package cloud
import (
"context"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization"
"github.com/google/uuid"
"github.com/pkg/errors"
"monis.app/mlog"
)
const (
	// roleAssignmentCreateRetryCount is the maximum number of attempts
	// CreateRoleAssignment makes before giving up.
	roleAssignmentCreateRetryCount = 7
	// roleAssignmentCreateRetryDelay is the pause between two consecutive
	// role assignment creation attempts.
	roleAssignmentCreateRetryDelay = 5 * time.Second
)
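// CreateRoleAssignment assigns the role named roleName to principalID at the
// given scope and returns the created assignment.
//
// The role definition is resolved by name first (GetRoleDefinitionIDByName
// with an empty scope); a failure there is returned immediately, wrapped.
// Creation is then attempted up to roleAssignmentCreateRetryCount times,
// waiting roleAssignmentCreateRetryDelay between attempts, because a freshly
// created service principal may not have propagated yet and the service
// answers "PrincipalNotFound" until it has. Every attempt uses a fresh random
// assignment name (uuid.New()).
//
// If the assignment already exists (IsRoleAssignmentExists) the zero
// RoleAssignment and the unwrapped service error are returned, so callers can
// keep inspecting it with IsRoleAssignmentExists. If every attempt fails, the
// error of the last attempt is returned wrapped — never a nil error with a
// zero assignment, which callers would mistake for success. A cancelled ctx
// aborts the wait between attempts and returns ctx.Err() wrapped.
func (c *AzureClient) CreateRoleAssignment(ctx context.Context, scope, roleName, principalID string) (armauthorization.RoleAssignment, error) {
	var result armauthorization.RoleAssignment

	roleDefinitionID, err := c.GetRoleDefinitionIDByName(ctx, "", roleName)
	if err != nil {
		return result, errors.Wrapf(err, "failed to get role definition id for role %s", roleName)
	}

	mlog.Debug("Creating role assignment",
		"principalID", principalID,
		"role", roleName,
	)

	parameters := armauthorization.RoleAssignmentCreateParameters{
		Properties: &armauthorization.RoleAssignmentProperties{
			RoleDefinitionID: roleDefinitionID.ID,
			PrincipalID:      to.Ptr(principalID),
		},
	}

	// Adding retries to handle the propagation delay of the service principal.
	// Trying to create role assignment immediately after service principal is created
	// results in "PrincipalNotFound" error.
	//
	// lastErr lives outside the loop on purpose: the per-attempt error must
	// survive the loop so that exhausting the retries reports the failure
	// instead of returning a zero-value assignment with a nil error.
	//
	// NOTE(review): every error other than "already exists" is retried,
	// including ones that cannot succeed on retry (e.g. the caller lacking
	// permission on scope). Narrowing the retry to the propagation error
	// would fail faster, but needs a classifier this file does not have.
	var lastErr error
	for attempt := 1; attempt <= roleAssignmentCreateRetryCount; attempt++ {
		resp, createErr := c.roleAssignmentsClient.Create(ctx, scope, uuid.New().String(), parameters, nil)
		if createErr == nil {
			return resp.RoleAssignment, nil
		}
		if IsRoleAssignmentExists(createErr) {
			mlog.Warning("Role assignment already exists", "principalID", principalID, "role", roleName)
			return result, createErr
		}
		lastErr = createErr
		if attempt == roleAssignmentCreateRetryCount {
			// No point in sleeping after the final attempt.
			break
		}

		// Wait before retrying, but give up promptly if the caller cancels.
		timer := time.NewTimer(roleAssignmentCreateRetryDelay)
		select {
		case <-ctx.Done():
			timer.Stop()
			return result, errors.Wrapf(ctx.Err(), "gave up creating role assignment for principal %s after %d attempt(s)", principalID, attempt)
		case <-timer.C:
		}
	}

	return result, errors.Wrapf(lastErr, "failed to create role assignment for principal %s with role %s after %d attempts", principalID, roleName, roleAssignmentCreateRetryCount)
}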
// DeleteRoleAssignment deletes the role assignment identified by its full
// resource ID and returns the assignment as reported by the service.
//
// A debug line is logged before the call. On failure the zero RoleAssignment
// and the service error are returned unchanged.
func (c *AzureClient) DeleteRoleAssignment(ctx context.Context, roleAssignmentID string) (armauthorization.RoleAssignment, error) {
	mlog.Debug("Deleting role assignment", "id", roleAssignmentID)

	var deleted armauthorization.RoleAssignment
	resp, err := c.roleAssignmentsClient.DeleteByID(ctx, roleAssignmentID, nil)
	if err == nil {
		deleted = resp.RoleAssignment
	}
	return deleted, err
}