Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

cli: give Azure uami all perms previously given to app registration (#1334)

Browse Source 
This is the first step for deprecating app registrations on Azure.
The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registratio
* docs: document required owner role for user-assigned managed identity on Azure
This commit is contained in:
Malte Poll 2023-03-21 10:00:13 +01:00 committed by GitHub
parent 88340ba4cb
commit 44db16b42e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
cli/internal/terraform/terraform/iam/azure/main.tf
View File

@ -59,6 +59,16 @@ resource "azurerm_role_assignment" "application_insights_component_contributor_r
principal_id = azurerm_user_assigned_identity.identity_uami.principal_id
}
resource "azurerm_role_assignment" "uami_owner_role" {
scope = azurerm_resource_group.base_resource_group.id
role_definition_name = "Owner"
principal_id = azurerm_user_assigned_identity.identity_uami.principal_id
}
# the app registration, application secrets
# and role assignments below will be removed in the future
# TODO(malt3): remove app registration as planned by AB#2961
# Create application registration
resource "azuread_application" "base_application" {
display_name = "${var.resource_group_name}-application"
@ -72,7 +82,7 @@ resource "azuread_service_principal" "application_principal" {
}
# Set identity as base resource group owner
resource "azurerm_role_assignment" "owner_role" {
resource "azurerm_role_assignment" "app_registration_owner_role" {
scope = azurerm_resource_group.base_resource_group.id
role_definition_name = "Owner"
principal_id = azuread_service_principal.application_principal.object_id

2
docs/docs/workflows/config.md
View File

@ -169,7 +169,7 @@ The following describes the configuration fields and how you obtain the required
* **userAssignedIdentity**: [Create a new managed identity in Azure](https://portal.azure.com/#create/Microsoft.ManagedIdentity). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination.
Add two role assignments to the identity: `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of both should refer to the previously created cluster resource group.
Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group.
Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity.