Add RBAC role assignment support for resource group security

• Add RoleAssignmentTask to assign RBAC roles to Azure resources in a resource group
• Extract ServicePrincipalResolver to resolve object ID from client credentials, shared by RoleAssignmentTask and KeyVaultTasks
• Add ResourceSecurityInstallJob to assign Reader role to the runtime account
• Integrate ResourceSecurityInstallJob into SolutionInstaller, continuing on failure
• Add Azure.ResourceManager.Authorization package dependency

Author: sambetts

src/AnalyticsEngine/App.ControlPanel.Engine/App.ControlPanel.Engine.csproj

@@ -78,6 +78,7 @@
     <Compile Include="InstallerTasks\JobTasks\AutomationAccountTask.cs" />
     <Compile Include="ConfigureAzureComponentsTasks.cs" />
     <Compile Include="InstallerTasks\JobTasks\RunbookCreateOrUpdateTasks.cs" />
+    <Compile Include="InstallerTasks\ResourceSecurityInstallJob.cs" />
     <Compile Include="InstallerTasks\RunbooksInstallJob.cs" />
     <Compile Include="Models\AzStorageConnectionInfo.cs" />
     <Compile Include="SolutionUninstaller.cs" />

src/AnalyticsEngine/App.ControlPanel.Engine/InstallerTasks/AzurePaaSInstallJob.cs

@@ -21,6 +21,7 @@ namespace App.ControlPanel.Engine.InstallerTasks
     /// </summary>
     public class AzurePaaSInstallJob : BaseAnalyticsSolutionInstallJob
     {
+        private readonly GetOrCreateResourceGroupTask _rgCreateTask;
         private readonly AutomationAccountTask _automationAccountTask;
 
         private readonly SqlServerTask _sqlServerTask;
@@ -44,6 +45,12 @@ public class AzurePaaSInstallJob : BaseAnalyticsSolutionInstallJob
         /// </summary>
         public AzurePaaSInstallJob(ILogger logger, SolutionInstallConfig config, SubscriptionResource subscription) : base(logger, config, subscription)
         {
+
+            var tagDic = config.Tags.ToDictionary();
+
+            _rgCreateTask = new GetOrCreateResourceGroupTask(TaskConfig.GetConfigForName(config.ResourceGroupName), logger, Location, tagDic, subscription);
+            this.AddTask(_rgCreateTask);
+
             // Performance levels
             var appPerfTier = AppServicePlanTask.PERF_TIER_BASIC1;
             var sqlPerfTier = SqlDatabaseTask.PERF_TIER_BASIC;
@@ -54,8 +61,6 @@ public AzurePaaSInstallJob(ILogger logger, SolutionInstallConfig config, Subscri
                 appPerfTier = AppServicePlanTask.PERF_TIER_BASIC2;
             }
 
-            var tagDic = config.Tags.ToDictionary();
-
             // Web 
             var appServicePlanConfig = TaskConfig.GetConfigForName(config.AppServiceWebAppName).AddSetting(AppServicePlanTask.CONFIG_KEY_PERF_TIER, appPerfTier);
             _appServicePlanTask = new AppServicePlanTask(appServicePlanConfig, logger, Location, tagDic);

src/AnalyticsEngine/App.ControlPanel.Engine/InstallerTasks/ResourceSecurityInstallJob.cs

@@ -0,0 +1,34 @@
+using Azure.ResourceManager.Authorization;
+using Azure.ResourceManager.Resources;
+using CloudInstallEngine;
+using CloudInstallEngine.Azure.InstallTasks;
+using Common.Entities.Installer;
+using Microsoft.Extensions.Logging;
+
+namespace App.ControlPanel.Engine.InstallerTasks
+{
+    /// <summary>
+    /// Secures resources in the resource group by assigning RBAC roles.
+    /// </summary>
+    public class ResourceSecurityInstallJob : BaseAnalyticsSolutionInstallJob
+    {
+        private readonly RoleAssignmentTask _appInsightsReaderRoleTask;
+
+        public ResourceSecurityInstallJob(ILogger logger, SolutionInstallConfig config, SubscriptionResource subscription) : base(logger, config, subscription)
+        {
+            var tagDic = config.Tags.ToDictionary();
+
+            // Assign Reader role to the runtime account on the resource group (covers App Insights and all resources)
+            var readerRoleConfig = TaskConfig.GetConfigForPropAndVal(RoleAssignmentTask.CONFIG_KEY_ROLE_NAME, "Reader")
+                .AddSetting(RoleAssignmentTask.CONFIG_KEY_CLIENT_ID, config.RuntimeAccountOffice365.ClientId)
+                .AddSetting(RoleAssignmentTask.CONFIG_KEY_CLIENT_SECRET, config.RuntimeAccountOffice365.Secret)
+                .AddSetting(RoleAssignmentTask.CONFIG_KEY_TENANT_ID, config.RuntimeAccountOffice365.DirectoryId)
+                .AddSetting(RoleAssignmentTask.CONFIG_KEY_PRINCIPAL_TYPE, "ServicePrincipal");
+
+            _appInsightsReaderRoleTask = new RoleAssignmentTask(readerRoleConfig, logger, Location, tagDic);
+            this.AddTask(_appInsightsReaderRoleTask);
+        }
+
+        public RoleAssignmentResource AppInsightsReaderRole => GetTaskResult<RoleAssignmentResource>(_appInsightsReaderRoleTask);
+    }
+}

