diff --git a/scripts/radix-zone/base-infrastructure/bootstrap.sh b/scripts/radix-zone/base-infrastructure/bootstrap.sh index ebb9e8bc0..26a7bfea9 100755 --- a/scripts/radix-zone/base-infrastructure/bootstrap.sh +++ b/scripts/radix-zone/base-infrastructure/bootstrap.sh 
@@ -193,56 +193,11 @@ if [[ $USER_PROMPT == true ]]; then
 fi
-#######################################################################################
-### App registration permissions
-###
-
-function update_app_registrations(){
- update_app_registration_permissions="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/../../update_app_registration_permissions.sh"
- if [[ ! -f "$update_app_registration_permissions" ]]; then
- echo "ERROR: The dependency LIB_SERVICE_PRINCIPAL_PATH=$update_app_registration_permissions is invalid, the file does not exist." >&2
- exit 1
- fi
-}
-
-#######################################################################################
-### Resource groups
-###
-
-# function create_resource_groups() {
-# printf "Creating all resource groups..."
-# az group create \
-# --location "${AZ_RADIX_ZONE_LOCATION}" \
-# --name "${AZ_RESOURCE_GROUP_CLUSTERS}" \
-# --subscription "${AZ_SUBSCRIPTION_ID}" \
-# --output none
-
-# az group create \
-# --location "${AZ_RADIX_ZONE_LOCATION}" \
-# --name "${AZ_RESOURCE_GROUP_COMMON}" \
-# --subscription "${AZ_SUBSCRIPTION_ID}" \
-# --output none
-
-# az group create \
-# --location "${AZ_RADIX_ZONE_LOCATION}" \
-# --name "${AZ_RESOURCE_GROUP_MONITORING}" \
-# --subscription "${AZ_SUBSCRIPTION_ID}" \
-# --output none
-# }
-
 #######################################################################################
 ### Common resources
 ###
 function create_common_resources() {
- printf "Creating key vault: %s...\n" "${AZ_RESOURCE_KEYVAULT}"
- az keyvault create \
- --name "${AZ_RESOURCE_KEYVAULT}" \
- --resource-group "${AZ_RESOURCE_GROUP_COMMON}" \
- --subscription "${AZ_SUBSCRIPTION_ID}" \
- --enable-purge-protection \
- --output none
- printf "...Done\n"
 printf "Set access policy for group \"Radix Platform Operators\" in key vault: %s...\n" "${AZ_RESOURCE_KEYVAULT}"
 az keyvault set-policy \
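Review bot: `create_common_resources` still runs `az keyvault set-policy` for "Radix Platform Operators" (the context lines at the end of this hunk), while this same commit makes Terraform's key-vault module declare an `azurerm_key_vault_access_policy` for that group; two writers now own one policy entry, and the next `terraform plan` will report drift whenever the two permission sets differ. Pick one owner: either remove the `set-policy` block from this function as well, or add a comment above the `printf` such as `# NOTE: the operators access policy is also managed by terraform/subscriptions/modules/key-vault; keep the permission lists identical or drop one of them`. The removed `az keyvault create` carried `--enable-purge-protection`; the Terraform `azurerm_key_vault` body is outside this diff, so please confirm it sets `purge_protection_enabled = true` so the guarantee does not silently disappear with this move. `create_common_resources` continues past the end of the hunk.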
@@ -541,8 +496,6 @@ function update_app_registration() {
 ### MAIN
 ###
-update_app_registrations
-# create_resource_groups
 create_common_resources
 create_outbound_public_ip_prefix
 create_inbound_public_ip_prefix
diff --git a/scripts/update_app_registration_permissions.sh b/scripts/update_app_registration_permissions.sh
deleted file mode 100755
index 48dfbd69f..000000000
--- a/scripts/update_app_registration_permissions.sh
+++ /dev/null
@@ -1,127 +0,0 @@
-#!/usr/bin/env bash
-
-#######################################################################################
-### PURPOSE
-###
-
-# Update App registration with API permissions
-
-#######################################################################################
-### INPUTS
-###
-
-# Required:
-# - RADIX_ZONE_ENV : Path to *.env file
-# - PERMISSIONS : Ex: {"api": "Microsoft Graph","permissions": ["User.Read","GroupMember.Read.All"]}
-
-#######################################################################################
-### HOW TO USE
-###
-
-# RADIX_ZONE_ENV=./radix-zone/radix_zone_dev.env PERMISSIONS='{"api": "Microsoft Graph","permissions": ["User.Read","GroupMember.Read.All"]}' ./update_app_registration_permissions.sh
-
-#######################################################################################
-### Check for prerequisites binaries
-###
-
-red=$'\e[1;31m'
-grn=$'\e[1;32m'
-yel=$'\e[1;33m'
-normal=$(tput sgr0)
-
-function version { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
-
-echo ""
-printf "Check for neccesary executables... \n"
-hash az 2>/dev/null || {
- echo -e "\nERROR: Azure-CLI not found in PATH. Exiting... \n" >&2
- exit 1
-}
-
-hash jq 2>/dev/null || {
- echo -e "\nERROR: jq not found in PATH. Exiting..." >&2
- exit 1
-}
-
-AZ_CLI=$(az version --output json | jq -r '."azure-cli"')
-MIN_AZ_CLI="2.41.0"
-if [ $(version $AZ_CLI) -lt $(version "$MIN_AZ_CLI") ]; then
- printf ""${yel}"Please update az cli to ${MIN_AZ_CLI}. You got version $AZ_CLI.${normal}\n"
- exit 1
-fi
-
-printf "Done.\n"
-
-#######################################################################################
-### Read inputs and configs
-###
-
-# Required inputs
-
-if [[ -z "$RADIX_ZONE_ENV" ]]; then
- echo "ERROR: Please provide RADIX_ZONE_ENV" >&2
- exit 1
-else
- if [[ ! -f "$RADIX_ZONE_ENV" ]]; then
- echo "ERROR: RADIX_ZONE_ENV=$RADIX_ZONE_ENV is invalid, the file does not exist." >&2
- exit 1
- fi
- source "$RADIX_ZONE_ENV"
-fi
-
-if [[ -z "$PERMISSIONS" ]]; then
- echo "ERROR: Please provide PERMISSIONS" >&2
- exit 1
-fi
-
-function update_app_registration_permissions() {
- APP_REGISTRATION_ID="$(az ad sp list --filter "displayname eq '${APP_REGISTRATION_WEB_CONSOLE}'" --query [].appId --output tsv 2>/dev/null)"
- if [ -z "$APP_REGISTRATION_ID" ]; then
- printf " Could not find app registration. Exiting...\n"
- return
- fi
- CURRENT_API_PERMISSIONS="$(az ad app permission list --id "$APP_REGISTRATION_ID")"
-
- while read -r i; do
- API_NAME=$(jq -n "$i" | jq -r '.api')
- API_ID="$(az ad sp list --filter "displayname eq '$API_NAME'" | jq -r .[].appId)"
- API_PERMISSIONS=$(jq -n "$i" | jq -r '.permissions')
-
- if [ -z "$API_ID" ]; then
- printf " Could not get API_ID. Exiting...\n"
- return
- fi
- if [ -z "$API_PERMISSIONS" ]; then
- printf " API permissions missing. Exiting...\n"
- return
- fi
-
- while read -r i; do
- PERMISSION_NAME=$(jq -n "$i" | jq -r .)
- PERMISSION_ID="$(az ad sp show --id "$API_ID" --query "oauth2PermissionScopes[?value=='$PERMISSION_NAME'].id" --output tsv)"
- CHECK_DUPLICATION=$(jq -n "$CURRENT_API_PERMISSIONS" | jq -r ".[] | .resourceAccess[] | select(.id == \"$PERMISSION_ID\") | .id")
-
- if [ -z "$PERMISSION_ID" ]; then
- printf " Permission id missing. Exiting...\n"
- return
- fi
- if [ -z "$CHECK_DUPLICATION" ]; then
- printf " Adding %s %s to %s..." "$API_NAME" "$PERMISSION_NAME" "$APP_REGISTRATION_WEB_CONSOLE"
- az ad app permission add \
- --id "$APP_REGISTRATION_ID" \
- --api "$API_ID" \
- --api-permissions "$PERMISSION_ID=Scope" \
- --only-show-errors
- printf "Done.\n"
- else
- printf " %s %s exist...skipping...\n" "$API_NAME" "$PERMISSION_NAME"
- fi
-
- done < <(echo "${API_PERMISSIONS[@]}" | jq -c '.[]')
-
- done < <(echo "${PERMISSIONS[@]}" | jq -c '.')
-}
-
-printf "Updating app registration permission for %s\n" "$APP_REGISTRATION_WEB_CONSOLE"
-update_app_registration_permissions
-printf "Done.\n"
diff --git a/terraform/subscriptions/modules/key-vault/main.tf b/terraform/subscriptions/modules/key-vault/main.tf
index e5af62496..911381419 100644
--- a/terraform/subscriptions/modules/key-vault/main.tf
+++ b/terraform/subscriptions/modules/key-vault/main.tf
@@ -1,3 +1,8 @@
+data "azuread_group" "this" {
+ display_name = "Radix Platform Operators"
+ security_enabled = true
+}
+
 resource "azurerm_key_vault" "this" {
 name = var.vault_name
 location = var.location
@@ -25,6 +30,23 @@ data "azurerm_subnet" "subnet" {
 virtual_network_name = var.virtual_network
 resource_group_name = var.vnet_resource_group
 }
+
+resource "azurerm_key_vault_access_policy" "this" {
+ for_each = var.enable_rbac_authorization == false ? { "${var.vault_name}" : true } : {}
+ key_vault_id = azurerm_key_vault.this.id
+ tenant_id = var.tenant_id
+ object_id = data.azuread_group.this.object_id
+ certificate_permissions = [
+ "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers"
+ ]
+ key_permissions = [
+ "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore"
+ ]
+ secret_permissions = [
+ "Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"
+ ]
+}
+
 resource "azurerm_private_endpoint" "this" {
 name = "pe-${var.vault_name}"
 location = var.location
diff --git a/terraform/subscriptions/s941/dev/key-vault/.terraform.lock.hcl b/terraform/subscriptions/s941/dev/key-vault/.terraform.lock.hcl
index 62a69b534..13ddce936 100644
--- a/terraform/subscriptions/s941/dev/key-vault/.terraform.lock.hcl
+++ b/terraform/subscriptions/s941/dev/key-vault/.terraform.lock.hcl
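Review bot: `data "azuread_group" "this"` resolves the principal that receives full Key Vault access by display name, and group display names are not unique in Entra ID; a second group named "Radix Platform Operators" breaks the plan with an ambiguity error, and if the original group were ever deleted and recreated, whichever group carries the name inherits the vault permissions with no change to this code. Prefer binding to the immutable identifier: accept the group object ID as a module input and drop the lookup, e.g. `object_id = var.platform_operators_object_id`, or keep the data source but pin it with `object_id = var.platform_operators_object_id` so `display_name` is no longer the key (the module's variables.tf is not in this diff, so the new variable would need adding there). At minimum, add `# NOTE: looked up by display name; names are not unique in Entra ID — pin by object_id` above the block so the trade-off is recorded.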
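Review bot: The new `azurerm_key_vault_access_policy` gives a standing human group `Delete`, `Backup`, `Restore` and `Import` on keys, secrets and certificates, which is effectively owner-level data-plane access with no just-in-time elevation; consider whether operators need more than `Get`/`List`/`Set` (plus `Recover`) day to day, and whether destructive and export-capable permissions should be reserved for a break-glass path or for RBAC roles assignable through PIM once `enable_rbac_authorization` is true. Also note the policy is conditional on `var.enable_rbac_authorization == false`, but nothing visible grants the group an equivalent RBAC role in the `true` branch, so flipping that variable silently removes operator access; a comment such as `# When RBAC authorization is enabled, assign "Key Vault Administrator"/"Key Vault Secrets Officer" via azurerm_role_assignment instead` would make the gap explicit. The `azurerm_key_vault` resource body is outside this hunk, so I cannot confirm it has no inline `access_policy` block, which would conflict with this standalone resource.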
@@ -1,22 +1,41 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.53.1" + hashes = [ + "h1:0z/718jtR2TJHQQMMqi4nvd6XFPV/iA1jb/5fyAcn5o=", + "zh:162916b037e5133f49298b0ffa3e7dcef7d76530a8ca738e7293373980f73c68", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:492931cea4f30887ab5bca36a8556dfcb897288eddd44619c0217fc5da2d57e7", + "zh:4c895e450e18335ad8714cc6d3488fc1a78816ad2851a91b06cb2ef775dd7c66", + "zh:60d92fdaf7235574201f2d8f68f733ee00a822993b3fc95e6952e09e6ec76999", + "zh:67a169119efa41c1fb867ef1a8e79bf03472a2324384c36eb55370c817dcce42", + "zh:9dd4d5ed9233cf9329262200bc5a1aa60942b80dbc611e2ef4b09f47531b39b1", + "zh:a3c160e35b9e40fc1497b83c2f37a8e24565b05a1783c7733609f3695735c2a9", + "zh:a4a221da42b1f46e7c436c7145e5beaadfd9d03f3be6fd526d132c03f18a5979", + "zh:af0d3476a9702d2287e168e3baa670e64daab9c9b01c01e17025a5248f3e28e9", + "zh:e3579bff7894f3d36066b74ec324be6d28f56a42a387a2b8a0eabf33cbff86df", + "zh:f1749ee8ad972ae6424665aa9d2c0ece8c40c51d41ec2f38b863148cb437e865", + ] +} + provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.113.0" + version = "3.114.0" constraints = ">= 3.110.0" hashes = [ - "h1:eEUtt0lrLdpVaF6FiDq8BGQPgEcykmhj0aNIL7hTOGw=", - "zh:12479f5664288943400447b55e50df675c28ae82ad8d373cc2e5682f3a3411f0", - "zh:1b42a14e80e568429d3b55fed753ca3ef0df9dcdfa107890d7264599c020940f", - "zh:381be6ca617f848de3baa3985a6e1788e91a803afe04a3c5c727453528b6310d", - "zh:3e70e2e07b6db1c363de3e5d0ca47f27fc956473df03329c7d2e54d3ac29176b", - "zh:87c7633aeaa828098c6055da9e67d4acaf4b46748b6b3f0267e105e55f05de25", - "zh:8d0d98226901f874770dd5220d4701a12ae8bd586994615aa7dcba12b9736bec", - "zh:9fd913acd42a60c3a90a18ce803567ef861db8779a59aacced91f2cbd86de9d9", - "zh:b6f3f7ae0a055437fb36c139af9bb3135e7f4dad172157ae1eb0177dc74d703f", - "zh:b927027ba2bf40d34e03d742fd2b6c5299023b5ab8e6f05e50aac76a46ad1094", - 
"zh:ceb5187b9d2a439f4e48944f3ffeeeaf47a03dbe6f3325ea1775bf659ce0aa88", + "h1:9gfR0VCUpoynii31LxsLaK9fV1blcnJQi3vnjJLSiaI=", + "zh:016b6f4662d1cfcddbe968624e899c1a20c6df0ed5014cdeed19c3e945ea80ee", + "zh:08448eeaaa9e9e84a2887282f9524faa2bb000fbdfcdac610c088a74e36e6911", + "zh:17975bb18d0ad3e2530261773e4fbfae078bfc4db4e0a5458b823b3ec79642e1", + "zh:3030ad1b13fe487ce791c851c6b5f3035af08f60b335d7be5ce6ce76af43062f", + "zh:68b2914edae1049506aab9f2c11c5b2b2c8d01aa3e0ad53e07ce75ae58906a45", + "zh:cffa9af324a0c621317b6d33f80a28159d01706846877d5784d37dad76635d78", + "zh:d36d44617b890a8a6d404a016c10428c3393e072d484addfb56334183893998b", + "zh:d5c217d7a24b32b18cb9ad47544050c5ec9e6b40ce3f34ff37be5e2d232b4dad", + "zh:d5cd83a9701a9bcd17bbd86beb5accdc6c487fcfa472b868bc581e4d5b67d59d", + "zh:f4ba0bd65d9a10f8185e163217e10e5fa91e386c68e6773c188881b088315477", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb9d78dfeca7489bffca9b1a1f3abee7f16dbbcba31388aea1102062c1d6dce8", + "zh:f807554e5e08e38e6526e363641219e89ad9eda0b24ec09f25e61c74eece2490", ] } diff --git a/terraform/subscriptions/s941/playground/key-vault/.terraform.lock.hcl b/terraform/subscriptions/s941/playground/key-vault/.terraform.lock.hcl index 62a69b534..13ddce936 100644 --- a/terraform/subscriptions/s941/playground/key-vault/.terraform.lock.hcl +++ b/terraform/subscriptions/s941/playground/key-vault/.terraform.lock.hcl 
@@ -1,22 +1,41 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.53.1" + hashes = [ + "h1:0z/718jtR2TJHQQMMqi4nvd6XFPV/iA1jb/5fyAcn5o=", + "zh:162916b037e5133f49298b0ffa3e7dcef7d76530a8ca738e7293373980f73c68", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:492931cea4f30887ab5bca36a8556dfcb897288eddd44619c0217fc5da2d57e7", + "zh:4c895e450e18335ad8714cc6d3488fc1a78816ad2851a91b06cb2ef775dd7c66", + "zh:60d92fdaf7235574201f2d8f68f733ee00a822993b3fc95e6952e09e6ec76999", + "zh:67a169119efa41c1fb867ef1a8e79bf03472a2324384c36eb55370c817dcce42", + "zh:9dd4d5ed9233cf9329262200bc5a1aa60942b80dbc611e2ef4b09f47531b39b1", + "zh:a3c160e35b9e40fc1497b83c2f37a8e24565b05a1783c7733609f3695735c2a9", + "zh:a4a221da42b1f46e7c436c7145e5beaadfd9d03f3be6fd526d132c03f18a5979", + "zh:af0d3476a9702d2287e168e3baa670e64daab9c9b01c01e17025a5248f3e28e9", + "zh:e3579bff7894f3d36066b74ec324be6d28f56a42a387a2b8a0eabf33cbff86df", + "zh:f1749ee8ad972ae6424665aa9d2c0ece8c40c51d41ec2f38b863148cb437e865", + ] +} + provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.113.0" + version = "3.114.0" constraints = ">= 3.110.0" hashes = [ - "h1:eEUtt0lrLdpVaF6FiDq8BGQPgEcykmhj0aNIL7hTOGw=", - "zh:12479f5664288943400447b55e50df675c28ae82ad8d373cc2e5682f3a3411f0", - "zh:1b42a14e80e568429d3b55fed753ca3ef0df9dcdfa107890d7264599c020940f", - "zh:381be6ca617f848de3baa3985a6e1788e91a803afe04a3c5c727453528b6310d", - "zh:3e70e2e07b6db1c363de3e5d0ca47f27fc956473df03329c7d2e54d3ac29176b", - "zh:87c7633aeaa828098c6055da9e67d4acaf4b46748b6b3f0267e105e55f05de25", - "zh:8d0d98226901f874770dd5220d4701a12ae8bd586994615aa7dcba12b9736bec", - "zh:9fd913acd42a60c3a90a18ce803567ef861db8779a59aacced91f2cbd86de9d9", - "zh:b6f3f7ae0a055437fb36c139af9bb3135e7f4dad172157ae1eb0177dc74d703f", - "zh:b927027ba2bf40d34e03d742fd2b6c5299023b5ab8e6f05e50aac76a46ad1094", - 
"zh:ceb5187b9d2a439f4e48944f3ffeeeaf47a03dbe6f3325ea1775bf659ce0aa88", + "h1:9gfR0VCUpoynii31LxsLaK9fV1blcnJQi3vnjJLSiaI=", + "zh:016b6f4662d1cfcddbe968624e899c1a20c6df0ed5014cdeed19c3e945ea80ee", + "zh:08448eeaaa9e9e84a2887282f9524faa2bb000fbdfcdac610c088a74e36e6911", + "zh:17975bb18d0ad3e2530261773e4fbfae078bfc4db4e0a5458b823b3ec79642e1", + "zh:3030ad1b13fe487ce791c851c6b5f3035af08f60b335d7be5ce6ce76af43062f", + "zh:68b2914edae1049506aab9f2c11c5b2b2c8d01aa3e0ad53e07ce75ae58906a45", + "zh:cffa9af324a0c621317b6d33f80a28159d01706846877d5784d37dad76635d78", + "zh:d36d44617b890a8a6d404a016c10428c3393e072d484addfb56334183893998b", + "zh:d5c217d7a24b32b18cb9ad47544050c5ec9e6b40ce3f34ff37be5e2d232b4dad", + "zh:d5cd83a9701a9bcd17bbd86beb5accdc6c487fcfa472b868bc581e4d5b67d59d", + "zh:f4ba0bd65d9a10f8185e163217e10e5fa91e386c68e6773c188881b088315477", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb9d78dfeca7489bffca9b1a1f3abee7f16dbbcba31388aea1102062c1d6dce8", + "zh:f807554e5e08e38e6526e363641219e89ad9eda0b24ec09f25e61c74eece2490", ] }