Roles refactor using CDK Resolvers (Azure#47285)

Author: christothes

sdk/provisioning/Azure.Provisioning.CloudMachine/api/Azure.Provisioning.CloudMachine.net8.0.cs

@@ -87,6 +87,7 @@ public abstract partial class CloudMachineFeature
         protected CloudMachineFeature() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public Azure.Provisioning.Primitives.ProvisionableResource Emitted { get { throw null; } protected set { } }
+        protected internal System.Collections.Generic.Dictionary<Azure.Provisioning.Primitives.Provisionable, (string RoleName, string RoleId)[]> RequiredSystemRoles { get { throw null; } }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public virtual void AddTo(Azure.CloudMachine.CloudMachineInfrastructure cm) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]

sdk/provisioning/Azure.Provisioning.CloudMachine/api/Azure.Provisioning.CloudMachine.netstandard2.0.cs

@@ -87,6 +87,7 @@ public abstract partial class CloudMachineFeature
         protected CloudMachineFeature() { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public Azure.Provisioning.Primitives.ProvisionableResource Emitted { get { throw null; } protected set { } }
+        protected internal System.Collections.Generic.Dictionary<Azure.Provisioning.Primitives.Provisionable, (string RoleName, string RoleId)[]> RequiredSystemRoles { get { throw null; } }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]
         public virtual void AddTo(Azure.CloudMachine.CloudMachineInfrastructure cm) { }
         [System.ComponentModel.EditorBrowsableAttribute(System.ComponentModel.EditorBrowsableState.Never)]

sdk/provisioning/Azure.Provisioning.CloudMachine/src/AzureSdkExtensions/KeyVaultFeature.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System.Collections.Generic;
 using Azure.Provisioning.Authorization;
 using Azure.Provisioning.CloudMachine;
 using Azure.Provisioning.Expressions;
@@ -44,20 +45,8 @@ protected override ProvisionableResource EmitCore(CloudMachineInfrastructure inf
                     ]
                 },
         };
-
         infrastructure.AddResource(keyVaultResource);
-
-        RoleAssignment ra = keyVaultResource.CreateRoleAssignment(KeyVaultBuiltInRole.KeyVaultAdministrator, RoleManagementPrincipalType.User, infrastructure.PrincipalIdParameter);
-        infrastructure.AddResource(ra);
-
-        // necessary until ResourceName is settable via AssignRole.
-        RoleAssignment kvMiRoleAssignment = new RoleAssignment(keyVaultResource.BicepIdentifier + "_" + infrastructure.Identity.BicepIdentifier + "_" + KeyVaultBuiltInRole.GetBuiltInRoleName(KeyVaultBuiltInRole.KeyVaultAdministrator));
-        kvMiRoleAssignment.Name = BicepFunction.CreateGuid(keyVaultResource.Id, infrastructure.Identity.Id, BicepFunction.GetSubscriptionResourceId("Microsoft.Authorization/roleDefinitions", KeyVaultBuiltInRole.KeyVaultAdministrator.ToString()));
-        kvMiRoleAssignment.Scope = new IdentifierExpression(keyVaultResource.BicepIdentifier);
-        kvMiRoleAssignment.PrincipalType = RoleManagementPrincipalType.ServicePrincipal;
-        kvMiRoleAssignment.RoleDefinitionId = BicepFunction.GetSubscriptionResourceId("Microsoft.Authorization/roleDefinitions", KeyVaultBuiltInRole.KeyVaultAdministrator.ToString());
-        kvMiRoleAssignment.PrincipalId = infrastructure.Identity.PrincipalId;
-        infrastructure.AddResource(kvMiRoleAssignment);
+        RequiredSystemRoles.Add(keyVaultResource, [(KeyVaultBuiltInRole.GetBuiltInRoleName(KeyVaultBuiltInRole.KeyVaultAdministrator), KeyVaultBuiltInRole.KeyVaultAdministrator.ToString())]);
 
         return keyVaultResource;
     }

sdk/provisioning/Azure.Provisioning.CloudMachine/src/AzureSdkExtensions/OpenAIFeature.cs

