fix(infra): add permissions to ssh into ssh-jumper (#1703)

.azure/infrastructure/main.bicep

@@ -22,6 +22,9 @@ param sourceKeyVaultName string
 @minLength(3)
 param sourceKeyVaultSshJumperSshPublicKey string
 
+@description('The object ID of the group to assign the Admin Login role for SSH Jumper')
+param sshJumperAdminLoginGroupObjectId string
+
 import { Sku as RedisSku } from '../modules/redis/main.bicep'
 param redisSku RedisSku
 @minLength(1)
@@ -218,6 +221,7 @@ module sshJumper '../modules/ssh-jumper/main.bicep' = {
     subnetId: vnet.outputs.defaultSubnetId
     tags: tags
     sshPublicKey: secrets.sourceKeyVaultSshJumperSshPublicKey
+    adminLoginGroupObjectId: sshJumperAdminLoginGroupObjectId
   }
 }
 

.azure/infrastructure/prod.bicepparam

@@ -35,3 +35,6 @@ param applicationGatewayConfiguration = {
     secretKey: 'star-altinn-no'
   }
 }
+
+// Altinn Product Dialogporten: Developers Prod
+param sshJumperAdminLoginGroupObjectId = 'a94de4bf-0a83-4d30-baba-0c6a7365571c'

.azure/infrastructure/staging.bicepparam

@@ -35,3 +35,6 @@ param applicationGatewayConfiguration = {
     secretKey: 'star-tt-altinn-no'
   }
 }
+
+// Altinn Product Dialogporten: Developers Prod
+param sshJumperAdminLoginGroupObjectId = 'a94de4bf-0a83-4d30-baba-0c6a7365571c'

.azure/infrastructure/test.bicepparam

@@ -35,3 +35,6 @@ param applicationGatewayConfiguration = {
     secretKey: 'star-at-altinn-cloud'
   }
 }
+
+// Altinn Product Dialogporten: Developers Dev
+param sshJumperAdminLoginGroupObjectId = 'c12e51e3-5cbd-4229-8a31-5394c423fb5f'

.azure/infrastructure/yt01.bicepparam

@@ -35,3 +35,6 @@ param applicationGatewayConfiguration = {
     secretKey: 'star-yt01-altinn-no'
   }
 } 
+
+// Altinn Product Dialogporten: Developers Dev
+param sshJumperAdminLoginGroupObjectId = 'c12e51e3-5cbd-4229-8a31-5394c423fb5f'

.azure/modules/ssh-jumper/main.bicep

@@ -14,6 +14,9 @@ param tags object
 @secure()
 param sshPublicKey string
 
+@description('The object ID of the group to assign the Admin Login role for SSH Jumper')
+param adminLoginGroupObjectId string
+
 var name = '${namePrefix}-ssh-jumper'
 
 resource publicIp 'Microsoft.Network/publicIPAddresses@2023-11-01' = {
@@ -79,6 +82,7 @@ module virtualMachine '../../modules/virtualMachine/main.bicep' = {
     sshPublicKey: sshPublicKey
     location: location
     tags: tags
+    adminLoginGroupObjectId: adminLoginGroupObjectId
     hardwareProfile: {
       vmSize: 'Standard_B1s'
     }

.azure/modules/virtualMachine/main.bicep

@@ -68,6 +68,9 @@ type StorageProfile = {
 @description('Specifies the storage profile for the virtual machine')
 param storageProfile StorageProfile
 
+@description('Specifies the AD group object ID for the virtual machine administrator login')
+param adminLoginGroupObjectId string
+
 @description('Specifies the SSH public key for the virtual machine')
 @secure()
 param sshPublicKey string
@@ -129,3 +132,19 @@ resource aadLoginExtension 'Microsoft.Compute/virtualMachines/extensions@2024-03
     autoUpgradeMinorVersion: true
   }
 }
+
+@description('This is the built-in Virtual Machine Administrator Login role. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#compute')
+resource vmAdminLoginRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
+  scope: subscription()
+  name: '1c0163c0-47e6-4577-8991-ea5c82e286e4'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(virtualMachine.id, adminLoginGroupObjectId, vmAdminLoginRoleDefinition.id)
+  scope: virtualMachine
+  properties: {
+    roleDefinitionId: vmAdminLoginRoleDefinition.id
+    principalId: adminLoginGroupObjectId
+    principalType: 'Group'
+  }
+}