feat: Add approval resource to azure service connection (#82)

* add approval resource to serv connect * code review
pagopa · Mar 7, 2024 · bcef6d9 · bcef6d9
1 parent cb5bb14
commit bcef6d9
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/azuredevops_serviceendpoint_federated/README.md b/azuredevops_serviceendpoint_federated/README.md
@@ -56,6 +56,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [azuredevops_check_approval.this](https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/check_approval) | resource |
 | [azuredevops_serviceendpoint_azurerm.azurerm](https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/serviceendpoint_azurerm) | resource |
 | [azurerm_federated_identity_credential.federated_setup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
 | [azurerm_role_assignment.managed_identity_default_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -66,6 +67,8 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_approver_ids"></a> [approver\_ids](#input\_approver\_ids) | (Optional) Credential IDs for approving the use of the service connection | `list(string)` | `[]` | no |
+| <a name="input_check_approval_enabled"></a> [check\_approval\_enabled](#input\_check\_approval\_enabled) | (Optional) Flag to approve use of the service connection | `bool` | `false` | no |
 | <a name="input_default_roleassignment_rg_prefix"></a> [default\_roleassignment\_rg\_prefix](#input\_default\_roleassignment\_rg\_prefix) | (Optional) Add a prefix to default\_roleassignment\_rg | `string` | `""` | no |
 | <a name="input_location"></a> [location](#input\_location) | n/a | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | (Required) Managed identity & Service connection name (if not defined `serviceendpoint_azurerm_name`) | `string` | n/a | yes |

diff --git a/azuredevops_serviceendpoint_federated/main.tf b/azuredevops_serviceendpoint_federated/main.tf
@@ -44,3 +44,19 @@ resource "azuredevops_serviceendpoint_azurerm" "azurerm" {
   azurerm_subscription_id   = var.subscription_id
   azurerm_subscription_name = var.subscription_name
 }
+
+#
+# Approval
+#
+
+resource "azuredevops_check_approval" "this" {
+  count = var.check_approval_enabled ? 1 : 0
+
+  project_id           = var.project_id
+  target_resource_id   = azuredevops_serviceendpoint_azurerm.azurerm.id
+  target_resource_type = "endpoint"
+
+  requester_can_approve = true
+  approvers             = var.approver_ids
+  timeout               = 120
+}
diff --git a/azuredevops_serviceendpoint_federated/variables.tf b/azuredevops_serviceendpoint_federated/variables.tf
@@ -48,3 +48,15 @@ variable "default_roleassignment_rg_prefix" {
   default     = ""
   description = "(Optional) Add a prefix to default_roleassignment_rg"
 }
+
+variable "check_approval_enabled" {
+  type        = bool
+  default     = false
+  description = "(Optional) Flag to approve use of the service connection"
+}
+
+variable "approver_ids" {
+  type        = list(string)
+  default     = []
+  description = "(Optional) Credential IDs for approving the use of the service connection"
+}