Remove Cred/AD App during teardown. Rework Cred/AD App AuthZ

Signed-off-by: Chris Perro <[email protected]>

Author: cmperro

roles/platform/defaults/main.yml

@@ -167,7 +167,9 @@ plat__azure_assignment_name_suffix:           "{{ env.azure.role.name_suffix.ass
 plat__azure_metagroup_name:                   "{{ common__azure_metagroup_name }}"
 plat__azure_storage_name:                     "{{ common__azure_storage_name }}"
 
-plat__azure_consistency_wait:                 "{{ env.azure.app.wait | default(10) }}"
+plat__azure_consistency_wait:                 "{{ env.azure.app.wait | default(30) }}"
+plat__azure_xaccount_use_custom_role:         "{{ env.azure.app.use_custom_role | default(False) }}"
+plat__azure_single_resource_group:            "{{ env.azure.single_resource_group | default(False) }}"
 plat__azure_xaccount_app_name:                "{{ env.azure.app.name | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_app_suffix] | join('-')) }}"
 plat__azure_xaccount_role_name:               "{{ env.azure.role.name.cross_account | default([plat__namespace, plat__azure_xaccount_suffix, plat__azure_role_suffix] | join('-')) }}"
 plat__azure_policy_url:                       "{{ env.azure.policy.url | default('https://raw.githubusercontent.com/cloudera-labs/snippets/main/policies/azure/cloudbreak_minimal_multiple_rgs_v1.json') }}"

roles/platform/tasks/setup_azure_authz.yml

@@ -14,6 +14,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Handle Azure Cross Account Role
+  register: __azure_xaccount_role_info
+  azure.azcollection.azure_rm_roledefinition:  # This version fails idempotence if a description is set
+    state: present
+    name: "{{ plat__azure_xaccount_role_name }}"
+    assignable_scopes: "/subscriptions/{{ plat__azure_subscription_id }}"
+    permissions:
+      - actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('Actions') }}"
+        data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('DataActions') }}"
+        not_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotActions') }}"
+        not_data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotDataActions') }}"
+
 - name: Ensure Azure Cross Account App and Credential are Deployed
   when: plat__azure_xaccount_app_uuid is undefined or plat__xacccount_credential_name not in plat__cdp_credentials_list
   block:
@@ -33,15 +45,26 @@
           ansible.builtin.pause:
             seconds: "{{ plat__azure_consistency_wait }}"
 
+    - name: Dump MetaGroup URI
+      ansible.builtin.debug:
+        msg: Dumping... {{ plat__azure_metagroup_uri }}
+    
     # Owner role is required for DWX if you are thinking of modifying this task
     - name: Request Azure Cross Account App Creation
       no_log: True
       register: __azure_xaccount_app_info
       command: >
         az ad sp create-for-rbac
         --name {{ plat__azure_xaccount_app_name }}
-        --role {{ plat__azure_roles.owner }}
-        --scopes {{ plat__azure_metagroup_uri }}
+        --role {{ plat__azure_xaccount_use_custom_role | ternary(__azure_xaccount_role_info.id, plat__azure_roles.contrib) }}
+        --scope {{ plat__azure_subscription_uri }}
+       # --role {{ __azure_xaccount_role_info.id }}
+       # --scopes {{ plat__azure_metagroup_uri }}
+       # Bake ternary into the above
+
+    #- name: SLEEEP
+    #  command: >
+    #    sleep 180
 
     - name: Register Azure Cross Account App info
       no_log: True
@@ -95,22 +118,24 @@
         tenant: "{{ plat__azure_tenant_id }}"
         application: "{{ plat__azure_xaccount_app_uuid }}"
         secret: "{{ __azure_xaccount_app_pword }}"
-  
-- name: Handle Azure Cross Account Role
-  register: __azure_xaccount_role_info
-  azure.azcollection.azure_rm_roledefinition:  # This version fails idempotence if a description is set
-    state: present
-    name: "{{ plat__azure_xaccount_role_name }}"
-    assignable_scopes: "/subscriptions/{{ plat__azure_subscription_id }}"
-    permissions:
-      - actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('Actions') }}"
-        data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('DataActions') }}"
-        not_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotActions') }}"
-        not_data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotDataActions') }}"
 
-- name: Set Azure Cross Account Role URI
-  ansible.builtin.set_fact:
-    plat__azure_xaccount_role_uri: "{{ __azure_xaccount_role_info.id }}"
+#Move Up  
+#- name: Handle Azure Cross Account Role
+#  register: __azure_xaccount_role_info
+#  azure.azcollection.azure_rm_roledefinition:  # This version fails idempotence if a description is set
+#    state: present
+#    name: "{{ plat__azure_xaccount_role_name }}"
+#    assignable_scopes: "/subscriptions/{{ plat__azure_subscription_id }}"
+#    permissions:
+#      - actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('Actions') }}"
+#        data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('DataActions') }}"
+#        not_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotActions') }}"
+#        not_data_actions: "{{ lookup('file', __azure_policy_document.dest ) | from_json | community.general.json_query('NotDataActions') }}"
+
+#Not Needed?
+#- name: Set Azure Cross Account Role URI
+#  ansible.builtin.set_fact:
+#    plat__azure_xaccount_role_uri: "{{ __azure_xaccount_role_info.id }}"
 
