Skip to content

Commit a2a38d8

Browse files
yithiankimorris27
andauthored
e2e test with rbac authorization instead of access policies on keyvault (Azure#4755)
* e2e test with rbac authorization instead of access policies on keyvault * assign the Key Vault Crypto Service Encryption User role to the disk encryption set MSI Co-authored-by: kimorris27 <kimorris@redhat.com>
1 parent eed5454 commit a2a38d8

4 files changed

Lines changed: 50 additions & 59 deletions

File tree

pkg/deploy/assets/cluster-development-predeploy.json

Lines changed: 15 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -96,12 +96,26 @@
9696
},
9797
"accessPolicies": [],
9898
"enabledForDiskEncryption": true,
99-
"enableRbacAuthorization": false,
99+
"enableRbacAuthorization": true,
100100
"enablePurgeProtection": true
101101
},
102102
"condition": "[parameters('ci')]",
103103
"apiVersion": "2019-09-01"
104104
},
105+
{
106+
"name": "[concat(parameters('kvName'), '/Microsoft.Authorization/', guid('crypto service encryption user role on disk encryption set keyvault', resourceGroup().id, subscription().subscriptionId))]",
107+
"type": "Microsoft.KeyVault/vaults/providers/roleAssignments",
108+
"properties": {
109+
"scope": "[resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))]",
110+
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')]",
111+
"principalId": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', concat(resourceGroup().name, '-disk-encryption-set')), '2021-04-01', 'Full').identity.PrincipalId]",
112+
"principalType": "ServicePrincipal"
113+
},
114+
"apiVersion": "2018-09-01-preview",
115+
"dependsOn": [
116+
"[resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))]"
117+
]
118+
},
105119
{
106120
"properties": {
107121
"kty": "RSA",
@@ -136,31 +150,6 @@
136150
"dependsOn": [
137151
"[resourceId('Microsoft.KeyVault/vaults/keys', parameters('kvName'), concat(resourceGroup().name, '-disk-encryption-key'))]"
138152
]
139-
},
140-
{
141-
"name": "[concat(parameters('kvName'), '/add')]",
142-
"type": "Microsoft.KeyVault/vaults/accessPolicies",
143-
"location": "[resourceGroup().location]",
144-
"properties": {
145-
"accessPolicies": [
146-
{
147-
"tenantId": "[subscription().tenantId]",
148-
"objectId": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', concat(resourceGroup().name, '-disk-encryption-set')), '2021-04-01', 'Full').identity.PrincipalId]",
149-
"permissions": {
150-
"keys": [
151-
"get",
152-
"wrapKey",
153-
"unwrapKey"
154-
]
155-
}
156-
}
157-
]
158-
},
159-
"condition": "[parameters('ci')]",
160-
"apiVersion": "2019-09-01",
161-
"dependsOn": [
162-
"[resourceId('Microsoft.Compute/diskEncryptionSets', concat(resourceGroup().name, '-disk-encryption-set'))]"
163-
]
164153
}
165154
]
166155
}

pkg/deploy/generator/resources_cluster.go

Lines changed: 33 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -9,10 +9,12 @@ import (
99
armnetwork "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6"
1010
mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
1111
mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
12+
mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
1213

1314
"github.com/Azure/ARO-RP/pkg/util/arm"
1415
"github.com/Azure/ARO-RP/pkg/util/azureclient"
1516
"github.com/Azure/ARO-RP/pkg/util/pointerutils"
17+
"github.com/Azure/ARO-RP/pkg/util/rbac"
1618
)
1719

1820
const (
@@ -85,11 +87,41 @@ func (g *generator) clusterWorkerSubnet() *arm.Resource {
8587
}
8688

8789
func (g *generator) diskEncryptionKeyVault() *arm.Resource {
88-
vaultResource := g.keyVault("[parameters('kvName')]", &[]mgmtkeyvault.AccessPolicyEntry{}, "[parameters('ci')]", false, nil)
90+
vaultResource := g.keyVault("[parameters('kvName')]", &[]mgmtkeyvault.AccessPolicyEntry{}, "[parameters('ci')]", true, nil)
8991

9092
return vaultResource
9193
}
9294

95+
func (g *generator) diskEncryptionKeyVaultRBAC() *arm.Resource {
96+
// use the Azure built-in Key Vault Crypto Service Encryption User role
97+
// See: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations
98+
99+
// Not using the rbac.ResourceRoleAssignment() function because it expects
100+
// the service principal ID to be passed in as an argument, not a template
101+
// function. Getting it via a [reference()] template function doesn't work
102+
// because it seems the [reference()] function isn't allowed inside the
103+
// [gui()] function
104+
resourceID := "resourceId('Microsoft.KeyVault/vaults', parameters('kvName'))"
105+
spID := fmt.Sprintf("[reference(resourceId('Microsoft.Compute/diskEncryptionSets', %s), '%s', 'Full').identity.PrincipalId]", diskEncryptionSetName, azureclient.APIVersion("Microsoft.Compute/diskEncryptionSets"))
106+
107+
return &arm.Resource{
108+
Resource: mgmtauthorization.RoleAssignment{
109+
Name: pointerutils.ToPtr("[concat(parameters('kvName'), '/Microsoft.Authorization/', guid('crypto service encryption user role on disk encryption set keyvault', resourceGroup().id, subscription().subscriptionId))]"),
110+
Type: pointerutils.ToPtr("Microsoft.KeyVault/vaults/providers/roleAssignments"),
111+
RoleAssignmentPropertiesWithScope: &mgmtauthorization.RoleAssignmentPropertiesWithScope{
112+
Scope: pointerutils.ToPtr("[" + resourceID + "]"),
113+
RoleDefinitionID: pointerutils.ToPtr("[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '" + rbac.RoleKeyVaultCryptoServiceEncryptionUser + "')]"),
114+
PrincipalID: &spID,
115+
PrincipalType: mgmtauthorization.ServicePrincipal,
116+
},
117+
},
118+
APIVersion: azureclient.APIVersion("Microsoft.Authorization"),
119+
DependsOn: []string{
120+
"[" + resourceID + "]",
121+
},
122+
}
123+
}
124+
93125
func (g *generator) diskEncryptionKey() *arm.Resource {
94126
key := &mgmtkeyvault.Key{
95127
KeyProperties: &mgmtkeyvault.KeyProperties{
@@ -134,34 +166,3 @@ func (g *generator) diskEncryptionSet() *arm.Resource {
134166
DependsOn: []string{fmt.Sprintf("[resourceId('Microsoft.KeyVault/vaults/keys', parameters('kvName'), %s)]", diskEncryptionKeyName)},
135167
}
136168
}
137-
138-
func (g *generator) diskEncryptionKeyVaultAccessPolicy() *arm.Resource {
139-
accessPolicy := &mgmtkeyvault.VaultAccessPolicyParameters{
140-
Properties: &mgmtkeyvault.VaultAccessPolicyProperties{
141-
AccessPolicies: &[]mgmtkeyvault.AccessPolicyEntry{
142-
{
143-
TenantID: &tenantUUIDHack,
144-
ObjectID: pointerutils.ToPtr(fmt.Sprintf("[reference(resourceId('Microsoft.Compute/diskEncryptionSets', %s), '%s', 'Full').identity.PrincipalId]", diskEncryptionSetName, azureclient.APIVersion("Microsoft.Compute/diskEncryptionSets"))),
145-
Permissions: &mgmtkeyvault.Permissions{
146-
Keys: &[]mgmtkeyvault.KeyPermissions{
147-
mgmtkeyvault.KeyPermissionsGet,
148-
mgmtkeyvault.KeyPermissionsWrapKey,
149-
mgmtkeyvault.KeyPermissionsUnwrapKey,
150-
},
151-
},
152-
},
153-
},
154-
},
155-
156-
Name: pointerutils.ToPtr("[concat(parameters('kvName'), '/add')]"),
157-
Type: pointerutils.ToPtr("Microsoft.KeyVault/vaults/accessPolicies"),
158-
Location: pointerutils.ToPtr("[resourceGroup().location]"),
159-
}
160-
161-
return &arm.Resource{
162-
Resource: accessPolicy,
163-
APIVersion: azureclient.APIVersion("Microsoft.KeyVault"),
164-
Condition: pointerutils.ToPtr("[parameters('ci')]"),
165-
DependsOn: []string{fmt.Sprintf("[resourceId('Microsoft.Compute/diskEncryptionSets', %s)]", diskEncryptionSetName)},
166-
}
167-
}

pkg/deploy/generator/templates_cluster.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,9 +39,9 @@ func (g *generator) clusterPredeploy() *arm.Template {
3939
g.clusterMasterSubnet(),
4040
g.clusterWorkerSubnet(),
4141
g.diskEncryptionKeyVault(),
42+
g.diskEncryptionKeyVaultRBAC(),
4243
g.diskEncryptionKey(),
4344
g.diskEncryptionSet(),
44-
g.diskEncryptionKeyVaultAccessPolicy(),
4545
)
4646

4747
return t

pkg/util/rbac/rbac.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ const (
2424
RoleReader = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
2525
RoleStorageAccountContributor = "17d1049b-9a84-46fb-8f53-869881c3d3ab"
2626
RoleStorageBlobDataContributor = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"
27+
RoleKeyVaultCryptoServiceEncryptionUser = "e147488a-f6f5-4113-8e2d-b22465e65bf6"
2728
RoleKeyVaultSecretsOfficer = "b86a8fe4-44ce-4948-aee5-eccb2c155cd7"
2829
RoleAzureRedHatOpenShiftFederatedCredentialRole = "ef318e2a-8334-4a05-9e4a-295a196c6a6e"
2930
)

0 commit comments

Comments
 (0)