fix(azure): Enforce azure provider account permissions (#4482)

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

clouddriver-azure/src/main/groovy/com/netflix/spinnaker/clouddriver/azure/config/AzureConfigurationProperties.groovy

@@ -18,6 +18,7 @@ package com.netflix.spinnaker.clouddriver.azure.config
 
 import com.netflix.spinnaker.clouddriver.azure.resources.vmimage.model.AzureCustomImageStorage
 import com.netflix.spinnaker.clouddriver.azure.resources.vmimage.model.AzureVMImage
+import com.netflix.spinnaker.fiat.model.resources.Permissions
 import groovy.transform.ToString
 
 class AzureConfigurationProperties {
@@ -37,6 +38,7 @@ class AzureConfigurationProperties {
     String defaultResourceGroup
     String defaultKeyVault
     Boolean useSshPublicKey
+    Permissions.Builder permissions = new Permissions.Builder()
   }
 
   List<ManagedAccount> accounts = []

clouddriver-azure/src/main/groovy/com/netflix/spinnaker/clouddriver/azure/security/AzureCredentialsInitializer.groovy

@@ -50,7 +50,8 @@ class AzureCredentialsInitializer {
           managedAccount.defaultResourceGroup,
           managedAccount.defaultKeyVault,
           managedAccount.useSshPublicKey,
-          clouddriverUserAgentApplicationName
+          clouddriverUserAgentApplicationName,
+          managedAccount.permissions.build()
         )
 
         azureAccounts << (accountCredentialsRepository.save(managedAccount.name, azureAccount) as AzureNamedAccountCredentials)

clouddriver-azure/src/main/groovy/com/netflix/spinnaker/clouddriver/azure/security/AzureNamedAccountCredentials.groovy

@@ -20,6 +20,7 @@ import com.netflix.spinnaker.clouddriver.azure.client.AzureComputeClient
 import com.netflix.spinnaker.clouddriver.azure.resources.vmimage.model.AzureCustomImageStorage
 import com.netflix.spinnaker.clouddriver.azure.resources.vmimage.model.AzureVMImage
 import com.netflix.spinnaker.clouddriver.security.AccountCredentials
+import com.netflix.spinnaker.fiat.model.resources.Permissions
 import groovy.transform.CompileStatic
 import groovy.util.logging.Slf4j
 
@@ -46,6 +47,7 @@ public class AzureNamedAccountCredentials implements AccountCredentials<AzureCre
   final List<String> regionsSupportZones
   final List<String> availabilityZones
   final Boolean useSshPublicKey
+  final Permissions permissions
 
   AzureNamedAccountCredentials(String accountName,
                                String environment,
@@ -61,6 +63,7 @@ public class AzureNamedAccountCredentials implements AccountCredentials<AzureCre
                                String defaultKeyVault,
                                Boolean useSshPublicKey,
                                String applicationName,
+                               Permissions permissions = null,
                                List<String> requiredGroupMembership = null) {
     this.accountName = accountName
     this.environment = environment
@@ -77,6 +80,7 @@ public class AzureNamedAccountCredentials implements AccountCredentials<AzureCre
     this.defaultResourceGroup = defaultResourceGroup
     this.useSshPublicKey = useSshPublicKey
     this.requiredGroupMembership = requiredGroupMembership ?: [] as List<String>
+    this.permissions = permissions
     this.credentials = appKey.isEmpty() ? null : buildCredentials()
     this.locationToInstanceTypesMap = this.credentials.computeClient.getVirtualMachineSizesByRegions(this.regions)
     this.regionsSupportZones = Arrays.asList("centralus", "eastus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2")