Open ltalirz opened 2 years ago
The Contributor role is only granted on the resource group in which CycleCloud will create resources (VMs, VMSS, NICs). Is it still an issue in your case?
The Azure policy that was violated was: roles can only be assigned to Azure directory groups (i.e. not to an individual user or managed identity).
One way to abide by this policy would have been to have an AD group "contributors to resource group X" and to let Terraform add the CycleCloud VM to this group (instead of giving it the Contributor role directly).
Not saying that this needs to be changed, just pointing out that the current az-hop deployment violated this policy.
OK, that would be a big change and would mean giving up the all-in-one deployment model. We won't change it for now, but this is an interesting scenario to cover.
In what area(s)?
Describe the feature
As part of the deployment process, the 'Contributor' role is assigned to the ccportal principal here: https://github.com/Azure/az-hop/blob/8898d87e0d4b1bea09d1e2ffed0bb8f02e49d5ee/tf/ccportal.tf#L146-L152
While the "User Access Administrator" rights allow this in principle, customers may have policies in place that allow assigning roles only to Active Directory groups (for governance reasons).
It may be useful to document this requirement.
One possible mitigation might be to allow the deployer VM service principal to add the CycleCloud VM principal to an existing "contributors" Active Directory group.
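The group-based alternative sketched in this issue, written out as an added Terraform example (this is not az-hop's own code from `tf/ccportal.tf`). It assumes an already-existing security group whose display name is passed in `var.contributor_group_name`, a resource group resource named `azurerm_resource_group.rg`, and a VM resource `azurerm_linux_virtual_machine.ccportal` with a system-assigned identity; all three names are hypothetical. The Contributor role is bound to the group, and the VM's identity is made a member of that group instead of receiving the role directly.

```hcl
# Added example, not az-hop code: grant Contributor through an existing AD group
# rather than directly to the CycleCloud VM's managed identity.
# Assumed (hypothetical) inputs: var.contributor_group_name,
# azurerm_resource_group.rg, azurerm_linux_virtual_machine.ccportal.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azuread = { source = "hashicorp/azuread" }
  }
}

variable "contributor_group_name" {
  type        = string
  description = "Display name of an existing Azure AD security group that holds Contributor on the resource group"
}

# The group is created out of band (by the governance owner); Terraform only looks it up.
data "azuread_group" "rg_contributors" {
  display_name     = var.contributor_group_name
  security_enabled = true
}

# Role assignment targets the group, which is what a "roles only to groups" policy requires.
resource "azurerm_role_assignment" "rg_contributor_group" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Contributor"
  principal_id         = data.azuread_group.rg_contributors.object_id
  principal_type       = "Group"
}

# Membership, not a role, is what the VM's system-assigned identity receives.
# principal_id only exists once the VM has been created, so Terraform orders this after it.
resource "azuread_group_member" "ccportal_in_contributors" {
  group_object_id  = data.azuread_group.rg_contributors.object_id
  member_object_id = azurerm_linux_virtual_machine.ccportal.identity[0].principal_id
}
```

Two caveats a deployer should plan for. Adding a member to an Azure AD group is a directory write, not an Azure RBAC operation: the identity running Terraform needs to be an owner of the group or hold a directory role such as Groups Administrator (or the `GroupMember.ReadWrite.All` Graph permission); "User Access Administrator" on the subscription does not grant this. Second, the VM's managed identity only picks up the new group membership when it obtains a fresh access token, so services on the VM that cached a token before the membership was added may not see Contributor rights until that token expires or is re-requested.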