Add devops identity as Storage Blob Data Contributor to rpversion SA (#4094)

tsatam · web-flow · commit 3a0f4bd8561f · 2025-02-11T18:21:17.000-05:00
diff --git a/pkg/deploy/assets/rp-production-global.json b/pkg/deploy/assets/rp-production-global.json
@@ -18,6 +18,9 @@
         "gatewayServicePrincipalId": {
             "type": "string"
         },
+        "globalDevopsServicePrincipalId": {
+            "type": "string"
+        },
         "rpParentDomainName": {
             "type": "string"
         },
@@ -111,6 +114,20 @@
             "name": "[parameters('rpVersionStorageAccountName')]",
             "type": "Microsoft.Storage/storageAccounts",
             "apiVersion": "2021-09-01"
+        },
+        {
+            "name": "[concat(parameters('rpVersionStorageAccountName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))))]",
+            "type": "Microsoft.Storage/storageAccounts/providers/roleAssignments",
+            "properties": {
+                "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
+                "principalId": "[parameters('globalDevopsServicePrincipalId')]",
+                "principalType": "ServicePrincipal"
+            },
+            "apiVersion": "2018-09-01-preview",
+            "dependsOn": [
+                "[resourceId('Microsoft.Storage/storageAccounts', parameters('rpVersionStorageAccountName'))]"
+            ]
         }
     ]
 }
diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
@@ -1517,14 +1517,22 @@ func (g *generator) rpACRRBAC() []*arm.Resource {
 }
 
 func (g *generator) rpVersionStorageAccount() []*arm.Resource {
+	storageAccountName := "parameters('rpVersionStorageAccountName')"
 	return []*arm.Resource{
 		g.storageAccount(
-			"[parameters('rpVersionStorageAccountName')]",
+			fmt.Sprintf("[%s]", storageAccountName),
 			&mgmtstorage.AccountProperties{
 				AllowBlobPublicAccess: to.BoolPtr(false),
 				MinimumTLSVersion:     mgmtstorage.MinimumTLSVersionTLS12,
 			},
 			map[string]*string{},
 		),
+		rbac.ResourceRoleAssignmentWithName(
+			rbac.RoleStorageAccountContributor,
+			"parameters('globalDevopsServicePrincipalId')",
+			resourceTypeStorageAccount,
+			storageAccountName,
+			fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
+		),
 	}
 }
diff --git a/pkg/deploy/generator/templates_rp.go b/pkg/deploy/generator/templates_rp.go
@@ -193,6 +193,7 @@ func (g *generator) rpGlobalTemplate() *arm.Template {
 		"rpParentDomainName",
 		"rpServicePrincipalId",
 		"rpVersionStorageAccountName",
+		"globalDevopsServicePrincipalId",
 	}
 
 	for _, param := range params {
diff --git a/pkg/deploy/predeploy.go b/pkg/deploy/predeploy.go
@@ -108,8 +108,13 @@ func (d *deployer) PreDeploy(ctx context.Context, lbHealthcheckWaitTimeSec int)
 		return err
 	}
 
+	globalDevopsMSI, err := d.globaluserassignedidentities.Get(ctx, *d.config.Configuration.GlobalResourceGroupName, *d.config.Configuration.GlobalDevopsManagedIdentity)
+	if err != nil {
+		return err
+	}
+
 	// deploy ACR RBAC, RP version storage account
-	err = d.deployRPGlobal(ctx, rpMSI.PrincipalID.String(), gwMSI.PrincipalID.String())
+	err = d.deployRPGlobal(ctx, rpMSI.PrincipalID.String(), gwMSI.PrincipalID.String(), globalDevopsMSI.PrincipalID.String())
 	if err != nil {
 		return err
 	}
@@ -158,7 +163,7 @@ func (d *deployer) PreDeploy(ctx context.Context, lbHealthcheckWaitTimeSec int)
 	return d.configureServiceSecrets(ctx, lbHealthcheckWaitTimeSec)
 }
 
-func (d *deployer) deployRPGlobal(ctx context.Context, rpServicePrincipalID, gatewayServicePrincipalID string) error {
+func (d *deployer) deployRPGlobal(ctx context.Context, rpServicePrincipalID, gatewayServicePrincipalID, devopsServicePrincipalId string) error {
 	deploymentName := "rp-global-" + d.config.Location
 
 	asset, err := assets.EmbeddedFiles.ReadFile(generator.FileRPProductionGlobal)
@@ -179,6 +184,9 @@ func (d *deployer) deployRPGlobal(ctx context.Context, rpServicePrincipalID, gat
 	parameters.Parameters["gatewayServicePrincipalId"] = &arm.ParametersParameter{
 		Value: gatewayServicePrincipalID,
 	}
+	parameters.Parameters["globalDevopsServicePrincipalId"] = &arm.ParametersParameter{
+		Value: devopsServicePrincipalId,
+	}
 
 	for i := 0; i < 2; i++ {
 		d.log.Infof("deploying %s", deploymentName)
diff --git a/pkg/deploy/predeploy_test.go b/pkg/deploy/predeploy_test.go
diff --git a/pkg/util/rbac/rbac.go b/pkg/util/rbac/rbac.go

Original file line number	Diff line number	Diff line change
`@@ -193,6 +193,7 @@ func (g generator) rpGlobalTemplate() arm.Template {`
`193`	`193`	`"rpParentDomainName",`
`194`	`194`	`"rpServicePrincipalId",`
`195`	`195`	`"rpVersionStorageAccountName",`
	`196`	`+ "globalDevopsServicePrincipalId",`
`196`	`197`	`}`
`197`	`198`
`198`	`199`	`for _, param := range params {`