ARO-RP/cmd/aro/update_role_sets.go

package main

// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.

import (
	"context"
	"fmt"
	"os"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"
	"github.com/sirupsen/logrus"

	"github.com/Azure/ARO-RP/pkg/api"
	"github.com/Azure/ARO-RP/pkg/database"
	"github.com/Azure/ARO-RP/pkg/env"
	"github.com/Azure/ARO-RP/pkg/metrics/statsd"
	"github.com/Azure/ARO-RP/pkg/util/encryption"
	"github.com/Azure/ARO-RP/pkg/util/keyvault"
)

// 1 - Get env data from agent VMs (with getEnvironmentData)
func getRoleSetsFromEnv() ([]api.PlatformWorkloadIdentityRoleSet, error) {
	const envKey = envPlatformWorkloadIdentityRoleSets
	var roleSets []api.PlatformWorkloadIdentityRoleSet

	// Unmarshal env data into type api.PlatformWorkloadIdentityRoleSet
	if err := getEnvironmentData(envKey, &roleSets); err != nil {
		return nil, err
	}

	return roleSets, nil
}

func getPlatformWorkloadIdentityRoleSetDatabase(ctx context.Context, log *logrus.Entry) (database.PlatformWorkloadIdentityRoleSets, error) {
	_env, err := env.NewCore(ctx, log, env.COMPONENT_UPDATE_ROLE_SETS)
	if err != nil {
		return nil, err
	}

	msiToken, err := _env.NewMSITokenCredential()
	if err != nil {
		return nil, fmt.Errorf("MSI Authorizer failed with: %s", err.Error())
	}

	msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
	if err != nil {
		return nil, fmt.Errorf("MSI KeyVault Authorizer failed with: %s", err.Error())
	}

	m := statsd.New(ctx, log.WithField("component", "update-role-sets"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))

	keyVaultPrefix := os.Getenv(envKeyVaultPrefix)
	serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
	serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)

	aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)
	if err != nil {
		return nil, err
	}

	if err := env.ValidateVars(envDatabaseAccountName); err != nil {
		return nil, err
	}
	dbAccountName := os.Getenv(envDatabaseAccountName)
	clientOptions := &policy.ClientOptions{
		ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,
	}

	logrusEntry := log.WithField("component", "database")
	dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, logrusEntry, msiToken, clientOptions, _env.SubscriptionID(), _env.ResourceGroup(), dbAccountName)
	if err != nil {
		return nil, err
	}

	dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead, dbAccountName)
	if err != nil {
		return nil, err
	}

	dbName, err := DBName(_env.IsLocalDevelopmentMode())
	if err != nil {
		return nil, err
	}
	dbPlatformWorkloadIdentityRoleSets, err := database.NewPlatformWorkloadIdentityRoleSets(ctx, dbc, dbName)
	if err != nil {
		return nil, err
	}

	return dbPlatformWorkloadIdentityRoleSets, nil
}

func updatePlatformWorkloadIdentityRoleSetsInCosmosDB(ctx context.Context, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, log *logrus.Entry) error {
	// 2 - Get the existing role set documents, if existing
	// Mostly copied from update_ocp_versions.go
	existingRoleSets, err := dbPlatformWorkloadIdentityRoleSets.ListAll(ctx)
	if err != nil {
		return nil
	}

	incomingRoleSets, err := getRoleSetsFromEnv()
	if err != nil {
		return err
	}

	newRoleSets := make(map[string]api.PlatformWorkloadIdentityRoleSet)
	for _, doc := range incomingRoleSets {
		newRoleSets[doc.Properties.OpenShiftVersion] = doc
	}

	// 3 - Put/patch the new role sets to the doc, overwriting whatever is there for that version, or adding if new
	// Mostly copied from update_ocp_versions.go
	for _, doc := range existingRoleSets.PlatformWorkloadIdentityRoleSetDocuments {
		existing, found := newRoleSets[doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion]
		if found {
			log.Printf("Found Version %q, patching", existing.Properties.OpenShiftVersion)
			_, err := dbPlatformWorkloadIdentityRoleSets.Patch(ctx, doc.ID, func(inFlightDoc *api.PlatformWorkloadIdentityRoleSetDocument) error {
				inFlightDoc.PlatformWorkloadIdentityRoleSet = &existing
				return nil
			})
			if err != nil {
				return err
			}
			log.Printf("Version %q found", existing.Properties.OpenShiftVersion)
			delete(newRoleSets, existing.Properties.OpenShiftVersion)
			continue
		}

