add role assignments for gmsa creds

infra/azure/terraform/capz/identities/main.tf

@@ -22,6 +22,14 @@ variable "location" {
   type = string
 }
 
+variable "subscription_id" {
+  type = string
+}
+
+variable "container_registry_scope" {
+  type = string
+}
+
 resource "azurerm_user_assigned_identity" "cloud_provider_user_identity" {
   name                = "cloud-provider-user-identity"
   location            = var.location
@@ -40,6 +48,43 @@ resource "azurerm_user_assigned_identity" "gmsa_user_identity" {
   resource_group_name = var.resource_group_name
 }
 
+resource "azurerm_role_definition" "gmsa_custom_role" {
+  name        = "gMSA"
+  scope       = "/subscriptions/${var.subscription_id}"
+  description = "Required permissions for gmsa to read properties of subscriptions and managed identities"
+
+  permissions {
+    actions = [
+      "Microsoft.Resources/subscriptions/read",
+      "Microsoft.ManagedIdentity/userAssignedIdentities/read"
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    "/subscriptions/${var.subscription_id}"
+  ]
+}
+
+resource "azurerm_role_assignment" "gmsa_role_assignment" {
+  principal_id   = azurerm_user_assigned_identity.domain_vm_identity.principal_id
+  role_definition_name = azurerm_role_definition.gmsa_custom_role.name
+  scope          = "/subscriptions/${var.subscription_id}"
+  depends_on     = [azurerm_user_assigned_identity.domain_vm_identity]
+}
+
+resource "azurerm_role_assignment" "cloud_provider_sub_contributor" {
+  principal_id         = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
+  role_definition_name = "Contributor"
+  scope                = "/subscriptions/${var.subscription_id}"
+}
+
+resource "azurerm_role_assignment" "acr_pull" {
+  principal_id         = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
+  role_definition_name = "AcrPull"
+  scope                = var.container_registry_scope
+}
+
 output "cloud_provider_user_identity_id" {
   value = azurerm_user_assigned_identity.cloud_provider_user_identity.principal_id
 }

infra/azure/terraform/capz/main.tf

@@ -80,37 +80,46 @@ resource "azurerm_storage_account" "k8sprowstorage" {
   min_tls_version                  = "TLS1_0"
   account_replication_type         = "RAGRS"
   cross_tenant_replication_enabled = true
-  depends_on = [azurerm_resource_group.capz_ci]
+  depends_on = [
+    azurerm_resource_group.capz_ci
+  ]
 }
 
-# Import identities module
-module "identities" {
-  source              = "./identities"
+# Import container registry module
+module "container_registry" {
+  source              = "./container-registry"
   resource_group_name = var.resource_group_name
   location            = var.location
-  depends_on = [azurerm_resource_group.capz_ci]
+  depends_on = [
+    azurerm_resource_group.capz_ci
+  ]
+}
+
+# Import identities module
+module "identities" {
+  source                   = "./identities"
+  resource_group_name      = var.resource_group_name
+  location                 = var.location
+  subscription_id          = data.azurerm_client_config.current.subscription_id
+  container_registry_scope = module.container_registry.container_registry_id 
+  depends_on = [
+    azurerm_resource_group.capz_ci
+  ]
 }
 
 # Import key vault module
 module "key_vault" {
-  source              = "./key-vault"
-  resource_group_name = var.resource_group_name
-  location            = var.location
-  tenant_id           = data.azurerm_client_config.current.tenant_id  
+  source                            = "./key-vault"
+  resource_group_name               = var.resource_group_name
+  location                          = var.location
+  tenant_id                         = data.azurerm_client_config.current.tenant_id  
   identities = {
-    cloud_provider_user_identity_id = module.identities.cloud_provider_user_identity_id
     domain_vm_identity_id           = module.identities.domain_vm_identity_id
     gmsa_user_identity_id           = module.identities.gmsa_user_identity_id
   }
-  depends_on = [azurerm_resource_group.capz_ci]
-}
-
-# Import container registry module
-module "container_registry" {
-  source              = "./container-registry"
-  resource_group_name = var.resource_group_name
-  location            = var.location
-  depends_on = [azurerm_resource_group.capz_ci]
+  depends_on = [
+    azurerm_resource_group.capz_ci
+  ]
 }
 
 # Import role assignments module
@@ -120,6 +129,7 @@ module "role_assignments" {
   container_registry_scope = module.container_registry.container_registry_id
   storage_account_scope    = azurerm_storage_account.k8sprowstorage.id
   subscription_id          = data.azurerm_client_config.current.subscription_id 
+  key_vault_id             = module.key_vault.key_vault_id
   depends_on = [
     azurerm_resource_group.capz_ci,
     azurerm_storage_account.k8sprowstorage,

infra/azure/terraform/capz/role-assignments/main.tf

@@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+# This module maintains all role assignments for our service principal - az-cli-prow
+
 variable "resource_group_name" {
   type = string
 }
@@ -30,6 +32,10 @@ variable "subscription_id" {
   type = string
 }
 
+variable "key_vault_id" {
+  type = string
+} 
+
 data "azuread_service_principal" "az_service_principal" {
   display_name = "az-cli-prow"
 }
@@ -73,3 +79,15 @@ resource "azurerm_role_assignment" "sp_custom_role_assignment" {
   role_definition_name = azurerm_role_definition.custom_role.name
   scope                = "/subscriptions/${var.subscription_id}"
 }
+
+resource "azurerm_key_vault_access_policy" "access_policy_gmsa_sp" {
+  key_vault_id = var.key_vault_id
+  tenant_id    = data.azuread_service_principal.az_service_principal.application_tenant_id
+  object_id    = data.azuread_service_principal.az_service_principal.id
+  secret_permissions = [
+    "Get",
+    "Delete",
+    "List",
+    "Purge"
+  ]
+}