remove custom ACR role for token management

config/config.msft.yaml

@@ -8,7 +8,6 @@ defaults:
   global:
     rg: global-shared-resources
     subscription: hcp-{{ .ctx.region }}
-    manageTokenCustomRole: false
     region: uksouth
     globalMSIName: "global-ev2-identity"
 

config/config.schema.json

@@ -221,9 +221,6 @@
           "subscription": {
             "type": "string"
           },
-          "manageTokenCustomRole": {
-            "type": "boolean"
-          },
           "region": {
             "type": "string"
           },
@@ -235,7 +232,6 @@
         "required": [
           "rg",
           "subscription",
-          "manageTokenCustomRole",
           "region"
         ]
       },

config/config.yaml

@@ -6,7 +6,6 @@ defaults:
   global:
     rg: global
     subscription: ARO Hosted Control Planes (EA Subscription 1)
-    manageTokenCustomRole: true
     region: westus3
     globalMSIName: "global-rollout-identity"
 

config/public-cloud-cs-pr.json

@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"

config/public-cloud-dev.json

@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"

config/public-cloud-msft-int.json

@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-ev2-identity",
-    "manageTokenCustomRole": false,
     "region": "uksouth",
     "rg": "global-shared-resources",
     "subscription": "hcp-westus3"

config/public-cloud-personal-dev.json

@@ -61,7 +61,6 @@
   },
   "global": {
     "globalMSIName": "global-rollout-identity",
-    "manageTokenCustomRole": true,
     "region": "westus3",
     "rg": "global",
     "subscription": "ARO Hosted Control Planes (EA Subscription 1)"

dev-infrastructure/.gitignore

@@ -12,7 +12,6 @@ configurations/cs-integ-msi.bicepparam
 configurations/output-region.bicepparam
 configurations/mock-identities.bicepparam
 configurations/global-acr.bicepparam
-configurations/global-roles.bicepparam
 configurations/global-infra.bicepparam
 config.mk
 

dev-infrastructure/Makefile

@@ -418,14 +418,6 @@ acr: global.rg
 		$(PROMPT_TO_CONFIRM) \
 		--parameters \
 			configurations/global-acr.bicepparam
-	@./ensure-no-running-deployment.sh $(GLOBAL_RESOURCEGROUP) ${GLOBAL_RG_DEPLOYMENT_NAME}-roles
-	az deployment sub create \
-		--name ${GLOBAL_RG_DEPLOYMENT_NAME}-roles \
-		--template-file templates/global-roles.bicep \
-		$(PROMPT_TO_CONFIRM) \
-		--parameters \
-			configurations/global-roles.bicepparam \
-		--location ${GLOBAL_REGION}
 .PHONY: acr
 
 acr.what-if: global.rg
@@ -435,12 +427,6 @@ acr.what-if: global.rg
 		--template-file templates/global-acr.bicep \
 		--parameters \
 			configurations/global-acr.bicepparam
-	az deployment sub what-if \
-		--name ${GLOBAL_RG_DEPLOYMENT_NAME}-roles \
-		--template-file templates/global-roles.bicep \
-		--parameters \
-			configurations/global-roles.bicepparam \
-		--location ${GLOBAL_REGION}
 .PHONY: acr.what-if
 
 acr-svc-cfg: acr

dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam

@@ -40,7 +40,6 @@ param serviceKeyVaultResourceGroup = '{{ .serviceKeyVault.rg }}'
 
 param acrPullResourceGroups = ['{{ .global.rg }}']
 param clustersServiceAcrResourceGroupNames = ['{{ .clusterService.acrRG }}']
-param useCustomACRTokenManagementRole = {{ .global.manageTokenCustomRole }}
 
 param oidcStorageAccountName = '{{ .oidcStorageAccountName }}'
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'

dev-infrastructure/global-acr-pipeline.yaml

@@ -11,12 +11,6 @@ resourceGroups:
     template: templates/global-acr.bicep
     parameters: configurations/global-acr.tmpl.bicepparam
     deploymentLevel: ResourceGroup
-  # deploys the custom roles at subscription level
-  - name: global-roles
-    action: ARM
-    template: templates/global-roles.bicep
-    parameters: configurations/global-roles.tmpl.bicepparam
-    deploymentLevel: Subscription
   # imagesync
   - name: imagesync
     action: ARM

dev-infrastructure/modules/acr/acr-permissions.bicep

@@ -7,13 +7,6 @@ param grantPushAccess bool = false
 @description('Whether to grant manage token access to the ACR')
 param grantManageTokenAccess bool = false
 
-@description('''
-  The custom token management role might not be available in an environment due to quota limitations.
-  In such cases, the default ACR Contributor and Data Access Configuration Administrator role will
-  be used for token management permissions.
-  ''')
-param useCustomManageTokenRole bool = false
-
 @description('ACR Namespace Resource Group Id')
 param acrResourceGroupid string
 
@@ -68,30 +61,7 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-//
-// Custom role for token management permissions
-//
-
-import * as tmr from 'token-role-name.bicep'
-
-resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess && useCustomManageTokenRole) {
-  name: guid(tmr.tokenManagementRoleName)
-}
-
-resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && useCustomManageTokenRole) {
-  name: guid(acrResourceGroupid, principalId, 'token-creation-role')
-  properties: {
-    roleDefinitionId: tokenManagementRole.id
-    principalId: principalId
-    principalType: 'ServicePrincipal'
-  }
-}
-
-//
-// Built-in wider role for token management permissions
-//
-
-resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess && !useCustomManageTokenRole) {
+resource acrContributorAndDataAccessConfigurationAdministratorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
   name: guid(acrResourceGroupid, principalId, acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId)
   properties: {
     roleDefinitionId: acrContributorAndDataAccessConfigurationAdministratorRoleDefinitionId

dev-infrastructure/modules/cluster-service.bicep

@@ -43,12 +43,6 @@ param acrResourceGroupNames array = []
 @description('The resource ID of the managed identity used to manage the Postgres server')
 param postgresAdministrationManagedIdentityId string
 
-@description('''
-  Defines if the custom ACR token management role should be used to grant
-  CS token management permissions on the OCP ACR
-  ''')
-param useCustomACRTokenManagementRole bool
-
 //
 //   P O S T G R E S
 //
@@ -166,7 +160,6 @@ module acrManageTokenRole '../modules/acr/acr-permissions.bicep' = [
     params: {
       principalId: clusterServiceManagedIdentityPrincipalId
       grantManageTokenAccess: true
-      useCustomManageTokenRole: useCustomACRTokenManagementRole
       acrResourceGroupid: clustersServiceAcrResourceGroups[i].id
     }
   }

dev-infrastructure/templates/svc-cluster.bicep

@@ -125,12 +125,6 @@ param oidcStorageAccountSku string = 'Standard_ZRS'
 @description('Clusters Service ACR RG names')
 param clustersServiceAcrResourceGroupNames array = []
 
-@description('''
-  Defines if the custom ACR token management role should be used to grant
-  CS token management permissions on the OCP ACR
-  ''')
-param useCustomACRTokenManagementRole bool
-
 @description('MSI that will be used to run the deploymentScript')
 param aroDevopsMsiId string
 
@@ -302,7 +296,6 @@ module cs '../modules/cluster-service.bicep' = {
     regionalResourceGroup: regionalResourceGroup
     acrResourceGroupNames: clustersServiceAcrResourceGroupNames
     postgresAdministrationManagedIdentityId: aroDevopsMsiId
-    useCustomACRTokenManagementRole: useCustomACRTokenManagementRole
   }
   dependsOn: [
     maestroServer