		log.Printf("Version %q not found, deleting", doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion)
		// Delete via changefeed
		_, err := dbPlatformWorkloadIdentityRoleSets.Patch(ctx, doc.ID,
			func(d *api.PlatformWorkloadIdentityRoleSetDocument) error {
				d.PlatformWorkloadIdentityRoleSet.Deleting = true
				d.TTL = 60
				return nil
			})
		if err != nil {
			return err
		}
	}

	for _, doc := range newRoleSets {
		log.Printf("Version %q not found in database, creating", doc.Properties.OpenShiftVersion)
		newDoc := api.PlatformWorkloadIdentityRoleSetDocument{
			ID:                              dbPlatformWorkloadIdentityRoleSets.NewUUID(),
			PlatformWorkloadIdentityRoleSet: &doc,
		}
		_, err := dbPlatformWorkloadIdentityRoleSets.Create(ctx, &newDoc)
		if err != nil {
			return err
		}
	}

	return nil
}

func updatePlatformWorkloadIdentityRoleSets(ctx context.Context, log *logrus.Entry) error {
	if err := env.ValidateVars("PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS"); err != nil {
		return err
	}

	if !env.IsLocalDevelopmentMode() {
		if err := env.ValidateVars("MDM_ACCOUNT", "MDM_NAMESPACE"); err != nil {
			return err
		}
	}

	dbRoleSets, err := getPlatformWorkloadIdentityRoleSetDatabase(ctx, log)
	if err != nil {
		return err
	}

	err = updatePlatformWorkloadIdentityRoleSetsInCosmosDB(ctx, dbRoleSets, log)
	if err != nil {
		return err
	}

	return nil
}
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`package main`

			`// Copyright (c) Microsoft Corporation.`
			`// Licensed under the Apache License 2.0.`

			`import (`
			`"context"`
			`"fmt"`
			`"os"`

			`"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy"`
			`"github.com/sirupsen/logrus"`

			`"github.com/Azure/ARO-RP/pkg/api"`
			`"github.com/Azure/ARO-RP/pkg/database"`
			`"github.com/Azure/ARO-RP/pkg/env"`
			`"github.com/Azure/ARO-RP/pkg/metrics/statsd"`
			`"github.com/Azure/ARO-RP/pkg/util/encryption"`
			`"github.com/Azure/ARO-RP/pkg/util/keyvault"`
			`)`

Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`// 1 - Get env data from agent VMs (with getEnvironmentData)`
			`func getRoleSetsFromEnv() ([]api.PlatformWorkloadIdentityRoleSet, error) {`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`const envKey = envPlatformWorkloadIdentityRoleSets`
Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`var roleSets []api.PlatformWorkloadIdentityRoleSet`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00
Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`// Unmarshal env data into type api.PlatformWorkloadIdentityRoleSet`
			`if err := getEnvironmentData(envKey, &roleSets); err != nil {`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`return nil, err`
			`}`

Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`return roleSets, nil`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`}`

			`func getPlatformWorkloadIdentityRoleSetDatabase(ctx context.Context, log *logrus.Entry) (database.PlatformWorkloadIdentityRoleSets, error) {`
Fix a few nits 2024-06-17 23:34:39 +03:00			`_env, err := env.NewCore(ctx, log, env.COMPONENT_UPDATE_ROLE_SETS)`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`if err != nil {`
			`return nil, err`
			`}`

			`msiToken, err := _env.NewMSITokenCredential()`
			`if err != nil {`
			`return nil, fmt.Errorf("MSI Authorizer failed with: %s", err.Error())`
			`}`

			`msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)`
			`if err != nil {`
			`return nil, fmt.Errorf("MSI KeyVault Authorizer failed with: %s", err.Error())`
			`}`

			`m := statsd.New(ctx, log.WithField("component", "update-role-sets"), _env, os.Getenv("MDM_ACCOUNT"), os.Getenv("MDM_NAMESPACE"), os.Getenv("MDM_STATSD_SOCKET"))`

			`keyVaultPrefix := os.Getenv(envKeyVaultPrefix)`
			`serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)`
			`serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)`

			`aead, err := encryption.NewMulti(ctx, serviceKeyvault, env.EncryptionSecretV2Name, env.EncryptionSecretName)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := env.ValidateVars(envDatabaseAccountName); err != nil {`
			`return nil, err`
			`}`
			`dbAccountName := os.Getenv(envDatabaseAccountName)`
			`clientOptions := &policy.ClientOptions{`
			`ClientOptions: _env.Environment().ManagedIdentityCredentialOptions().ClientOptions,`
			`}`

			`logrusEntry := log.WithField("component", "database")`
			`dbAuthorizer, err := database.NewMasterKeyAuthorizer(ctx, logrusEntry, msiToken, clientOptions, _env.SubscriptionID(), _env.ResourceGroup(), dbAccountName)`
			`if err != nil {`
			`return nil, err`
			`}`

