fix: Adding permission management for BYO networks #450 (#477)

* Adding permission management for BYO networks #450

Signed-off-by: frozentank <[email protected]>

* Reversing check that looks for when BYO networks are being used.

Signed-off-by: frozentank <[email protected]>

---------

Signed-off-by: frozentank <[email protected]>
Co-authored-by: Chris Miller <[email protected]>

Author: frozentank

docs/CONFIG-VARS.md

@@ -177,6 +177,7 @@ Note: All of the following resources are expected to be in the Resource Group se
 | subnet_names | Existing subnets mapped to desired usage. | map(string) | null | Only required if deploying into existing subnets. See the example that follows. |
 | nsg_name | Name of pre-existing network security group. | string | null | Only required if deploying into existing NSG. |
 | aks_uai_name | Name of existing User Assigned Identity for the cluster | string | null | This Identity will need permissions as listed in [AKS Cluster Identity Permissions](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#aks-cluster-identity-permissions) and [Additional Cluster Identity Permissions](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#additional-cluster-identity-permissions). Alternatively, use can use the [Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor) role for this Identity. |
+| msi_network_roles | Roles that will be assigned to the vnet and route table | list of strings | ["Network Contributor"] | This field will only be used in the event that the User Assigned Identity is created by IaC. If this case the authenticating identity used to run Terraform must have [Permissions for Assigning Roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#prerequisites) scoped to the vnet and route table. |
 
 Example for the `subnet_names` variable:
 

docs/user/BYOnetwork.md

@@ -35,9 +35,9 @@ values set by the [`vm_public_access_cidrs`/`postgres_public_access_cidrs`](../C
 ## Cluster Identity
 
 When creating an AKS cluster, Azure associates an Identity with the cluster. Any resources created on behalf of the cluster (e.g. VMs for the Node Pools etc.) will use the permissions associated with that Identity.
-By default, an Identity with the same permissions as the [Identity used for  authenticating to the Terraform script](TerraformAzureAuthentication.md) will be used. You can choose to use the Service Principal directly (if used), or bring your own User Assigned Identity, depending on the setting of the  [`aks_identity`](../CONFIG-VARS.md#general) variable.
+By default, an Identity with the same permissions as the [Identity used for  authenticating to the Terraform script](TerraformAzureAuthentication.md) will be used. However, the new Identity may not have the same scope as the authenticating Identity. You can choose to use the Service Principal directly (if used), or bring your own User Assigned Identity, depending on the setting of the  [`aks_identity`](../CONFIG-VARS.md#general) variable. 
 
-When providing your own networking, the AKS cluster identity will need write access to the aks subnet and the associated routing table.
+When providing your own networking, the AKS cluster identity will need write access to the aks subnet and the associated routing table. If an alternate identity is not provided then the resulting identity will have permissions assigned to the networking components directly (by default Network Contributor). This will require your authenticating identity to have [Permissions for Assigning Roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#prerequisites).
 
 See [AKS Cluster Identity Permissions](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#aks-cluster-identity-permissions) and [Additional Cluster Identity Permissions](https://docs.microsoft.com/en-us/azure/aks/concepts-identity#additional-cluster-identity-permissions) for details.
 

locals.tf

@@ -64,6 +64,14 @@ locals {
     : null
   )
 
+  aks_uai_principal_id = (var.aks_identity == "uai"
+    ? (var.aks_uai_name == null
+      ? azurerm_user_assigned_identity.uai[0].principal_id
+      : data.azurerm_user_assigned_identity.uai[0].principal_id
+    )
+    : null
+  )
+  
   cluster_egress_type = (var.cluster_egress_type == null
     ? (var.egress_public_ip_name == null
       ? "loadBalancer"

main.tf

@@ -87,6 +87,9 @@ module "vnet" {
   resource_group_name = local.network_rg.name
   location            = var.location
   subnets             = local.subnets
+  roles               = var.msi_network_roles
+  aks_uai_principal_id = local.aks_uai_principal_id
+  add_uai_permissions = (var.aks_uai_name == null)
   existing_subnets    = var.subnet_names
   address_space       = [var.vnet_address_space]
   tags                = var.tags

modules/azurerm_vnet/main.tf

@@ -58,3 +58,16 @@ resource "azurerm_subnet" "subnet" {
   depends_on = [data.azurerm_virtual_network.vnet, azurerm_virtual_network.vnet]
 }
 
+resource "azurerm_role_assignment" "existing_network_assignment" {
+    count = length(var.existing_subnets) == 0 ? 0 : (var.add_uai_permissions ? length(var.roles) : 0)
+    scope = data.azurerm_subnet.subnet["aks"].route_table_id
+    role_definition_name = var.roles[count.index]
+    principal_id = var.aks_uai_principal_id
+}
+
+resource "azurerm_role_assignment" "existing_vnet_assignment" {
+  count = var.name != null ? (var.add_uai_permissions ? length(var.roles) : 0) : 0
+  scope = data.azurerm_virtual_network.vnet[0].id
+  role_definition_name = var.roles[count.index]
+  principal_id = var.aks_uai_principal_id
+}

modules/azurerm_vnet/variables.tf

@@ -61,3 +61,20 @@ variable "tags" {
   description = "The tags to associate with your network and subnets."
   type        = map(string)
 }
+
+variable "roles" {
+    description = "Managed Identity permissions for VNet and Route Table"
+    type = list(string)
+    default = ["Network Contributor"]
+}
+
+variable "aks_uai_principal_id" {
+  description = "Managed Identity Principal ID used to associate permissions to network and route table"
+  type = string
+}
+
+variable "add_uai_permissions" {
+  description = "True if we should add roles to network objects"
+  default = false
+  type = bool
+}

variables.tf

@@ -30,6 +30,12 @@ variable "use_msi" {
   default     = false
 }
 
+variable "msi_network_roles" {
+    description = "Managed Identity permissions for VNet and Route Table"
+    type = list(string)
+    default = ["Network Contributor"]
+}
+
 variable "iac_tooling" {
   description = "Value used to identify the tooling used to generate this providers infrastructure."
   type        = string