Update Key Vault to use Azure RBAC (#306)

* Use Azure RBAC for key vault access

RELEASING.md

@@ -3,10 +3,16 @@
 Releases are made through the [GitHub UI](https://github.com/microsoft/planetary-computer-tasks/releases/new).
 Create a new tag for your release, using the format `<year>.<month>.<count>`.
 
-You also need to update the `pc-test-gha-tags-release` Federated Identity Credential on the `PC Test GitHub Actions Deployment` App Regestration to match the new tag.
+You also need to update the `pc-test-gha-tags-release` Federated Identity Credential on the `PC Test GitHub Actions Deployment` App Registration to match the new tag.
 
 ```azurecli
 az ad app federated-credential update --federated-credential-id "pc-test-gha-tags-release" --id "$CLIENT_ID" --parameters '{"issuer": "https://token.actions.githubusercontent.com", "subject": "repo:microsoft/planetary-computer-tasks:ref:refs/tags/$TAG", "description": "Federated credential for Github Actions to deploy to Azure from microsoft/planetary-computer-tasks with any tag", "audiences": ["api://AzureADTokenExchange"]}'
 ```
 
 where `$TAG` is something like `2024.6.1`.
+
+This identity has been granted the necessary Azure RBAC permissions to do the deployment.
+
+```azurecli
+az role assignment create --role "Key Vault Secrets Officer" --assignee "$CLIENT_ID" --scope "$KEYVAULT_ID"
+```

deployment/bin/deploy

@@ -223,36 +223,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then
         --timeout 2m0s \
         --debug
 
-    echo "=================="
-    echo "===== KEDA ======="
-    echo "=================="
-
-    helm upgrade --install keda helm/vendored/keda-2.14.2.tgz \
-        -n keda \
-        --create-namespace \
-        -f helm/keda-values.yaml \
-        --wait \
-        --timeout 2m0s \
-        --debug
-
-    # TODO: Figure out how to apply to set this with helm
-    echo "Adding KEDA secret"
-    pushd ${TERRAFORM_DIR}
-      SA_CONNECTION_STRING=$(tf_output sa_connection_string)
-    popd
-    # pipe into kubectl apply to ensure create or update works.
-    kubectl -n pc create secret generic secrets-storage-queue-connection-string \
-        --from-literal="ConnectionString=$SA_CONNECTION_STRING" \
-        --dry-run=client -o yaml \
-        | kubectl apply -f -
-    echo "Creating KEDA trigger auth"
-    # This namespace must match where argo runs its workflows
-    kubectl -n pc apply -f helm/keda-trigger-authentication.yaml
-
-    echo "Adding KEDA roles and rolebindings"
-    # This namespace must match where argo runs its workflows
-    kubectl -n pc apply -f helm/argo-workflow-keda-rbac-prod.yaml
-
     echo "===================="
     echo "== PCTasksIngress =="
     echo "===================="

deployment/terraform/resources/aks.tf

@@ -175,14 +175,10 @@ resource "azurerm_federated_identity_credential" "workflows" {
   timeouts {}
 }
 
-resource "azurerm_key_vault_access_policy" "example" {
-  key_vault_id = data.azurerm_key_vault.pctasks.id
-  tenant_id    = azurerm_user_assigned_identity.workflows.tenant_id
-  object_id    = azurerm_user_assigned_identity.workflows.principal_id
-
-  secret_permissions = [
-    "Get"
-  ]
+resource "azurerm_role_assignment" "workflows-secrets-user" {
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_user_assigned_identity.workflows.principal_id
+  scope                = data.azurerm_key_vault.pctasks.id
 }
 
