Refactoring permissions

frasermolyneux · Sep 27, 2024 · 0234fcb · 0234fcb
1 parent bc49209
commit 0234fcb
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 17 deletions.
diff --git a/terraform/api_management_role_assignments.tf b/terraform/api_management_role_assignments.tf
@@ -0,0 +1,5 @@
+resource "azurerm_role_assignment" "apim_kv_role_assignment" {
+  scope                = azurerm_key_vault.kv.id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = data.azurerm_api_management.core.identity.0.principal_id
+}
diff --git a/terraform/function_app.tf b/terraform/function_app.tf
@@ -63,12 +63,6 @@ resource "azurerm_linux_function_app" "app" {
   }
 }
 
-resource "azurerm_role_assignment" "app-to-storage" {
-  scope                = azurerm_storage_account.function_app_storage.id
-  role_definition_name = "Storage Blob Data Owner"
-  principal_id         = azurerm_linux_function_app.app.identity[0].principal_id
-}
-
 data "azurerm_function_app_host_keys" "app" {
   name                = azurerm_linux_function_app.app.name
   resource_group_name = azurerm_resource_group.rg.name

diff --git a/terraform/function_app_role_assignments.tf b/terraform/function_app_role_assignments.tf
@@ -1,3 +1,27 @@
+resource "azurerm_role_assignment" "app-to-storage" {
+  scope                = azurerm_storage_account.function_app_storage.id
+  role_definition_name = "Storage Blob Data Owner"
+  principal_id         = azurerm_linux_function_app.app.identity[0].principal_id
+}
+
+resource "azurerm_role_assignment" "app-to-servicebus-receiver" {
+  scope                = azurerm_servicebus_namespace.ingest.id
+  role_definition_name = "Azure Service Bus Data Receiver"
+  principal_id         = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "app-to-servicebus-sender" {
+  scope                = azurerm_servicebus_namespace.ingest.id
+  role_definition_name = "Azure Service Bus Data Sender"
+  principal_id         = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
+resource "azurerm_role_assignment" "web_app_kv_role_assignment" {
+  scope                = azurerm_key_vault.kv.id
+  role_definition_name = "Key Vault Secrets User"
+  principal_id         = azurerm_linux_function_app.app.identity.0.principal_id
+}
+
 resource "azuread_app_role_assignment" "repository_api" {
   app_role_id         = data.azuread_service_principal.repository_api.app_roles[index(data.azuread_service_principal.repository_api.app_roles.*.display_name, "ServiceAccount")].id
   principal_object_id = azurerm_linux_function_app.app.identity.0.principal_id

diff --git a/terraform/key_vault_role_assignments.tf b/terraform/key_vault_role_assignments.tf