Previously Azure VMs didn't have an identity attached at creation, which
meant they couldn't perform actions requiring authentication via the
Azure metadata server.
As some roachtests require access to an Azure storage container to pull
and push fixtures, a User Managed Identity will now be assigned to the
VMs at creation in order to simplify the credentials management.
One `rp-roachtest` UMI has been created in each subscription used to run
roachtests. These UMIs have been assigned a `roachtest` role that grants
blob management in Azure storage containers in the same subscription.
Since VMs are only attached a single identity, this is compatible with
`DefaultAzureCredential` without specifying any other credentials.
The subscription scope ensures that no test-production fixtures will be
created or updated during test development (in the `Sponsorship` sub),
and that the nightly tests triggered from TeamCity (in the `e2e-infra`
sub) will always be isolated.
This requires the creation of one storage account per subscription
roachtests are triggered on, and will require the tests to implement
logic to determine the storage account to use based on the current
subscription ID, which can be accessed via the `AZURE_SUBSCRIPTION_ID`
environment variable.
Epic: none
Release note: None