Merge branch 'david/azure-cross-subscription-roles' into david/suppor…
…t-partial-scopes
otterobert committed Dec 10, 2024
2 parents 80f7bf9 + 5d1b56a commit 0d7f6aa
Showing 4 changed files with 23 additions and 29 deletions.
Expand Up @@ -91,7 +91,7 @@ func (a *Agent) ensureRoleAssignmentsForIntents(ctx context.Context, userAssigne
a.assignmentMutex.Lock()
defer a.assignmentMutex.Unlock()

existingRoleAssignments, err := a.ListRoleAssignments(ctx, userAssignedIdentity)
existingRoleAssignments, err := a.ListRoleAssignmentsAcrossSubscriptions(ctx, userAssignedIdentity)
if err != nil {
return errors.Wrap(err)
}
Expand Down Expand Up @@ -195,7 +195,7 @@ func (a *Agent) DeleteRolePolicyFromIntents(ctx context.Context, intents otteriz
return errors.Wrap(err)
}

existingRoleAssignments, err := a.ListRoleAssignments(ctx, userAssignedIdentity)
existingRoleAssignments, err := a.ListRoleAssignmentsAcrossSubscriptions(ctx, userAssignedIdentity)
if err != nil {
return errors.Wrap(err)
}
2 changes: 1 addition & 1 deletion src/shared/azureagent/identities.go
Expand Up @@ -108,7 +108,7 @@ func (a *Agent) DeleteUserAssignedIdentity(ctx context.Context, namespace string
return errors.Wrap(err)
}

roleAssignments, err := a.ListRoleAssignments(ctx, identity)
roleAssignments, err := a.ListRoleAssignmentsAcrossSubscriptions(ctx, identity)
if err != nil {
return errors.Wrap(err)
}
42 changes: 18 additions & 24 deletions src/shared/azureagent/roleassignments.go
Expand Up @@ -59,48 +59,42 @@ func (a *Agent) DeleteRoleAssignment(ctx context.Context, roleAssignment armauth
return nil
}

func (a *Agent) ListRoleAssignments(ctx context.Context, userAssignedIdentity armmsi.Identity) ([]armauthorization.RoleAssignment, error) {
func (a *Agent) ListRoleAssignmentsAcrossSubscriptions(ctx context.Context, userAssignedIdentity armmsi.Identity) ([]armauthorization.RoleAssignment, error) {
subscriptions, err := a.ListSubscriptions(ctx)
if err != nil {
return nil, errors.Wrap(err)
}

var roleAssignments []armauthorization.RoleAssignment
pager := a.roleAssignmentsClient.NewListForSubscriptionPager(nil)
for pager.More() {
page, err := pager.NextPage(ctx)
for _, sub := range subscriptions {
roleAssignmentsForSubscription, err := a.ListRoleAssignmentsForSubscription(ctx, *sub.SubscriptionID, userAssignedIdentity)
if err != nil {
return nil, errors.Wrap(err)
}
for _, roleAssignment := range page.Value {
if *roleAssignment.Properties.PrincipalID == *userAssignedIdentity.Properties.PrincipalID {
roleAssignments = append(roleAssignments, *roleAssignment)
}
}

roleAssignments = append(roleAssignments, roleAssignmentsForSubscription...)
}

return roleAssignments, nil
}

func (a *Agent) ListRoleAssignmentsAcrossSubscriptions(ctx context.Context, userAssignedIdentity armmsi.Identity) ([]armauthorization.RoleAssignment, error) {
subscriptions, err := a.ListSubscriptions(ctx)
func (a *Agent) ListRoleAssignmentsForSubscription(ctx context.Context, subscriptionID string, userAssignedIdentity armmsi.Identity) ([]armauthorization.RoleAssignment, error) {
roleClient, err := a.GetRoleAssignmentClientForSubscription(subscriptionID)
if err != nil {
return nil, errors.Wrap(err)
}

var roleAssignments []armauthorization.RoleAssignment
for _, sub := range subscriptions {
roleClient, err := a.GetRoleAssignmentClientForSubscription(*sub.SubscriptionID)
pager := roleClient.NewListForSubscriptionPager(nil)
for pager.More() {
page, err := pager.NextPage(ctx)
if err != nil {
return nil, errors.Wrap(err)
}

pager := roleClient.NewListForSubscriptionPager(nil)
for pager.More() {
page, err := pager.NextPage(ctx)
if err != nil {
return nil, errors.Wrap(err)
}

for _, roleAssignment := range page.Value {
if *roleAssignment.Properties.PrincipalID == *userAssignedIdentity.Properties.PrincipalID {
roleAssignments = append(roleAssignments, *roleAssignment)
}
for _, roleAssignment := range page.Value {
if *roleAssignment.Properties.PrincipalID == *userAssignedIdentity.Properties.PrincipalID {
roleAssignments = append(roleAssignments, *roleAssignment)
}
}
}
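Review bot: `*sub.SubscriptionID` in ListRoleAssignmentsAcrossSubscriptions and `*roleAssignment.Properties.PrincipalID` / `*userAssignedIdentity.Properties.PrincipalID` in ListRoleAssignmentsForSubscription are dereferenced with no nil checks; the Azure SDK models these as pointer fields (and `page.Value` as a slice of pointers), so a single subscription or assignment returned without them would panic the agent rather than surface an error — the old code had the same shape, but this commit makes every caller depend on it. The identity's PrincipalID should be validated once before paging and each assignment's Properties/PrincipalID guarded before the comparison, as sketched below. The principal match is also applied client-side after listing every role assignment in each subscription; if `RoleAssignmentsClientListForSubscriptionOptions.Filter` is available in the SDK version in use, a server-side principal filter would cut the data pulled and the read permissions exercised — worth confirming. Because a failure in any one subscription now aborts the whole listing, callers like DeleteUserAssignedIdentity will fail entirely on a permission gap in an unrelated subscription; consider whether that is the intended behaviour. ListRoleAssignmentsForSubscription's body continues past the end of the hunk, so its return is not visible here.
```go
for _, sub := range subscriptions {
	if sub.SubscriptionID == nil {
		continue // cannot query a subscription without an ID; skip instead of panicking
	}
	roleAssignmentsForSubscription, err := a.ListRoleAssignmentsForSubscription(ctx, *sub.SubscriptionID, userAssignedIdentity)
	// … unchanged: error handling and append …
}

func (a *Agent) ListRoleAssignmentsForSubscription(ctx context.Context, subscriptionID string, userAssignedIdentity armmsi.Identity) ([]armauthorization.RoleAssignment, error) {
	if userAssignedIdentity.Properties == nil || userAssignedIdentity.Properties.PrincipalID == nil {
		return nil, errors.Wrap(fmt.Errorf("user assigned identity has no principal ID"))
	}
	// … unchanged: client lookup and pager setup …
	for _, roleAssignment := range page.Value {
		if roleAssignment == nil || roleAssignment.Properties == nil || roleAssignment.Properties.PrincipalID == nil {
			continue
		}
		if *roleAssignment.Properties.PrincipalID == *userAssignedIdentity.Properties.PrincipalID {
			roleAssignments = append(roleAssignments, *roleAssignment)
		}
	}
```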
4 changes: 2 additions & 2 deletions src/shared/azureagent/subscriptions.go
Expand Up @@ -15,8 +15,8 @@ func (a *Agent) ListSubscriptions(ctx context.Context) ([]armsubscriptions.Subsc
return nil, errors.Wrap(err)
}

for _, roleAssignment := range page.Value {
subscriptions = append(subscriptions, *roleAssignment)
for _, subscription := range page.Value {
subscriptions = append(subscriptions, *subscription)
}
}

