From 300c9e84c0d0221b4d29d2ccb5f4bbdbf34ab5e5 Mon Sep 17 00:00:00 2001
From: Gustavo Hidalgo
Date: Mon, 17 Nov 2025 09:50:53 -0800
Subject: [PATCH 1/2] user subscription mode
---
 deployment/terraform/resources/batch.tf | 9 +++++++--
 deployment/terraform/resources/keyvault.tf | 15 +++++++++++++--
 deployment/terraform/resources/output.tf | 4 ----
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/deployment/terraform/resources/batch.tf b/deployment/terraform/resources/batch.tf
index a5ec53cb2..bde8a96c5 100644
--- a/deployment/terraform/resources/batch.tf
+++ b/deployment/terraform/resources/batch.tf
@@ -12,9 +12,14 @@ resource "azurerm_batch_account" "pctasks" {
 name = local.nodash_prefix
 resource_group_name = azurerm_resource_group.pctasks.name
 location = azurerm_resource_group.pctasks.location
- pool_allocation_mode = "BatchService"
+ pool_allocation_mode = "UserSubscription"
 storage_account_id = azurerm_storage_account.pctasks-batch.id
- storage_account_authentication_mode = "StorageKeys"
+ storage_account_authentication_mode = "BatchAccountManagedIdentity"
+ allowed_authentication_modes = ["AAD"]
+
+ identity {
+ type = "SystemAssigned"
+ }
 
 tags = {
 ManagedBy = "AI4E"
diff --git a/deployment/terraform/resources/keyvault.tf b/deployment/terraform/resources/keyvault.tf
index cbe2d8a0e..3cc396444 100644
--- a/deployment/terraform/resources/keyvault.tf
+++ b/deployment/terraform/resources/keyvault.tf
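Review bot: Switching `storage_account_authentication_mode` to `"BatchAccountManagedIdentity"` only works if the new system-assigned identity is granted a data-plane role on `azurerm_storage_account.pctasks-batch`, and no such `azurerm_role_assignment` appears anywhere in this patch. Unless it already exists elsewhere in the module, the account will be created but autostorage operations will fail with authorization errors; an assignment such as `role_definition_name = "Storage Blob Data Contributor"` with `principal_id = azurerm_batch_account.pctasks.identity[0].principal_id` scoped to the storage account would close the gap. `allowed_authentication_modes = ["AAD"]` disabling shared-key auth is the right direction and matches the removal of the `batch_key` output later in the series; a comment on that line, `# Shared-key auth disabled: clients must present Entra ID tokens`, would make the intent explicit to the next reader. Note also that `pool_allocation_mode = "UserSubscription"` appears to need the `key_vault_reference` block that only arrives in PATCH 2/2, so this commit likely does not apply cleanly on its own and the two should be squashed. The `azurerm_batch_account` resource continues past the end of the hunk.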
@@ -9,6 +9,17 @@ resource "azurerm_role_assignment" "functions-secrets-user" {
 scope = data.azurerm_key_vault.pctasks.id
 }
 
+# Required for Batch UserSubscription mode
+data "azuread_service_principal" "batch" {
+ display_name = "Microsoft Azure Batch"
+}
+
+resource "azurerm_role_assignment" "batch-keyvault-secrets-officer" {
+ role_definition_name = "Key Vault Secrets Officer"
+ principal_id = data.azuread_service_principal.batch.object_id
+ scope = data.azurerm_key_vault.pctasks.id
+}
+
 # Store database information as a secret
 resource "azurerm_key_vault_secret" "pgstac-connection-string" {
@@ -18,8 +29,8 @@ resource "azurerm_key_vault_secret" "pgstac-connection-string" {
 }
 
 resource "azurerm_key_vault_secret" "task-application-insights-connection-string" {
- name = "task-application-insights-connection-string"
- value = azurerm_application_insights.pctasks.connection_string
+ name = "task-application-insights-connection-string"
+ value = azurerm_application_insights.pctasks.connection_string
 key_vault_id = data.azurerm_key_vault.pctasks.id
 }
 
diff --git a/deployment/terraform/resources/output.tf b/deployment/terraform/resources/output.tf
index a326688c2..527c97eef 100644
--- a/deployment/terraform/resources/output.tf
+++ b/deployment/terraform/resources/output.tf
@@ -86,10 +86,6 @@ output "batch_url" {
 value = "https://${azurerm_batch_account.pctasks.account_endpoint}"
 }
 
-output "batch_key" {
- value = azurerm_batch_account.pctasks.primary_access_key
-}
-
 output "batch_default_pool_id" {
 value = var.batch_default_pool_id
 }
From d82ffdf13dccb4219da8041b2503a353fd9f4b01 Mon Sep 17 00:00:00 2001
From: Gustavo Hidalgo
Date: Mon, 24 Nov 2025 15:08:53 -0500
Subject: [PATCH 2/2] Deploy staging PCTasks again
---
 deployment/helm/deploy-values.template.yaml | 7 +++----
 deployment/terraform/resources/batch.tf | 11 +++++++++++
 deployment/terraform/resources/output.tf | 4 ----
 3 files changed, 14 insertions(+), 8 deletions(-)
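Review bot: Resolving the Batch service principal by `display_name = "Microsoft Azure Batch"` binds the new `Key Vault Secrets Officer` grant to whichever principal happens to carry that name in the tenant, and display names are neither unique nor immutable, so a same-named app registration would receive write access to secrets in `data.azurerm_key_vault.pctasks`. Looking the first-party application up by its client id instead, `client_id = "<microsoft-azure-batch-application-id>"` (placeholder; take the constant from the Batch documentation), makes the grant deterministic, and the data source will also fail the plan rather than silently pick one match if the name is ever duplicated. A one-line comment on the role assignment stating why Batch needs secrets-officer rights on this vault (UserSubscription mode stores pool certificates there) would help future access reviews; the existing `# Required for Batch UserSubscription mode` could be extended to say so. The `functions-secrets-user` resource this hunk opens in begins above the hunk.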
diff --git a/deployment/helm/deploy-values.template.yaml b/deployment/helm/deploy-values.template.yaml
index 0049ab664..5eaf1684f 100644
--- a/deployment/helm/deploy-values.template.yaml
+++ b/deployment/helm/deploy-values.template.yaml
@@ -45,17 +45,16 @@ pctasks:
 run:
 task_runner_type: "batch"
 streaming_task_namespace: "pc"
- streaming_task_node_group: {{ tf.aks_streaming_task_node_group_name }}
 task_poll_seconds: 30
 
 notifications:
 queue_name: "notifications"
- connection_string: {{ tf.sa_connection_string }}
+ connection_string: "NOT_USED"
 
 tables:
 account_url: {{ tf.sa_tables_account_url }}
 account_name: {{ tf.sa_account_name }}
- connection_string: {{ tf.sa_connection_string }}
+ connection_string: "NOT_USED"
 image_key_table_name: "imagekeys"
 
 blob:
@@ -82,7 +81,7 @@ pctasks:
 batch:
 enabled: true
 url: "{{ tf.batch_url }}"
- key: "{{ tf.batch_key }}"
+ key: "NOT_USED"
 default_pool_id: "{{ tf.batch_default_pool_id }}"
 submit_threads: 0
 
diff --git a/deployment/terraform/resources/batch.tf b/deployment/terraform/resources/batch.tf
index bde8a96c5..7bfbcd9a1 100644
--- a/deployment/terraform/resources/batch.tf
+++ b/deployment/terraform/resources/batch.tf
@@ -16,6 +16,10 @@ resource "azurerm_batch_account" "pctasks" {
 storage_account_id = azurerm_storage_account.pctasks-batch.id
 storage_account_authentication_mode = "BatchAccountManagedIdentity"
 allowed_authentication_modes = ["AAD"]
+ key_vault_reference {
+ id = data.azurerm_key_vault.pctasks.id
+ url = data.azurerm_key_vault.pctasks.vault_uri
+ }
 
 identity {
 type = "SystemAssigned"
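Review bot: The `"NOT_USED"` sentinel written into `notifications.connection_string`, `tables.connection_string` and (in the second hunk) `batch.key` is a non-empty value that the consuming settings will presumably parse as a real credential, so whether the runtime actually falls back to managed-identity auth depends on it treating this literal specially, and nothing in the diff shows that. If the settings select identity auth when the field is absent or empty, dropping the keys entirely (or `connection_string: ""`) is safer than a magic string that can surface in error messages or be mistaken for a redacted secret during an incident review. Whichever convention is chosen deserves a comment next to the first occurrence, e.g. `# connection-string auth is disabled; the workload authenticates with its managed identity`, since the matching Terraform outputs are removed in this same series and a reader will otherwise wonder where the value went. The `pctasks:` mapping these keys belong to starts above the first hunk.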
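Review bot: `key_vault_reference` points at a `data.azurerm_key_vault` that this module does not manage, and Batch's UserSubscription mode is documented as requiring soft-delete and purge protection on the referenced vault; nothing in the series checks that, so a misconfigured vault is discovered only when account creation fails. A comment on the block, `# Batch UserSubscription requirement: the vault must have soft-delete and purge protection enabled`, records the dependency, and if the pinned Terraform version supports it a `lifecycle { precondition { ... } }` on `data.azurerm_key_vault.pctasks.purge_protection_enabled` would surface it at plan time instead. Because the data source is read-only, the `# Required for Batch UserSubscription mode` grant in keyvault.tf and this reference now form an implicit contract with whoever owns the vault, which is worth stating in the module README. The `azurerm_batch_account` resource begins above this hunk and continues below it.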
@@ -58,3 +62,10 @@ resource "azurerm_role_assignment" "batch-tasks-blob-storage-contributor" {
 "/subscriptions/1b045d0d-e560-456a-952d-7514f87f1b1f", # NOAA Data Project
 ])
 }
+
+# Allow workflow identity to submit and manage Batch jobs
+resource "azurerm_role_assignment" "workflows-batch-contributor" {
+ role_definition_name = "Azure Batch Job Submitter"
+ principal_id = azurerm_user_assigned_identity.workflows.principal_id
+ scope = azurerm_batch_account.pctasks.id
+}
\ No newline at end of file
diff --git a/deployment/terraform/resources/output.tf b/deployment/terraform/resources/output.tf
index 527c97eef..73aebd8a9 100644
--- a/deployment/terraform/resources/output.tf
+++ b/deployment/terraform/resources/output.tf
@@ -130,10 +130,6 @@ output "sa_account_name" {
 value = azurerm_storage_account.pctasks.name
 }
 
-output "sa_connection_string" {
- value = azurerm_storage_account.pctasks.primary_connection_string
-}
-
 ## Keyvault
 output "keyvault_url" {
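Review bot: The new resource is named `workflows-batch-contributor` and its comment says "submit and manage Batch jobs", but the role actually granted is the narrower `Azure Batch Job Submitter`, so the name and comment overstate the permission and will mislead anyone auditing who can administer the account. Since the resource has not yet landed in state, renaming it now avoids a later replace: `resource "azurerm_role_assignment" "workflows-batch-job-submitter" {` with the comment `# Let the workflows identity submit jobs/tasks to the Batch account (Job Submitter, deliberately not Contributor)`. The file also now ends without a trailing newline (`\ No newline at end of file`) and loses the `=` alignment the rest of the file uses; running `terraform fmt` before merging fixes both. The `batch-tasks-blob-storage-contributor` resource whose closing lines open this hunk begins above it.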