src/AnalyticsEngine/App.ControlPanel.Engine/SolutionInstaller.cs

@@ -48,6 +48,17 @@ public async Task InstallOrUpdate()
                 var azureBackeEndCreationJob = new AzurePaaSInstallJob(_logger, Config, azureSub);
                 await azureBackeEndCreationJob.Install();
 
+                // Secure resources with RBAC roles
+                try
+                {
+                    var resourceSecurityJob = new ResourceSecurityInstallJob(_logger, Config, azureSub);
+                    await resourceSecurityJob.Install();
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogError($"Failed to assign RBAC roles: {ex.Message}. Continuing installation...");
+                }
+
                 // Run stuff now everything in Azure is created
                 var tasks = new ConfigureAzureComponentsTasks(Config, _logger, _ftpConfig, InstalledByUsername, _softwareConfig, _configPassword);
                 await tasks.RunPostCreatePaaSTasks(

src/AnalyticsEngine/Common/CloudInstallEngine/Azure/InstallTasks/KeyVaultTasks.cs

@@ -9,7 +9,6 @@
 using Microsoft.Extensions.Logging;
 using System;
 using System.Collections.Generic;
-using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
 using System.Threading.Tasks;
 
@@ -109,18 +108,10 @@ protected async Task AddPolicyForConfiguredRuntimeAccount(KeyVaultResource vault
             _logger.LogInformation($"Adding Azure AD application with client ID '{clientId}' to key vault {vaultResource.Data.Name} for secret read & list; certificate read");
 
             // Extract object Id by getting a token from the credentials passed
-            var creds = new ClientSecretCredential(tenantId.ToString(), clientId, secret);
-            var credTokenResponse = await creds.GetTokenAsync(new TokenRequestContext(new string[] { "https://management.core.windows.net/.default" }, null));
-            var handler = new JwtSecurityTokenHandler();
-            var jwtSecurityToken = handler.ReadJwtToken(credTokenResponse.Token);
-            var objectId = jwtSecurityToken.Claims.Where(c => c.Type == "oid").FirstOrDefault();
-            if (objectId == null)
-            {
-                throw new InstallException($"No object ID found for client credentials");
-            }
-            _logger.LogInformation($"Detected client ID '{clientId}' has object ID '{objectId.Value}'");
+            var objectIdValue = await ServicePrincipalResolver.GetObjectIdFromClientCredentials(tenantId.ToString(), clientId, secret);
+            _logger.LogInformation($"Detected client ID '{clientId}' has object ID '{objectIdValue}'");
 
-            await AddPolicyForConfiguredAccount(vaultResource, tenantId, objectId.Value, secretPerms, certPerms);
+            await AddPolicyForConfiguredAccount(vaultResource, tenantId, objectIdValue, secretPerms, certPerms);
         }
 
         protected Guid TenantGuidFromConfig()

src/AnalyticsEngine/Common/CloudInstallEngine/Azure/InstallTasks/ResourceGroupTask.cs

@@ -29,7 +29,7 @@ public ResourceGroupContainerLoader(TaskConfig config, ILogger logger, Subscript
         public override async Task<ResourceGroupResource> ExecuteTaskReturnResult(object contextArg)
         {
             var rgTask = new GetOrCreateResourceGroupTask(_config, _logger, _location, _tags, _subscription);
-            var rg = await rgTask.GetOrCreateResourceGroup(true);
+            var rg = await rgTask.GetOrCreateResourceGroup(true, false);
 
             return rg;
         }
@@ -53,10 +53,10 @@ public GetOrCreateResourceGroupTask(TaskConfig config, ILogger logger, AzureLoca
 
         public override async Task<object> ExecuteTask(object contextArg)
         {
-            return await GetOrCreateResourceGroup(true);
+            return await GetOrCreateResourceGroup(true, true);
         }
 
