Merge branch 'main' of github.com:PureStorage-OpenConnect/cbs-deploy-bicep

vjirovsky-pure · vjirovsky-pure · commit a41fabcd993a · 2024-02-21T12:33:29.000+01:00
diff --git a/02-cbs.bicepparam.example b/02-cbs.bicepparam.example
@@ -15,3 +15,5 @@ param managedUserIdentityId = '/subscriptions/<---MY SUBSCRITION ID--->/resource
 // replace with vNET name (e.g. from output of 01-deploy-prerequisities.sh)
 param vnetName = 'my-vnet-name'
 param availabilityZone = 1
+// replace with an identity (user or group) within tenant, who would approve the JIT requests to manage CBS app resources.
+param jitApprovers = [{displayName:'my-cloud-ops-group',id:'<---OBJECT ID OF USER OR GROUP--->',type:'<--- 'group' OR 'user'--->'}]
diff --git a/deploy-e2e-demo.sh b/deploy-e2e-demo.sh
@@ -110,6 +110,9 @@ AZURE_MARKETPLACE_PUBLISHER=`echo $bicep_raw | jq -r .templateJson | jq -r .para
 AZURE_MARKETPLACE_PLAN_OFFER=`echo $bicep_raw | jq -r .templateJson | jq -r .parameters.azureMarketPlacePlanOffer.defaultValue`
 AZURE_MARKETPLACE_PLAN_VERSION=`echo $latestPlan | jq -r .planVersion`
 
+AZURE_LOGGED_USER_ID=`az ad signed-in-user show | jq -r .id`
+AZURE_LOGGED_USER_EMAIL=`az ad signed-in-user show | jq -r .mail`
+
 enablementOutput=$(az vm image terms accept \
     --subscription $subscriptionId \
     --publisher $AZURE_MARKETPLACE_PUBLISHER \
@@ -129,8 +132,9 @@ fi
 echo -e "${C_BLUE3}${C_GREY85}
 [Step #4] Deploying CBS managed app (~20mins):${NO_FORMAT}
 "
+jitApprovers="[{'displayName':'$AZURE_LOGGED_USER_EMAIL','id':'$AZURE_LOGGED_USER_ID','type':'user'}]"
 
-# Deploy our infrastructure
+# Deploy CBS
 output=$(az deployment group create \
   --name "CBS-E2E-deploy-sh" \
   --resource-group $resourceGroupName \
@@ -152,6 +156,7 @@ output=$(az deployment group create \
                azureMarketPlacePlanName=$AZURE_MARKETPLACE_PLAN_NAME \
                azureMarketPlacePlanPublisher=$AZURE_MARKETPLACE_PUBLISHER \
                azureMarketPlacePlanOffer=$AZURE_MARKETPLACE_PLAN_OFFER \
+               jitApprovers="$jitApprovers" \
                sshPublicKey="$sshPublicKeyInOpenSSHFormat"
   )
 
diff --git a/templates/cbs-managed-app.bicep b/templates/cbs-managed-app.bicep
@@ -105,6 +105,20 @@ param azureMarketPlacePlanName string = 'cbs_azure_6_4_10'
 
 param azureMarketPlacePlanOffer string = 'pure_storage_cloud_block_store_deployment'
 
+@description('''
+This access will not be used, but enabling JIT increases security - with turned on, Azure will not provide any default access to CBS resources (Managed App) to service provider.
+''')
+param jitAccessEnabled bool = true
+param jitApprovalMode string = 'ManualApprove'
+@description('''
+Provide an identity (user or group) within tenant, who would approve the JIT requests to manage CBS app resources.
+Required parameter by Azure, needs to be provided.
+Example value:
+[{'displayName':'some-user','id':'<<object-id-of-group>>','type':'group'}]
+''')
+param jitApprovers array
+
+
 module variables 'modules/variables.bicep' = {
   name: 'scriptVariables'
   params: {
@@ -146,9 +160,10 @@ resource cbsManagedApp 'Microsoft.Solutions/applications@2021-07-01' =  {
   identity: managedUserIdentity
   properties:{
     managedResourceGroupId: subscriptionResourceId('Microsoft.Resources/resourceGroups', managedRgName)
-    //TODO: currently not implemented in Bicep module
     jitAccessPolicy:{
-      jitAccessEnabled: false
+      jitAccessEnabled: jitAccessEnabled
+      jitApprovalMode: jitApprovalMode
+      jitApprovers: jitApprovers
     }
     parameters:{
       tagsByResource: {
