Assign the Network Contributor role to AGIC to allow access to the existing virtual network (#349)

* Update WebLogic AKS version and add AGIC network contributor role assignment

* Add scope to agicNetworkContributorRoleAssignment for resource group

* Remove unused vnetRgName parameter from agicNetworkContributorRoleAssignment module

---------

Co-authored-by: galiacheng <[email protected]>

Author: edburns

pom.xml

@@ -40,7 +40,7 @@
     <properties>    
         <!--  versions  start -->
         <!--  weblogic azure aks versions  -->
-        <version.wls-on-aks-azure-marketplace>1.0.88</version.wls-on-aks-azure-marketplace>
+        <version.wls-on-aks-azure-marketplace>1.0.89</version.wls-on-aks-azure-marketplace>
         <!--  weblogic azure vm versions  -->
         <version.arm-oraclelinux-wls>1.0.31</version.arm-oraclelinux-wls>
         <version.arm-oraclelinux-wls-admin>1.0.56</version.arm-oraclelinux-wls-admin>

weblogic-azure-aks/src/main/bicep/mainTemplate.bicep

@@ -637,6 +637,8 @@ module networkingDeployment 'modules/networking.bicep' = if (const_enableNetwork
     identity: obj_uamiForDeploymentScript
     location: location
     lbSvcValues: lbSvcValues
+    newOrExistingVnetForApplicationGateway: newOrExistingVnetForApplicationGateway
+    vnetRGNameForApplicationGateway: vnetRGNameForApplicationGateway
     tagsByResource: _objTagsByResource
     useInternalLB: useInternalLB
     wlsDomainName: wlsDomainName

weblogic-azure-aks/src/main/bicep/modules/_rolesAssignment/_agicNetworkContributor.bicep

@@ -0,0 +1,31 @@
+/* 
+ Copyright (c) 2021, 2024, Oracle and/or its affiliates.
+Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+*/
+
+param aksClusterName string 
+param aksClusterRGName string
+param utcValue string = utcNow()
+
+var const_APIVersion = '2020-12-01'
+var name_appGwContributorRoleAssignmentName = guid('${resourceGroup().id}${uniqueString(utcValue)}NetworkContributor')
+// https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
+var const_roleDefinitionIdOfVnetContributor = '4d97b98b-1d4f-4787-a291-c67834d212e7'
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@${azure.apiVersionForManagedClusters}' existing = {
+  name: aksClusterName
+  scope: resourceGroup(aksClusterRGName)
+}
+
+resource agicUamiRoleAssignment 'Microsoft.Authorization/roleAssignments@${azure.apiVersionForRoleAssignment}' = {
+  name: name_appGwContributorRoleAssignmentName
+  properties: {
+    description: 'Assign Network Contributor role to AGIC Identity '
+    principalId: reference(aksCluster.id, const_APIVersion , 'Full').properties.addonProfiles.ingressApplicationGateway.identity.objectId
+    principalType: 'ServicePrincipal'
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', const_roleDefinitionIdOfVnetContributor)
+  }
+  dependsOn: [
+    aksCluster
+  ]
+}

weblogic-azure-aks/src/main/bicep/modules/networking.bicep

@@ -47,6 +47,8 @@ param identity object = {}
 param location string
 @description('Object array to define Load Balancer service, each object must include service name, service target[admin-server or cluster-1], port.')
 param lbSvcValues array = []
+param newOrExistingVnetForApplicationGateway string
+param vnetRGNameForApplicationGateway string
 @description('${label.tagsLabel}')
 param tagsByResource object
 @description('True to set up internal load balancer service.')
@@ -124,6 +126,18 @@ module agicRoleAssignment '_rolesAssignment/_agicRoleAssignment.bicep' = if (ena
   ]
 }
 
+module agicNetworkContributorRoleAssignment '_rolesAssignment/_agicNetworkContributor.bicep' = if (enableAppGWIngress && newOrExistingVnetForApplicationGateway != 'new' && vnetRGNameForApplicationGateway != resourceGroup().name) {
+  name: 'allow-agic-access-vnet'
+  scope: resourceGroup(vnetRGNameForApplicationGateway)
+  params: {
+    aksClusterName: aksClusterName
+    aksClusterRGName: aksClusterRGName
+  }
+  dependsOn: [
+    installAgic
+  ]
+}
+
 module validateAgic '_deployment-scripts/_ds_validate_agic.bicep' = if (enableAppGWIngress) {
   name: 'validate-agic'
   params: {