Add support for instance-permission-set in azure (#632)

* Add support for instance-permission-set in azure.

The instance-permission-set is parsed as a comma-separated list of ARM resource ids in the form
'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

* Update docs.

* Support permission sets in azure (task).

* Minor updates to aws permission set resource.

Fix typo in error message.
Move regexp compilation to package level (quicker panic).
Handle error case first.

* Add permission set parsing step to azure task creation.

Also proposing a refactoring of task command step definition - renumbering the progress indication manually seems a bit tedious.

* Revert "Add permission set parsing step to azure task creation."

This reverts commit aaa06e9.

* Add permission set read step.

* Specify resource identity type.

* Improved ARMID matching regular expression.

* Propagate command line permission set value to task.

Author: tasdomas

cmd/create/create.go

@@ -93,7 +93,8 @@ func (o *Options) Run(cmd *cobra.Command, args []string, cloud *common.Cloud) er
 				Ports: &[]uint16{22},
 			},
 		},
-		Parallelism: uint16(1),
+		Parallelism:   uint16(1),
+		PermissionSet: o.PermissionSet,
 	}
 
 	cfg.Spot = common.Spot(common.SpotDisabled)

docs/resources/task.md

@@ -274,8 +274,8 @@ A service account email and a [list of scopes](https://cloud.google.com/sdk/gclo
 `permission_set = "sa-name@project_id.iam.gserviceaccount.com,scopes=storage-rw"`
 
 #### Microsoft Azure
-
-[Not yet implemented](https://github.com/iterative/terraform-provider-iterative/issues/559)
+A comma-separated list of [user-assigned identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) ARM resource ids, e.g.:
+`permission_set = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}"`
 
 #### Kubernetes
 

iterative/azure/provider.go

@@ -16,6 +16,8 @@ import (
 	"github.com/Azure/go-autorest/autorest/to"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	azresources "terraform-provider-iterative/task/az/resources"
 )
 
 //ResourceMachineCreate creates AWS instance
@@ -34,6 +36,11 @@ func ResourceMachineCreate(ctx context.Context, d *schema.ResourceData, m interf
 	spot := d.Get("spot").(bool)
 	spotPrice := d.Get("spot_price").(float64)
 
+	userAssignedIdentities, err := getUserAssignedIdentityMap(d.Get("instance_permission_set").(string))
+	if err != nil {
+		return err
+	}
+
 	metadata := map[string]*string{}
 	for key, value := range d.Get("metadata").(map[string]interface{}) {
 		stringValue := value.(string)
@@ -199,7 +206,11 @@ func ResourceMachineCreate(ctx context.Context, d *schema.ResourceData, m interf
 
 	vmClient, _ := getVMClient(subscriptionID)
 	vmSettings := compute.VirtualMachine{
-		Tags:     metadata,
+		Tags: metadata,
+		Identity: &compute.VirtualMachineIdentity{
+			UserAssignedIdentities: userAssignedIdentities,
+			Type:                   compute.ResourceIdentityTypeSystemAssignedUserAssigned,
+		},
 		Location: to.StringPtr(region),
 		VirtualMachineProperties: &compute.VirtualMachineProperties{
 			HardwareProfile: &compute.HardwareProfile{
@@ -360,6 +371,30 @@ func getVMClient(subscriptionID string) (compute.VirtualMachinesClient, error) {
 	return client, err
 }
 
+// getUserAssignedIdentityMap generates a map of user-assigned identity values from a comma-separated
+// list of ARM resource ids.
+func getUserAssignedIdentityMap(identitiesRaw string) (map[string]*compute.VirtualMachineIdentityUserAssignedIdentitiesValue, error) {
+	if len(strings.TrimSpace(identitiesRaw)) == 0 {
+		return nil, nil
+	}
+	identities := strings.Split(identitiesRaw, ",")
+	identityMap := map[string]*compute.VirtualMachineIdentityUserAssignedIdentitiesValue{}
+	for _, identity := range identities {
+		identity = strings.TrimSpace(identity)
+		if len(identity) == 0 {
+			continue
+		}
+		if err := azresources.ValidateARMID(identity); err != nil {
+			return nil, err
+		}
+		identityMap[identity] = &compute.VirtualMachineIdentityUserAssignedIdentitiesValue{}
+	}
+	if len(identityMap) == 0 {
+		return nil, nil
+	}
+	return identityMap, nil
+}
+
 //GetRegion maps region to real cloud regions
 func GetRegion(region string) string {
 	instanceRegions := make(map[string]string)

iterative/resource_machine.go

@@ -181,7 +181,7 @@ func resourceMachineCreate(ctx context.Context, d *schema.ResourceData, m interf
 
 	cloud := d.Get("cloud").(string)
 
-	if len(d.Get("instance_permission_set").(string)) > 0 && (cloud == "azure" || cloud == "kubernetes") {
+	if len(d.Get("instance_permission_set").(string)) > 0 && (cloud == "kubernetes") {
 		diags = append(diags, diag.Diagnostic{
 			Severity: diag.Error,
 			Summary:  fmt.Sprintf("instance_permission_set is not yet supported in " + cloud),

task/aws/resources/data_source_permission_set.go

@@ -11,6 +11,8 @@ import (
 	"terraform-provider-iterative/task/aws/client"
 )
 
+var validateARN = regexp.MustCompile(`arn:aws:iam::[\d]*:instance-profile/[\S]*`)
+
 func NewPermissionSet(client *client.Client, identifier string) *PermissionSet {
 	ps := new(PermissionSet)
 	ps.Client = client
@@ -31,12 +33,11 @@ func (ps *PermissionSet) Read(ctx context.Context) error {
 		ps.Resource = nil
 		return nil
 	}
-	re := regexp.MustCompile(`arn:aws:iam::[\d]*:instance-profile/[\S]*`)
-	if re.MatchString(arn) {
-		ps.Resource = &types.LaunchTemplateIamInstanceProfileSpecificationRequest{
-			Arn: aws.String(arn),
-		}
-		return nil
+	if !validateARN.MatchString(arn) {
+		return fmt.Errorf("invalid IAM Instance Profile: %s", arn)
+	}
+	ps.Resource = &types.LaunchTemplateIamInstanceProfileSpecificationRequest{
+		Arn: aws.String(arn),
 	}
-	return fmt.Errorf("invlaid IAM Instance Profile: %s", arn)
+	return nil
 }

task/az/resources/data_source_permission_set.go

@@ -3,12 +3,25 @@ package resources
 import (
 	"context"
 	"fmt"
+	"regexp"
+	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-30/compute"
 
 	"terraform-provider-iterative/task/az/client"
 )
 
+// validateARMID is a regular expression for validating user-assigned identity ids.
+var validateARMID = regexp.MustCompile(`^/subscriptions/(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/resourceGroups/(.*)/providers/Microsoft.ManagedIdentity/userAssignedIdentities/(.*)`)
+
+// ValidateARMID validates the user-assigned identity value.
+func ValidateARMID(id string) error {
+	if !validateARMID.MatchString(id) {
+		return fmt.Errorf("invalid user-assigned identity id: %q", id)
+	}
+	return nil
+}
+
 func NewPermissionSet(client *client.Client, identifer string) *PermissionSet {
 	ps := new(PermissionSet)
 	ps.Client = client
@@ -23,9 +36,26 @@ type PermissionSet struct {
 }
 
