-
Notifications
You must be signed in to change notification settings - Fork 466
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Spike]: API for role assignments #6636
base: main
Are you sure you want to change the base?
Conversation
|
||
param storage_outputs_name string | ||
|
||
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We generate a module per container/project and that module has both the user assigned identity and role assignments for that compute resource.
output id string = identity.id | ||
|
||
output clientId string = identity.properties.clientId |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These end up as outputs for the container app to use for both runtime and to associate this user assigned identity with the container app.
resource storage 'Microsoft.Storage/storageAccounts@2024-01-01' existing = { | ||
name: storage_outputs_name | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to reference the set of resources we are creating role assignments for.
- Added descriptions to role assignments - Fixed tests with new output
/// <param name="Description"></param> | ||
|
||
// REVIEW: This should be part of the Azure.Provisioning APIs | ||
public record struct RoleDefinition(string Id, string Description); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need a single type for role definitions and then per resource types that have the well known ones. That would reduce the API explosion.
cc @tg-msft
var account = StorageAccount.FromExisting(Infrastructure.NormalizeBicepIdentifier(Name)); | ||
account.Name = name; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you tried deploying this? Based on the Bicep being generated it looks like you are deploying the I think it'll be OK because for container app to container app communication the container app identity (resource side) is not what matters, there would need to be a different Azure Entra app registration which represents the resource (which we are going to need to support defining in the app model). You know if we get this working it's going to take a lot of the friction out of doing S2S auth. |
Not yet, there was a bug in azd, fixed in this pr. It'll work because the identity and role assignments are part of the provision phase. I'll update the description with the deployment details. |
Deployment works! |
This is a spike to explore APIs for modeling a more secure default security configuration when deploying to azure container apps. It includes a few things:
In the above
WithRoleAssignments
allows the user to specify which roles this project/container requires what roles for a specific storage account.The other API is
RemoveDefaultRoleAssignments
, which is a way to remove the default role assignments for a storage account.Each compute resource that becomes a container app, gets a roles bicep resource that allocates the managed identity and sets up specific role assignments for that identity based on both the either the per reference role assignments or the resource defaults.
Role assignment scopes are resource references. This means we need the ability to get a reference to the underlying azure resource by name, so we can use an existing bicep resource reference in "roles" bicep module. This led to a strange API that was added to
AzureProvisioningResource
to do this in a way that avoids the compute resource needing to know how to get a reference to the underlying azure resource.Microsoft Reviewers: Open in CodeFlow