Provide AGIC Identity role to manage AppGW Identity

.github/workflows/ghpages.yml

@@ -16,7 +16,7 @@ jobs:
         run: |
           cd helper
           npm install
-          REACT_APP_APPINSIGHTS_KEY=${{ secrets.REACT_APP_APPINSIGHTS_KEY}} REACT_APP_K8S_VERSION="1.20.7" REACT_APP_AZ_TEMPLATE_ARG="--template-uri https://github.com/Azure/Aks-Construction/releases/download/0.1.3-preview/main.json" npm run build
+          REACT_APP_APPINSIGHTS_KEY=${{ secrets.REACT_APP_APPINSIGHTS_KEY}} REACT_APP_K8S_VERSION="1.20.7" REACT_APP_AZ_TEMPLATE_ARG="--template-uri https://github.com/Azure/Aks-Construction/releases/download/0.1.4-preview/main.json" npm run build
 
       - name: Deploy to GitHub Pages
         if: success() && github.event_name == 'push' && github.ref == 'refs/heads/main'

bicep/compiled/main.json

@@ -229,6 +229,7 @@
     "DEPLOY_APPGW_ADDON": "[and(parameters('ingressApplicationGateway'), empty(parameters('byoAGWSubnetId')))]",
     "contributor": "[resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
     "reader": "[resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
+    "managedIdentityOperator": "[resourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
     "diagProperties": {
       "workspaceId": "[variables('workspaceId')]",
       "logs": [
@@ -272,7 +273,7 @@
       "apiVersion": "2021-06-01-preview",
       "name": "[variables('akvName')]",
       "location": "[parameters('location')]",
-      "properties": "[union(createObject('tenantId', subscription().tenantId, 'sku', createObject('family', 'A', 'name', 'Standard'), 'enabledForTemplateDeployment', true(), 'accessPolicies', concat(if(parameters('azureKeyvaultSecretsProvider'), array(createObject('tenantId', subscription().tenantId, 'objectId', reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.azureKeyvaultSecretsProvider.identity.clientId, 'permissions', createObject('keys', createArray('get', 'decrypt', 'unwrapKey', 'verify'), 'secrets', createArray('get'), 'certificates', createArray('get', 'getissuers')))), createArray()), if(parameters('appgwKVIntegration'), array(createObject('tenantId', subscription().tenantId, 'objectId', reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('id-appgw-{0}', parameters('resourceName')))).principalId, 'permissions', createObject('secrets', createArray('get', 'set', 'delete', 'list')))), createArray()))), if(not(empty(parameters('AKVserviceEndpointFW'))), createObject('networkAcls', createObject('defaultAction', 'Deny', 'virtualNetworkRules', concat(array(createObject('action', 'Allow', 'id', if(parameters('custom_vnet'), reference(resourceId('Microsoft.Resources/deployments', 'network'), '2019-10-01').outputs.aksSubnetId.value, parameters('byoAKSSubnetId')))), if(parameters('appgwKVIntegration'), array(createObject('action', 'Allow', 'id', if(parameters('ingressApplicationGateway'), if(parameters('custom_vnet'), reference(resourceId('Microsoft.Resources/deployments', 'network'), '2019-10-01').outputs.appGwSubnetId.value, parameters('byoAGWSubnetId')), ''))), createArray())), 'ipRules', if(not(equals(parameters('AKVserviceEndpointFW'), 'vnetonly')), createArray(createObject('action', 'Allow', 'value', parameters('AKVserviceEndpointFW'))), null()))), createObject()))]",
+      "properties": "[union(createObject('tenantId', subscription().tenantId, 'sku', createObject('family', 'A', 'name', 'Standard'), 'enabledForTemplateDeployment', true(), 'publicNetworkAccess', 'enabled', 'accessPolicies', concat(if(parameters('azureKeyvaultSecretsProvider'), array(createObject('tenantId', subscription().tenantId, 'objectId', reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.azureKeyvaultSecretsProvider.identity.objectId, 'permissions', createObject('keys', createArray('get', 'decrypt', 'unwrapKey', 'verify'), 'secrets', createArray('get'), 'certificates', createArray('get', 'getissuers')))), createArray()), if(parameters('appgwKVIntegration'), array(createObject('tenantId', subscription().tenantId, 'objectId', reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('id-appgw-{0}', parameters('resourceName')))).principalId, 'permissions', createObject('secrets', createArray('get', 'set', 'delete', 'list')))), createArray()))), if(not(empty(parameters('AKVserviceEndpointFW'))), createObject('networkAcls', createObject('defaultAction', 'Deny', 'virtualNetworkRules', concat(array(createObject('action', 'Allow', 'id', if(parameters('custom_vnet'), reference(resourceId('Microsoft.Resources/deployments', 'network'), '2019-10-01').outputs.aksSubnetId.value, parameters('byoAKSSubnetId')))), if(parameters('appgwKVIntegration'), array(createObject('action', 'Allow', 'id', if(parameters('ingressApplicationGateway'), if(parameters('custom_vnet'), reference(resourceId('Microsoft.Resources/deployments', 'network'), '2019-10-01').outputs.appGwSubnetId.value, parameters('byoAGWSubnetId')), ''))), createArray())), 'ipRules', if(not(equals(parameters('AKVserviceEndpointFW'), 'vnetonly')), createArray(createObject('action', 'Allow', 'value', parameters('AKVserviceEndpointFW'))), null()))), createObject()))]",
       "dependsOn": [
         "[resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))]",
         "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('id-appgw-{0}', parameters('resourceName')))]",
@@ -359,7 +360,7 @@
       "properties": {
         "roleDefinitionId": "[variables('contributor')]",
         "principalType": "ServicePrincipal",
-        "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.ingressApplicationGateway.identity.clientId]"
+        "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.ingressApplicationGateway.identity.objectId]"
       },
       "dependsOn": [
         "[resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))]",
@@ -374,12 +375,28 @@
       "properties": {
         "roleDefinitionId": "[variables('reader')]",
         "principalType": "ServicePrincipal",
-        "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.ingressApplicationGateway.identity.clientId]"
+        "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.ingressApplicationGateway.identity.objectId]"
       },
       "dependsOn": [
         "[resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))]"
       ]
     },
+    {
+      "condition": "[and(variables('DEPLOY_APPGW_ADDON'), variables('deployAppGw'))]",
+      "type": "Microsoft.Authorization/roleAssignments",
+      "apiVersion": "2021-04-01-preview",
+      "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', format('id-appgw-{0}', parameters('resourceName')))]",
+      "name": "[guid(resourceGroup().id, variables('appgwName'), 'apidentityoperator')]",
+      "properties": {
+        "roleDefinitionId": "[variables('managedIdentityOperator')]",
+        "principalType": "ServicePrincipal",
+        "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))).addonProfiles.ingressApplicationGateway.identity.objectId]"
+      },
+      "dependsOn": [
+        "[resourceId('Microsoft.ContainerService/managedClusters', format('aks-{0}', parameters('resourceName')))]",
+        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('id-appgw-{0}', parameters('resourceName')))]"
+      ]
+    },
     {
       "condition": "[and(variables('deployAppGw'), not(empty(variables('workspaceId'))))]",
       "type": "Microsoft.Insights/diagnosticSettings",
@@ -1091,7 +1108,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.3.126.58533",
-      "templateHash": "7379087891921921572"
+      "templateHash": "13364905346399954379"
     }
   }
 }

