Identify minimal set of Azure permissions required to deploy

[netr0m]

Describe Problem

We currently expect the user to have full access to the Azure subscription in question (i.e. Owner), as we have not outlined the required permission set for deployment.

We should identify and document all required permissions, in order to ensure that we use Azure IAM role grants with the permissions that are strictly required.

Suggest Solution

• Identify by trial and error (documentation lacks)
• Produce JSON representing the custom role.
• Create documentation explaining the requirements

Additional Details

[netr0m]

Assuming that deployment is done in a resource group named either MultiJuicer or MultiJuicerTest under a subscription <SUBSCRIPTION_ID>, create a custom role with the following configuration:

{
    "id": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/<ROLE_DEFINITION_ID>",
    "properties": {
        "roleName": "MultiJuicerDev",
        "description": "Role with minimal permission set required for working with the bouvet/nord-juice-shop solution (CTF deployment)",
        "assignableScopes": [
            "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/MultiJuicerTest",
            "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/MultiJuicer"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/write",
                    "Microsoft.Resources/subscriptions/resourceGroups/delete",
                    "Microsoft.Resources/subscriptions/resourcegroups/resources/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
                    "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
                    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
                    "Microsoft.ContainerService/managedClusters/write",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/delete",
                    "Microsoft.ContainerService/managedClusters/start/action",
                    "Microsoft.ContainerService/managedClusters/stop/action",
                    "Microsoft.ContainerService/managedClusters/abort/action",
                    "Microsoft.Network/publicIPAddresses/read",
                    "Microsoft.Network/publicIPAddresses/write",
                    "Microsoft.Network/publicIPAddresses/delete",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/write",
                    "Microsoft.KeyVault/vaults/secrets/write",
                    "Microsoft.KeyVault/vaults/secrets/read",
                    "Microsoft.KeyVault/locations/deletedVaults/read",
                    "Microsoft.KeyVault/checkNameAvailability/read",
                    "Microsoft.KeyVault/deletedVaults/read",
                    "Microsoft.KeyVault/vaults/delete"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.KeyVault/vaults/secrets/update/action",
                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
                    "Microsoft.KeyVault/vaults/secrets/getSecret/action",
                    "Microsoft.KeyVault/vaults/secrets/setSecret/action"
                ],
                "notDataActions": []
            }
        ]
    }
}