Add deployment for CS Integration MSI

Azure · Sep 6, 2024 · 672a220 · 672a220
1 parent 59f2664
commit 672a220
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/.github/workflows/cs-integration-env-cd.yml b/.github/workflows/cs-integration-env-cd.yml
@@ -140,6 +140,13 @@
                 --parameters kvNames="['${SVC_KV_NAME}']" \
                 --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }}
 
+              # CS Integration MSI
+              az deployment group create \
+                --name "cs-integ-msi-${GITHUB_RUN_ID}" \
+                --resource-group "${SC_RESOURCEGROUP}" \
+                --template-file templates/cs-integration-msi.bicep \
+                --parameters configurations/cs-integ-msi.bicepparam
+
               # enable aks metrics
               AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value)
               GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value)

diff --git a/dev-infrastructure/configurations/cs-integ-msi.bicepparam b/dev-infrastructure/configurations/cs-integ-msi.bicepparam
@@ -0,0 +1,7 @@
+using '../templates/cs-integration-msi.bicep'
+
+param namespaceFormatString = 'sandbox-jenkins-{0}-aro-hcp'
+
+param clusterServiceManagedIdentityName = 'cs-integ-mgmt-cluster'
+
+param clusterName = take('cs-integ-svc-cluster-${uniqueString('svc-cluster')}', 63)
diff --git a/dev-infrastructure/templates/cs-integration-msi.bicep b/dev-infrastructure/templates/cs-integration-msi.bicep
@@ -0,0 +1,34 @@
+@description('The location for the resources')
+param location string = resourceGroup().location
+
+@description('The format string for the namespace')
+param namespaceFormatString string
+
+@description('The name of the user-assigned managed identity to create')
+param clusterServiceManagedIdentityName string
+
+@description('The name of the cluster to integrate with')
+param clusterName string
+
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  location: location
+  name: clusterServiceManagedIdentityName
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-04-02-preview' existing = {
+  name: clusterName
+}
+
+resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [
+  for i in range(0, 20): {
+    parent: uami
+    name: 'fedcred-${i}'
+    properties: {
+      audiences: [
+        'api://AzureADTokenExchange'
+      ]
+      issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
+      subject: 'system:serviceaccount:${format(namespaceFormatString, i)}:cluster-service'
+    }
+  }
+]