@@ -2,7 +2,6 @@
 // Licensed under the MIT License.
 using System;
 using System.Collections.Generic;
-using Azure.Provisioning.Authorization;
 using Azure.Provisioning.CloudMachine;
 using Azure.Provisioning.CognitiveServices;
 using Azure.Provisioning.Primitives;
@@ -14,25 +13,14 @@ internal class OpenAIFeature : CloudMachineFeature
     private List<OpenAIModel> _models = new List<OpenAIModel>();
 
     public OpenAIFeature()
-    {}
+    { }
 
     protected override ProvisionableResource EmitCore(CloudMachineInfrastructure cloudMachine)
     {
         CognitiveServicesAccount cognitiveServices = CreateOpenAIAccount(cloudMachine);
         cloudMachine.AddResource(cognitiveServices);
 
-        cloudMachine.AddResource(cognitiveServices.CreateRoleAssignment(
-            CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor,
-            RoleManagementPrincipalType.User,
-            cloudMachine.PrincipalIdParameter)
-        );
-
-        cloudMachine.AddResource(cloudMachine.CreateRoleAssignment(
-            cognitiveServices,
-            cognitiveServices.Id,
-            CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor,
-            cloudMachine.Identity)
-        );
+        RequiredSystemRoles.Add(cognitiveServices, [(CognitiveServicesBuiltInRole.GetBuiltInRoleName(CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor) ,CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor.ToString())]);
 
         Emitted = cognitiveServices;
 
@@ -52,7 +40,7 @@ protected override ProvisionableResource EmitCore(CloudMachineInfrastructure clo
 
     internal void AddModel(OpenAIModel model)
     {
-        if (model.Account!= null)
+        if (model.Account != null)
         {
             throw new InvalidOperationException("Model already added to an account");
         }

sdk/provisioning/Azure.Provisioning.CloudMachine/src/AzureSdkExtensions/OpenAIModel.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.Diagnostics;
 using Azure.Provisioning.CloudMachine;
 using Azure.Provisioning.CognitiveServices;

sdk/provisioning/Azure.Provisioning.CloudMachine/src/CDKLevel3/CloudMachineCoreFeature.cs

