Conversation

Contributor

@Klaas- Klaas- commented Sep 25, 2025

SUMMARY

As prep for doing more Arc stuff in Ansible, we need to be able to set up the Arc agent on non-Azure servers.
The best way to do this should be by using the packages.microsoft.com repository and then connecting using a token.
This is my first idea of how to do this; locally I am only using it on RHEL, so this is naturally the first OS I implemented.

ISSUE TYPE
  • New Role Pull Request
COMPONENT NAME

roles/azure_arc
roles/azure_repo_microsoft_prod

ADDITIONAL INFORMATION

No tests, just sharing my first idea

@Klaas- Klaas- marked this pull request as draft September 25, 2025 10:32
Collaborator

p3ck commented Sep 25, 2025

This is great! BTW - I've been working on a role to do this as well.

https://github.com/p3ck/cloud.azure_ops/blob/configure_archost/playbooks/ARCHOST.md

The pull request is here: redhat-cop/cloud.azure_ops#111

I can see some improvements I can make from your work and vice versa.

Collaborator

p3ck commented Sep 26, 2025

I updated my PR to include a lot of the updates from your version. (I added you to the author list)

I guess the question is does Azure/Microsoft want roles added to this collection? Or should we continue to expand the cloud.azure_ops repo?

Contributor

jeremycline commented

> I updated my PR to include a lot of the updates from your version. (I added you to the author list)
>
> I guess the question is does Azure/Microsoft want roles added to this collection? Or should we continue to expand the cloud.azure_ops repo?

Hi! I have been chatting with @alt-key and @stefanoochoa from the Azure Arc team about adding roles to this collection for Arc, so this is great timing.

I've done some light contributions to this collection, but I'm not an expert by any stretch of the imagination, so out of curiosity why might we not want to include this in the Azure collection? I've not run across https://github.com/redhat-cop/cloud.azure_ops before, how is it intended to differ from the roles in this collection?

Also, I (and I imagine the Arc folks as well) am happy to help test this out and expand support to additional distros.

Contributor Author

Klaas- commented Oct 7, 2025

@jeremycline, maybe you can start by getting proper docs on the Arc agent; some assumptions I made in this PR are unverified because of a lack of documentation:

# It is currently unclear if this is a valid indicator for "azure arc registration is already done"; a query about this is open towards the ARC team
when: azure_arc_show.status != 'Connected'

is the prime example :)

Other examples are exit codes; they are currently undocumented.

changed_when: azure_arc_proxy_set.rc == 0

Another thing you could help with is

- name: Get a token using the ARC service principal
  # Run on localhost, so that service principal secrets don't leave control node
  delegate_to: localhost
  # This command produces output that includes an access token
  no_log: true
  azure.azcollection.azure_rm_accesstoken_info:
    scopes:
      - https://management.azure.com/.default
  register: azure_arc_access_token

Currently there is no way to issue single-use, Arc-onboard-only tokens. From a security perspective it's a bad idea to give even a short-lived secret to a target node. The best idea is to create a service principal that is only allowed to onboard Arc systems. But even then, giving out a 60-minute token is not as good as doing single-use tokens.

Another thing you can help with is providing resources to CI test ARC modules. I've started with #2065, but at the moment you can't test it in CI because there are no ARC machines there.
Also have a look at the module; there are several API-side issues documented in there: tags don't update on the create or update API call, and autoUpgradeMinorVersion does not work
( https://learn.microsoft.com/en-us/rest/api/hybridcompute/machine-extensions/create-or-update?view=rest-hybridcompute-2025-01-13&tabs=HTTP )

I have several issues open with MSFT support about the API, and I only really looked at it for like a day ... :)
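The three points in the comment above (the "already Connected" check, the undocumented exit codes, and keeping the token on the control node except for the one call that needs it) fit together in a single play. The playbook below is an added example written for this page; it is not the PR's role code and not taken from cloud.azure_ops. It assumes `azcmagent` is already installed on the target, that `azcmagent show --json` emits a top-level `status` field (the PR's `azure_arc_show.status` check is the basis for that assumption), that `azure_rm_accesstoken_info` returns the token under `access_token`, and that the host group, resource group, location and IDs are constructed placeholders to be replaced:

```yaml
# Added example, not the PR's role code. Onboards a non-Azure host to Azure Arc
# only when the local agent does not already report Connected, and fetches the
# token on the control node so the service principal credentials never reach
# the target; only the short-lived token does, for the single connect call.
- name: Onboard host to Azure Arc with a control-node-issued token
  hosts: arc_candidates            # constructed inventory group name
  become: true
  vars:
    azure_arc_resource_group: "rg-arc-servers"                    # placeholder
    azure_arc_location: "westeurope"                              # placeholder
    azure_arc_subscription_id: "00000000-0000-0000-0000-000000000000"  # placeholder
    azure_arc_tenant_id: "00000000-0000-0000-0000-000000000000"        # placeholder
  tasks:
    - name: Query local agent state (assumption; --json output with a status key)
      ansible.builtin.command: azcmagent show --json
      register: azure_arc_show_raw
      changed_when: false
      # Exit codes are undocumented, so decide from parsed stdout instead of rc.
      failed_when: false

    - name: Derive the connection status, treating any parse problem as Unknown
      ansible.builtin.set_fact:
        azure_arc_status: >-
          {{ (azure_arc_show_raw.stdout | from_json).status | default('Unknown')
             if azure_arc_show_raw.rc == 0 else 'Unknown' }}

    # Runs on the control node: the service principal secret stays there.
    # The service principal should hold only an onboarding role (least privilege),
    # because the token is handed to the target for the connect call below.
    - name: Get a token with the onboarding-only service principal (control node)
      azure.azcollection.azure_rm_accesstoken_info:
        scopes:
          - https://management.azure.com/.default
      delegate_to: localhost
      become: false
      no_log: true
      register: azure_arc_access_token
      when: azure_arc_status != 'Connected'

    - name: Connect the agent (only when not already Connected)
      ansible.builtin.command:
        argv:
          - azcmagent
          - connect
          - --access-token
          - "{{ azure_arc_access_token.access_token }}"   # assumed return key
          - --resource-group
          - "{{ azure_arc_resource_group }}"
          - --location
          - "{{ azure_arc_location }}"
          - --subscription-id
          - "{{ azure_arc_subscription_id }}"
          - --tenant-id
          - "{{ azure_arc_tenant_id }}"
      # no_log keeps the token out of the Ansible log even if connect fails and
      # echoes its arguments; the trade-off is less detail on failure.
      no_log: true
      register: azure_arc_connect
      when: azure_arc_status != 'Connected'
      changed_when: azure_arc_connect.rc == 0

    # Verify from the agent's own view rather than trusting the connect rc.
    - name: Confirm the agent now reports Connected
      ansible.builtin.command: azcmagent show --json
      register: azure_arc_verify
      changed_when: false
      failed_when: (azure_arc_verify.stdout | from_json).status != 'Connected'
```

The residual risk the comment describes is still present here: for the duration of the connect call the token exists on the target (in the process arguments and in memory), so the mitigation is to keep its lifetime short and its scope narrow, for example by assigning the service principal only the built-in Azure Connected Machine Onboarding role on the target resource group, and to treat the final `azcmagent show` check, not the undocumented exit code, as the source of truth for idempotency.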

@Klaas- Klaas- force-pushed the Klaas-arconboarding branch from 4ecb6af to e8ab04e October 22, 2025 13:44

Contributor Author

Klaas- commented Oct 22, 2025

I've incorporated a lot of the changes @p3ck made; this should be working. If you guys get a non-Azure system into CI, I'll also write some integration tests :)

@Klaas- Klaas- force-pushed the Klaas-arconboarding branch from e8ab04e to 9af66cd October 22, 2025 14:21