From 7f10a139de9377cf1f16b1cc17bc9e47b5f6fa82 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Wed, 4 Dec 2024 10:48:38 +0100
Subject: [PATCH] post-infra creation task for local CS development permissions (#918)

the `local-cs-permissions` task in `dev-infrastructure/Makefile` will set up permissions into OIDC storage accounts, SVC KVs and MC KVs

Signed-off-by: Gerd Oberlechner
---
 dev-infrastructure/Makefile | 22 ++++++++++++--
 dev-infrastructure/config.tmpl.mk | 4 +++
 dev-infrastructure/scripts/kv-permissions.sh | 30 ++++++++++++++++++++
 3 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100755 dev-infrastructure/scripts/kv-permissions.sh

diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
index 14e3bca82..30b1b6dd7 100644
--- a/dev-infrastructure/Makefile
+++ b/dev-infrastructure/Makefile
@@ -248,13 +248,18 @@ svc.aks.kubeconfigfile:
 .PHONY: svc.aks.kubeconfigfile
 
 svc.oidc.storage.permissions:
- STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
+ @STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
  az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee ${PRINCIPAL_ID} \
- --scope "$${STORAGEACCOUNTID}"
+ --scope "$${STORAGEACCOUNTID}" \
+ --only-show-errors
 .PHONY: svc.oidc.storage.permissions
 
+svc.kv.permission:
+ @scripts/kv-permissions.sh $(PRINCIPAL_ID) $(SVC_KV_RESOURCEGROUP) $(SVC_KV_NAME)
+.PHONY: svc.kv.permission
+
 svc.init: region svc svc.aks.admin-access svc.aks.kubeconfig metrics-infra svc.enable-aks-metrics svc.oidc.storage.permissions
 .PHONY: svc.init
 
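Review bot: In the modified `svc.oidc.storage.permissions` recipe, `STORAGEACCOUNTID=$(shell az storage account show …)` is expanded by Make when the recipe line is prepared, so a failed lookup yields an empty Make variable, the `&&` chain still continues, and `az role assignment create` is called with `--scope ""`; the error a user then sees names the empty scope rather than the lookup that actually failed. A shell substitution plus a non-empty check keeps the failure inside the recipe: `@STORAGEACCOUNTID=$$(az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && test -n "$$STORAGEACCOUNTID" && \`. The expand-time evaluation also means the `az` lookup runs even under `make -n`. The added `@` hides the only command this target executes, which makes a failed assignment harder to reproduce by hand; dropping it on the `az role assignment create` line would be my preference.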
@@ -356,6 +361,12 @@ mgmt.clean:
  fi
 .PHONY: mgmt.clean
 
+mgmt.kv.permission:
+ @scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(CX_KV_NAME)
+ @scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MSI_KV_NAME)
+ @scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MGMT_KV_NAME)
+.PHONY: mgmt.kv.permission
+
 # ACR
 
 global.rg:
@@ -501,3 +512,10 @@ infra: region svc.init mgmt.init
 
 clean: svc.clean mgmt.clean region.clean
 .PHONY: clean
+
+#
+# Local CS Development
+#
+
+local-cs-permissions: svc.oidc.storage.permissions svc.kv.permission mgmt.kv.permission
+.PHONY: local-cs-permissions
diff --git a/dev-infrastructure/config.tmpl.mk b/dev-infrastructure/config.tmpl.mk
index 4593f6e18..b3d60d61e 100644
--- a/dev-infrastructure/config.tmpl.mk
+++ b/dev-infrastructure/config.tmpl.mk
@@ -4,6 +4,7 @@ MGMT_RESOURCEGROUP ?= {{ .mgmt.rg }}
 REGIONAL_RESOURCEGROUP ?= {{ .regionRG }}
 SVC_KV_RESOURCEGROUP ?= {{ .serviceKeyVault.rg }}
 GLOBAL_RESOURCEGROUP ?= {{ .globalRG }}
+SVC_KV_NAME ?= {{ .serviceKeyVault.name }}
 IMAGE_SYNC_RESOURCEGROUP ?= {{ .imageSync.rg }}
 IMAGE_SYNC_ENVIRONMENT ?= {{ .imageSync.environmentName }}
 ARO_HCP_IMAGE_ACR ?= {{ .svcAcrName }}
@@ -12,3 +13,6 @@ AKS_NAME ?= {{ .aksName }}
 CS_PG_NAME ?= {{ .clusterService.postgres.name }}
 MAESTRO_PG_NAME ?= {{ .maestro.postgres.name }}
 OIDC_STORAGE_ACCOUNT ?= {{ .oidcStorageAccountName }}
+CX_KV_NAME ?= {{ .cxKeyVault.name }}
+MSI_KV_NAME ?= {{ .msiKeyVault.name }}
+MGMT_KV_NAME ?= {{ .mgmtKeyVault.name }}
diff --git a/dev-infrastructure/scripts/kv-permissions.sh b/dev-infrastructure/scripts/kv-permissions.sh
new file mode 100755
index 000000000..4da80ecb4
--- /dev/null
+++ b/dev-infrastructure/scripts/kv-permissions.sh
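Review bot: The new `mgmt.kv.permission` target, and the `local-cs-permissions` aggregate in the later hunk of this file, carry no comment saying what they actually grant, and the `# Local CS Development` banner is empty; a reader of the Makefile cannot tell that the principal ends up with write access to secrets and certificates in four key vaults, which is visible only in `scripts/kv-permissions.sh` elsewhere in this patch. Since these are standing role assignments on shared dev vaults rather than a build step, I would document that above `local-cs-permissions:`: `# Local development only: grants PRINCIPAL_ID Key Vault Secrets Officer, Certificates Officer and Certificate User` / `# on the SVC, CX, MSI and MGMT key vaults (see scripts/kv-permissions.sh); there is no matching revoke target.` The same one-line note fits `svc.kv.permission` in the first hunk.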
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+PRINCIPAL_ID=$1
+RG_NAME=$2
+KV_NAME=$3
+
+KV_RESOURCE_ID=$(az keyvault show --name ${KV_NAME} --resource-group ${RG_NAME} --query id -o tsv 2>/dev/null)
+
+if [ -z "${KV_RESOURCE_ID}" ]; then
+ echo "Error: Key Vault resource ID for ${KV_NAME} in ${RG_NAME} could not be retrieved."
+ exit 0
+fi
+
+az role assignment create \
+ --role "Key Vault Secrets Officer" \
+ --assignee ${PRINCIPAL_ID} \
+ --scope ${KV_RESOURCE_ID} \
+ --only-show-errors
+
+az role assignment create \
+ --role "Key Vault Certificates Officer" \
+ --assignee ${PRINCIPAL_ID} \
+ --scope ${KV_RESOURCE_ID} \
+ --only-show-errors
+
+az role assignment create \
+ --role "Key Vault Certificate User" \
+ --assignee ${PRINCIPAL_ID} \
+ --scope ${KV_RESOURCE_ID} \
+ --only-show-errors