From 44609f049988da17ada491979449cdb4a907a6f1 Mon Sep 17 00:00:00 2001
From: Joel Bennett
Date: Tue, 3 Oct 2023 23:53:06 -0400
Subject: [PATCH] Add a sops-key in the deployment
---
 infrastructure/Cluster.bicep | 64 +++++++++----------
 infrastructure/modules/keyVault.bicep | 1 +
 infrastructure/modules/managedCluster.bicep | 3 +
 .../modules/resourceRoleAssignment.bicep | 6 +-
 4 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/infrastructure/Cluster.bicep b/infrastructure/Cluster.bicep
index 957a044..a9f93d8 100644
--- a/infrastructure/Cluster.bicep
+++ b/infrastructure/Cluster.bicep
@@ -170,8 +170,8 @@ var deploymentName = deployment().name
 // }
 // The actual cluster's identity does not need federation
-module uai 'modules/userAssignedIdentity.bicep' = {
- name: '${deploymentName}_uai'
+module kubeletId 'modules/userAssignedIdentity.bicep' = {
+ name: '${deploymentName}_uai_kubelet'
 params: {
 baseName: baseName
 location: location
@@ -209,7 +209,7 @@ module aks 'modules/managedCluster.bicep' = {
 identity: {
 type: 'UserAssigned'
 userAssignedIdentities: {
- '${uai.outputs.id}': {}
+ '${kubeletId.outputs.id}': {}
 }
 }
 controlPlaneUpgradeChannel: controlPlaneUpgradeChannel
@@ -230,6 +230,20 @@ module aks 'modules/managedCluster.bicep' = {
 }
 }
+module fluxId 'modules/userAssignedIdentity.bicep' = {
+ name: '${deploymentName}_uai_flux_crypto'
+ params: {
+ baseName: 'flux_crypto'
+ location: location
+ tags: tags
+ azureADTokenExchangeFederatedIdentityCredentials: {
+ '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:source-controller'
+ '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:helm-controller'
+ '${aks.outputs.oidcIssuerUrl}': 'system:serviceaccount:flux-system:image-reflector-controller'
+ }
+ }
+}
+
 module flux 'modules/flux.bicep' = {
 name: '${deploymentName}_flux'
 params: {
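Review bot: The three entries in `azureADTokenExchangeFederatedIdentityCredentials` all use the same key `'${aks.outputs.oidcIssuerUrl}'`, and an object cannot carry the same property three times, so at most one of the three Flux service accounts ends up with a federated credential (which one survives, or whether the deployment fails instead, depends on how `userAssignedIdentity.bicep` evaluates the interpolated key — that module is outside this patch). A map keyed by issuer cannot express several subjects for one issuer; keying it by subject, e.g. `'system:serviceaccount:flux-system:source-controller': aks.outputs.oidcIssuerUrl`, or turning the parameter into an array of `{ issuer, subject }` objects would fix it, with a matching change in the module. Separately, in Flux the SOPS decryption is performed by kustomize-controller, not by source-, helm- or image-reflector-controller; if this identity exists for the `sops-key` as the commit title suggests, the subject list should be checked against the controllers that actually decrypt, since every extra service account that can assume a `Key Vault Crypto User` identity widens the blast radius of a compromised pod for no benefit.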
@@ -249,8 +263,8 @@ module flux 'modules/flux.bicep' = {
 // }
 // }
-module aks_iam1 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_aks_iam1'
+module iam_admin_aks 'modules/resourceRoleAssignment.bicep' = {
+ name: '${deploymentName}_iam_admin_aks'
 params: {
 principalIds: [ adminId ]
 resourceId: aks.outputs.id
@@ -258,17 +272,8 @@ module aks_iam1 'modules/resourceRoleAssignment.bicep' = {
 }
 }
-module aks_iam2 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_aks_iam2'
- params: {
- principalIds: [ adminId ]
- resourceId: aks.outputs.id
- roleName: 'Azure Kubernetes Service RBAC Reader'
- }
-}
-
-module keyvault_devops_secrets 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_akvdvo_secrets'
+module iam_admin_kv_secrets 'modules/resourceRoleAssignment.bicep' = {
+ name: '${deploymentName}_iam_admin_kv_secrets'
 params: {
 principalIds: [ adminId ]
 resourceId: keyVault.outputs.id
@@ -276,28 +281,19 @@ module keyvault_devops_secrets 'modules/resourceRoleAssignment.bicep' = {
 }
 }
-module keyvault_devops_crypto 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_akvdvo_crypto'
+module iam_admin_kv_crypto 'modules/resourceRoleAssignment.bicep' = {
+ name: '${deploymentName}_iam_admin_kv_crypto'
 params: {
 principalIds: [ adminId ]
 resourceId: keyVault.outputs.id
- roleName: 'Key Vault Crypto User'
- }
-}
-
-module keyvault_kubelet_secrets 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_akv2k8s_secrets'
- params: {
- principalIds: [ aks.outputs.kubeletIdentityObjectId ]
- resourceId: keyVault.outputs.id
- roleName: 'Key Vault Secrets User'
+ roleName: 'Key Vault Crypto Officer'
 }
 }
-module keyvault_kubelet_crypto 'modules/resourceRoleAssignment.bicep' = {
- name: '${deploymentName}_akv2k8s_crypto'
+module iam_flux_crypto 'modules/resourceRoleAssignment.bicep' = {
+ name: '${deploymentName}_iam_flux_crypto'
 params: {
- principalIds: [ aks.outputs.kubeletIdentityObjectId ]
+ principalIds: [ fluxId.outputs.principalId ]
 resourceId: keyVault.outputs.id
 roleName: 'Key Vault Crypto User'
 }
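Review bot: `iam_admin_kv_crypto` now grants `adminId` `Key Vault Crypto Officer` on the whole vault where the removed line had `Key Vault Crypto User`; Crypto Officer adds create, import, delete, purge and rotate on every key, including the `sops-key` this patch creates, so a compromised admin credential can now destroy the key that every SOPS-encrypted secret depends on. Since the key is provisioned by the deployment itself (keyVault.bicep in this patch), the admin appears to need only encrypt/decrypt to author secrets; unless manual key management is intended I would keep `roleName: 'Key Vault Crypto User'` and leave key lifecycle to the deploying identity. The new `iam_flux_crypto` assignment is likewise scoped to `keyVault.outputs.id`, i.e. every key in the vault; if `resourceRoleAssignment.bicep` accepts a key-level resource id, scoping it to the `sops-key` resource would be tighter — that module's scope handling is outside this hunk so I cannot confirm it does.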
@@ -310,13 +306,13 @@ output fluxReleaseNamespace string = flux.outputs.fluxReleaseNamespace
 output clusterId string = aks.outputs.id
 @description('User Assigned Identity Resource ID, required by deployment scripts')
-output userAssignedResourceID string = uai.outputs.id
+output userAssignedResourceID string = kubeletId.outputs.id
 @description('User Assigned Identity Object ID, used for Azure Role assignement')
-output userAssignedIdentityPrincipalId string = uai.outputs.principalId
+output userAssignedIdentityPrincipalId string = kubeletId.outputs.principalId
 @description('User Assigned Identity Client ID, used for application config (so we can use this identity from code)')
-output userAssignedIdentityClientId string = uai.outputs.clientId
+output userAssignedIdentityClientId string = kubeletId.outputs.clientId
 // output LogAnalyticsName string = logAnalytics.name
 // output LogAnalyticsGuid string = logAnalytics.properties.customerId
diff --git a/infrastructure/modules/keyVault.bicep b/infrastructure/modules/keyVault.bicep
index 5e53ade..77ef017 100644
--- a/infrastructure/modules/keyVault.bicep
+++ b/infrastructure/modules/keyVault.bicep
@@ -38,6 +38,7 @@ resource sopsKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
 parent: vault
 name: 'sops-key'
 properties: {
+ kty: 'RSA'
 keyOps: [
 'decrypt'
 'encrypt'
diff --git a/infrastructure/modules/managedCluster.bicep b/infrastructure/modules/managedCluster.bicep
index c5968d0..7024bd5 100644
--- a/infrastructure/modules/managedCluster.bicep
+++ b/infrastructure/modules/managedCluster.bicep
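Review bot: `kty: 'RSA'` pins the key family for `sops-key` but no `keySize` is visible in this hunk; if it is not set further down in `properties` (the resource body continues past the hunk), Key Vault applies its service default (2048-bit today), which leaves the strength of the key protecting every SOPS secret implicit and subject to change with the service rather than chosen here. I would set it explicitly next to the type, e.g. `keySize: 4096`, and record why the type is fixed: `// SOPS azure_kv encrypts with RSA-OAEP, so the key must be RSA; keep it non-exportable`. The `keyOps` list also continues outside the hunk, so I cannot tell whether it is limited to the encrypt/decrypt that SOPS needs.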
@@ -445,3 +445,6 @@ output id string = cluster.id
 @description('User Assigned Object ID for the Kubelet Identity used to access the ACR. Used for Azure Role assignement for AcrPull to the ACR, and for granting Akv2K8s access to KeyVaults')
 output kubeletIdentityObjectId string = cluster.properties.identityProfile.kubeletidentity.objectId
+
+@description('The OIDC Issuer URL for federated credentials (Workload Identity)')
+output oidcIssuerUrl string = cluster.properties.oidcIssuerProfile.issuerURL
diff --git a/infrastructure/modules/resourceRoleAssignment.bicep b/infrastructure/modules/resourceRoleAssignment.bicep
index 8fbfefc..64712aa 100644
--- a/infrastructure/modules/resourceRoleAssignment.bicep
+++ b/infrastructure/modules/resourceRoleAssignment.bicep
@@ -382,9 +382,9 @@ var builtInRoles = json(loadTextContent('roles.jsonc'))
 // pull the subscription id and resourceGroup name from the resource Id:
 // Input: /subscriptions//resourceGroups///
-var subscription = split(resourceId, '/resourceGroups/')
-var subscriptionId = split(subscription[0], 'subscriptions/')[1]
-var resourceGroupName = split(subscription[1], '/')[0]
+var splits = split(substring(resourceId, 1, length(resourceId) - 1), '/')
+var subscriptionId = splits[1]
+var resourceGroupName = splits[3]
 // For subdeployments, prefix our name (which is hopefully unique/time-stamped)
 var deploymentName = deployment().name
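Review bot: `cluster.properties.oidcIssuerProfile.issuerURL` is only populated when the cluster is deployed with `oidcIssuerProfile: { enabled: true }`; that property lives elsewhere in `managedCluster.bicep` and is not in this patch, so if it is off the new output is empty and the federated credentials that Cluster.bicep builds from it would be created against an empty issuer (or fail) rather than against this cluster. I would make the precondition part of the contract so callers can see the coupling, e.g. `@description('OIDC issuer URL for Workload Identity federated credentials. Only populated when oidcIssuerProfile.enabled is true on the cluster.')`.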
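Review bot: `splits[1]` and `splits[3]` assume `resourceId` has the shape `/subscriptions/<subId>/resourceGroups/<rg>/...`; for an id at any other scope (a subscription or management-group id, for instance) the positional lookup silently returns the wrong segments, so a role assignment — a grant of rights — is scoped to the wrong place or fails with an opaque error, and the removed `split(...)[1]`/`[0]` code had the same weakness without stating it. Unless the experimental `assert` feature is enabled there is no in-language check to add, so I would at least make the precondition visible where the parsing happens and on the `resourceId` parameter (declared outside this hunk): `// resourceId must be resource-group scoped: /subscriptions/<subId>/resourceGroups/<rg>/providers/...`. The existing `// Input:` comment above the change reads `/subscriptions//resourceGroups///`, apparently with its placeholders lost, so rewriting it that way also repairs the documentation.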