From 672a22041a0c775e53739fbcca092b02d56c1e02 Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Boll
Date: Fri, 6 Sep 2024 10:26:55 +0200
Subject: [PATCH] Add deployment for CS Integration MSI
---
 .github/workflows/cs-integration-env-cd.yml | 7 ++++
 .../configurations/cs-integ-msi.bicepparam | 7 ++++
 .../templates/cs-integration-msi.bicep | 34 +++++++++++++++++++
 3 files changed, 48 insertions(+)
 create mode 100644 dev-infrastructure/configurations/cs-integ-msi.bicepparam
 create mode 100644 dev-infrastructure/templates/cs-integration-msi.bicep
diff --git a/.github/workflows/cs-integration-env-cd.yml b/.github/workflows/cs-integration-env-cd.yml
index 03d29907d..4adce279f 100644
--- a/.github/workflows/cs-integration-env-cd.yml
+++ b/.github/workflows/cs-integration-env-cd.yml
@@ -140,6 +140,13 @@
 --parameters kvNames="['${SVC_KV_NAME}']" \
 --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }}
+ # CS Integration MSI
+ az deployment group create \ --name "cs-integ-msi-${GITHUB_RUN_ID}" \ --resource-group "${SC_RESOURCEGROUP}" \ --template-file templates/cs-integration-msi.bicep \ --parameters configurations/cs-integ-msi.bicepparam
+ # enable aks metrics AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value)
 GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value)
diff --git a/dev-infrastructure/configurations/cs-integ-msi.bicepparam b/dev-infrastructure/configurations/cs-integ-msi.bicepparam
new file mode 100644
index 000000000..c67a07a14
--- /dev/null
+++ b/dev-infrastructure/configurations/cs-integ-msi.bicepparam
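Review bot: The new `az deployment group create` for `cs-integration-msi.bicep` can only succeed after the svc cluster named in `cs-integ-msi.bicepparam` exists in `${SC_RESOURCEGROUP}` with its OIDC issuer enabled, because the template reads `aksCluster.properties.oidcIssuerProfile.issuerURL` from that existing cluster, yet nothing in the hunk records that ordering dependency; the enclosing `run:` step starts outside the hunk, so the preceding deployments are not visible here. A comment on the new block would make it explicit, e.g. `# CS Integration MSI — its federated credentials trust the svc cluster's OIDC issuer, so this must run after the step that deploys the svc cluster (OIDC issuer enabled)`. It would also help to state that the identity is only created here and that role assignments for it, if any, are granted elsewhere, since this template creates none.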
@@ -0,0 +1,7 @@
+using '../templates/cs-integration-msi.bicep'
+
+param namespaceFormatString = 'sandbox-jenkins-{0}-aro-hcp'
+
+param clusterServiceManagedIdentityName = 'cs-integ-mgmt-cluster'
+
+param clusterName = take('cs-integ-svc-cluster-${uniqueString('svc-cluster')}', 63)
diff --git a/dev-infrastructure/templates/cs-integration-msi.bicep b/dev-infrastructure/templates/cs-integration-msi.bicep
new file mode 100644
index 000000000..3796cfd7f
--- /dev/null
+++ b/dev-infrastructure/templates/cs-integration-msi.bicep
@@ -0,0 +1,34 @@
+@description('The location for the resources')
+param location string = resourceGroup().location
+
+@description('The format string for the namespace')
+param namespaceFormatString string
+
+@description('The name of the user-assigned managed identity to create')
+param clusterServiceManagedIdentityName string
+
+@description('The name of the cluster to integrate with')
+param clusterName string
+
+resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ location: location
+ name: clusterServiceManagedIdentityName
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-04-02-preview' existing = {
+ name: clusterName
+}
+
+resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [
+ for i in range(0, 20): {
+ parent: uami
+ name: 'fedcred-${i}'
+ properties: {
+ audiences: [
+ 'api://AzureADTokenExchange'
+ ]
+ issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
+ subject: 'system:serviceaccount:${format(namespaceFormatString, i)}:cluster-service'
+ }
+ }
+]
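Review bot: `clusterName` is recomputed here as `take('cs-integ-svc-cluster-${uniqueString('svc-cluster')}', 63)` instead of being taken from the deployment that created the cluster, so the two templates are coupled only by a copied expression and the `existing` lookup in `cs-integration-msi.bicep` would fail the moment the svc cluster template changes its naming; a comment should pin that coupling, e.g. `// must stay identical to the name expression in the svc cluster template; the MSI template resolves this cluster as an existing resource`. `namespaceFormatString` likewise gives no hint that `{0}` is required: add `// {0} is replaced by the credential index (0..19); one trusted namespace per federated credential`. The identity name `cs-integ-mgmt-cluster` reads as if it belongs to a management cluster while the trusted issuer is the svc cluster — presumably intentional, but worth a one-line comment so it is not "corrected" later.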
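Review bot: Each `uami_fedcred` entry lets any pod running as the `cluster-service` service account in a namespace `sandbox-jenkins-<i>-aro-hcp` (i = 0..19) on `clusterName` exchange its projected token for this identity's Entra tokens, and the credentials are created whether or not those namespaces exist yet, so whoever can create a namespace matching the pattern on that cluster effectively owns the identity; the template documents none of this. Put it on the parameter, e.g. `@description('Format string for the Kubernetes namespaces trusted by this identity; {0} is replaced by the credential index. Any pod running as the cluster-service service account in such a namespace can obtain tokens for this identity, so these namespaces must be controlled.')`, and replace the vague `clusterName` text with `@description('Name of the existing AKS cluster in this resource group whose OIDC issuer the federated credentials trust; the OIDC issuer must be enabled on it.')`. The hard-coded `range(0, 20)` deserves a parameter so the number of trusted namespaces is visible in the param file: `@minValue(1) param federatedCredentialCount int = 20` and `for i in range(0, federatedCredentialCount): {`. A format string without `{0}` would yield 20 credentials with the same issuer/subject pair, which Azure should reject as duplicates, so that requirement belongs in the description as well.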