remove custom ACR role for token management

geoberle · geoberle · commit f8e8c97951c9 · 2025-01-10T14:00:23.000+01:00
custom roles are heavily limited in MSFT tenants, therefore we will leverage the built-in `Container Registry Contributor and Data Access Configuration Administrator` role consistently in all environments instead.

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -8,7 +8,6 @@ defaults:
   global:
     rg: global-shared-resources
     subscription: hcp-{{ .ctx.region }}
-    manageTokenCustomRole: false
     region: uksouth
     globalMSIName: "global-ev2-identity"
 
diff --git a/config/config.schema.json b/config/config.schema.json
@@ -221,9 +221,6 @@
           "subscription": {
             "type": "string"
           },
-          "manageTokenCustomRole": {
-            "type": "boolean"
-          },
           "region": {
             "type": "string"
           },
@@ -235,7 +232,6 @@
         "required": [
           "rg",
           "subscription",
-          "manageTokenCustomRole",
           "region"
         ]
       },
diff --git a/config/config.yaml b/config/config.yaml
@@ -6,7 +6,6 @@ defaults:
   global:
     rg: global
     subscription: ARO Hosted Control Planes (EA Subscription 1)
-    manageTokenCustomRole: true
     region: westus3
     globalMSIName: "global-rollout-identity"
 
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-ev2-identity",
-    "manageTokenCustomRole": false,
     "region": "uksouth",
     "rg": "global-shared-resources",
     "subscription": "hcp-westus3"
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/dev-infrastructure/.gitignore b/dev-infrastructure/.gitignore
@@ -12,7 +12,6 @@ configurations/cs-integ-msi.bicepparam
 configurations/output-region.bicepparam
 configurations/mock-identities.bicepparam
 configurations/global-acr.bicepparam
-configurations/global-roles.bicepparam
 configurations/global-infra.bicepparam
 config.mk
 
diff --git a/dev-infrastructure/configurations/global-roles.tmpl.bicepparam b/dev-infrastructure/configurations/global-roles.tmpl.bicepparam
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -40,7 +40,6 @@ param serviceKeyVaultResourceGroup = '{{ .serviceKeyVault.rg }}'
 
 param acrPullResourceGroups = ['{{ .global.rg }}']
 param clustersServiceAcrResourceGroupNames = ['{{ .clusterService.acrRG }}']
-param useCustomACRTokenManagementRole = {{ .global.manageTokenCustomRole }}
 
 param oidcStorageAccountName = '{{ .oidcStorageAccountName }}'
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
diff --git a/dev-infrastructure/global-acr-pipeline.yaml b/dev-infrastructure/global-acr-pipeline.yaml
@@ -11,12 +11,6 @@ resourceGroups:
     template: templates/global-acr.bicep
     parameters: configurations/global-acr.tmpl.bicepparam
     deploymentLevel: ResourceGroup
-  # deploys the custom roles at subscription level
-  - name: global-roles
-    action: ARM
-    template: templates/global-roles.bicep
-    parameters: configurations/global-roles.tmpl.bicepparam
-    deploymentLevel: Subscription
   # imagesync
   - name: imagesync
     action: ARM
diff --git a/dev-infrastructure/modules/acr/acr-permissions.bicep b/dev-infrastructure/modules/acr/acr-permissions.bicep
@@ -7,13 +7,6 @@ param grantPushAccess bool = false
 @description('Whether to grant manage token access to the ACR')
 param grantManageTokenAccess bool = false
 
-@description('''
-  The custom token management role might not be available in an environment due to quota limitations.
-  In such cases, the default ACR Contributor and Data Access Configuration Administrator role will
-  be used for token management permissions.
-  ''')
-param useCustomManageTokenRole bool = false
-
 @description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
@@ -68,30 +61,7 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-//
-// Custom role for token management permissions
-//
-
-import * as tmr from 'token-role-name.bicep'
-
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess && useCustomManageTokenRole) {
-  name: guid(tmr.tokenManagementRoleName)
-}
-
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && useCustomManageTokenRole) {
-  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
-  properties: {
-    roleDefinitionId: tokenManagementRole.id
-    principalId: principalId
-    principalType: 'ServicePrincipal'
-  }
-}
-
-//
-// Built-in wider role for token management permissions
-//
-
-resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && !useCustomManageTokenRole) {
+resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
   name: guid(acrResourceGroupid, principalId, acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId)
   properties: {
     roleDefinitionId: acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId
diff --git a/dev-infrastructure/modules/acr/token-role-name.bicep b/dev-infrastructure/modules/acr/token-role-name.bicep
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
@@ -43,12 +43,6 @@ param acrResourceGroupNames array = []
 @description('The resource ID of the managed identity used to manage the Postgres server')
 param postgresAdministrationManagedIdentityId string
 
-@description('''
-  Defines if the custom ACR token management role should be used to grant
-  CS token management permissions on the OCP ACR
-  ''')
-param useCustomACRTokenManagementRole bool
-
 //
 //   P O S T G R E S
 //
@@ -166,7 +160,6 @@ module acrManageTokenRole '../modules/acr/acr-permissions.bicep' = [
     params: {
       principalId: clusterServiceManagedIdentityPrincipalId
       grantManageTokenAccess: true
-      useCustomManageTokenRole: useCustomACRTokenManagementRole
       acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
     }
   }
diff --git a/dev-infrastructure/templates/global-roles.bicep b/dev-infrastructure/templates/global-roles.bicep
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -125,12 +125,6 @@ param oidcStorageAccountSku string = 'Standard_ZRS'
 @description('Clusters Service ACR RG names')
 param clustersServiceAcrResourceGroupNames array = []
 
-@description('''
-  Defines if the custom ACR token management role should be used to grant
-  CS token management permissions on the OCP ACR
-  ''')
-param useCustomACRTokenManagementRole bool
-
 @description('MSI that will be used to run the deploymentScript')
 param aroDevopsMsiId string
 
@@ -302,7 +296,6 @@ module cs '../modules/cluster-service.bicep' = {
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
     postgresAdministrationManagedIdentityId: aroDevopsMsiId
-    useCustomACRTokenManagementRole: useCustomACRTokenManagementRole
   }
   dependsOn: [
     maestroServer