@@ -0,0 +1,206 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using System.Collections.Generic;
+using Azure.Provisioning;
+using Azure.Provisioning.Authorization;
+using Azure.Provisioning.CloudMachine;
+using Azure.Provisioning.EventGrid;
+using Azure.Provisioning.Expressions;
+using Azure.Provisioning.Primitives;
+using Azure.Provisioning.Resources;
+using Azure.Provisioning.ServiceBus;
+using Azure.Provisioning.Storage;
+
+namespace Azure.CloudMachine;
+
+internal class CloudMachineCoreFeature : CloudMachineFeature
+{
+    public CloudMachineCoreFeature()
+    { }
+    protected override ProvisionableResource EmitCore(CloudMachineInfrastructure infrastructure)
+    {
+        ManagedServiceIdentity managedServiceIdentity = new()
+        {
+            ManagedServiceIdentityType = ManagedServiceIdentityType.UserAssigned,
+            UserAssignedIdentities = { { BicepFunction.Interpolate($"{infrastructure.Identity.Id}").Compile().ToString(), new UserAssignedIdentityDetails() } }
+        };
+
+        var _storage =
+            new StorageAccount("cm_storage", StorageAccount.ResourceVersions.V2023_01_01)
+            {
+                Kind = StorageKind.StorageV2,
+                Sku = new StorageSku { Name = StorageSkuName.StandardLrs },
+                IsHnsEnabled = true,
+                AllowBlobPublicAccess = false
+            };
+        _storage.Identity = managedServiceIdentity;
+        _storage.Name = infrastructure.Id;
+
+        var _blobs = new BlobService("cm_storage_blobs")
+        {
+            Parent = _storage,
+        };
+        var _container = new BlobContainer("cm_storage_blobs_container", "2023-01-01")
+        {
+            Parent = _blobs,
+            Name = "default"
+        };
+
+        var _serviceBusNamespace = new ServiceBusNamespace("cm_servicebus")
+        {
+            Sku = new ServiceBusSku
+            {
+                Name = ServiceBusSkuName.Standard,
+                Tier = ServiceBusSkuTier.Standard
+            },
+            Name = infrastructure.Id,
+        };
+        var _serviceBusNamespaceAuthorizationRule = new ServiceBusNamespaceAuthorizationRule("cm_servicebus_auth_rule", "2021-11-01")
+        {
+            Parent = _serviceBusNamespace,
+            Rights = [ServiceBusAccessRight.Listen, ServiceBusAccessRight.Send, ServiceBusAccessRight.Manage]
+        };
+        var _serviceBusTopic_private = new ServiceBusTopic("cm_servicebus_topic_private", "2021-11-01")
+        {
+            Name = "cm_servicebus_topic_private",
+            Parent = _serviceBusNamespace,
+            MaxMessageSizeInKilobytes = 256,
+            DefaultMessageTimeToLive = TimeSpan.FromDays(14),
+            RequiresDuplicateDetection = false,
+            EnableBatchedOperations = true,
+            SupportOrdering = true,
+            Status = ServiceBusMessagingEntityStatus.Active
+        };
+        var _serviceBusSubscription_private = new ServiceBusSubscription(CloudMachineInfrastructure.SB_PRIVATE_SUB, "2021-11-01")
+        {
+            Name = CloudMachineInfrastructure.SB_PRIVATE_SUB,
+            Parent = _serviceBusTopic_private,
+            IsClientAffine = false,
+            LockDuration = TimeSpan.FromSeconds(30),
+            RequiresSession = false,
+            DefaultMessageTimeToLive = TimeSpan.FromDays(14),
+            DeadLetteringOnFilterEvaluationExceptions = true,
+            DeadLetteringOnMessageExpiration = true,
+            MaxDeliveryCount = 10,
+            EnableBatchedOperations = true,
+            Status = ServiceBusMessagingEntityStatus.Active
+        };
+        var _serviceBusTopic_default = new ServiceBusTopic("cm_servicebus_topic_default", "2021-11-01")
+        {
+            Name = "cm_servicebus_default_topic",
+            Parent = _serviceBusNamespace,
+            MaxMessageSizeInKilobytes = 256,
+            DefaultMessageTimeToLive = TimeSpan.FromDays(14),
+            RequiresDuplicateDetection = false,
+            EnableBatchedOperations = true,
+            SupportOrdering = true,
+            Status = ServiceBusMessagingEntityStatus.Active
+        };
+        var _serviceBusSubscription_default = new ServiceBusSubscription("cm_servicebus_subscription_default", "2021-11-01")
+        {
+            Name = "cm_servicebus_subscription_default",
+            Parent = _serviceBusTopic_default,
+            IsClientAffine = false,
+            LockDuration = TimeSpan.FromSeconds(30),
+            RequiresSession = false,
+            DefaultMessageTimeToLive = TimeSpan.FromDays(14),
+            DeadLetteringOnFilterEvaluationExceptions = true,
+            DeadLetteringOnMessageExpiration = true,
+            MaxDeliveryCount = 10,
+            EnableBatchedOperations = true,
+            Status = ServiceBusMessagingEntityStatus.Active
+        };
+        var _eventGridTopic_blobs = new SystemTopic("cm_eventgrid_topic_blob", "2022-06-15")
+        {
+            TopicType = "Microsoft.Storage.StorageAccounts",
+            Source = _storage.Id,
+            Identity = new()
+            {
+                ManagedServiceIdentityType = ManagedServiceIdentityType.UserAssigned,
+                UserAssignedIdentities = { { BicepFunction.Interpolate($"{infrastructure.Identity.Id}").Compile().ToString(), new UserAssignedIdentityDetails() } }
