Orphan role assignment cleanup script (#3696)

scripts/v2/clean-orphan-role-assignments.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT license.
+
+# This script exists to manually clean up the CI subscription role assignments if there get to be too many.
+# We could run it automatically but they're leaked relatively rarely and only clutter the UI (not a security issue as the
+# backing identity is deleted).
+# We should probably figure out what's creating the assignments and update that to do a best effort delete...
+# It's probably make-mi-fic.sh
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+DELETE=0
+
+print_usage() {
+  echo "Usage: cleanup-orphan-role-assignments.sh [-y]"
+  echo "    -y: Actually delete everything. If not specified, the default is dry-run mode"
+}
+
+while getopts 'y' flag; do
+  case "${flag}" in
+    y) DELETE=1 ;;
+    *) print_usage
+       exit 1 ;;
+  esac
+done
+
+# This lists all of the role assignments with no principal
+IDS=$(az role assignment list --query "([?(principalName == '')].id).join(' ', [*])" | tr -d '"')
+
+COUNT=$(echo ${IDS} | wc -w)
+
+echo "About to delete ${COUNT} role assignments..."
+
+if [[ "$DELETE" -eq 1 ]]; then
+  echo "Starting to delete role assignments..."
+  for I in $IDS
+    do
+      echo "Deleting ID ${I}"
+      az role assignment delete --ids "${I}" -y
+    done
+  echo "Done deleting role assignments"
+else
+  echo "Not deleting role assignments in dry-run mode. Pass -y to actually delete the role assignments"
+fi

scripts/v2/delete-kind-wi-storage.sh

@@ -50,6 +50,13 @@ if [ -f "$DIR/azure/fic.txt" ]; then
   fi
 fi
 
+if [ -f "$DIR/azure/roleassignmentid.txt" ]; then
+  # Need to delete the role assignment as well so we don't leak them
+  ROLE_ASSIGNMENT_ID=$(cat $DIR/azure/roleassignmentid.txt)
+  echo "Deleting role assignment: ${ROLE_ASSIGNMENT_ID}"
+  az role assignment delete --ids "${ROLE_ASSIGNMENT_ID}"
+fi
+
 if [ $(az group exists --name ${RESOURCE_GROUP}) = true ]; then
   echo "Deleting resourceGroup: ${RESOURCE_GROUP}"
   az group delete --name ${RESOURCE_GROUP} -y

scripts/v2/make-mi-fic.sh

@@ -15,7 +15,6 @@ function retry_create_role_assignment() {
   until create_role_assignment; do
     sleep 5
   done
-
 }
 
 print_usage() {
@@ -76,11 +75,15 @@ az identity federated-credential create \
 export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${IDENTITY_NAME}" --query 'clientId' -otsv)"
 export USER_ASSIGNED_OBJECT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${IDENTITY_NAME}" --query 'principalId' -otsv)"
 
-# Assumption is if the user brought their own identity that it already has the permisisons it needs
+# Assumption is if the user brought their own identity that it already has the permissions it needs
 if [ "$EXISTING_IDENTITY" = false ]; then
   export -f create_role_assignment
   export -f retry_create_role_assignment
   timeout 1m bash -c retry_create_role_assignment
+
+  # Save the ID of the role assignment we created as well
+  ROLE_ASSIGNMENT_ID=$(az role assignment list --assignee "${USER_ASSIGNED_OBJECT_ID}" --query "[0].id" | tr -d '"')
+  echo ${ROLE_ASSIGNMENT_ID} > "${DIR}/azure/roleassignmentid.txt"
 fi
 
 echo ${USER_ASSIGNED_CLIENT_ID} > "${DIR}/azure/miclientid.txt"