From a8931692283b073efe3cde430290eea08b6fd821 Mon Sep 17 00:00:00 2001
From: tjololo <1145298+tjololo@users.noreply.github.com>
Date: Fri, 27 Sep 2024 12:05:51 +0200
Subject: [PATCH] feat(#956): Improve workflow feedback Grant listKeys/action to reader group
---
 infrastructure/products/azure_arm.tf | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/infrastructure/products/azure_arm.tf b/infrastructure/products/azure_arm.tf
index dd2dcb65..6dbd6ac6 100644
--- a/infrastructure/products/azure_arm.tf
+++ b/infrastructure/products/azure_arm.tf
@@ -92,6 +92,22 @@ resource "azurerm_app_configuration" "state" {
 }
 }
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition
+resource "azurerm_role_definition" "app_config_list_keys_action" {
+ name = "app-configuration-list-keys-action"
+ scope = data.azurerm_resource_group.tfstate.id
+ description = "Grants listKeys/action on App Configurations. Managed by terraform"
+ permissions {
+ actions = ["Microsoft.AppConfiguration/configurationStores/listKeys/action"]
+ not_actions = []
+ }
+ assignable_scopes = [
+ azurerm_app_configuration.state.id
+ ]
+}
+
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
 resource "azurerm_storage_account" "backend" {
 name = "${var.arm_product_name}${var.arm_solution_name}storage${var.arm_instance}"
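Review bot: `Microsoft.AppConfiguration/configurationStores/listKeys/action` returns the store's access keys, and those include the read-write keys, so the `product_readers` group this role is meant for (assigned in the second hunk) ends up holding a credential that can modify the configuration store rather than only read it. If the workflow only needs to read settings, the built-in data-plane role `App Configuration Data Reader` assigned on `azurerm_app_configuration.state.id` and used with Entra ID authentication gives that without exposing any key; if the keys really are required, the description should say what is being handed out, e.g. `description = "Grants listKeys/action (returns the store's read-write access keys) on the state App Configuration. Managed by terraform"`. Separately, `scope` is the tfstate resource group while `assignable_scopes` is a single resource id; as far as I know Azure only accepts management group, subscription or resource group ids in AssignableScopes, so this is likely to be rejected at apply time, and `assignable_scopes = [data.azurerm_resource_group.tfstate.id]` keeps the definition consistent with its own scope while the assignment itself can still be limited to the App Configuration resource.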
@@ -250,6 +266,14 @@ resource "azurerm_role_assignment" "product_reader_storage_blob_reader_data_acce
 # skip_service_principal_aad_check = true
 }
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
+resource "azurerm_role_assignment" "product_reader_storage_blob_reader_data_access" {
+ scope = azurerm_app_configuration.state.id
+ principal_id = azuread_group.product_readers.object_id
+ role_definition_name = azurerm_role_definition.app_config_list_keys_action.name
+ # skip_service_principal_aad_check = true
+}
 # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
 resource "azurerm_role_assignment" "product_readers_storage_blob_owner" {
 scope = azurerm_storage_container.container.resource_manager_id
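Review bot: The new role assignment is named `product_reader_storage_blob_reader_data_access`, which from the truncated hunk header appears to be the same name as the existing assignment directly above it, so Terraform will reject the file as a duplicate resource definition; the name also describes the storage blob role rather than the App Configuration listKeys grant. A name that says what it does, e.g. `resource "azurerm_role_assignment" "product_readers_app_config_list_keys" {`, fixes both. Binding the assignment by `role_definition_name` makes Azure resolve the custom role by display name at apply time; `role_definition_id = azurerm_role_definition.app_config_list_keys_action.role_definition_resource_id` pins it to the definition created in the first hunk and avoids an ambiguous lookup if another role with that name exists in scope. The commented-out `# skip_service_principal_aad_check = true` is copied from the sibling assignments and, since the principal here is a group, can simply be dropped.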