From 71f6270deafd782171b164f08188c83ea5c40a17 Mon Sep 17 00:00:00 2001
From: jagilber
Date: Sun, 29 Dec 2024 16:58:26 -0500
Subject: [PATCH 1/4] init draft
---
 ...cess-control-for-service-fabric-cluster.md | 280 ++++++++++++++++++
 1 file changed, 280 insertions(+)
 create mode 100644 Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
diff --git a/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md b/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
new file mode 100644
index 00000000..6b03e02e
--- /dev/null
+++ b/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
@@ -0,0 +1,280 @@
+# How to configure Azure Access control (IAM) for a Service Fabric Cluster
+
+The steps below describe how to configure Azure Access control Custom Roles for Service Fabric clusters. This configuration is based on default deployment parameters and may need to be adjusted based on specific requirements. These steps have been tested with Service Fabric clusters deployed in Azure as a default Entra constrained user that is not the subscription owner / administrator.
+
+## Azure Devops Service Connection Options
+
+For Service Fabric service connection configurations, it is recommended to use Entra (Azure Active Directory / AAD) for authentication and certificate common name for server certificate lookup. This configuration is maintenance free and provides the best security. This is the only service connection configuration that supports parallel deployments per agent host. See [Agent limitations](#agent-limitations).
+
+## Process
+
+- Verify [Requirements](#requirements)
+- Create Azure Resource Group for Service Fabric cluster
+- Create [Azure Subscription Custom Role Definition](#azure-subscription-custom-role-definition)
+- Assign [Azure Subscription Custom Role Definition](#azure-subscription-custom-role-definition) to Entra constrained user
+- Create [Azure Resource Group Custom Role Definition](#azure-resource-group-custom-role-definition)
+- Assign [Azure Resource Group Custom Role Definition](#azure-resource-group-custom-role-definition) to Entra constrained user
+- Assign built-in roles to Entra constrained user
+ - Service Fabric Cluster Contributor
+ - Service Fabric Managed Cluster Contributor
+- Assign Entra constrained user to Azure Key Vault Access Policy
+- Assign any additional roles to Entra constrained user necessary for custom deployment
+- Test Entra constrained user configuration
+
+## Requirements
+
+- Administrative access to Azure Subscription and Resource Group that allows creation of custom roles and assignment of roles.
+- Default Service Fabric cluster deployment consisting of:
+ - Service Fabric Cluster
+ - Virtual Network
+ - Public IP Address
+ - Load Balancer
+ - Virtual Machine Scale Set
+ - Storage Accounts
+- Entra constrained user that can be assigned with the following permissions:
+ - Azure Key Vault Access Policy
+ - Azure Subscription Custom Role
+ - Azure Resource Group Custom Role
+
+## Azure Subscription Configuration
+
+### Subscription Access Control (IAM)
+
+### Azure Subscription Custom Role Definition
+
+```json
+{
+ "properties": {
+ "roleName": "service fabric subscription custom role for deployments",
+ "description": "",
+ "assignableScopes": [
+ "/providers/Microsoft.Management/managementGroups/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.ServiceFabric/locations/*/read",
+ "Microsoft.KeyVault/vaults/deploy/action"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+```
+
+## Azure Resource Group Configuration
+
+### Resource Group Access Control (IAM)
+
+### Azure Resource Group Custom Role Definition
+
+```json
+{
+ "properties": {
+ "roleName": "service fabric resource group custom role for deployments",
+ "description": "",
+ "assignableScopes": [
+ "/subscriptions//resourceGroups/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Storage/storageAccounts/write",
+ "Microsoft.Network/virtualNetworks/write",
+ "Microsoft.Network/publicIPAddresses/write",
+ "Microsoft.Network/loadBalancers/write",
+ "Microsoft.Compute/virtualMachineScaleSets/write"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+```
+
+## Assign built-in roles to Entra constrained user
+
+## Assign Entra constrained user to Azure Key Vault Access Policy
+
+## Assign any additional roles to Entra constrained user necessary for custom deployment
+
+## Testing Entra constrained user configuration
+
+### Azure Portal Service Fabric cluster deployment
+
+### PowerShell Service Fabric cluster deployment
+
+## Scenarios
+
+- Azure Portal Service Fabric cluster deployment
+- PowerShell Service Fabric cluster deployment
+- Azure DevOps Service Connection configuration
+- Azure Portal Service Fabric managed cluster deployment
+- PowerShell Service Fabric managed cluster deployment
+
+## PowerShell commands
+
+### Creating custom role definitions
+
+```powershell
+# connect to Azure with global admin account
+Connect-AzAccount -TenantId -SubscriptionId
+# create role definition
+$roleDefinition = @'
+{
+ "properties": {
+ "roleName": "service fabric subscription custom role for deployments",
+ "description": "",
+ "assignableScopes": [
+ "/providers/Microsoft.Management/managementGroups/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.ServiceFabric/locations/*/read",
+ "Microsoft.KeyVault/vaults/deploy/action"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+'@
+
