Merge pull request #17478 from hakman/azure-fix-role-assignment

azure: Fix small issues related to role assignments

Author: k8s-ci-robot

pkg/model/azuremodel/vmscaleset.go

@@ -67,7 +67,7 @@ func (b *VMScaleSetModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 			// See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
 			resourceGroupID := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s",
 				b.Cluster.Spec.CloudProvider.Azure.SubscriptionID,
-				b.Cluster.Spec.CloudProvider.Azure.ResourceGroupName,
+				b.Cluster.AzureResourceGroupName(),
 			)
 			c.AddTask(&azuretasks.RoleAssignment{
 				Name:       to.Ptr(fmt.Sprintf("%s-%s", *vmss.Name, "owner")),

pkg/resources/azure/azure.go

@@ -63,6 +63,14 @@ func (g *resourceGetter) resourceGroupName() string {
 	return g.clusterInfo.AzureResourceGroupName
 }
 
+func (g *resourceGetter) resourceGroupID() string {
+	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", g.clusterInfo.AzureSubscriptionID, g.clusterInfo.AzureResourceGroupName)
+}
+
+func (g *resourceGetter) storageAccountID() string {
+	return g.clusterInfo.AzureStorageAccountID
+}
+
 func (g *resourceGetter) listResourcesAzure() (map[string]*resources.Resource, error) {
 	rs, err := g.listAll()
 	if err != nil {
@@ -397,11 +405,17 @@ func (g *resourceGetter) listVMScaleSetsAndRoleAssignments(ctx context.Context)
 		principalIDs[*vmss.Identity.PrincipalID] = vmss
 	}
 
-	ras, err := g.listRoleAssignments(ctx, principalIDs)
+	resourceGroupRAs, err := g.listRoleAssignments(ctx, principalIDs, g.resourceGroupID())
+	if err != nil {
+		return nil, err
+	}
+	rs = append(rs, resourceGroupRAs...)
+
+	storageAccountRAs, err := g.listRoleAssignments(ctx, principalIDs, g.storageAccountID())
 	if err != nil {
 		return nil, err
 	}
-	rs = append(rs, ras...)
+	rs = append(rs, storageAccountRAs...)
 
 	return rs, nil
 }
@@ -509,8 +523,8 @@ func (g *resourceGetter) deleteDisk(_ fi.Cloud, r *resources.Resource) error {
 	return g.cloud.Disk().Delete(context.TODO(), g.resourceGroupName(), r.Name)
 }
 
-func (g *resourceGetter) listRoleAssignments(ctx context.Context, principalIDs map[string]*compute.VirtualMachineScaleSet) ([]*resources.Resource, error) {
-	ras, err := g.cloud.RoleAssignment().List(ctx, g.resourceGroupName())
+func (g *resourceGetter) listRoleAssignments(ctx context.Context, principalIDs map[string]*compute.VirtualMachineScaleSet, scope string) ([]*resources.Resource, error) {
+	ras, err := g.cloud.RoleAssignment().List(ctx, scope)
 	if err != nil {
 		return nil, err
 	}

pkg/resources/clusterinfo.go

@@ -20,6 +20,8 @@ type ClusterInfo struct {
 	Name        string
 	UsesNoneDNS bool
 	// Azure specific
+	AzureStorageAccountID    string
+	AzureSubscriptionID      string
 	AzureResourceGroupName   string
 	AzureResourceGroupShared bool
 	AzureNetworkShared       bool

pkg/resources/ops/collector.go

@@ -57,6 +57,8 @@ func ListResources(cloud fi.Cloud, cluster *kops.Cluster) (map[string]*resources
 	case kops.CloudProviderOpenstack:
 		return openstack.ListResources(cloud.(cloudopenstack.OpenstackCloud), clusterInfo)
 	case kops.CloudProviderAzure:
+		clusterInfo.AzureStorageAccountID = cluster.Spec.CloudProvider.Azure.StorageAccountID
+		clusterInfo.AzureSubscriptionID = cluster.Spec.CloudProvider.Azure.SubscriptionID
 		clusterInfo.AzureResourceGroupName = cluster.AzureResourceGroupName()
 		clusterInfo.AzureResourceGroupShared = cluster.IsSharedAzureResourceGroup()
 		clusterInfo.AzureNetworkShared = cluster.SharedVPC()

upup/pkg/fi/cloudup/azure/roleassignment.go

@@ -44,7 +44,10 @@ func (c *roleAssignmentsClientImpl) Create(
 	parameters authz.RoleAssignmentCreateParameters,
 ) (*authz.RoleAssignment, error) {
 	resp, err := c.c.Create(ctx, scope, roleAssignmentName, parameters, nil)
-	return &resp.RoleAssignment, err
+	if err != nil {
+		return nil, err
+	}
+	return &resp.RoleAssignment, nil
 }
 
 func (c *roleAssignmentsClientImpl) List(ctx context.Context, scope string) ([]*authz.RoleAssignment, error) {