[DEVEX-91] azure_role_assignments module implemented #44

christian-calabrese · 2024-06-14T18:38:26Z

List of changes

Implemented the terraform module to allow principals (mostly managed identities and user assigned identities) to read, write or manage the most commonly used resources.

The supported roles for each role assignment are:

reader
writer
owner

As of the time of writing the following resources are supported as scopes of the role assignments:

Cosmos DB:
- Account
- Database
- Collections
Event Hubs:
- Namespace
- Event Hub
Key Vault (both RBAC or Access Policies)
- Secrets
- Keys
- Certificates
Redis
Storage Accounts
- Queue (all in a storage account or single ones)
- Table (all in a storage account or single ones)
- Blob Container (all in a storage account or single ones)

More services that will be implemented in the next future are:

Service Bus
Function App
App Service
Notification Hub

Motivation and context

The aim of this module is to simplify the segmented management of RBAC assignments in Azure.

Other information

To request more supported services, please contact the DevEx team

infra/modules/azure_role_assignments/variables.tf

infra/modules/azure_role_assignments/main.tf

Krusty93 · 2024-06-28T09:18:00Z

Very nice work!

infra/modules/azure_role_assignments/examples/function_app/main.tf

Co-authored-by: gunzip <gunzip@users.noreply.github.com>

… and queue datasource

Krusty93 reviewed Jun 28, 2024

View reviewed changes

infra/modules/azure_role_assignments/variables.tf Outdated Show resolved Hide resolved

Krusty93 reviewed Jun 28, 2024

View reviewed changes

infra/modules/azure_role_assignments/variables.tf Show resolved Hide resolved

Krusty93 reviewed Jun 28, 2024

View reviewed changes

infra/modules/azure_role_assignments/main.tf Outdated Show resolved Hide resolved

gunzip reviewed Jul 3, 2024

View reviewed changes

infra/modules/azure_role_assignments/examples/function_app/main.tf Outdated Show resolved Hide resolved

christian-calabrese and others added 19 commits July 4, 2024 15:38

feat: azure_role_assignments module implemented

e92ca97

docs: added readme

8dc05ec

fix: example

c12085a

feat: storage_account

11ea3e7

feat: added storage_account permissions

6c12d51

fix: changed wrong references

4e4befb

feat: added variables validation

0710322

fix: removed storage_use_azuread flag in provider definition

31caf08

feat: cosmos containers are now passed in a list

5a4eef0

fix: example using old collection notation

cbbbc5b

Co-authored-by: gunzip <gunzip@users.noreply.github.com>

fix: wrong reference to roles in key_vault variable validation

364285d

fix: azurerm provider must be >= 3.106.0 due to missing storage table…

ddc24d3

… and queue datasource

fix: validation for key_vault roles

90bb12b

fix: validation for key_vault roles

b07ec90

fix: default for key_vault override roles

4027bdb

fix: missing id reference

8ad6060

fix: kv access policies permissions

6833d00

feat: implemented event hub role assignments

b3ddd0b

fix: added id references missing in storage account role assignments

39cf3ee

christian-calabrese force-pushed the DEVEX-91-role-assignments-module branch from 8de3112 to 39cf3ee Compare July 4, 2024 14:59

christian-calabrese added 5 commits July 5, 2024 11:27

fix: using submodules for better division

6866301

fix: key_vault key

1cdca33

fix: event hub assignments

96213cb

fix: changed constraint

13fbd90

fix: not creating event_hub data when the name is *

4b8af7e

christian-calabrese added 8 commits July 5, 2024 12:30

fix: reids assignment key adds username to avoid conflicts

2a1a9cd

fix: storage account resources keys now use role to avoid conflicts

a9d97f8

fix: storage account resources keys now use role to avoid conflicts

8ce18a2

feat: added duplicate assignment validation on redis

4b7d7a6

feat: added duplicate assignments validation to all variables

e2e571d

feat: added duplicate assignments validation to all variables

bacde0e

fix: moved validations to submodules for better readibility

167e6e2

chore: ran precommit

c93a236

christian-calabrese marked this pull request as ready for review July 5, 2024 13:27

christian-calabrese requested a review from a team as a code owner July 5, 2024 13:27

christian-calabrese added 2 commits July 5, 2024 15:33

fix: moved cosmos variable validation in the submodule folder

54263a7

fix: moved cosmos variable validation in the submodule folder

bba7ad6

Krusty93 approved these changes Jul 9, 2024

View reviewed changes

christian-calabrese merged commit 62a518d into main Jul 9, 2024
4 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DEVEX-91] azure_role_assignments module implemented #44

[DEVEX-91] azure_role_assignments module implemented #44

christian-calabrese commented Jun 14, 2024 •

edited

Loading

Krusty93 commented Jun 28, 2024

[DEVEX-91] azure_role_assignments module implemented #44

[DEVEX-91] azure_role_assignments module implemented #44

Conversation

christian-calabrese commented Jun 14, 2024 • edited Loading

List of changes

Motivation and context

Other information

Krusty93 commented Jun 28, 2024

christian-calabrese commented Jun 14, 2024 •

edited

Loading