Disable Batch Account and storage keys

deployment/helm/deploy-values.template.yaml

@@ -45,17 +45,16 @@ pctasks:
   run:
     task_runner_type: "batch"
     streaming_task_namespace: "pc"
-    streaming_task_node_group: {{ tf.aks_streaming_task_node_group_name }}
     task_poll_seconds: 30
 
     notifications:
       queue_name: "notifications"
-      connection_string: {{ tf.sa_connection_string }}
+      connection_string: "NOT_USED"
 
     tables:
       account_url: {{ tf.sa_tables_account_url }}
       account_name: {{ tf.sa_account_name }}
-      connection_string: {{ tf.sa_connection_string }}
+      connection_string: "NOT_USED"
       image_key_table_name: "imagekeys"
 
     blob:
@@ -82,7 +81,7 @@ pctasks:
     batch:
       enabled: true
       url: "{{ tf.batch_url }}"
-      key: "{{ tf.batch_key }}"
+      key: "NOT_USED"
       default_pool_id: "{{ tf.batch_default_pool_id }}"
       submit_threads: 0
 

deployment/terraform/resources/batch.tf

@@ -12,9 +12,18 @@ resource "azurerm_batch_account" "pctasks" {
   name                                = local.nodash_prefix
   resource_group_name                 = azurerm_resource_group.pctasks.name
   location                            = azurerm_resource_group.pctasks.location
-  pool_allocation_mode                = "BatchService"
+  pool_allocation_mode                = "UserSubscription"
   storage_account_id                  = azurerm_storage_account.pctasks-batch.id
-  storage_account_authentication_mode = "StorageKeys"
+  storage_account_authentication_mode = "BatchAccountManagedIdentity"
+  allowed_authentication_modes        = ["AAD"]
+  key_vault_reference {
+    id       = data.azurerm_key_vault.pctasks.id
+    url      = data.azurerm_key_vault.pctasks.vault_uri
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
 
   tags = {
     ManagedBy   = "AI4E"
@@ -53,3 +62,10 @@ resource "azurerm_role_assignment" "batch-tasks-blob-storage-contributor" {
     "/subscriptions/1b045d0d-e560-456a-952d-7514f87f1b1f", # NOAA Data Project
   ])
 }
+
+# Allow workflow identity to submit and manage Batch jobs
+resource "azurerm_role_assignment" "workflows-batch-contributor" {
+  role_definition_name = "Azure Batch Job Submitter"
+  principal_id         = azurerm_user_assigned_identity.workflows.principal_id
+  scope                = azurerm_batch_account.pctasks.id
+}

deployment/terraform/resources/keyvault.tf

@@ -9,6 +9,17 @@ resource "azurerm_role_assignment" "functions-secrets-user" {
   scope                = data.azurerm_key_vault.pctasks.id
 }
 
+# Required for Batch UserSubscription mode
+data "azuread_service_principal" "batch" {
+  display_name = "Microsoft Azure Batch"
+}
+
+resource "azurerm_role_assignment" "batch-keyvault-secrets-officer" {
+  role_definition_name = "Key Vault Secrets Officer"
+  principal_id         = data.azuread_service_principal.batch.object_id
+  scope                = data.azurerm_key_vault.pctasks.id
+}
+
 # Store database information as a secret
 
 resource "azurerm_key_vault_secret" "pgstac-connection-string" {
@@ -18,8 +29,8 @@ resource "azurerm_key_vault_secret" "pgstac-connection-string" {
 }
 
 resource "azurerm_key_vault_secret" "task-application-insights-connection-string" {
-  name = "task-application-insights-connection-string"
-  value = azurerm_application_insights.pctasks.connection_string
+  name         = "task-application-insights-connection-string"
+  value        = azurerm_application_insights.pctasks.connection_string
   key_vault_id = data.azurerm_key_vault.pctasks.id
 }
 

deployment/terraform/resources/output.tf

@@ -86,10 +86,6 @@ output "batch_url" {
   value = "https://${azurerm_batch_account.pctasks.account_endpoint}"
 }
 
-output "batch_key" {
-  value = azurerm_batch_account.pctasks.primary_access_key
-}
-
 output "batch_default_pool_id" {
   value = var.batch_default_pool_id
 }
@@ -134,10 +130,6 @@ output "sa_account_name" {
   value = azurerm_storage_account.pctasks.name
 }
 
-output "sa_connection_string" {
-  value = azurerm_storage_account.pctasks.primary_connection_string
-}
-
 ## Keyvault
 
 output "keyvault_url" {