feat: add permissions to installer for private links (#62)

Co-authored-by: Adam Smith <[email protected]>
appvia · Sep 16, 2024 · 3cc4e92 · 3cc4e92
1 parent 2b702ff
commit 3cc4e92
Show file tree

Hide file tree

Showing 10 changed files with 115 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -89,6 +89,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_enable_wf_cloudaccess"></a> [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity and admin CloudAccessConfig resources in Wayfinder once installed (requires enable\_k8s\_resources) | `bool` | `true` | no |
 | <a name="input_enable_wf_costestimates"></a> [enable\_wf\_costestimates](#input\_enable\_wf\_costestimates) | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `true` | no |
 | <a name="input_enable_wf_dnszonemanager"></a> [enable\_wf\_dnszonemanager](#input\_enable\_wf\_dnszonemanager) | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `false` | no |
+| <a name="input_enable_wf_privatelinks"></a> [enable\_wf\_privatelinks](#input\_enable\_wf\_privatelinks) | Whether to configure admin CloudAccessConfig for Private Link Management in the account wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The environment in which the resources are deployed. | `string` | `"production"` | no |
 | <a name="input_location"></a> [location](#input\_location) | The Azure region to use. | `string` | `"uksouth"` | no |
 | <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | Private DNS zone to use for private clusters | `string` | `null` | no |

diff --git a/main.tf b/main.tf
@@ -16,6 +16,8 @@ locals {
 
   # if not provided, use the same resource group as the AKS cluster
   private_link_resourcegroup = var.private_link_resourcegroup == "" ? var.resource_group_name : var.private_link_resourcegroup
+
+  cloudidentity_name = "cloudidentity-azure"
 }
 
 resource "time_sleep" "after_azurerm_role_definition_main" {

diff --git a/manifests/wayfinder-azure-privatelinkmanager-cloudaccessconfig.yml.tpl b/manifests/wayfinder-azure-privatelinkmanager-cloudaccessconfig.yml.tpl
@@ -0,0 +1,17 @@
+apiVersion: cloudaccess.appvia.io/v2beta2
+kind: CloudAccessConfig
+metadata:
+  name: azure-privatelinks
+  namespace: ws-admin
+spec:
+  cloud: azure
+  azure:
+    subscription: ${subscription_id}
+    tenantID: ${tenant_id}
+  description: Platform Private Link Management, created by Wayfinder install
+  type: NetworkPrivateLinks
+  cloudIdentityRef:
+    cloud: azure
+    name: ${identity}
+  permissions:
+  - permission: PrivateLinkManager
diff --git a/modules/cloudaccess/README.md b/modules/cloudaccess/README.md
@@ -22,6 +22,7 @@ Please see the [examples](./examples) directory to see how to deploy this module
 | <a name="input_enable_dns_zone_manager"></a> [enable\_dns\_zone\_manager](#input\_enable\_dns\_zone\_manager) | Whether to create the DNS Zone Manager IAM Role | `bool` | `false` | no |
 | <a name="input_enable_network_manager"></a> [enable\_network\_manager](#input\_enable\_network\_manager) | Whether to create the Network Manager IAM Role | `bool` | `false` | no |
 | <a name="input_enable_peering_acceptor"></a> [enable\_peering\_acceptor](#input\_enable\_peering\_acceptor) | Whether to create the Peering Acceptor IAM Role | `bool` | `false` | no |
+| <a name="input_enable_private_link_manager"></a> [enable\_private\_link\_manager](#input\_enable\_private\_link\_manager) | Whether to create the Private Link Manager IAM Role | `bool` | `false` | no |
 | <a name="input_from_aws"></a> [from\_aws](#input\_from\_aws) | Whether Wayfinder is running on AWS. | `bool` | `false` | no |
 | <a name="input_from_azure"></a> [from\_azure](#input\_from\_azure) | Whether Wayfinder is running on Azure. | `bool` | `true` | no |
 | <a name="input_from_gcp"></a> [from\_gcp](#input\_from\_gcp) | Whether Wayfinder is running on GCP. | `bool` | `false` | no |

diff --git a/modules/cloudaccess/variables.tf b/modules/cloudaccess/variables.tf
@@ -76,6 +76,12 @@ variable "enable_peering_acceptor" {
   type        = bool
 }
 
+variable "enable_private_link_manager" {
+  default     = false
+  description = "Whether to create the Private Link Manager IAM Role"
+  type        = bool
+}
+
 variable "enable_cloud_info" {
   default     = false
   description = "Whether to create the Cloud Info IAM Role"

