12:36:19 +0100 Subject: [PATCH 1/2] Remove outdated AppRegistrations --- scripts/radix-zone/radix_zone_c2.env | 2 - scripts/radix-zone/radix_zone_dev.env | 3 - scripts/radix-zone/radix_zone_playground.env | 2 - scripts/radix-zone/radix_zone_prod.env | 2 - .../bootstrap.sh | 67 ------------------- 5 files changed, 76 deletions(-) diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env index 321e9dd33..364daa8c4 100644 --- a/scripts/radix-zone/radix_zone_c2.env +++ b/scripts/radix-zone/radix_zone_c2.env @@ -101,8 +101,6 @@ AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}" # App registrations APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary" -APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance" -APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}" # Managed identities: id--- # MI_AKS="id-radix-aks-${RADIX_ZONE}-${RADIX_ENVIRONMENT}" diff --git a/scripts/radix-zone/radix_zone_dev.env b/scripts/radix-zone/radix_zone_dev.env index 458be2511..c03d0ee1c 100644 --- a/scripts/radix-zone/radix_zone_dev.env +++ b/scripts/radix-zone/radix_zone_dev.env @@ -106,14 +106,11 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}" APP_REGISTRATION_GRAFANA="radix-ar-grafana-${CLUSTER_TYPE}" APP_REGISTRATION_NETWORKPOLICY_CANARY="radix-ar-networkpolicy-canary" APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}" -APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance" -APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}" # Managed identities: id--- MI_AKS="id-radix-aks-${CLUSTER_TYPE}-${AZ_LOCATION}" MI_AKSKUBELET="id-radix-akskubelet-${CLUSTER_TYPE}-${AZ_LOCATION}" # MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-${AZ_LOCATION}" -MI_GITHUB_MAINTENANCE="radix-github-maintenance" ####################################################################################### ### Key vault secrets diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env index b9bf4f757..15a8b24c9 100644 --- a/scripts/radix-zone/radix_zone_playground.env +++ b/scripts/radix-zone/radix_zone_playground.env @@ -104,8 +104,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}" # App registrations APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary" APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}" -APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance" -APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}" # Managed identities: id--- MI_AKS="id-radix-aks-${CLUSTER_TYPE}-northeurope" diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env index 487068c26..a20d9684e 100644 --- a/scripts/radix-zone/radix_zone_prod.env +++ b/scripts/radix-zone/radix_zone_prod.env @@ -104,8 +104,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}" # App registrations APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary" APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}" -APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance" -APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}" # Managed identities: id--- MI_AKS="id-radix-aks-${CLUSTER_TYPE}-northeurope" diff --git a/scripts/service-principals-and-aad-apps/bootstrap.sh b/scripts/service-principals-and-aad-apps/bootstrap.sh index 9f28d6713..b6b5548af 100755 --- a/scripts/service-principals-and-aad-apps/bootstrap.sh +++ b/scripts/service-principals-and-aad-apps/bootstrap.sh @@ -121,10 +121,6 @@ echo -e " > WHAT:" echo -e " -------------------------------------------------------------------" echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" -if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then - echo -e " - MI_GITHUB_MAINTENANCE : ${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" -fi -echo -e " - RESOURCE-LOCK-OPERATOR : ${APP_REGISTRATION_RESOURCE_LOCK_OPERATOR}" echo -e "" echo -e " > WHO:" echo -e " -------------------------------------------------------------------" @@ -157,69 +153,6 @@ fi create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Provide read-only access to container registry" create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Provide push, pull, build in container registry" -####################################################################################### -### Create managed identity -### - -create_github_maintenance_mi() { - permission=( - "Microsoft.Authorization/roleAssignments/write" - "Microsoft.ContainerService/managedClusters/write" - "Microsoft.Insights/dataCollectionRuleAssociations/write" - "Microsoft.Insights/dataCollectionRules/read" - "Microsoft.Insights/dataCollectionRules/write" - "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action" - "Microsoft.Network/dnszones/A/read" - "Microsoft.Network/dnszones/A/write" - "Microsoft.Network/publicIPAddresses/join/action" - "Microsoft.Network/virtualNetworks/subnets/join/action" - "Microsoft.OperationalInsights/workspaces/read" - "Microsoft.OperationalInsights/workspaces/sharedKeys/action" - "Microsoft.OperationalInsights/workspaces/sharedkeys/read" - "Microsoft.OperationsManagement/solutions/read" - "Microsoft.OperationsManagement/solutions/write" - ) - permission_json=$(jq -c -n '$ARGS.positional' --args "${permission[@]}") - - scopes=( - "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}" - "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}" - "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_LOGS}" - ) - scopes_json=$(jq -c -n '$ARGS.positional' --args "${scopes[@]}") - - role_name="radix-maintenance" - - create-az-role "${role_name}" "Permission needed for cluster