Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg

cmperro · Chris Perro · commit 8582f676963c · 2022-02-08T11:50:54.000-05:00
Signed-off-by: Chris Perro &lt;cmperro@gmail.com&gt;
diff --git a/roles/platform/defaults/main.yml b/roles/platform/defaults/main.yml
@@ -177,11 +177,16 @@ plat__azure_storage_name:                     "{{ common__azure_storage_name }}"
 
 plat__azure_consistency_wait:                 "{{ env.azure.app.wait | default(30) }}"
 <<<<<<< HEAD
+<<<<<<< HEAD
 plat__azure_xaccount_use_custom_role:         "{{ env.azure.use_custom_role | default(False) }}"
 plat__azure_xaccount_rg_scope:                "{{ env.azure.rg_scope | default(False) }}"
 =======
 plat__azure_xaccount_use_custom_role:         "{{ env.azure.app.use_custom_role | default(False) }}"
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+plat__azure_xaccount_use_custom_role:         "{{ env.azure.use_custom_role | default(False) }}"
+plat__azure_xaccount_rg_scope:                "{{ env.azure.rg_scope | default(False) }}"
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
 plat__azure_single_resource_group:            "{{ env.azure.single_resource_group | default(False) }}"
 plat__azure_xaccount_app_name:                "{{ env.azure.app.name | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_app_suffix] | join('-')) }}"
 plat__azure_xaccount_role_name:               "{{ env.azure.role.name.cross_account | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_role_suffix] | join('-')) }}"
diff --git a/roles/platform/tasks/setup_azure_authz.yml b/roles/platform/tasks/setup_azure_authz.yml
@@ -45,6 +45,7 @@
           ansible.builtin.pause:
             seconds: "{{ plat__azure_consistency_wait }}"
 <<<<<<< HEAD
+<<<<<<< HEAD
     
 =======
 
@@ -54,13 +55,17 @@
     
     # Owner role is required for DWX if you are thinking of modifying this task
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+    
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
     - name: Request Azure Cross Account App Creation
       no_log: True
       register: __azure_xaccount_app_info
       command: >
         az ad sp create-for-rbac
         --name {{ plat__azure_xaccount_app_name }}
         --role {{ plat__azure_xaccount_use_custom_role | ternary(__azure_xaccount_role_info.id, plat__azure_roles.contrib) }}
+<<<<<<< HEAD
 <<<<<<< HEAD
         --scope {{ plat__azure_xaccount_rg_scope | ternary(plat__azure_metagroup_uri, plat__azure_subscription_uri) }} 
 =======
@@ -73,6 +78,9 @@
     #  command: >
     #    sleep 180
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+        --scope {{ plat__azure_xaccount_rg_scope | ternary(plat__azure_metagroup_uri, plat__azure_subscription_uri) }} 
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
 
     - name: Register Azure Cross Account App info
       no_log: True
@@ -129,6 +137,7 @@
 <<<<<<< HEAD
 =======
 
+<<<<<<< HEAD
 #Move Up  
 #- name: Handle Azure Cross Account Role
 #  register: __azure_xaccount_role_info
@@ -148,6 +157,8 @@
 #    plat__azure_xaccount_role_uri: "{{ __azure_xaccount_role_info.id }}"
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
 
+=======
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
 - name: Request creation of Azure Managed Identities
   when: ( __azure_identity_list_names is undefined ) or ( __azure_msi_item not in __azure_identity_list_names )
   loop_control:
@@ -159,7 +170,7 @@
     - "{{ plat__azure_datalakeadmin_identity_name }}"
     - "{{ plat__azure_log_identity_name }}"
     - "{{ plat__azure_ranger_audit_identity_name }}"
-#Dupe of Below?
+
 - name: Wait for identities to be listed
   command: "az identity list -g {{ plat__azure_metagroup_name }}"
   register: __azure_identity_list
@@ -271,6 +282,7 @@
       scope: "{{ plat__azure_datapath_uri }}"
       assignee: "{{ __azure_ranger_audit_identity_uuid }}"
       desc: Assign Storage Blob Data Contributor Role to Ranger Role at Data Container level
+<<<<<<< HEAD
 <<<<<<< HEAD
   loop_control:
     loop_var: __azure_rl_assgn_item
@@ -298,3 +310,8 @@
 #  command: >
 #    sleep 1800
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+  loop_control:
+    loop_var: __azure_rl_assgn_item
+    label: "{{ __azure_rl_assgn_item.desc }}"
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
diff --git a/roles/platform/tasks/setup_azure_env.yml b/roles/platform/tasks/setup_azure_env.yml
@@ -30,11 +30,15 @@
     vpc_id: "{{ plat__vpc_name }}"
     tunnel: "{{ plat__tunnel }}"
     resource_gp: "{{ plat__azure_metagroup_name }}"
+<<<<<<< HEAD
 <<<<<<< HEAD
     use_single_resource_group: "{{ plat__azure_single_resource_group or plat__azure_xaccount_rg_scope | bool }}"
 =======
     use_single_resource_group: "{{ plat__azure_single_resource_group }}"
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+    use_single_resource_group: "{{ plat__azure_single_resource_group or plat__azure_xaccount_rg_scope | bool }}"
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
     subnet_ids: "{{ plat__azure_subnets }}"
     public_ip: "{{ plat__public_endpoint_access }}"
     tags: "{{ plat__tags }}"
diff --git a/roles/platform/tasks/teardown_azure_authz.yml b/roles/platform/tasks/teardown_azure_authz.yml
@@ -55,6 +55,7 @@
   when: plat__teardown_deletes_credential
   cloudera.cloud.env_cred:
     state: absent
+<<<<<<< HEAD
 <<<<<<< HEAD
     name: "{{ plat__xacccount_credential_name }}"
 =======
@@ -65,19 +66,29 @@
     #application: "{{ plat__azure_xaccount_app_uuid }}"
     #secret: "{{ __azure_xaccount_app_pword }}"
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+    name: "{{ plat__xacccount_credential_name }}"
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
 
 - name: Tear down Azure AD App Registration
   when: plat__teardown_deletes_xaccount and ( plat__azure_xaccount_app_uuid is defined ) and ( plat__azure_xaccount_app_uuid | length > 0 )
   command: >
       az ad sp delete
 <<<<<<< HEAD
+<<<<<<< HEAD
+=======
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
       --id {{ plat__azure_application_service_principal_objuuid }}
 
 - name: Tear down Custom Role
   when: plat__teardown_deletes_roles
   azure.azcollection.azure_rm_roledefinition:
     state: absent
+<<<<<<< HEAD
     name: "{{ plat__azure_xaccount_role_name }}"
 =======
       --id {{ plat__azure_application_service_principal_objuuid }}
 >>>>>>> 77d54e8 (Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ)
+=======
+    name: "{{ plat__azure_xaccount_role_name }}"
+>>>>>>> 374439c (Updates to authz setup and teardown for deleting custom role, and scoping ad app down to the rg)
