From 84a18e049069f6127af617048013880908befa0e Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Fri, 10 Jan 2025 13:58:02 +0100
Subject: [PATCH] remove custom ACR role for token management

custom roles are heavily limited in MSFT tenants, therefore we will leverage the built-in `Container Registry Contributor and Data Access Configuration Administrator` role consistently in all environments instead.

Signed-off-by: Gerd Oberlechner
---
 config/config.msft.yaml | 1 -
 config/config.schema.json | 4 ---
 config/config.yaml | 1 -
 config/public-cloud-cs-pr.json | 1 -
 config/public-cloud-dev.json | 1 -
 config/public-cloud-msft-int.json | 1 -
 config/public-cloud-personal-dev.json | 1 -
 dev-infrastructure/.gitignore | 1 -
 dev-infrastructure/Makefile | 14 --------
 .../global-roles.tmpl.bicepparam | 3 --
 .../svc-cluster.tmpl.bicepparam | 1 -
 dev-infrastructure/global-acr-pipeline.yaml | 6 ----
 .../modules/acr/acr-permissions.bicep | 32 +------------------
 .../modules/acr/token-role-name.bicep | 2 --
 .../modules/cluster-service.bicep | 7 ----
 .../templates/global-roles.bicep | 30 -----------------
 .../templates/svc-cluster.bicep | 7 ----
 17 files changed, 1 insertion(+), 112 deletions(-)
 delete mode 100644 dev-infrastructure/configurations/global-roles.tmpl.bicepparam
 delete mode 100644 dev-infrastructure/modules/acr/token-role-name.bicep
 delete mode 100644 dev-infrastructure/templates/global-roles.bicep

diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 9b768c0e08..66e1858855 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -8,7 +8,6 @@ defaults:
 global:
 rg: global-shared-resources
 subscription: hcp-{{ .ctx.region }}
- manageTokenCustomRole: false
 region: uksouth
 globalMSIName: "global-ev2-identity"
diff --git a/config/config.schema.json b/config/config.schema.json
index 24dae5e7a8..8e975b35bd 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -221,9 +221,6 @@
 "subscription": {
 "type": "string"
 },
- "manageTokenCustomRole": {
- "type": "boolean"
- },
 "region": {
 "type": "string"
 },
@@ -235,7 +232,6 @@
 "required": [
 "rg",
 "subscription",
- "manageTokenCustomRole",
 "region"
 ]
 },
diff --git a/config/config.yaml b/config/config.yaml
index 818734f67c..38a5c6e72d 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -6,7 +6,6 @@ defaults:
 global:
 rg: global
 subscription: ARO Hosted Control Planes (EA Subscription 1)
- manageTokenCustomRole: true
 region: westus3
 globalMSIName: "global-rollout-identity"
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 424cf2dde4..29fabbdd0f 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -61,7 +61,6 @@
 },
 "global": {
 "globalMSIName": "global-rollout-identity",
- "manageTokenCustomRole": true,
 "region": "westus3",
 "rg": "global",
 "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index 7f1d8ef757..b025109d7c 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -61,7 +61,6 @@
 },
 "global": {
 "globalMSIName": "global-rollout-identity",
- "manageTokenCustomRole": true,
 "region": "westus3",
 "rg": "global",
 "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index d86eb90a5f..08b0ddceb8 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -61,7 +61,6 @@
 },
 "global": {
 "globalMSIName": "global-ev2-identity",
- "manageTokenCustomRole": false,
 "region": "uksouth",
 "rg": "global-shared-resources",
 "subscription": "hcp-westus3"
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index bd5e140bfa..84de326bd8 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -61,7 +61,6 @@
 },
 "global": {
 "globalMSIName": "global-rollout-identity",
- "manageTokenCustomRole": true,
 "region": "westus3",
 "rg": "global",
 "subscription": "ARO Hosted Control Planes (EA Subscription 1)"
diff --git a/dev-infrastructure/.gitignore b/dev-infrastructure/.gitignore
index a7199467a8..8c949c7297 100644
--- a/dev-infrastructure/.gitignore
+++ b/dev-infrastructure/.gitignore
@@ -12,7 +12,6 @@ configurations/cs-integ-msi.bicepparam
 configurations/output-region.bicepparam
 configurations/mock-identities.bicepparam
 configurations/global-acr.bicepparam
-configurations/global-roles.bicepparam
 configurations/global-infra.bicepparam
 config.mk
diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
index eb8eb8a0c8..7abf6e66a4 100644
--- a/dev-infrastructure/Makefile
+++ b/dev-infrastructure/Makefile
@@ -418,14 +418,6 @@ acr: global.rg
 $(PROMPT_TO_CONFIRM) \
 --parameters \
 configurations/global-acr.bicepparam
- @./ensure-no-running-deployment.sh $(GLOBAL_RESOURCEGROUP) ${GLOBAL_RG_DEPLOYMENT_NAME}-roles
- az deployment sub create \
- --name ${GLOBAL_RG_DEPLOYMENT_NAME}-roles \
- --template-file templates/global-roles.bicep \
- $(PROMPT_TO_CONFIRM) \
- --parameters \
- configurations/global-roles.bicepparam \
- --location ${GLOBAL_REGION}
 .PHONY: acr
 acr.what-if: global.rg
@@ -435,12 +427,6 @@ acr.what-if: global.rg
 --template-file templates/global-acr.bicep \
 --parameters \
 configurations/global-acr.bicepparam
- az deployment sub what-if \
- --name ${GLOBAL_RG_DEPLOYMENT_NAME}-roles \
- --template-file templates/global-roles.bicep \
- --parameters \
- configurations/global-roles.bicepparam \
- --location ${GLOBAL_REGION}
 .PHONY: acr.what-if
 acr-svc-cfg: acr
diff --git a/dev-infrastructure/configurations/global-roles.tmpl.bicepparam b/dev-infrastructure/configurations/global-roles.tmpl.bicepparam
deleted file mode 100644
index 5dc1e39703..0000000000
--- a/dev-infrastructure/configurations/global-roles.tmpl.bicepparam
+++ /dev/null
@@ -1,3 +0,0 @@
-using '../templates/global-roles.bicep'
-
-param manageTokenRole = {{ .global.manageTokenCustomRole }}
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
index 882f6777c9..535a9cbe48 100644
--- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -40,7 +40,6 @@ param serviceKeyVaultResourceGroup = '{{ .serviceKeyVault.rg }}'
 param acrPullResourceGroups = ['{{ .global.rg }}']
 param clustersServiceAcrResourceGroupNames = ['{{ .clusterService.acrRG }}']
-param useCustomACRTokenManagementRole = {{ .global.manageTokenCustomRole }}
 param oidcStorageAccountName = '{{ .oidcStorageAccountName }}'
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
diff --git a/dev-infrastructure/global-acr-pipeline.yaml b/dev-infrastructure/global-acr-pipeline.yaml
index 5aef12da61..9567473886 100644
--- a/dev-infrastructure/global-acr-pipeline.yaml
+++ b/dev-infrastructure/global-acr-pipeline.yaml
@@ -11,12 +11,6 @@ resourceGroups:
 template: templates/global-acr.bicep
 parameters: configurations/global-acr.tmpl.bicepparam
 deploymentLevel: ResourceGroup
- # deploys the custom roles at subscription level
- - name: global-roles
- action: ARM
- template: templates/global-roles.bicep
- parameters: configurations/global-roles.tmpl.bicepparam
- deploymentLevel: Subscription
 # imagesync
 - name: imagesync
 action: ARM
diff --git a/dev-infrastructure/modules/acr/acr-permissions.bicep b/dev-infrastructure/modules/acr/acr-permissions.bicep
index ff6c386e03..f728db7c20 100644
--- a/dev-infrastructure/modules/acr/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr/acr-permissions.bicep
@@ -7,13 +7,6 @@ param grantPushAccess bool = false
 @description('Whether to grant manage token access to the ACR')
 param grantManageTokenAccess bool = false
-@description('''
- The custom token management role might not be available in an environment due to quota limitations.
- In such cases, the default ACR Contributor and Data Access Configuration Administrator role will
- be used for token management permissions.
- ''')
-param useCustomManageTokenRole bool = false
-
 @description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
@@ -68,30 +61,7 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 }
 }
-//
-// Custom role for token management permissions
-//
-
-import * as tmr from 'token-role-name.bicep'
-
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess && useCustomManageTokenRole) {
- name: guid(tmr.tokenManagementRoleName)
-}
-
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && useCustomManageTokenRole) {
- name: guid(acrResourceGroupid, principalId, 'token-creation-role')
- properties: {
- roleDefinitionId: tokenManagementRole.id
- principalId: principalId
- principalType: 'ServicePrincipal'
- }
-}
-
-//
-// Built-in wider role for token management permissions
-//
-
-resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && !useCustomManageTokenRole) {
+resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
 name: guid(acrResourceGroupid, principalId, acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId)
 properties: {
 roleDefinitionId: acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId
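Review bot: The surviving `acrContributorAndDataAccessConfigurationAdministratorRole` resource at the end of the second hunk is now the only token-management grant, but the rationale that lived in the removed `@description` of `useCustomManageTokenRole` (first hunk) and in the removed `// Built-in wider role ...` comment goes with it; add a comment above the resource such as `// Token management uses the built-in Container Registry Contributor and Data Access Configuration Administrator role; it is wider than the former custom role, but custom roles are not available in every tenant.` and widen the `@description` of `grantManageTokenAccess` to name that role, since the grant is scoped by `acrResourceGroupid`. Separately, dropping the `acrContributorRole` assignment from the template does not revoke it where it was already deployed with the custom role enabled (resource-group deployments are incremental by default, as far as I know), so those principals would keep the old custom-role assignment alongside the new built-in one; the custom role definition removed in `templates/global-roles.bicep` likewise cannot, I believe, be deleted while assignments still reference it. A one-time cleanup for environments that previously set `manageTokenCustomRole: true` seems needed for least privilege. The resource body continues past the end of the hunk.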
diff --git a/dev-infrastructure/modules/acr/token-role-name.bicep b/dev-infrastructure/modules/acr/token-role-name.bicep
deleted file mode 100644
index a05c147182..0000000000
--- a/dev-infrastructure/modules/acr/token-role-name.bicep
+++ /dev/null
@@ -1,2 +0,0 @@
-@export()
-var tokenManagementRoleName = 'token-mgmt-role'
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
index 4aebfe5087..d7761c3b03 100644
--- a/dev-infrastructure/modules/cluster-service.bicep
+++ b/dev-infrastructure/modules/cluster-service.bicep
@@ -43,12 +43,6 @@ param acrResourceGroupNames array = []
 @description('The resource ID of the managed identity used to manage the Postgres server')
 param postgresAdministrationManagedIdentityId string
-@description('''
- Defines if the custom ACR token management role should be used to grant
- CS token management permissions on the OCP ACR
- ''')
-param useCustomACRTokenManagementRole bool
-
 //
 // P O S T G R E S
 //
@@ -166,7 +160,6 @@ module acrManageTokenRole '../modules/acr/acr-permissions.bicep' = [
 params: {
 principalId: clusterServiceManagedIdentityPrincipalId
 grantManageTokenAccess: true
- useCustomManageTokenRole: useCustomACRTokenManagementRole
 acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
 }
 }
diff --git a/dev-infrastructure/templates/global-roles.bicep b/dev-infrastructure/templates/global-roles.bicep
deleted file mode 100644
index 9be3455956..0000000000
--- a/dev-infrastructure/templates/global-roles.bicep
+++ /dev/null
@@ -1,30 +0,0 @@
-targetScope = 'subscription'
-
-@description('Defines if the ACR token management role should be created')
-param manageTokenRole bool
-
-import * as tmr from '../modules/acr/token-role-name.bicep'
-
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (manageTokenRole) {
- name: guid(tmr.tokenManagementRoleName)
- properties: {
- roleName: 'ARO HCP ACR Token Management'
- type: 'CustomRole'
- assignableScopes: [
- subscription().id
- ]
- description: 'This role allows the management of tokens in the ACR'
- permissions: [
- {
- actions: [
- 'Microsoft.ContainerRegistry/registries/tokens/read'
- 'Microsoft.ContainerRegistry/registries/tokens/write'
- 'Microsoft.ContainerRegistry/registries/tokens/delete'
- 'Microsoft.ContainerRegistry/registries/generateCredentials/action'
- 'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
- 'Microsoft.ContainerRegistry/registries/scopeMaps/read'
- ]
- }
- ]
- }
-}
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index 8d2b527dcf..89835072ea 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -125,12 +125,6 @@ param oidcStorageAccountSku string = 'Standard_ZRS'
 @description('Clusters Service ACR RG names')
 param clustersServiceAcrResourceGroupNames array = []
-@description('''
- Defines if the custom ACR token management role should be used to grant
- CS token management permissions on the OCP ACR
- ''')
-param useCustomACRTokenManagementRole bool
-
 @description('MSI that will be used to run the deploymentScript')
 param aroDevopsMsiId string
@@ -302,7 +296,6 @@ module cs '../modules/cluster-service.bicep' = {
 regionalResourceGroup: regionalResourceGroup
 acrResourceGroupNames: clustersServiceAcrResourceGroupNames
 postgresAdministrationManagedIdentityId: aroDevopsMsiId
- useCustomACRTokenManagementRole: useCustomACRTokenManagementRole
 }
 dependsOn: [
 maestroServer