Merge pull request #38 from Azure/gb-subwideperms

AAD group params
2022-05-16 21:06:44 +01:00 · 2022-05-16 21:06:44 +01:00 · 01e1189214
--- a/.github/workflows/IaC-bicep-AKS.yml
+++ b/.github/workflows/IaC-bicep-AKS.yml
@ -12,7 +12,14 @@ on:
        description: 'The Azure region to deploy to'
        required: true
        default: eastus
-
+      clusterAdminAadGroupObjectId:
+        description: 'K8S Admin Azure AAD Group ObjectID'
+        required: true
+        type: text
+      a0008NamespaceReaderAadGroupObjectId:
+        description: 'K8S Reader Azure AAD Group ObjectID'
+        required: true
+        type: text
 env:
  event_sha: +refs/pull/${{ github.event.issue.number }}/merge

@ -126,8 +133,7 @@ jobs:
          region: ${{ github.event.inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/rg-spoke/cluster.bicep
-          parameters: ./IaC/bicep/rg-spoke/cluster.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }}
-          #clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }}
+          parameters: ./IaC/bicep/rg-spoke/cluster.parameters.json targetVnetResourceId=${{ steps.spoke.outputs.clusterVnetResourceId }} clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }}
          failOnStdErr: false

      - name: "Deploy Registry"
--- a/IaC/bicep/rg-spoke/cluster.parameters.json
+++ b/IaC/bicep/rg-spoke/cluster.parameters.json
@ -6,10 +6,10 @@
            "value": "eastus"
        },
        "clusterAdminAadGroupObjectId":{
-            "value": "029fadf4-0d6f-4ff0-87c4-0284244b9b3b"
+            "value": ""
        },
        "a0008NamespaceReaderAadGroupObjectId":{
-            "value": "029fadf4-0d6f-4ff0-87c4-0284244b9b3b"
+            "value": ""
        }
        ,
        "domainName":{
--- a/IaC/bicep/rg-spoke/createCert.bicep.old
+++ b/IaC/bicep/rg-spoke/createCert.bicep.old
@ -1,67 +0,0 @@
-targetScope = 'resourceGroup'
-
-param location string = resourceGroup().location
-param date string = utcNow()
-param KeyVaultName string
-
-var kvAdminRoleDefinitionId = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483'
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
-  name: 'testCertCreationMI'
-  location: location
-}
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
-  name: guid('AdminAccessToKV')
-  properties: {
-    roleDefinitionId: kvAdminRoleDefinitionId
-    principalId: reference(managedIdentity.id, '2018-11-30').principalId
-    scope: resourceGroup().id
-    principalType: 'ServicePrincipal'
-  }
-}
-
-resource createAddCertificate 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
-  name: 'createAddCertificate'
-  location: location
-  identity: {
-    type: 'UserAssigned'
-    userAssignedIdentities: {
-      '${managedIdentity.id}': {}
-    }
-  }
-  kind: 'AzureCLI'
-  properties: {
-    forceUpdateTag: date
-    azCliVersion: '2.0.80'
-    timeout: 'PT30M'
-    environmentVariables: [
-      {
-        name: 'akvname'
-        value: KeyVaultName
-      }
-    ]
-    scriptContent: '''
-      #!/bin/bash
-      set -e
-
-      echo "Adding certificates to $akvname"
-
-      certnamebackend="appgw-ingress-internal-aks-ingress-tls"
-      certnamefrontend="gateway-public-cert"
-
-      echo "creating akv cert $certnamebackend";
-      az keyvault certificate create --vault-name $akvname -n $certnamebackend -p "$(az keyvault certificate get-default-policy | sed -e s/CN=CLIGetDefaultPolicy/CN=${certnamebackend}/g )";
-
-      echo "creating akv cert $certnamefrontend";
-      az keyvault certificate create --vault-name $akvname -n $certnamefrontend -p "$(az keyvault certificate get-default-policy | sed -e s/CN=CLIGetDefaultPolicy/CN=${certnamefrontend}/g )";
-
-      sleep 1m
-    '''
-    cleanupPreference: 'OnSuccess'
-    retentionInterval: 'P1D'
-  }
-  dependsOn: [
-    roleAssignment
-  ]
-}
--- a/docs/oidc-federated-credentials.md
+++ b/docs/oidc-federated-credentials.md
@ -7,7 +7,7 @@ Please follow [this guide](https://docs.microsoft.com/azure/developer/github/con

 This repository uses a script to provide a simple way to create a GitHub OIDC federated credential, it is based on the steps outlined here: [https://docs.microsoft.com/azure/developer/github/connect-from-azure](https://docs.microsoft.com/azure/developer/github/connect-from-azure).

-The script will create a new application, assign the correct Azure RBAC permissions for the Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.
+The script will create a new application, assign the correct Azure RBAC permissions for the Subscription **OR** Resource Group containing your AKS cluster, and create Federated Identity Credentials for both an environment and branch.

 ```bash
 #Set up user specific variables
@ -25,9 +25,14 @@ applicationObjectId=$(echo $APP | jq -r ".objectId")
 SP=$(az ad sp create --id $appId)
 assigneeObjectId=$(echo $SP | jq -r ".objectId"); echo $assigneeObjectId

-#Create Role Assignment (Azure RG RBAC)
-az role assignment create --role Owner --resource-group $RG  --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal
-az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG  --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal
+#Create Role Assignments (Azure Subscription RBAC)
+subscriptionId=$(az account show --query id -o tsv)
+az role assignment create --role Owner --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --scope "/subscriptions/$subscriptionId" --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+
+#Create Role Assignments (Azure Resource Group RBAC)
+az role assignment create --role Owner --resource-group $RG --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
+az role assignment create --role "Azure Kubernetes Service RBAC Cluster Admin" --resource-group $RG --assignee-object-id  $assigneeObjectId --assignee-principal-type ServicePrincipal

 #Create federated identity credentials for use from a GitHub Branch
 fedReqUrl="https://graph.microsoft.com/beta/applications/$applicationObjectId/federatedIdentityCredentials"
@ -48,7 +53,6 @@ echo $fedReqBody | jq -r
 az rest --method POST --uri $fedReqUrl --body "$fedReqBody"

 #Retrieving values needed for GitHub secret creation
-subscriptionId=$(az account show --query id -o tsv)
 clientId=$appId
 tenantId=$(az account show --query tenantId -o tsv)