diff --git a/modules/cloudaccess/wf_cluster_manager_definition.json b/modules/cloudaccess/wf_cluster_manager_definition.json
@@ -28,6 +28,7 @@
         "Microsoft.Storage/register/action",
         "Microsoft.Features/register/action",
         "Microsoft.Features/providers/features/register/action",
-        "Microsoft.Network/virtualNetworks/subnets/join/action"
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.ContainerService/managedClusters/PrivateEndpointConnectionsApproval/action"
     ]
 }
diff --git a/modules/cloudaccess/wf_privatelink_manager.tf b/modules/cloudaccess/wf_privatelink_manager.tf
@@ -0,0 +1,41 @@
+locals {
+  privatelinkmanager_definition = jsondecode(file("${path.module}/wf_privatelink_manager_definition.json"))
+}
+
+resource "azurerm_role_definition" "privatelinkmanager" {
+  count = var.enable_private_link_manager ? 1 : 0
+
+  name  = "${local.resource_prefix}privatelinkmanager${local.resource_suffix}"
+  scope = data.azurerm_subscription.primary.id
+
+  permissions {
+    actions = local.privatelinkmanager_definition.actions
+  }
+}
+
+resource "time_sleep" "after_azurerm_role_definition_privatelinkmanager" {
+  count = var.enable_private_link_manager ? 1 : 0
+  depends_on = [
+    azurerm_role_definition.privatelinkmanager[0],
+  ]
+
+  triggers = {
+    "azurerm_role_definition_privatelinkmanager" = jsonencode(keys(azurerm_role_definition.privatelinkmanager[0]))
+  }
+
+  create_duration  = var.create_duration_delay["azurerm_role_definition"]
+  destroy_duration = var.destroy_duration_delay["azurerm_role_definition"]
+}
+
+resource "azurerm_role_assignment" "privatelinkmanager" {
+  count = var.enable_private_link_manager && var.from_azure ? 1 : 0
+
+  scope                = data.azurerm_subscription.primary.id
+  role_definition_name = azurerm_role_definition.privatelinkmanager[0].name
+  principal_id         = var.wayfinder_identity_azure_principal_id
+
+  depends_on = [
+    time_sleep.after_azurerm_role_definition_privatelinkmanager[0],
+    azurerm_role_definition.privatelinkmanager[0],
+  ]
+}
diff --git a/modules/cloudaccess/wf_privatelink_manager_definition.json b/modules/cloudaccess/wf_privatelink_manager_definition.json
@@ -0,0 +1,21 @@
+{
+    "actions": [
+        "Microsoft.Authorization/roleAssignments/read",
+        "Microsoft.Authorization/roleDefinitions/read",
+        "Microsoft.Network/privateEndpoints/read",
+        "Microsoft.Network/privateEndpoints/write",
+        "Microsoft.Network/privateEndpoints/delete",
+        "Microsoft.Network/privateDnsZones/read",
+        "Microsoft.Network/privateDnsZones/write",
+        "Microsoft.Network/privateDnsZones/A/read",
+        "Microsoft.Network/privateDnsZones/A/write",
+        "Microsoft.Network/privateDnsZones/A/delete",
+        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
+        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
+        "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete",
+        "Microsoft.Network/virtualNetworks/join/action",
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+        "Microsoft.Network/networkInterfaces/read",
+        "Microsoft.ContainerService/managedClusters/PrivateEndpointConnectionsApproval/action"
+    ]
+}
diff --git a/variables.tf b/variables.tf
@@ -193,6 +193,12 @@ variable "enable_wf_cloudaccess" {
   default     = true
 }
 
+variable "enable_wf_privatelinks" {
+  description = "Whether to configure admin CloudAccessConfig for Private Link Management in the account wayfinder is installed in once installed (requires enable_k8s_resources and enable_wf_cloudaccess)"
+  type        = bool
+  default     = false
+}
+
 variable "enable_cross_tenant_access" {
   description = "Whether to enable cross-tenant access for Wayfinder. Will create a suitable Enterprise Application with federated credential for Wayfinder to use."
   type        = bool

diff --git a/wayfinder-cloudaccess.tf b/wayfinder-cloudaccess.tf
@@ -8,16 +8,17 @@ module "wayfinder_azure_cloudaccess" {
   create_duration_delay                 = { azurerm_role_definition = var.create_duration_delay.azurerm_role_definition }
   destroy_duration_delay                = { azurerm_role_definition = var.destroy_duration_delay.azurerm_role_definition }
 
-  enable_dns_zone_manager = var.enable_wf_dnszonemanager
-  enable_cloud_info       = var.enable_wf_costestimates
+  enable_dns_zone_manager     = var.enable_wf_dnszonemanager
+  enable_cloud_info           = var.enable_wf_costestimates
+  enable_private_link_manager = var.enable_wf_privatelinks
 }
 
 resource "kubectl_manifest" "wayfinder_cloud_identity_main" {
   count      = var.enable_k8s_resources && var.enable_wf_cloudaccess ? 1 : 0
   depends_on = [helm_release.wayfinder]
 
   yaml_body = templatefile("${path.module}/manifests/wayfinder-cloud-identity.yml.tpl", {
-    name         = "cloudidentity-azure"
+    name         = local.cloudidentity_name
     description  = "Cloud managed identity"
     client_id    = azurerm_user_assigned_identity.wayfinder_main.client_id
     tenant_id    = data.azurerm_subscription.current.tenant_id
@@ -33,7 +34,19 @@ resource "kubectl_manifest" "wayfinder_azure_cloudinfo_cloudaccessconfig" {
     region          = var.location
     subscription_id = data.azurerm_subscription.current.subscription_id
     tenant_id       = data.azurerm_subscription.current.tenant_id
-    identity        = "cloudidentity-azure"
+    identity        = local.cloudidentity_name
+  })
+}
+
+resource "kubectl_manifest" "wayfinder_azure_privatelinkmanager_cloudaccessconfig" {
+  count      = var.enable_k8s_resources && var.enable_wf_cloudaccess && var.enable_wf_privatelinks ? 1 : 0
+  depends_on = [time_sleep.after_kubectl_manifest_cloud_identity]
+
+  yaml_body = templatefile("${path.module}/manifests/wayfinder-azure-privatelinkmanager-cloudaccessconfig.yml.tpl", {
+    region          = var.location
+    subscription_id = data.azurerm_subscription.current.subscription_id
+    tenant_id       = data.azurerm_subscription.current.tenant_id
+    identity        = local.cloudidentity_name
   })
 }
 
@@ -45,6 +58,6 @@ resource "kubectl_manifest" "wayfinder_azure_dnszonemanagement_cloudaccessconfig
     region          = var.location
     subscription_id = data.azurerm_subscription.current.subscription_id
     tenant_id       = data.azurerm_subscription.current.tenant_id
-    identity        = "cloudidentity-azure"
+    identity        = local.cloudidentity_name
   })
 }