 # When you enable the key vault secrets provider block in an AKS cluster,

deployment/terraform/resources/apim.tf

@@ -18,18 +18,10 @@ resource "azurerm_api_management" "pctasks" {
   }
 }
 
-resource "azurerm_key_vault_access_policy" "apim" {
-  key_vault_id = data.azurerm_key_vault.deploy_secrets.id
-  tenant_id    = azurerm_api_management.pctasks.identity[0].tenant_id
-  object_id    = azurerm_api_management.pctasks.identity[0].principal_id
-
-  depends_on = [
-    azurerm_api_management.pctasks,
-  ]
-
-  secret_permissions = [
-    "Get", "List"
-  ]
+resource "azurerm_role_assignment" "apim-secrets-user" {
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_api_management.pctasks.identity[0].principal_id
+  scope                = data.azurerm_key_vault.deploy_secrets.id
 }
 
 resource "azurerm_api_management_named_value" "pctasks_access_key" {

deployment/terraform/resources/keyvault.tf

@@ -3,14 +3,10 @@ data "azurerm_key_vault" "pctasks" {
   resource_group_name = var.pctasks_task_kv_resource_group_name
 }
 
-resource "azurerm_key_vault_access_policy" "function_app" {
-  key_vault_id = data.azurerm_key_vault.pctasks.id
-  tenant_id    = azurerm_linux_function_app.pctasks.identity.0.tenant_id
-  object_id    = azurerm_linux_function_app.pctasks.identity.0.principal_id
-
-  secret_permissions = [
-    "Get", "List"
-  ]
+resource "azurerm_role_assignment" "functions-secrets-user" {
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_linux_function_app.pctasks.identity.0.principal_id
+  scope                = data.azurerm_key_vault.pctasks.id
 }
 
 # Store database information as a secret

docs/development/deploying.md

@@ -47,26 +47,6 @@ az acr import -n pccomponentstest --source quay.io/argoproj/argoexec:v3.5.7 -t a
 
 The image and tag values are specified in the `argo-values.yaml` file and used during installs.
 
-#### KEDA
-
-The chart can be brought into the `deployment/helm/vendored` directory by running the following command:
-
-```console
-cd deployment/helm/vendored
-helm repo add kedacore <https://kedacore.github.io/charts>
-helm pull kedacore/keda --version 2.14.2
-```
-
-The images can be imported into your ACR by running the following command:
-
-```console
-az acr import -n pccomponentstest --source ghcr.io/kedacore/keda-admission-webhooks:2.14.0 -t kedacore/keda-admission-webhooks:2.14.0  --subscription "Planetary Computer Test"
-az acr import -n pccomponentstest --source ghcr.io/kedacore/keda-metrics-apiserver:2.14.0 -t kedacore/keda-metrics-apiserver:2.14.0 --subscription "Planetary Computer Test"
-az acr import -n pccomponentstest --source ghcr.io/kedacore/keda:2.14.0 -t kedacore/keda:2.14.0 --subscription "Planetary Computer Test"
-```
-
-The image and tag values are specified in the `keda-values.yaml` file and used during installs.
-
 ### Deployment Service principal
 
 You'll need a service principal that has sufficient permissions to deploy Azure resources, including creating resource groups and assigning IAM roles.

scripts/cluster

@@ -113,16 +113,6 @@ EOF
     # E0303 15:59:48.181644   27243 memcache.go:255] couldn't get resource list for external.metrics.k8s.io/v1beta1: Got empty response for: external.metrics.k8s.io/v1beta1
     # https://github.com/kubernetes-sigs/custom-metrics-apiserver/issues/146
 
-    echo "===== KEDA ======="
-    helm repo add kedacore https://kedacore.github.io/charts
-
-    helm upgrade --install keda kedacore/keda \
-        -n keda \
-        --create-namespace \
-        --wait \
-        --timeout 2m0s
-    kubectl -n argo apply -f deployment/helm/argo-workflow-keda-rbac-dev.yaml
-    kubectl -n argo apply -f deployment/helm/keda-trigger-authentication.yaml
     kubectl -n argo create secret generic queue-connection-string-auth \
         --from-literal=ConnectionString='AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;DefaultEndpointsProtocol=http;BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;'