From 44db16b42ec5e47ec1ca22fc38b029505f2db441 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 21 Mar 2023 10:00:13 +0100
Subject: [PATCH] cli: give Azure uami all perms previously given to app registration (#1334)

This is the first step for deprecating app registrations on Azure. The user-assigned managed identity (uami) should first gain all permissions that are currently held by the app registration.

* cli: give Azure uami all permissions previously given to app registratio

* docs: document required owner role for user-assigned managed identity on Azure
---
 cli/internal/terraform/terraform/iam/azure/main.tf | 12 +++++++++++-
 docs/docs/workflows/config.md | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/cli/internal/terraform/terraform/iam/azure/main.tf b/cli/internal/terraform/terraform/iam/azure/main.tf
index 73586eee3..5e32c26df 100644
--- a/cli/internal/terraform/terraform/iam/azure/main.tf
+++ b/cli/internal/terraform/terraform/iam/azure/main.tf
@@ -59,6 +59,16 @@ resource "azurerm_role_assignment" "application_insights_component_contributor_r
 principal_id = azurerm_user_assigned_identity.identity_uami.principal_id
 }
 
+resource "azurerm_role_assignment" "uami_owner_role" {
+ scope = azurerm_resource_group.base_resource_group.id
+ role_definition_name = "Owner"
+ principal_id = azurerm_user_assigned_identity.identity_uami.principal_id
+}
+
+# the app registration, application secrets
+# and role assignments below will be removed in the future
+# TODO(malt3): remove app registration as planned by AB#2961
+
 # Create application registration
 resource "azuread_application" "base_application" {
 display_name = "${var.resource_group_name}-application"
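Review bot: `uami_owner_role` grants the user-assigned identity Owner on the entire cluster resource group, and Owner on Azure includes `Microsoft.Authorization/roleAssignments/write`, so the identity can now assign any role within that group to any principal, itself included; it also makes the `Virtual Machine Contributor` and `Application Insights Component Contributor` assignments on the same principal redundant if they are scoped to the same group as the docs describe. Nothing in the hunk records which operation actually requires Owner, so once the app registration is removed as the TODO plans there is no basis for narrowing the role back down; if this identity is attached to the cluster VMs (not visible here, please confirm), a compromised node would hold that permission. I would add a comment above the resource, parallel to the existing `# Set identity as base resource group owner` comment on the app-registration assignment, e.g. `# Owner on the cluster resource group (includes roleAssignments/write); required for <operation>. Supersedes the VM/Application Insights contributor assignments above — narrow to Contributor or a custom role once AB#2961 removes the app registration.`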
@@ -72,7 +82,7 @@ resource "azuread_service_principal" "application_principal" {
 }
 
 # Set identity as base resource group owner
-resource "azurerm_role_assignment" "owner_role" {
+resource "azurerm_role_assignment" "app_registration_owner_role" {
 scope = azurerm_resource_group.base_resource_group.id
 role_definition_name = "Owner"
 principal_id = azuread_service_principal.application_principal.object_id
diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md
index 571a1fca6..91747c9d4 100644
--- a/docs/docs/workflows/config.md
+++ b/docs/docs/workflows/config.md
@@ -169,7 +169,7 @@ The following describes the configuration fields and how you obtain the required
 * **userAssignedIdentity**: [Create a new managed identity in Azure](https://portal.azure.com/#create/Microsoft.ManagedIdentity).
 You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination.
- Add two role assignments to the identity: `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of both should refer to the previously created cluster resource group.
+ Add three role assignments to the identity: `Owner`, `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of all three should refer to the previously created cluster resource group.
 Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity.