diff --git a/lib/qesapdeployment.pm b/lib/qesapdeployment.pm
index 2da54f11091d..a1016ff4d798 100644
--- a/lib/qesapdeployment.pm
+++ b/lib/qesapdeployment.pm
@@ -100,8 +100,6 @@ our @EXPORT = qw(
 qesap_az_get_active_peerings
 qesap_az_clean_old_peerings
 qesap_az_setup_native_fencing_permissions
- qesap_az_enable_system_assigned_identity
- qesap_az_assign_role
 qesap_az_get_tenant_id
 qesap_az_create_sas_token
 qesap_az_list_container_files
@@ -2225,66 +2223,23 @@ sub qesap_az_setup_native_fencing_permissions { croak "Missing argument: '$_'" unless defined($args{$_}); } - my $vm_id = qesap_az_enable_system_assigned_identity(vm_name => $args{vm_name}, resource_group => $args{resource_group}); - qesap_az_assign_role(assignee => $vm_id, role => 'Virtual Machine Contributor', resource_group => $args{resource_group}); -} - -=head2 qesap_az_enable_system_assigned_identity - - qesap_az_enable_system_assigned_identity($vm_name, $resource_group); - - Enables 'System assigned identity' for specified VM. - Returns 'systemAssignedIdentity' ID. - -=over - -=item B - VM name - -=item B - resource group resource belongs to - -=back -=cut - -sub qesap_az_enable_system_assigned_identity { - my (%args) = @_; - foreach ('vm_name', 'resource_group') { - croak "Missing argument: '$_'" unless defined($args{$_}); - } - - my $identity_id = script_output(join(' ', + # Enable system assigned identity + my $vm_id = script_output(join(' ', 'az vm identity assign', '--only-show-errors', "-g '$args{resource_group}'", "-n '$args{vm_name}'", "--query 'systemAssignedIdentity'", '-o tsv')); - die 'Returned output does not match ID pattern' if az_validate_uuid_pattern(uuid => $identity_id) eq 0; - return $identity_id; -} - -=head2 qesap_az_assign_role - - qesap_az_assign_role( assignee=>$assignee, role=>$role, resource_group=>$resource_group ) - - Assigns defined role to 'assignee' (user, vm, etc...) using subscription id. 
- assignee - UUID for the resource (VM in this case) - role - role to be assigned - resource_group - resource group resource belongs to - -=cut - -sub qesap_az_assign_role { - my (%args) = @_; - foreach ('assignee', 'role', 'resource_group') { - croak "Missing argument: '$_'" unless defined($args{$_}); - } + die 'Returned output does not match ID pattern' if az_validate_uuid_pattern(uuid => $vm_id) eq 0; + # Assign role my $subscription_id = script_output('az account show --query "id" -o tsv'); my $az_cmd = join(' ', 'az role assignment', 'create --only-show-errors', - "--assignee-object-id '$args{assignee}'", + "--assignee-object-id $vm_id", '--assignee-principal-type ServicePrincipal', - "--role '$args{role}'", + "--role 'Virtual Machine Contributor'", "--scope '/subscriptions/$subscription_id/resourceGroups/$args{resource_group}'"); assert_script_run($az_cmd); } diff --git a/t/15_qesap_azure.t b/t/15_qesap_azure.t index 384ef3b4f839..245139750567 100644 --- a/t/15_qesap_azure.t +++ b/t/15_qesap_azure.t @@ -147,9 +147,12 @@ subtest '[qesap_az_vnet_peering_delete] delete failure' => sub { }; subtest '[qesap_az_setup_native_fencing_permissions]' => sub { + my $command; + my $vm_id = 'c0ffeeee-c0ff-eeee-1234-123456abcdef'; my $qesap = Test::MockModule->new('qesapdeployment', no_auto => 1); - $qesap->redefine(qesap_az_enable_system_assigned_identity => sub { return 'WalkThePlank!'; }); - $qesap->redefine(qesap_az_assign_role => sub { return 'AyeAyeCaptain!'; }); + $qesap->redefine(script_output => sub { return $vm_id; }); + $qesap->redefine(assert_script_run => sub { $command = shift; return 1; }); + my %mandatory_args = ( vm_name => 'CaptainUsop', resource_group => 'StrawhatPirates' 
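Review bot: The `--assignee-object-id $vm_id` argument drops the single quotes the removed qesap_az_assign_role put around the assignee, so the raw output of `az vm identity assign` now reaches the shell unquoted and its safety rests entirely on az_validate_uuid_pattern; that guard is written as `... eq 0`, which fails open if the helper (not visible here) ever returns undef or an empty string instead of a literal 0. I would keep the quoting as cheap defense in depth, `"--assignee-object-id '$vm_id'"`, and fail closed with `die 'Returned output does not match ID pattern' unless az_validate_uuid_pattern(uuid => $vm_id);`, assuming the helper returns a true value for a valid UUID. `$subscription_id` from `az account show` is interpolated into `--scope` with no check at all; the same validator could cover it. The enclosing qesap_az_setup_native_fencing_permissions begins before this hunk, and its POD, also outside the hunk, should now state that the function both enables the system-assigned identity and grants 'Virtual Machine Contributor' at resource-group scope.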
@@ -163,58 +166,7 @@ subtest '[qesap_az_setup_native_fencing_permissions]' => sub { } ok qesap_az_setup_native_fencing_permissions(%mandatory_args), 'PASS with all args defined'; -}; - -subtest '[qesap_az_assign_role] mandatory arguments' => sub { - my $qesap = Test::MockModule->new('qesapdeployment', no_auto => 1); - $qesap->redefine(assert_script_run => sub { return 1; }); - - my %mandatory_args = ( - assignee => 'CaptainUsop', - resource_group => 'StrawhatPirates', - role => 'Liar' - ); - # check mandatory args - foreach ('assignee', 'role', 'resource_group') { - $mandatory_args{$_} = undef; - dies_ok { qesap_az_assign_role(%mandatory_args) } "Expected failure: missing mandatory arg: $_"; - } -}; - -subtest '[qesap_az_assign_role]' => sub { - my @calls; - my $qesap = Test::MockModule->new('qesapdeployment', no_auto => 1); - $qesap->redefine(assert_script_run => sub { push @calls, $_[0]; return 1; }); - $qesap->redefine(script_output => sub { return 'SOME_ID'; }); - - my %mandatory_args = ( - assignee => 'CaptainUsop', - resource_group => 'StrawhatPirates', - role => 'Liar' - ); - - qesap_az_assign_role(%mandatory_args); - - note("\n C--> " . 
join("\n C--> ", @calls)); - ok((any { /az role assignment/ } @calls), 'az command properly composed'); -}; - -subtest '[qesap_az_enable_system_assigned_identity] Missing arguments' => sub { - my $vm_name = 'CaptainHook'; - - # Missing args - dies_ok { qesap_az_enable_system_assigned_identity(vm_name => $vm_name) } 'Fail with missing resource group'; - dies_ok { qesap_az_enable_system_assigned_identity() } 'Fail with missing args'; -}; - -subtest '[qesap_az_enable_system_assigned_identity]' => sub { - my $qesap = Test::MockModule->new('qesapdeployment', no_auto => 1); - my $vm_name = 'CaptainHook'; - my $resource_group = 'TheJollyRoger'; - my $good_uuid = 'c0ffeeee-c0ff-eeee-1234-123456abcdef'; - - $qesap->redefine(script_output => sub { return $good_uuid; }); - is qesap_az_enable_system_assigned_identity(vm_name => $vm_name, resource_group => $resource_group), $good_uuid, 'PASS with valid UUID'; + like($command, qr/az role assignment create.*--assignee-object-id $vm_id.*StrawhatPirates/, 'az command properly composed'); }; subtest '[qesap_az_get_tenant_id]' => sub {
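Review bot: The new `like` on the composed command covers only the happy path; with the standalone subtests for qesap_az_enable_system_assigned_identity deleted, nothing exercises the `die 'Returned output does not match ID pattern'` branch that is now the only thing keeping a non-UUID from `az vm identity assign` out of the `az role assignment` command line. Assuming az_validate_uuid_pattern is not mocked in this file, a two-line negative case after the `like` would close that gap: `$qesap->redefine(script_output => sub { return 'WalkThePlank!'; });` followed by `dies_ok { qesap_az_setup_native_fencing_permissions(%mandatory_args) } 'Fail when identity output is not a UUID';`. Also, `$vm_id` is interpolated into the `qr//` unescaped; harmless for this hex fixture, but `\Q$vm_id\E` is the safer habit. The subtest being edited begins before this hunk.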