
Feat(#956): Improve workflow feedback (#965)
Grant listKeys/action to reader group

---------

Co-authored-by: tjololo <1145298+tjololo@users.noreply.github.com>
tjololo and tjololo authored Sep 27, 2024
1 parent 35d9394 commit 4d5a627
Showing 1 changed file with 24 additions and 0 deletions.
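--- a/infrastructure/products/azure_arm.tf
+++ b/infrastructure/products/azure_arm.tf
@@ -92,6 +92,22 @@ resource "azurerm_app_configuration" "state" {
 }
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+resource "azurerm_role_definition" "app_config_list_keys_action" {
+name = "app-configuration-list-keys-action"
+scope = data.azurerm_resource_group.tfstate.id
+description = "Grants listKeys/action on App Configurations. Managed by terraform"
+
+permissions {
+actions = ["Microsoft.AppConfiguration/configurationStores/listKeys/action"]
+not_actions = []
+}
+
+assignable_scopes = [
+azurerm_app_configuration.state.id
+]
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
 resource "azurerm_storage_account" "backend" {
 name = "${var.arm_product_name}${var.arm_solution_name}storage${var.arm_instance}"
@@ -250,6 +266,14 @@ resource "azurerm_role_assignment" "product_reader_storage_blob_reader_data_acce
 # skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_reader_app_config_list_keys_action" {
+scope = azurerm_app_configuration.state.id
+principal_id = azuread_group.product_readers.object_id
+role_definition_name = azurerm_role_definition.app_config_list_keys_action.name
+# skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_readers_storage_blob_owner" {
 scope = azurerm_storage_container.container.resource_manager_id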
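Review bot: The assignment `product_reader_app_config_list_keys_action` grants `Microsoft.AppConfiguration/configurationStores/listKeys/action` to `azuread_group.product_readers`, but the key set returned by that action includes the store's read-write access keys as well as the read-only ones, so a group named as readers ends up holding credentials that can modify configuration. If read-only access is the intent, the built-in data-plane role (App Configuration Data Reader) with Entra ID authentication avoids handing out shared keys at all; otherwise this assignment belongs on a group that is meant to hold write capability, and the decision should be recorded next to the resource. At minimum the role definition's `description` should state the elevated effect, e.g. `description = "Grants listKeys/action on App Configurations (returns read-write and read-only access keys). Managed by terraform"`. The same consideration applies to the role definition added in the first hunk, whose `assignable_scopes` correctly limits it to the single store but whose description currently reads as a read-only permission.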