-        public async Task<ResourceGroupResource> GetOrCreateResourceGroup(bool createIfNotExists)
+        public async Task<ResourceGroupResource> GetOrCreateResourceGroup(bool createIfNotExists, bool verboseLogging)
         {
             var resourceGroups = _subscription.GetResourceGroups();
             ResourceGroupResource resourceGroup = null;
@@ -71,7 +71,10 @@ public async Task<ResourceGroupResource> GetOrCreateResourceGroup(bool createIfN
 
             if (resourceGroup != null)
             {
-                _logger.LogInformation($"Have already resource-group '{_config.ResourceName}'.");
+                if (verboseLogging)
+                {
+                    _logger.LogInformation($"Have already resource-group '{_config.ResourceName}'.");
+                }
                 if (createIfNotExists)
                 {
                     await base.EnsureTagsOnExisting(resourceGroup.Data.Tags, _tags, resourceGroup.GetTagResource());
@@ -82,18 +85,25 @@ public async Task<ResourceGroupResource> GetOrCreateResourceGroup(bool createIfN
             // Create
             if (createIfNotExists)
             {
-                Console.WriteLine($"Creating resource-group '{_config.ResourceName}'...");
+                if (verboseLogging)
+                {
+                    Console.WriteLine($"Creating resource-group '{_config.ResourceName}'...");
+                }
 
                 var resourceGroupData = new ResourceGroupData(_location);
                 base.EnsureTagsOnNew(resourceGroupData.Tags, _tags);
                 var operation = await resourceGroups.CreateOrUpdateAsync(WaitUntil.Completed, _config.ResourceName, resourceGroupData);
 
                 _logger.LogInformation($"Created resource-group '{_config.ResourceName}'.");
+
                 return operation.Value;
             }
             else
             {
-                _logger.LogInformation($"Can't find resource-group '{_config.ResourceName}', but no errors in calling Azure APIs.");
+                if (verboseLogging)
+                {
+                    _logger.LogInformation($"Can't find resource-group '{_config.ResourceName}', but no errors in calling Azure APIs.");
+                }
                 return null;
             }
 

src/AnalyticsEngine/Common/CloudInstallEngine/Azure/InstallTasks/RoleAssignmentTask.cs

@@ -0,0 +1,92 @@
+using Azure;
+using Azure.Core;
+using Azure.ResourceManager.Authorization;
+using Azure.ResourceManager.Authorization.Models;
+using CloudInstallEngine.Models;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace CloudInstallEngine.Azure.InstallTasks
+{
+    /// <summary>
+    /// Assigns an RBAC role to an Azure resource within a resource group.
+    /// </summary>
+    public class RoleAssignmentTask : InstallTaskInAzResourceGroup<RoleAssignmentResource>
+    {
+        public const string CONFIG_KEY_ROLE_NAME = "roleName";
+        public const string CONFIG_KEY_PRINCIPAL_TYPE = "principalType";
+        public const string CONFIG_KEY_CLIENT_ID = "clientId";
+        public const string CONFIG_KEY_CLIENT_SECRET = "clientSecret";
+        public const string CONFIG_KEY_TENANT_ID = "tenantId";
+
+        public RoleAssignmentTask(TaskConfig config, ILogger logger, AzureLocation azureLocation, Dictionary<string, string> tags)
+            : base(config, logger, azureLocation, tags)
+        {
+        }
+
+        public override string TaskName => "assign RBAC role";
+
+        public override async Task<RoleAssignmentResource> ExecuteTaskReturnResult(object contextArg)
+        {
+            var roleName = _config.GetConfigValue(CONFIG_KEY_ROLE_NAME);
+            var clientId = _config.GetConfigValue(CONFIG_KEY_CLIENT_ID);
+            var clientSecret = _config.GetConfigValue(CONFIG_KEY_CLIENT_SECRET);
+            var tenantId = _config.GetConfigValue(CONFIG_KEY_TENANT_ID);
+
+            // Resolve the service principal object ID from client credentials
+            var objectIdStr = await ServicePrincipalResolver.GetObjectIdFromClientCredentials(tenantId, clientId, clientSecret);
+            _logger.LogInformation($"Resolved client ID '{clientId}' to object ID '{objectIdStr}'");
+
+            if (!Guid.TryParse(objectIdStr, out var principalId))
+            {
+                throw new InstallException($"Invalid object ID '{objectIdStr}' resolved for client ID '{clientId}'");
+            }
+
+            // Find role definition by name on the resource group scope
+            var scope = Container.Id;
+            AuthorizationRoleDefinitionResource roleDefinition = null;
+            foreach (var rd in Container.GetAuthorizationRoleDefinitions())
+            {
+                if (string.Equals(rd.Data.RoleName, roleName, StringComparison.OrdinalIgnoreCase))
+                {
+                    roleDefinition = rd;
+                    break;
+                }
+            }
+            if (roleDefinition == null)
+            {
+                throw new InstallException($"Role definition '{roleName}' not found on scope '{scope}'");
+            }
+
+            // Check for existing assignment
+            foreach (var existing in Container.GetRoleAssignments())
+            {
+                if (existing.Data.PrincipalId == principalId &&
+                    existing.Data.RoleDefinitionId == roleDefinition.Id)
+                {
+                    _logger.LogInformation($"Role '{roleName}' already assigned to principal '{principalId}'.");
+                    return existing;
+                }
+            }
+
+            // Create new role assignment
+            _logger.LogInformation($"Assigning role '{roleName}' to principal '{principalId}'...");
+            var roleAssignmentId = Guid.NewGuid().ToString();
+            var content = new RoleAssignmentCreateOrUpdateContent(roleDefinition.Id, principalId);
+
+            if (_config.ContainsKey(CONFIG_KEY_PRINCIPAL_TYPE))
+            {
+                content.PrincipalType = new RoleManagementPrincipalType(_config.GetConfigValue(CONFIG_KEY_PRINCIPAL_TYPE));
+            }
+
+            var result = await Container.GetRoleAssignments().CreateOrUpdateAsync(
+                WaitUntil.Completed, roleAssignmentId, content);
+
+            _logger.LogInformation($"Role '{roleName}' assigned successfully.");
+            return result.Value;
+        }
+    }
+}

