diff --git a/infrastructure/products/azure_arm.tf b/infrastructure/products/azure_arm.tf
index dd2dcb65..6dbd6ac6 100644
--- a/infrastructure/products/azure_arm.tf
+++ b/infrastructure/products/azure_arm.tf
@@ -92,6 +92,22 @@ resource "azurerm_app_configuration" "state" {
   }
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+resource "azurerm_role_definition" "app_config_list_keys_action" {
+  name        = "app-configuration-list-keys-action"
+  scope       = data.azurerm_resource_group.tfstate.id
+  description = "Grants listKeys/action on App Configurations. Managed by terraform"
+
+  permissions {
+    actions     = ["Microsoft.AppConfiguration/configurationStores/listKeys/action"]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    azurerm_app_configuration.state.id
+  ]
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
 resource "azurerm_storage_account" "backend" {
   name = "${var.arm_product_name}${var.arm_solution_name}storage${var.arm_instance}"
@@ -250,6 +266,14 @@ resource "azurerm_role_assignment" "product_reader_storage_blob_reader_data_acce
   # skip_service_principal_aad_check = true
 }
 
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_reader_storage_blob_reader_data_access" {
+  scope                = azurerm_app_configuration.state.id
+  principal_id         = azuread_group.product_readers.object_id
+  role_definition_name = azurerm_role_definition.app_config_list_keys_action.name
+  # skip_service_principal_aad_check = true
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_readers_storage_blob_owner" {
   scope = azurerm_storage_container.container.resource_manager_id
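Review bot: `Microsoft.AppConfiguration/configurationStores/listKeys/action` returns every access key of the store, not only the read-only ones, so a principal holding this custom role can obtain a read-write connection string for `azurerm_app_configuration.state`; for a group named `product_readers` that is broader than the name suggests, and key-based access also bypasses Azure RBAC data-plane auditing per identity. If the readers only need to read configuration, consider the built-in data-plane role (App Configuration Data Reader) with Entra ID authentication instead of handing out keys, and state the intent in the comment, e.g. `# Readers need the store connection string; note listKeys returns read-write keys too`. The `scope` is the tfstate resource group while `assignable_scopes` lists only the single store; the provider docs recommend `scope` be the first entry of `assignable_scopes`, and I am not certain the platform accepts a resource-level assignable scope, so this is worth confirming with a plan/apply. The role name in `description` says "App Configurations" (plural) although it is assignable only to one store.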
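Review bot: The added role assignment reuses the resource name `product_reader_storage_blob_reader_data_access`, which from the hunk header context appears to already exist in this file (the header is truncated at `product_reader_storage_blob_reader_data_acce`), so this would be a duplicate resource address that `terraform validate` rejects; and the name describes storage blob access while the assignment is on the App Configuration store. Rename it to something like `resource "azurerm_role_assignment" "product_readers_app_config_list_keys" {`. For a custom role, prefer `role_definition_id = azurerm_role_definition.app_config_list_keys_action.role_definition_resource_id` over `role_definition_name`, since the id creates an explicit dependency and avoids the name lookup racing the definition's creation on first apply. The commented-out `# skip_service_principal_aad_check = true` looks copied from the neighbouring block and should be dropped if it is not intended here.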