maintenance" "$permission_json" "$scopes_json" - create_managed_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" - create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${AKS_COMMAND_RUNNER_ROLE_NAME}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}" - create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}" - create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}" - create_role_assignment_for_identity "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "${role_name}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_LOGS}" - add-federated-gh-credentials "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" "radix-flux" "master" "maintenance-${RADIX_ENVIRONMENT}" - - MI_ID=$(az ad sp list --display-name "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMENT}" --query [].appId --output tsv) - gh_federated_credentials "radix-flux" "${MI_ID}" "${AZ_SUBSCRIPTION_ID}" "maintenance-${RADIX_ENVIRONMENT}" -} - -####################################################################################### -### Create OIDC -### - -create_github_resource_lock_operator() { - create_oidc_and_federated_credentials "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "lock-operations-${RADIX_ENVIRONMENT}" - assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Omnia Authorization Locks Operator" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}" - assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Reader" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}/providers/Microsoft.KeyVault/vaults/${AZ_RESOURCE_KEYVAULT}" - # set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get" -} - -if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then - create_oidc_and_federated_credentials "$APP_REGISTRATION_GITHUB_MAINTENANCE" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "operations" - create_github_maintenance_mi -fi - -create_github_resource_lock_operator - ####################################################################################### ### END ### From e9017a5c774589b337cfc34c193eebaecf891ce0 Mon Sep 17 00:00:00 2001 From: Richard87 Date: Thu, 19 Dec 2024 12:39:52 +0100 Subject: [PATCH 2/2] Remove Lock Operator --- .../subscriptions/s940/c2/post-clusters/backend.tf | 8 -------- .../subscriptions/s940/c2/post-clusters/rbac.tf | 12 ------------ .../subscriptions/s940/prod/post-clusters/backend.tf | 8 -------- .../subscriptions/s940/prod/post-clusters/rbac.tf | 12 ------------ 4 files changed, 40 deletions(-) delete mode 100644 terraform/subscriptions/s940/c2/post-clusters/rbac.tf delete mode 100644 terraform/subscriptions/s940/prod/post-clusters/rbac.tf diff --git a/terraform/subscriptions/s940/c2/post-clusters/backend.tf b/terraform/subscriptions/s940/c2/post-clusters/backend.tf index 4bf5b562e..33de7962b 100644 --- a/terraform/subscriptions/s940/c2/post-clusters/backend.tf +++ b/terraform/subscriptions/s940/c2/post-clusters/backend.tf @@ -40,14 +40,6 @@ module "clusters" { subscription = module.config.subscription } -data "azuread_service_principal" "this" { - display_name = "ar-radix-resource-lock-operator-prod" -} - -data "azurerm_role_definition" "this" { - name = "Omnia Authorization Locks Operator" -} - data "azurerm_key_vault_secret" "radixowners" { name = "radixowners" key_vault_id = module.config.backend.ip_key_vault_id diff --git a/terraform/subscriptions/s940/c2/post-clusters/rbac.tf b/terraform/subscriptions/s940/c2/post-clusters/rbac.tf deleted file mode 100644 index 07799a351..000000000 --- a/terraform/subscriptions/s940/c2/post-clusters/rbac.tf +++ /dev/null @@ -1,12 +0,0 @@ -data "azurerm_kubernetes_cluster" "this" { - for_each = module.clusters.oidc_issuer_url - name = each.key - resource_group_name = module.config.cluster_resource_group -} - -resource "azurerm_role_assignment" "cluster" { - for_each = module.clusters.oidc_issuer_url - scope = data.azurerm_kubernetes_cluster.this[each.key].id - role_definition_id = "/subscriptions/${module.config.subscription}${data.azurerm_role_definition.this.role_definition_id}" - principal_id = data.azuread_service_principal.this.object_id -} diff --git a/terraform/subscriptions/s940/prod/post-clusters/backend.tf b/terraform/subscriptions/s940/prod/post-clusters/backend.tf index 13f989060..3e6d17f65 100644 --- a/terraform/subscriptions/s940/prod/post-clusters/backend.tf +++ b/terraform/subscriptions/s940/prod/post-clusters/backend.tf @@ -36,14 +36,6 @@ module "clusters" { subscription = module.config.subscription } -data "azuread_service_principal" "this" { - display_name = "ar-radix-resource-lock-operator-prod" -} - -data "azurerm_role_definition" "this" { - name = "Omnia Authorization Locks Operator" -} - data "azurerm_key_vault_secret" "radixowners" { name = "radixowners" key_vault_id = module.config.backend.ip_key_vault_id diff --git a/terraform/subscriptions/s940/prod/post-clusters/rbac.tf b/terraform/subscriptions/s940/prod/post-clusters/rbac.tf deleted file mode 100644 index f9da85246..000000000 --- a/terraform/subscriptions/s940/prod/post-clusters/rbac.tf +++ /dev/null @@ -1,12 +0,0 @@ -data "azurerm_kubernetes_cluster" "this" { - for_each = module.clusters.oidc_issuer_url - name = each.key - resource_group_name = "clusters" #TODO with code below after cluster in new RG module.config.cluster_resource_group -} - -resource "azurerm_role_assignment" "cluster" { - for_each = module.clusters.oidc_issuer_url - scope = data.azurerm_kubernetes_cluster.this[each.key].id - role_definition_id = "/subscriptions/${module.config.subscription}${data.azurerm_role_definition.this.role_definition_id}" - principal_id = data.azuread_service_principal.this.object_id -}