src/AnalyticsEngine/Common/CloudInstallEngine/Azure/ResourceGroupTestOnlyInstallJob.cs

@@ -24,7 +24,7 @@ public override async Task Install()
             var t = new GetOrCreateResourceGroupTask(TaskConfig.GetConfigForName(ResourceGroupName), Logger, Location, new Dictionary<string, string>(), _subscription);
 
             // Remember group found
-            _resourceGroupFound = await t.GetOrCreateResourceGroup(false);
+            _resourceGroupFound = await t.GetOrCreateResourceGroup(false, true);
         }
 
         public ResourceGroupResource ResourceGroupFound => _resourceGroupFound;

src/AnalyticsEngine/Common/CloudInstallEngine/Azure/ServicePrincipalResolver.cs

@@ -0,0 +1,32 @@
+using Azure.Core;
+using Azure.Identity;
+using CloudInstallEngine.Models;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace CloudInstallEngine.Azure
+{
+    /// <summary>
+    /// Resolves the Entra ID object ID (service principal) from app registration client credentials.
+    /// </summary>
+    public static class ServicePrincipalResolver
+    {
+        /// <summary>
+        /// Gets the object ID of a service principal by authenticating with client credentials and reading the "oid" claim from the resulting JWT.
+        /// </summary>
+        public static async Task<string> GetObjectIdFromClientCredentials(string tenantId, string clientId, string clientSecret)
+        {
+            var creds = new ClientSecretCredential(tenantId, clientId, clientSecret);
+            var credTokenResponse = await creds.GetTokenAsync(new TokenRequestContext(new string[] { "https://management.core.windows.net/.default" }, null));
+            var handler = new JwtSecurityTokenHandler();
+            var jwtSecurityToken = handler.ReadJwtToken(credTokenResponse.Token);
+            var objectIdClaim = jwtSecurityToken.Claims.Where(c => c.Type == "oid").FirstOrDefault();
+            if (objectIdClaim == null)
+            {
+                throw new InstallException("No object ID found in token for the given client credentials");
+            }
+            return objectIdClaim.Value;
+        }
+    }
+}

src/AnalyticsEngine/Common/CloudInstallEngine/CloudInstallEngine.csproj

@@ -7,6 +7,7 @@
   <ItemGroup>
     <PackageReference Include="Azure.Identity" Version="1.11.4" />
     <PackageReference Include="Azure.ResourceManager.AppService" Version="1.0.0" />
+    <PackageReference Include="Azure.ResourceManager.Authorization" Version="1.1.0" />
     <PackageReference Include="Azure.ResourceManager.CognitiveServices" Version="1.2.0" />
     <PackageReference Include="Azure.ResourceManager.KeyVault" Version="1.1.0" />
     <PackageReference Include="Azure.ResourceManager.OperationalInsights" Version="1.1.0" />