Enable User assigned managed identity for scalesets (#219)

2025-06-20 05:23:44 +00:00 · 2020-10-29 10:53:11 -07:00
parent 99b69d3e56
commit 154be220ae
6 changed files with 92 additions and 12 deletions
--- a/src/deployment/azuredeploy.json
+++ b/src/deployment/azuredeploy.json
@ -38,6 +38,7 @@
        }
    },
    "variables": {
+        "scaleset_identity": "[concat(parameters('name'), '-scalesetid')]",
        "telemetry": "d7a73cf4-5a1a-4030-85e1-e5b25867e45a",
        "signalr-name": "[concat('onefuzz-', uniquestring(resourceGroup().id))]",
        "monitorAccountName": "[concat('logs-wb-', uniquestring(resourceGroup().id))]",
@ -47,6 +48,7 @@
        "Storage Account Contributor": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
        "Virtual Machine Contributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
        "Log Analytics Contributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+        "Managed Identity Operator": "f1a07417-d97a-45cb-824c-7a7467783830",
        "storage_account_sas": {
            "signedServices": "bfqt",
            "signedPermission": "rwdlacup",
@ -93,6 +95,12 @@
        }
    ],
    "resources": [
+        {
+            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+            "name": "[variables('scaleset_identity')]",
+            "apiVersion": "2018-11-30",
+            "location": "[resourceGroup().location]"
+        },
        {
            "apiVersion": "2018-11-01",
            "name": "[parameters('name')]",
@ -580,6 +588,21 @@
                "OWNER": "[parameters('owner')]"
            }
        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2017-09-01",
+            "name": "[guid(concat(resourceGroup().id, '-user_managed_idenity'))]",
+            "properties": {
+                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', variables('Managed Identity Operator'))]",
+                "principalId": "[reference(resourceId('Microsoft.Web/sites', parameters('name')), '2018-02-01', 'Full').identity.principalId]"
+            },
+            "DependsOn": [
+                "[resourceId('Microsoft.Web/sites', parameters('name'))]"
+            ],
+            "tags": {
+                "OWNER": "[parameters('owner')]"
+            }
+        },
        {
            "type": "Microsoft.SignalRService/SignalR",
            "apiVersion": "2018-10-01",
@ -640,6 +663,10 @@
        "func-key": {
            "type": "string",
            "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountNameFunc')), '2019-06-01').keys[0].value]"
+        },
+        "scaleset-identity": {
+            "type": "string",
+            "value": "[variables('scaleset_identity')]"
        }
    }
 }
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
@ -62,6 +62,7 @@ from msrest.serialization import TZ_UTC
 from data_migration import migrate
 from registration import (
    add_application_password,
+    assign_scaleset_role,
    authorize_application,
    get_application,
    register_application,
@ -395,6 +396,11 @@ class Client:
            sys.exit(1)
        self.results["deploy"] = result.properties.outputs

+        logger.info("assigning the user managed identity role")
+        assign_scaleset_role(
+            self.application_name, self.results["deploy"]["scaleset-identity"]["value"]
+        )
+
    def apply_migrations(self):
        self.results["deploy"]["func-storage"]["value"]
        name = self.results["deploy"]["func-name"]["value"]
--- a/src/deployment/registration.py
+++ b/src/deployment/registration.py
@ -298,28 +298,39 @@ def assign_scaleset_role(onefuzz_instance_name: str, scaleset_name: str):
        raise Exception("scaleset service principal not found")
    scaleset_service_principal = scaleset_service_principals["value"][0]

-    lab_machine_role = (
+    managed_node_role = (
        seq(onefuzz_service_principal["appRoles"])
        .filter(lambda x: x["value"] == "ManagedNode")
        .head_option()
    )

-    if not lab_machine_role:
+    if not managed_node_role:
        raise Exception(
            "ManagedNode role not found int the onefuzz application registration. Please redeploy the instance"
        )

-    query_microsoft_graph(
-        method="POST",
-        resource="servicePrincipals/%s/appRoleAssignedTo"
+    assignments = query_microsoft_graph(
+        method="GET",
+        resource="servicePrincipals/%s/appRoleAssignments"
        % scaleset_service_principal["id"],
-        body={
-            "principalId": scaleset_service_principal["id"],
-            "resourceId": onefuzz_service_principal["id"],
-            "appRoleId": lab_machine_role["id"],
-        },
    )

+    # check if the role is already assigned
+    role_assigned = seq(assignments["value"]).find(
+        lambda assignment: assignment["appRoleId"] == managed_node_role["id"]
+    )
+    if not role_assigned:
+        query_microsoft_graph(
+            method="POST",
+            resource="servicePrincipals/%s/appRoleAssignedTo"
+            % scaleset_service_principal["id"],
+            body={
+                "principalId": scaleset_service_principal["id"],
+                "resourceId": onefuzz_service_principal["id"],
+                "appRoleId": managed_node_role["id"],
+            },
+        )
+

 def main():
    formatter = argparse.ArgumentDefaultsHelpFormatter