			`dbc, err := database.NewDatabaseClient(log.WithField("component", "database"), _env, dbAuthorizer, m, aead, dbAccountName)`
			`if err != nil {`
			`return nil, err`
			`}`

			`dbName, err := DBName(_env.IsLocalDevelopmentMode())`
			`if err != nil {`
			`return nil, err`
			`}`
Fix a few nits 2024-06-17 23:34:39 +03:00			`dbPlatformWorkloadIdentityRoleSets, err := database.NewPlatformWorkloadIdentityRoleSets(ctx, dbc, dbName)`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`if err != nil {`
			`return nil, err`
			`}`

Fix a few nits 2024-06-17 23:34:39 +03:00			`return dbPlatformWorkloadIdentityRoleSets, nil`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`}`

			`func updatePlatformWorkloadIdentityRoleSetsInCosmosDB(ctx context.Context, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, log *logrus.Entry) error {`
Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`// 2 - Get the existing role set documents, if existing`
			`// Mostly copied from update_ocp_versions.go`
Fix a few nits 2024-06-17 23:34:39 +03:00			`existingRoleSets, err := dbPlatformWorkloadIdentityRoleSets.ListAll(ctx)`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`if err != nil {`
			`return nil`
			`}`

Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`incomingRoleSets, err := getRoleSetsFromEnv()`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`if err != nil {`
			`return err`
			`}`

			`newRoleSets := make(map[string]api.PlatformWorkloadIdentityRoleSet)`
Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`for _, doc := range incomingRoleSets {`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`newRoleSets[doc.Properties.OpenShiftVersion] = doc`
			`}`

Tweak script to read in a list of role sets from env var (as opposed to just one role set) Also removed a function I found to be unnecessary and tweaked some of the documentation comments. 2024-06-18 00:12:17 +03:00			`// 3 - Put/patch the new role sets to the doc, overwriting whatever is there for that version, or adding if new`
			`// Mostly copied from update_ocp_versions.go`
Fix a few nits 2024-06-17 23:34:39 +03:00			`for _, doc := range existingRoleSets.PlatformWorkloadIdentityRoleSetDocuments {`
new cmd to populate role sets in prod 2024-05-31 16:09:53 +03:00			`existing, found := newRoleSets[doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion]`
			`if found {`
			`log.Printf("Found Version %q, patching", existing.Properties.OpenShiftVersion)`
			`_, err := dbPlatformWorkloadIdentityRoleSets.Patch(ctx, doc.ID, func(inFlightDoc *api.PlatformWorkloadIdentityRoleSetDocument) error {`
			`inFlightDoc.PlatformWorkloadIdentityRoleSet = &existing`
			`return nil`
			`})`
			`if err != nil {`
			`return err`
			`}`
			`log.Printf("Version %q found", existing.Properties.OpenShiftVersion)`
			`delete(newRoleSets, existing.Properties.OpenShiftVersion)`
			`continue`
			`}`

			`log.Printf("Version %q not found, deleting", doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion)`
			`// Delete via changefeed`
			`_, err := dbPlatformWorkloadIdentityRoleSets.Patch(ctx, doc.ID,`
			`func(d *api.PlatformWorkloadIdentityRoleSetDocument) error {`
			`d.PlatformWorkloadIdentityRoleSet.Deleting = true`
			`d.TTL = 60`
			`return nil`
			`})`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`for _, doc := range newRoleSets {`
			`log.Printf("Version %q not found in database, creating", doc.Properties.OpenShiftVersion)`
			`newDoc := api.PlatformWorkloadIdentityRoleSetDocument{`
			`ID: dbPlatformWorkloadIdentityRoleSets.NewUUID(),`
			`PlatformWorkloadIdentityRoleSet: &doc,`
			`}`
			`_, err := dbPlatformWorkloadIdentityRoleSets.Create(ctx, &newDoc)`
			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

			`func updatePlatformWorkloadIdentityRoleSets(ctx context.Context, log *logrus.Entry) error {`
			`if err := env.ValidateVars("PLATFORM_WORKLOAD_IDENTITY_ROLE_SETS"); err != nil {`
			`return err`
			`}`

			`if !env.IsLocalDevelopmentMode() {`
			`if err := env.ValidateVars("MDM_ACCOUNT", "MDM_NAMESPACE"); err != nil {`
			`return err`
			`}`
			`}`

			`dbRoleSets, err := getPlatformWorkloadIdentityRoleSetDatabase(ctx, log)`
			`if err != nil {`
			`return err`
			`}`

			`err = updatePlatformWorkloadIdentityRoleSetsInCosmosDB(ctx, dbRoleSets, log)`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`