+New-AzRoleDefinition -InputObject $roleDefinition
+$roleDefinition = @'
+{
+ "properties": {
+ "roleName": "service fabric resource group custom role for deployments",
+ "description": "",
+ "assignableScopes": [
+ "/subscriptions//resourceGroups/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Storage/storageAccounts/write",
+ "Microsoft.Network/virtualNetworks/write",
+ "Microsoft.Network/publicIPAddresses/write",
+ "Microsoft.Network/loadBalancers/write",
+ "Microsoft.Compute/virtualMachineScaleSets/write"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+'@
+
+New-AzRoleDefinition -InputObject $roleDefinition
+```
+
+### Assigning custom role definitions to user
+
+```powershell
+# connect to Azure with global admin account
+Connect-AzAccount -TenantId -SubscriptionId
+# assign subscription role definition
+New-AzRoleAssignment -SignInName -RoleDefinitionName "service fabric subscription custom role for deployments" -Scope "/providers/Microsoft.Management/managementGroups/"
+
+# assign resource group role definition
+New-AzRoleAssignment -SignInName -RoleDefinitionName "service fabric resource group custom role for deployments" -Scope "/subscriptions//resourceGroups/"
+```
+
+### Enumerating role definitions and role assignments
+
+```powershell
+# connect to Azure with global admin account
+Connect-AzAccount -TenantId -SubscriptionId
+# get subscription role definition
+Get-AzRoleDefinition -Name "service fabric subscription custom role for deployments"
+
+# get resource group role definition
+Get-AzRoleDefinition -Name "service fabric resource group custom role for deployments"
+
+# get role assignment
+Get-AzRoleAssignment -SignInName
+
+## Troubleshooting
+
+
+
+## Reference
+
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-services-resource-providers
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps
+- https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-resource-group
+
+## Built-in roles
+
+### Service Fabric Cluster Contributor
+
+```json
+{
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-4e90-a50a-8c000140b017",
+ "properties": {
+ "roleName": "Service Fabric Cluster Contributor",
+ "description": "Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. 
You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc.",
+ "assignableScopes": [
+ "/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.ServiceFabric/clusters/*",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+```
+
+### Service Fabric Managed Cluster Contributor
+
+```json
+{
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-438c-ad2d-39e94d718838",
+ "properties": {
+ "roleName": "Service Fabric Managed Cluster Contributor",
+ "description": "Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services.",
+ "assignableScopes": [
+ "/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.ServiceFabric/managedclusters/*",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.Insights/alertRules/*",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Resources/subscriptions/resourceGroups/read"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ]
+ }
+}
+```
From 5a8343ef191faba7bfdc98cd531648f4d14e20af Mon Sep 17 00:00:00 2001
From: jagilber
Date: Sun, 29 Dec 2024 18:49:06 -0500
Subject: [PATCH 2/4] #draft# add additional section details
---
 ...cess-control-for-service-fabric-cluster.md | 121 ++++++++++++------
 1 file changed, 83 insertions(+), 38 deletions(-)
diff --git a/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md b/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
index 6b03e02e..5cf17302 100644
--- a/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
+++ b/Deployment/how-to-configure-azure-access-control-for-service-fabric-cluster.md
@@ -10,11 +10,11 @@ For Service Fabric service connection configurations, it is recommended to use E
 - Verify [Requirements](#requirements)
 - Create Azure Resource Group for Service Fabric cluster
-- Create [Azure Subscription Custom Role Definition](#azure-subscription-custom-role-definition)
-- Assign [Azure Subscription Custom Role Definition](#azure-subscription-custom-role-definition) to Entra constrained user
-- Create [Azure Resource Group Custom Role Definition](#azure-resource-group-custom-role-definition)
-- Assign [Azure Resource Group Custom Role Definition](#azure-resource-group-custom-role-definition) to Entra constrained user
-- Assign built-in roles to Entra constrained user
+- [Create Azure Subscription Custom Role Definition](#create-azure-subscription-custom-role-definition)
+- [Assign Azure Subscription Custom Role to Entra constrained user](#assign-azure-subscription-custom-role-to-entra-constrained-user)
+- [Create Azure Resource Group Custom Role Definition](#create-azure-resource-group-custom-role-definition)
+- [Assign Azure Resource Group Custom Role to Entra constrained user](#assign-azure-resource-group-custom-role-to-entra-constrained-user)
+- [Assign Service Fabric built-in roles to Entra constrained user](#assign-service-fabric-built-in-roles-to-entra-constrained-user)
 - Service Fabric Cluster Contributor
 - Service Fabric Managed Cluster Contributor
 - Assign Entra constrained user to Azure Key Vault Access Policy
@@ -25,22 +25,30 @@ For Service Fabric service connection configurations, it is recommended to use E
 - Administrative access to Azure Subscription and Resource Group that allows creation of custom roles and assignment of roles.
