Add a user and rg to box in ASO

Author: Jaykul

Cluster.bicep

@@ -381,6 +381,28 @@ module iam_flux_crypto 'modules/resourceRoleAssignment.bicep' = {
   }
 }
 
+// module rg 'modules/resourceGroup.bicep' = {
+//     scope: subscription()
+//     params: {
+//         name: '${resourceGroup().name}-aso'
+//         location: location
+//         tags: tags
+//     }
+// }
+
+module aso 'modules/azureServiceOperator.bicep' = {
+    name: '${deploymentName}_aso'
+    scope: resourceGroup('${resourceGroup().name}-aso')
+    params: {
+        deploymentNamePrefix: take(deploymentName, 47)
+        baseName: 'aso'
+        location: location
+        tags: tags
+        oidcIssuerUrl: aks.outputs.oidcIssuerUrl
+    }
+}
+
+
 // @description('Flux release namespace')
 // output fluxReleaseNamespace string = flux.outputs.fluxReleaseNamespace
 

Initialize-Azure.ps1

@@ -23,7 +23,11 @@ param(
 )
 
 # The resource group to create. E.g. "rg-cluster"
-$resourceGroupName = "rg-${BaseName}"
+$resourceGroupName = @(
+    # The first one should be the one where the cluster will be deployed
+    "rg-${BaseName}"
+    "rg-${BaseName}-aso"
+)
 
 # The service name to use. E.g. "rg-cluster-deploy"
 $serviceName = "rg-${BaseName}-deploy"
@@ -46,20 +50,24 @@ foreach ($feature in "FluxConfigurations") {
 }
 
 
+$app =  (Get-AzADApplication -DisplayName $serviceName) ??
+        (New-AzADApplication -DisplayName $serviceName)
+$service =  (Get-AzADServicePrincipal -ApplicationId $app.AppId) ??
+            (New-AzADServicePrincipal -ApplicationId $app.AppId)
+
 # Create resource group
-New-AzResourceGroup -Name $resourceGroupName -Location $location -Force -Tag @{
-    Repository = $Repository;
-    Purpose = "aks";
-    Created = Get-Date -Format "O"
+foreach ($name in $resourceGroupName) {
+    (Get-AzResourceGroup -Name $name -ErrorAction SilentlyContinue) ??
+    (New-AzResourceGroup -Name $name -Location $location -Force -Tag @{
+        Repository = $Repository;
+        Purpose    = "aks";
+        Created    = Get-Date -Format "O"
+    })
+    $role = (Get-AzRoleAssignment -ResourceGroupName $name -RoleDefinitionName Owner -ObjectId $service.Id) ??
+            (New-AzRoleAssignment -ResourceGroupName $name -RoleDefinitionName Owner -ObjectId $service.Id)
 }
 
-$app  = (Get-AzADApplication -DisplayName $serviceName) ??
-        (New-AzADApplication -DisplayName $serviceName)
-$service  = (Get-AzADServicePrincipal -ApplicationId $app.AppId) ??
-            (New-AzADServicePrincipal -ApplicationId $app.AppId)
-$role = (Get-AzRoleAssignment -ResourceGroupName $resourceGroupName -RoleDefinitionName Owner -ObjectId $service.Id) ??
-        (New-AzRoleAssignment -ResourceGroupName $resourceGroupName -RoleDefinitionName Owner -ObjectId $service.Id)
-$fedcred = (Get-AzADAppFederatedCredential -ApplicationObjectId $app.id -Filter "Subject eq 'repo:${Repository}:ref:refs/heads/main'" -ErrorAction SilentlyContinue) ??
+$fedcred =  (Get-AzADAppFederatedCredential -ApplicationObjectId $app.id -Filter "Subject eq 'repo:${Repository}:ref:refs/heads/main'" -ErrorAction SilentlyContinue) ??
             (New-AzADAppFederatedCredential -ApplicationObjectId $app.Id -Audience "api://AzureADTokenExchange" -Issuer "https://token.actions.githubusercontent.com" -Subject "repo:${Repository}:ref:refs/heads/main" -Name "$($Repository -replace '/','-')-main-gh")
 
 $ctx = Get-AzContext
@@ -68,7 +76,7 @@ $ctx = Get-AzContext
 gh secret set --repo https://github.com/$Repository AZURE_CLIENT_ID -b $app.AppId
 gh secret set --repo https://github.com/$Repository AZURE_TENANT_ID -b $ctx.Tenant
 gh secret set --repo https://github.com/$Repository AZURE_SUBSCRIPTION_ID -b $ctx.Subscription.Id
-gh secret set --repo https://github.com/$Repository AZURE_RG -b $resourceGroupName
+gh secret set --repo https://github.com/$Repository AZURE_RG -b $resourceGroupName[0]
 # gh secret set --repo https://github.com/$Repository USER_OBJECT_ID -b $spId
 