+            },
+            Name = infrastructure.Id
+        };
+        var _eventGridSubscription_blobs = new SystemTopicEventSubscription("cm_eventgrid_subscription_blob", "2022-06-15")
+        {
+            Name = "cm-eventgrid-subscription-blob",
+            Parent = _eventGridTopic_blobs,
+            DeliveryWithResourceIdentity = new DeliveryWithResourceIdentity
+            {
+                Identity = new EventSubscriptionIdentity
+                {
+                    IdentityType = EventSubscriptionIdentityType.UserAssigned,
+                    UserAssignedIdentity = infrastructure.Identity.Id
+                },
+                Destination = new ServiceBusTopicEventSubscriptionDestination
+                {
+                    ResourceId = _serviceBusTopic_private.Id
+                }
+            },
+            Filter = new EventSubscriptionFilter
+            {
+                IncludedEventTypes =
+                [
+                    "Microsoft.Storage.BlobCreated",
+                    "Microsoft.Storage.BlobDeleted",
+                    "Microsoft.Storage.BlobRenamed"
+                ],
+                IsAdvancedFilteringOnArraysEnabled = true
+            },
+            EventDeliverySchema = EventDeliverySchema.EventGridSchema,
+            RetryPolicy = new EventSubscriptionRetryPolicy
+            {
+                MaxDeliveryAttempts = 30,
+                EventTimeToLiveInMinutes = 1440
+            }
+        };
+
+        infrastructure.AddResource(infrastructure.PrincipalIdParameter);
+        infrastructure.AddResource(infrastructure.Identity);
+        infrastructure.AddResource(_storage);
+        RequiredSystemRoles.Add(
+            _storage,
+            [
+                (StorageBuiltInRole.GetBuiltInRoleName(StorageBuiltInRole.StorageBlobDataContributor),StorageBuiltInRole.StorageBlobDataContributor.ToString()),
+                (StorageBuiltInRole.GetBuiltInRoleName(StorageBuiltInRole.StorageTableDataContributor), StorageBuiltInRole.StorageTableDataContributor.ToString())
+            ]);
+
+        infrastructure.AddResource(_container);
+        infrastructure.AddResource(_blobs);
+        infrastructure.AddResource(_serviceBusNamespace);
+
+        RequiredSystemRoles.Add(
+            _serviceBusNamespace,
+            [
+                (ServiceBusBuiltInRole.GetBuiltInRoleName(ServiceBusBuiltInRole.AzureServiceBusDataOwner), ServiceBusBuiltInRole.AzureServiceBusDataOwner.ToString()),
+            ]);
+
+        var role = ServiceBusBuiltInRole.AzureServiceBusDataSender;
+        RoleAssignment roleAssignment = new RoleAssignment("cm_servicebus_role");
+        roleAssignment.Name = BicepFunction.CreateGuid(_serviceBusNamespace.Id, infrastructure.Identity.Id, BicepFunction.GetSubscriptionResourceId("Microsoft.Authorization/roleDefinitions", role.ToString()));
+        roleAssignment.Scope = new IdentifierExpression(_serviceBusNamespace.BicepIdentifier);
+        roleAssignment.PrincipalType = RoleManagementPrincipalType.ServicePrincipal;
+        roleAssignment.RoleDefinitionId = BicepFunction.GetSubscriptionResourceId("Microsoft.Authorization/roleDefinitions", role.ToString());
+        roleAssignment.PrincipalId = infrastructure.Identity.PrincipalId;
+        infrastructure.AddResource(roleAssignment);
+
+        // the role assignment must exist before the system topic event subscription is created.
+        _eventGridSubscription_blobs.DependsOn.Add(roleAssignment);
+
+        infrastructure.AddResource(_serviceBusNamespaceAuthorizationRule);
+        infrastructure.AddResource(_serviceBusTopic_private);
+        infrastructure.AddResource(_serviceBusTopic_default);
+        infrastructure.AddResource(_serviceBusSubscription_private);
+        infrastructure.AddResource(_serviceBusSubscription_default);
+        infrastructure.AddResource(_eventGridSubscription_blobs);
+        infrastructure.AddResource(_eventGridTopic_blobs);
+
+        // Placeholders for now.
+        infrastructure.AddResource(new ProvisioningOutput($"storage_name", typeof(string)) { Value = _storage.Name });
+        infrastructure.AddResource(new ProvisioningOutput($"servicebus_name", typeof(string)) { Value = _serviceBusNamespace.Name });
+
+        return _storage;
+    }
+}

sdk/provisioning/Azure.Provisioning.CloudMachine/src/CDKLevel3/CloudMachineFeature.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System.Collections.Generic;
 using System.ComponentModel;
 using Azure.CloudMachine;
 using Azure.Provisioning.Primitives;
@@ -15,7 +16,8 @@ public abstract class CloudMachineFeature
     [EditorBrowsable(EditorBrowsableState.Never)]
     public void Emit(CloudMachineInfrastructure cm)
     {
-        if (Emitted != null) return;
+        if (Emitted != null)
+            return;
         ProvisionableResource provisionable = EmitCore(cm);
         Emitted = provisionable;
     }
@@ -24,4 +26,6 @@ public void Emit(CloudMachineInfrastructure cm)
 
     [EditorBrowsable(EditorBrowsableState.Never)]
     public ProvisionableResource Emitted { get; protected set; } = default!;
+
+    protected internal Dictionary<Provisionable, (string RoleName, string RoleId)[]> RequiredSystemRoles { get; } = [];
 }