equinor · sveinpj · May 7, 2024 · May 7, 2024
diff --git a/scripts/radix-zone/base-infrastructure/bootstrap.sh b/scripts/radix-zone/base-infrastructure/bootstrap.sh
@@ -164,7 +164,6 @@ echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER    : $AZ_SYSTEM_USER_CON
 echo -e "   -  AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD      : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 echo -e "   -  APP_REGISTRATION_WEB_CONSOLE                : $APP_REGISTRATION_WEB_CONSOLE"
 echo -e "   -  APP_REGISTRATION_GRAFANA                    : $APP_REGISTRATION_GRAFANA"
-echo -e "   -  APP_REGISTRATION_VELERO                     : $APP_REGISTRATION_VELERO"
 echo -e "   -  APP_REGISTRATION_SERVICENOW_SERVER          : $APP_REGISTRATION_SERVICENOW_SERVER"
 echo -e ""
 echo -e "   -  MI_AKS                                      : $MI_AKS"
@@ -474,7 +473,6 @@ function create_base_system_users_and_store_credentials() {
     create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Service principal that provide read-only access to container registry"
     create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Service principal that provide push, pull, build in container registry"
     create_service_principal_and_store_credentials "$APP_REGISTRATION_GRAFANA" "Grafana OAuth"
-    create_service_principal_and_store_credentials "$APP_REGISTRATION_VELERO" "Used by Velero to access Azure resources"
     create_service_principal_and_store_credentials "$APP_REGISTRATION_WEB_CONSOLE" "Used by web console for login and other AD information"
 }
 

diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env
@@ -99,7 +99,6 @@ AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
 
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
-APP_REGISTRATION_VELERO="ar-radix-velero-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
 APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"

diff --git a/scripts/radix-zone/radix_zone_dev.env b/scripts/radix-zone/radix_zone_dev.env
@@ -102,7 +102,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"

diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env
@@ -101,7 +101,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"

diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env
@@ -102,7 +102,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
 APP_REGISTRATION_EXT_MON="ar-radix-grafana-ext-mon"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"

diff --git a/scripts/velero/bootstrap.sh b/scripts/velero/bootstrap.sh
@@ -121,7 +121,6 @@ echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
 echo -e "   -  AZ_VELERO_RESOURCE_GROUP         : $AZ_VELERO_RESOURCE_GROUP"
 echo -e "   -  AZ_VELERO_STORAGE_ACCOUNT_ID     : $AZ_VELERO_STORAGE_ACCOUNT_ID"
-echo -e "   -  APP_REGISTRATION_VELERO          : $APP_REGISTRATION_VELERO"
 echo -e ""
 echo -e "   > WHO:"
 echo -e "   -------------------------------------------------------------------"
@@ -144,64 +143,6 @@ if [[ $USER_PROMPT == true ]]; then
 fi
 
 #######################################################################################
-### Resource group and storage container
+### Replaced by Terraform
 ### 
 
