
Set owner to lowercase in blobstorage permissions condition #963

Merged
merged 1 commit into from
Sep 27, 2024

Conversation

@tjololo tjololo commented Sep 27, 2024

Description

Reader user has no access, as the folder is in lowercase but the condition is in uppercase.

Related Issue(s)

  • #{issue number}

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)
  • All tests run green

Documentation

  • User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

@bengtfredh bengtfredh left a comment


LGTM


github-actions bot commented Sep 27, 2024

Terraform environment prod

Format and Style 🖌success

Initialization ⚙️success

Validation 🤖success

Validation Output

Success! The configuration is valid.


Plan 📖success

Show Plan

[Lines containing Refreshing state removed]
[Maybe further truncated see logs for complete plan output]
Acquiring state lock. This may take a few moments...
data.azuread_client_config.current: Reading...
data.azuread_application_published_app_ids.well_known: Reading...
data.azuread_client_config.current: Read complete after 0s [id=cd0026d8-283b-4a55-9bfa-d0ef4a8ba21c-c217a3ea-402f-4886-ace5-478db72ab4c9-cc75a1cc-d6a1-4530-828f-86832ce91b9b]
data.azuread_application_published_app_ids.well_known: Read complete after 0s [id=appIds]
data.azuread_directory_object.current: Reading...
data.azuread_service_principal.msgraph: Reading...
data.azuread_directory_object.current: Read complete after 0s [id=cc75a1cc-d6a1-4530-828f-86832ce91b9b]
data.azuread_service_principal.msgraph: Read complete after 1s [id=b9d7b3d8-a063-4e34-89d9-15db56e22d42]
data.azurerm_role_definition.contributor: Reading...
data.azurerm_role_definition.storage_blob_reader_data_access: Reading...
data.azurerm_role_definition.storage_blob_data_owner: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_role_definition.user_access_administrator: Reading...
data.azurerm_resource_group.tfstate: Reading...
data.azurerm_role_definition.reader: Reading...
data.azurerm_role_definition.contributor: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c]
data.azurerm_role_definition.storage_blob_data_owner: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2]
data.azurerm_role_definition.reader: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7]
data.azurerm_role_definition.user_access_administrator: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9]
data.azurerm_role_definition.storage_blob_reader_data_access: Read complete after 0s [id=/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349]
data.azurerm_resource_group.tfstate: Read complete after 2s [id=/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2/resourceGroups/terraform-rg]
data.azuread_service_principal.current[0]: Reading...
data.azuread_service_principal.current[0]: Read complete after 0s [id=cc75a1cc-d6a1-4530-828f-86832ce91b9b]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # azuread_application.reader will be updated in-place
  ~ resource "azuread_application" "reader" {
        id                             = "/applications/f2259af8-0975-4e83-925f-3ccdf18da571"
        tags                           = []
        # (16 unchanged attributes hidden)

      - required_resource_access {
          - resource_app_id = "00000003-0000-0000-c000-000000000000" -> null

          - resource_access {
              - id   = "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30" -> null
              - type = "Role" -> null
            }
          - resource_access {
              - id   = "5b567255-7703-4780-807c-7be8301ae99b" -> null
              - type = "Role" -> null
            }
        }

        # (6 unchanged blocks hidden)
    }

  # azuread_application_api_access.example_msgraph will be created
  + resource "azuread_application_api_access" "example_msgraph" {
      + api_client_id  = "00000003-0000-0000-c000-000000000000"
      + application_id = "/applications/005b1c70-6fa7-4205-9fa1-8b7a53713238"
      + id             = (known after apply)
      + role_ids       = [
          + "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
          + "62a82d76-70ea-41e2-9197-370581804d09",
        ]
    }

  # azurerm_app_configuration.state will be updated in-place
  ~ resource "azurerm_app_configuration" "state" {
        id                         = "/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2/resourceGroups/terraform-rg/providers/Microsoft.AppConfiguration/configurationStores/altinnterraformappconf02"
        name                       = "altinnterraformappconf02"
      ~ tags                       = {
          - "costcenter" = "altinn3"
          - "createdAt"  = "09-07-2024 09:55:43 UTC"
          - "createdBy"  = "Bengt Rino Fredh"
          - "modifiedAt" = "27-09-2024 07:00:46 UTC"
          - "modifiedBy" = "GitHub: altinn/altinn-platform - Admin"
          - "repository" = "github.com/Altinn/altinn-platform"
          - "solution"   = "platform"
        } -> (known after apply)
        # (11 unchanged attributes hidden)
    }

  # azurerm_role_assignment.product_readers_storage_blob_owner must be replaced
-/+ resource "azurerm_role_assignment" "product_readers_storage_blob_owner" {
      ~ condition                        = <<-EOT # forces replacement
            (
             (
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/permanentDelete/action'})
              AND
              !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action'})
            )
            
             OR 
             (
          -   @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'github.com/Altinn/altinn-platform/'
          +   @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path] StringStartsWith 'github.com/altinn/altinn-platform/'
             )
            )
        EOT
      ~ id                               = "/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2/resourceGroups/terraform-rg/providers/Microsoft.Storage/storageAccounts/altinnterraformstorage02/blobServices/default/containers/tfstates/providers/Microsoft.Authorization/roleAssignments/4b7afb29-f4e5-e113-ee7e-cf99d28acbbc" -> (known after apply)
      ~ name                             = "4b7afb29-f4e5-e113-ee7e-cf99d28acbbc" -> (known after apply)
      ~ principal_type                   = "Group" -> (known after apply)
      ~ role_definition_id               = "/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b" -> (known after apply)
      + skip_service_principal_aad_check = (known after apply)
        # (4 unchanged attributes hidden)
    }

  # azurerm_storage_account.backend will be updated in-place
  ~ resource "azurerm_storage_account" "backend" {
        id                                = "/subscriptions/d43d5057-8389-40d5-88c4-04db9275cbf2/resourceGroups/terraform-rg/providers/Microsoft.Storage/storageAccounts/altinnterraformstorage02"
        name                              = "altinnterraformstorage02"
      ~ tags                              = {
          - "costcenter" = "altinn3"
          - "createdAt"  = "09-07-2024 09:55:43 UTC"
          - "createdBy"  = "Bengt Rino Fredh"
          - "modifiedAt" = "27-09-2024 07:00:46 UTC"
          - "modifiedBy" = "GitHub: altinn/altinn-platform - Admin"
          - "repository" = "github.com/Altinn/altinn-platform"
          - "solution"   = "platform"
        } -> (known after apply)
        # (36 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 2 to add, 3 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan.out

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan.out"
Releasing state lock. This may take a few moments...

Context Values
Pusher @tjololo
Action push
Working Directory ./infrastructure/products
State File github.com/altinn/altinn-platform/environments/prod/products.tfstate
Plan File github.com_altinn_altinn-platform_environments_prod_products.tfstate.tfplan
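The condition on `azurerm_role_assignment.product_readers_storage_blob_owner` in the plan above grants Storage Blob Data Owner but lets the mutating blob actions through only when the blob path `StringStartsWith` the product's prefix, and Azure evaluates `StringStartsWith` case-sensitively. The Python below is an added example, not code from the altinn-platform repository: it models that evaluation with the action list, the two prefixes and the state-file path taken from the plan, shows why the capitalized prefix denied the reader's write while the lowercased one permits it, and includes a small pre-apply check that flags a prefix which differs from a real path only by case. The `example-product` path is constructed.

```python
"""Model of the Azure ABAC role-assignment condition from the Terraform plan.

Added example; it is not code from the altinn-platform repository. It mirrors
the shape of the condition on product_readers_storage_blob_owner:
  (none of the restricted blob actions) OR (blob path StringStartsWith <prefix>)
Azure evaluates StringStartsWith case-sensitively, so a prefix whose owner
segment reads "Altinn" never matches a path stored under "altinn".
"""

BLOB_NS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"

# The actions negated with !(ActionMatches{...}) in the plan: these mutating
# operations are permitted only inside the owner's path prefix.
RESTRICTED_ACTIONS = frozenset(
    f"{BLOB_NS}/{suffix}"
    for suffix in (
        "write",
        "add/action",
        "runAsSuperUser/action",
        "tags/write",
        "delete",
        "deleteBlobVersion/action",
        "immutableStorage/runAsSuperUser/action",
        "move/action",
        "manageOwnership/action",
        "permanentDelete/action",
        "modifyPermissions/action",
    )
)

# Prefixes exactly as they appear in the plan: the one removed and its replacement.
OLD_PREFIX = "github.com/Altinn/altinn-platform/"
NEW_PREFIX = "github.com/altinn/altinn-platform/"

# State file path taken from the plan's context values.
STATE_FILE = "github.com/altinn/altinn-platform/environments/prod/products.tfstate"


def string_starts_with(value: str, prefix: str, ignore_case: bool = False) -> bool:
    """StringStartsWith as Azure ABAC evaluates it: ordinal and case-sensitive.

    ignore_case=True models the StringStartsWithIgnoreCase operator instead.
    """
    if ignore_case:
        return value.lower().startswith(prefix.lower())
    return value.startswith(prefix)


def condition_allows(action: str, blob_path: str, path_prefix: str,
                     ignore_case: bool = False) -> bool:
    """Evaluate the role-assignment condition for one request.

    Non-restricted actions (reads, lists) satisfy the first disjunct whatever
    the path; restricted actions pass only when the path is under the prefix.
    """
    not_restricted = action not in RESTRICTED_ACTIONS
    under_prefix = string_starts_with(blob_path, path_prefix, ignore_case)
    return not_restricted or under_prefix


def prefix_case_mismatch(path_prefix: str, blob_path: str) -> bool:
    """Pre-apply check: True when the prefix fails to match only because of case.

    This is the defect the PR fixes, caught before the assignment is applied.
    """
    return (not blob_path.startswith(path_prefix)
            and blob_path.lower().startswith(path_prefix.lower()))


def write_outcomes(blob_path: str) -> dict:
    """Outcome of a blob write under the old and the new prefix."""
    write = f"{BLOB_NS}/write"
    return {
        "old_prefix": condition_allows(write, blob_path, OLD_PREFIX),
        "new_prefix": condition_allows(write, blob_path, NEW_PREFIX),
    }


if __name__ == "__main__":
    print(write_outcomes(STATE_FILE))  # {'old_prefix': False, 'new_prefix': True}
    print(prefix_case_mismatch(OLD_PREFIX, STATE_FILE))  # True
```

Because the prefix clause is an extra restriction on an allow, a case mismatch fails closed: the reader keeps read access everywhere but loses writes under its own folder, which is the "no access" symptom in the description rather than an over-broad grant. Azure's condition language also offers `StringStartsWithIgnoreCase`, but normalizing the owner segment to lowercase, as this PR does, keeps the match strict; running `prefix_case_mismatch` against the real state-file paths in CI would have caught the mismatch before apply.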

@tjololo tjololo merged commit 35d9394 into main Sep 27, 2024
4 checks passed
@tjololo tjololo deleted the fix-condition-for-reader branch September 27, 2024 07:45