 func (ps *PermissionSet) Read(ctx context.Context) error {
-	if ps.Identifier != "" {
-		return fmt.Errorf("not yet implemented")
+	identities := strings.Split(ps.Identifier, ",")
+	identityMap := map[string]*compute.VirtualMachineScaleSetIdentityUserAssignedIdentitiesValue{}
+	for _, identity := range identities {
+		identity = strings.TrimSpace(identity)
+		if identity == "" {
+			continue
+		}
+		if err := ValidateARMID(identity); err != nil {
+			return err
+		}
+
+		identityMap[identity] = &compute.VirtualMachineScaleSetIdentityUserAssignedIdentitiesValue{}
+	}
+	if len(identityMap) == 0 {
+		ps.Resource = nil
+		return nil
+	}
+	ps.Resource = &compute.VirtualMachineScaleSetIdentity{
+		UserAssignedIdentities: identityMap,
+		Type:                   compute.ResourceIdentityTypeSystemAssignedUserAssigned,
 	}
-	ps.Resource = nil
 	return nil
 }

task/az/resources/data_source_permission_set_test.go

@@ -0,0 +1,31 @@
+package resources_test
+
+import (
+	"terraform-provider-iterative/task/az/resources"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestARMIDValidation tests the validation of user-assigned identity values.
+func TestARMIDValidation(t *testing.T) {
+	tests := []struct {
+		Identity    string
+		ExpectError string
+	}{{
+		Identity:    "/subscriptions/cse78759-ef49-49f7-b371-f6841fa82182/resourceGroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/managed-identity",
+		ExpectError: "",
+	}, {
+		Identity:    "/subscriptions/no-valid",
+		ExpectError: `invalid user-assigned identity id: "/subscriptions/no-valid"`,
+	}}
+
+	for _, test := range tests {
+		err := resources.ValidateARMID(test.Identity)
+		if test.ExpectError == "" {
+			require.NoError(t, err)
+		} else {
+			require.EqualError(t, err, test.ExpectError)
+		}
+	}
+}

task/az/task.go

@@ -110,45 +110,49 @@ type Task struct {
 
 func (t *Task) Create(ctx context.Context) error {
 	logrus.Info("Creating resources...")
-	logrus.Info("[1/10] Creating ResourceGroup...")
+	logrus.Info("[1/11] Creating PermissionSet...")
+	if err := t.DataSources.PermissionSet.Read(ctx); err != nil {
+		return err
+	}
+	logrus.Info("[2/11] Creating ResourceGroup...")
 	if err := t.Resources.ResourceGroup.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[2/10] Creating StorageAccount...")
+	logrus.Info("[3/11] Creating StorageAccount...")
 	if err := t.Resources.StorageAccount.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[3/10] Creating BlobContainer...")
+	logrus.Info("[4/11] Creating BlobContainer...")
 	if err := t.Resources.BlobContainer.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[4/10] Creating Credentials...")
+	logrus.Info("[5/11] Creating Credentials...")
 	if err := t.DataSources.Credentials.Read(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[5/10] Creating VirtualNetwork...")
+	logrus.Info("[6/11] Creating VirtualNetwork...")
 	if err := t.Resources.VirtualNetwork.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[6/10] Creating SecurityGroup...")
+	logrus.Info("[7/11] Creating SecurityGroup...")
 	if err := t.Resources.SecurityGroup.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[7/10] Creating Subnet...")
+	logrus.Info("[8/11] Creating Subnet...")
 	if err := t.Resources.Subnet.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[8/10] Creating VirtualMachineScaleSet...")
+	logrus.Info("[9/11] Creating VirtualMachineScaleSet...")
 	if err := t.Resources.VirtualMachineScaleSet.Create(ctx); err != nil {
 		return err
 	}
-	logrus.Info("[9/10] Uploading Directory...")
+	logrus.Info("[10/11] Uploading Directory...")
 	if t.Attributes.Environment.Directory != "" {
 		if err := t.Push(ctx, t.Attributes.Environment.Directory); err != nil {
 			return err
 		}
 	}
-	logrus.Info("[10/10] Starting task...")
+	logrus.Info("[11/11] Starting task...")
 	if err := t.Start(ctx); err != nil {
 		return err
 	}