Add a user and rg to box in ASO

Jaykul · Jaykul · commit 088935da8315 · 2025-04-13T14:42:07.000-04:00
diff --git a/Cluster.bicep b/Cluster.bicep
@@ -381,6 +381,28 @@ module iam_flux_crypto 'modules/resourceRoleAssignment.bicep' = {
   }
 }
 
+module rg 'modules/resourceGroup.bicep' = {
+    scope: subscription()
+    params: {
+        name: '${resourceGroup().name}-aso'
+        location: location
+        tags: tags
+    }
+}
+
+module aso 'modules/azureServiceOperator.bicep' = {
+    name: '${deploymentName}_aso'
+    scope: resourceGroup('${resourceGroup().name}-aso')
+    params: {
+        deploymentNamePrefix: take(deploymentName, 47)
+        baseName: 'aso'
+        location: rg.outputs.location
+        tags: tags
+        oidcIssuerUrl: aks.outputs.oidcIssuerUrl
+    }
+}
+
+
 // @description('Flux release namespace')
 // output fluxReleaseNamespace string = flux.outputs.fluxReleaseNamespace
 
diff --git a/README.md b/README.md
@@ -4,6 +4,10 @@ This repo has a full bicep deployment for a Kubernetes Cluster, including a gith
 
 I've written my own templates for deploying AKS in [Azure Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview), and I've been maintaining them for a number of years at this point. They are relatively opinionated as to what features I use, and I last overhauled them completely in early 2024. I'm still maintaining them, and doing clean deploys as of March 2024. If you're not interested in my infrastructure code, but want to deploy Kubernetes to Azure, you should consider the [AKS Construction](https://azure.github.io/AKS-Construction/) as an alternative. There are also AKS templates in the [Azure Quickstart Templates](https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/aks/), although those are relatively simplistic -- fine for a test case or demo, but perhaps not for your production cluster.
 
+## NOTE
+
+    I'm testing some things with the Azure Service Operator, and for right now, this bicep creates a third resource group (i.e. if you create 'rg-poshcode' in Azure, AKS will create 'rg-poshcode-aks' and the bicep will create 'rg-poshcode-aso' to _contain_ the Azure Service Operator). That way it's creating a user assigned identity for the Azure Service Operator to use which has `Contributor` access just to the -aso resource group.
+
 ## Azure Prerequisites
 
 These pre-requisites are not part of the CI/CD build, because they only have to be done once, but the [Initialize-Azure](./Initialize-Azure.ps1) script is essentially idempotent and re-runnable.
diff --git a/modules/azureServiceOperator.bicep b/modules/azureServiceOperator.bicep
@@ -0,0 +1,43 @@
+targetScope = 'resourceGroup'
+
+// *** This template deploys the cluster for poshcode.org. See README.md before making changes ***
+@description('Required. The AKS OIDC IssuerUrl')
+param oidcIssuerUrl string
+
+@description('Optional. This template deploys the cluster for poshcode.org. See README.md before making changes')
+param baseName string = 'aso'
+
+@description('Optional. The location to deploy. Defaults to resourceGroup().location')
+param location string = resourceGroup().location
+
+@description('Optional. Tags for the resource. Defaults to resourceGroup().tags')
+param tags object = resourceGroup().tags
+
+// 64 is the max deployment name, and the longest name in our sub-deployments is 17 characters, 64-17 = 47
+@description('Optional. Provide unique deployment name prefix for the module references. Defaults to take(deploymentName().name, 47)')
+@maxLength(47)
+param deploymentNamePrefix string = take(deployment().name, 64-17)
+
+
+module asoId 'userAssignedIdentity.bicep' = {
+  name: '${deploymentNamePrefix}_uai_asoId'
+  params: {
+    baseName: baseName
+    location: location
+    tags: tags
+    federatedIdentitySubjectIssuerDictionary: {
+      // For creating Azure resources
+      'system:serviceaccount:azure:operator': oidcIssuerUrl
+    }
+  }
+}
+
+
+module iam_azure_owner 'resourceRoleAssignment.bicep' = {
+  name: '${deploymentNamePrefix}_iam_aso_operator'
+  params: {
+    principalIds: [ asoId.outputs.principalId ]
+    resourceId: asoId.outputs.id
+    roleName: 'Contributor'
+  }
+}
diff --git a/modules/resourceGroup.bicep b/modules/resourceGroup.bicep
@@ -0,0 +1,25 @@
+targetScope = 'subscription'
+
+@description('Required. The base name of the resource group (will be prefixed with "rg-")')
+param name string
+
+@description('The location to deploy')
+param location string
+
+@description('Tags for the resource')
+param tags object
+
+resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+    name: name
+    location: location
+    tags: tags
+}
+
+@description('The resource ID of the resource group')
+output id string = rg.id
+
+@description('The name of the resource group')
+output name string = rg.name
+
+@description('The location of the resource group')
+output location string = rg.location
