From b469f98a6d99723bd3c14180c991a954fdbe8f0b Mon Sep 17 00:00:00 2001
From: Sushil Kumar
Date: Wed, 20 Apr 2022 15:04:27 -0700
Subject: [PATCH 1/3] Add a custom role for accessing batch account
---
deploy/infra/groups/orchestration.bicep | 9 +++++
deploy/infra/modules/batch.account.bicep | 4 +-
.../modules/batch.account.custom.role.bicep | 37 +++++++++++++++++++
deploy/infra/modules/custom.role.bicep | 33 +++++++++++++++++
4 files changed, 81 insertions(+), 2 deletions(-)
create mode 100644 deploy/infra/modules/batch.account.custom.role.bicep
create mode 100644 deploy/infra/modules/custom.role.bicep
diff --git a/deploy/infra/groups/orchestration.bicep b/deploy/infra/groups/orchestration.bicep
index 22f0d75..5804148 100644
--- a/deploy/infra/groups/orchestration.bicep
+++ b/deploy/infra/groups/orchestration.bicep
@@ -161,6 +161,14 @@ module uami '../modules/managed.identity.user.bicep' = {
 }
 }
+module batchAccountCustomRole '../modules/batch.account.custom.role.bicep' = {
+ name: '${namingPrefix}-batch-account-custom-role'
+ scope: subscription()
+ params: {
+ batchAccountName: toLower(batchAccountNameVar)
+ }
+}
+
 module batchAccount '../modules/batch.account.bicep' = {
 name: '${namingPrefix}-batch-account'
 params: {
@@ -175,6 +183,7 @@ module batchAccount '../modules/batch.account.bicep' = {
 poolAllocationMode: batchAccountPoolAllocationMode
 publicNetworkAccess: batchAccountPublicNetworkAccess
 keyVaultName: keyvaultNameVar
+ assignRoleToUserManagedIdentity: batchAccountCustomRole.outputs.batchAccountCustomRoleName
 }
 dependsOn: [
 uami
diff --git a/deploy/infra/modules/batch.account.bicep b/deploy/infra/modules/batch.account.bicep
index ae93292..73e61db 100644
--- a/deploy/infra/modules/batch.account.bicep
+++ b/deploy/infra/modules/batch.account.bicep
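Review bot: Scoping `batchAccountCustomRole` to `subscription()` means the principal running this deployment must be able to write role definitions at subscription scope (Owner or User Access Administrator, as far as I know), which a resource-group-scoped deployment did not require before; the README or a comment above the module should state that prerequisite. The deployment name `'${namingPrefix}-batch-account-custom-role'` is unique only per subscription, so two environments deployed with the same prefix into one subscription would share the deployment and, via `batchAccountName`, the same role definition — presumably acceptable, but worth a one-line comment. The `batchAccount` module in the second hunk continues outside the hunk.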
@@ -103,11 +103,11 @@ var role = {
 }
 resource assignRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
- name: guid(batchAccount.id, userManagedIdentityPrincipalId, role[toLower(assignRoleToUserManagedIdentity)])
+ name: guid(batchAccount.id, userManagedIdentityPrincipalId, assignRoleToUserManagedIdentity)
 scope: batchAccount
 properties: {
 principalId: userManagedIdentityPrincipalId
- roleDefinitionId: role[toLower(assignRoleToUserManagedIdentity)]
+ roleDefinitionId: assignRoleToUserManagedIdentity
 }
 }
diff --git a/deploy/infra/modules/batch.account.custom.role.bicep b/deploy/infra/modules/batch.account.custom.role.bicep
new file mode 100644
index 0000000..257b8eb
--- /dev/null
+++ b/deploy/infra/modules/batch.account.custom.role.bicep
@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+targetScope = 'subscription'
+
+param batchAccountName string
+param allowedActions array = [
+ 'Microsoft.Batch/batchAccounts/pools/write'
+ 'Microsoft.Batch/batchAccounts/pools/read'
+ 'Microsoft.Batch/batchAccounts/pools/delete'
+ 'Microsoft.Batch/batchAccounts/read'
+ 'Microsoft.Batch/batchAccounts/listKeys/action'
+]
+param allowedDataActions array = [
+ 'Microsoft.Batch/batchAccounts/jobSchedules/write'
+ 'Microsoft.Batch/batchAccounts/jobSchedules/delete'
+ 'Microsoft.Batch/batchAccounts/jobSchedules/read'
+ 'Microsoft.Batch/batchAccounts/jobs/write'
+ 'Microsoft.Batch/batchAccounts/jobs/delete'
+ 'Microsoft.Batch/batchAccounts/jobs/read'
+]
+param deniedActions array = []
+param deniedDataActions array = []
+
+module batchAccountCustomRole './custom.role.bicep' = {
+ name: 'custom-role-for-${batchAccountName}'
+ params: {
+ roleName: 'custom-role-for-${batchAccountName}'
+ roleDescription: 'Custom Role for Accessing Batch Accounts'
+ allowedActions: allowedActions
+ allowedDataActions: allowedDataActions
+ deniedActions: deniedActions
+ deniedDataActions: deniedDataActions
+ }
+}
+
+output batchAccountCustomRoleName string = batchAccountCustomRole.outputs.customRoleID
diff --git a/deploy/infra/modules/custom.role.bicep b/deploy/infra/modules/custom.role.bicep
new file mode 100644
index 0000000..0122b3a
--- /dev/null
+++ b/deploy/infra/modules/custom.role.bicep
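Review bot: `'Microsoft.Batch/batchAccounts/listKeys/action'` in the default `allowedActions` lets every holder of this role read the account's shared keys, which authenticate to the whole account independently of the pool/job actions listed around it, so the role is broader than its name and description suggest. If the Synapse and user managed identities authenticate to Batch with Azure AD only, drop it from the default (or put it behind its own parameter); if a caller genuinely needs the keys, say which one in a comment above the param. The output `batchAccountCustomRoleName` actually carries `customRole.id`, a role definition resource id — `output batchAccountCustomRoleId string = batchAccountCustomRole.outputs.customRoleID` would describe it, and the `roleDefinitionId: batchAccountCustomRole.outputs.batchAccountCustomRoleName` lines in orchestration.bicep (patch 3) would follow the rename.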
@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+targetScope = 'subscription'
+
+param roleName string
+param roleDescription string = ''
+param allowedActions array = []
+param allowedDataActions array = []
+param deniedActions array = []
+param deniedDataActions array = []
+
+resource customRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+ name: guid(roleName)
+ properties: {
+ description: roleDescription
+ assignableScopes: [
+ subscription().id
+ ]
+ permissions: [
+ {
+ actions: allowedActions
+ dataActions: allowedDataActions
+ notActions: deniedActions
+ notDataActions: deniedDataActions
+ }
+ ]
+ roleName: roleName
+ type: 'CustomRole'
+ }
+}
+
+output customRoleID string = customRole.id
From c4378802258804d0a21983d438b94e86324ea3f5 Mon Sep 17 00:00:00 2001
From: Sushil Kumar
Date: Thu, 21 Apr 2022 16:05:30 -0700
Subject: [PATCH 2/3] Added information to README.md regarding custom role and default permissions
---
deploy/README.md | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/deploy/README.md b/deploy/README.md
index 24687cd..a4fc752 100644
--- a/deploy/README.md
+++ b/deploy/README.md
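Review bot: `assignableScopes` is hard-wired to `subscription().id`, so this role can be assigned on any resource in the subscription even though its only consumer (batch.account.custom.role.bicep) is about a single batch account. A parameter with the same default keeps callers working and lets them narrow it to the resource group: `param assignableScopes array = [ subscription().id ]` and `assignableScopes: assignableScopes`. `name: guid(roleName)` ties the definition's GUID to the role name alone, so a redeploy with the same name updates the existing definition in place — presumably intended, but a comment above `name:` saying so would help the next reader.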
@@ -126,8 +126,22 @@ Following is the list of resource-groups and resources that should be created if
 Wait for all pools to complete resizing before moving to the next steps.
- Note: The Bicep template adds the Synapse workspace's Managed Identity to the Batch Account as `Contributor`. Alternatively, Custom Role Definitions can be used to assign the Synapse workspace's Managed Identity to the Batch Account with required Azure RBAC operations.
-
+ Note: The Bicep template adds the Synapse workspace's Managed Identity to the Batch Account with a Custom Role Access.
+
+ Following is the default list of permissions assigned to the custom role created.
+ ```
+ Microsoft.Batch/batchAccounts/pools/write
+ Microsoft.Batch/batchAccounts/pools/read
+ Microsoft.Batch/batchAccounts/pools/delete
+ Microsoft.Batch/batchAccounts/read
+ Microsoft.Batch/batchAccounts/listKeys/action
+ Microsoft.Batch/batchAccounts/jobSchedules/write
+ Microsoft.Batch/batchAccounts/jobSchedules/delete
+ Microsoft.Batch/batchAccounts/jobSchedules/read
+ Microsoft.Batch/batchAccounts/jobs/write
+ Microsoft.Batch/batchAccounts/jobs/delete
+ Microsoft.Batch/batchAccounts/jobs/read
+ ```
 - Keyvault named `aoi-orc-kv`.
 - User managed identity `aoi-orc-umi` for access and authentication.
 - Azure Container registry instance named `aoiorcacr` to store container images.
From 2c4d000b28ea2964901c804113e51096535cab2e Mon Sep 17 00:00:00 2001
From: Sushil Kumar
Date: Fri, 22 Apr 2022 11:14:23 -0700
Subject: [PATCH 3/3] Included the sysnapse MI and user MI for custom-role
---
deploy/infra/groups/orchestration.bicep | 33 +++++++++++--------
deploy/infra/modules/batch.account.bicep | 17 ----------
.../batch.account.role.assignment.bicep | 12 +++---
3 files changed, 25 insertions(+), 37 deletions(-)
diff --git a/deploy/infra/groups/orchestration.bicep b/deploy/infra/groups/orchestration.bicep
index 5804148..4448e35 100644
--- a/deploy/infra/groups/orchestration.bicep
+++ b/deploy/infra/groups/orchestration.bicep
@@ -9,13 +9,6 @@ param location string
 param synapseMIPrincipalId string
-// Guid to role definitions to be used during role
-// assignments including the below roles definitions:
-// Contributor
-param synapseMIBatchAccountRoles array = [
- 'b24988ac-6180-42a0-ab88-20f7382dd24c'
-]
-
 // Name parameters for infrastructure resources
 param orchestrationResourceGroupName string = ''
 param keyvaultName string = ''
@@ -176,14 +169,12 @@ module batchAccount '../modules/batch.account.bicep' = {
 location: location
 batchAccountName: toLower(batchAccountNameVar)
 userManagedIdentityId: uami.outputs.uamiId
- userManagedIdentityPrincipalId: uami.outputs.uamiPrincipalId
 allowedAuthenticationModes: batchAccountPoolAllocationMode == 'BatchService' ? allowedAuthenticationModesBatchSvc : allowedAuthenticationModesUsrSub
 autoStorageAuthenticationMode: batchAccountAutoStorageAuthenticationMode
 autoStorageAccountName: batchAccountAutoStorageAccountNameVar
 poolAllocationMode: batchAccountPoolAllocationMode
 publicNetworkAccess: batchAccountPublicNetworkAccess
 keyVaultName: keyvaultNameVar
- assignRoleToUserManagedIdentity: batchAccountCustomRole.outputs.batchAccountCustomRoleName
 }
 dependsOn: [
 uami
@@ -192,17 +183,29 @@ module batchAccount '../modules/batch.account.bicep' = {
 ]
 }
-module synapseIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = [ for role in synapseMIBatchAccountRoles: {
- name: '${namingPrefix}-batch-account-role-assgn'
+module synapseIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = {
+ name: '${namingPrefix}-batch-account-synapse-role-assign'
 params: {
- resourceName: toLower(batchAccountNameVar)
+ batchAccountName: toLower(batchAccountNameVar)
 principalId: synapseMIPrincipalId
- roleDefinitionId: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${role}'
+ roleDefinitionId: batchAccountCustomRole.outputs.batchAccountCustomRoleName
+ }
+ dependsOn: [
+ batchAccount
+ ]
+}
+
+module userManagedIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = {
+ name: '${namingPrefix}-batch-account-umi-role-assign'
+ params: {
+ batchAccountName: toLower(batchAccountNameVar)
+ principalId: uami.outputs.uamiPrincipalId
+ roleDefinitionId: batchAccountCustomRole.outputs.batchAccountCustomRoleName
 }
 dependsOn: [
 batchAccount
 ]
-}]
+}
 module batchAccountPoolCheck '../modules/batch.account.pool.exists.bicep' = {
 name: '${namingPrefix}-batch-account-pool-exists'
@@ -216,6 +219,7 @@ module batchAccountPoolCheck '../modules/batch.account.pool.exists.bicep' = {
 dependsOn: [
 batchAccountAutoStorageAccount
 batchAccount
+ userManagedIdentityForBatchAccess
 ]
 }
@@ -241,6 +245,7 @@ module batchAccountCpuOnlyPool '../modules/batch.account.pools.bicep' = {
 dependsOn: [
 batchAccountAutoStorageAccount
 batchAccount
+ userManagedIdentityForBatchAccess
 batchAccountPoolCheck
 ]
 }
diff --git a/deploy/infra/modules/batch.account.bicep b/deploy/infra/modules/batch.account.bicep
index 73e61db..d221af3 100644
--- a/deploy/infra/modules/batch.account.bicep
+++ b/deploy/infra/modules/batch.account.bicep
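Review bot: The new `userManagedIdentityForBatchAccess` entries in the `dependsOn` of `batchAccountPoolCheck` and `batchAccountCpuOnlyPool` (second and third hunks) order those modules after the role assignment is written, not after it is effective — Azure RBAC assignments propagate asynchronously, so a step that immediately acts under the UMI can still be rejected. If batch.account.pool.exists.bicep or the pool module runs under that identity (their bodies are outside this patch), a retry on the authorization failure inside them would make this ordering reliable; either way a comment on the new entries, e.g. `// pool operations run under the UMI and need its batch role in place`, would record why the dependency exists. Both modules that receive the new `dependsOn` entries start and end outside their hunks.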
@@ -16,8 +16,6 @@ param autoStorageAuthenticationMode string = 'StorageKeys'
 param autoStorageAccountName string
 param poolAllocationMode string = 'BatchService'
 param publicNetworkAccess bool = true
-param assignRoleToUserManagedIdentity string = 'Owner'
-param userManagedIdentityPrincipalId string
 param objIdForPolicy string = 'f520d84c-3fd3-4cc8-88d4-2ed25b00d27a'
@@ -96,19 +94,4 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2021-06-01' = {
 ]
 }
-var role = {
- owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
- reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
-}
-
-resource assignRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
- name: guid(batchAccount.id, userManagedIdentityPrincipalId, assignRoleToUserManagedIdentity)
- scope: batchAccount
- properties: {
- principalId: userManagedIdentityPrincipalId
- roleDefinitionId: assignRoleToUserManagedIdentity
- }
-}
-
 output batchAccountId string = batchAccount.id
diff --git a/deploy/infra/modules/batch.account.role.assignment.bicep b/deploy/infra/modules/batch.account.role.assignment.bicep
index 757ddde..10e23b4 100644
--- a/deploy/infra/modules/batch.account.role.assignment.bicep
+++ b/deploy/infra/modules/batch.account.role.assignment.bicep
@@ -4,17 +4,17 @@
 param principalId string
 param roleDefinitionId string
-param resourceName string
+param batchAccountName string
-param roleAssignmentId string = guid(principalId, roleDefinitionId, resourceName)
+param roleAssignmentId string = guid(principalId, roleDefinitionId, batchAccountName)
-resource existingResource 'Microsoft.Batch/batchAccounts@2021-06-01' existing = {
- name: resourceName
+resource batchAccount 'Microsoft.Batch/batchAccounts@2021-06-01' existing = {
+ name: batchAccountName
 }
-resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
+resource assignRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
 name: roleAssignmentId
- scope: existingResource
+ scope: batchAccount
 properties: {
 principalId: principalId
 roleDefinitionId: roleDefinitionId
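Review bot: `assignRole` sets `principalId` and `roleDefinitionId` but no `principalType`, and this module is now called (in orchestration.bicep) with a principal that the same deployment just created, `uami.outputs.uamiPrincipalId`; for a freshly created managed identity Azure recommends stating the type so the assignment does not fail intermittently while the new principal replicates. Adding `param principalType string = 'ServicePrincipal'` and `principalType: principalType` inside `properties` keeps the Synapse caller working and fixes the UMI case. A short comment above the resource noting that the assignment is scoped to the existing batch account, not the resource group, would also help, since the `batchAccount` reference is the only hint. The `assignRole` resource's closing lines are outside the hunk.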