-echo ""
-echo "Create resource group..."
-az group create -n "$AZ_VELERO_RESOURCE_GROUP" --location "$AZ_RADIX_ZONE_LOCATION" 2>&1 >/dev/null
-echo "Done."
-
-echo ""
-echo "Create storage account..."
-az storage account create --name "$AZ_VELERO_STORAGE_ACCOUNT_ID" \
-    --resource-group "$AZ_VELERO_RESOURCE_GROUP" \
-    --encryption-services blob \
-    --https-only true \
-    --access-tier Hot \
-    --min-tls-version "${AZ_STORAGEACCOUNT_MIN_TLS_VERSION}" \
-    --sku "${AZ_STORAGEACCOUNT_SKU}" \
-    --kind "${AZ_VELERO_STORAGE_ACCOUNT_KIND}" \
-    --access-tier "${AZ_STORAGEACCOUNT_TIER}"
-    2>&1 >/dev/null
-echo "Done."
-
-# The blob has to be unique for each cluster, and so we will create a blob when installing the base components for the cluster.
-# This blob will be shared among all clusters. Not good.
-# We will move the creation of a separate blob per cluster into the "install base components" script.
-# echo ""
-# echo "Create storage container..."
-# az storage container create -n "$AZ_VELERO_STORAGE_BLOB_CONTAINER" \
-#     --public-access off \
-#     --account-name "$AZ_VELERO_STORAGE_ACCOUNT_ID" \
-#     2>&1 >/dev/null
-# echo "Done."
-
-
-#######################################################################################
-### Service principal
-###
-
-
-printf "Working on \"${APP_REGISTRATION_VELERO}\": Creating service principal..."
-AZ_VELERO_SERVICE_PRINCIPAL_SCOPE="$(az group show --name ${AZ_VELERO_RESOURCE_GROUP} | jq -r '.id')"
-AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD="$(az ad sp create-for-rbac --name "$APP_REGISTRATION_VELERO" --scope="${AZ_VELERO_SERVICE_PRINCIPAL_SCOPE}" --role "Contributor" --query 'password' -o tsv)"
-AZ_VELERO_SERVICE_PRINCIPAL_ID="$(az ad sp list --display-name "$APP_REGISTRATION_VELERO" --query '[0].appId' -o tsv)"
-AZ_VELERO_SERVICE_PRINCIPAL_DESCRIPTION="Used by Velero to access Azure resources"
-
-printf "Update credentials in keyvault..."
-update_service_principal_credentials_in_az_keyvault "${APP_REGISTRATION_VELERO}" "${AZ_VELERO_SERVICE_PRINCIPAL_ID}" "${AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD}" "${AZ_VELERO_SERVICE_PRINCIPAL_DESCRIPTION}"
-printf "Done.\n"
-
-# Clean up
-unset AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD # Clear credentials from memory
-
-echo ""
-echo "WARNING!"
-echo "You _must_ manually set team members as owners for the service principal \"$APP_REGISTRATION_VELERO\","
-echo "as this is not possible to do by script (yet)."
-echo ""
-
-echo ""
-echo "Bootstrap of Velero is done!"
-
diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh
@@ -126,7 +126,6 @@ echo -e ""
 echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
 echo -e "   -  VELERO_NAMESPACE                 : $VELERO_NAMESPACE"
-echo -e "   -  APP_REGISTRATION_VELERO          : $APP_REGISTRATION_VELERO"
 echo -e "   -  CREDENTIALS_TEMPLATE_PATH        : $CREDENTIALS_TEMPLATE_PATH"
 echo -e "   -  BACKUP_STORAGE_CONTAINER         : $CLUSTER_NAME"
 echo -e ""
@@ -188,31 +187,6 @@ function cleanup() {
   rm -f "$CREDENTIALS_GENERATED_PATH"
 }
 
-# function generateCredentialsFile() {
-#   local SP_JSON="$(az keyvault secret show \
-#     --vault-name $AZ_RESOURCE_KEYVAULT \
-#     --name $APP_REGISTRATION_VELERO |
-#     jq '.value | fromjson')"
-
-#   # Set variables used in the manifest templates
-#   local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
-#   local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
-#   local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
-#   local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"
-
-#   # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
-#   CREDENTIALS_GENERATED_PATH="$(mktemp)"
-#   local tmp_heredoc="$(mktemp)"
-#   (
-#     echo "#!/bin/sh"
-#     echo "cat <<EOF >>${CREDENTIALS_GENERATED_PATH}"
-#     cat ${CREDENTIALS_TEMPLATE_PATH}
-#     echo ""
-#     echo "EOF"
-#   ) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
-#   source "$tmp_heredoc"
-# }
-
 # Run cleanup even if script crashed
 trap cleanup 0 2 3 15
 
@@ -268,29 +242,6 @@ az storage account network-rule remove \
   --output none \
   --only-show-errors
 
-# Velero custom RBAC clusterrole
-RBAC_CLUSTERROLE="velero-admin"
-printf "\nCreating $RBAC_CLUSTERROLE clusterrole..\n"
-cat <<EOF | kubectl apply -f -
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: $RBAC_CLUSTERROLE
-  labels:
-    kubernetes.io/bootstrapping: rbac-defaults
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-rules:
-- apiGroups:
-  - "*"
-  resources:
-  - "*"
-  verbs:
-  - "*"
-- nonResourceURLs: ["*"]
-  verbs: ["*"]
-EOF
-
 # Create configMap that will hold the cluster specific values that Flux will later use when it manages the deployment of Velero
 printf "Working on configmap for flux..."
 cat <<EOF | kubectl apply -f - 2>&1 >/dev/null

diff --git a/scripts/velero/teardown.sh b/scripts/velero/teardown.sh
@@ -111,7 +111,6 @@ echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
 echo -e "   -  AZ_VELERO_RESOURCE_GROUP         : $AZ_VELERO_RESOURCE_GROUP"
 echo -e "   -  AZ_VELERO_STORAGE_ACCOUNT_ID     : $AZ_VELERO_STORAGE_ACCOUNT_ID"
-echo -e "   -  APP_REGISTRATION_VELERO          : $APP_REGISTRATION_VELERO"
 echo -e ""
 echo -e "   > WHO:"
 echo -e "   -------------------------------------------------------------------"
@@ -152,10 +151,6 @@ echo "Deleting resource group..."
 az group delete --yes --name "$AZ_VELERO_RESOURCE_GROUP" 2>&1 >/dev/null
 echo "Done."
 
