Merge pull request #1374 from jim-minter/fixupBillingRoleAssignment

Remove the existing billing DB role assignment so that it can be re-PUT with the correct GUID.

pkg/deploy/deploy.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/arm"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/compute"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/dns"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/features"
@@ -46,6 +47,7 @@ type deployer struct {
 	providers              features.ProvidersClient
 	publicipaddresses      network.PublicIPAddressesClient
 	resourceskus           compute.ResourceSkusClient
+	roleassignments        authorization.RoleAssignmentsClient
 	vmss                   compute.VirtualMachineScaleSetsClient
 	vmssvms                compute.VirtualMachineScaleSetVMsClient
 	zones                  dns.ZonesClient
@@ -86,6 +88,7 @@ func New(ctx context.Context, log *logrus.Entry, env env.Core, config *RPConfig,
 		groups:                 features.NewResourceGroupsClient(env.Environment(), config.SubscriptionID, authorizer),
 		userassignedidentities: msi.NewUserAssignedIdentitiesClient(env.Environment(), config.SubscriptionID, authorizer),
 		providers:              features.NewProvidersClient(env.Environment(), config.SubscriptionID, authorizer),
+		roleassignments:        authorization.NewRoleAssignmentsClient(env.Environment(), config.SubscriptionID, authorizer),
 		resourceskus:           compute.NewResourceSkusClient(env.Environment(), config.SubscriptionID, authorizer),
 		publicipaddresses:      network.NewPublicIPAddressesClient(env.Environment(), config.SubscriptionID, authorizer),
 		vmss:                   compute.NewVirtualMachineScaleSetsClient(env.Environment(), config.SubscriptionID, authorizer),

pkg/deploy/deploy_rp.go

@@ -18,6 +18,25 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/arm"
 )
 
+func (d *deployer) fixupBillingRoleAssignment(ctx context.Context) error {
+	roleassignments, err := d.roleassignments.ListForResource(ctx, d.config.RPResourceGroupName, "Microsoft.CosmosDB", "", "databaseAccounts", *d.config.Configuration.DatabaseAccountName, "")
+	if err != nil {
+		return err
+	}
+
+	for _, roleassignment := range roleassignments {
+		if strings.EqualFold(*roleassignment.PrincipalID, *d.config.Configuration.BillingServicePrincipalID) {
+			d.log.Infof("deleting role assignment %s", *roleassignment.Name)
+			_, err = d.roleassignments.Delete(ctx, *roleassignment.Scope, *roleassignment.Name)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 func (d *deployer) DeployRP(ctx context.Context) error {
 	encryptionAtHostSupported, err := d.encryptionAtHostSupported(ctx)
 	if err != nil {
@@ -27,6 +46,13 @@ func (d *deployer) DeployRP(ctx context.Context) error {
 		d.log.Warn("encryption at host not supported")
 	}
 
+	// TODO: must remove this after one RP rollout.  Remove the existing billing
+	// DB role assignment so that it can be re-PUT with the correct GUID.
+	err = d.fixupBillingRoleAssignment(ctx)
+	if err != nil {
+		return err
+	}
+
 	rpMSI, err := d.userassignedidentities.Get(ctx, d.config.RPResourceGroupName, "aro-rp-"+d.config.Location)
 	if err != nil {
 		return err

pkg/util/azureclient/mgmt/authorization/roleassignments_addons.go

@@ -11,9 +11,27 @@ import (
 
 // RoleAssignmentsClientAddons contains addons for RoleAssignmentsClient
 type RoleAssignmentsClientAddons interface {
+	ListForResource(ctx context.Context, resourceGroupName string, resourceProviderNamespace string, parentResourcePath string, resourceType string, resourceName string, filter string) ([]mgmtauthorization.RoleAssignment, error)
 	ListForResourceGroup(ctx context.Context, resourceGroupName string, filter string) ([]mgmtauthorization.RoleAssignment, error)
 }
 
+func (c *roleAssignmentsClient) ListForResource(ctx context.Context, resourceGroupName string, resourceProviderNamespace string, parentResourcePath string, resourceType string, resourceName string, filter string) (result []mgmtauthorization.RoleAssignment, err error) {
+	page, err := c.RoleAssignmentsClient.ListForResource(ctx, resourceGroupName, resourceProviderNamespace, parentResourcePath, resourceType, resourceName, filter)
+	if err != nil {
+		return nil, err
+	}
+
+	for page.NotDone() {
+		result = append(result, page.Values()...)
+		err = page.Next()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return result, nil
+}
+
 func (c *roleAssignmentsClient) ListForResourceGroup(ctx context.Context, resourceGroupName string, filter string) (result []mgmtauthorization.RoleAssignment, err error) {
 	page, err := c.RoleAssignmentsClient.ListForResourceGroup(ctx, resourceGroupName, filter)
 	if err != nil {

pkg/util/mocks/azureclient/mgmt/authorization/authorization.go

@@ -118,6 +118,21 @@ func (mr *MockRoleAssignmentsClientMockRecorder) Delete(arg0, arg1, arg2 interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Delete", reflect.TypeOf((*MockRoleAssignmentsClient)(nil).Delete), arg0, arg1, arg2)
 }
 
+// ListForResource mocks base method
+func (m *MockRoleAssignmentsClient) ListForResource(arg0 context.Context, arg1, arg2, arg3, arg4, arg5, arg6 string) ([]authorization.RoleAssignment, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ListForResource", arg0, arg1, arg2, arg3, arg4, arg5, arg6)
+	ret0, _ := ret[0].([]authorization.RoleAssignment)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ListForResource indicates an expected call of ListForResource
+func (mr *MockRoleAssignmentsClientMockRecorder) ListForResource(arg0, arg1, arg2, arg3, arg4, arg5, arg6 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListForResource", reflect.TypeOf((*MockRoleAssignmentsClient)(nil).ListForResource), arg0, arg1, arg2, arg3, arg4, arg5, arg6)
+}
+
 // ListForResourceGroup mocks base method
 func (m *MockRoleAssignmentsClient) ListForResourceGroup(arg0 context.Context, arg1, arg2 string) ([]authorization.RoleAssignment, error) {
 	m.ctrl.T.Helper()