 - name: Request creation of Azure Managed Identities
   when: ( __azure_identity_list_names is undefined ) or ( __azure_msi_item not in __azure_identity_list_names )
@@ -123,7 +148,7 @@
     - "{{ plat__azure_datalakeadmin_identity_name }}"
     - "{{ plat__azure_log_identity_name }}"
     - "{{ plat__azure_ranger_audit_identity_name }}"
-
+#Dupe of Below?
 - name: Wait for identities to be listed
   command: "az identity list -g {{ plat__azure_metagroup_name }}"
   register: __azure_identity_list
@@ -235,16 +260,20 @@
       scope: "{{ plat__azure_datapath_uri }}"
       assignee: "{{ __azure_ranger_audit_identity_uuid }}"
       desc: Assign Storage Blob Data Contributor Role to Ranger Role at Data Container level
-    - role: "{{ __azure_contributor_role_uri }}"
-      name: "{{ plat__azure_xaccount_contributor_assn_name }}"
-      scope: "{{ plat__azure_subscription_uri }}"
-      assignee: "{{ plat__azure_application_service_principal_objuuid }}"
-      desc: Assign top level Contributor Role to Cross Account App
-    - role: "{{ __azure_xaccount_role_uri }}"
-      name: "{{ plat__azure_xaccount_role_assn_name }}"
-      scope: "{{ plat__azure_subscription_uri }}"
-      assignee: "{{ plat__azure_application_service_principal_objuuid }}"
-      desc: Assign Cross Account Role to Cross Account App
+    #- role: "{{ __azure_contributor_role_uri }}"
+    #  name: "{{ plat__azure_xaccount_contributor_assn_name }}"
+    #  scope: "{{ plat__azure_subscription_uri }}"
+    #  assignee: "{{ plat__azure_application_service_principal_objuuid }}"
+    #  desc: Assign top level Contributor Role to Cross Account App
+    #- role: "{{ __azure_xaccount_role_uri }}"
+    #  name: "{{ plat__azure_xaccount_role_assn_name }}"
+    #  scope: "{{ plat__azure_subscription_uri }}"
+    #  assignee: "{{ plat__azure_application_service_principal_objuuid }}"
+    #  desc: Assign Cross Account Role to Cross Account App
   loop_control:
     loop_var: __azure_rl_assgn_item
-    label: "{{ __azure_rl_assgn_item.desc }}"
+    label: "{{ __azure_rl_assgn_item.desc }}"
+
+#- name: SLEEEEEEEEEEP
+#  command: >
+#    sleep 1800

roles/platform/tasks/setup_azure_env.yml

@@ -30,6 +30,7 @@
     vpc_id: "{{ plat__vpc_name }}"
     tunnel: "{{ plat__tunnel }}"
     resource_gp: "{{ plat__azure_metagroup_name }}"
+    use_single_resource_group: "{{ plat__azure_single_resource_group }}"
     subnet_ids: "{{ plat__azure_subnets }}"
     public_ip: "{{ plat__public_endpoint_access }}"
     tags: "{{ plat__tags }}"

roles/platform/tasks/teardown_azure_authz.yml

@@ -49,4 +49,21 @@
     - plat__azure_idbroker_identity_name not in ( __azure_identity_list.stdout | from_json | community.general.json_query('[*].name') )
     - plat__azure_datalakeadmin_identity_name not in ( __azure_identity_list.stdout | from_json | community.general.json_query('[*].name') )
     - plat__azure_log_identity_name not in ( __azure_identity_list.stdout | from_json | community.general.json_query('[*].name') )
-    - plat__azure_ranger_audit_identity_name not in ( __azure_identity_list.stdout | from_json | community.general.json_query('[*].name') )
+    - plat__azure_ranger_audit_identity_name not in ( __azure_identity_list.stdout | from_json | community.general.json_query('[*].name') )
+
+- name: Remove CDP Cross Account Credential for Azure
+  when: plat__teardown_deletes_credential
+  cloudera.cloud.env_cred:
+    state: absent
+    #cloud: "{{ plat__infra_type }}"
+    name: "{{ plat__xacccount_credential_name }}"
+    #subscription: "{{ plat__azure_subscription_id }}"
+    #tenant: "{{ plat__azure_tenant_id }}"
+    #application: "{{ plat__azure_xaccount_app_uuid }}"
+    #secret: "{{ __azure_xaccount_app_pword }}"
+
+- name: Tear down Azure AD App Registration
+  when: plat__teardown_deletes_xaccount and ( plat__azure_xaccount_app_uuid is defined ) and ( plat__azure_xaccount_app_uuid | length > 0 )
+  command: >
+      az ad sp delete
+      --id {{ plat__azure_application_service_principal_objuuid }}