
6. Create Deployment Service Principals

Create the Azure DevOps & Kubernetes Service Principals

The Terraform-specific Service Principals (SPs) are used to automate the creation of the various runtime environments. Because these SPs hold powerful permissions, we want to use them as rarely as possible. Therefore, to safely manage deployments from the CD pipelines, we use more restricted SPs.

As such, we create one Service Principal per environment, granted only the minimal permissions it requires.

    az ad sp create-for-rbac --name ar-devops-<env>-sp

Where <env> is the environment the SP is created for.

Example:

    az ad sp create-for-rbac --name ar-devops-uat-sp

Assign the required roles to the new Service Principal

Once the Service Principal is created, the required roles can be associated and scoped to the corresponding resources. The <app-id> is the identifier of the Service Principal created before.

The first assigned role is Reader on the Resource Group that holds the environment-specific resources.

    az role assignment create \
        --role Reader \
        --scope /subscriptions/<subscription-id>/resourceGroups/ar-<env>-env \
        --assignee <app-id>

Next, we need to assign the Contributor role on the environment's Application Gateway, a role required by the App Gateway Ingress Controller.

    az role assignment create \
        --role Contributor \
        --scope /subscriptions/<subscription-id>/resourceGroups/ar-<env>-env/providers/Microsoft.Network/applicationGateways/ar-<env>-app-gw \
        --assignee <app-id>

Example:

    az role assignment create \
        --role Reader \
        --scope /subscriptions/35ddf877-eb02-420f-97e8-81f584388517/resourceGroups/ar-uat-env \
        --assignee <app-id>

    az role assignment create \
        --role Contributor \
        --scope /subscriptions/35ddf877-eb02-420f-97e8-81f584388517/resourceGroups/ar-uat-env/providers/Microsoft.Network/applicationGateways/ar-uat-app-gw \
        --assignee <app-id>
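The steps above (create the per-environment SP, assign Reader on the resource group, assign Contributor on the Application Gateway only) can be wrapped in a small script that derives both scopes from the page's naming convention and then verifies that the principal ends up with exactly those two assignments and nothing broader. This is an added example, not part of the original page or the project's own tooling; it assumes an authenticated `az` CLI, that `az ad sp create-for-rbac` returns the new principal's `appId`, and that `az role assignment list --assignee <app-id> --all --query '[].[roleDefinitionName,scope]' -o tsv` yields one `role<TAB>scope` line per assignment. The function names and the GUID check are the example's own.

```shell
#!/usr/bin/env sh
# Added example: least-privilege role assignments for ar-devops-<env>-sp
# and a post-deployment check that nothing wider than intended was granted.

# Scope paths derived from the page's naming convention.
rg_scope() {            # $1 = subscription id, $2 = env
  printf '/subscriptions/%s/resourceGroups/ar-%s-env' "$1" "$2"
}
appgw_scope() {         # $1 = subscription id, $2 = env
  printf '%s/providers/Microsoft.Network/applicationGateways/ar-%s-app-gw' \
    "$(rg_scope "$1" "$2")" "$2"
}

# Reject anything that is not a GUID before it reaches a --scope argument
# (a malformed id would silently scope the assignment to nothing useful).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Create the SP and exactly the two assignments the page describes.
# Requires an authenticated az CLI (assumed flags, not run in the test).
deploy_sp() {           # $1 = subscription id, $2 = env
  is_guid "$1" || { echo "deploy_sp: '$1' is not a subscription GUID" >&2; return 1; }
  app_id=$(az ad sp create-for-rbac --name "ar-devops-$2-sp" --query appId -o tsv) || return 1
  az role assignment create --role Reader \
    --scope "$(rg_scope "$1" "$2")" --assignee "$app_id" || return 1
  az role assignment create --role Contributor \
    --scope "$(appgw_scope "$1" "$2")" --assignee "$app_id" || return 1
  # Feed the live assignment list back into the checker below.
  az role assignment list --assignee "$app_id" --all \
    --query '[].[roleDefinitionName,scope]' -o tsv | check_assignments "$1" "$2"
}

# Verify from stdin ("role<TAB>scope" lines) that the principal holds
# Reader on the resource group and Contributor on the App Gateway, and
# nothing else. A Contributor assignment at resource-group or subscription
# scope, or any extra role, makes this return non-zero.
check_assignments() {   # $1 = subscription id, $2 = env, stdin = tsv lines
  expected=$(printf 'Contributor\t%s\nReader\t%s\n' \
    "$(appgw_scope "$1" "$2")" "$(rg_scope "$1" "$2")")
  actual=$(sort)
  [ "$actual" = "$expected" ]
}
```

Running `deploy_sp <subscription-id> uat` performs the page's three commands and then exits non-zero if the resulting assignment list differs from the two expected entries, which is the check worth adding to the pipeline: it catches a Contributor role that was accidentally scoped to the whole resource group instead of the gateway.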