feat: add automation for assigning aks rbac role

lib/consts/consts.go

@@ -29,6 +29,7 @@ const (
 	AzKeyName                    = "posit-team-dedicated"
 	KeyVaultAdminRoleId          = "00482a5a-887f-4fb3-b363-3b7fe8e74483" // Key Vault Administrator built-in role
 	StorageBlobDataContribRoleId = "ba92f5b4-2d11-453d-a403-e96b0029c9fe" // Storage Blob Data Contributor built-in role
+	AksRbacClusterAdminRoleId    = "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b" // Azure Kubernetes Service RBAC Cluster Admin built-in role
 
 	// Tags
 	POSIT_TEAM_ENVIRONMENT    = "posit.team/environment"

lib/steps/bootstrap.go

@@ -227,6 +227,19 @@ func (s *BootstrapStep) runAzure(ctx context.Context, c types.Credentials, _ str
 		}
 	}
 
+	// Ensure AKS RBAC Cluster Admin role assignment exists for admin group
+	s.Log.Info("Ensuring AKS RBAC Cluster Admin role assignment exists", "adminGroupId", azureTarget.AdminGroupID())
+	aksRbacExists, err := azure.RoleAssignmentExists(ctx, azureCreds, azureTarget.SubscriptionID(), azureTarget.ResourceGroupName(), azureTarget.AdminGroupID(), consts.AksRbacClusterAdminRoleId)
+	if err != nil {
+		return err
+	}
+	if !aksRbacExists {
+		err = azure.CreateRoleAssignment(ctx, azureCreds, azureTarget.SubscriptionID(), azureTarget.ResourceGroupName(), azureTarget.AdminGroupID(), consts.AksRbacClusterAdminRoleId)
+		if err != nil {
+			return err
+		}
+	}
+
 	// create site secrets, certain site secret values are populated in later steps rather than here
 	for siteName := range s.DstTarget.Sites() {
 		s.Log.Info("Creating site secrets if they don't exist", "site", siteName)