Open SandGrainOne opened 3 weeks ago
Is this a good time to remove the filescan service? We have defender with malware detection enabled for apps ref: https://github.com/Altinn/altinn-platform/issues/516
This would require some rewriting in storage I think, but that would probably be a better use of our time than fixing the filescan service?
@bengtfredh @Herskis @SandGrainOne
@tjololo is it more or less work than setting up EventGrid (and whatever else we need; I haven't properly looked at it yet) to get the Defender scan reports to Storage?
Files are scanned by Defender when they are uploaded. When the malware scan is complete, Defender will add two blob index tags: the scan time and the scan result. These tags should then be available on the blob once uploaded, or there is an option to send them to Event Grid, it seems. Not sure what suits Storage best? https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#providing-scan-results
If we are to replicate the features provided by FileScan we would need to actively update the DataElement with the scan result. The best way to do that would be to react to the event rather than polling for results.
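As an added illustration (not code from the Altinn repositories) of the two result channels described above, tags on the blob versus the Event Grid event, here is a small Python mapper that turns either into a DataElement scan status and fails closed: a missing or unrecognised result is never reported as clean. The tag names, event type and result strings are assumptions taken from the Defender for Storage malware-scan docs linked above and should be verified against the current doc; the sample inputs are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional

# ASSUMED identifiers, per the Defender for Storage malware-scan docs; verify before use.
SCAN_RESULT_TAG = "Malware Scanning scan result"
SCAN_TIME_TAG = "Malware Scanning scan time UTC"
SCAN_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"


class ScanStatus(Enum):
    PENDING = "Pending"    # no result yet: the file must NOT be treated as clean
    CLEAN = "Clean"
    INFECTED = "Infected"
    UNKNOWN = "Unknown"    # unexpected value: keep the file blocked until investigated


@dataclass
class ScanOutcome:
    status: ScanStatus
    scanned_at: Optional[str] = None   # scan time as reported by Defender
    detail: Optional[str] = None       # malware names, when the event carries them


def _classify(result: Optional[str]) -> ScanStatus:
    """Map Defender's result string to a status; anything unrecognised fails closed."""
    if result is None:
        return ScanStatus.PENDING
    if result == "No threats found":
        return ScanStatus.CLEAN
    if result == "Malicious":
        return ScanStatus.INFECTED
    return ScanStatus.UNKNOWN


def outcome_from_blob_tags(tags: Mapping[str, str]) -> ScanOutcome:
    """Polling path: read the two index tags Defender adds to the blob after scanning."""
    return ScanOutcome(_classify(tags.get(SCAN_RESULT_TAG)), tags.get(SCAN_TIME_TAG))


def outcome_from_event(event: Mapping) -> Optional[ScanOutcome]:
    """Event path: handle a Defender scan-result event; returns None for other event types."""
    if event.get("eventType") != SCAN_EVENT_TYPE:
        return None
    data = event.get("data") or {}
    details = data.get("scanResultDetails") or {}
    names = ", ".join(details.get("malwareNamesFound") or [])
    return ScanOutcome(_classify(data.get("scanResultType")),
                       data.get("scanFinishedTimeUtc"), names or None)


# Constructed sample inputs (not real scan output).
SAMPLE_TAGS_CLEAN = {SCAN_RESULT_TAG: "No threats found", SCAN_TIME_TAG: "2024-05-01T10:00:00Z"}
SAMPLE_EVENT_MALICIOUS = {"eventType": SCAN_EVENT_TYPE, "subject": "storageAccounts/example/containers/c/blobs/f",
                          "data": {"scanResultType": "Malicious", "scanFinishedTimeUtc": "2024-05-01T10:00:05Z",
                                   "scanResultDetails": {"malwareNamesFound": ["Constructed.TestSample"]}}}
```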
@bengtfredh you are more familiar than me with the setup of Defender. I see there is an Event Grid system topic present now. Is there anything more that is needed?
If the filescan is always finished the moment Storage gets the OK status back from the storage account, we might just be able to update the scan status as soon as the file is uploaded, but that would require some testing and verification that the scan result is always present.
The Event Grid for every storage account is created by Azure. This is not something we have configured. I have actually been looking into preventing this Event Grid from getting created. I think both Broker and SFVT use the Event Grid with some app logic; it is probably better to talk to them.
Description
We need workload identity for the altinn-file-scan application before we can properly remove the Shared Access Signature related code and resources. The migration project can proceed now that Storage is updated, but it would be nice if we could discontinue the support for SAS fully. It would also mean deleting the SAS-generating KeyVault for every application owner.
Required accesses
File scan needs similar accesses as Storage:
- Key Vault Secrets User: access to the platform keyvault (List, Get)
- Storage Blob Data Contributor: access to all Application Owner Storage accounts

Tasks