 # Create an AD Group to be administrators of the cluster:

README.md

@@ -6,22 +6,28 @@ I've written my own templates for deploying AKS in [Azure Bicep](https://docs.mi
 
 ## Azure Prerequisites
 
-These pre-requisites are not part of the CI/CD build, because they only have to be done once, but the [Initialize-Azure](./Initialize-Azure.ps1) script is essentially idempotent and re-runnable.
+These pre-requisites are not part of the CI/CD build, because they only have to be done once, but the [`Initialize-Azure`](./Initialize-Azure.ps1) script is essentially idempotent and re-runnable.
 
 1. Enable some features in your Azure tenant (some of which are pre-release features as of this writing)
-2. Create a resource group in Azure to deploy to
+2. Create a resource group in Azure to deploy to (currently TWO resource groups, see [Azure Service Operator](#azure-service-operator) below)
 3. Create a service account in Azure for automation
 4. Assign the "owner" role on the resource group to the service account
 5. Create secrets in github for authentication as that service account
 
 The first step, enabling features, only has to be done once per subscription. For best practices, the remaining steps should be done once for each cluster, for security purposes. The idea is that the subscription owner runs this script by hand, and then the automated service account is restricted to deploying to this single resource group.
 
-See [Initialize-Azure](./Initialize-Azure.ps1)` for details. You might call it like this:
+See [`Initialize-Azure`](./Initialize-Azure.ps1) for details. You might call it like this:
 
 ```PowerShell
 ./Initialize-Azure -BaseName $name
 ```
 
+### Azure Service Operator
+
+I'm testing some things with the [Azure Service Operator](https://github.com/Azure/azure-service-operator), and for right now, this bicep creates a third resource group (i.e. if you create 'rg-poshcode' in Azure, AKS will create 'rg-poshcode-aks' and the bicep needs 'rg-poshcode-aso' to _contain_ the operator). That way it's creating a user assigned identity for the [Azure Service Operator](https://github.com/Azure/azure-service-operator) to use which has `Contributor` access just to the -aso resource group.
+
+In order to avoid giving the github service account additional access, I modified the Initialize-Azure PowerShell script instead.
+
 ## Deploying Infrastructure
 
 Each time the IAC templates change, we're going to run New-AzResourceGroupDeployment, but we have a [workflow for that](.github/workflows/deploy.yaml), of course.

modules/azureServiceOperator.bicep

@@ -0,0 +1,43 @@
+targetScope = 'resourceGroup'
+
+// *** This template deploys the cluster for poshcode.org. See README.md before making changes ***
+@description('Required. The AKS OIDC IssuerUrl')
+param oidcIssuerUrl string
+
+@description('Optional. This template deploys the cluster for poshcode.org. See README.md before making changes')
+param baseName string = 'aso'
+
+@description('Optional. The location to deploy. Defaults to resourceGroup().location')
+param location string = resourceGroup().location
+
+@description('Optional. Tags for the resource. Defaults to resourceGroup().tags')
+param tags object = resourceGroup().tags
+
+// 64 is the max deployment name, and the longest name in our sub-deployments is 17 characters, 64-17 = 47
+@description('Optional. Provide unique deployment name prefix for the module references. Defaults to take(deploymentName().name, 47)')
+@maxLength(47)
+param deploymentNamePrefix string = take(deployment().name, 64-17)
+
+
+module asoId 'userAssignedIdentity.bicep' = {
+  name: '${deploymentNamePrefix}_uai_asoId'
+  params: {
+    baseName: baseName
+    location: location
+    tags: tags
+    federatedIdentitySubjectIssuerDictionary: {
+      // For creating Azure resources
+      'system:serviceaccount:azure:operator': oidcIssuerUrl
+    }
+  }
+}
+
+
+module iam_azure_owner 'resourceRoleAssignment.bicep' = {
+  name: '${deploymentNamePrefix}_iam_aso_operator'
+  params: {
+    principalIds: [ asoId.outputs.principalId ]
+    resourceId: asoId.outputs.id
+    roleName: 'Contributor'
+  }
+}

modules/resourceGroup.bicep

@@ -0,0 +1,25 @@
+targetScope = 'subscription'
+
+@description('Required. The base name of the resource group (will be prefixed with "rg-")')
+param name string
+
+@description('The location to deploy')
+param location string
+
+@description('Tags for the resource')
+param tags object
+
+resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+    name: name
+    location: location
+    tags: tags
+}
+
+@description('The resource ID of the resource group')
+output id string = rg.id
+
+@description('The name of the resource group')
+output name string = rg.name
+
+@description('The location of the resource group')
+output location string = rg.location