Fixup a situation where Azure RBAC role ID was mis-identified #306

merged 1 commit into from
May 2, 2022
37 changes: 27 additions & 10 deletions cluster-stamp.bicep
Expand Up @@ -52,7 +52,7 @@ param domainName string = 'contoso.com'
@minLength(9)
param gitOpsBootstrappingRepoHttpsUrl string = 'https://github.com/mspnp/aks-baseline'

@description('You cluster will be bootstrapped from this branch in the identifed git repo.')
@description('You cluster will be bootstrapped from this branch in the identified git repo.')
@minLength(1)
param gitOpsBootstrappingRepoBranch string = 'main'

Expand All @@ -63,9 +63,6 @@ var acrPullRole = '${subscription().id}/providers/Microsoft.Authorization/roleDe
var managedIdentityOperatorRole = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'

any desire to replicate the same design for this one and others?


Not in this pass, as these didn't seem to have problems (still don't really know why) - and I'm keeping the changes scoped to just those that I know had the issue. But yes, I think it would make sense to see if we can do this with the rest of them.

var keyVaultReader = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
var keyVaultSecretsUserRole = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
var clusterAdminRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
var serviceClusterUserRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
var clusterReaderRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db'
var subRgUniqueString = uniqueString('aks', subscription().subscriptionId, resourceGroup().id)

var clusterName = 'aks-${subRgUniqueString}'
Expand All @@ -92,6 +89,26 @@ var policyAssignmentNameEnforceImageSource = guid(policyResourceIdEnforceImageSo
var policyAssignmentNameEnforceDefenderInCluster = guid(policyResourceIdEnforceDefenderInCluster, resourceGroup().name, clusterName)
var isUsingAzureRBACasKubernetesRBAC = (subscription().tenantId == k8sControlPlaneAuthorizationTenantId)

/*** EXISTING SUBSCRIPTION RESOURCES ***/

// Built-in Azure RBAC role that is applied to a cluster to indicate they can be considered a user/group of the cluster, subject to additional RBAC permissions
resource serviceClusterUserRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
name: '4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
scope: subscription()
}

// Built-in Azure RBAC role that can be applied to a cluster or a namespace to grant read and write privileges to that scope for a user or group
resource clusterAdminRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
name: 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
scope: subscription()
}

// Built-in Azure RBAC role that can be applied to a cluster or a namespace to grant read privileges to that scope for a user or group
resource clusterReaderRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
name: '7f6c6a51-bcf8-42ba-9220-52d62157d7db'
scope: subscription()
}

/*** EXISTING HUB RESOURCES ***/

resource acr 'Microsoft.ContainerRegistry/registries@2021-12-01-preview' existing = {
Expand Down Expand Up @@ -1458,7 +1475,7 @@ resource mcAadAdminGroupClusterAdminRole_roleAssignment 'Microsoft.Authorization
scope: mc
name: guid('aad-admin-group', mc.id, clusterAdminAadGroupObjectId)
properties: {
roleDefinitionId: clusterAdminRole
roleDefinitionId: clusterAdminRole.id
description: 'Members of this group are cluster admins of this cluster.'
principalId: clusterAdminAadGroupObjectId
principalType: 'Group'
Expand All @@ -1470,7 +1487,7 @@ resource mcAadAdminGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authori
scope: mc
name: guid('aad-admin-group-sc', mc.id, clusterAdminAadGroupObjectId)
properties: {
roleDefinitionId: serviceClusterUserRole
roleDefinitionId: serviceClusterUserRole.id
description: 'Members of this group are cluster users of this cluster.'
principalId: clusterAdminAadGroupObjectId
principalType: 'Group'
Expand All @@ -1482,9 +1499,9 @@ resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Author
scope: nsA0008
name: guid('aad-a0008-reader-group', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
roleDefinitionId: clusterReaderRole
roleDefinitionId: clusterReaderRole.id
description: 'Members of this group are readers of the a0008 namespace in this cluster.'
principalId: a0008NamespaceReaderAadGroupObjectId
description: 'Members of this group are cluster admins of the a0008 namespace in this cluster.'
principalType: 'Group'
}
dependsOn: []
Expand All @@ -1494,9 +1511,9 @@ resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.A
scope: mc
name: guid('aad-a0008-reader-group-sc', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
roleDefinitionId: serviceClusterUserRole
principalId: a0008NamespaceReaderAadGroupObjectId
roleDefinitionId: serviceClusterUserRole.id
description: 'Members of this group are cluster users of this cluster.'
principalId: a0008NamespaceReaderAadGroupObjectId
principalType: 'Group'
}
dependsOn: []
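Review bot: The comments on the three new `existing` role definition resources describe what each role grants but not why they replaced the string-built variables, and the removed lines suggest the cause: `clusterAdminRole`, `serviceClusterUserRole` and `clusterReaderRole` were built from `subscription().subscriptionId` (a bare GUID) while the surviving `acrPullRole`/`keyVaultReader` variables use `subscription().id` (`/subscriptions/<guid>`), so the old values were not well-formed resource IDs. Because these IDs drive the role assignments that authorize the cluster admin group and the a0008 reader group against the cluster, the pattern deserves a one-line rationale so it is not regressed when the remaining variables are converted, e.g. `// Referenced as existing resources rather than string-built IDs so the role definition ID is resolved by the platform and a malformed reference is rejected at deployment.` Whether the old malformed IDs were rejected or resolved to something unintended is not visible here beyond the PR title's "mis-identified", so that wording should be confirmed before it is committed. Each of the four `roleAssignment` resources changed in this file begins before its hunk, so any conditions guarding them (such as `isUsingAzureRBACasKubernetesRBAC`) are outside the visible lines.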