Create oic storage account in dev (#3404)

* create oic storage account in dev
* split oic resources into new template for reuse
* add roleassignment, dev script
* parameterize, add documentation
* create new cmd for full env, doc change

docs/deploy-full-rp-service-in-dev.md

@@ -202,6 +202,12 @@
 
 1. Run `make deploy`
 
+1. Create storage account and role assignment required for workload identity clusters
+    ```
+    source ./hack/devtools/deploy-shared-env.sh
+    deploy_oic_for_dedicated_rp
+    ```
+
 ## SSH to RP VMSS Instance
 
 1. Update the RP NSG to allow SSH

docs/prepare-a-shared-rp-development-environment.md

@@ -444,6 +444,8 @@ each of the bash functions below.
    deploy_env_dev
    # Deploy AKS resources for Hive
    deploy_aks_dev
+   # Deploy storage account and role assignment required for workload identity clusters
+   deploy_oic_dev
    ```
 
    If you encounter a "VirtualNetworkGatewayCannotUseStandardPublicIP" error

hack/devtools/deploy-shared-env.sh

@@ -49,6 +49,16 @@ deploy_env_dev() {
             "vpnCACertificate=$(base64 -w0 <secrets/vpn-ca.crt)" >/dev/null
 }
 
+deploy_oic_dev() {
+    echo "########## Deploying storage account and role assignment in RG $RESOURCEGROUP ##########"
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n rp-oic \
+        --template-file pkg/deploy/assets/rp-oic.json \
+        --parameters \
+            "rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_RP_CLIENT_ID'" --query '[].id' -o tsv)" >/dev/null 
+}
+
 deploy_aks_dev() {
     echo "########## Deploying aks-development in RG $RESOURCEGROUP ##########"
     az deployment group create \
@@ -71,6 +81,16 @@ deploy_vpn_for_dedicated_rp() {
              "vpnCACertificate=$(base64 -w0 <secrets/vpn-ca.crt)" >/dev/null
 }
 
+deploy_oic_for_dedicated_rp() {
+    echo "########## Deploying storage account and role assignment in RG $RESOURCEGROUP ##########"
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n rp-oic \
+        --template-file pkg/deploy/assets/rp-oic.json \
+        --parameters \
+            "rpServicePrincipalId=$(az identity show -g $RESOURCEGROUP -n aro-rp-$LOCATION | jq -r '.["principalId"]')"
+}
+
 deploy_env_dev_override() {
     echo "########## Deploying env-development in RG $RESOURCEGROUP ##########"
     az deployment group create \

pkg/deploy/assets/rp-oic.json

@@ -0,0 +1,41 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "rpServicePrincipalId": {
+            "type": "string"
+        }
+    },
+    "resources": [
+        {
+            "sku": {
+                "name": "Standard_LRS"
+            },
+            "kind": "StorageV2",
+            "properties": {
+                "accessTier": "Hot",
+                "supportsHttpsTrafficOnly": true,
+                "allowBlobPublicAccess": true,
+                "minimumTlsVersion": "TLS1_2"
+            },
+            "location": "[resourceGroup().location]",
+            "name": "[concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic')]",
+            "type": "Microsoft.Storage/storageAccounts",
+            "apiVersion": "2019-06-01"
+        },
+        {
+            "name": "[concat(concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Storage/storageAccounts', concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic'))))]",
+            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
+            "properties": {
+                "scope": "[resourceId('Microsoft.Storage/storageAccounts', concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic'))]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
+                "principalId": "[parameters('rpServicePrincipalId')]",
+                "principalType": "ServicePrincipal"
+            },
+            "apiVersion": "2018-09-01-preview",
+            "dependsOn": [
+                "[resourceId('Microsoft.Storage/storageAccounts', concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic'))]"
+            ]
+        }
+    ]
+}

pkg/deploy/generator/const.go

@@ -25,4 +25,6 @@ const (
 	fileDatabaseDevelopment    = "databases-development.json"
 	fileRPDevelopmentPredeploy = "rp-development-predeploy.json"
 	fileRPDevelopment          = "rp-development.json"
+
+	fileOic = "rp-oic.json"
 )

pkg/deploy/generator/generators.go

@@ -104,6 +104,10 @@ func (g *generator) Artifacts() error {
 		if err != nil {
 			return err
 		}
+		err = g.writeTemplate(g.oicTemplate(), fileOic)
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil

pkg/deploy/generator/resouces_oic.go

@@ -0,0 +1,55 @@
+package generator
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"fmt"
+
+	mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
+	"github.com/Azure/go-autorest/autorest/to"
+
+	"github.com/Azure/ARO-RP/pkg/util/arm"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient"
+	"github.com/Azure/ARO-RP/pkg/util/rbac"
+)
+
+var (
+	// Storage accounts must not contain dashes or be more than 24 characters
+	// Name it after the resource group + 'oic'
+	storageAccountName         string = "concat(take(replace(resourceGroup().name, '-', ''), 21), 'oic')"
+	resourceTypeStorageAccount string = "Microsoft.Storage/storageAccounts"
+)
+
+func (g *generator) oicStorageAccount() *arm.Resource {
+	storageAccount := &mgmtstorage.Account{
+		Kind: mgmtstorage.StorageV2,
+		Sku: &mgmtstorage.Sku{
+			Name: "Standard_LRS",
+		},
+		AccountProperties: &mgmtstorage.AccountProperties{
+			AllowBlobPublicAccess:  to.BoolPtr(true),
+			EnableHTTPSTrafficOnly: to.BoolPtr(true),
+			MinimumTLSVersion:      mgmtstorage.TLS12,
+			AccessTier:             mgmtstorage.Hot,
+		},
+		Name:     to.StringPtr(fmt.Sprintf("[%s]", storageAccountName)),
+		Location: to.StringPtr("[resourceGroup().location]"),
+		Type:     to.StringPtr(resourceTypeStorageAccount),
+	}
+
+	return &arm.Resource{
+		Resource:   storageAccount,
+		APIVersion: azureclient.APIVersion("Microsoft.Storage"),
+	}
+}
+
+func (g *generator) oicRoleAssignment() *arm.Resource {
+	return rbac.ResourceRoleAssignmentWithName(
+		rbac.RoleStorageBlobDataContributor,
+		"parameters('rpServicePrincipalId')", // RP MSI
+		resourceTypeStorageAccount,
+		storageAccountName,
+		fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
+	)
+}

pkg/deploy/generator/templates_oic.go

@@ -0,0 +1,24 @@
+package generator
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"github.com/Azure/ARO-RP/pkg/util/arm"
+)
+
+func (g *generator) oicTemplate() *arm.Template {
+	t := templateStanza()
+
+	t.Resources = append(t.Resources,
+		g.oicStorageAccount(),
+		g.oicRoleAssignment())
+
+	t.Parameters = map[string]*arm.TemplateParameter{
+		"rpServicePrincipalId": {
+			Type: "string",
+		},
+	}
+
+	return t
+}

pkg/util/rbac/rbac.go

@@ -19,6 +19,7 @@ const (
 	RoleNetworkContributor           = "4d97b98b-1d4f-4787-a291-c67834d212e7"
 	RoleOwner                        = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
 	RoleReader                       = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
+	RoleStorageBlobDataContributor   = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
 )
 
 // ResourceRoleAssignment returns a Resource granting roleID on the resource of