 - Default Service Fabric cluster deployment consisting of:
- - Service Fabric Cluster
- - Virtual Network
- - Public IP Address
- - Load Balancer
- - Virtual Machine Scale Set
- - Storage Accounts
-- Entra constrained user that can be assigned with the following permissions:
- - Azure Key Vault Access Policy
- - Azure Subscription Custom Role
- - Azure Resource Group Custom Role
-
-## Azure Subscription Configuration
+ - Service Fabric Cluster
+ - Virtual Network
+ - Public IP Address
+ - Load Balancer
+ - Virtual Machine Scale Set
+ - Storage Accounts
+- Entra constrained user that will be assigned the following roles:
+ - Azure Key Vault Access Policy
+ - Azure Subscription Custom Role
+ - Azure Resource Group Custom Role
+ - Service Fabric Cluster Contributor
+
+## Azure Portal Subscription Configuration
+
+To configure Azure Access control (IAM) for Service Fabric cluster deployments, currently, a custom role at the subscription level is required. This is necessary to allow the Entra constrained user to deploy Service Fabric clusters in the subscription. The custom roles should be created with the minimum permissions required for Service Fabric cluster deployments.
 ### Subscription Access Control (IAM)
-### Azure Subscription Custom Role Definition
+- Login to [Azure Portal](https://portal.azure.com) as a subscription owner / administrator
+- On the Subscription blade, select Access control (IAM), then select Add custom role
+- Fill in the required fields
+- JSON definition for the custom role is provided below. This definition should be modified with subscription id and required permissions.
+
+#### Create Azure Subscription Custom Role Definition
 ```json
 {
@@ -65,11 +73,25 @@ For Service Fabric service connection configurations, it is recommended to use E
 }
 ```
-## Azure Resource Group Configuration
+#### Assign Azure Subscription Custom Role to Entra constrained user
+
+- On the Subscription blade, select Access control (IAM), then select Add role assignment
+- Select the custom role created in the previous step
+- Select the Entra constrained user
+- Select Review + assign
+
+## Azure Portal Resource Group Configuration
+
+To configure Azure Access control (IAM) for Service Fabric cluster deployments, a custom role at the resource group level is required. This is necessary to allow the Entra constrained user to deploy Service Fabric clusters in the resource group. The custom roles should be created with the minimum permissions required for Service Fabric cluster deployments.
 ### Resource Group Access Control (IAM)
-### Azure Resource Group Custom Role Definition
+#### Create Azure Resource Group Custom Role Definition
+
+- Login to [Azure Portal](https://portal.azure.com) as a subscription owner / administrator
+- On the Resource Group blade, select Access control (IAM), then select Add custom role
+- Fill in the required fields
+- JSON definition for the custom role is provided below. This definition should be modified with subscription id, resource group and required permissions.
 ```json
 {
@@ -97,7 +119,21 @@ For Service Fabric service connection configurations, it is recommended to use E
 }
 ```
-## Assign built-in roles to Entra constrained user
+#### Assign Azure Resource Group Custom Role to Entra constrained user
+
+- On the Resource Group blade, select Access control (IAM), then select Add role assignment
+- Select the custom role created in the previous step
+- Select the Entra constrained user
+- Select Review + assign
+
+## Assign Service Fabric built-in roles to Entra constrained user
+
+- On the Resource Group blade, select Access control (IAM), then select Add role assignment
+- Select one of the built-in roles:
+ - Service Fabric Cluster Contributor
+ - Service Fabric Managed Cluster Contributor
+- Select the Entra constrained user
+- Select Review + assign
 ## Assign Entra constrained user to Azure Key Vault Access Policy
@@ -107,13 +143,25 @@ For Service Fabric service connection configurations, it is recommended to use E
 ### Azure Portal Service Fabric cluster deployment
+- Login to [Azure Portal](https://portal.azure.com) as Entra constrained user
+- Select Resource Group
+- Select +Create
+- Select [Service Fabric Cluster](https://portal.azure.com/#create/Microsoft.ServiceFabricCluster) or [Service Fabric Managed Cluster](https://portal.azure.com/#create/Microsoft.ManagedServiceFabricCluster)
+- Fill in the required fields
+
 ### PowerShell Service Fabric cluster deployment
+```powershell
+# connect to Azure with global admin account
+Connect-AzAccount -TenantId -SubscriptionId
+# create new service fabric cluster arm template deployment
+New-AzResourceGroupDeployment -ResourceGroupName -TemplateFile