-echo ""
-echo "Deleting service principal..."
-delete_ad_app_and_stored_credentials "${APP_REGISTRATION_VELERO}"
-echo "Done."
 
 
 #######################################################################################

diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf
@@ -61,22 +61,6 @@ resource "azurerm_role_assignment" "roleassignment" {
   depends_on           = [azurerm_storage_account.storageaccount]
 }
 
-# #######################################################################################
-# ### Role assignment for Velero Service Principal to be used to the Storage account
-# ###
-
-data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future
-  display_name = var.velero_service_principal
-}
-
-resource "azurerm_role_assignment" "storage_blob_data_conntributor" {
-  for_each             = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {}
-  scope                = azurerm_storage_account.storageaccount.id
-  role_definition_name = "Storage Account Contributor"
-  principal_id         = data.azuread_service_principal.velero.id
-  depends_on           = [azurerm_storage_account.storageaccount]
-}
-
 ######################################################################################
 ## Blob Protection
 ##

diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf
@@ -74,11 +74,6 @@ variable "principal_id" {
   type        = string
 }
 
-variable "velero_service_principal" {
-  description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to"
-  type        = string
-}
-
 variable "vault_id" {
   description = "The ID of the Backup Vault"
   type        = string

diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
   subnet_id                = data.azurerm_subnet.this.id
-  velero_service_principal = each.value.velero_service_principal
   vnet_resource_group      = module.config.vnet_resource_group
   lifecyclepolicy          = each.value.lifecyclepolicy
 }

diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
     account_tier             = optional(string, "Standard")
     account_replication_type = optional(string, "LRS")
     kind                     = optional(string, "StorageV2")
-    velero_service_principal = optional(string, "ar-radix-velero-c2-prod")
     change_feed_enabled      = optional(bool, false)
     versioning_enabled       = optional(bool, false)
     backup                   = optional(bool, false)

diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf
@@ -55,7 +55,6 @@ module "storageaccount" {
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
   subnet_id                = data.azurerm_subnet.this.id
-  velero_service_principal = each.value.velero_service_principal
   vnet_resource_group      = module.config.vnet_resource_group
   lifecyclepolicy          = each.value.lifecyclepolicy
 }

diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
     account_tier             = optional(string, "Standard")
     account_replication_type = optional(string, "LRS")
     kind                     = optional(string, "StorageV2")
-    velero_service_principal = optional(string, "radix-velero-prod")
     change_feed_enabled      = optional(bool, false)
     versioning_enabled       = optional(bool, false)
     backup                   = optional(bool, false)

diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
   subnet_id                = data.azurerm_subnet.this.id
-  velero_service_principal = each.value.velero_service_principal
   vnet_resource_group      = module.config.vnet_resource_group
   lifecyclepolicy          = each.value.lifecyclepolicy
 }

diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf
@@ -8,7 +8,6 @@ variable "storageaccounts" {
     account_tier             = optional(string, "Standard")
     account_replication_type = optional(string, "LRS")
     kind                     = optional(string, "StorageV2")
-    velero_service_principal = optional(string, "radix-velero-prod")
     change_feed_enabled      = optional(bool, false)
     versioning_enabled       = optional(bool, false)
     backup                   = optional(bool, false)

diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
   subnet_id                = data.azurerm_subnet.this.id
-  velero_service_principal = "radix-velero-${module.config.environment}"
   vnet_resource_group      = module.config.vnet_resource_group
   lifecyclepolicy          = each.value.lifecyclepolicy
 }

diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
   vault_id                 = module.backupvault.data.backupvault.id
   policyblobstorage_id     = module.backupvault.data.policyblobstorage.id
   subnet_id                = data.azurerm_subnet.this.id
-  velero_service_principal = each.value.velero_service_principal
   vnet_resource_group      = module.config.vnet_resource_group
   lifecyclepolicy          = each.value.lifecyclepolicy
 }

diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
     account_tier             = optional(string, "Standard")
     account_replication_type = optional(string, "LRS")
     kind                     = optional(string, "StorageV2")
-    velero_service_principal = optional(string, "radix-velero-dev")
     change_feed_enabled      = optional(bool, false)
     versioning_enabled       = optional(bool, false)
     backup                   = optional(bool, false)