bicep/main.bicep

@@ -254,7 +254,7 @@ var deployAppGw = ingressApplicationGateway && (custom_vnet || !empty(byoAGWSubn
 // If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
 // 'identity' is always created (adding: "|| deployAppGw") until this is fixed: 
 // https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if ( /*appgwKVIntegration*/deployAppGw) {
+resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if ( /* appgwKVIntegration && */deployAppGw) {
   name: 'id-appgw-${resourceName}'
   location: location
 }
@@ -423,6 +423,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAp
 var DEPLOY_APPGW_ADDON = ingressApplicationGateway && empty(byoAGWSubnetId)
 var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
+// AGIC's identity requires "Contributor" permission over Application Gateway.
 resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (DEPLOY_APPGW_ADDON && deployAppGw) {
   scope: appgw
   name: guid(resourceGroup().id, appgwName, 'appgwcont')
@@ -433,6 +434,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2021-04-01-pr
   }
 }
 
+// AGIC's identity requires "Reader" permission over Application Gateway's resource group.
 var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (DEPLOY_APPGW_ADDON && deployAppGw) {
   scope: resourceGroup()
@@ -444,6 +446,18 @@ resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2021-04-01-p
   }
 }
 
+// AGIC's identity requires "Managed Identity Operator" permission over the user assigned identity of Application Gateway.
+var managedIdentityOperator = resourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
+resource appGwAGICMIOp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (DEPLOY_APPGW_ADDON && /* appgwKVIntegration && */ deployAppGw) {
+  scope: appGwIdentity
+  name: guid(resourceGroup().id, appgwName, 'apidentityoperator')
+  properties: {
+    roleDefinitionId: managedIdentityOperator
+    principalType: 'ServicePrincipal'
+    principalId: aks.properties.addonProfiles.ingressApplicationGateway.identity.objectId
+  }
+}
+
 // ------------------------------------------------------------------ AppGW Diagnostics
 var diagProperties = {
   workspaceId: workspaceId

helper/src/components/deployTab.js

@@ -92,15 +92,18 @@ az role assignment create --role "Contributor" --assignee-principal-type Service
 az role assignment create --role "Reader" --assignee-principal-type ServicePrincipal --assignee-object-id $AKS_AGIC_IDENTITY_ID --scope $APPGW_RG_ID
 #------- END Workaround
 ` : '') +
-
+    (net.vnet_opt === "byo" && addons.ingress === 'appgw' /* && appgwKVIntegration */ ? `
+APPGW_IDENTITY="$(az network application-gateway show -g ${rg} -n ${agw} --query 'keys(identity.userAssignedIdentities)[0]' -o tsv)"
+az role assignment create --role "Managed Identity Operator" --assignee-principal-type ServicePrincipal --assignee-object-id $AKS_AGIC_IDENTITY_ID --scope $APPGW_IDENTITY
+` : '') +
     // CSI-Secret KeyVault addon - using this method until supported by ARM template
     //    (addons.csisecret !== "none" ? `\n# Workaround to enabling the csisecret addon (in preview)
     //az aks enable-addons -n ${aks} -g ${rg} -a azure-keyvault-secrets-provider
     //` : '') +
 
-    // Get Admin credentials
-    `\n# Get admin credentials for your new AKS cluster
-az aks get-credentials -g ${rg} -n ${aks} --admin ` +
+    // Get credentials
+    `\n# Get credentials for your new AKS cluster
+az aks get-credentials -g ${rg} -n ${aks} ` +
     // Prometheus
     (addons.monitor === 'oss' ? `\n\n# Install kube-prometheus-stack
 helm repo add prometheus-community https://prometheus-community.github.io/helm-charts