infra deploy pipeline

Signed-off-by: Gerd Oberlechner <[email protected]>

Makefile

@@ -29,6 +29,9 @@ fmt: $(GOIMPORTS)
 # Infra
 #
 
+infra.region:
+	cd dev-infrastructure && DEPLOY_ENV=$(DEPLOY_ENV) make region
+
 infra.svc:
 	cd dev-infrastructure && DEPLOY_ENV=$(DEPLOY_ENV) make svc.init
 

config/config.yaml

@@ -101,7 +101,7 @@ clouds:
           clusterServiceImageTag: cf23767
           clusterServiceImageRepo: app-sre/uhc-clusters-service
           # Shared SVC KV
-          serviceKeyVaultName: 'aro-hcp-dev-svc-kv'
+          serviceKeyVaultName: 'aro-hcp-dev-global-kv'
           serviceKeyVaultRG: 'global'
           serviceKeyVaultRegion: 'westus3'
           serviceKeyVaultPrivate: false

dev-infrastructure/.gitignore

@@ -6,4 +6,5 @@ configurations/acr-svc.bicepparam
 configurations/acr-ocp.bicepparam
 configurations/acr.bicepparam
 configurations/image-sync.bicepparam
+configurations/dev-role-assignments.bicepparam
 config.mk

dev-infrastructure/Makefile

@@ -188,7 +188,7 @@ svc.wait:
 	@./ensure-no-running-deployment.sh $(SVC_RESOURCEGROUP) $(SVC_RG_DEPLOYMENT_NAME)
 .PHONY: svc.wait
 
-svc: svc.wait svc.rg cleanup-orphaned-rolebindings region
+svc: svc.wait svc.rg cleanup-orphaned-rolebindings
 	az deployment group create \
 		--name "svc" \
 		--resource-group $(SVC_RESOURCEGROUP) \
@@ -223,7 +223,7 @@ svc.aks.kubeconfigfile:
 	@echo ${SVC_KUBECONFIG_FILE}
 .PHONY: svc.aks.kubeconfigfile
 
-svc.init: svc svc.aks.admin-access svc.aks.kubeconfig svc.enable-aks-metrics
+svc.init: region svc svc.aks.admin-access svc.aks.kubeconfig svc.enable-aks-metrics
 .PHONY: svc.init
 
 svc.what-if: svc.rg
@@ -235,6 +235,15 @@ svc.what-if: svc.rg
 			configurations/svc-cluster.bicepparam
 .PHONY: svc.what-if
 
+svc.dev-role-assignments:
+	@./ensure-no-running-deployment.sh $(SC_RESOURCEGROUP) svc-roleassigns
+	az deployment group create \
+		--name svc-roleassigns \
+		--resource-group "${SC_RESOURCEGROUP}" \
+		--template-file templates/dev-roleassignments.bicep \
+		--parameters configurations/dev-role-assignments.bicepparam
+		--parameters principalID=${PRINCIPAL_ID}
+
 svc.clean:
 	@if [ "$$(az group exists --name $(SVC_RESOURCEGROUP))" = "true" ]; then \
 		az group delete -g $(SVC_RESOURCEGROUP); \
@@ -258,7 +267,7 @@ mgmt.wait:
 	@./ensure-no-running-deployment.sh $(MGMT_RESOURCEGROUP) $(MGMG_RG_DEPLOYMENT_NAME)
 .PHONY: mgmt.wait
 
-mgmt: mgmt.wait mgmt.rg cleanup-orphaned-rolebindings region
+mgmt: mgmt.wait mgmt.rg cleanup-orphaned-rolebindings
 	az deployment group create \
 		--name $(MGMG_RG_DEPLOYMENT_NAME) \
 		--resource-group $(MGMT_RESOURCEGROUP) \
@@ -293,7 +302,7 @@ mgmt.aks.kubeconfigfile:
 	@echo ${MGMT_KUBECONFIG_FILE}
 .PHONY: mgmt.aks.kubeconfigfile
 
-mgmt.init: mgmt mgmt.aks.admin-access mgmt.aks.kubeconfig mgmt.enable-aks-metrics
+mgmt.init: region mgmt mgmt.aks.admin-access mgmt.aks.kubeconfig mgmt.enable-aks-metrics
 .PHONY: mgmt.init
 
 mgmt.what-if: mgmt.rg

dev-infrastructure/configurations/dev-role-assignments.tmpl.bicepparam

@@ -0,0 +1,8 @@
+using '../templates/dev-roleassignments.bicep'
+
+param aksClusterName = '{{ .aksName }}'
+param grantCosmosAccess = true
+param cosmosDBName = '{{ .frontendCosmosDBName }}'
+param sharedKvNames = ['{{ .serviceKeyVaultName }}']
+param sharedKvResourceGroup = '{{ .serviceKeyVaultRG }}'
+param principalID = ''

dev-infrastructure/templates/dev-aks-roleassignments.bicep → dev-infrastructure/templates/dev-roleassignments.bicep

@@ -6,7 +6,7 @@ param cosmosDBName string = 'replaceme'
 param sharedKvNames array = []
 param sharedKvResourceGroup string = 'global'
 param location string = resourceGroup().location
-param githubActionsPrincipalID string
+param principalID string
 
 // https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac#create-role-assignments-for-users-to-access-the-cluster
 // Azure Kubernetes Service RBAC Cluster Admin
@@ -18,7 +18,7 @@ var aksClusterRbacClusterAdminRoleId = subscriptionResourceId(
 
 // Grants Github Actions access to Cosmos data
 param cosmosRoleDefinitionId string = '00000000-0000-0000-0000-000000000002'
-var cosmosRoleAssignmentId = guid(cosmosRoleDefinitionId, githubActionsPrincipalID, cosmosDbAccount.id)
+var cosmosRoleAssignmentId = guid(cosmosRoleDefinitionId, principalID, cosmosDbAccount.id)
 
 // C O S M O S
 
@@ -33,10 +33,10 @@ resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' exis
 // az aks command invoke --resource-group hcp-standalone-mshen --name aro-hcp-cluster-001 --command "kubectl get ns"
 resource currentUserAksClusterAdmin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   scope: aksCluster
-  name: guid(location, aksClusterName, aksClusterRbacClusterAdminRoleId, githubActionsPrincipalID)
+  name: guid(location, aksClusterName, aksClusterRbacClusterAdminRoleId, principalID)
   properties: {
     roleDefinitionId: aksClusterRbacClusterAdminRoleId
-    principalId: githubActionsPrincipalID
+    principalId: principalID
   }
 }
 
@@ -45,7 +45,7 @@ resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignm
   parent: cosmosDbAccount
   properties: {
     roleDefinitionId: '/${subscription().id}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDbAccount.name}/sqlRoleDefinitions/${cosmosRoleDefinitionId}'
-    principalId: githubActionsPrincipalID
+    principalId: principalID
     scope: cosmosDbAccount.id
   }
 }
@@ -59,7 +59,7 @@ module keyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = [
     params: {
       keyVaultName: name
       roleName: 'Key Vault Secrets User'
-      managedIdentityPrincipalId: githubActionsPrincipalID
+      managedIdentityPrincipalId: principalID
     }
   }
 ]