From 711fecc0ff8a9c1cb9db4c4b8cbf53543be57b44 Mon Sep 17 00:00:00 2001
From: Bruno Gabrielli
Date: Thu, 21 Mar 2024 23:38:42 +0100
Subject: [PATCH] AMA Script for Assigning Identity to Platform MG (#1607)
Co-authored-by: Arjen Huitema
---
 docs/wiki/Whats-new.md | 15 ++--
 src/scripts/Set-RBACAmaPolicyAssignment.ps1 | 79 +++++++++++++++++++++
 2 files changed, 84 insertions(+), 10 deletions(-)
 create mode 100644 src/scripts/Set-RBACAmaPolicyAssignment.ps1
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 1ac4007304..de923bacf7 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -58,16 +58,11 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Add an additional role assignment for ChangeTracking Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
 - Add an additional role assignment to Azure Update Manger Policies, granting Managed Identity Operator at the same scope as the assignment.
 - **To update an existing deployment:**
- - For each of the VMInsights and ChangeTracking Initiative assignments:
- - **Only required for the Initiatives assigned to Landing Zones Management group scope**
- - Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- - Go to Management Groups, select the Platform Management group and go to Access control (IAM)
- - Add a new role assignment and assign the Reader role the Principal ID that was copied in the first step.
- - For each of the Azure Update Manger Initiative assignments:
- - **Applies to the Initiatives assigned to both the Landing Zones and the Platform Management group scopes**
- - Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- - Go to Management Groups, select the same management group as the assignment you copied the Principal ID from and go to Access control (IAM)
- - Add a new role assignment and assign the Managed Identity Operator role the Principal ID that was copied in the first step.
+ - This script [Set-RBACAmaPolicyAssignment.ps1](https://github.com/Azure/Enterprise-Scale/blob/main/src/scripts/Set-RBACAmaPolicyAssignment.ps1) will update the required role assignments. The `enterpriseScaleCompanyPrefix` parameter is required for running the script and should contain the intermediate root management group name.
+
+ ```powershell
+ .\Set-RBACAmaPolicyAssignment.ps1 -enterpriseScaleCompanyPrefix contoso
+ ```
 
 ### February 2024
 
diff --git a/src/scripts/Set-RBACAmaPolicyAssignment.ps1 b/src/scripts/Set-RBACAmaPolicyAssignment.ps1
new file mode 100644
index 0000000000..564456a9a0
--- /dev/null
+++ b/src/scripts/Set-RBACAmaPolicyAssignment.ps1
@@ -0,0 +1,79 @@
+#!/usr/bin/pwsh
+
+#
+# PowerShell Script
+# - Assigns 'Reader' role permissions on Platform MG to the identities (Deploy-vmHybr-Monitoring, Deploy-VM-Monitoring, Deploy-VMSS-Monitoring,
+# Deploy-vmArc-ChangeTrack, Deploy-VM-ChangeTrack, Deploy-VMSS-ChangeTrack) configured on the Landing Zones MG
+# - Assigns 'Managed Identity Operator' on both Platform and Landing Zones MGs to the "Enable-AUM-CheckUpdates" identity
+#
+
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'enterpriseScaleCompanyPrefix', Justification = 'False positive as rule does not know that Where-Object operates within the same scope')]
+
+[CmdletBinding(SupportsShouldProcess)]
+param(
+ # the pseudo managemnt group to start from
+ [Parameter(Mandatory = $True,
+ ValueFromPipeline = $false)]
+ [string]$enterpriseScaleCompanyPrefix
+)
+
+process {
+ $vmiCtIdentityList = "Deploy-vmHybr-Monitoring", "Deploy-VM-Monitoring", "Deploy-VMSS-Monitoring", "Deploy-vmArc-ChangeTrack", "Deploy-VM-ChangeTrack", "Deploy-VMSS-ChangeTrack"
+ $aumIdentityList = "Enable-AUM-CheckUpdates"
+
+ If (-NOT(Get-Module -ListAvailable Az.Resources)) {
+ Write-Output "This script requires the Az.Resources module."
+
+ $response = Read-Host "Would you like to install the 'Az.Resources' module now? (y/n)"
+ If ($response -match '[yY]') { Install-Module Az.Resources -Scope CurrentUser }
+ }
+
+ Write-Output "Retrieving Platform and Landing Zones management groups ..."
+
+ # getting Platform and Landing Zones mgs
+ $platformMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-platform" } -ErrorAction SilentlyContinue
+ $landingZonesMg = Get-AzManagementGroup | Where-Object { $_.Name -like "$enterpriseScaleCompanyPrefix*-landingzones" } -ErrorAction SilentlyContinue
+
+ if ($platformMg -and $landingZonesMg) {
+ # getting role assignments for both Platform and landing Zones mgs
+ Write-Output "`tRetrieving role assignments on Platform management group ..."
+ $platformMgAumRoleAssignments = Get-AzRoleAssignment -Scope $($platformMg.Id) | where-object { $_.Displayname -in $aumIdentityList } | Sort-Object -Property ObjectId -Unique
+
+ Write-Output "`tRetrieving role assignments on Landing Zones management group ..."
+ $landingZonesMgAumRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $aumIdentityList } | Sort-Object -Property ObjectId -Unique
+ $landingZonesMgVmiCtRoleAssignments = Get-AzRoleAssignment -Scope $($landingZonesMg.Id) | where-object { $_.Displayname -in $vmiCtIdentityList } | Sort-Object -Property ObjectId -Unique
+ # Performing role assignments
+ if ($landingZonesMgVmiCtRoleAssignments) {
+ # assigning Reader role for VMI and CT Managed Identities from LandingZones to Platform mg
+ Write-Output "`t`tAssigning 'Reader' role for 'VMInsights' and 'Change Tracking' Managed Identities from Landing Zones to Platform management group ..."
+ $landingZonesMgVmiCtRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Reader' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'VMInsights' and 'Change Tracking' Managed Identities."
+ }
+
+ if ($landingZonesMgAumRoleAssignments) {
+ # assigning Managed Identity Operator to Azure Update Manager Managed Identity on Landing Zones mg
+ Write-Output "`t`tAssigning 'Managed Identity Operator' role to 'Azure Update Manager' Managed Identity on Landing Zones management group ..."
+ $landingZonesMgAumRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($landingZonesMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Landing Zones management group for the given 'Azure Update Manger' Managed Identities."
+ }
+
+ if ($platformMgAumRoleAssignments) {
+ # assigning Managed Identity Operator to Azure Update Manager Managed Identity on Platform mg
+ Write-Output "`t`tAssigning 'Managed Identity Operator' role to 'Azure Update Manager' Managed Identity on Platform management group ..."
+ $platformMgAumRoleAssignments | ForEach-Object { New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId-ErrorAction SilentlyContinue }
+ }
+ else {
+ Write-Output "`t`tNo role assignment found on the Platform management group for the given 'Azure Update Manger' Managed Identity."
+ }
+ }
+ else {
+ Write-Output "`tOne or more management group of type 'Platform' and 'Landing Zones' was not found. Make sure you have the necessary permissions and/or that the hierachy is Azure Landing Zones aligned."
+ }
+}
+End {
+ Write-Output "Script execution completed."
+}
\ No newline at end of file
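Review bot: The Platform-scope 'Managed Identity Operator' call in the `if ($platformMgAumRoleAssignments)` branch is missing the space before `-ErrorAction`, so `$_.ObjectId-ErrorAction` is most likely not parsed as the ObjectId argument plus the ErrorAction parameter and New-AzRoleAssignment will reject or misbind it; the line should read `New-AzRoleAssignment -Scope $($platformMg.Id) -RoleDefinitionName 'Managed Identity Operator' -ObjectId $_.ObjectId -ErrorAction SilentlyContinue`. All three New-AzRoleAssignment calls also use `-ErrorAction SilentlyContinue`, so a grant that fails (insufficient rights on the target scope, throttling, a principal not yet replicated) leaves no trace and the operator cannot tell which identities actually received the role; for a script whose only job is to change RBAC I would run the calls with `-ErrorAction Stop` inside try/catch and report each failing ObjectId and scope, or at minimum echo the returned assignment objects. The `-like "$enterpriseScaleCompanyPrefix*-platform"` and `*-landingzones` filters can match more than one management group, in which case `$platformMg.Id` is an array and the `-Scope` argument will fail or bind unexpectedly; checking `@($platformMg).Count -eq 1` (and the same for `$landingZonesMg`) before assigning anything would make the target of the grant explicit. Note too that the `-ErrorAction SilentlyContinue` placed after `Where-Object` applies to Where-Object rather than to Get-AzManagementGroup, so it does not suppress the error it appears meant to suppress.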