From 62a40603548742bc872e400e7e154f377b97d6af Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Mon, 28 Oct 2024 14:54:53 +0100
Subject: [PATCH] grant cluster admin to the gh action principal

Signed-off-by: Gerd Oberlechner
---
 .github/workflows/aro-hcp-dev-env-cd.yml | 12 ++++++------
 dev-infrastructure/scripts/aks-admin-access.sh | 6 +++++-
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/aro-hcp-dev-env-cd.yml b/.github/workflows/aro-hcp-dev-env-cd.yml
index 41efd6ebf..59a8971ed 100644
--- a/.github/workflows/aro-hcp-dev-env-cd.yml
+++ b/.github/workflows/aro-hcp-dev-env-cd.yml
@@ -150,10 +150,10 @@
 - name: 'Deploy'
 run: |
 cd dev-infrastructure/
- make svc svc.aks.admin-access svc.enable-aks-metrics
+ PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc svc.aks.admin-access svc.enable-aks-metrics
 # grant GH action user access to resources
- PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make dev-role-assignments
+ PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make svc.dev-role-assignments
 deploy_management_cluster_rg:
 #if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
@@ -181,7 +181,7 @@
 - name: 'Deploy or Update'
 run: |
 cd dev-infrastructure/
- make mgmt mgmt.aks.admin-access mgmt.enable-aks-metrics
+ PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make mgmt mgmt.aks.admin-access mgmt.enable-aks-metrics
 build_push_frontend:
 permissions:
@@ -293,6 +293,9 @@
 with:
 fetch-depth: 1
+ - name: Install Azure CLI
+ uses: ./.github/actions/install-azure-cli
+
 - name: Build image-sync container image
 run: |
 cd tooling/image-sync
@@ -306,9 +309,6 @@
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Install Azure CLI
- uses: ./.github/actions/install-azure-cli
-
 - name: Push image-sync container image
 #if: github.event.pull_request.merged == true
 run: |
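Review bot: In the 'Deploy' step, `${{ secrets.GHA_PRINCIPAL_ID }}` is expanded by the Actions template engine directly into the script text, unquoted, so the value is parsed as shell source rather than passed as data; the 'Deploy or Update' step of the management-cluster job adds the same pattern. Because this variable now decides which principal receives `Azure Kubernetes Service RBAC Cluster Admin`, set it once in the step's `env:` map (`PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}`) and let `make` inherit it, which also covers the `svc.dev-role-assignments` call. The job-level `#if:` guard visible at the end of the first hunk is commented out, so it is worth confirming which triggers can reach a step that creates a cluster-admin role assignment; the workflow's trigger block is outside these hunks.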
diff --git a/dev-infrastructure/scripts/aks-admin-access.sh b/dev-infrastructure/scripts/aks-admin-access.sh
index 40000a091..9f37f3f4e 100755
--- a/dev-infrastructure/scripts/aks-admin-access.sh
+++ b/dev-infrastructure/scripts/aks-admin-access.sh
@@ -2,7 +2,11 @@
 set -e
 RESOURCEGROUP=$1
-CURRENTUSER_CLIENT_ID=$(az ad signed-in-user show -o json | jq -r '.id')
+if [ -z "$PRINCIPAL_ID" ]; then
+ CURRENTUSER_CLIENT_ID=$(az ad signed-in-user show -o json | jq -r '.id')
+else
+ CURRENTUSER_CLIENT_ID=$PRINCIPAL_ID
+fi
 CLUSTER_ID=$(az aks list -g $RESOURCEGROUP -o json | jq -r .[0].id)
 az role assignment create --assignee $CURRENTUSER_CLIENT_ID --role "Azure Kubernetes Service RBAC Cluster Admin" --scope $CLUSTER_ID
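Review bot: The new `else` branch lets any `PRINCIPAL_ID` present in the environment silently replace the signed-in user as the recipient of `Azure Kubernetes Service RBAC Cluster Admin`, with no validation and no record of who was granted. `PRINCIPAL_ID` is a generic name that the workflow also passes to the role-assignment make target, so a value left exported in a developer shell would redirect this grant. Rejecting an empty or literal `null` assignee and printing it before the `az role assignment create` call would make that visible. The expansions are also unquoted; `CURRENTUSER_CLIENT_ID="$PRINCIPAL_ID"` and `--assignee "$CURRENTUSER_CLIENT_ID" ... --scope "$CLUSTER_ID"` avoid word splitting. The script sets only `set -e`, so a failing `az` inside the `az ... | jq` pipelines leaves the variable empty or `null` and execution continues; adding `set -o pipefail` is worth doing now that the script runs unattended in CI.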