pkg/infrastructure/azure: remove identity creation

patrickdillon · patrickdillon · commit c26d2bb48a68 · 2025-03-19T11:52:25.000-04:00
Removes automatic creation of the user-assigned identity, as it is
no longer required to authenticate the cloud-provider (CCM handles
this). All subsequent identity-VM relationships will be handled
directly through CAPZ. Subsequent commits will mirror the CAPZ API
to the install config.
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
@@ -14,14 +14,11 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
-	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
-	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage"
 	"github.com/coreos/stream-metadata-go/arch"
-	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/utils/ptr"
@@ -144,109 +141,6 @@ func (p *Provider) PreProvision(ctx context.Context, in clusterapi.PreProvisionI
 	logrus.Debugf("ResourceGroup.ID=%s", *resourceGroup.ID)
 	p.ResourceGroupName = resourceGroupName
 
-	// Create user assigned identity
-	userAssignedIdentityName := fmt.Sprintf("%s-identity", in.InfraID)
-	armmsiClientFactory, err := armmsi.NewClientFactory(
-		subscriptionID,
-		tokenCredential,
-		&arm.ClientOptions{
-			ClientOptions: policy.ClientOptions{
-				Cloud: cloudConfiguration,
-			},
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create armmsi client: %w", err)
-	}
-	_, err = armmsiClientFactory.NewUserAssignedIdentitiesClient().CreateOrUpdate(
-		ctx,
-		resourceGroupName,
-		userAssignedIdentityName,
-		armmsi.Identity{
-			Location: ptr.To(platform.Region),
-			Tags:     tags,
-		},
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create user assigned identity %s: %w", userAssignedIdentityName, err)
-	}
-	userAssignedIdentity, err := armmsiClientFactory.NewUserAssignedIdentitiesClient().Get(
-		ctx,
-		resourceGroupName,
-		userAssignedIdentityName,
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to get user assigned identity %s: %w", userAssignedIdentityName, err)
-	}
-	principalID := *userAssignedIdentity.Properties.PrincipalID
-
-	logrus.Debugf("UserAssignedIdentity.ID=%s", *userAssignedIdentity.ID)
-	logrus.Debugf("PrinciapalID=%s", principalID)
-
-	clientFactory, err := armauthorization.NewClientFactory(
-		subscriptionID,
-		tokenCredential,
-		&arm.ClientOptions{
-			ClientOptions: policy.ClientOptions{
-				Cloud: cloudConfiguration,
-			},
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create armauthorization client: %w", err)
-	}
-
-	roleDefinitionsClient := clientFactory.NewRoleDefinitionsClient()
-
-	var contributor *armauthorization.RoleDefinition
-	roleDefinitionsPager := roleDefinitionsClient.NewListPager(*resourceGroup.ID, nil)
-	for roleDefinitionsPager.More() {
-		roleDefinitionsList, err := roleDefinitionsPager.NextPage(ctx)
-		if err != nil {
-			return fmt.Errorf("failed to find any role definitions: %w", err)
-		}
-		for _, roleDefinition := range roleDefinitionsList.Value {
-			if *roleDefinition.Properties.RoleName == "Contributor" {
-				contributor = roleDefinition
-				break
-			}
-		}
-	}
-	if contributor == nil {
-		return fmt.Errorf("failed to find contributor definition")
-	}
-
-	roleAssignmentsClient := clientFactory.NewRoleAssignmentsClient()
-	scope := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s", subscriptionID, resourceGroupName)
-	roleAssignmentUUID := uuid.New().String()
-
-	// XXX: Azure doesn't like creating an identity and immediately
-	// creating a role assignment for the identity. There can be
-	// replication delays. So, retry every 10 seconds for a minute until
-	// the role assignment gets created.
-	//
-	// See https://aka.ms/docs-principaltype
-	for i := 0; i < retryCount; i++ {
-		_, err = roleAssignmentsClient.Create(ctx, scope, roleAssignmentUUID,
-			armauthorization.RoleAssignmentCreateParameters{
-				Properties: &armauthorization.RoleAssignmentProperties{
-					PrincipalID:      ptr.To(principalID),
-					RoleDefinitionID: contributor.ID,
-				},
-			},
-			nil,
-		)
-		if err == nil {
-			break
-		}
-		time.Sleep(retryTime)
-	}
-	if err != nil {
-		return fmt.Errorf("failed to create role assignment: %w", err)
-	}
-
 	// Creating a dummy nsg for existing vnets installation to appease the ingress operator.
 	if in.InstallConfig.Config.Azure.VirtualNetwork != "" {
 		networkClientFactory, err := armnetwork.NewClientFactory(
