From 1b0208997b3a93ba485fe33ab88cadc769e2c2c7 Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Tue, 10 Sep 2024 14:57:58 +0200
Subject: [PATCH 1/6] Test ACL Permission Workflow

---
.github/workflows/_setAclPermissions.yml | 85 ++++++++++++++++++++++++
.github/workflows/setAclPermissions.yml | 54 +++++++++++++++
2 files changed, 139 insertions(+)
create mode 100644 .github/workflows/_setAclPermissions.yml
create mode 100644 .github/workflows/setAclPermissions.yml

diff --git a/.github/workflows/_setAclPermissions.yml b/.github/workflows/_setAclPermissions.yml
new file mode 100644
index 0000000..cc36ca2
--- /dev/null
+++ b/.github/workflows/_setAclPermissions.yml
@@ -0,0 +1,85 @@
+name: Set ACL Permissions Template
+
+on:
+ workflow_call:
+ inputs:
+ environment:
+ required: true
+ type: string
+ default: "dev"
+ description: "Specifies the environment of the deployment."
+ storage_account_name:
+ required: true
+ type: string
+ description: "Specifies the name of the storage account."
+ storage_container_name:
+ required: true
+ type: string
+ description: "Specifies the name of the storage account container name."
+ storage_container_path:
+ required: true
+ type: string
+ description: "Specifies the path within the storage account container."
+ user_object_id:
+ required: true
+ type: string
+ description: "Specifies the object id of the identity that should be granted access."
+ acl_permissions:
+ required: true
+ type: string
+ description: "Specifies the acl permissions to be granted to the identity (e.g. 'rwx')."
+ secrets:
+ TENANT_ID:
+ required: true
+ description: "Specifies the tenant id of the deployment."
+ SUBSCRIPTION_ID:
+ required: true
+ description: "Specifies the subscription id of the deployment."
+ CLIENT_ID:
+ required: true
+ description: "Specifies the client id."
+ CLIENT_SECRET:
+ required: true
+ description: "Specifies the client secret."
+
+jobs:
+ exec:
+ name: Run Az CLI Command
+ runs-on: [self-hosted, linux, adp]
+ continue-on-error: false
+ environment: "${{ inputs.environment }}"
+
+ steps:
+ # Login to Azure
+ - name: Azure Login
+ id: azure_login
+ uses: azure/login@v1
+ with:
+ creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
+
+ # Grant Access - ACL
+ - name: Grant Access - ACL
+ id: access_acl
+ run: |
+ echo "Set Azure Context"
+ az account set -s "${{ secrets.SUBSCRIPTION_ID }}"
+
+ echo "Set ACL"
+ az storage fs access set \
+ --acl "user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
+ --path $STORAGE_CONTAINER_PATH \
+ --file-system $STORAGE_CONTAINER_NAME \
+ --account-name $STORAGE_ACCOUNT_NAME \
+ --auth-mode login
+ env:
+ USER_OBJECT_ID: ${{ inputs.user_object_id }}
+ ACL_PERMISSIONS: ${{ inputs.acl_permissions }}
+ STORAGE_ACCOUNT_NAME: ${{ inputs.storage_account_name }}
+ STORAGE_CONTAINER_NAME: ${{ inputs.storage_container_name }}
+ STORAGE_CONTAINER_PATH: ${{ inputs.storage_container_path }}
+
+ # Log out from Azure
+ - name: Log out from Azure
+ id: azure_logout
+ run: |
+ az logout
diff --git a/.github/workflows/setAclPermissions.yml b/.github/workflows/setAclPermissions.yml
new file mode 100644
index 0000000..607e882
--- /dev/null
+++ b/.github/workflows/setAclPermissions.yml
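Review bot: The `Log out from Azure` step at the end of the hunk has no `if:` condition, so when `Grant Access - ACL` fails the job stops before `az logout` and the service-principal session stays in the Azure CLI token cache on the runner; add `if: always()` to that step (the template targets `runs-on: [self-hosted, linux, adp]`, where runner state can persist between jobs). In `Grant Access - ACL` the three shell variables are expanded unquoted — `--path "$STORAGE_CONTAINER_PATH" --file-system "$STORAGE_CONTAINER_NAME" --account-name "$STORAGE_ACCOUNT_NAME"` — and `az account set -s "${{ secrets.SUBSCRIPTION_ID }}"` splices the expression into the script body instead of going through `env:` like the other inputs do. `uses: azure/login@v1` is a floating major tag on the action that receives the client secret; pin it to a release tag or commit SHA. Since the login is by `clientSecret`, the action's OIDC inputs (`client-id`, `tenant-id`, `subscription-id` with `permissions: id-token: write` on the job) would avoid storing a long-lived secret at all.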
@@ -0,0 +1,54 @@
+name: Set ACL Permissions
+on:
+ pull_request:
+ branches:
+ - main
+ # workflow_dispatch:
+ # inputs:
+ # environment:
+ # required: true
+ # description: 'Read environment for which the Terraform state shall be unlocked.'
+ # type: choice
+ # options:
+ # - dev
+ # - tst
+ # - prp
+ # - prd
+ # default: core_dev
+ # storage_account_name:
+ # required: true
+ # type: string
+ # description: "Specifies the name of the storage account."
+ # storage_container_name:
+ # required: true
+ # type: string
+ # description: "Specifies the name of the storage account container name."
+ # storage_container_path:
+ # required: true
+ # type: string
+ # description: "Specifies the path within the storage account container."
+ # user_object_id:
+ # required: true
+ # type: string
+ # description: "Specifies the object id of the identity that should be granted access."
+ # acl_permissions:
+ # required: true
+ # type: string
+ # description: "Specifies the acl permissions to be granted to the identity (e.g. 'rwx')."
+
+jobs:
+ set_acl:
+ uses: ./.github/workflows/_setAclPermissions.yml
+ name: "Set ACL Permissions"
+ with:
+ environment: "dev" # "${{ inputs.environment }}"
+ storage_account_name: "mabussadls001" # "${{ inputs.storage_account_name }}"
+ storage_container_name: "testsetacl" # "${{ inputs.storage_container_name }}"
+ storage_container_path: "/" # "${{ inputs.storage_container_path }}"
+ user_object_id: "c1b9add1-e5cb-47c7-aa95-be63e1d5fd11" # "${{ inputs.user_object_id }}"
+ acl_permissions: "rwx" # "${{ inputs.acl_permissions }}"
+ secrets:
+ TENANT_ID: ${{ secrets.TENANT_ID }}
+ SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
+ CLIENT_ID: ${{ secrets.CLIENT_ID }}
+ CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
From 24c01489e23efe6f7e351fd0b284f701b191d26b Mon Sep 17 00:00:00 2001
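Review bot: A `pull_request` trigger on `main` runs this privileged ACL grant for every pull request, and because `pull_request` builds the PR head, a PR that edits `_setAclPermissions.yml` decides what executes with the `dev` environment's `CLIENT_SECRET`; the hard-coded `with:` values (`mabussadls001`, `testsetacl`, the object id, `rwx`) show this is test wiring, so the commented-out `workflow_dispatch` trigger, with required reviewers on the `dev` environment, is the entry point to restore before the workflow is used for real grants. The commented-out input block also looks copied from another workflow: the `environment` description reads `'Read environment for which the Terraform state shall be unlocked.'` and its `default: core_dev` is not among the listed `options` (`dev`, `tst`, `prp`, `prd`), which workflow validation is likely to reject as soon as it is uncommented. The called workflow never uses `GITHUB_TOKEN`; a top-level `permissions: {}` keeps the token at nothing for this job.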
From: Marvin Buss
Date: Tue, 10 Sep 2024 14:59:39 +0200
Subject: [PATCH 2/6] Update runtime

---
.github/workflows/_setAclPermissions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/_setAclPermissions.yml b/.github/workflows/_setAclPermissions.yml
index cc36ca2..ec153f1 100644
--- a/.github/workflows/_setAclPermissions.yml
+++ b/.github/workflows/_setAclPermissions.yml
@@ -45,7 +45,7 @@ on:
jobs:
exec:
name: Run Az CLI Command
- runs-on: [self-hosted, linux, adp]
+ runs-on: ubuntu-latest # [self-hosted, linux, adp]
continue-on-error: false
environment: "${{ inputs.environment }}"

From 64b101b4a41a37ce8ad5f689315f9918cad546a5 Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Tue, 10 Sep 2024 15:00:59 +0200
Subject: [PATCH 3/6] fix workflow

---
.github/workflows/setAclPermissions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/setAclPermissions.yml b/.github/workflows/setAclPermissions.yml
index 607e882..fd55338 100644
--- a/.github/workflows/setAclPermissions.yml
+++ b/.github/workflows/setAclPermissions.yml
@@ -1,6 +1,6 @@
name: Set ACL Permissions
on:
- pull_request:
+ pull_request:
branches:
- main
# workflow_dispatch:
From 57bceeb296a6e2a7ad9889330d935e5610d54e3d Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Tue, 10 Sep 2024 15:10:51 +0200
Subject: [PATCH 4/6] Update identity

---
.github/workflows/setAclPermissions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/setAclPermissions.yml b/.github/workflows/setAclPermissions.yml
index fd55338..fa87d73 100644
--- a/.github/workflows/setAclPermissions.yml
+++ b/.github/workflows/setAclPermissions.yml
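Review bot: Moving the `exec` job from the `adp` self-hosted runner to `ubuntu-latest` changes where the `az storage fs access set` call originates — a GitHub-hosted runner reaches the storage account over its public endpoint, so if the account is restricted by network rules or a private endpoint the step fails where the self-hosted run would have succeeded (inferred from the runner labels, not visible here). The old label list kept as a trailing comment on the same line does not say which runner is intended; a comment such as `# NOTE(review): ubuntu-latest is for testing only — production runs on [self-hosted, linux, adp]` makes the intent explicit, if that is the plan. The `exec` job definition continues past the hunk on both sides.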
@@ -45,7 +45,7 @@ jobs:
storage_account_name: "mabussadls001" # "${{ inputs.storage_account_name }}"
storage_container_name: "testsetacl" # "${{ inputs.storage_container_name }}"
storage_container_path: "/" # "${{ inputs.storage_container_path }}"
- user_object_id: "c1b9add1-e5cb-47c7-aa95-be63e1d5fd11" # "${{ inputs.user_object_id }}"
+ user_object_id: "cc068096-fcd1-4cfb-9980-807c71e41d69" # "${{ inputs.user_object_id }}"
acl_permissions: "rwx" # "${{ inputs.acl_permissions }}"
secrets:
TENANT_ID: ${{ secrets.TENANT_ID }}
From 716b9497c541f2ae17741e3f1942e30c616cfd4b Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Tue, 10 Sep 2024 15:18:08 +0200
Subject: [PATCH 5/6] Update acl

---
.github/workflows/_setAclPermissions.yml | 2 +-
.github/workflows/setAclPermissions.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/_setAclPermissions.yml b/.github/workflows/_setAclPermissions.yml
index ec153f1..155b80d 100644
--- a/.github/workflows/_setAclPermissions.yml
+++ b/.github/workflows/_setAclPermissions.yml
@@ -66,7 +66,7 @@ jobs:

echo "Set ACL"
az storage fs access set \
- --acl "user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
+ --acl "user::rwx,group::r-x,other::---,user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
--path $STORAGE_CONTAINER_PATH \
--file-system $STORAGE_CONTAINER_NAME \
--account-name $STORAGE_ACCOUNT_NAME \
diff --git a/.github/workflows/setAclPermissions.yml b/.github/workflows/setAclPermissions.yml
index fa87d73..fd55338 100644
--- a/.github/workflows/setAclPermissions.yml
+++ b/.github/workflows/setAclPermissions.yml
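Review bot: `az storage fs access set --acl` replaces the whole access ACL of `$STORAGE_CONTAINER_PATH`, so the fixed `user::rwx,group::r-x,other::---` entries added here overwrite the path's current owner/group/other bits and every previously granted named entry is dropped on each run; the same line is extended again with `mask::rwx` in the `Add mask` hunk (patch 6/6), where the same applies. If the intent is to add one principal rather than reset the ACL, `az storage fs access update-recursive --acl "user:$USER_OBJECT_ID:$ACL_PERMISSIONS"` with the same `--path`/`--file-system`/`--account-name` arguments merges the entry and also reaches existing children, which `access set` does not. Either way, a comment above the command should state that it sets only the access ACL of that single path — no default ACL, so newly created children do not inherit the grant — and that the base entries and mask are fixed by the template, not chosen by the caller. The `run: |` script continues past the hunk on both sides.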
@@ -45,7 +45,7 @@ jobs:
storage_account_name: "mabussadls001" # "${{ inputs.storage_account_name }}"
storage_container_name: "testsetacl" # "${{ inputs.storage_container_name }}"
storage_container_path: "/" # "${{ inputs.storage_container_path }}"
- user_object_id: "cc068096-fcd1-4cfb-9980-807c71e41d69" # "${{ inputs.user_object_id }}"
+ user_object_id: "c1b9add1-e5cb-47c7-aa95-be63e1d5fd11" # "${{ inputs.user_object_id }}"
acl_permissions: "rwx" # "${{ inputs.acl_permissions }}"
secrets:
TENANT_ID: ${{ secrets.TENANT_ID }}
From 6cfb149d9d124081a42e45148ace6b99cc8173e2 Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Tue, 10 Sep 2024 15:23:52 +0200
Subject: [PATCH 6/6] Add mask

---
.github/workflows/_setAclPermissions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/_setAclPermissions.yml b/.github/workflows/_setAclPermissions.yml
index 155b80d..f18d267 100644
--- a/.github/workflows/_setAclPermissions.yml
+++ b/.github/workflows/_setAclPermissions.yml
@@ -66,7 +66,7 @@ jobs:

echo "Set ACL"
az storage fs access set \
- --acl "user::rwx,group::r-x,other::---,user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
+ --acl "user::rwx,group::r-x,other::---,mask::rwx,user:$USER_OBJECT_ID:$ACL_PERMISSIONS" \
--path $STORAGE_CONTAINER_PATH \
--file-system $STORAGE_CONTAINER_NAME \
--account-name $STORAGE_ACCOUNT_NAME \