From 0d99f878b0628d3f7973a65fa0aa2701768de66c Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Mon, 5 Feb 2024 17:39:18 +0000 Subject: [PATCH 1/2] Migrate the test cluster to Azure RBAC --- cluster/terraform_aks_cluster/config/test.tfvars.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cluster/terraform_aks_cluster/config/test.tfvars.json b/cluster/terraform_aks_cluster/config/test.tfvars.json index a29662d1..2aa54d25 100644 --- a/cluster/terraform_aks_cluster/config/test.tfvars.json +++ b/cluster/terraform_aks_cluster/config/test.tfvars.json @@ -16,5 +16,6 @@ "orchestrator_version": "1.26.10" } }, - "admin_group_id": "21b2f2a6-231e-45cb-b624-d5521b820941" + "admin_group_id": "21b2f2a6-231e-45cb-b624-d5521b820941", + "enable_azure_RBAC": true } From 8293d07d9e2e862b8b321b39847dba951bdd8ae9 Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Mon, 5 Feb 2024 17:45:37 +0000 Subject: [PATCH 2/2] Update doc with Azure RBAC on test cluster --- documentation/developer-onboarding.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/documentation/developer-onboarding.md b/documentation/developer-onboarding.md index e3341a75..e57cf4e6 100644 --- a/documentation/developer-onboarding.md +++ b/documentation/developer-onboarding.md 
@@ -23,13 +23,15 @@ Documentation for the Teacher services application developers > [!IMPORTANT] > The clusters are soon to be migrated to Azure RBAC, which will change the process to access them. This documentation will be updated as we go along. -### Test and Production clusters +### Production cluster - Microsoft Entra Privileged Identity Management (PIM) allows gaining new user permissions in the s189 subscriptions. This is required to access the cluster and troubleshoot application or database. **We must be very cautious** as this gives access to all the other services deployed to s189 subscriptions. - Once added to the s189 subscription, you can PIM yourself to the *test* subscription. See the [technical guidance PIM section](https://technical-guidance.education.gov.uk/infrastructure/hosting/azure-cip/#privileged-identity-management-pim-requests). - You can request PIM to the *production* subscription, however this will need to be approved by members of the Managers group - As a manager, you should receive and email with the user request. You can also approve PIM requests by going to [Privileged Identity Management](https://portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart) (PIM) in the Azure portal and selecting Approve request, Azure resources, select the user and approve the request. -### Future process +### Test cluster +Microsoft Entra Privileged Identity Management (PIM) allows gaining new user permissions. This is required to access the cluster and troubleshoot application or database. **We must be very cautious** as this gives access to all the other services deployed to s189 subscriptions. + Use [PIM for groups](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/groups-activate-roles) to elevate your access. 
Two groups are available: - `s189 AKS admin test PIM`: access to the test cluster, self-approved - `s189 AKS admin production PIM`: access to the production cluster, must be approved by another team member
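Review bot: in the test.tfvars.json hunk, the new key `enable_azure_RBAC` breaks the snake_case convention of its neighbours (`admin_group_id`, `orchestrator_version`); confirm it is spelled exactly as the variable is declared in the terraform_aks_cluster module, since a mismatch only surfaces at plan time as an undeclared variable. Flipping the flag is also the only change in this commit: enabling Azure RBAC does not by itself grant anyone access, and neither commit shows an Azure role assignment on the cluster for the `s189 AKS admin test PIM` group that the second commit tells developers to activate, nor states that this group is the one in `admin_group_id`. Either add the assignment here or note in the commit message where it is managed, otherwise the documented route may not work once the plan is applied.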
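Review bot: the `> [!IMPORTANT]` callout kept as unchanged context at the top of the developer-onboarding.md hunk still says the clusters are "soon to be migrated to Azure RBAC", which this commit makes stale for the test cluster; reword it to say the test cluster has been migrated and production will follow. Two further points in the same hunk: the sentence "**We must be very cautious** as this gives access to all the other services deployed to s189 subscriptions" is carried over from the subscription-PIM text above but now sits under "Test cluster", where the mechanism is a group described as "access to the test cluster"; either the group's scope is wider than that description says, or the warning should be rewritten for the narrower scope. And `s189 AKS admin production PIM` is listed under the "Test cluster" heading while the "Production cluster" section still documents subscription-level PIM, so say which route applies to production today. The section also stops at group activation without the steps to obtain cluster credentials afterwards (for an Azure RBAC cluster that is the `az aks get-credentials` and `kubelogin` flow), so a reader still cannot connect.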