EES-4765 Add conditional deploy of ACR Pull role assignment

dfe-analytical-services · Dec 21, 2023 · d6a82c9 · d6a82c9
1 parent 3ea7162
commit d6a82c9
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 2 deletions.
diff --git a/.azdo/pipelines/azure-dev.yml b/.azdo/pipelines/azure-dev.yml
@@ -3,6 +3,12 @@ trigger:
   - main
 pr: none
 
+parameters:
+- name: deployRoleAssignments
+  displayName: 'Deploy role assignments?'
+  type: boolean
+  default: false
+
 jobs:
 - deployment: All
   displayName: All
@@ -30,4 +36,6 @@ jobs:
               AZURE_SUBSCRIPTION_ID: $(AZURE_SUBSCRIPTION_ID)
               AZURE_ENV_NAME: $(Environment.Name)
               AZURE_LOCATION: $(AZURE_LOCATION)
-              AZURE_RESOURCE_GROUP_NAME: ${AZURE_RESOURCE_GROUP_NAME}
+              AZURE_RESOURCE_GROUP_NAME: ${AZURE_RESOURCE_GROUP_NAME}
+              PRODUCT_NAME: ${PRODUCT_NAME}
+              DEPLOY_ROLE_ASSIGNMENTS: ${parameters.deployRoleAssignments}
diff --git a/infra/app/api.bicep b/infra/app/api.bicep
@@ -1,10 +1,20 @@
+param name string
 param location string = resourceGroup().location
 param tags object = {}
 
 param identityName string
 
+param deployRoleAssignments bool = true
+
 resource apiIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
   location: location
   tags: tags
 }
+
+module containerRegistryAccess '../shared/container-registry-access.bicep' = if (deployRoleAssignments) {
+  name: '${name}-container-registry-access'
+  params: {
+    principalId: apiIdentity.properties.principalId
+  }
+}
diff --git a/infra/app/web.bicep b/infra/app/web.bicep
@@ -1,10 +1,20 @@
+param name string
 param location string = resourceGroup().location
 param tags object = {}
 
 param identityName string
 
+param deployRoleAssignments bool = true
+
 resource webIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
   name: identityName
   location: location
   tags: tags
 }
+
+module containerRegistryAccess '../shared/container-registry-access.bicep' = if (deployRoleAssignments) {
+  name: '${name}-container-registry-access'
+  params: {
+    principalId: webIdentity.properties.principalId
+  }
+}
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -22,6 +22,9 @@ param productName string
 @description('Name of the resource group')
 param resourceGroupName string
 
+@description('Specify if role assignments should be deployed')
+param deployRoleAssignments bool = true
+
 // Tags that should be applied to all resources.
 // 
 // Note that 'azd-service-name' tags should be applied separately to service host resources.
@@ -80,9 +83,11 @@ module monitoring './shared/monitoring.bicep' = {
 module api './app/api.bicep' = {
   name: 'api'
   params: {
+    name: '${resourceGroupName}-${abbrs.appContainerApps}api'
     location: location
     tags: tags
     identityName: '${resourceGroupName}-${abbrs.managedIdentityUserAssignedIdentities}api'
+    deployRoleAssignments: deployRoleAssignments
   }
   scope: rg
 }
@@ -91,9 +96,11 @@ module api './app/api.bicep' = {
 module web './app/web.bicep' = {
   name: 'web'
   params: {
+    name: '${resourceGroupName}-${abbrs.appContainerApps}web'
     location: location
     tags: tags
     identityName: '${resourceGroupName}-${abbrs.managedIdentityUserAssignedIdentities}web'
+    deployRoleAssignments: deployRoleAssignments
   }
   scope: rg
 }

diff --git a/infra/main.parameters.json b/infra/main.parameters.json
@@ -15,7 +15,10 @@
       "value": "${AZURE_RESOURCE_GROUP_NAME}"
     },
     "productName": {
-      "value": "Statistics as a Service"
+      "value": "${PRODUCT_NAME}"
+    },
+    "deployRoleAssignments": {
+      "value": "${DEPLOY_ROLE_ASSIGNMENTS=true}"
     }
   }
 }
diff --git a/infra/shared/container-registry-access.bicep b/infra/shared/container-registry-access.bicep
@@ -0,0 +1,17 @@
+metadata description = 'Assigns ACR Pull role to access an Azure Container Registry.'
+
+param principalId string
+
+var acrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+
+// This requires Microsoft.Authorization/roleAssignments/write permission,
+// such as being an Owner, User Access Administrator, or RBAC Administrator at the scope the role is being assigned.
+resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: resourceGroup() // Scope is specified as the resource group level but this could be changed to be a specific ACR resource
+  name: guid(resourceGroup().id, principalId, acrPullRole)
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: principalId
+  }
+}