post-infra creation task for local CS development permissions (#918)

the `local-cs-permissions` task in `dev-infrastructure/Makefile` will set up permissions into OIDC storage accounts, SVC KVs and MC KVs Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Dec 4, 2024 · 7f10a13 · 7f10a13
1 parent 748afb6
commit 7f10a13
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 2 deletions.
diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
@@ -248,13 +248,18 @@ svc.aks.kubeconfigfile:
 .PHONY: svc.aks.kubeconfigfile
 
 svc.oidc.storage.permissions:
-	STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
+	@STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
 	az role assignment create \
 	--role "Storage Blob Data Contributor" \
 	--assignee ${PRINCIPAL_ID} \
-	--scope "$${STORAGEACCOUNTID}"
+	--scope "$${STORAGEACCOUNTID}" \
+	--only-show-errors
 .PHONY: svc.oidc.storage.permissions
 
+svc.kv.permission:
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(SVC_KV_RESOURCEGROUP) $(SVC_KV_NAME)
+.PHONY: svc.kv.permission
+
 svc.init: region svc svc.aks.admin-access svc.aks.kubeconfig metrics-infra svc.enable-aks-metrics svc.oidc.storage.permissions
 .PHONY: svc.init
 
@@ -356,6 +361,12 @@ mgmt.clean:
 	fi
 .PHONY: mgmt.clean
 
+mgmt.kv.permission:
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(CX_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MSI_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MGMT_KV_NAME)
+.PHONY: mgmt.kv.permission
+
 # ACR
 
 global.rg:
@@ -501,3 +512,10 @@ infra: region svc.init mgmt.init
 
 clean: svc.clean mgmt.clean region.clean
 .PHONY: clean
+
+#
+# Local CS Development
+#
+
+local-cs-permissions: svc.oidc.storage.permissions svc.kv.permission mgmt.kv.permission
+.PHONY: local-cs-permissions
diff --git a/dev-infrastructure/config.tmpl.mk b/dev-infrastructure/config.tmpl.mk
@@ -4,6 +4,7 @@ MGMT_RESOURCEGROUP ?= {{ .mgmt.rg }}
 REGIONAL_RESOURCEGROUP ?= {{ .regionRG }}
 SVC_KV_RESOURCEGROUP ?= {{ .serviceKeyVault.rg }}
 GLOBAL_RESOURCEGROUP ?= {{ .globalRG }}
+SVC_KV_NAME ?= {{ .serviceKeyVault.name }}
 IMAGE_SYNC_RESOURCEGROUP ?= {{ .imageSync.rg }}
 IMAGE_SYNC_ENVIRONMENT ?= {{ .imageSync.environmentName }}
 ARO_HCP_IMAGE_ACR ?= {{ .svcAcrName }}
@@ -12,3 +13,6 @@ AKS_NAME ?= {{ .aksName }}
 CS_PG_NAME ?= {{ .clusterService.postgres.name }}
 MAESTRO_PG_NAME ?= {{ .maestro.postgres.name }}
 OIDC_STORAGE_ACCOUNT ?= {{ .oidcStorageAccountName }}
+CX_KV_NAME ?= {{ .cxKeyVault.name }}
+MSI_KV_NAME ?= {{ .msiKeyVault.name }}
+MGMT_KV_NAME ?= {{ .mgmtKeyVault.name }}
diff --git a/dev-infrastructure/scripts/kv-permissions.sh b/dev-infrastructure/scripts/kv-permissions.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+PRINCIPAL_ID=$1
+RG_NAME=$2
+KV_NAME=$3
+
+KV_RESOURCE_ID=$(az keyvault show --name ${KV_NAME} --resource-group ${RG_NAME} --query id -o tsv 2>/dev/null)
+
+if [ -z "${KV_RESOURCE_ID}" ]; then
+    echo "Error: Key Vault resource ID for ${KV_NAME} in ${RG_NAME} could not be retrieved."
+    exit 0
+fi
+
+az role assignment create \
+    --role "Key Vault Secrets Officer" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors
+
+az role assignment create \
+    --role "Key Vault Certificates Officer" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors
+
+az role assignment create \
+    --role "Key Vault Certificate User" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors