Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg

cmperro · cmperro · commit 60113ee02161 · 2021-11-17T15:54:37.000-05:00
Signed-off-by: Chris Perro &lt;cmperro@gmail.com&gt;
diff --git a/roles/platform/defaults/main.yml b/roles/platform/defaults/main.yml
@@ -168,7 +168,8 @@ plat__azure_metagroup_name:                   "{{ common__azure_metagroup_name }
 plat__azure_storage_name:                     "{{ common__azure_storage_name }}"
 
 plat__azure_consistency_wait:                 "{{ env.azure.app.wait | default(30) }}"
-plat__azure_xaccount_use_custom_role:         "{{ env.azure.app.use_custom_role | default(False) }}"
+plat__azure_xaccount_use_custom_role:         "{{ env.azure.use_custom_role | default(False) }}"
+plat__azure_xaccount_rg_scope:                "{{ env.azure.rg_scope | default(False) }}"
 plat__azure_single_resource_group:            "{{ env.azure.single_resource_group | default(False) }}"
 plat__azure_xaccount_app_name:                "{{ env.azure.app.name | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_app_suffix] | join('-')) }}"
 plat__azure_xaccount_role_name:               "{{ env.azure.role.name.cross_account | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_role_suffix] | join('-')) }}"
diff --git a/roles/platform/tasks/setup_azure_authz.yml b/roles/platform/tasks/setup_azure_authz.yml
@@ -44,27 +44,15 @@
         - name: Wait for consistency
           ansible.builtin.pause:
             seconds: "{{ plat__azure_consistency_wait }}"
-
-    - name: Dump MetaGroup URI
-      ansible.builtin.debug:
-        msg: Dumping... {{ plat__azure_metagroup_uri }}
     
-    # Owner role is required for DWX if you are thinking of modifying this task
     - name: Request Azure Cross Account App Creation
       no_log: True
       register: __azure_xaccount_app_info
       command: >
         az ad sp create-for-rbac
         --name {{ plat__azure_xaccount_app_name }}
         --role {{ plat__azure_xaccount_use_custom_role | ternary(__azure_xaccount_role_info.id, plat__azure_roles.contrib) }}
-        --scope {{ plat__azure_subscription_uri }}
-       # --role {{ __azure_xaccount_role_info.id }}
-       # --scopes {{ plat__azure_metagroup_uri }}
-       # Bake ternary into the above
-
-    #- name: SLEEEP
-    #  command: >
-    #    sleep 180
+        --scope {{ plat__azure_xaccount_rg_scope | ternary(plat__azure_metagroup_uri, plat__azure_subscription_uri) }} 
 
     - name: Register Azure Cross Account App info
       no_log: True
@@ -119,24 +107,6 @@
         application: "{{ plat__azure_xaccount_app_uuid }}"
         secret: "{{ __azure_xaccount_app_pword }}"
 
-#Move Up  
-#- name: Handle Azure Cross Account Role
-#  register: __azure_xaccount_role_info
-#  azure.azcollection.azure_rm_roledefinition:  # This version fails idempotence if a description is set
-#    state: present
-#    name: "{{ plat__azure_xaccount_role_name }}"
-#    assignable_scopes: "/subscriptions/{{ plat__azure_subscription_id }}"
-#    permissions:
-#      - actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('Actions') }}"
-#        data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('DataActions') }}"
-#        not_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotActions') }}"
-#        not_data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotDataActions') }}"
-
-#Not Needed?
-#- name: Set Azure Cross Account Role URI
-#  ansible.builtin.set_fact:
-#    plat__azure_xaccount_role_uri: "{{ __azure_xaccount_role_info.id }}"
-
 - name: Request creation of Azure Managed Identities
   when: ( __azure_identity_list_names is undefined ) or ( __azure_msi_item not in __azure_identity_list_names )
   loop_control:
@@ -148,7 +118,7 @@
     - "{{ plat__azure_datalakeadmin_identity_name }}"
     - "{{ plat__azure_log_identity_name }}"
     - "{{ plat__azure_ranger_audit_identity_name }}"
-#Dupe of Below?
+
 - name: Wait for identities to be listed
   command: "az identity list -g {{ plat__azure_metagroup_name }}"
   register: __azure_identity_list
@@ -260,20 +230,6 @@
       scope: "{{ plat__azure_datapath_uri }}"
       assignee: "{{ __azure_ranger_audit_identity_uuid }}"
       desc: Assign Storage Blob Data Contributor Role to Ranger Role at Data Container level
-    #- role: "{{ __azure_contributor_role_uri }}"
-    #  name: "{{ plat__azure_xaccount_contributor_assn_name }}"
-    #  scope: "{{ plat__azure_subscription_uri }}"
-    #  assignee: "{{ plat__azure_application_service_principal_objuuid }}"
-    #  desc: Assign top level Contributor Role to Cross Account App
-    #- role: "{{ __azure_xaccount_role_uri }}"
-    #  name: "{{ plat__azure_xaccount_role_assn_name }}"
-    #  scope: "{{ plat__azure_subscription_uri }}"
-    #  assignee: "{{ plat__azure_application_service_principal_objuuid }}"
-    #  desc: Assign Cross Account Role to Cross Account App
   loop_control:
     loop_var: __azure_rl_assgn_item
     label: "{{ __azure_rl_assgn_item.desc }}"
-
-#- name: SLEEEEEEEEEEP
-#  command: >
-#    sleep 1800
diff --git a/roles/platform/tasks/setup_azure_env.yml b/roles/platform/tasks/setup_azure_env.yml
@@ -30,7 +30,7 @@
     vpc_id: "{{ plat__vpc_name }}"
     tunnel: "{{ plat__tunnel }}"
     resource_gp: "{{ plat__azure_metagroup_name }}"
-    use_single_resource_group: "{{ plat__azure_single_resource_group }}"
+    use_single_resource_group: "{{ plat__azure_single_resource_group or plat__azure_xaccount_rg_scope | bool }}"
     subnet_ids: "{{ plat__azure_subnets }}"
     public_ip: "{{ plat__public_endpoint_access }}"
     tags: "{{ plat__tags }}"
diff --git a/roles/platform/tasks/teardown_azure_authz.yml b/roles/platform/tasks/teardown_azure_authz.yml
@@ -55,15 +55,16 @@
   when: plat__teardown_deletes_credential
   cloudera.cloud.env_cred:
     state: absent
-    #cloud: "{{ plat__infra_type }}"
     name: "{{ plat__xacccount_credential_name }}"
-    #subscription: "{{ plat__azure_subscription_id }}"
-    #tenant: "{{ plat__azure_tenant_id }}"
-    #application: "{{ plat__azure_xaccount_app_uuid }}"
-    #secret: "{{ __azure_xaccount_app_pword }}"
 
 - name: Tear down Azure AD App Registration
   when: plat__teardown_deletes_xaccount and ( plat__azure_xaccount_app_uuid is defined ) and ( plat__azure_xaccount_app_uuid | length > 0 )
   command: >
       az ad sp delete
-      --id {{ plat__azure_application_service_principal_objuuid }}
+      --id {{ plat__azure_application_service_principal_objuuid }}
+
+- name: Tear down Custom Role
+  when: plat__teardown_deletes_roles
+  azure.azcollection.azure_rm_roledefinition:
+    state: absent
+    name: "{{ plat__azure_xaccount_role_name }}"
